BlackHat Briefings Day #2

Second briefings day always in Barcelona. For the first talks of the day, I decided in last minute to change my wishlist. I attended the presentation of Thai Duong and Juliano Rizzo called “Practical crypto attacks against web applications“. Their started from a common error in security: “encryption is not authentication”. To maintain data integrity, encrypted messages must be authenticated. This was not the smoothest choice to start the day after a (too) short night! My brain was fucked up by too much mathematics. But, I meet Thai and Juliano later during the day and had a talk with them. (Note to myself for the next conf: avoid crypto presentations after lunch or at beginning of the day)

Then, I attended a very interesting talk performed by three (!) people: Mario Vuksan, Tomislav Pericin and Brian Karney. Mario is an independent security researcher, Tomislav is the author of the book “the art of reversing”. During their talk named “Hiding in the familiar“, they demonstrate how data can be hidden in popular file formats like archives (zip, 7zip, rar, etc). This is called “steganography“. And if data can be hidden, it can be done for evil purpose. But at this time, malicious data can only be hidden in an archive and not automatically executed… until? When this will be possible, mad things will happen. At the moment, around 600 tools are already available on the Internet to perform steganography! They store data mainly into media files (pictures, videos, mp3). Data can also be hidden in SFS (“Steganography File System) like Truecrypt. The guys demonstrated a new way to hide files in archives like RAR, CAB or 7Zip. They disclosed 15 vulnerabilities which can be used for this purpose. Note that data can also by hidden on Microsoft OOXML files. They demonstrated a tool called NyxEngine which helps to analyze archive files for malicious contents. It can be compared to PDFiD which do the same for PDF files.

After the lunch, back to the last sessions for the 2010 edition! My choice was “Targeted attacks: From being a victim to counter attacking“. Andrzej Dereszowski, a forensic analyst and incident handler, performed an analyze of a targeted attack. Nice research job. He explained how a malware can be analyze to exploit its control-center. He also explained how such malwares use RAT (Remote Access Tools) to take control of the infected hosts.

“Surviving your phone: Protecting mobile communications with Tor“, by Marco Bonetti was nice. Marco created the Slackintosh distribution (Slackware for PowerPC). Tor is a well know tool which help you to keep your anonymity while connected on the Internet. But Tor is not a bullet-proof solution. Browsers become more and more complex and allow users tracking via features like geolocation. Unfortunately, I missed most of the presentation due to practical issues (see below). Just an important note about Tor on mobile phones: it’s a battery-killer application! Due to the intensive CPU usage to (de)encrypt packets.

And finally, the last talk which was on my wishlist since the schedule was published: “Virtual forensics” by Christiaan Beek. Virtualization became a buzz for a while. Everything tends to be virtualized today: servers, desktops, appliances, etc. But how to perform forensics investigation when facing a virtualized (complex) environment? Christiaan explained the issues that forensics investigators can face with virtualized servers: Not all organizations are happy to shutdown ESX servers to analyze a VM. The fact that “users” are also moving to virtualization on their desktop to hide malicious activity like terrorism. Three solution were reviewed: Citrix, VMware and Windows 7. Yeah, Windows 7 also comes with its own solution.

But maybe the most important news of the day is the vulcano eruption in Islands! A ash cloud is moving toward Europe and most airspaces have been closed. Most part of the hackers present at the conference are blocked in Barcelona!