Insomni'hack 2016
Intrinsec was present at the 9th edition of the Insomni'hack security conference organized by SCRT in Geneva from March 17 to 19, 2016.
Edit 18/4/2016:
The day of March 17th was dedicated to workshops:
- Forensic analysis of Windows systems using free tools (Sébastien Andrivet)
- Advanced Web Application Security (Alain Mowat)
- Advanced use of Metasploit (Adrien Stoffel & Julien Oberson)
The day of March 18th was dedicated to the talks, followed by the well-known CTF.

A Hippocratic Oath for Connected Medical Devices
After 10 years of experience in the medical field, Beau Woods is well acquainted with its challenges. He presented the work of "I am the cavalry," a global organization focusing on security issues when public safety and human life are at stake.
Five questions were posed to stakeholders in the healthcare sector:
- Who are you?
- What are your hopes?
- What are your fears?
- Do you have a question?
- What can you bring?
The oath proposed by the "I am the cavalry" organization is based on the following 5 components:
- Secure product design
- Third-party collaboration (bug reporting)
- Extracting evidence to improve investigations
- Resilience and containment, as is done with watertight compartments in submarines
- Security updates
His presentation concluded with a call to action to:
- Recommend
- Adopt
- Adapt
- Enrich
- Collaborate
Link : https://www.iamthecavalry.org/
Crypto code: the 9 circles of testing
JP Aumasson presented nine areas of testing that, if covered, improve the security of cryptographic code:
- Test vectors: run unit tests on every feature against known-answer vectors
- Simple bugs: buffer overflows, memory corruption, information leaks; run static analysis and fuzzing to find them
- Misuse of the software: handle bad user input properly and handle errors correctly
- Optional features: optional features that are never tested and contain vulnerabilities
- Random number generation: run statistical tests on the random number generator
- Timing leaks: execution time must be constant and must not depend on secret data such as the key or on which code path is taken
- Fuzzing: using tools such as AFL…
- Mathematical proofs: is my encryption function mathematically proven?
- Physical tests: side channels, fault resistance
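As an added example (not from the talk or from the original page), the following Python applies two of these circles to a common piece of crypto glue code, an HMAC-SHA-256 tag check: a known-answer test vector from RFC 4231 (test case 1) catches a wrong primitive or encoding, and an instrumented early-exit comparison shows exactly what a timing leak exposes next to its constant-time replacement. The function names and the instrumented counter are this example's own.

```python
"""Added example: known-answer testing and timing-leak avoidance for a
HMAC-SHA-256 tag check (not code from the talk or the original page)."""
import hashlib
import hmac

# Published known-answer vector: RFC 4231, test case 1 (HMAC-SHA-256).
RFC4231_TC1 = {
    "key": bytes([0x0B] * 20),
    "data": b"Hi There",
    "tag": bytes.fromhex(
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    ),
}
TAG_LEN = 32  # SHA-256 digest length in bytes


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def check_test_vector(vec=RFC4231_TC1) -> bool:
    """Circle 'test vectors': a known-answer test catches a wrong hash,
    a byte-order or padding mistake that tests on our own output would miss."""
    return hmac_sha256(vec["key"], vec["data"]) == vec["tag"]


def leaky_verify(expected: bytes, received: bytes) -> bool:
    """Early-exit comparison: runtime depends on the position of the first
    differing byte, so a remote attacker can recover a valid tag byte by byte."""
    if len(expected) != len(received):
        return False
    for a, b in zip(expected, received):
        if a != b:
            return False
    return True


def count_compared_bytes(expected: bytes, received: bytes) -> int:
    """Instrumented copy of leaky_verify (example-only helper): the number of
    byte comparisons before exit is the quantity the timing leak reveals."""
    n = 0
    for a, b in zip(expected, received):
        n += 1
        if a != b:
            break
    return n


def constant_time_verify(expected: bytes, received: bytes) -> bool:
    """Circle 'timing leaks': touch every byte and fold the differences into an
    accumulator; no branch depends on the secret bytes. The tag length is
    public, so returning early on a length mismatch leaks nothing new."""
    if len(expected) != len(received):
        return False
    acc = 0
    for a, b in zip(expected, received):
        acc |= a ^ b
    return acc == 0


def verify_tag(key: bytes, data: bytes, received: bytes) -> bool:
    """Circle 'misuse / bad input': reject malformed tags before recomputing,
    then compare in constant time (hmac.compare_digest does the same in the
    standard library)."""
    if not isinstance(received, (bytes, bytearray)) or len(received) != TAG_LEN:
        return False
    return constant_time_verify(hmac_sha256(key, data), bytes(received))


if __name__ == "__main__":
    tag = RFC4231_TC1["tag"]
    first_byte_wrong = bytes([tag[0] ^ 1]) + tag[1:]
    last_byte_wrong = tag[:-1] + bytes([tag[-1] ^ 1])
    print("test vector ok:", check_test_vector())
    print("leaky compare work, first byte wrong:",
          count_compared_bytes(tag, first_byte_wrong))
    print("leaky compare work, last byte wrong:",
          count_compared_bytes(tag, last_byte_wrong))
    print("constant-time verify:",
          verify_tag(RFC4231_TC1["key"], RFC4231_TC1["data"], tag))
```

Running it shows the early-exit comparison doing one unit of work when the first byte is wrong and thirty-two when only the last byte is wrong; that gap, measured over many requests, is what a timing attack exploits, and it disappears with the accumulator version.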
Unboxing the white-box
Eloi Sanfelix presented the different attacker models for cryptographic implementations:
- Black box:

- Grey box:

- White box:

He then devoted his presentation to white-box cryptography, used in various fields such as mobile payment applications, content protection systems, and the use of cryptography in the cloud.
Two technical demonstrations were carried out to illustrate white-box attacks and the recovery of encryption keys used in the context of the wbDES challenge.
Both attacks consist of the following steps:
Differential Fault Analysis (DFA)
- Locating a fault injection point
- Collecting the faulty outputs
- Analysing the induced errors
Side Channel Analysis (SCA)
- Instrumentation:
  - Binary instrumentation (PIN, Valgrind)
  - Stack capture per round (hooking, debugger)
  - Emulation (QEMU, Unicorn, PANDA)
- Repeated execution on random inputs
- Collection of the measurement traces
- SCA analysis of the traces
He concluded his presentation by demonstrating the effectiveness of SCA attacks on white-box cryptography, and therefore the weakness of this approach.
To address this, he recommends strengthening protections against reverse engineering and against key extraction: avoid static dependencies between intermediate values and the key, and double-check the encodings applied to intermediate data.
Link : http://www.whiteboxcrypto.com/challenges.php
IAEA – The role of the IT security specialists at the International Atomic Energy Agency
Massimiliano Falcinelli presented his role within the IAEA, the United Nations agency in charge of everything related to atomic energy, as well as the threats he has to fight against daily.
After a brief overview of the organization's role and of the complexity of managing security for an international organization whose employees come from approximately one hundred different countries, he focused on attacker profiles. These are primarily script kiddies, hacktivists, or state-sponsored attackers. As for the types of attacks, the IAEA is mainly targeted by social engineering, physical intrusions, or compromises from the outside, either to claim responsibility publicly or to obtain various types of information.
Building Trust by Design
Hoang Bao, director of privacy policy and data governance at Yahoo, presented the approach used by this company to protect the data of their users.
According to him, the main areas to consider are the following:
- Understanding the end user
- Collect only the necessary data
- Inform users and give them a choice
- Use existing tools (iOS controls, Android controls)
- Improve security
- Extend the value of the data
He also presented the geographical differences encountered, such as the right to be forgotten, access to personal data, or the obligation to notify users following a compromise (set at 72 hours in Europe).
Advice was offered on how to improve user data security (data storage, retention and deletion, access control, secure transport (SSL), logging, choice of third parties…) and how to extend the value of data by anonymizing it and using obfuscation techniques.
He concluded his presentation by stating that at Yahoo the priority was given to the user, that significant controls were in place, and that security was a prerequisite for protecting privacy and safety.
8 security lessons from 8bit games
Florian Hammers, a business engineer at Tenable, presented Tenable's vision of security. According to him, the priority is not to protect against zero-day vulnerabilities, but rather against known vulnerabilities that are always present on the network.
He illustrated each principle with an 8-bit game.

- The technique to win at "Space Invaders" is to predict the enemies' path, so it is important to know your information system (IS) well in order to know its potential vulnerabilities.
- In Pong, the smaller the area to defend, the harder it is for the opponent to score, so you have to reduce the exposed surface.
- In the world of Mario, Princess Peach is vulnerable and is regularly kidnapped, just like your users. It is therefore important to protect them properly.
- When playing Tetris, clearing 4 lines at once earns more points, but requires building a solid foundation, just as for your IS.
- A 360° view of what is happening on your IS is the key to victory in Asteroids.
- Super Mario's Goombas are slow, yet they still kill players, just as old malware still infects users because of outdated antivirus databases.
- You have to be agile in the face of change, as in Sonic to collect all the rings: you have to make choices and propose solutions.
- Finally, in Pac-Man, the goal isn't to eat all the ghosts. Similarly, you need to distinguish your wants from your needs in order to align them with business requirements.
The slides are available as a video at the following address: https://www.youtube.com/watch?v=y5PQ9vJBXxA
Reversing Internet of Things from mobile applications
Axelle Apvrille presented her approach to analyzing connected objects such as Recon Jet glasses, the Beam Toothbrush and the Meian alarm system.
Using this approach, she discovered the use of a hard-coded password in the Recon Jet smart glasses mobile app.
According to her, starting with reverse engineering of mobile applications allows for faster onboarding and a more complete understanding of the audited objects.
Ransomware for IoT
Candid Wueest presented the motivations of attackers targeting connected objects: carrying out ad click fraud, dropping ransomware or lockers, or using these devices as a foothold to infect other devices.
Attack scenarios include device blocking and encryption, as well as social engineering.
He concluded his presentation by recommending the following points:
- Securing connected devices by design
- Analyze their network traffic
- Do not expose them directly to the internet
- Use strong authentication
- Add support for debugging
From Bored Hacker to Board CISO, a short-n-fun tale
This conference is difficult to summarize. The following links can be consulted to give you a brief overview:
- https://en.wikipedia.org/wiki/Ding_Dong_Song
- https://www.youtube.com/watch?v=z13qnzUQwuI
- https://en.wikipedia.org/wiki/Mr._Hankey,_the_Christmas_Poo
- https://www.youtube.com/watch?v=-KIUM3uo2UA
- https://en.wikipedia.org/wiki/The_Art_of_Thinking_Clearly
- https://en.wikipedia.org/wiki/The_48_Laws_of_Power
- https://en.wikipedia.org/wiki/The_Truth:_An_Uncomfortable_Book_About_Relationships
- https://www.youtube.com/watch?v=9IG3zqvUqJY
- https://www.youtube.com/watch?v=whEWE6WC1Ew
- https://www.youtube.com/watch?v=5JAqZ1IGwjM
- http://www.imdb.com/title/tt2717822/
- https://www.youtube.com/watch?v=3P7wZ4rDbUc&feature=youtu.be&t=1109
CTF
More than 200 people participated in the CTF this year. It started at 6 p.m. and ended 10 hours later around 4 a.m.
As with most challenges of this type, several categories were offered to the teams:
- Backdoor
- Crypto
- Hardware
- Misc
- Network
- Pwn
- Reverse
- Shellcode
- Web

This year's prizes consisted of 4 kg of silver, distributed as follows:
- 1st place: 8 * 250g
- 2nd place: 8 * 155g
- 3rd place: 8 * 100g
And once again, "Dragon Sector" took first place, for the fourth year in a row, with a total of 169,400 points. The final ranking is as follows:

Write-ups for the various challenges can be found at the following address: https://github.com/ctfs/write-ups-2016/tree/master/insomnihack-ctf-2016
