
Hack In Paris 2017

Intrinsec attended the 7th edition of the Hack In Paris conference, preceding the Nuit du Hack, at the conference center of the Newport Bay Club hotel in Disneyland Paris.

All conference materials should soon be available on the conference website: https://hackinparis.com/archives/2017/

The presentation videos are available on YouTube: https://www.youtube.com/playlist?list=PLaS1tu_LcHA8yOrGuyvBIJjEO87-vXQG2

Strategies on Securing banks & enterprises – Jayson E. Street

Jayson E. Street is a security expert at Pwnie Express who gives numerous talks around the world.

During his presentation, he demonstrated how easy it was to conduct reconnaissance (both passive and active) to develop social engineering attacks on employees of large companies.

Throughout his presentation, he detailed how to obtain highly specific information by navigating various external databases (DNS, whois, shodan, etc.) and social networks (professional or otherwise). With just a few searches, Jayson developed a very plausible targeted phishing scenario.

His presentation also provided an opportunity to revisit the challenges of risk management within companies. Most executives believe they are immune to all risks: "It's never going to happen to me [when it comes to security]," which gives pause for thought.

Ventrilock exploring: voice-based authentication systems – Chaouki Kasmi & José Lopes Esteves

Chaouki Kasmi and José Lopes Esteves are two researchers at ANSSI. They presented their work on voice-based authentication methods (with a focus on Siri, Google Now and S-Voice).

After introducing us to the risks and impacts that the misuse of such systems could have, the two researchers detailed the physical and mathematical analysis methods they used to perform speech recognition (voice modeling, parameter extraction, voice non-linearity, frequency analysis method, etc.).

They then presented 3 black-box attack scenarios on these systems:

  1. "Speaker impersonation": the attacker hears their target's voice, records it, and then submits it multiple times to the phone's authentication service to refine the model to their advantage. They made the strange observation that Siri's model evolved before authentication, thus allowing the model to be refined until the phone authenticated the recording by submitting it a large number of times.
  2. "Reconstruction": the attacker knows the keyword (e.g., "OK Google") and has a snippet of the victim's voice. They are thus able to reconstruct the keyword from the phonemes in the victim's voice. The demonstration shows the phone being unlocked despite a sound inaudible to a human.
  3. "Keyword composition": the attacker possesses snippets of voices from people saying the keyword. They are able to mix these snippets to authenticate themselves on the phone. The most interesting aspect of this is that the legitimate voice doesn't have to be in this mix. However, they were unable to explain this observation.

Finally, they pointed out that these results should be taken with a grain of salt and that they cannot be generalized given the black-box analysis method.

After presenting several countermeasures (preventing brute-force attacks, adding entropy with a challenge/response mechanism, strengthening the model, etc.), they concluded that advancements in voice recognition are not yet mature enough. Therefore, using voice as the sole authentication method on a phone is not recommended!

Internet of compromised things: methodology and tools – Damien Cauquil

Damien Cauquil is a security researcher at Econocom – Digital Security. His research often involves investigating proprietary IoT devices whose protocols are little known or unknown, and whose documentation is often very limited or even nonexistent. Reverse engineering these devices is time-consuming and expensive, especially if they employ complex protection mechanisms (military-grade encryption, etc.). He therefore presented a collaborative platform dedicated to sharing and gathering information and techniques (TTP) on these devices: the Hardware Forensic Database (HFDB).

Sharing and collaboration are welcome!

The forgotten interface: Windows named pipes – Gil Cohen

Gil Cohen, CTO of Comsec Global, presented Windows Named Pipes and their characteristics. He introduced the IONinja tool, which allows users to read data transmitted through these named pipes. Because this information is accessible by default to any anonymous user on the network (it's not just accessible locally!) and is unencrypted, it can be exploited by an attacker.

By fuzzing certain named pipes, Gil Cohen showed that he could crash two applications that use named pipes: qBitTorrent and SugarSync. Unfortunately, the demonstration did not show whether it was possible to achieve remote code execution through this mechanism.

Beyond OWASP Top 10 – Aaron Hnatiw

Aaron Hnatiw is a security researcher at Security Compass.

In his presentation, he discussed the need to go beyond the OWASP Top 10 when assessing the security of web applications. To illustrate this, he presented three other types of vulnerabilities with concrete examples of exploitation:

  • HTTP Parameter Pollution (CWE-235)
  • Overly Permissive Regex (CWE-625)
  • Server-Side Request Forgery (CWE-918)
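
As an added illustration (not code from the talk or from the original post), the following small checks show the defensive side of the three vulnerability classes listed above; the function names, the host allow-list and the sample inputs are constructed for this example.

```python
"""Added example: input-handling checks for HTTP Parameter Pollution
(CWE-235), Overly Permissive Regex (CWE-625) and SSRF (CWE-918).
All names and values here are hypothetical, constructed for illustration."""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# CWE-235: a query string such as "id=7&id=9" carries two values. Frameworks
# differ on whether "the" value is the first or the last one, so a strict
# reader refuses the ambiguity instead of letting two layers see two ids.
def strict_param(query: str, name: str) -> Optional[str]:
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        return None          # missing or polluted: treat as absent
    return values[0]

# CWE-625: re.match only anchors at the start, so "alice;rm -rf /" passes a
# "letters only" check. fullmatch requires the whole string to match.
USERNAME_RE = re.compile(r"[a-z]{3,16}")

def username_ok_loose(name: str) -> bool:
    return USERNAME_RE.match(name) is not None      # permissive (weak)

def username_ok_strict(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None  # anchored both ends

# CWE-918: a fetch-by-URL feature must reject unexpected schemes, hosts
# outside an explicit allow-list and any literal address in a loopback,
# private or link-local range (cloud metadata endpoints live there).
ALLOWED_HOSTS = {"api.example.com"}   # constructed allow-list

def safe_outbound_url(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        addr = ipaddress.ip_address(host)   # literal IPv4/IPv6 address?
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return False
    except ValueError:
        pass   # a DNS name, not a literal address: fall through
    return host in ALLOWED_HOSTS
```

The allow-list check is deliberately applied last so that a public literal address is also rejected unless it was explicitly allowed.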

To conclude his presentation, Aaron discussed the future developments of the OWASP Top 10 (with the 2017 version currently in release candidate). He reiterated that it was a good starting point for assessing the security of a web application, but that further investigation was needed to achieve a truly satisfactory level of security.

Dissecting a ransomware-infected MBR – Raul Alvarez

Raul Alvarez, a security researcher at Fortinet, analyzed the workings of the Petya malware.

Find our detailed report in a separate article: [HIP2017] – Dissecting A Ransomware-infected MBR – PETYA

Are you watching TV now? Is it real? Hacking of smart TV with 0-day – Lee Jong Ho & Kim MinGeun

Lee Jong Ho and Kim MinGeun are two Master's students in security in South Korea. They presented their work on smart TVs and more specifically on the WebOS operating system found on most connected televisions to date.

After detailing the internal mechanisms of WebOS, they performed a demonstration where they remotely took control of a connected television by:

  1. Forcing the installation of development mode
  2. Restarting the television
  3. Installing a malicious application
  4. Restarting the television a second time
  5. Exploiting a vulnerability that allows them to escalate their privileges on the system

802.1X Network Access Control and Bypass Techniques – Valérian Legrand

This conference is described in detail in a dedicated article: [HIP2017] Bypass 802.1x – FENRIR

Hackers! Do we shoot or do we hug? – Edwin Van Andel

Edwin Van Andel discussed the complex relationship between hackers and companies in the context of vulnerability reporting processes. By default, those who report vulnerabilities are viewed negatively and considered malicious by companies. Despite responsible disclosure practices, hackers are still too often prosecuted.

By describing their methods and ways of thinking, he tried to show that hackers were benevolent and that they needed to be treated properly to encourage these approaches.

To conclude his presentation, the speaker clearly stated: "We hug!"

Popping a shell on a mainframe, is that even possible? – Ayoub Elaassal

Ayoub Elaassal, a security consultant at Wavestone, addressed the topic of mainframe security. These machines, with their high processing power, are widely used in large companies, such as banks and insurance companies. Having encountered this issue during certain projects, Ayoub continued his research, and his presentation described various mechanisms for bypassing the security of these machines.

The applications available on the mainframes are accessed via a Telnet connection and rely on the CICS (Customer Information Control System). The first step proposed by Ayoub is to escape the application environment displayed upon system access. This can be done by pressing a specific key combination, which may vary depending on the application or system. It is then possible to execute arbitrary transactions. Some of these transactions can have a significant impact on the confidentiality of the data stored on the mainframe. This is the case with the CECI (Live Interpreter Debugger) transaction, which allows the execution of CICS API commands. Through this transaction, it is possible to read the contents of files stored on the mainframe, and thus access potentially sensitive customer data.

The next step described by Ayoub is obtaining a reverse shell on the mainframe. He achieves this through a CICS feature called "Spool functions". Using this function, he is able to write a program to the task scheduler (JES) queue, which will then execute it.

Ayoub Elaassal concludes by demonstrating the possibility of privilege escalation to obtain administrator rights on the system, made possible by two characteristics: firstly, there is a category of library (APF) for which each program can request higher privileges. Secondly, access rights to these libraries are not restrictive enough, allowing arbitrary code to be written within them.

The tools developed during this research are available on his GitHub, in particular cicspwn, which automates some of the tasks mentioned above.

25 Techniques to gather threat Intel and Track actors – Wayne Huang & Sun Huang

Wayne Huang and Sun Huang presented 25 methods they used within Proofpoint to obtain information on various malicious actors in the market.

Of the 25 methods presented, many are derived from standard penetration testing methodologies:

  • Reconnaissance (fuzzing for known files, etc.)
  • Exploiting misconfigurations (Apache Status, Directory Listing, etc.)
  • Exploitation of known vulnerabilities (Shellshock, etc.)
  • Etc.

These methods nevertheless dispelled any doubt in the audience regarding the legitimacy of the actions taken.