Positive Hack Days V

I recently attended the Positive Hack Days V forum, which took place in Moscow over two days. Interesting and diverse presentations were given there, alongside several contests.

The first contest started online one week before the forum itself. It was the Hashrunner challenge, which consisted of cracking password hashes. The algorithms to crack were NTLM, SHA-1, MD5, LM, SHA-256 and the Russian standard GOST R 34.11. The hashcat team won this contest.
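What makes a contest like this feasible is that every listed algorithm is a fast, unsalted hash: one digest per candidate password can be compared against all targets at once. The script below is an added illustration written for this post, not code from the contest or from any cracking tool mentioned here. It carries its own MD4 (NTLM is MD4 over the UTF-16LE encoding of the password, and OpenSSL-backed `hashlib` frequently ships MD4 disabled as a legacy algorithm), uses `hashlib` for MD5/SHA-1/SHA-256, and runs a small dictionary attack over a constructed wordlist; the target hashes are computed in the block rather than taken from the contest. LM and GOST R 34.11 are left out.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written here because hashlib's md4
    comes from OpenSSL's legacy provider and is often unavailable."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, per-step shifts, message word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                # Rotate the registers so the next step updates what was d.
                a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def hash_password(algo: str, password: str) -> str:
    """Hex digest of an unsalted password hash for the algorithms handled here."""
    if algo == "ntlm":
        # NTLM = MD4(UTF-16LE(password)); no salt, no iteration.
        return md4(password.encode("utf-16-le")).hex()
    if algo in ("md5", "sha1", "sha256"):
        return hashlib.new(algo, password.encode("utf-8")).hexdigest()
    raise ValueError("unsupported algorithm: " + algo)


def crack(algo: str, targets, wordlist):
    """Dictionary attack. One digest per candidate is checked against every
    outstanding target, which is why unsalted hashes crack cheaply in bulk.
    Returns {hex_hash: password} for the targets that were recovered."""
    pending = {h.lower() for h in targets}
    found = {}
    for candidate in wordlist:
        if not pending:
            break
        h = hash_password(algo, candidate)
        if h in pending:
            found[h] = candidate
            pending.discard(h)
    return found


if __name__ == "__main__":
    # Constructed demo input: a tiny wordlist and targets derived from it.
    wordlist = ["letmein", "password", "Summer2015", "correcthorse"]
    for algo in ("ntlm", "md5", "sha1", "sha256"):
        targets = [hash_password(algo, "password"), hash_password(algo, "Summer2015"),
                   hash_password(algo, "not-in-the-list")]
        print(algo, crack(algo, targets, wordlist))
```

The same loop structure applies to LM (DES-based, two independent 7-character halves, uppercased) and to GOST R 34.11; only `hash_password` would change. The recovered set never includes a hash whose password is absent from the wordlist, which is the limit that rules and masks in tools like hashcat or John the Ripper exist to push past.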

During the other contests, each team represented a group of hackers from a virtual state, the United States of Soviet Union. These groups were asked to compromise fictional companies such as a railway company (Choo Choo Pwn) or a mobile operator (MiTM Mobile). In addition, this year an industrial control challenge was set up around a power plant (Digital Substation Takeover). A PHD Stock Market was also implemented to let teams sell their exploits and gain more points, or even get compromised themselves. Videos reporting on the progress of the challenge were projected during the forum. More Smoked Leet Chicken won the contest. Last but not least, there was the (in)famous 2drink2hack contest, where the goal was to hack a Web Application Firewall while drinking a shot of tequila at each stage!

Meanwhile, very interesting talks were given in parallel. I first attended the fast track session, where a team from Kaspersky Lab presented results on de-anonymizing Tor users. They gave the example of the creator of Silk Road, who was arrested even though many details of the techniques the FBI used against Tor remain unknown. They explained how Tor users can be tracked by fingerprinting them with JavaScript, and gave a proof of concept to illustrate their claims.

A second presentation of this track was given by the SCADAStrangeLove team on hacking 4G networks and devices. They presented SIM card attacks, remote phone cloning, traffic interception, password changes and gaining access to internal networks. They also focused on some attacks against USB dongles.

Alexey Cherepanov presented john-devkit, a tool for optimizing hash algorithm implementations in the famous John the Ripper. It takes an algorithm written in Python and a set of optimization rules as input, and outputs a C implementation of the algorithm for use in John the Ripper.

Dmitry Kuznetsov from Positive Technologies described their experience certifying a Russian security product under the Common Criteria scheme. He explained the difficulties they encountered and the differences between CC and the Russian certification process.

Next, a live video conference with Whitfield Diffie (yes, the Diffie of Diffie-Hellman!) was broadcast in all the conference rooms. He gave his views on the future of information security and cryptography. He called for more usability to enable mass adoption of cryptography. He spoke about quantum computing which, if built at scale, would break the public-key cryptography we use every day. He also clarified that quantum cryptography and quantum key distribution are promising, but are not really a new cryptographic method so much as a new communication channel with interesting properties. He also spoke about homomorphic encryption and its future.

I finished the first day with a presentation by Stanislav Smyshlyaev, Evgeny Alexeev and Sergey Agafin about cryptography standards in Russia. They compared Russian standards such as the GOST block cipher and the Stribog hash function (GOST R 34.11-2012) with other standards. They also presented the Courtois attacks on GOST and reminded us of their complexity. They then presented the Russian elliptic-curve signature standard, which is comparable to ECDSA, and gave implementation timings on different platforms. Finally, some practical issues were presented, such as the use of tokens.

The second day started with a talk named "Why IT security is f***ed up". Under this provocative title, Stefan Schumacher from the Institute for Security Research explained how psychology, sociology and educational science could help security research. He argued that society now lives in a kind of Panopticon: we can be monitored through our devices, and our behaviour changes when we are monitored. Post-Snowden security needs trust; we have to trust the software and devices we use. This means IT security should grow into a new scientific field called "Information Security", built on mathematics, computer science, philosophy, psychology, sociology and jurisprudence.

Then I followed one of the hands-on labs, "RFID/NFC for the Masses", given by Nahuel Grisolía. This lab explored the possibilities offered by the ISO/IEC 14443 standard used for NFC. He used Type A and Type B cards, which both communicate at 13.56 MHz. Several commercial products such as Sony FeliCa, MIFARE Classic and MIFARE Plus were presented. We were shown how to identify them with readers such as the SCL3711 or ACR122U, both available at low cost. The open-source library libnfc helps with low-level interaction and supports both Type A and Type B cards. He then presented the Proxmark hardware and showed how a card could be cloned to open doors through the building's access system. Existing attacks against MIFARE Classic 1K were presented in detail, as well as attacks against HID iCLASS cards.

The next talk was given by Marina Krotofil from the European Network for Cyber Security, about hacking the process control of a vinyl chemical plant. The first step was network penetration, which turned out to be the easiest part. The hardest parts were understanding the process, covering the intruder's tracks and understanding chemical forensics. She offered interesting ideas on how to prolong an attacker's access, such as attacking the plant during routine operator maintenance, in the hope that the first reaction will be to blame the operator rather than an external attacker.

The final talk I attended was a presentation by Alexander Sverdlov about building a digital fortress. Traditional fortresses, with a secure inside protected by perimeter security, were the previous paradigm for cyber fortresses. He proposed a new approach and gave some techniques to build a cyber fortress, such as browser hardening through secure deployment of the Chrome browser, or using whitelists on web proxies. All the techniques proposed are in his book.

Other information on the conference content, including the sessions I did not have time to attend, is available here, and videos of the presentations can be seen here.
