On the 16th of April, two of us were at the Minet Conference which was organized by students of TélécomSud Paris. During the afternoon, five conferences took place some technicals and some more oriented on global security. This article aims to make a summary of each one.
Security is not only a matter of technology – Jean-Marc Bourguignon (@fo0)
During his conference, Jean-Marc Bourguignon tried to answer this important question :
How to protect population and journalists against state monitoring into countries where human rights are flouted knowing that they are simple users and not security professionals ?
He first talked about risks and issues that journalists encounter during their mission. He gave one big example which was if journalists don’t encode their communications, they can put in danger their life, their job and also the life of their contacts. Thus, in certain situations computer security is a matter of life or death.
Unfortunately, home editorials and journalists are often not aware of this so there is a real need of sensitization. For instance, some of them say the mainstream argument “I have nothing to hide” (which is, in their case close to professional fault…) whereas if a journalist’s computer is infected it can be a huge vector of infection for his parent company.
After exposing the problematic, Jean-Marc Bourguignon gave us some advices about computer hygiene :
- Smartphones and tablets have to be secure
- When you are a journalist, you must not stay in famous hotels with all other journalists because you increase the chances to be spied
- Never let your computer into your hotel room even if you just go take breakfast thus it can not be infected or stolen
- Desactivate wifi when you got ethernet connection. Indeed, your computer broadcasts SSID where you were connected so if you connected once into your company, people who listen on the network will know where you’re working…
- Never connect to open access point, you don’t know who owns it and if he is listening or not
As a conclusion to the conference, the speaker point out the lack of sensitization in home editorials and journalism schools and said that regrettably, they put it in place when dramas happened.
Threat intelligence to the rescue of the response to incident – Thomas Chopitea (@tomchop_)
Thomas Chopitea came to conference Minet to present the process put in place during incident response and to show how threat intelligence is useful in this case.
Afer explaining what is an information, he explained the six steps of a response to incident which are :
- Direction : To handle an incident you have to ask a question and try to answer it
- Collection : Collecting all data which could answer this question
- Processing : Normalizing data (for example translation if they are in a language you don’t understand)
- Analyze : Understand issues those data can bring to the investigation
- Dissemination : To whom can we share the information ?
- Feedback : Are those informations answering the question? What could we improve to be more efficient the next time ?
Then he explained the OODA loop which is the process to apply to analyze facts faster, based on observation and decision.
In the second part of his presentation, he talked about the four categories of intelligence which are :
- Strategic : not technical information destinated to decision makers
- Tactic : attackers’ TTPs destinated to technical team
- Operational : to prevent attacks
- Technical : to react faster
To conclude, Thomas Chopitea talked about the importance of sharing the intelligence collected between different companies and explain the classification of sharings. Moreover, he pointed out that the feedback step in incident response is too often forgotten even though it’s an important one to be more efficient.
Introduction to reverse engineering – Julien Voisin
With his conference, Julien Voisin aimed to initiate people to reverse engineering more by doing demo than a theoric presentation. To do this, he started by explaining what is assembly language, how the stack works and the difference between decompilation and desassembling.
Then, he answered the question “Why people would do reverse engineering ?”. He gave us several reasons like industrial spying, bugs exploitation, bugs correction, interoperability and mainly for fun.
After he finished the presentation of reverse engineering he threw us in the heart of the matter with two demos. The first one was a demo to show how to bypass the checking of cd-rom by Age of Empire I and thus play the game without any cd-rom.
In the second one he showed us a code containing a BufferOverflow. He explained what a buffer overflow is and then exploited it to open a shell on the computer while the code was just made to enter a name.
He concluded his conference by telling us not to blindly trust softwares or constructors and to be curious of how they work.
Optimization of time search for a compromission – Alexandra Toussaint et Sébastien Larinier – Sekoia (@FliegenEinhorn, @sebdraven, @sekoia_fr)
We were at Conference Minet not only to attend the conferences but also to present our work concerning the sorting of files and how documents can be vectors of infection, espcially pdf.
Our problematic was “When you have to analyze a hard drive disk, what files do you analyze and why ?”.
We first started by enumarating which files we have to keep for analysis and why :
- Pictures : they can be used for transmit commands in the case of a c&c
- Zip : they can contains pe or files used during a compromise
- OLE (doc, xls and ppt) : they can contain malicious VBA which is a language that allows you to easily make malicious actions like opening a shell
- PE : by nature PE can execute code on the computer and it’s inevitable to analyze them to determine if they are legitimate or not
How to hijack mobile traffic when you have no money – Alexis Bonnefoi (@_haplo__)
The purpose of Alexis Bonnefoi with his conference was to show how you can sniff mobile traffic without spending too much money. He started by explaining the fourth sets composing GSM which are :
- Mobile Station (MS) : represents the mobile and the sim card
- Base Station Subsystem (BSS) divided in three parts :
- Transceiver (relay antenna)
- Controller (logical management of Base Station Subsystem such as deciding sending power of relay antenna)
- Transcoder and rate adaptation
- Network Switching Subsystem (NSS) composed by :
- Equipment identifier register
- Mobile switching center (commutation, connections management, geolocation)
- Visitor location register (temporary database about user containing authentication data, MSISDN, accessible services…)
- Home location register (operator database)
- Authentication center (identify customers and link them to their subscription)
- Detailed the three different channels :
- Broadcast Control channel (list BTS around, location area identity, identifying cell)
- Common Control Channel (broadcasts control information toward mobile stations)
- Dedicated Control Channel (send stand alone dedicated control channels)
- Operation Support Subsystem (OSS)
After this dense presentation, Alexis Bonnefoi explained which hardwares and softwares you can use to sniff mobile traffic and showed us some tricks like retrieving kc to decipher sms with gsm-receive.To conclude his talk, he said to not trust your phones because GSM is open and based on availability not security. Here you can find his slides to have more details ! -> countzero.info/gsm.pdf