There are more and more infosec events worldwide and it’s always nice to attend new events and meet new people. This time, it is the case with FSEC, my first visit to this security conference organized in Varazdin, Croatia. I had the honor to be invited as a speaker. This is already the seventh edition. FSEC was born thanks to the initiative of Tonimir Kisasondi. The event grew year after year and reached 470 attendees today (they reached the maximum capacity of the venue). The conference was kicked off with some words by authorities and academic people. I was also impressed by the number of journalists present to interview Tonimir! If only we could have the same interest in Belgium! About the event itself, it is based on three tracks that cover a wide range of topics, from round tables about GDPR to highly technical presentations like browser exploration. Of course, there is also a CTF. The venue is a very nice old theatre.
As usual, the event started with some keynotes. The first one was assigned to Alan Duric, the CEO of wire.com. The topic was “E2EE” or end-to-end encryption. Alan started with a review of the messaging tools that people used to communicate over the Internet (the “consumer world”). I liked the comparison of encryption with smoking in the presence of children. Twenty years ago, parents were smoking in the presence of their kids. Not because they were evil or bad parents, just because they were not aware of the risks associated with the smoke. It’s the same with encryption. In the past, people were not aware that their communications could be intercepted. Today communications are everywhere: not only people communicate but also computers (“M2M” or “Machine to machine”). Business critical data must also be protected, IoT, health data, etc… All of these must be federated with interoperability. Most of the data is stored in the cloud today. How to increase the awareness of E2EE requirements? Let’s imagine a denial of service attack against institutions from cars or video recorders. That’s not science fiction! What if big cloud players are brought down due to DDoS? Our daily life will be affected. Security must be presented and sold in the right way. It is driven by behavioral economics. Alan described three types of companies that are facing different challenges:
- To protect intellectual property (risk is industrial espionage)
- To protect client data (risk is coming with the GDPR)
- Internal information (sensitive) like political parties (risk is cybercrime)
Again, many services rely on service providers. Security and privacy are dependent on them, their practices and their ability to fight threats. Interesting question from the audience: what to do when E2EE is not implemented? Do we wait or do we go with the risks? Business can’t wait; the most important thing is to know the risks.
The second keynote speaker was Jaya Baloo, CISO of KPN. How does KPN approach security? KPN is an old company (like most telcos, they have to take into account multiple technologies, some of them being quite old). In 2012, they were hacked and realized that the question you ask yourself is not “if” but “when” you’ll be targeted. They provide critical services (emergency, airports, etc.). Their mission: keep KPN secure, reliable and trusted. Besides a classic security life cycle (“prevent – detect – respond – verify”), they also have an internal red team responsible for testing everything. As Jaya said: “They are there to hack all our sh*t!”, the message looks clear. If something is not secure, the project is simply blocked no matter what the business says. But the critical aspect for security professionals is to translate the impact to the business… What will happen in case of a successful attack? How much will it cost the organization? Jaya is known to be transparent and delivers good advice like “If your management relies on compliance, you’re in big sh*t!“. She also showed the security dashboard used by the management. Clear, simple, based on four categories: a “DEFCON” level, threat intelligence, the vulnerabilities discovered by the red team and incidents. Very nice keynote full of good advice and facts!
After lunch, I went to a session focusing on TLS: “TLS/SSL Transactions and PCI DSS, 3-D Secure, PSD2 & GDPR” presented by Predrag Kovačević. The idea was to review the status of the different TLS/SSL versions and then to see how to use them properly in different scenarios: in a PCI DSS environment, 3-D Secure and GDPR. The problem was that the talk was not in English… A good piece of advice if you have to implement TLS: OWASP has a great cheat sheet about TLS. For the organizers, if a talk is not in English, it could be interesting to indicate it on the schedule.
Then, I switched to another room to follow a presentation of the Sentinel SPS solution. This is a home router (for residential users) with many interesting features, all based on free software: Internet access, multimedia features, IoT, telephone services and the “Sentinel services”, which are:
- A classic firewall
- Network analysis
- Hash lookup
- Format parsing and analysis (check archives)
- Parental controls
- Remote management
Then, a talk that looked interesting: “HiSilicon DVR hack” by Istvan Toth. Istvan made a very didactic presentation and explained how the firmware used in many DVR boxes was vulnerable. The presentation was easy to understand. It was like a hands-on presentation. He demonstrated how to use different tools to perform reverse engineering tasks (based on IDA Pro & Python scripts or gdbserver), with a step-by-step demonstration of how to find the buffer overflow in the firmware. Nice presentation, except that Istvan was reading from his notes the whole time 😉
Then, I followed Ivan Voras who presented “Designing a private blockchain… in case you really need one”. Everybody has heard about blockchains (mainly due to the Bitcoin cryptocurrency) but not everybody knows how they work (and I’m part of this group). Only 10% of the audience seemed to know what a blockchain is (from a technical point of view). Ivan made a great introduction to the blockchain technology. Consider a blockchain as some kind of database where data are dropped into blocks. In the case of cryptocurrencies, one transaction is a block. Each new block signs the block before it. It’s immutable. But blockchains are not only used by cryptocurrencies, there are many uses. Ivan developed his own private blockchain implementation. Each block is a SQLite database. The goal is to distribute official data in a safe way. His project is called Daisy and is available here.
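As an added illustration of the “each block signs the block before it, each block is a SQLite database” idea (this is not Daisy’s code or its real format, and “signing” is simplified here to hashing the previous block), here is a minimal hash-linked chain in Python where each block’s body is a small in-memory SQLite database; the verifier also shows why a trusted head hash must be kept out of band to catch edits to the last block.

```python
import hashlib
import sqlite3
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str  # hash of the block before this one: the chain link
    rows: list  # constructed (key, value) records stored in this block

    def payload(self) -> bytes:
        # Model "each block is a SQLite database": build it in memory and serialise it.
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE records (k TEXT PRIMARY KEY, v TEXT)")
        db.executemany("INSERT INTO records VALUES (?, ?)", self.rows)
        db.commit()
        dump = "\n".join(db.iterdump())
        db.close()
        return dump.encode()

    def digest(self) -> str:
        # The hash covers this block's data AND the previous hash, so editing any
        # earlier block changes every digest that follows it.
        h = hashlib.sha256()
        h.update(self.prev_hash.encode())
        h.update(self.payload())
        return h.hexdigest()


def build_chain(batches: list) -> list:
    """Append one block per batch of records, each linked to the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, rows in enumerate(batches):
        block = Block(i, prev, rows)
        chain.append(block)
        prev = block.digest()
    return chain


def verify_chain(chain: list, trusted_head: str = None):
    """Return (True, None) if every link holds, else (False, index of the first bad block).
    Without a trusted head hash an edit to the LAST block is invisible, so keep one out of band."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False, i
        prev = block.digest()
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain) - 1
    return True, None
```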
Then, “Challenges and pitfalls of modern deep learning computer vision models” was presented by Marko Velic & Enes Deumic. Machine learning is a hot topic today and is used everywhere. We can find such technologies in security and surveillance, fraud detection, drones, self-driving cars, … After an introduction, they explained the risks that machine learning might face. Examples were based on self-driving cars. They demonstrated how the detection rate of road signs can be affected by covering some signs with stickers, etc… Interesting. Again about machine learning, tgrzinic presented his machine learning framework to analyze malware samples. The framework is called MaliO and is based on many free tools like Cuckoo.
The talk “Targeted attacks in 2017” was given by Felix Aimé. There were so many events that it’s not possible to remember all of them. Felix made a review of the last attacks and the techniques used to compromise the targets. They don’t change often and remain based on:
- Compromised installation tools
- Webmail phishing
- Compromise of suppliers
- Frontal compromise of servers
- Classic spear phishing
sva came on stage to speak about PEP or “Pretty Easy Privacy”. I saw her presentation at the RMLL in July. The goal of PEP is to help the user get rid of the complexity of PGP or S/MIME, which are known to not be the best tools in terms of usability.
Finally, the last talk of the day (not the least one) was presented by Arnim Eijkhoudt from KPN about threat intelligence: “From incident to threat response“. He also gave the same message as Felix: “Sharing is caring”. Threat intelligence is:
- Not a phase
- Formalization with some caveats
- Based on standards (STIX, TAXII, CybOX, etc.)
- Tons of players/feed/tools. All vendors have a feed
- “Hype” (which could be bad)
The goal is to find the threat common to multiple incidents and to include a risk assessment component. It must be actionable and provide input for hunting. It must, of course, be a continuous process. Arnim explained different aspects of threat intelligence and finished with a real spear phishing case that targeted KPN (but without disclosing too many details ;-). A last piece of advice: do not automatically classify phishing emails as not malicious or submit them to VT without thinking. Perform a minimum set of controls to be certain that it’s not a targeted attack!
The day ended with a party, but the music was way too loud, so I had dinner outside in a relaxed atmosphere with a friend. See you tomorrow for the next wrap-up!