
NoSuchCon 2014 Conference – Day 1

As part of its monitoring activities, Intrinsec attended the second edition of the NoSuchCon international conference, which took place from November 19 to 21, 2014, at the Espace Niemeyer, the headquarters of the French Communist Party (PCF) in Paris. The presentations were in English, technical, and straightforward (bullshit-free).

(Image source: http://www.nosuchcon.org/)

We offer summaries of the various presentations from the conference: day 1 (this article), day 2 and day 3.

We would also like to thank the organizers and student volunteers who managed this event very well, as well as the speakers who shared their knowledge and discoveries.

Day 1

«Keynote: Program Synthesis in Reverse Engineering» – Rolf Rolles (Möbius Strip Reverse Engineering)

Slides: http://www.nosuchcon.org/talks/2014/D1_01_Rolf_Rolles_Program_Synthesis_in_reverse_Engineering.pdf

The opening keynote, which was quite technical, was an ideal introduction to this event: "bullshit-free, hardcore technical". Rolf Rolles presented the academic discipline of "program synthesis", whose goal is to automatically generate programs from a desired behavior (pairs of inputs and outputs). Using an intermediate language and a processor simulator, it becomes possible to automate reverse-engineering tasks. Rolf demonstrated, for example, how to automatically deobfuscate a disassembled program by generating rewriting rules on the fly.


«Your Q is my Q» – Georgi Geshev (MWR Labs)

Slides: http://www.nosuchcon.org/talks/2014/D1_02_Georgi_Geshev_Your_Q_is_my_Q.pdf

Message-queue middleware (message queuing services) enables communication between different processes via a broker, asynchronously (messages remain in the queue until they are retrieved), using either a point-to-point model (one sender, one receiver) or publish-subscribe (N senders, M recipients, the latter subscribing to the broker for the message types they want).

The vulnerabilities presented are not specific to one product: they were found in several implementations.

The vulnerabilities are as follows:

  • Configuration errors (exposed debugging services, default administration passwords, default files accessible without authentication)
  • Brute-force attack on LDAP server made easier
  • Insecure deserialization of messages
  • Executing system commands based on message content
  • SQL injection due to lack of validation before database insertion
  • XSS due to lack of encoding before insertion into the administration web pages
  • XXE due to a lax XML parser on the broker side

Many of these vulnerabilities are caused by blind trust in received messages.

The recommendations are standard:

  • On the broker side:
    • Limit the enabled protocols and keep those that support encrypted communication
    • Remove default accounts
    • Disable debugging services (JMX, RMI, JDWP, etc.)
    • Dedicated administration VLAN
    • Disable anonymous access
    • Whitelist clients by IP address
  • On the application side:
    • Validate messages rather than trusting them blindly
    • Enable protocol-level integrity checking
    • Whitelist the classes allowed when deserializing
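As an added example (not from the talk or from MWR Labs' tooling), here is the application-side "whitelist of allowed objects" recommendation applied to a Python consumer that receives pickled messages; the OrderEvent message type and the two sample messages are constructed for the illustration. Java consumers get the equivalent behaviour with an ObjectInputFilter on the ObjectInputStream.

```python
import collections
import io
import pickle
from dataclasses import dataclass


@dataclass
class OrderEvent:
    """The only message type this consumer expects (constructed example)."""
    order_id: int
    amount: float


# Allow-list: (module, class name) pairs that may be instantiated while loading.
# Anything else, including the gadget classes used by deserialization exploits,
# is refused before an instance is ever created.
ALLOWED_CLASSES = {
    (OrderEvent.__module__, "OrderEvent"): OrderEvent,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose class resolution is limited to the allow-list."""

    def find_class(self, module, name):
        cls = ALLOWED_CLASSES.get((module, name))
        if cls is None:
            raise pickle.UnpicklingError(
                f"refusing to deserialize {module}.{name}: not on the allow-list")
        return cls


def consume(raw: bytes):
    """Deserialize one message from the queue.

    Returns (True, object) when every class in the payload is allowed,
    (False, reason) when the message is rejected.
    """
    try:
        return True, RestrictedUnpickler(io.BytesIO(raw)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample messages, as the broker would hand them to the consumer.
LEGIT_MESSAGE = pickle.dumps(OrderEvent(order_id=7, amount=19.99), protocol=4)
# A message carrying a class the consumer never asked for (a harmless one here;
# a gadget-chain payload is stopped at exactly the same point).
UNEXPECTED_MESSAGE = pickle.dumps(collections.OrderedDict(), protocol=4)

if __name__ == "__main__":
    print(consume(LEGIT_MESSAGE))
    print(consume(UNEXPECTED_MESSAGE))
```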


«HomePlugAV PLC: practical attacks and backdooring» – Sebastien Dudek (Sogeti ESEC)

Slides: http://www.nosuchcon.org/talks/2014/D1_03_Sebastien_Dudek_HomePlugAV_PLC.pdf

Sébastien Dudek studied the security of PLC (Power Line Communication) devices (not to be confused with the Programmable Logic Controllers of industrial systems), which carry data over the electrical wiring.

He debunked the myth that electricity meters isolate PLC networks from one another: it is, for example, possible to see your neighbors' networks!

Sébastien wrote a Scapy layer to dissect and craft HomePlugAV protocol packets. This tool made it possible to fuzz the configuration software supplied by manufacturers, and to implement attacks that recover the devices' secret codes (which allows their configuration to be modified and possibly the firmware to be attacked).

Vulnerabilities have been discovered in the implementation of the key derivation mechanism used by a manufacturer and reused in many devices. This flaw allows the key to be easily retrieved, enabling access to an existing network. A malicious individual could thus use the internet connection of a neighbor whose setup is vulnerable. It should be noted that the Freeplugs provided by the ISP Free are not affected.


«The Nitty Gritty of Sandbox Evasion» – Rob Rachwald (FireEye)

Slides: available upon request from the speaker

More and more security tools include sandboxes for malware analysis. Malware therefore tries to bypass these sandboxes, mainly by detecting them so as to avoid performing malicious actions during the observation phase.

The four main methods (already well known to sandbox designers and users) rely on:

  • Human interactions: the malware either requires an action from the user (clicking on a dialog box) or waits for a certain number of clicks or keystrokes. A notable example was a game hidden in PowerPoint slides, designed to detect a human.
  • The configuration: pausing the malware for N+1 minutes to exceed the maximum analysis time of N minutes, waiting for a certain date, or downloading a file from the Internet (sandboxes tend to block these calls or return fake files).
  • The environment: triggering only on a specific version of the operating system, or looking for common third-party software (Acrobat Reader, Adobe Flash Player, etc.). For example, the Microsoft Office suite is rarely found in sandboxes.
  • Virtualization: detecting execution inside a virtual machine (drivers, vendor tools, communication ports, etc.).


«Quantum computing in practice» – Renaud Lifchitz (Oppida)

Slides: http://www.nosuchcon.org/talks/2014/D1_05_Renaud_Lifchitz_Quantum_computing.pdf

Renaud Lifchitz began by recalling the principles of quantum physics: wave/particle duality, the probabilistic nature of measured properties, the impossibility of measuring without fixing the state, etc.

The current state of research and equipment already allows quantum encryption to be deployed in practice over short distances (the light signal cannot be retransmitted), with security resting not on hard mathematical problems but on physical properties.

The speaker then presented the basic building blocks for constructing quantum systems: the equivalent of logic gates in electronics.

Various online (cloud) applications and services were then presented: they let amateurs build their first circuits without buying any equipment.

These factors converge to suggest that current asymmetric cryptography algorithms will be broken in the medium term (10 to 25 years). Research is therefore focused on developing new algorithms that resist these "quantum attacks".


— Clément Notin