SSTIC, users and the internet
Two weeks ago, the SSTIC conference took place in Rennes. This major security conference opened with a first day that offered a diverse range of topics, from dynamic debugging and password cracking to XSS and client-side attacks. After an interesting discussion on security mechanisms (particularly isolation) and an overview of BitLocker's operation, two presentations showcased .NET and XSSF exploits.
The SSTIC was thus opened by Joanna Rutkowska, who presented the results of her work on client workstation security. Generally speaking, workstation security encompasses three approaches:
- The reactive approach, which essentially covers antivirus software, protection against exploit code, and the excessive application of patches;
- The safety of the languages used and, more generally, of application development, which requires great rigor;
- Finally, the separation and isolation of the different components in order to restrict each of them as much as possible.
After a long introduction on fairly generic concepts, she presented Qubes, a proof-of-concept OS that isolates applications from one another through virtualization.
As seen in recent attacks, users are increasingly being targeted directly, either for their data or for their access to internal parts of the information system, and the combination of client-side attacks, phishing, and social engineering is proving highly effective. This year's SSTIC conferences confirm this trend.
Indeed, the presentation on exploiting Silverlight, the (future) competitor to Flash, showed very stable exploits: in most cases they are not sandboxed, and the code runs inside the .NET framework, sheltered from ASLR.
The demonstrations of the XSSF framework were just as telling. Besides its deep integration into Metasploit (as opposed to BeEF), it presents interesting XSS pivoting techniques, but also new avenues for more advanced exploitation of smartphones, where the browser has extensive access to other components such as contact directories, the file system, etc.
On the last day, a presentation surveyed the different XSLT engines. This overview concluded by presenting both client-side and server-side exploitation of the various engines on the market. These engines often lack any particular protection and allow very advanced interaction with the underlying system. It is therefore possible to launch attacks directly against users' browsers, as well as against servers.
Eric Bardry's excellent guest lecture also addressed the legal implications for companies when user data is affected by a cyberattack. The trend is toward stricter penalties for companies when adherence to best practices could have prevented the incident. For example, a company may be required to individually inform all individuals whose data may have been affected by a security incident. Nevertheless, the law encourages companies to be proactive in security matters, and the most severe penalties can be waived if they demonstrate that they have implemented improvements following an incident.
Of course, SSTIC included its share of talks, some of which were impressive for the amount of work done by the speakers (for example, the talk on the KBC custom shop), or surprising in the results presented. Thus, Graham Steel informed us that on most of the hardware tokens implementing PKCS #11, it was possible to extract private keys, even from major vendors. This is disconcerting, given the cost of deploying such security solutions.
We won't go over all the conferences, which were all of high quality, including the famous "rump session." But at the end of these three days, Hervé Schauer took the microphone for the closing conference. And after some lofty philosophical pronouncements, particularly on the balance between security and freedom, he abruptly (perhaps a little too abruptly) returned to the realities of our profession and the difficulty of raising awareness. He nevertheless concluded on a positive note, emphasizing the need to persevere and push for improvements in information systems.
See you next year!
