Go to Luxembourg for the new edition of hack.lu. A three days conference about computer security and impacts on the society. This is the second edition for me.
The first day started with workshops. I attended the one about DAVIX: “a live CD for data analysis and visualization that brings the most important free tools for data processing and visualization to your desk. There is no hassle with installing an operating system or struggle to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.“. The goal of DAVIX is to help network administrators to analyze their logs and “visualize” on their desktop what happened. By their format, log files are difficult to read (how to extract the real value from a log file just by reading it?) and today’s infrastructures produce very large amount of events which cannot be processed by a human anymore.
After an introduction about the life CD and its available tools, some material (a VMware image with pcap files and scenarios) was distributed for hands-on exercises. Several tools were reviewed to draw graphs like:
DAVIS is really a tool to be investigated if you have to generate reports about your network traffic.
The talks really started after the lunch. The fist one was “Peeking into Pandora’s Bochs – instrumenting a full system emulator to analyze malicious software” by Lutz Böhne from RedTeam Pentesting. To evade signature based protections, malwares are often runtime-packed (encrypted). To be executed by the CPU, the code must be first unpacked. When decrypted, the code is readable in memory. Lutz developed an automated unpacker called Bochs. Instead of executing the malware (which can be very dangerous for the system used to analyze it), the code is executed in an emulated environment. The goal of Bochs is to extract as much information as possible from a malware sample without executing the hostile code contained therein. Using a Python interface and a set of routines, it is possible to monitor the “guest” system. It can identify and instrument individual processes, trace memory writes and branches, and dump process memory when a modified memory region is executed. As Bochs does not rely on standard debugging features, it is not affected by common anti-debugging protection used in malwares.
Then, Anthony Desnos (from ESIEA) presented his work about a new generation of viruses: the “K-ary” viruses. What does K-ari mean? It’s a new type of virus composed of several files located on one or more computers. Those files do not have to be executable and contain parts of the virus. Those files can be processed in a specific order, nor necessary sequentially. Maybe we will see “cloud viruses” soon? Anthony explained the design of a new virus able to generate each type a new virus and gave an example written in Python. K-ary viruses changes the way anti-virus products have to perform their analyze.
Fernando Gont presented vulnerabilities found in the TCP stack and techniques to mitigate them. Based on a project realized during the last four years by the CPNI (United Kingdom’s Centre for the Protection of National Infrastructure) which analyzed the TCP and other IP protocols, several vulnerabilities were found and disclosed to CERTs and vendors. Unfortunately, sometimes not much technical details were available and it was difficult to understand which of them are real. Fernando reviewed some of them and the associated tools like Netkill, Naphta, FIN-WAIT2, … To mitigate the DoS attacks, possible counter-measures are enforcing strong policies on users and processes (example: to limit the number of ongoing connections from a single host/network at application layer or firewall). Interaction with vendors is also a key element in the process of disclosure. Fernando gave examples of vulnerabilities reported to Microsoft and Cisco, how it happened and how was the communication with such big players.
The last timeslot was dedicated to improvisation. Interested speakers players could register and the hack.lu crew randomly assigned presentations to them. They had five minutes to present them in the most funny way. Good laugh! I liked the one about “chicken, chicken, chicken” 😉
A contest will be organized every day by answering questions regarding the security landscape. Today’s question was “what’s the biggest threat of 2009 for you?”. I lost today but tomorrow will be my day!
I already uploaded a few pictures on Flickr.