SSTIC 2015 – Day Three
This post covers the third day of SSTIC 2015.
Using the pyCAF framework for configuration auditing — Maxime Olivier
This presentation follows on from the one Maxime gave at JSSI 2013 (http://www.ossir.org/jssi/jssi2013/index.shtml). PyCAF is a Python-based framework for analyzing a set of configuration files and extracting the results of interest to an auditor. Currently, the framework can only analyze configuration files from a Linux system. The tool focuses solely on the analysis side: extracting the system's configuration files is done manually and handed to the tool as a ZIP archive. Future developments include API documentation and support for network equipment. PyCAF is available on GitHub (github.com/Maximeolivier/pyCAG.git).
Analysis of MS Office documents and malicious macros — Philippe Lagadec
During this short presentation, Philippe began with a brief history of the use of malicious macros. The first macro viruses appeared in 1996 (Laroux and Melissa, for example). Between 2004 and 2013, malicious macros fell out of favor because the default disabling of macros in Office documents made them hard to use. Since Microsoft Office 2007, macros can be re-enabled in just two clicks, which has led to a resurgence of interest among attackers in this method of infection, particularly in 2014 (Dridex, Rovnix, Vawtrak, Fin4, etc.). Philippe then discussed the various actions an Office macro can perform using only native VBA functions (triggering on opening, reading or modifying document content, downloading a file, creating a file, etc.). To conceal the elements present in a malicious macro (IP address or URL, filename, etc.), attackers use code obfuscation techniques, notably splitting and concatenating strings or replacing a character with its ASCII code. Finally, the presentation concluded with a list of tools that can be used to identify malicious documents: OfficeMalScanner, Officeparser, Oledump, Olevba, and ViperMonkey.
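As an added illustration (not code from the talk or from the tools it lists), the following shows how the two obfuscation tricks described above, split-and-concatenate strings and Chr() character codes, can be undone statically to recover a hidden URL and a few other indicators; the macro text is constructed for the example.

```python
import re

# Constructed sample of an obfuscated VBA macro (not a real sample): the URL is hidden
# by splitting it into string pieces and by encoding some characters with Chr().
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim u As String
    u = "ht" & "tp://" & Chr(101) & Chr(120) & "ample" & Chr(46) & "test/" & "payload.exe"
    Call Shell(Environ("TEMP") & "\\x.exe")
End Sub
'''
# One VBA string literal or one Chr(<code>) call.
TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)')
# A run of two or more such tokens joined with '&'.
CONCAT_RUN = re.compile(r'(?:"[^"]*"|Chr\(\d+\))(?:\s*&\s*(?:"[^"]*"|Chr\(\d+\)))+')
AUTOEXEC = re.compile(r'\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b', re.I)
SUSPICIOUS = ("Shell", "CreateObject", "URLDownloadToFile", "Environ")

def deobfuscate_concat(expr):
    """Evaluate one '&' concatenation of literals and Chr() calls to a plain string."""
    return "".join(lit if code == "" else chr(int(code))
                   for lit, code in TOKEN.findall(expr))

def revealed_strings(vba_source):
    """De-obfuscate every concatenation run found in the macro source."""
    return [deobfuscate_concat(m.group(0)) for m in CONCAT_RUN.finditer(vba_source)]

def analyse(vba_source):
    """Summarise the indicators an analyst would look at before opening the file."""
    strings = revealed_strings(vba_source)
    return {
        "autoexec": bool(AUTOEXEC.search(vba_source)),        # runs on document open
        "chr_calls": len(re.findall(r'Chr\(\d+\)', vba_source)),  # obfuscation hint
        "revealed_strings": strings,
        "urls": [s for s in strings if re.match(r'https?://', s)],
        "suspicious_calls": [k for k in SUSPICIOUS if re.search(r'\b%s\b' % k, vba_source)],
    }
```

The same approach is what static extractors such as olevba automate on real documents; this version only handles the two tricks named in the talk.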
StemJail: Dynamic activity segregation for user data protection — Mickaël Salaün
StemJail's objective is to protect user data. Currently, if an application is compromised on a workstation, all of the user's data is accessible to it.
In order to compartmentalize the processes, the author chose to use namespaces under Linux.
This experimental project is available at github.com/stemjail
Hack yourself defense — Eric Detoisien
An overview of the imbalance between attackers and defenders in cybersecurity. We recommend reading the presentation slides or watching the conference video.
Between urgency and thoroughness: what techniques does the analyst have at their disposal during the investigation? — Amaury Leroy
Amaury shared his experience on the approach to take during an investigation, focusing solely on network traffic and proxy log files. First, the author suggests dividing the investigation into three steps:
- Conducting simple and effective searches (the low-hanging-fruit approach): searching for known indicators of compromise (IOCs) to determine whether the attack is already known, reducing the amount of information, and above all indexing the information;
- Monitoring the attack: it is necessary to detect the important phases, but also to continue the investigation during monitoring by refining the searches (detection of automated navigation, inconsistent SSL flows, non-standard HTTP protocol values, etc.)
- Pushing the analysis further: it can be interesting to perform statistical and periodic calculations on the collected data in order to obtain graphs and thus be able to discern trends or suspicious behaviors at a glance.
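As an added example (not the speaker's code), here is a small proxy-log triage script that walks through the three steps above on a constructed log excerpt: an IOC match for the first step, a check for non-standard HTTP values for the second, and a simple periodicity statistic on request timing to spot automated navigation for the third. The log format, the IOC list and all hosts are constructed for the example.

```python
import statistics
from collections import defaultdict
# Constructed proxy log excerpt (not from the talk): epoch seconds, client IP, host, method, status.
LOG_TEXT = """\
1000 10.0.0.5 news.example.test GET 200
1000 10.0.0.7 cdn-sync.example.test POST 200
1013 10.0.0.5 news.example.test GET 200
1147 10.0.0.5 news.example.test GET 200
1600 10.0.0.7 cdn-sync.example.test POST 200
2200 10.0.0.7 cdn-sync.example.test POST 200
2350 10.0.0.9 known-bad.example.test GET 404
2400 10.0.0.5 news.example.test GET 200
2800 10.0.0.7 cdn-sync.example.test POST 200
3100 10.0.0.9 odd.example.test XDEBUG 400
"""
KNOWN_BAD_HOSTS = {"known-bad.example.test"}   # constructed IOC list
STANDARD_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}

def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5:
            entries.append({"ts": int(f[0]), "client": f[1], "host": f[2],
                            "method": f[3], "status": int(f[4])})
    return entries

def match_iocs(entries, bad_hosts=KNOWN_BAD_HOSTS):
    """Step 1, low-hanging fruit: hits on known indicators of compromise."""
    return sorted({(e["client"], e["host"]) for e in entries if e["host"] in bad_hosts})

def nonstandard_methods(entries):
    """Step 2: non-standard HTTP protocol values, here unknown request methods."""
    return sorted({(e["client"], e["host"], e["method"])
                   for e in entries if e["method"] not in STANDARD_METHODS})

def periodic_pairs(entries, min_hits=4, max_cv=0.1):
    """Step 3: (client, host) pairs contacted at regular intervals, a sign of
    automated navigation; cv = stdev/mean of the gaps between requests."""
    times = defaultdict(list)
    for e in entries:
        times[(e["client"], e["host"])].append(e["ts"])
    found = []
    for (client, host), ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        mean = statistics.mean(gaps) if len(ts) >= min_hits else 0
        if mean and statistics.pstdev(gaps) / mean <= max_cv:
            found.append((client, host, round(mean)))   # period in seconds
    return found
```

The regular 600-second POSTs from 10.0.0.7 are flagged while the irregular browsing from 10.0.0.5 is not; on real data the thresholds and the minimum hit count need tuning per environment.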
Ultimately, after an investigation, it's important to conduct a review of the analysis to identify what worked and what didn't. This allows for the subsequent improvement of tools and methods.
IRMA: Incident Response and Malware Analysis — Alexandre Quint, Fernand Lone Sang, Guillaume Dedrie
The authors presented their tool, IRMA (Incident Response and Malware Analysis). It's a modular platform for analyzing unknown files or binaries. The principle is quite similar to VirusTotal, except that this platform is designed for internal use, thus avoiding the need to send documents to third parties. Technically, the platform consists of three modules:
- The front-end: it receives the files submitted by the user;
- The brain: it is responsible for having the analysis carried out by the probes and for collecting the results, which are then returned;
- The probes: each probe performs a specific analysis on the file. Currently, the available probes can perform an antivirus scan (20 antivirus products supported), extract metadata from the file, query VirusTotal using only the digest of the analyzed file, and query the NSRL database (http://www.nsrl.nist.gov).
In conclusion, this tool provides a private file analysis platform. The community around the project still needs to grow in order to increase the number of available probes and gather user feedback. For information, a workshop on writing probes will be held during the RMLL (https://2015.rmll.info/).
Crack me, I'm famous!: Cracking weak passphrases using freely available sources — Hugo Labrande
This short presentation focused on the possibility of cracking passwords, or rather long passphrases. Many people advocate using passphrases instead of passwords (see https://xkcd.com/936/). So is it actually possible to break passphrases easily?
To find out, the author collected phrases from Wikipedia, Gutenberg, YouTube comments, WikiQuotes, and even the RaptDict website. This gave him a dictionary of 65 million possible passwords. After a few weeks of calculations on the speaker's PC (a few hours for a modern PC), he was able to crack some interesting passwords.
In conclusion, it is possible to break known passphrases. Therefore, it is important to choose a passphrase that is not present in a known "dictionary".
Contextualized and actionable information sharing within the cyber-security community — Frédéric Garnier
Frédéric gave a very comprehensive presentation on Threat Intelligence and information sharing. We highly recommend reading the proceedings or watching the video of the conference.
Snowden, NSA: Help, journalists are taking an interest in computer security! — Martin Untersinger
Martin is a journalist at the newspaper Le Monde. His preferred topics include surveillance and freedom of expression. For the closing conference, Martin proposes a simple assessment of the post-Snowden era: two years later, what have we learned?
Snowden's revelations showed us that American intelligence services conduct mass surveillance by collecting all possible information from various sources. Nevertheless, it appears that no terrorist act has been prevented despite this system. Yet, France seems to be following the same path as the US. Facebook, Google, Yahoo, and WhatsApp are implementing measures, including communication encryption, to strengthen the privacy of their users. Furthermore, in the United States, it has been observed that 301,000 Americans are beginning to change their habits. At the end of his presentation, Martin appealed to the security experts in the assembly to engage in dialogue with journalists and, in doing so, help them raise public awareness of security and privacy issues.
