Hack.lu 2016 – first day
The 12th edition of the Luxembourg conference Hack.lu has just ended and has once again fulfilled its objectives in terms of technical content with regard to the presentations and workshops offered.
As every year, this conference welcomed nearly 400 people over 3 consecutive days (from October 18 to 20, 2016) and was held at the Parc Hotel Alvisse.
As the presentations and workshops took place simultaneously, we weren't able to attend all of them. We've therefore made a small selection, and we hope you enjoy it!
Note: all presentations were filmed and put online (see annex).
Links to reports from other days:
- Hack.lu 2016 – first day
- Hack.lu 2016 – Day Two
- Hack.lu 2016 – Day Three
Day 1
Keynote: Stressed out? Denial of service attacks from the providers' perspective
Alice Hutchings, from the University of Cambridge, opened this 12th edition by presenting the results of her thesis on criminology and more particularly on the "booter" or "stresser" services used to conduct distributed denial-of-service (DDoS) campaigns on websites.
One of the best-known hacker groups offering this kind of service is "Lizard Squad," all of whose members have now been arrested after the UK's National Crime Agency paid them a visit.
The website "vdos-s[.]com", which had over 10,000 active users and made headlines following its compromise and the arrest of its two young owners in September 2016, also falls into this category of platform. Following these revelations, KrebsOnSecurity.com suffered a denial-of-service attack that was thwarted thanks to Akamai's security service, which, incidentally, stopped protecting the site after the attack.
A month later, the source code of "Mirai," the botnet that made massive use of compromised connected devices and was used against the KrebsOnSecurity website and the hosting provider OVH, was made public.
According to Alice, the life cycle of online criminal activities follows several phases: initiation, maintenance, and withdrawal.
In order to learn more about the motivations that might lead people to engage in this type of activity, Alice became interested in the social aspect of a cybercriminal's life.
She therefore invited 51 "booter" service providers out of the 63 initially identified (12 being offline during the 3-month period of her investigation) by offering them the opportunity to respond to an anonymous online survey or to participate in an interactive interview.
Only 25% of those invited responded, with a preference for the online form.
The conclusions of her research paint the following portrait of cybercriminals:
- They are mostly men aged 16-24, living primarily in the United States.
- In most cases, the initiation phase is due to the influence of their social circle or the people they associate with.
- Most of the attacks were orchestrated against online gambling sites.
- Financial gain has often been one of the main motivations.
- These actors often deny responsibility, feeling unaffected by existing laws and potential legal action against them.
Alice concluded her presentation by indicating that she would continue her research, but this time on the defensive side in order to understand why some people choose to fight crime on the internet.
Advanced exploitation: ROP and bypass protections under Linux
This workshop was presented by Julien Bachmann aka @milkmix_, working at Kudelski Security, on the topic of advanced vulnerability exploitation and more specifically on the ROP (Return-Oriented Programming) exploitation technique.
After a brief review of simple buffer overflow techniques, the workshop presented the concepts behind ret2libc (which bypasses a non-executable stack) and the gadget search methodology used to build a ROP chain. It concluded with techniques for bypassing ASLR (Address Space Layout Randomization), which randomizes where a process's memory regions are placed.
For those wishing to complete the various exercises in this workshop, all the binaries can be retrieved from the following GitHub repository:
https://github.com/0xmilkmix/training
The materials for this workshop are also available at the following address:
https://speakerdeck.com/milkmix/advanced-exploitation-on-linux-rop-and-infoleaks
Cyber Grand Shellphish: Shellphish and the DARPA Cyber Grand Challenge
Kevin Borgolte, one of the members of the ShellPhish team, presented the "Cyber Grand Challenge" defense research project, organized by the Defense Advanced Research Projects Agency (DARPA).
As a reminder, ShellPhish is a team that participates in many CTF (Capture The Flag) competitions and is ranked 8th on CTFtime at the time of writing this article.
The goal of this challenge was to build a fully automated system to analyze, exploit and develop patches for the different binaries offered throughout the competition, with a prize of $2 million for the winning team.
As Kevin mentioned, the start of the competition was very challenging and required many hours of work and effort. Despite an apparent delay in the competition due to late registration, they still managed to qualify for the finals.
For the finals, ShellPhish built the "Mechanical Phish," whose architecture is as follows:
The biggest challenge was anticipating the behaviors and decisions of the different opponents, and avoiding penalty points awarded to the different teams in case of service unavailability or performance degradation.
One of the techniques employed by ShellPhish was to insert a backdoor into the deployed patches. This technique allowed them to gain a significant number of points, as some teams preferred to use patches obtained from the network, thus potentially exposing themselves to a specific team rather than remaining generally vulnerable.
The final, which took place on August 4, 2016 in Las Vegas, comprised 96 rounds, during which more than 2400 exploits were generated by ShellPhish's machine, which finished in 3rd position behind Xandra and Mayhem:
The entire final can be viewed via the following link:
https://www.youtube.com/watch?v=n0kn4mDXY6I
Appendices
The various presentation materials will soon be available at the following address:
In the meantime, here are some links to watch the different conferences:
- Day 1
- Stressed out? Denial of service attacks from the providers' perspective
- Lightning Talk – Metabrik Meets CVE-Search by GomoR
- Lightning Talk – When Your Firewall Turns Against You by Rene Freingruber
- Lightning Talk – Cracking An Egg And Cooking The Chicken by Jacob Torrey
- Exploiting and attacking seismological networks… remotely by James Jara
- Secrets in Soft Token: A security study of HID Global Soft Token by Mouad Abouhali
- KillTheHashes 30 million Malware DNA profiling exercise by Luciano Martins
- Unveiling the attack chain of Russian-speaking cybercriminals
- Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets
- Windows systems & code protection signing by Paul Rascagnères
- Cyber Grand Shellphish: Shellphish and the DARPA Cyber Grand Challenge









