We spent a week at Positive Hack Days Security Conference in Moscow, Russia
As CTO of REPTILEHAUS I am always on the lookout for interesting high value conferences to attend where we can learn and most importantly network with other people in the same field and one of primary objectives with starting REPTILEHAUS was to create a digital agency that actually puts security to the forefront rather than trying to churn out as many projects as quickly as possible to increase revenue
Admittedly in the past this has caused us to lose clients but thankfully persistence in the space has finally begun to pay off and word of mouth has seen us gaining the right kind of clients who care about security and quality
Being that I take security very seriously I try to attend as many worthwhile conferences as I can.
While doing some research we came across PHDays Conference which is a information security conference based in Moscow, Russia
When it comes to security conferences the usual choice is to attend Defcon in Vegas, but its no surprise or secret that Russia has become synonymous with hacking in recent years,
All you have to do is turn on the TV, so a trip to Moscow certainly seemed like it might be more interesting and informative than visiting Vegas.
Having arrived the evening before the conference I was up at 7am and left my apartment beside the Kremlin to catch a metro from Арбатская (Arbatskaya) to Мякинино (Myakinino) which is about 1 hour outside central Moscow at the Crocus Expo Center, this metro station is actually built in the Crocus Expo center which a a colossus of a complex, this place is like an airport hanger its insane!
On the way we had gone through the conference schedule and already knew pretty much everything I wanted to check out, the only curve-ball was trying to see it all.
Techniques related to maintaining persistence on exploited Windows machines is always of interest, So a talk titled The art of persistence: “Mr. Windows… I don’t wanna go :(“ by Argentinian native Sheila Ayelen Berta lured me in and it did not disappoint.
She covered some very interesting techniques that the bad guys use to keep control of your system with some nice PoC scripts written in Golang which is nice to see for a change (usually Python is used).
After than I caught the end of a talk by Mikhail Shcherbakov about deserialisation vulnerabilities in the .NET language,
I got really interested in these kinds of attacks after the guys at Cure53 managed to hack PornHub using a similar attack vector in PHP 5.6,
Fantastically it netted them a cool $20,000 bug bounty prize as well as a lot of funny one-liners considering who the target site was – you can read more about it here and its well worth reading up on as you can find these vulns in a lot of modern applications still.
Congratulations to Dario & @_cutz of Cure53 as well as @evonide for scoring this major uhm.. load 😀 https://t.co/b8RVJFZwAR
— Cure53 🇺🇦 (@cure53berlin) June 16, 2016
Being that most of REPTILEHAUS’ work is architecting and building web based applications the Extended training on hacking web applications was my go to in between other tracks.
Hardware hacking is not my strong point, aside from basic knowledge of using Shodan to find a rogue CCTV camera, sniffing ports and finding a vulnerability I dont know a lot about targeing a device or its firmware so the Rapid Hardware Hacking track was really cool to learn more of the nitty gritty details about electronics, various chipsets and how to hack an electric toothbrush’s firmware.
Practicing attacks on GSM alarm systems, smart homes and kids smart watches was another entertaining one of the hardware related IoT tracks,
It has a slightly Machiavellian sound to it but with the onset of the IoT space moving faster than its being secured it is no surprise – even your baby monitor is not safe and probably more worrying is scaling that idea up to control grids and Nuclear facilities.
With Nuclear plant staff exposing Nuclear facilities to the open internet (read more here) its only a matter of time before we see something catastrophic even the United States government has developed malware whose specific job was to find Siemens industrial control units in Iranian Nuclear Plants and force them to speed up the centrifuges so that they would basically spin into pieces destroying the plants capability to create enriched Uranium (read more here), a truly catastrophic Chernobyl incident is not and if – but when! The bad guys already know how to build this stuff.
One of the few all Russian talks I managed to squeeze in was Mining threats in Namecoin by Alexey Goncharov of Positive Technologies (The organisers of the event),
He described how malware, more specifically the Gandcrab family, use the NameCoin fork of Bitcoin as a domain name registering service
being actively involved in the security and blockchain space I am always interested in anything that intersects both domains so hearing about a fork of Bitcoin that is powering malware and other APTs was very interesting – interested in knowing more you can see his slides here
Directly after Alexey Goncharov’s talk was again sticking with the subject of malware or more so the in depth analysis of the ReadTheManual banking malware or as the talk was called “the manual finally read – deep analysis of ReadTheManual banking trojan” by Nikita Proshin
It was a great insight into how this malware and basically any malware operates, also covered was how the authors try to deceive researchers by adding junk code, random/pointless conditionals and false positives to make reversal an even more difficult task than it already is,
Throw in some fake attribution (i.e throw some foreign language into the code to make it look like it came from some other state actor) for good measure just to ensure you give the reverse engineer and even bigger headache.
In short we were spoilt for choice when it came to talks and discussions, literally every aspect of security was covered in the detail that you would expect and want.
Aside from talks there was also plenty of Russian cyber security, IoT related companies looking to do business, so even if security is not your thing you can always try do some networking I even managed to bump into a vendor whose daughter was an all Ireland Irish dancing champion.
Red Team / Blue Team Hackathon
In the main conference hall, aside from having a real working Delorean (with flux capacitor!), there was a massive model of a city complete with trains, infrastructure, power grid.
To the right hand side of the city on the other side of the hall was about 40 guys and girls sitting around looking intensely into their laptop tapping like crazy,
likewise on the left hand side there was another group with the demeanour.
The aim of the game was basically a red and blue team exercise of hackers with the baddies on one side and the goodies on the other
Baddies trying exploit various vulnerabilities in the city and the good guys trying to thwart their advancing attack vectors.
The setup was epic and great to watch the attacks taking place in real time, a fantastic exercise for any security enthusiast, grey hat, black hat or anyone looking to take part in the fun.
There was an entire section just off the main hall dedicated to hacking ATM machines
Admittedly I couldn’t understand much of the actual talking that was going on but watching the technicals it was fascinating to see the hack take place in realtime on a real ATM but hardly surprising considering most ATMs still run unpatched old versions on Windows,
Unfortunately the ATM had only monopoly money, no Ruble’s, so my dreams of a free lunch didn’t come through.
Pace maker Hacking, WiFi Cracking and more
Outside of the main hall/talk areas there was all kinds of games going on for various levels of hacker.
From PacMan to Mind puzzles
There was literally something there for everyone with an all round fun vibe
Thankfully no real internal pace makers were hacked (that I know of).
As far as hacking conferences go, I had a great time learned some new stuff and made some connections which is exactly what I went for,
On top of that I got to spend a week in Moscow!!
I wasn’t sure what to expect but it exceeded all expectations and it may even be my favourite city so far; the food, the buildings, every person I met even the safety – no matter what time you walk around at night at.
Spasiba Москва, I will be back!
If you are thinking of visiting the event next year and want some information about visas, invitation letters, flights and accommodation feel free to reach out to us.
All photography is copyright of REPTILEHAUS, if you would like to use please request directly [email protected]