Hack in Paris 2015 – Day Two
KEYNOTE: ATTACKING SECURE COMMUNICATION: THE (SAD) STATE OF ENCRYPTED MESSAGING – Thomas Roth
Since Edward Snowden's revelations, encryption of communications has become a necessity, especially in the event of civil conflict, such as in Egypt or Hong Kong.
Since PGP and S/MIME are not easy to use, Thomas Roth became interested in the security of publicly available secure communication systems that promise their users protection from the NSA.
The findings are damning: across the tested products (ProtonMail, SpiderOak, Tutanota, etc.), several vulnerabilities or implementation flaws were found. In addition to the use of non-standard cryptographic implementations, the web portals were affected by XSS or CSRF vulnerabilities that allow access to the user's private data, including their private key.
The Electronic Frontier Foundation maintains a list of tools for securing communications, rated according to several criteria; it is available at https://www.eff.org/secure-messaging-scorecard.
SERVER-SIDE BROWSING CONSIDERED HARMFUL – Nicolas Grégoire
Nicolas Grégoire told us about the various Bug Bounty programs he participates in. The main criteria for participation are: the website must be large, the security team must be good and responsive, and the payment must be fair.
The author presented several vulnerabilities identified on various websites, including Facebook and Yahoo. The presentation focused primarily on Server Side Request Forgery vulnerabilities.
This type of vulnerability can be exploited to scan the local network or all of the server's ports. The speaker then presented several ways of bypassing application firewalls using the various possible representations of an IP address. A script that generates the different existing formats is available on his website: http://www.agarri.fr/docs/ipobf.py.
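The defensive counterpart of the talk's point: a filter that compares the user-supplied host against a denylist of strings will be bypassed by the alternative encodings of the same address. The added example below (not code from the talk or from agarri.fr) canonicalizes the decimal, hexadecimal, octal and shortened dotted forms of an IPv4 address, unwraps IPv4-mapped IPv6 addresses, and only then decides whether the destination is globally routable. The helper names and the sample addresses are constructed for the example.

```python
import ipaddress


def parse_ipv4_part(s: str) -> int:
    """Parse one dotted component the way legacy resolvers do: 0x.. hex, leading-0 octal, else decimal."""
    if s.lower().startswith("0x"):
        return int(s[2:], 16)          # raises ValueError on "0x" alone
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)               # "0177" -> 127; "08" is rejected as invalid octal
    return int(s, 10)


def canonicalize_ipv4(text: str):
    """Return an IPv4Address for any of the legacy spellings (127.1, 2130706433, 0x7f000001,
    0177.0.0.1, ...), or None if the text is not an IPv4 address at all."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last component are single octets; the last one fills the remaining bytes.
    for v in vals[:-1]:
        if not 0 <= v <= 255:
            return None
    last_width = 8 * (5 - len(parts))   # bits carried by the final component
    if not 0 <= vals[-1] < (1 << last_width):
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << last_width) | vals[-1]
    return ipaddress.IPv4Address(n)


def is_safe_destination(host: str) -> bool:
    """True only for a globally routable unicast address. Hostnames return False here:
    they must be resolved first and the resolved address passed back through this check."""
    addr = canonicalize_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host.strip().strip("[]"))
        except ValueError:
            return False
        # "::ffff:10.0.0.1" is the private IPv4 address in disguise; judge the inner address.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


if __name__ == "__main__":
    # Constructed sample inputs: every spelling on the left is 127.0.0.1 or another non-public address.
    for candidate in ["127.1", "2130706433", "0x7f000001", "0177.0.0.1",
                      "0xa9fea9fe", "::ffff:10.0.0.1", "93.184.216.34"]:
        print(f"{candidate:>18} -> canonical={canonicalize_ipv4(candidate)} safe={is_safe_destination(candidate)}")
```

Canonicalizing before the allowlist check removes the whole class of encoding bypasses, but it does not address DNS-based tricks (a hostname that resolves to an internal address, or changes its answer between the check and the request); the resolved address has to go through the same check, and the connection should be made to that address rather than resolved a second time.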
FITNESS TRACKER: HACK IN PROGRESS – Axelle Apvrille
Axelle Apvrille took an interest in the Fitbit Flex bracelet and presented the work done so far.
The presentation began with a summary of several vulnerabilities impacting data privacy, such as users' sexual activity.
Then, she presented us with a state-of-the-art overview of the advances in reverse engineering the exchange protocol with the tracker, with the aim of understanding the content of the exchanged data and being able to create alternative clients.
Finally, the presentation ended with a bit of hardware hacking using the bracelet as an entropy generator.
SAP SECURITY: REAL-LIFE ATTACKS TO BUSINESS PROCESSES – Arsal Ertunga
Arsal Ertunga presented concrete examples of attacks on SAP, including the possibility of extracting credit card numbers. Securing an SAP system is complex because the attack surface it exposes is very large. We recommend reading the presentation, which was quite detailed.
ORACLE PEOPLESOFT APPLICATIONS ARE UNDER ATTACK! – Alexey GreenDog Tyurin
Oracle's PeopleSoft tool is used in most large companies for human resources management and is sometimes accessible online. As a result, a great deal of sensitive information is processed within it. After presenting the overall architecture of the solution, Alexey "GreenDog" Tyurin focused on several vulnerabilities discovered in the software.
He then focused on the SSO solution provided by Oracle within PeopleSoft, and more specifically on how the user's session cookie is created. The cookie's integrity is verified using the SHA1 hash of a string with a known structure, only one component of which is not transmitted to the user.
The proposed attack is to forge a valid administrator cookie from a standard user's cookie by brute-forcing the missing component.
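The weakness described above is structural: a plain hash over a mostly known string is only as strong as the one unknown component, and an attacker who holds a valid cookie can test candidates offline. The added example below (not PeopleSoft's mechanism and not from the talk) shows the usual remedy: the role is part of the signed payload, the tag is an HMAC-SHA256 under a server-side key of full entropy rather than a guessable component, the comparison is constant-time, and the cookie carries an expiry. The key, cookie layout and sample users are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(key: bytes, user: str, role: str, now: int, ttl: int = 3600) -> str:
    """Cookie = base64url(payload) . base64url(HMAC-SHA256(key, payload)).
    The role and the expiry are inside the authenticated payload, so they cannot be changed
    without also recomputing the tag, which requires the server key."""
    payload = json.dumps({"u": user, "r": role, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_cookie(key: bytes, cookie: str, now: int):
    """Return the payload dict if the tag is valid and the cookie is not expired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking, through timing, how many leading bytes of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None
    return data


def rewrite_role_keep_tag(cookie: str, new_role: str) -> str:
    """Build the cookie a tampering client would send: same tag, payload with the role swapped.
    Used below only to demonstrate that verification rejects it."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(b64url_decode(payload_b64))
    data["r"] = new_role
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return b64url_encode(payload) + "." + tag_b64


if __name__ == "__main__":
    # Constructed: in a real deployment the key comes from a secret store, not from the code.
    server_key = secrets.token_bytes(32)
    cookie = issue_cookie(server_key, "alice", "user", now=1000)
    print("valid   :", verify_cookie(server_key, cookie, now=1500))
    print("tampered:", verify_cookie(server_key, rewrite_role_keep_tag(cookie, "admin"), now=1500))
    print("expired :", verify_cookie(server_key, cookie, now=5000))
```

Because the key is 32 random bytes that never leave the server, the offline guessing that works against a hash over a short unknown component is no longer feasible; the only remaining way to obtain an administrator cookie is to compromise the key itself, which is why key storage and rotation matter as much as the construction.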
EXPLOITING TCP TIMESTAMPS – Veit Hailperin
Veit Hailperin revisits a well-known topic: TCP timestamps. After a brief overview of their use and the various existing attacks, he proposes a solution for enumerating the different machines behind a NAT, firewall, or load balancer based solely on TCP timestamps. A script that exploits the results of an Nmap scan is available on his GitHub page. https://github.com/luh2/timestamps
SIMPLE NETWORK MANAGEMENT PWND: INFORMATION DATA LEAKAGE ATTACKS AGAINST SNMP ENABLED EMBEDDED DEVICES – Deral Heiland and Mathew Kienow
Deral Heiland and Mathew Kienow, researchers at Rapid7, were interested in the information available via the SNMP protocol.
Currently, 7 million machines using the "public" SNMP community are accessible on the internet, according to Shodan. The authors focused particularly on routers. Indeed, 73,000 routers were found to be disclosing sometimes sensitive information on the internet.
Based on the use of the "snmpbulkwalk" command, they wrote several scripts capable of retrieving information such as email addresses, passwords, and even the private community used for machine administration. These scripts are available on their GitHub repository. https://github.com/dheiland-r7/snmp
REVISITING ATM VULNERABILITIES FOR OUR FUN AND VENDOR’S PROFIT – Alexey Osipov & Olga Kochetova
Currently, 95% of ATMs run on an outdated operating system, Windows XP. Alexey Osipov and Olga Kochetova began by summarizing the various physical (skimmer) and logical (malware) attacks against ATMs. For example, over the past two years, the Tyupkin malware has been detected primarily in the United States, Canada, and France.
Then, continuing their Black Hat 2014 work, they presented their attack through the serial or USB ports using a Raspberry Pi. This creates an access point that lets them communicate directly with the ATM and send it commands.
