Report from JSSI 2014
Report prepared by Mathieu Mauger, security consultant in the Evaluation department
Intrinsec was present this year at the 13th edition of the JSSI. This annual conference is organized by OSSIR. The theme was: "Is it still possible to protect oneself?".
This theme lived up to all its promises and provided us with very high-quality presentations. Below you will find a summary of each of the day's presentations.
For those participating in today's event, please remember to fill out the OSSIR survey regarding JSSI 2014.
Advanced Protection Techniques, or how to use APTs against APTs (Advanced Persistent Threats)
By Vasileios Friligkos & Florian Guilbert (Intrinsec)
This presentation, created by our colleagues from the Intrinsec SOC, begins with a reminder about APTs (Advanced Persistent Threats) which continue to be a hot topic in the security world. Some statistics are provided regarding intrusions and attacks suffered by companies, including:
- More than half of intrusions are detected by a third-party organization (CERT, government authorities, etc.);
- On average, it takes 243 days to detect a compromise on an information system;
- And most importantly, 78% of attacks could have been avoided thanks to simple controls.
Subsequently, several correlation scenarios were presented, along with interesting ideas for detecting potential information leaks or machine compromise, including the use of honeyfiles to protect against ransomware (for example, Riseup or Bitcrypt). The idea is quite simple: several honeyfiles are placed on the machine's hard drive. When a request to modify, delete, or rename a honeyfile is detected, the process that made the request is stopped and the computer shuts down to prevent the ransomware from encrypting further files.
Tests conducted by Intrinsec's SOC indicate that the effectiveness of honeyfiles varies depending on their location on the hard drive. In conclusion, it appears preferable to place several honeyfiles at strategic locations on the hard drive (especially user directories).
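The honeyfile check described above, as an added sketch that is not code from the presentation or from Intrinsec's SOC. It assumes a polling model, a hypothetical decoy name and constructed directories; polling only reports that a decoy was touched, whereas stopping the responsible process, as the talk describes, requires intercepting the file request itself.

```python
import hashlib
import os
import tempfile
from pathlib import Path

DECOY_NAME = "000_accounts_backup.xlsx"  # hypothetical name, sorts early in listings

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_honeyfiles(directories):
    """Write one decoy per directory; return the baseline {path: sha256}."""
    baseline = {}
    for directory in directories:
        decoy = Path(directory) / DECOY_NAME
        decoy.write_bytes(os.urandom(4096))  # unique filler content per decoy
        baseline[decoy] = _digest(decoy)
    return baseline

def check_honeyfiles(baseline):
    """Return [(path, event)] for every decoy that no longer matches the baseline."""
    alerts = []
    for decoy, expected in baseline.items():
        if not decoy.exists():
            alerts.append((decoy, "deleted_or_renamed"))
        elif _digest(decoy) != expected:
            alerts.append((decoy, "modified"))
    return alerts

def demo():
    """Constructed scenario: three user directories, only one of them is touched."""
    root = Path(tempfile.mkdtemp())
    dirs = [root / name for name in ("Desktop", "Documents", "Pictures")]
    for d in dirs:
        d.mkdir()
    baseline = plant_honeyfiles(dirs)
    # Simulate a process that rewrites and renames every file under Documents
    for f in list((root / "Documents").iterdir()):
        f.write_bytes(b"\x00" * 16)
        f.rename(f.with_suffix(".locked"))
    return [(p.parent.name, event) for p, event in check_honeyfiles(baseline)]

if __name__ == "__main__":
    for location, event in demo():
        # The response (stop the process, shut down) would hook in here
        print(f"ALERT honeyfile in {location}: {event}")
```

Only the decoy in the touched directory trips, which is why coverage depends on placing decoys in each directory worth protecting.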
Presentation materials: http://www.ossir.org/jssi/jssi2014/JSSI-Intrinsec-APT.pdf
Is TLS security just wishful thinking?
By Christophe Renard (HSC)
Christophe Renard begins his presentation by mentioning the doubt that currently exists about the security of TLS in light of the various revelations made by Snowden, but also concerning the latest weaknesses identified (notably CRIME, BEAST, iOS and its "goto fail", as well as the validation of certificates in GnuTLS).
The speaker then presented the different layers of a cryptographic system:
- Algorithms
- Cryptographic mechanisms
- Protocol
- Implementation
- Integration
- Configuration
- Operation
For each layer, Christophe details the various existing weaknesses and the areas for improvement that need to be implemented. One trend quickly emerges from his presentation: the APIs available to developers are poorly documented and complex to read.
In conclusion, TLS security is not wishful thinking, but efforts are still needed regarding implementation and integration. A rapid transition to TLSv1.2 is necessary.
Presentation materials: http://www.ossir.org/jssi/jssi2014/jssi2014-hsc-securite_tls-un_voeu_pieu.pdf
Is it still possible to secure a Windows domain?
By Arnaud Soullié, Florent Daquet & Ary Kokos (Solucom)
Solucom consultants shared their experience with penetration testing in a Windows environment. This presentation was punctuated with examples of real-world failures encountered in the field.
The presentation begins with an interesting statistic, well known to pentesters: "During an internal penetration test, the pentester obtains Windows domain administrator rights in over 90% of cases!".
Subsequently, the Solucom consultants presented us with the main weaknesses encountered, and these are, unfortunately, well-known scenarios, including:
- Using the same local administrator account on all workstations;
- Lack of segmentation and filtering of the internal network (administrative workstations on the user network for example);
- Presence of passwords in plain text in administrative scripts;
- Using domain administration accounts for inappropriate tasks (web browsing, running services, etc.).
In conclusion, securing a Windows domain is a complex task and requires mastering best practices, but also changing the administration methods encountered today.
Presentation materials: http://www.ossir.org/jssi/jssi2014/JSSI_2014__Solucom_WinSec_vf.pdf
Is it still possible to protect oneself internationally?
By Eric Barbry (Alain Bensoussan Law Firm)
A change of pace for this presentation, where Eric Barbry guides us through the intricacies of international law, particularly the compatibility of legal constraints with international contexts. The presentation begins by highlighting how businesses approach the law: compliance is not the primary objective, but rather the pursuit of maximizing risk in order to avoid sanctions. From this observation, the presenter uses the analogy of tectonic plates and volcanic formations to illustrate the situations that arise when the legal systems of different countries clash.
Eric Barbry concludes his presentation by stating that the best way to protect oneself is to comply with the common foundation of different rights (intrusion/data/evidence/protective actions/statute of limitations and secrecy).
Presentation materials: http://www.ossir.org/jssi/jssi2014/Droit_international_des_TIC.pdf
Tools and techniques for targeted attacks
By Renaud Feil (Synacktiv)
During this presentation, Renaud Feil presented the various techniques and methodology used within his company when conducting penetration tests in Red Team mode. The presentation began with a description of the context and legal aspects of certain missions, as well as the origins of security (the discovery of Buffer Overflow in 1972 and the first penetration tests in France in 1995). Renaud Feil also enriched his presentation with anecdotes, practical tools, and recommendations that can be implemented to avoid certain vulnerabilities.
Throughout the presentation, the speaker highlighted the real issue with this type of service: user awareness. Today, it's possible to make people understand that giving out their password over the phone is unacceptable. However, it still seems difficult to tell users not to open attachments or click on links in "normal" emails (for example, the human resources department receiving CVs from candidates).
Presentation materials: http://www.ossir.org/jssi/jssi2014/Synacktiv_pentest_red_team_Renaud_Feil.pdf
Implementation and implications of setting up a backdoor in a hard drive
By Aurélien Francillon (EURECOM)
Aurélien Francillon investigated the possibility of installing a backdoor in a hard drive's firmware. Several difficulties arose, such as the lack of documentation or support, which forced the project team to create a specific program for analysis. This phase took nearly a year.
Subsequently, the speaker managed to modify the firmware of his hard drive in order to intercept data read and write operations. An example of data exfiltration was presented. Interestingly, shortly after Aurélien Francillon's initial publications, an internal NSA document explained the implementation of the same type of backdoor within hard drives, regardless of the manufacturer.
The conclusion of this presentation is that it is difficult to trust embedded systems. This study has led to the development of an analysis framework specific to embedded systems: AVATAR.
Presentation materials: http://www.ossir.org/jssi/jssi2014/hdd_jssi_v4.pdf
The radio environment, which is becoming increasingly difficult to protect
By Renaud Lifchitz (Oppida)
During this conference, Renaud Lifchitz described the current state of radio security, punctuating his presentation with demonstrations such as listening to a Bluetooth headset using an onboard antenna or retrieving the GPS coordinates of airliners. The speaker quickly highlighted a complete lack of security in radio protocols, where replaying and reading unencrypted information is extremely easy. Furthermore, today it is simple to acquire radio equipment at a low cost.
In conclusion, it appears that most radio protocols suffer from poor design (lack of encryption, authentication, signatures, anti-replay mechanisms, and anti-jamming). This situation demonstrates the importance of considering security from the initial protocol design stage.
Presentation materials: http://www.ossir.org/jssi/jssi2014/jssi2014-oppida-radio.pdf
Security: From a constraint to a business lever. Lessons learned
By Bernard Olivier (Orange)
During this presentation, Bernard Olivier, using a castle analogy and with explosive energy, highlighted the various problems he encountered while developing different projects at Orange. Throughout the conference, the speaker skillfully emphasized the different security needs from both a company's and its customers' perspectives. The key issue emerging from this presentation is the necessity of integrating security into the service creation process without overcomplicating it, in order to prevent circumvention of existing protections.
In conclusion, Bernard Olivier explains the importance of implementing security tailored to specific needs. Regarding the process for improving security levels, he follows the classic approach:
- Risk analysis;
- Implementation of security functions and measures;
- Residual risk assessment;
- Conducting security audits.
Presentation materials: http://www.ossir.org/jssi/jssi2014/JSSI_2014_Orange.pdf
