I’m back in Belgium after a few hours of driving and it’s time to give you my wrap-up of the second day. After a short night, we were back at the Chamber of Commerce in Nantes. The venue is located close to the “Maillé-Brézé“, an old French military boat converted into a museum. For some of the attendees, the night was very short: the social event was a big success! The first talks were followed with a lack of caffeine, so let’s go for a summary…
I’m in Nantes (France) for two days to attend a new conference: Botconf. As the name says, this event is dedicated to botnets and malware. The goal is to present talks about those malicious networks of computers: how to detect them, how to fight them and, finally, how to eradicate them. I received a press pass (thanks to the organizers), so here is the wrap-up of the first day!
First of all, a few words about the organization. Being also involved in the same kind of event, I really know the huge amount of work that must be accomplished to bring a security conference alive! Kudos to the team: nice venue, everything was running fine. They successfully brought 150 people from all over the world to a French city (some people came from Japan and South Africa!). Even a live stream was available for those who could not travel to Nantes. The event started with a word from the Chairman, Eric Freyssinet. Classic introduction with big thanks to the sponsors and the speakers. Eric works for the French Gendarmerie and is of course interested in botnets. The program of this first day was very intense, with thirteen slots!
My clock tower is completed! I left home yesterday at 6AM for Disneyland Resort Paris and I’m just back at 6AM. It’s too late to go to bed so I finished writing my Nuit du Hack wrap-up. This was the first time I attended this event. During the last years, I always attended Hack in Paris, which is organised at the same place the week before. The Nuit du Hack is first of all the biggest CTF contest organised in France. For this edition, more than 1300 people attended the event. It’s an impressive organisation! But before the CTF, talks are also organised during the day. Here is my quick review of them.
The contest is closed. All tickets have been assigned.
Dear readers, I’ve some gifts for you! I’m very proud (and surprised!) to have been nominated for the European Security Bloggers Awards in two categories: “Best Personal Security Blog” and “Best Security EU Twitter“. To thank you for these nominations (and first of all for reading/following me), I’ve some tickets to distribute for two nice security events in Paris (DisneyLand Convention Center).
The first one is Hack In Paris, which will be held from the 17th to the 21st of June. Then, La Nuit du Hack will follow during the weekend. Both are very good events with renowned international speakers. To give you an idea, have a look at my 2012 wrap-ups (day 1 and day 2). A first version of the schedule has already been published. The organizers provided me with 2 x 10 tickets for both conferences. It wouldn’t be fair to simply distribute them to the first comers, so here is a small contest! Answer the following question (tip: the answer is on my blog):
“After the last edition of BlackHat Europe in Barcelona, I waited for my flight back home with a good friend of mine. Who is it?”
Send your answer by email only to xavier[at]rootshell[dot]be. The following information must be provided in the mail:
- Subject: Contest HIP/NDH 2013
- My friend’s nick, Twitter or full name
- Your ticket preference (HIP, NDH or both)
Good luck! Some rules:
- Be sure to attend the conference (in Paris, June 2013) and not to waste tickets
- Travel & hotel costs are not covered and must be paid by the winners
- HIP tickets are not valid for trainings (only talks)
This year, I won’t be able to attend the conference during the week. But I will be in Paris for the weekend, see you there!
PS: Don’t forget to vote!
Yesterday, I went to Disneyland Paris! Not for a family trip but to attend a security conference. Great place, isn’t it? Everybody knows the Disney park, but the nearby hotels offer facilities to organize events. That’s what Sysdream, the organizer of Hack in Paris 2011, did. I left home very early (to avoid traffic jams) and arrived just in time to register and grab a coffee. Thanks again to Emilien for the press access!
Hack in Paris is organized like many other conferences. It is based on two days of trainings and two days of talks given by international speakers. Honestly, when I’m going to an event in France, I’m always a bit scared about their habit of organizing “Franco-Français” events (read: everything is in French). In the case of Hack in Paris, there were international speakers and all the talks were given in good English. Good point! Even the audience was a mix of people coming from several countries. What about the talks? The conference was based on a single track, one talk at a time.
The first one was about pentesting iPhone or iPad applications (based on Apple iOS) by Flora Bottaccio and Sebastien Andrivet, coming from a company based in Switzerland: ADVtools. The presentation focused on native iOS applications. They are distributed as .ipa files (in fact a zip file) and deployed as .app bundles (like on MacOS). Their executable code is encrypted (FairPlay DRM) and signed with the Apple signature. They are developed in Objective-C. Applications usually store their data in different formats:
- SQLite3 files
- plist files (property lists)
- Binary data files
How to understand how and where applications store their data? iTunes is your best friend. Every time you sync your device, a backup is performed (by default, unencrypted) with ALL the device data. You just have to analyze the backup to find interesting stuff! After this introduction, the speakers explained their methodology to pentest the applications. They perform the following steps:
- Prepare the device: jailbreak it (mandatory) and install useful tools like Cydia, gdb, netcat and tcpdump
- Prepare a workstation (recommended OS is Windows) with Burp Suite, IDA Pro, Wireshark and ADVsock2pipe (the list is very extensive)
- Prepare the network
- Perform the pentest: install the application from iTunes, perform passive reconnaissance and attack.
Two interesting tools were used during the presentation: ADVsock2pipe and ADVinterceptor. The first one is used to get a live pcap stream sent via netcat and forward it to a local Wireshark. This is useful to analyze the network traffic generated by an iPad/iPhone on a Windows workstation. The second one acts as an intercepting proxy for the DNS and HTTP(S) protocols.
This lab is very helpful to analyze the behavior of mobile applications. Live demos were performed and demonstrated how easy it is to find passwords or any sensitive data. What to conclude from this presentation?
- Lots of passwords are still stored in clear text in config files
- Every iOS application is verified by Apple (regarding ethics, battery, bandwidth, …) but they don’t check security! Do not trust Apple validation from a security point of view!
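The cleartext-password finding above is something a developer can check for in their own app’s data files before shipping. The script below is an added example (not code from the talk or from ADVtools): it walks the two storage formats listed above, plist files and SQLite databases, and flags keys or columns whose names suggest a secret (an assumed heuristic) when the stored value is not a hash digest; the sample plist and database are constructed inline.

```python
"""Scan app data files (plist and SQLite) for secrets stored in clear.
Added example, not code from the talk or ADVtools; name patterns are an
assumed heuristic and the sample inputs are constructed inline."""
import plistlib
import re
import sqlite3

# Key/column names that usually hold a secret (assumed heuristic)
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|pin", re.IGNORECASE)
# A hex digest of MD5/SHA-1/SHA-256 length counts as "already hashed"
HASH_LIKE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def looks_cleartext(value):
    """True if the value is a string that is not a recognisable hash digest."""
    return isinstance(value, str) and not HASH_LIKE.match(value)


def audit_plist(data):
    """Return (key path, value) pairs for suspicious entries in a plist (XML or binary)."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                here = f"{path}/{key}"
                if SECRET_NAME.search(key) and looks_cleartext(val):
                    findings.append((here, val))
                walk(val, here)          # nested dicts are common in preferences
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    walk(plistlib.loads(data), "")
    return findings


def audit_sqlite(conn):
    """Return (table.column, value) pairs for suspicious columns in a database."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]                 # column name
            if not SECRET_NAME.search(col):
                continue
            for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if looks_cleartext(val):
                    findings.append((f"{table}.{col}", val))
    return findings


# Constructed sample: one cleartext password, one value that is already a digest
SAMPLE_PLIST = plistlib.dumps({"username": "alice", "password": "hunter2",
                               "account": {"apiToken": "5d41402abc4b2a76b9719d911017c592"}})


def sample_db():
    """Constructed in-memory database in the shape of an app's local store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, password TEXT, pin TEXT)")
    conn.execute("INSERT INTO users VALUES('bob', 'letmein', '1234')")
    return conn
```

Run it against the files extracted from an unencrypted iTunes backup; the digest check only says a value is not obviously cleartext, not that the hashing is adequate.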
After a coffee break, Jean-Baptiste Aviat presented his tool called “Skyrack” (or ROP for the masses). ROP means “Return Oriented Programming“. Wikipedia says:
“ROP is a computer security exploit technique in which the attacker leverages control of the call stack to indirectly execute cherry-picked machine instructions or groups of machine instructions immediately prior to the return instruction in subroutines within the existing program code, in a way similar to the execution of a threaded code interpreter.”
Not being a developer, it was difficult for me to follow the in-depth information given by Jean-Baptiste. One thing is sure: he knows his topic! Even if you don’t understand how ROP works, the most important thing is to know how to protect yourself. One of the countermeasures is ASLR (“Address Space Layout Randomization“), which can be enabled for Windows applications with the Microsoft tool called EMET. Jean-Baptiste’s tool will be released soon!
After the lunch break, we started again with a very good presentation about SVG files or, more precisely, how to use them to conduct attacks. This was presented by Mario Heiderich. To summarize the presentation: everybody is aware of the risks of opening malicious PDF files? The same can be done with SVG files! Did you know that those files are supported by default in your browser?
Mario started with a presentation of SVG (“Scalable Vector Graphics“) files. Basically, they are XML files with a lot of features. The most interesting are: they can contain links, scripting & events, and inclusion of arbitrary objects. Enough to become scared! They may contain an applet, a Flash file or a PDF and are deployed using an <img>, <object> or <embed> tag, accessed directly or via CSS. Imagine a beautiful but malicious SVG file: you download it and double-click on it. This file has full access to your files/directories!
Mario performed several demos and showed how the different browsers handle malicious SVG files. The most awesome demo was an SVG file within an <img> tag. It contained a malicious PDF which started Skype and dialed a number. Brilliant!
What to conclude from this excellent talk:
- Image files do not necessarily contain only graphical information!
- The SVG format definitely needs more attention from security researchers
- How to protect ourselves against such attacks? There is a tool called SVGPurifier developed by Mario.
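Because SVG is XML, the three feature classes Mario lists (scripting and events, links, inclusion of arbitrary objects) can be stripped with a single pass over the parsed tree before a file is served or opened. This is an added example, not SVGPurifier or any code from the talk; the forbidden-element list and the “same-document fragments only” rule for references are assumptions for the illustration, and the sample SVG is constructed.

```python
"""Strip active content from an SVG document before it is served or opened.
Added example, not Mario Heiderich's SVGPurifier: it removes the feature
classes listed above (scripting and event handlers, links to script URLs,
embedded foreign objects and external resources). The element and
attribute lists are assumptions for this illustration, not a full whitelist."""
import xml.etree.ElementTree as ET

# Elements that run code, embed non-SVG content, or can rewrite other
# attributes at runtime (assumed list)
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "set", "animate"}
# Attributes whose value is a reference that may point outside the document
REFERENCE_ATTRS = {"href"}


def local(name):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(xml_bytes):
    """Return (cleaned SVG bytes, list of removed items).

    Policy: drop forbidden elements with their whole subtree, drop every
    on* event-handler attribute, and keep reference attributes only when
    they point at a fragment of the same document ("#id").
    """
    root = ET.fromstring(xml_bytes)
    removed = []

    def clean(elem):
        for child in list(elem):
            if local(child.tag) in FORBIDDEN_ELEMENTS:
                removed.append(f"element {local(child.tag)}")
                elem.remove(child)
            else:
                clean(child)
        for attr, value in list(elem.attrib.items()):
            name = local(attr)
            if name.lower().startswith("on"):            # onload, onclick, ...
                removed.append(f"attribute {name}")
                del elem.attrib[attr]
            elif name in REFERENCE_ATTRS and not value.strip().startswith("#"):
                removed.append(f"reference {value}")     # javascript:, data:, remote URL
                del elem.attrib[attr]

    clean(root)
    return ET.tostring(root), removed


# Constructed sample exercising each vector: handler on the root element,
# inline script, script URL in a link, remote object, foreign HTML, and one
# legitimate same-document reference that must survive
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
  <image xlink:href="http://example.invalid/payload.pdf" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">html</body></foreignObject>
  <use xlink:href="#shape"/>
  <rect id="shape" width="5" height="5"/>
</svg>"""
```

The removed-items list is worth logging: a stream of uploads that keep tripping the script or foreignObject rules is a detection signal, not just a sanitisation event.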
Then, Alain Zidouemba talked about rogue anti-virus programs. I was a little bit afraid of a commercial presentation when Alain started but, fortunately, it wasn’t one. He first gave some interesting facts about rogue anti-virus software. Here are some:
- Users panic when they see messages like “xxx infected files detected, click here to fix them“
- 9000 URLs and 2000 IP addresses were detected distributing rogue AV software (labs.snort.org/iplists/ is a nice list)
- Some TLDs are mainly used to distribute rogue AV, like .cc
After the introduction, the presentation switched to an analysis of the MacDefender malware, which was recently a hot topic. The rogue AV implemented a strong registration process. Interesting to know: the analysis of the C&C showed that 75% of the victims were US citizens and 27% of them used a Yahoo! email address.
The next presentation was performed by Tom Keetch. This was the presentation made during BlackHat Europe in Barcelona.
Finally, the last presentation was the one of Gary S. Miliefsky. He talked about “Proactive network security throughout vulnerability management“. The presentation started slowly and Gary spent a lot of time on security facts that everybody already knows: “Nothing is secure“. Then he spent a lot (too much?) of time explaining what CVEs (“Common Vulnerabilities and Exposures“) are. Fortunately, the next part of the presentation was more interesting. Nice tools were presented, like OVAL (“Open Vulnerability and Assessment Language“). Based on a huge XML configuration file, this tool analyzes your host. It builds a list of installed software and the associated vulnerabilities, if any. You could roughly compare it to Secunia PSI. The most important fact given during the presentation: 95% of attacks use known vulnerabilities. That’s why patching your systems and applications is so important!
This summarizes my visit to Hack In Paris. Unfortunately, I was not able to stay longer to attend the next event: La Nuit du Hack (still ongoing while writing this blog post). See you next year for sure!
A few days ago, a buzz hit the information security landscape. /. relayed a BBC article announcing that a new French decree would make hashed passwords illegal. Really? Honestly, when I read this, I also tweeted about it. For security professionals, it looks totally unacceptable! Now, the buzz seems over and I would like to come back to this announcement.
Several security professionals started discussions on forums and were curious (if not scared) about this new decree. This kind of announcement leaves no one indifferent. Several questions were raised, like:
- Will the decree make all operating systems illegal (they all store hashed passwords)?
- What about banks using smart cards to authenticate their users (storing only the user’s public key won’t be enough to decrypt the user’s data)?
An interesting thread started on the CISSPforum Yahoo! group. Unfortunately, this group is not publicly available. I asked the French CISSP who gave more details for permission to relay the information here. Thanks to Jean-Philippe for the permission to re-use his explanations.
According to many French information security people, the BBC news relayed by /. is wrong. The problem is not that passwords cannot be hashed, it’s worse: the new French law says that organizations must keep personal data for one year (data retention period). Where the BBC is right is on the fact that major online actors (eBay, DailyMotion) challenged the French law. Their request will be examined by the Council of State.
Here is Jean-Philippe’s analysis of the law: the decree asks e-service/commerce/banking providers to store a lot of personal and technical information related to their users. This information must be provided upon request during criminal investigations. When the user’s account is created, the text asks to store:
- “The connection ID;
- First and last name or corporate name;
- Postal address;
- Pseudonym(s);
- E-mail(s);
- Phone number(s);
- The last version of password, and data that enable to verify and modify it.”
The “and” continues the enumeration of the first bullet points… and does not seem to be a grammatical link between “password” and “data that…”. Well, let’s hope so!
But here is the trick – yes, a legal trick – the article ends with a VERY important sentence:
“This information (login, e-mail, password, …) must be stored – and therefore provided to law enforcement – ONLY IF the service provider used to store it“
This sentence is the most important here and it spares organizations a lot of security trouble and/or system redesign. If you are not forced to collect user information, don’t! But… if you do, you must keep it for one year! To summarize:
- If you store the user’s password in clear text (shame on you!), then you’ll have to provide it.
- If you store a hash of the password, then you’ll have to provide the hash.
- If your system uses the user’s public key for verification, then you’ll have to provide a private key escrow but, again, only if you have it.
For those who have enough patience to read legal stuff, the original text of this decree is here.
I’m back from Lille (France), where the 4th edition of “FIC” – “Forum International sur la Cybercriminalité” – was organized over two days. This was my first edition and I was pleasantly surprised: I was a bit afraid to attend an event organized in France for French-speaking people about French topics. Certainly not! It was multinational and people visiting the event came from a lot of different countries. The FIC is not a “technical” event (new exploits or new attack vectors are not presented by hackers like at common security conferences). Visitors and speakers are police departments, authorities, mayors of cities, politicians, etc., and the topics were oriented to legal aspects. There were a lot of interesting sessions and, as usual, it was difficult to attend all of them.
My first choice was an open discussion organized by the OSCE about “A comprehensive approach to cyber-security”. The OSCE (“Organization for Security and Co-operation in Europe“) is an organization which has a lot of different activities around security, and one of them is more and more cyber-security. After a presentation of the OSCE, six speakers had ten minutes each to present their view of cyber-security, ending with a questions-and-answers session. Some facts given during the talks:
- The Council of Europe is involved in a lot of projects to address the move to a trans-national dimension of cyber-crime (with a lot of jurisdiction issues).
- A good balance must be kept between security and freedom of speech.
- Problem with electronic evidence: it is often “volatile” (quick reaction needed)
- More cooperation between countries is a requirement.
Another potential issue: critical infrastructures (like power plants) are controlled by computers. They are prone to failures and human errors. But computers help us to find evidence (ex: with DNA and fingerprint databases). Cyber-crime activities occur below the radar and are automated. It’s easier to steal 100000 x 1€ instead of 1 x 100000€. A member of Scotland Yard (Keith Verralls) spoke about the operation “Mazhar” and explained how evidence was used to track criminals. Finally, the EuroISPA (“European Internet Service Providers Association“) explained the role of ISPs in the fight against online crime. The conclusions of this discussion were:
- To have a global vision of the issues.
- To keep police departments updated with new threats and new technologies.
- To never underestimate the cyber-criminals.
After a break, I followed a presentation of 2centre (“Cybercrime Centre of Excellence Network for Training, Research and Education“). This organization defines methods for training law enforcement in forensic investigations. At the moment, there are two members: the University College Dublin Centre for Cybercrime Investigation and the Université de Technologie de Troyes. But others could join in the near future (they spoke about Belgium?).
The next talk was the most interesting: fighting the download of illegal material. It started with a presentation of the current status in France (you know the famous “HADOPI” law). A member of the Japanese cyber-police explained how they fight the download of illegal files on P2P networks. I learned that the first P2P application used in Japan is “Winny“. The countermeasures applied in Japan are:
- Act amendment
- Communication (“We are watching what you are sharing”)
A representative of Advestigo explained how they track files on P2P networks using hashes. But new techniques will allow generating a fingerprint of the data (tests on video files reported a successful detection in 96% of the checks). Then, the legal aspects of the HADOPI law were explained and, of course, the major issues the authorities are facing. To summarize: it’s impossible to apply this law in a correct way. And of course, IP addresses are still the focus of debate: are they considered private data or not? But one thing is clear: they cannot identify a user with 100% accuracy.
After the HADOPI fun, a talk covered the future of the Internet (what else after the Web 2.0?). The speakers reviewed the differences between the Web 1.0 and Web 2.0 and explained that people change! And the mentality of young people is not the same as 20 years ago. Teenagers find it normal to put private pictures on Facebook and do not realize that those pictures could be used against them in a few years.
To end the day, the closing plenary conference spoke about the right to have one’s wrongdoings erased from the Web. All speakers agreed on a golden rule: the right to keep our privacy. And this must be enforced via education. Interesting statistic: in the USA, 70% of recruiters have already decided not to hire a candidate based on information found on social networks. New applications must be developed using the principle of “privacy by design”.
The talks were interesting and listening to the legal aspects of cyber-security is interesting: it changes from the classic “bits & bytes” presentations. In the main room, there were some exhibitors which presented technical solutions (I saw nice devices to perform forensic investigations on mobile phones!) or legal services. BTW, there was a huge presence of policemen in the area and on the exhibition floor. For sure, the place was safe 😉
The principle of full-disclosure is to publish all the details of a discovered security problem (a software vulnerability). By doing this, security researchers try to fight against the other principle of “Security by Obscurity”. Once a vulnerability has been found, the “normal” way of working should be to contact the developers of the affected product and give them the details to help them fix the issue. This is called “Responsible Disclosure”. Alas, we aren’t living in a perfect world and, often, it takes time to close the hole. In the worst cases, it will never be closed!
In the Full-Disclosure scenario, the security researcher contacts the software editor and, immediately after, publishes his work for the community without waiting for the editor’s feedback. In this scenario, all information is published: the vulnerability but also how to detect and exploit it. It can be immediately re-used by “black hats” for bad purposes. That’s why Full-Disclosure has always been a source of debate and is seen as a bad practice by some editors. On the other side, it forces them to do their job… so simply! How many vulnerabilities would never have been fixed without Full-Disclosure?
Are things changing in France? A tribunal in Montpellier decided that Full-Disclosure is illegal according to the following article (323-3-1 of the criminal code): «Represses the provision of equipment, instrument or computer program designed or adapted to commit violations of the automated processing of data» (translation from French by Google Translate)
Note that this law was voted and published in 2004! There was already a discussion about it on the Bugtraq mailing list. But it seems it was never applied to Full-Disclosure cases. This is really a big issue for the security researchers in France. Will Full-Disclosure move to the underground or the dark side of the force? Fortunately, only French researchers are affected (for now). Long live Full-Disclosure!
Source: dazibaoueb.fr (French article)