Hello Dear Readers, my agenda is quite hot at the moment: after attending BlackHat last week in Amsterdam, I’m now in Luxembourg until Friday to attend the 10th edition of Hack.lu. The conference organized in Luxembourg has already reached a decade! Congratulations to the organizers for the event that I have been attending since 2008! It has remained in my favourite top three since the beginning for the following reasons: nice atmosphere, good sizing (not too big, not too small), and most visitors are regulars, which allows me to meet them once (or twice) a year.
As usual, the first day started with a first bunch of workshops. They are very interesting because, compared to regular talks, you’re not passively listening to the speaker but doing practical stuff to learn a new tool or protocol. My first choice was to attend a workshop about the ELK stack prepared by Christophe Vandeplas. ELK means “Elasticsearch, Logstash & Kibana” and allows you to collect, parse and store data for further processing. Christophe explained the basics of each component and how to perform forensic investigations based on ELK. I was already using ELK at home to process my logs but, honestly, Christophe gave me some ideas to improve my setup; he has a really good knowledge of this platform. Besides the workshop, he also maintains a GitHub repository with interesting content to help you in your daily ELK operations. Besides the classic usage, which is collecting logs from your infrastructure (firewalls, proxies, servers, …), ELK can also be used to perform pure forensic investigations. Christophe explained how he performs this task. The example was given with the analysis of a piece of malware. The complete path is:
Sandbox -> Pcap file -> Analysis via Suricata with generated EVE events (JSON) -> Logstash
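As an added illustration of the last hop of that path (this is my own example, not part of the original post nor of Christophe’s workshop material), here is a minimal Logstash pipeline that ingests Suricata’s EVE output. It assumes Suricata was run over the sandbox capture with `suricata -r capture.pcap -l /var/log/suricata/`, that the resulting `eve.json` lives at that path, that a local Elasticsearch listens on port 9200, and Logstash 5+ syntax for the elasticsearch output (`hosts`); the index name is a hypothetical choice.

```conf
# Added example: Logstash pipeline for Suricata EVE JSON (not from the original post).
# Assumes: suricata -r capture.pcap -l /var/log/suricata/   (writes eve.json there)
input {
  file {
    path => "/var/log/suricata/eve.json"
    codec => "json"                 # each line of eve.json is one JSON event
    start_position => "beginning"   # forensics: read the whole file, not only new lines
    sincedb_path => "/dev/null"     # forget the read position so a re-run re-ingests everything
  }
}

filter {
  # Use Suricata's own timestamp rather than the ingestion time,
  # so the Kibana timeline reflects when the traffic actually happened.
  date {
    match => ["timestamp", "ISO8601"]
  }

  # Tag alerts separately; flow/http/dns/tls/fileinfo events remain searchable too.
  if [event_type] == "alert" {
    mutate { add_tag => ["suricata_alert"] }
  }

  # Optional GeoIP enrichment, skipped for RFC 1918 destinations.
  if [dest_ip] and [dest_ip] !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
    geoip { source => "dest_ip" }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # One index per case keeps a malware analysis separate from production logs.
    index => "suricata-case01"       # hypothetical index name
  }
}
```

Start it with `logstash -f suricata-eve.conf` and filter on the `suricata_alert` tag in Kibana to get the alert view; the `http`, `dns` and `fileinfo` event types from the same capture give the surrounding context (requested hosts, resolved names, dropped files) without a second parsing tool.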
The next workshop was the one by my friend Didier Stevens & myself about Cisco forensic investigations. We gave this workshop for the first time during BruCON and we were invited to give it again in Luxembourg. If you did not attend those conferences, don’t forget that we offer an online lab which allows you to perform the exercises proposed during the workshop. Two sessions were organized today and the first one was fully booked.
After the workshop, I joined the main room to attend the last talks of the day. I caught the last minutes of “Bypassing sandboxes for fun… Profit will be realized by sandbox vendors” by Paul Jung. Today vendors are using sandboxes in more and more products and claim that they are the best way to analyse the behaviour of malicious applications. But this remains a “cat & mouse game“. Malware developers have techniques to detect when their code is executed in a sandbox but also to evade this “secure” environment. I attended only the last 10 minutes of the talk, which looked very deep and technical.
The next talk was presented by a French guy, Serge Guelton. He presented research about Python: “Python code obfuscation: improving existing techniques“. Serge explained the different techniques that can be used to obfuscate Python code. For each technique, he reviewed the pros & cons. There can be multiple reasons to do this; a good example is the Dropbox client, which is written in Python.
Finally the day ended with a very long presentation by Xeno Kovah about “Extreme privilege escalation on Windows 8 / UEFI systems“. For sure, the word “extreme” was a good choice. Xeno explained that, once a machine has been compromised, we can go further and we expect:
- More power
- More persistence
- More stealth
The talk explained in depth how the BIOS of a machine can be accessed from the operating system and also compromised. The day ended with a nice walking dinner with all the attendees and many interesting conversations with peers. I apologize for the lack of coverage of this first day; tomorrow should be more complete! Stay tuned!
Oh, by the way, this year Hack.lu implemented the same kind of wall of sheep as BruCON: