hack.lu Part #2

Back from a coffee break, let’s start the next part!

Adam Laurie presented its Python library used to explore RFID devices. RFID devices becomes part of our daily life. Adam focused on ePassports. He made a demo with a passport grabbed from the audience (he had to ask several times, nobody was volunteer, don’t know why?) . A copy of the password came on screen in a few seconds. Impressive! By the way, we now know that the Senegal Ministry of Interior uses a hotmail.com e-mail address!. The next step was to write down the data on another RFID support. The original owner picture was replaced by a picture of Osama bin Laden! Fortunately, ePassports cannot be modified due to the cryptographic signature!

Next, Jean-Baptiste Bédrune presented how to analyze a network protocol. Review of the architecture, components, classification of binaries. How to get more data by turning on verbose or debugging modes. How to grab some transactions sample by using a network sniffer. The goal is to have a complete overview of the packets structure. I detached from the presentation after a few minutes… The topic was interesting but Jean-Baptiste seemed to be under stress (I don’t blame him, it should be very difficult to speak in front of ~250 top-security-guys).

Back from lunch…

Now, a presentation about identity-based firewalling presented by INL. Classical firewalls do not have a “view” of the company, they only process IP packets. New security policies have to take care of “users”: different users connected on the same IP network can have different access rights. Authentication at application level is not enough (lot of security breaches) and binding a user to an IP/MAC address is unsafe too (easy spoofing). Their product (NuFW) is connection based. Every new connection is authenticated by the originating user. No mode “IP == user” model. This system requires an authentication agent installed on all clients! In fact, it works in the same way Checkpoint’s clientsession authentication but based on open-source tools (NetFilter). This solution is sexy but in case of Internet access filtering, why not deploy a proxy-appliance also with user-authentication and much more filtering features (up-to layer 7). A nice feature is a real-time logging of all sessions. This information can be easily re-used via SQL queries and add nice SSO (“Single-Sign-On”) feature to third-party software.

Let’s continue now with Mihai Chiriac from BitDefender who presented “Anti-virus 2.0 – Compilers in disguise“. After a small review of Anti-virus history, the speaker went deeper into some assembler code to explain how malicious code works and what are the limits of the existing environment (emulation/virtualization) to reproduce virus behavior. New methods have to be used to analyze viruses code. This is clearly not my preferred domain and I trust Mihai about his topic!

Coffee break! Stay tuned…


  1. Hi Xavier,
    I’m not present, but you can meet Sébastien, which will present a lightning talk on picviz today, or Eric.

  2. Hi Pollux,
    That’s my mistake… I wrote “client” instead of “session”.
    Checkpoint provides also a session authentication (via an agent to be deployed on workstations):

    The Session Authentication Agent can be used for any service, and authenticates a particuler session by the user. When the firewall encounters a rule with Session Authentication, it tries to query the appropriate machine using the FW1_snauth service on port 261. The Agent will then automatically present the user with an authentication dialog. Session Authentication combines User and Client Authentication , since it can authenticate per session for any service.

    Are you present @ hack.lu? Can we discuss tomorrow?

  3. Checkpoint is not working the same way at all: it tries to intercept application authentication (thus has to decode the protocol, and work on a very limited subset).
    NuFW works regardless of the application, and is the only actuel solution which is not based on a captive portal (which falls in the “IP == user” case).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.