After driving most of the night, I arrived in Besancon just in time for the registration at FrHACK_01. Next step was to look for a breakfast and 0xC0FFEE. Nothing to do with the conference but Besancon looks to be a nice small city.
My first mission was to let some BruCON flyers (next week!) at the registration desk. Some visibility is always good. The conference is held in a nice building (a theater). Let’s follow the introduction by Jerome Athias, the organizer of this event.
Jerome opened the show with common questions and facts about security in the IT world today: white hats vs black hats, viruses, Wi-Fi, crypto (“Crypto is good for you”). He briefly presented what will happen during the two days, it looked to be promising!
About Wi-Fi connectivity, a major remark addressed to the event team: Guys, no Internet connectivity at all is a real problem for a conference about security! The answer that was given to my questions does not satisfy me: ok, Wi-Fi is unsecure but put a disclaimer and that’s all. Visitors will always be free to use the service or not. That was the bad news of today. Fortunately, a bar not far from the conference place provides Wi-fi access. It became my headquarter for the next 48 hours!
The first presentation was performed by Bruno Kerouanton: “Fuzzing the brain”. Bruno immediately warned the audience: his slides won’t cover “technical” stuff. Indeed! It started with a fact: “IT security is a failure”. A demo (the well-known black dots illusion) helped him to prove that people are the weakest link and are unpredictable, unique and think different (nobody sees the same number of black dots). Human behavior can be predicted or, better, can be triggered with a speficic stimuli
Marketing departments, recruiters or sects use such methods for a while. Today hackers could use the same methods. Take care! Bruno gave a nice example with Apple and its iPhone. They use strong marketing techniques to convince buyers (danm! I’ve an iPhone too!). Bruno continued to describe several methods to capture attention of your correspondents using a parody of a well-known security distribution: “Brain Track IV”. Excellent idea.
Then I followed a presentation of HostileWRT performed by Nicolas Thill and Philippe Langlois. The goal of this project is to make performant security audits in controlled environment. Based on a FON2 access point, they developped scripts based on several open source tools like aircrack-ng. They are stored on a USB stick and can be started just be plug-in the stick into the FON. Why? Security audit, controlled environment only, script to automate Wi-Fi tests and scans.
Funny story: they discovered that Broadcom chip-sets does not support broadcast attacks very well (cannot inject packets at full speed)! The FON access points is really an open platform and can be upgraded with more poweful antennas or other hardware such as GPS.
They also developed a new method to crash keys. They use dictionaries based on the SSID around the target. Example: if SSID are known to be used in France, they will use a dictionary composed of French words. They are lookup for SSID lists for more countries to expand their list. Feel free to participate (See tmplab.org)
The last presentation before the lunch was about cryptography: “The good, the bad and the ugly of crypto” presented by David Hulton – openciphers.org project. One of the major issue when cracking crypto algo is the required time to crack the algorithm. How to speed up? Using CPUs, GPUs or FPGAs. David explained the pro & con of each method in terms of computing power, performance and cost (hardware).
Even if using a strong crypto algorithm, are you sure it is correctly implemented? If you roll your own crypto: what are the potential attacker cost metrics? Do you prefer open vs proprietary algorithm? Reinventing the wheel can have a cost, even the best mist something.
[Note that David is also the organize of ToorCon 11 San Diego 23-25/10/2009]
Back from Lunch, Filippos Georgiadis spoke about “Identifying and Exploitation of Business Logic Flows in web application”. A very cool topic. What’s business logic? The functional algorithm that handle information between databases and user interfaces. It’s completely different than classic attacks like SQL injections, buffer overflow, … The goal is to identify parameters, tables, fuzzing or race conditions present in a web application. The keyword is “Be inspired! Imagine! Try!” Each application is a new challenge for the auditor / pentester.
Example in real life with a banking site: abuse of the validation process and transfer money to a 3rd party account. Try to detect unusual functions, hidden parameters (remember, security by obscurity is never good). Try to impersonate, to change values. Of course, this can consume a huge amount of time and results are never warranted. The identification process (crawling, identification of variables & functions, categorization and fuzzing) can be automated using the tool developed by Filippos: BLe, the logic exploiter. This tool is able to report a probability of business logic flow. So, what are the countermeasures? You can try! Apply defense in depth principle, never trust client side validation, stick to standard (authentication processes, …) take care of random data generators (if required), think about security always! A really interesting presentation.
Now, the best presentation of today (from my point of view). “Outspect” : memory forensics & incident handling for live virtual machine. Nguyen Anh Quynh, part of the project vmsecurity.org, presented a new tool to perform real-time forensics investigations on a live virtual system running Xen. Outspect is the right tool to resolve issues with investigation on a virtual system (on-line memory forensics). Why is the memory so important? Some malwares fully reside in memory and does not even write data in disk. Also, performing a dump of the memory requires time and huge storage (in gigabytes). Other problems are: erased evidences (by design), capture can be tampered by existing malware or inconsistency. The goal of Outspect is too fix all those problems. At the moment, it runs only on a Xen system (on dom-0) and access memory of virtual systems using the Xen API (the VM is paused during the memory access). This is fully transparent for the guest OS and potential malwares running on it. Outspect relies on two tools: XenDoor which access the physical memory and EaglEye which retrieves the OS objects (virtual memory) such as ports, connections, processes, kernel modules. EaglEyes has the knowledge of all OS components and know how they are structured in memory (using the LibDI library). Then Nguyen performed some demos. He hacked virtual systems using MetaSploit exploits and payloads and monitored the content of the memory in the same time. Amazing! The project is still under development and should be released soon. This looks very promising! I asked to Nguyen is the Outspect tool could be used as an “IDS” to detect any malicious changes on a running VM (like a suspicious process or loaded DLL). He’s also working on something like this (a real-time malware scanner).
Next session was about W3af – a “framework to 0wn the web” by Andres Riancho (a ‘web application security enthusiast’ and founder of Bonsai). This is a set of scripts that evolved into a serious project, vulnerability scanner, exploitation tool for web applications. Started from nothing, Andres needed for a good toolbox for web testing. Today, 135 plug-ins (and growing) exists. Some manual and others automated (MitM, manual request editor, fuzzer,…). Andres explained, based on some examples, the difficulty of writing a good fuzzer. Architecture of W3af is a core and plug-ins. The core coordinates the process and provides features that plug-ins will use. Knowledge base used by plug-ins shared in a db (“à la Nessus”). Several plug-ins were reviewed and explained in details. A must have to all auditors and pentesters.
To close the first day, a VIP was present. Mister Richard Stallman himself came and made a speech about his preferred topic: free softwares! Softwares must respect users freedom. There are four rules to keep in mind:
- Freedom to run the software as we wish
- Freedom to change the source code as we wish
- Freedom to help the neighbor (redistribute the software)
- Freedom to contribute to a community (redistribute a modified version)
Richard gave several examples of commercial solutions with known backdoors. A good example is the Amazon Kindle. He fired Amazon and its “pay per read device” which has a backdoor to remove specific books (a very bad press for amazon). Richard recounted the story of GNU Linux with the origin of the recurrent acronym etc. Finally, the speech ended with a questions & answers session. The main room was full during Richard’s speech, this guy has a fabulous karma!
That’s all for today!