As we announced a few days ago, the experts of CERT SEKOIA attended the 11th edition of Hack.lu. In this article you will find a summary of the talks and workshops we gave, as well as summaries of some of the talks we attended.
Internet Of Tchotchke (Paul Rascagneres)
Paul Rascagneres gave a keynote about the Internet of Things. He started with the presentation of the world’s first connected underwear, which contains a lot of sensors (humidity, temperature, flex, a buzzer and, finally, Bluetooth). He then presented several reverse engineering works on different kinds of hardware: a wireless doorbell, a sex toy, an ATM skimmer, an encrypted hard drive and embedded systems (Linux and Windows IoT). Finally, he showed that hardware and embedded system reverse engineering is nothing new, with plenty of real-world cases such as Cisco SYNful Knock or BIOS compromise. He concluded that hardware compromise could well be the next trend.
Totally Spies! (Paul Rascagneres, Joan Calvet and Marion Marschalek)
Paul Rascagneres, Joan Calvet and Marion Marschalek presented their work on the Babar, Casper, Bunny and Dino malware families. The presentation covered each piece of malware: its story, how it was detected, the links between them, their features, and so on. The talk finished with attribution, and the probable authorship by a French intelligence agency.
Dr. Honeypots or: How I Learned to Stop Worrying and Love My Enemies (Guillaume Arcas, Lukas Rist)
This one-day workshop introduced attendees to the history of honeypots, the different types of honeypots, what they are, how they work and what they can be used for. Once the theory and the basics were covered, attendees moved on to practice, first with Kippo (an SSH honeypot), then by writing their own 20-line HTTP honeypot in Python.
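As an added example (our own code, not the workshop's material), here is a minimal HTTP honeypot in the spirit of the one written during the workshop: it answers every request with a bland page, records the whole request as one JSON line, and treats everything the client sends as untrusted data that is stored but never interpreted. The log path, listen address, body cap and fake server banner are arbitrary choices.

```python
"""Minimal HTTP honeypot: accept any request, log it, return a bland page.
Added example, not the workshop's own code."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "http-honeypot.jsonl"        # assumed log location
LISTEN = ("0.0.0.0", 8080)              # assumed bind address and port
MAX_BODY = 1 << 20                       # cap what an attacker can make us buffer


def make_record(client_ip, method, path, headers, body, ts=None):
    """Build one JSON-serialisable log record for a request.  Everything that
    came from the client is stored as data and never interpreted or executed."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src": client_ip,
        "method": method,
        "path": path,
        "headers": dict(headers),
        "body": body.decode("utf-8", "replace"),
    }


def append_record(record, log_path=LOG_PATH):
    """One JSON object per line, so the log can be grepped or loaded later."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")


class HoneypotHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.2.22"     # fake banner: look like an old server
    sys_version = ""

    def _handle(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
        except ValueError:               # garbage header: ignore the body
            length = 0
        body = self.rfile.read(min(length, MAX_BODY)) if length > 0 else b""
        append_record(make_record(self.client_address[0], self.command,
                                  self.path, self.headers.items(), body))
        page = b"<html><body><h1>It works!</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(page)

    # Same treatment whatever the verb: we want to see everything a scanner does.
    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = _handle

    def log_message(self, *args):        # keep stderr quiet; the JSON log is the record
        pass


if __name__ == "__main__":
    HTTPServer(LISTEN, HoneypotHandler).serve_forever()
```

Run it, point `curl` at port 8080 and every request lands in `http-honeypot.jsonl`. The body cap matters: a honeypot that buffers whatever `Content-Length` announces is an easy denial-of-service target.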
How digital forensics met threat intelligence (Ronan Mouchoux and Thomas Chopitea)
During their talk, Thomas Chopitea and Ronan Mouchoux introduced the concept of Threat Intelligence as we understand it today, by presenting the process of intelligence creation: Environment -> Data -> Information -> Intelligence. They reminded the audience that “gathering intelligence” on your opponent is becoming crucial: being able to know and predict your opponent’s moves greatly reduces the cost of defending against their attacks. To that end, they used concrete examples to show exactly how threat intelligence fits into the incident response process, from preparation to lessons learned, and how dismissing it as snake oil can hurt defenders. They also presented some of the tools and processes that help DFIR practitioners collect, manage and use threat intelligence today, including their ambitions and limitations (MISP, FIR, CRITS, MITRE, Yara, OpenIOC…).
Malcom Workshop (Sébastien Larinier and Thomas Chopitea)
Malcom is an open-source tool written in Python (https://github.com/tomchop/malcom). It helps analysts understand the communications between malware samples and their C&C infrastructure by sniffing traffic or reading PCAPs, and it shares IOCs via an API.
The workshop was divided into two parts. During the first part, Sébastien Larinier and Thomas Chopitea presented Malcom’s architecture and functionalities:
– Web UI Search
– Feeds of Threat Intelligence
– PCAP analysers, netflows
– Modules: Yara, PassiveDNS, Suricata
The second part was a lab dedicated to the analysis of a CryptoWall infection from a PCAP. Attendees developed a private feed to enrich the analysis.
All the resources are available at: http://tomchop.me/slideware/malcom-workshop.zip
The event was really exciting and every talk would deserve a write-up. Below are the ones that particularly drew our attention:
Analyzing Malicious Office Documents (Didier Stevens)
During his workshop, Didier Stevens showed attendees how to use his tool “oledump”, which helps analysts examine malicious Office documents. He walked through almost thirty exercises covering the different options of the tool. He explained how to see which streams contain macros, how to select one of them and, finally, how to decompress the macro to recover the VBA code contained in the document. He also showed how to decode the contents of a stream obfuscated with a XOR, using a decoder he provides. Moreover, he explained how documents are structured and what the differences are between .doc, .docx and .mso files. It was a really interesting workshop for understanding how a document is structured and how to extract the VBA code it contains.
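The two steps above, decompressing a macro stream and probing a XOR-obfuscated stream, are worth seeing in code. The following is an added example written for this article, not oledump's own code: `decompress_vba` implements the CompressedContainer format from MS-OVBA that VBA module streams use, `compress_vba_literals` is a simplified, literal-only encoder that exists only so the example has input to decompress without needing a real document, and `find_xor_key` brute-forces the single-byte key under which a stream starts with a known header (for instance `MZ` for an embedded executable). The sample macro text and the XOR-obfuscated bytes are constructed here.

```python
"""Pulling VBA source out of a compressed module stream, plus single-byte XOR
probing.  Added example, not Didier Stevens' oledump code; the
CompressedContainer format it decodes is the one specified in MS-OVBA."""
import struct


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (what a VBA module stream
    holds at its text offset) and return the VBA source as bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("not a VBA CompressedContainer (bad signature byte)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        size = (header & 0x0FFF) + 3            # whole chunk, 2-byte header included
        if (header >> 12) & 0x7 != 0x3:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = bool(header & 0x8000)
        chunk = container[pos + 2:pos + size]
        pos += size
        if not compressed:
            out += chunk                        # stored verbatim (4096 bytes)
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]                    # one bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:      # 0 = literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]   # 1 = copy token
                i += 2
                # How the 16 bits split into offset/length depends on how much
                # of the current chunk has already been decompressed.
                done = len(out) - chunk_start
                bit_count = max((done - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > done:
                    raise ValueError("copy token points before chunk start")
                for _ in range(length):         # byte by byte: copies may overlap
                    out.append(out[-offset])
    return bytes(out)


def compress_vba_literals(text: bytes) -> bytes:
    """Build a valid CompressedContainer using literal tokens only.  Real
    encoders also emit copy tokens; this simplified one exists so the example
    has input to work on without an actual document."""
    out = bytearray(b"\x01")
    per_chunk = 3584                            # 3584 + 448 flag bytes + 2 <= 4098
    for start in range(0, len(text), per_chunk):
        piece = text[start:start + per_chunk]
        body = bytearray()
        for j in range(0, len(piece), 8):
            body.append(0x00)                   # flag byte: next 8 tokens are literals
            body += piece[j:j + 8]
        header = ((len(body) + 2) - 3) | 0x3000 | 0x8000
        out += struct.pack("<H", header) + body
    return bytes(out)


def find_xor_key(data: bytes, known_prefix: bytes):
    """Brute-force the single-byte key under which `data` begins with
    `known_prefix` (b"MZ" for an embedded PE, b"%PDF" for a PDF, ...)."""
    head = data[:len(known_prefix)]
    for key in range(256):
        if bytes(b ^ key for b in head) == known_prefix:
            return key
    return None


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    # Constructed sample macro, compressed and decompressed again.
    macro = (b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\n'
             b'    Shell "calc.exe"\r\nEnd Sub\r\n')
    print(decompress_vba(compress_vba_literals(macro)).decode())
    # Constructed XOR-obfuscated stream hiding a PE header.
    payload = xor_decode(b"MZ\x90\x00\x03\x00\x00\x00This program cannot", 0x5A)
    key = find_xor_key(payload, b"MZ")
    print("XOR key 0x%02x ->" % key, xor_decode(payload, key)[:12])
```

On a real document the compressed container does not start at byte 0 of the module stream: it begins at the module's text offset recorded in the `dir` stream, which is what oledump resolves for you before decompressing. The XOR probe only needs a couple of known plaintext bytes, so it also works when you merely suspect what kind of file is hidden in the stream.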
Key-Logger, Video, Mouse – How to turn your KVM into a raging key-logging monster (Yaniv Balmas, Lior Oppenheim)
Yaniv Balmas started by explaining what a KVM is and why it is interesting to turn one into a key logger. He then walked through how they got there: running binwalk on the firmware, analysing the serial protocol, comparing the PCB layout of two KVMs, analysing signals, and breaking the firmware's encoding, which turned out to be a ROR3 on the last 8 bytes, to finally obtain readable strings and correct disassembly. Once they understood how the firmware was structured, they were able to build their own version with key-logging functions and replace the original with it. It was a very interesting talk because Yaniv Balmas showed all the difficulties he and his colleague ran into, and their thought process for getting around them.
Unpatchable: Living with a vulnerable implanted device (Marie Moe)
Marie Moe gave her keynote to raise awareness of medical device security: she herself lives with a vulnerable pacemaker. In her talk, she explained how the heart works, what a pacemaker is and how pacemakers are monitored (pacemaker -> access point -> mobile network -> server -> website), pointing out that each step of that chain can contain vulnerabilities. She then gave some examples: default or hard-coded passwords, malicious software updates and cloud security. The potential impacts range from malfunctions and battery exhaustion to death. Marie Moe concluded that these devices are vulnerable because the software is proprietary, there are no software updates and there is no regulation, and she encouraged people to hack medical devices in order to change this situation.
They Hate Us ‘Cause They Ain’t Us – How We Broke the Internet (Netanel Rubin)
Netanel Rubin explained what secure coding is and its limits, to show that following secure coding practices does not by itself make you secure. To do so, he took five examples (MediaWiki, vBulletin, Bugzilla, Magento and WordPress) and checked each against four points commonly found in secure coding books: user input sanitisation, dangerous functions, language quirks and false assumptions. The only one that passed all four checks was WordPress; yet, with a user allowed only to read public pages, Netanel Rubin still managed to create a blog post by exploiting a race condition. His talk was very interesting and pedagogical: it reminded us which points to think about when coding and, above all, that security testing of code should be done by hackers rather than by its developers.
Binary Constraint Solving with LLVM (Sophia D’Antoine)
During her talk, Sophia D’Antoine explained how difficult it is to build a tool that automatically exploits binaries. Automatic exploitation splits into two problems: generating an input that triggers the vulnerability, and writing the code that exploits it. Sophia recalled the two ways of analysing binaries, static and dynamic analysis. Dynamic analysis comes in three flavours:
– Concrete execution, mixing fuzzing, taint tracking with Pin tools and debugging
– Symbolic execution (emulating the architecture while executing the binary on symbolic inputs)
– Concolic execution, which is symbolic execution driven by a concrete input
The aim of the tool is to traverse the binary's control-flow graph in order to find a location where a vulnerability can be triggered. Sophia showed that concolic execution is well suited to this kind of task.
Slides: http://sophia.re/AEG/index.html