
NoSuchCon 2014 Conference – Day 3

As part of its monitoring activities, Intrinsec attended the second edition of the NoSuchCon international conference, which took place from November 19 to 21, 2014, at the Espace Niemeyer, the headquarters of the French Communist Party (PCF) in Paris. The presentations were in English, technical and straightforward (bullshit-free).

(source: http://www.nosuchcon.org/)

We offer summaries of the various presentations from the conference: Day 1, Day 2 and Day 3 (this article).

We would also like to thank the organizers and student volunteers who managed this event very well, as well as the speakers who shared their knowledge and discoveries.

Day 3

«Reverse engineer MSP 430 device» – Braden Thomas (Accuvant)

Slides: not shown

Braden Thomas presented an object that is popular in the United States and Canada but unknown in France: the "real-estate lock box". These boxes are placed on the door handles of houses for sale and store the property keys so that authorized real estate agents can get in.

The new generation of locks can be opened contactlessly in different ways: electronic key from the manufacturer, Android or iOS application (Bluetooth) or infrared transmitter.

The speaker presented the results of his research on the security of these devices. As the vulnerabilities discovered have not yet been patched by the manufacturer (who is, however, receptive and cooperative), he chose not to broadcast his presentation.

Braden notably managed to extract the firmware of the MSP430 microcontroller used, bypassing the fuses that disable the JTAG port through a procedure called the "paparazzi attack", which requires decapping the chip and subjecting it to flashes of light.

He also discovered a hardware backdoor in the form of a resistor between two microcontroller ports: it can easily be unsoldered, or destroyed by drilling at the right spot from the outside. In conclusion, Braden reiterated that storing cryptographic secrets in a standard microcontroller, which is not designed to resist their extraction, is strongly discouraged.

«Attack on the Core» – Peter Hlavaty (Keen Team)

Slides: http://www.nosuchcon.org/talks/2014/D3_02_Peter_Hlavaty_Attack_on_the_core.pdf

Peter Hlavaty is a vulnerability researcher. His highly technical presentation was aimed at those experienced in developing kernel-level exploits. It was an opportunity to demonstrate several techniques for escalating privileges to kernel level when exploiting a vulnerability. He also introduced his framework for developing shellcodes in C++.

«Cryptographic Backdooring» – Jean-Philippe Aumasson (Kudelski Security)

Slides: http://www.nosuchcon.org/talks/2014/D3_03_Jean_Philippe_Aumasson_Cryptographic_Backdooring.pdf

Recent revelations about national computer espionage programs have cast more doubt than ever on the possible presence of backdoors in cryptographic algorithms and their implementations, backdoors that would allow government organizations to decrypt communications in the context of lawful interception.

Jean-Philippe Aumasson pointed out that it is difficult to build reliable backdoors and there is always a risk that they will be exploited by malicious individuals.

The speaker presented the desired properties of a good backdoor. In particular, he mentioned the term attributed to the NSA, NOBUS ("No one but us"), meaning that the vulnerability must be exploitable by the agency alone.

Jean-Philippe demonstrated some possibilities for designing and implementing backdoors. In conclusion: according to the speaker, inserting backdoors is easy.

«Hardware Workshop – Fun with RF remotes» – Damien Cauquil (Sysdream)

Slides, PCB file, manual: https://github.com/virtualabs/NSC14-HW

This workshop was offered during the lunch break. Damien Cauquil reviewed the mechanisms of wireless communication and demonstrated how to intercept it. The workshop focused on modifying a consumer-grade wireless doorbell system: a remote control located outside the house communicates with the doorbell, and this exchange is protected by a 6-bit code.

Damien proposed modifying the remote control to add an electronic board that implements an automatic brute-force attack on the 6 bits of the code using a component that generates a clock and a counter (to generate successive combinations). This hack is interesting because it reuses the legitimate remote control and does not require reimplementing the radio part.

«Detecting BGP hijacks in 2014» – Guillaume Valadon, Nicolas Vivet (ANSSI)

Slides: http://www.nosuchcon.org/talks/2014/D3_04_Guillaume_Valadon_Nicolas_Vivet_detecting_BGP_hijacks.pdf

The BGP protocol is used at Internet level to exchange routing information between different networks (AS: Autonomous Systems). The ASes advertise the prefixes of the IP networks they manage using this protocol, which therefore relies on trust in the received advertisements. It is thus possible to divert traffic destined for certain networks.

According to the speakers, in Europe registering an AS number and a /22 address range each cost €50 per year and allow participation in BGP exchanges.

A countermeasure exists: declare, in the "route" object of the network's WHOIS record, which AS(es) are authorized to advertise the prefix. Not all network managers do this yet, however.

Guillaume Valadon presented the methodology and results of offline analyses conducted on a year's worth of BGP traffic to detect prefix hijacks. Such analysis generates numerous suspicious events, and several techniques reduce their number to a relevant volume that can be processed manually. Approximately 10 serious hijack attempts against French operators were detected with this method during the year.

Nicolas Vivet presented how this methodology and these tools were adapted to perform real-time detection. Several concrete examples were given, including a suspected hijack of a French operator's IPv6 prefix by a Ukrainian operator which, after investigation, turned out to be the opposite: the French operator had forgotten a zero in the IPv6 prefix it was advertising!

In conclusion: traffic can be redirected, so it is important to encrypt and authenticate it. Operators must monitor BGP announcements covering their prefixes and be prepared to counterattack. Finally, operators must implement the IETF's Best Current Practices (BCPs).
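The check behind the "route" object countermeasure and the triage described above, as an added example that is not the speakers' or ANSSI's code: constructed route objects and constructed BGP announcements are compared so that only announcements whose origin AS is not authorized (including more-specific prefixes, and prefixes nobody has registered, like the missing-zero typo) reach an analyst.

```python
import ipaddress

# Constructed sample of IRR "route"/"route6" objects (assumed shape, not real data):
# registered prefix -> set of origin ASNs authorized to announce it.
ROUTE_OBJECTS = {
    "198.51.100.0/22": {64500},
    "2001:db80::/32": {64500},
}

# Constructed sample of observed BGP announcements: (announced prefix, origin ASN).
ANNOUNCEMENTS = [
    ("198.51.100.0/22", 64500),  # legitimate announcement
    ("198.51.100.0/24", 64666),  # more-specific prefix from an unknown AS
    ("2001:db80::/32", 64666),   # exact prefix, wrong origin AS
    ("2001:db8::/32", 64500),    # operator typo (a zero dropped): no route object covers it
]

def covering_objects(prefix, route_objects):
    """Return the (network, authorized ASNs) route objects whose prefix covers `prefix`."""
    # strict=False normalises stray host bits instead of aborting the whole batch.
    net = ipaddress.ip_network(prefix, strict=False)
    covers = []
    for obj_prefix, asns in route_objects.items():
        obj_net = ipaddress.ip_network(obj_prefix)
        # subnet_of() raises on mixed IPv4/IPv6 operands, so filter by version first.
        if obj_net.version == net.version and net.subnet_of(obj_net):
            covers.append((obj_net, asns))
    return covers

def classify(prefix, origin_asn, route_objects=ROUTE_OBJECTS):
    """'valid': a covering route object lists origin_asn.
    'suspicious': route objects cover the prefix but none authorizes origin_asn.
    'unverifiable': no route object covers the prefix at all."""
    covers = covering_objects(prefix, route_objects)
    if not covers:
        return "unverifiable"
    if any(origin_asn in asns for _, asns in covers):
        return "valid"
    return "suspicious"

def triage(announcements, route_objects=ROUTE_OBJECTS):
    """Group announcements by verdict so an analyst only reviews the non-valid ones."""
    report = {"valid": [], "suspicious": [], "unverifiable": []}
    for prefix, asn in announcements:
        report[classify(prefix, asn, route_objects)].append((prefix, asn))
    return report

if __name__ == "__main__":
    for verdict, items in triage(ANNOUNCEMENTS).items():
        for prefix, asn in items:
            print(f"{verdict:13} {prefix:20} AS{asn}")
```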

«Unreal mode: breaking protected processes» – Alex Ionescu (CrowdStrike)

Slides: http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

The content of this presentation was not announced before the conference: the vulnerability presented by Alex Ionescu was discovered in August but will not be patched by Microsoft until January. He therefore only received permission to present the day before, and had to omit the details.

In recent versions of the Windows operating system, administrator access no longer means unlimited access to the system: more and more features are only accessible in kernel mode, which is much more difficult to reach.

This distinction allows the creation of protected processes (see also, on this topic, the Day 2 presentation "Understanding and defeating Windows 8.1 Patch Protections: it's all about gong fu! (part 2)" by Andrea Allievi) and therefore, for example, a compartmentalized implementation of DRM mechanisms, but also processes and services that cannot be stopped, even by an administrator.

Alex explained the different levels of process signatures and privileges. For example, on a classic desktop Windows system, any program can be run, whereas on a Surface tablet, only programs signed by Microsoft can run normally.

The LSASS process, which handles authentication, can be protected to prevent the theft of its contents (for example, with mimikatz). However, Alex showed that by exploiting the Windows crash handler (Windows Error Reporting) it is possible to obtain a dump of this process and thus bypass the protection! Since the dump is that of a protected process, it is normally encrypted; however, Alex discovered a vulnerability (to be fixed in January) that allows this file to be obtained in plain text and fed to mimikatz, which still recovers the credentials.

In conclusion, the ability to protect processes in Windows 8.1 improves the overall security of the OS, but it does not protect against kernel-level attacks. The upcoming Windows 10 version will contain even more advanced features that also protect against kernel-level attackers.

«No Such Security» – Anthony Zboralski (Belua)

Slides: none

Anthony Zboralski delivered the closing keynote, in which he presented his experiences in the professional world of IT security and on security assessment missions (penetration testing, audits, etc.). He evoked a sentiment shared by several consultants in the audience through the myth of Sisyphus, condemned to repeat the same task day after day: recommendations made after penetration tests and training sessions delivered, all in vain, as year after year he rediscovered the same vulnerabilities in the companies he tested.

«Challenge Results»

Introductory slides: http://www.nosuchcon.org/talks/2014/NSC_Challenge_intro.pdf

Solution slides: http://www.nosuchcon.org/talks/2014/NSC_Challenge_solution.pdf

Nicolas Collignon and Eloi Vanderbeken presented the results of the complex, multi-skill challenge they had organized. The winner, Fabien Perigaud, was then invited to present the steps he took to solve it (including a timing attack on the processor cache to exfiltrate an RSA key!).

— Clément Notin