SSTIC 2013 – Day Three
Waking up was difficult… but here is the report of this last day of SSTIC.
«Intelligent Fuzzing of Type-2 XSS Filtered According to Darwin: KameleonFuzz» – Fabien Duchene
With the social event having run late, we had reluctantly decided to miss the first morning conference on intelligent fuzzing of Type 2 XSS. We still managed to arrive before the end of the talk and caught a few snippets of the conclusion. It seems that the tool developed can instantiate fairly powerful detection filters and improves XSS discovery when run alongside other vulnerability scanners such as w3af…
«Browser fingerprinting» – Erwan Abgrall
To continue with XSS, Erwan presents some of the results of his thesis on browser fingerprinting. We begin with a reminder of the uses of this technique on the Internet (user profiling, exploit targeting, etc.), then move on to the different types of identification that exist.
Erwan explains his approach: using XSS by analyzing browser behavior. He details his choices, the implementation of his tests, and illustrates his points with various tests.
In conclusion, fingerprinting has a future, and there is no point in trying to fight against it, as future browser developments allow access to the system at an ever-increasing level.
«Duqu vs. Duqu» – Aurelien Thierry
At 10:30, we moved on to a presentation with quite a bit of technical content, but very interesting. The speaker told us about the analysis they had carried out on Duqu.
The presentation focuses on the driver implemented within Duqu, and we discover step by step the reverse engineering work that was carried out to recreate an identical driver in C++. A brief anecdote reveals that a design flaw prevents the use of this version of the driver on 64-bit systems.
Using this recreated driver, the team was able to understand how the virus installed and launched itself. This allowed them to find a countermeasure to prevent infection of the workstation.
A demonstration of their work concluded this very interesting presentation.
«Incident Response or Some Practical Recommendations for Malware Authors» – Alexandre Dulaunoy
After a 45-minute advertising break offered by Hervé Sibert presenting their TEE solution and ARM processors equipped with TrustZone mechanisms, CERT Luxembourg certainly offered us one of the best presentations of these three days.
Alexandre offers a slightly different presentation based on feedback from experience. He decides to provide best practices to malware developers to help them avoid detection, and also to add a bit of spice for malware analysts.
A series of well-placed anecdotes and jokes kept the audience enthralled during this pre-lunch conference.
Short presentation: "The role of hosting providers in detecting compromised websites" – David Canali (Eurecom)
After the lunch break, we resumed with short presentations. The first focused on a study based on the observation that shared hosting has become widespread and is now used by millions of people. Whether for personal websites or SME sites, users are generally unaware of cybersecurity and lack visibility. Consequently, the potential attack surface is very large.
The conference aims to answer the following questions: Are hosting providers fulfilling their role? Is security enhanced on these shared platforms? Do detection systems (if they exist…) actually work?
22 hosting providers (regional and international) were selected to conduct this study. 5 intrusion scenarios were applied:
- Botnet infection;
- Data theft via SQL injection;
- Phishing kit;
- Inclusion of malicious code;
- Identity theft.
So in total 5 (tests) * 22 (hosts) = 110 tests.
The study shows that some hosting providers have preventative measures in place (e.g., URL blacklists, SQLi and XSS patterns, etc.). Approximately 30% of the attacks were reportedly blocked.
Even more amusing, only one hosting provider was able to detect an attack and issued an alert to the Eurecom team… 17 days after the tests.
One detection for every 110 attacks. The conclusion is clear: no effort is being made by hosting providers to identify obvious signs of compromise.
Short presentation: "Behavioral detection of P2P malware in a network" – Xiao Han
The speaker begins by reviewing decentralized architectures without DNS and the problems related to their analysis and detection (for example: it is not possible to operate on blacklists of domains).
After cleaning up non-P2P flows (e.g., flows preceded by a resolved DNS query or an insufficient number of failed connection attempts), their tool performs a behavioral classification by application type, then performs a further elimination of non-P2P applications.
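The pre-filtering step described above can be illustrated with a small script. This is an added example, not the speaker's tool: it implements only the first stage (dropping flows that a DNS resolution preceded, then keeping hosts with enough failed direct connection attempts) over constructed DNS answers and flow records. The time window, the failed-attempt threshold, the sample addresses and the record layout are all assumptions made here; the behavioral classification by application type that follows this stage in the presented work is not reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    """A DNS response seen on the wire: which client learned which IP, and when."""
    ts: float          # seconds (constructed timeline)
    client: str
    resolved_ip: str


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt. connected=False means it failed (no reply / reset)."""
    ts: float
    src: str
    dst: str
    dport: int
    connected: bool


# Assumed parameters: how long a DNS answer "explains" a later flow, and how many
# failed direct attempts a host needs before it is kept as a P2P candidate.
DNS_WINDOW = 60.0
MIN_FAILED = 5


def strip_dns_preceded(flows, answers, window=DNS_WINDOW):
    """Drop flows whose destination the same client resolved via DNS shortly before.

    P2P peers are typically contacted by raw IP, so DNS-explained flows are
    treated as ordinary client traffic and removed from further analysis.
    """
    index = defaultdict(list)            # client -> [(ts, resolved_ip), ...]
    for a in answers:
        index[a.client].append((a.ts, a.resolved_ip))
    kept = []
    for f in flows:
        preceded = any(ip == f.dst and 0.0 <= f.ts - ts <= window
                       for ts, ip in index[f.src])
        if not preceded:
            kept.append(f)
    return kept


def p2p_candidates(flows, answers, window=DNS_WINDOW, min_failed=MIN_FAILED):
    """Return per-host statistics for hosts whose direct (non-DNS) flows include
    at least `min_failed` failed attempts, i.e. the churn pattern of peer lists."""
    direct = strip_dns_preceded(flows, answers, window)
    by_host = defaultdict(list)
    for f in direct:
        by_host[f.src].append(f)
    result = {}
    for host, fl in by_host.items():
        failed = sum(1 for f in fl if not f.connected)
        if failed >= min_failed:
            result[host] = {
                "direct_flows": len(fl),
                "failed": failed,
                "distinct_peers": len({f.dst for f in fl}),
            }
    return result


# Constructed sample: 10.0.0.5 browses normally (DNS first, one stray failure);
# 10.0.0.9 browses once, then contacts eight peers by IP, six of which do not answer.
SAMPLE_DNS = [
    DnsAnswer(0.0, "10.0.0.5", "93.184.216.34"),
    DnsAnswer(5.0, "10.0.0.5", "198.51.100.7"),
    DnsAnswer(10.0, "10.0.0.9", "93.184.216.34"),
]

SAMPLE_FLOWS = [
    Flow(1.0, "10.0.0.5", "93.184.216.34", 443, True),
    Flow(6.0, "10.0.0.5", "198.51.100.7", 443, True),
    Flow(7.0, "10.0.0.5", "203.0.113.1", 80, False),
    Flow(11.0, "10.0.0.9", "93.184.216.34", 443, True),   # DNS-preceded, stripped
    Flow(12.0, "10.0.0.9", "203.0.113.11", 6881, False),
    Flow(12.5, "10.0.0.9", "203.0.113.12", 6881, False),
    Flow(13.0, "10.0.0.9", "203.0.113.13", 6881, True),
    Flow(13.5, "10.0.0.9", "203.0.113.14", 6881, False),
    Flow(14.0, "10.0.0.9", "203.0.113.15", 6881, False),
    Flow(14.5, "10.0.0.9", "203.0.113.16", 6881, False),
    Flow(15.0, "10.0.0.9", "203.0.113.17", 6881, False),
    Flow(15.5, "10.0.0.9", "203.0.113.18", 6881, True),
]


if __name__ == "__main__":
    for host, stats in p2p_candidates(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(host, stats)
```

Because the decision is taken per source host from its own flows, a single infected machine is enough to be flagged, which is the property the speaker highlights; the thresholds here are illustrative and would need tuning against real traffic to keep the false-positive rate low.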
The tests seem conclusive: out of 100,000 malware samples (P2P or not), the tool detected 556 P2P malware, with a false-positive rate of only 0.014%.
In conclusion, their tool appears to be effective and has the advantage of working even if only one node is infected and even if no attack is observed.
«Addressing cyber threats => detecting (attacks) and training (cybersecurity experts)» – Ludovic Mé
SSTIC 2013 concludes with a conference presented by Ludovic Mé on attack detection and cybersecurity training.
A lengthy presentation on the shortcomings of incident detection and response followed. The speaker clearly knew his subject and drew us in with his flow of words. The key takeaway was that reducing the false-positive rate is essential for increasing detection capacity. A few comments from our neighbors subtly punctuated the presentation.
Time is short, and the discussion quickly turns to security training. The observation is clear and unequivocal: the French school system is outdated and does not adequately train younger generations in IT in general, and even less so in security.
Ludovic presents his point of view and his vision of post-baccalaureate (or even pre-baccalaureate) education that would teach the vast world of information systems in a deeper way.
To conclude this presentation, the question-and-answer session turned into a series of remarks and additions from prominent members of the security community. No time was allotted for discussion; these remarks will remain as they are.
It's 4:30 PM, SSTIC is officially over, and we're leaving the Beaulieu campus. After three days of glorious sunshine, a storm breaks, unleashing a wall of rain on Rennes as we head towards the train station. Thank you for reading, thank you to the organizers and speakers… and see you next year!
By Maxime Le Metayer & Antoine David
