Crime Scene

FSEC 2017 Wrap-Up Day #2

Here we go with a quick wrap-up of the second day. It started smoothly around 09:00 and was dedicated to more technical talks. After some refill of coffee, I was ready to follow all talks presented in the main track.

It started with LiveOverflow who presented “Play CTF“. CTF games (“Capture The Flag”) are present on the schedule of many infosec conferences but can also be independent events. The idea of the talk was original. It started with a short definition: They are security competitions with challenges that you must solve to find the “flag”. Sometimes, I’m playing CTF games but it’s always a dilemma. If you play, you don’t follow tracks (and I can’t write my wrap-ups!). Playing CTF is a great way to learn to hack. That’s what demonstrated Fabian in his talk. CTF’s are also a great to learn new technologies because it’s always changing. (example: many developers switched from PHP to Node.js). Challenges are usually based on typical vulnerabilities but you must be creative to solve them. They are often weird and do not always reflect the real world. So be prepared to fail :). The second part of the talk was more technical with examples of challenges. I like the one based on an issue present in Python 2 and how it compares objects. The second example was a format string vulnerability and finally a Python sandbox evasion. A very nice talk to start the day! If you’re interesting, you can find many CTF’s on a common agenda on ctftime.org.

The second slot was mine. I presented my overview of webshells from an HTTP protection perspective. Here are my slides:

Then, Ryan Lackey presented “The trouble with updates“. This is a fact, to be better protected against software vulnerabilities, patching is the key! Today, most operating systems and software have automatic update features but it’s not always for the good. Indeed, a few times a year, we read some bad news about a patch that broke a system or makes it less stable. But automatic installation also means that some bad code can be automatically injected into a system. What if the patching process is compromized? There was already several papers released about Microsoft WSUS! Some people also recommend to not install patches automatically. Certainly not on production systems. In this case, a best practice is to deploy the patches on a test system first to ensure that everything runs smoothly.

 

The next presentation was about “The status of web browsers VS DOM fuzzing” by Ivan Fratric (from the Google Project Zero). DOM or “Document Object Model” used in web browsers has been an interesting target for a while. A classic technique to find bugs in software is fuzzing. Ivan’s presentation reviewed how modern browsers are protecting themselves against fuzzing. Ivan explained how he developed his fuzzer and successfully used it to discover a lot of vulnerabilities. And guess what? All major browsers suffered from vulnerabilities.

I really expected a lot of the next talk about AutoIT by Vanja Svajcer from Cisco/Talos: “Hiding malware payloads with AutoIT”. A few days ago, I wrote a diary about AutoIT based malware. Vanja started with a nice introduction about AutoIT. This tool exists for years but seems to be back on stage. It’s a BASIC alike scripting language that can perform GUI automation and testing, can load external UDF (“User Defined Function, …). Of course, like any other languages, the code is never released as is, it is usually heavily obfuscated (variables and functions are renamed, junk code is inserted, strings split, etc…). It is even possible to inject the payload into an existing process. After the introduction, Vanja focused on a specific sample and explained how it infects the victim’s computer.

During the lunch break, I attended the lightning call session. A lot of interesting stuff and, amongst others, a quick presentation of Taler was performed by Sva. Taler is an alternative electronic payment system still under development. If you’re interested, check this website.

There was no talk foreseen in the afternoon, just the closing session and the results of the CTF. We spent the rest of the day chatting around some drinks under a nice weather. Yes, networking is also important during security conferences. This wraps up my first visit to FSEC. This is a nice event and the country looks nice. You can add put it on your wish-list of conferences to attend next year!

Leave a Reply

Your email address will not be published. Required fields are marked *