Hack In Paris 2015 – Day One

One week after SSTIC, Intrinsec was present at the 5th edition of the Hack In Paris conference, which took place this year at the Fratellini Academy in Saint-Denis.

All materials will soon be available on the conference website:


Keynote: Analogue Network Security – Winn Schwartau

Winn Schwartau is the founder of several security companies, including "The Security Awareness Company". He is particularly known for his original ideas that seek to challenge the community.

That is precisely what he is trying to do for this opening conference on a concept he defines as "Analog Security".

The idea is to draw inspiration from concepts usually associated with the analogical approach and transpose them to defense methods. Examples include:

  • Stop imagining that a security product has two states: either it lets an attack through, or it blocks it. Instead, like safe certifications, evaluate it based on the time it takes an attacker to bypass it.
  • Do not grant all privileges to a single administrative account, but rather enforce granularity in administrative actions and the associated accounts. This means that some actions will require the involvement of multiple administrators. It is therefore necessary to weight the decision-making chain based on time (default validation period) and the level of trust that can be placed in one administrator over another.
  • The concept of depth detection complements that of defense in depth. The idea here is a decentralized detection infrastructure that would provide a "score" indicating the likelihood of compromise, allowing for more nuanced action than simply considering two states: undetected attack / detected attack. One example of such an action would be reducing network bandwidth to slow down the attacker and facilitate a more thorough analysis.

In general, the principle is to play with time based on the classic: time required for the complete attack > detection time + reaction time.

There are three ways to shift this balance in the defender's favour: add delay for the attacker (security products, reduced bandwidth), reduce detection time (additional detection hardware), or reduce reaction time (accepting default validations in the multi-administrator case).

You don't hear me but your phone's voice interface does – Jose Lopes Esteves & Chaouki Kasmi

José Lopes Esteves and Chaouki Kasmi are researchers at the "Wireless Technology Security" laboratory of ANSSI.

Their presentation was a detailed version of the short presentation given by José Lopes Esteves at SSTIC and already summarized on this blog (SSTIC – first day).

The document, in French, can be downloaded from the ANSSI website:

http://www.ssi.gouv.fr/uploads/2015/06/SSTIC2015-Article-injection_commandes_vocales_ordiphone-kasmi_lopes-esteves_9giaJ0T.pdf


Copy & Pest: a case-study on the clipboard, blind trust and invisible cross-application xss – Mario Heiderich

Mario Heiderich is a security researcher at Ruhr University Bochum (RUB).

The presentation begins with a demonstration during which Mario Heiderich composes a message on the web interface of his Gmail account, copies the (apparently legitimate) content from a LibreOffice document and pastes it into his writing interface, causing a Javascript alert to appear.

To explain this behavior, he begins with a history of the clipboard and ends by detailing the attributes that made it possible. To observe the state of the clipboard, the researcher relies on Peter Büttner's ClipView application (http://sourceforge.net/projects/clipview/). The clipboard stores data in several formats ("buckets") defined by the source application, so that the copied content is interoperable with other applications. Thus, even plain text written in a notepad is copied in four different formats.

In the case of a LibreOffice or Word document, the clipboard stores the document's content in HTML format; this is the format that will be used when the text is pasted into the Gmail web interface. The idea is therefore to ensure that JavaScript code is present in the clipboard's HTML bucket.

To inject HTML code, the author relies on the names of the fonts to be used. These can be modified directly in the .odt file, which is an archive containing a styles.xml file that lists the fonts used in the document, including the "Micro Hei" font, the default font for displaying Chinese content.

However, web browsers partially filter the contents of the clipboard's HTML bucket before pasting it, making it impossible to directly inject scripts or iframes. To bypass this filter, the author leverages the `animate` attribute of SVG data and is thus able to execute code in Chrome and Firefox.

The remainder of the presentation is devoted to testing formats other than ODT. Since the DOCX format is designed similarly (an archive containing a set of files, including document.xml which specifies the fonts to be used), the technique is easily adaptable. Although PDF Reader does not create an HTML bucket, it creates an RTF bucket which Internet Explorer itself converts to HTML before copying it. Therefore, an attack is possible on this browser by directly modifying the PDF with a hexadecimal editor.

The presentation concludes with some points to consider in order to address these vulnerabilities:

  • For browser developers: improve the clipboard filters
  • For web application developers: add a filtering layer on pasted content
  • For users: do not copy just anything

The full presentation is available here: http://fr.slideshare.net/x00mario.
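Since the injection described above travels in the font declarations of the document archive, a defender can audit ODT and DOCX files for font names that carry markup characters before they reach a user. The script below is an added example written for this summary, not code from the talk or from Intrinsec: it opens the archive, parses the XML members that hold font declarations (styles.xml and content.xml for ODT, word/document.xml and word/styles.xml for DOCX; which members exist in a given file is assumed), and reports any attribute value containing `<` or `>`. The sample archive it builds is constructed inline with an inert marker in one font name.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Dict

# Archive members that carry font declarations in the two formats the talk covers.
# ODT: <style:font-face> declarations in styles.xml (and content.xml);
# DOCX: <w:rFonts> attributes in word/document.xml and word/styles.xml.
MEMBERS_TO_SCAN = ("styles.xml", "content.xml", "word/document.xml", "word/styles.xml")

# Angle brackets have no place in a font name, but would survive into the
# clipboard's HTML bucket as markup once the document is copied.
MARKUP_RE = re.compile(r"[<>]")


def _local(name: str) -> str:
    """Strip the XML namespace prefix ('{uri}name' -> 'name') for reporting."""
    return name.rsplit("}", 1)[-1]


def audit_office_archive(archive) -> List[Dict[str, str]]:
    """Scan an ODT/DOCX archive (path or file-like) for attribute values that
    contain markup characters. Only attributes are scanned: body text is
    escaped on paste, whereas font names are what the talk shows being
    copied verbatim into the HTML bucket."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(archive) as zf:
        present = set(zf.namelist())
        for member in MEMBERS_TO_SCAN:
            if member not in present:
                continue
            root = ET.fromstring(zf.read(member))
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    if MARKUP_RE.search(value):
                        findings.append({
                            "member": member,
                            "element": _local(elem.tag),
                            "attribute": _local(attr),
                            "value": value,
                        })
    return findings


def build_sample_odt() -> bytes:
    """Constructed ODT-like archive (not a document from the talk): one clean
    font declaration and one whose name smuggles an inert <b> marker."""
    styles = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-styles'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"'
        ' xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0">'
        '<office:font-face-decls>'
        '<style:font-face style:name="Liberation Serif" svg:font-family="\'Liberation Serif\'"/>'
        '<style:font-face style:name="Micro Hei&lt;b&gt;x&lt;/b&gt;" svg:font-family="\'Micro Hei\'"/>'
        '</office:font-face-decls>'
        '</office:document-styles>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("styles.xml", styles)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or [io.BytesIO(build_sample_odt())]
    for target in targets:
        for f in audit_office_archive(target):
            print(f"{f['member']}: <{f['element']} {f['attribute']}=...> contains markup: {f['value']!r}")
```

Run it with one or more document paths as arguments; with no arguments it audits the constructed sample. A clean document yields no findings; a single hit on a `font-face` name or `rFonts` attribute is enough to quarantine the file, since a legitimate font name never contains angle brackets.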

Backdooring X11 with much class and no privileges – Matias Katz

Matias Katz is the CEO of the security company Mkit Argentina.

The author started with the idea that if someone wanted to access the information on his computer, the simplest way would be to steal the computer. However, since the hard drive was encrypted, the scenario he envisioned was an aggressive theft while the computer was in use, with an unlocked session.

The first phase of his project was to create a key that would be permanently plugged into the computer and whose unplugging would lock the session. To achieve this, the author created a Python script based on D-Bus that checks every second for the presence of a USB device with the correct ID and, if the device is not present, locks the session via D-Bus.

The second phase of his project logically involved doing the same thing in reverse: unlocking a session by plugging in a device. To avoid using the USB interface, which is heavily scrutinized by antivirus software, the author relies on the headphone jack. Connecting a device to this jack is also directly reported to the system, even when the session is locked, but this port is not monitored by antivirus programs. However, since audio devices do not have a specific ID, the author modified his Python script so that it only unlocks after recognizing a specific pattern (device plugged in for 1 second, unplugged for 3 seconds, plugged in for 1 second).
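The two phases above boil down to two pieces of logic: a presence poll that locks the session the moment a known token disappears, and a matcher that recognises a timed plug/unplug sequence on a port whose devices carry no identifier. The code below is an added example written for this summary, not Matias Katz's script. It assumes Linux: device presence is read from sysfs under /sys/bus/usb/devices (vendor:product ids) instead of the talk's D-Bus query, and locking is done by calling `org.freedesktop.ScreenSaver.Lock` through `dbus-send`; both are injectable so the logic runs offline. `PlugPatternMatcher` generalises the talk's 1 s / 3 s / 1 s sequence to any list of (state, duration) segments with a tolerance.

```python
import os
import subprocess
import time
from typing import Callable, Iterable, List, Optional, Sequence, Tuple


def list_usb_ids(sysfs_root: str = "/sys/bus/usb/devices") -> List[str]:
    """Return 'vendor:product' ids of attached USB devices from sysfs (assumed
    stand-in for the D-Bus device query used in the talk)."""
    ids: List[str] = []
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return ids
    for entry in entries:
        base = os.path.join(sysfs_root, entry)
        try:
            with open(os.path.join(base, "idVendor")) as fv, \
                 open(os.path.join(base, "idProduct")) as fp:
                ids.append(f"{fv.read().strip()}:{fp.read().strip()}")
        except OSError:
            continue  # hubs/interfaces without ids, or a device that just vanished
    return ids


def lock_session_dbus() -> None:
    """Lock the session via the freedesktop screensaver D-Bus interface (assumed)."""
    subprocess.run(["dbus-send", "--session", "--dest=org.freedesktop.ScreenSaver",
                    "--type=method_call", "/org/freedesktop/ScreenSaver",
                    "org.freedesktop.ScreenSaver.Lock"], check=False)


def token_missing(attached: Iterable[str], expected_id: str) -> bool:
    """Phase one check: is the token (e.g. '1234:abcd') absent from the attached set?"""
    return expected_id not in set(attached)


def watch_token(expected_id: str,
                list_devices: Callable[[], Iterable[str]] = list_usb_ids,
                lock: Callable[[], None] = lock_session_dbus,
                sleep: Callable[[float], None] = time.sleep,
                max_polls: Optional[int] = None) -> int:
    """Poll once per second and lock as soon as the token disappears.
    Returns the number of polls performed (the lock fires on the last one)."""
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        if token_missing(list_devices(), expected_id):
            lock()
            return polls
        sleep(1.0)
    return polls


class PlugPatternMatcher:
    """Phase two: recognise a timed plug/unplug sequence on a jack with no device id.
    `pattern` is a list of (plugged, seconds) segments; a segment is closed by the
    next transition, and the pattern matches when the last len(pattern) closed
    segments agree with it within `tolerance` seconds."""

    def __init__(self, pattern: Sequence[Tuple[bool, float]], tolerance: float = 0.5):
        self.pattern = list(pattern)
        self.tolerance = tolerance
        self.segments: List[Tuple[bool, float]] = []
        self.current: Optional[Tuple[bool, float]] = None  # (state, start time)

    def feed(self, t: float, plugged: bool) -> bool:
        """Report the jack state at time t; True exactly when the pattern completes."""
        if self.current is None:
            self.current = (plugged, t)
            return False
        state, start = self.current
        if plugged == state:
            return False  # no transition, nothing to close
        self.segments.append((state, t - start))
        self.current = (plugged, t)
        return self._tail_matches()

    def _tail_matches(self) -> bool:
        n = len(self.pattern)
        if len(self.segments) < n:
            return False
        return all(s == ps and abs(d - pd) <= self.tolerance
                   for (s, d), (ps, pd) in zip(self.segments[-n:], self.pattern))
```

`watch_token("1234:abcd")` is the phase-one daemon loop; `PlugPatternMatcher([(True, 1), (False, 3), (True, 1)])` fed with timestamped jack events reproduces the talk's sequence. The tolerance is what makes a hand-timed sequence usable, and it also bounds how loosely an accidental plug/unplug can be mistaken for the pattern.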

Breaking in bad (I'm the one who doesn't knock) – Jayson E. Street

Jayson E. Street is a consultant at Pwnie Express.

The presentation is a debrief of the social engineering techniques used during his various engagements, with a recurring observation: why carry out complex technical attacks when, with a good pretext and a little politeness, one can very quickly obtain physical access to the servers of interest?

Among the examples presented, supported by photos and videos:

  • The IT technician left to wander behind the counters and asked to intervene in the server rooms of a bank in Beirut;
  • Getting a foot in the door of a US Treasury building, waiting for all employees to leave while pretending to be on the phone, then asking a member of the cleaning staff to open the doors by claiming to have forgotten his keys inside;
  • A fake TV producer preparing a report on a charity, playing on the pride of the association's employees to gain access to every door.

Bootkit via SMS: 4G access level security assessment – Timur Yunusov

Timur Yunusov is an application security researcher and a member of the SCADA StrangeLove Team.

The starting point of the presentation is the presence of 4G access points on a very large variety of equipment: ATM, SCADA, IoT, etc.

The author first explains that many operators expose GGSN (Gateway GPRS Support Node) services directly on the Internet, and develops several attack scenarios against these devices (DoS, fraud, APN recovery).

The second part of the presentation develops a scenario for attacking network equipment via SMS. Such attacks are possible on various devices that handle messages poorly (notably USB modems, used as the example here), letting the attacker take control of them. Once the USB modem is controlled, the attacker attempts to take over the computer it is connected to: the idea is to make the modem present itself as a keyboard, like a Teensy, inject keystrokes and gain control of the computer that way.

The final phase was to be devoted to attacks on JavaCards applications present on SIM cards, but the delay in the earlier parts forced the author to stop his presentation abruptly, which is a shame.

DDOS Mitigations' Epic Fail collection – Moshe Zioni

Moshe Zioni is a consultant for multinational corporations and security solution developers.

The author begins with a review of DDoS attacks and the principles of amplification and reflection. He points out that, contrary to popular belief, the majority of DDoS attacks do not rely on bandwidth saturation (53% of attacks have a throughput below 2 Gbps).

At the heart of the presentation are 10 phrases the author heard from his clients (developers of anti-DDoS solutions or multinationals configuring these same solutions on their infrastructure) during his DDoS testing. He explains why these statements are insufficient, misunderstood, or simply false.

Conclusion: As with everything in cybersecurity, before purchasing an anti-DDoS solution, it is essential to fully understand the concept of DDoS and the various realities it encompasses. Without this understanding, implementing a solution is doomed to failure.