Information Systems Security Day 2016
Introduction
Intrinsec was represented by four of its consultants at the Information Systems Security Day 2016 organized by OSSIR (Observatory for Information Systems and Network Security). The conference took place on Tuesday, March 8, 2016 at the MAS (Paris 13th arrondissement).
Intrinsec thanks all the organizers and speakers, and presents below a summary of the presentations.
A day in the life of our personal data – Damien DESFONTAINES
Slides not available
Damien Desfontaines is an engineer at Google. He works on issues related to the protection of personal data, and more specifically on those related to geolocation.
During his presentation, Damien explained Google's internal process for protecting personal data throughout its lifecycle. This begins as soon as a new Google service is designed, with a document called a "privacy design doc" which is written to verify that all the technical details related to data collection are compliant: what data, where, and how it is stored…
The data collected by Google is then encrypted and stored in the company's various data centers. To access this data, Google engineers must have the owner's permission (e.g., a user calling customer service). The person in charge of the case then receives an access token for the personal data, valid for a specific period and scope.
If a user wishes to delete all of their personal data, it will still be kept for a period of a few weeks after the request, in case the user wishes to cancel the deletion.
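The scoped, time-limited access token described above, illustrated with an added example that is not Google's code and assumes nothing about its internal format: an HMAC-signed token bound to one case, one data subject, a set of data kinds and an expiry, with the checks an access decision would apply.

```python
import hmac
import hashlib
import json
import base64

# Constructed demo key; a real deployment would use a managed, rotated key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(case_id: str, subject: str, scope: set, ttl_seconds: int, now: float) -> str:
    """Issue a token tied to one support case, one data subject, a scope and an expiry."""
    claims = {"case": case_id, "subject": subject,
              "scope": sorted(scope), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def authorize(token: str, subject: str, wanted: str, now: float) -> bool:
    """Grant access only if the signature holds, the token is unexpired,
    it names the same data subject and the requested data kind is in scope."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    return (claims["subject"] == subject
            and wanted in claims["scope"]
            and now < claims["exp"])
```

Every refusal above is a case an auditor would want logged: expiry, out-of-scope data kind, wrong data subject, or a forged tag.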
A look back at 10 years of security audits – Renaud FEIL (Synacktiv) and Jérémy LEBOURDAIS (ON-X)
Renaud and Jérémy are experienced security consultants. They therefore took up the theme of this JSSI to reflect on the more than 10 years of evolution in the security field that they have witnessed.
They noted the evolution of attacks, which are becoming increasingly difficult as vendors become more aware of the situation. Microsoft, in particular, has had to deal with several high-profile vulnerabilities, well known to auditors, such as MS03-026 (exploited by the Blaster worm) or MS08-067 (exploited by the Conficker worm). This evolution is reflected in the increased role of its security team, the MSRC, which started as a subdivision of the marketing department of the servers branch, and in the Microsoft Trustworthy Computing program (secure by design, by default and in deployment; improved communication on vulnerabilities; end of IE 6; memory protections such as ASLR/DEP/SafeSEH/SEHOP, etc.).
Similar developments are observed at Google (with Chrome) and Apple (recent "success" against the FBI exploited as a marketing argument).
The evolution of security involves, for example, hardened default configurations, security being taken into account in frameworks, browsers disabling vulnerable versions of plugins, mechanisms for the automatic distribution of regular patches, and the work of groups like OWASP.
Despite this, risks persist, particularly due to historical legacy: on Windows, they note that it is still just as easy to compromise a domain, that the weak LM/NTLM algorithms are still present, that the Pass-the-Hash attack is still achievable (all of which is highlighted by the mimikatz tool), and that exploitable network protocols remain (LLMNR/NBNS for WPAD retrieval, exploitable with Responder). Office macros remain just as dangerous, as demonstrated by the current waves of ransomware.
In terms of the threat, they observe an increase in attacks via third-party compromises (e.g. Target, XcodeGhost, attacks via cloud providers with sometimes porous isolation, exploitation of vulnerabilities in increasingly used third-party libraries, or direct compromise of source code such as that of the Linux Mint distribution), as well as state attacks, citing Hacking Team or Zerodium.
Lessons learned from the fight against (state) cyber espionage – Laurent OUDOT (Tehtri-Security)
Through several concrete examples, Laurent Oudot revisits the issues of cyber espionage. The notion of state involvement remains a subtext throughout the presentation, even though the speaker indicates that in most cases, definitively identifying this element is difficult.
The various examples discussed should, according to the speaker, allow us to draw some lessons, including:
- The human factor can be totally unpredictable in case of danger and physical security can be compromised very quickly (e.g., a data center in a country in crisis where panic leads everyone to flee);
- Strong business opportunities should not lead to accepting the unacceptable (e.g., unauthorized visitor access to a sensitive area of a factory). Vigilance and the adoption of firm measures are necessary. It may also be beneficial to seek support from government agencies (Ministry of Defence, Ministry of the Interior, etc.);
- It is important to have clear procedures for managing this type of situation (roles, responsibilities, actions to follow, etc.). In addition, it is important to implement monitoring and containment measures of all kinds, particularly in sensitive or exposed areas (e.g., honeypots).
From employee cyber-surveillance to employer cyber-protection: 15 years of evolving case law. What now? – François COUPEZ (ATIPIC)
François is a lawyer, managing partner of ATIPIC, and works in the field of new technologies, including information security. He spoke at the traditional late-morning legal presentation, and he warned the audience with a message contrary to that of the other speakers: "I am a lawyer, but I am not a technical expert" (note that your writer is technically minded and summarizes this presentation in his own words and at his own level).
Based on his experience, employers face conflicting regulatory requirements while confronting an increasing number of internal attackers (intentional or through misconduct).
In the event of a hack, a company can face fourfold penalties:
- The classic consequences of intrusion (theft or sabotage of data, brand image, loss of productivity, etc.);
- A potential lack of compliance with the CNIL;
- If a security flaw is the cause of the incident, the damages will be reduced;
- Various sanctions, which can range from criminal penalties up to 4% of global turnover.
Employers must therefore monitor their Information Systems, while adhering to rules to ensure these controls are valid. General, statistical, and anonymous controls are possible, but for monitoring to reach the individual level, it requires notification of the employee and must have limitations (transparency, proportionality, and fairness).
A charter appended to the company rules must exist, but several pitfalls exist in its drafting; otherwise, in the event of dismissal, the evidence may be deemed inadmissible by the Labor Court and used as grounds for a complaint by the employee, often resulting in a substantial settlement. Several dismissal cases all ending this way were presented: they followed undisputed malicious actions, but the evidence had been obtained illegally.
For example, an employee had been authorized to use their personal email for work purposes while traveling. This authorization was not explicitly revoked upon their return, so no recourse was possible when, the day before leaving the company, they exfiltrated a large amount of data through this method. Another example is that of an employee who received a reprimand by email and could no longer be dismissed for misconduct because the email had already served as a disciplinary measure, and it is illegal to impose a second disciplinary measure.
Since the Labor Code contains no specific rules, case law applies to these matters. However, this case law changes regularly. The speaker gave the example of the well-known files and emails labeled "personal," which are no longer inviolable if justified, for example, if there is suspicion of misuse.
In conclusion, he recommends implementing, on the model of an ISMS, an Information Security Law Management System.
Organized gang surveillance – Jérémie ZIMMERMANN
Presentation without slides
Two ideas are central to this presentation: "security model" and "trust". Do current security models truly fit our society? Are they realistic? How is trust acquired? How is it shared?
The term "hyper-security" was quickly introduced, a model in which the enemy is anyone and can strike anytime and through any means. This model, according to the speaker, "transcends all other models." This "unrealistic" model, a consequence of the 9/11 attacks, was primarily used to justify questionable government practices (mass surveillance, the integration of backdoors into numerous products, etc.) and to secure substantial budgets. The "BULLRUN" and "PRISM" programs, revealed to the public by Edward Snowden, were specifically mentioned.
For Jérémie, trust is definitively broken and the computing we use every day must be rethought: use of free software on trusted hardware with known specifications, end-to-end encryption of communications that does not rely on the good faith of a third party (goodbye certification authorities?).
The speaker concludes that his presentation "raises more questions than it answers" and that we all have a role to play in fighting against the current model.
Security and AS400 – Sylvain Leconte (Cogiceo)
Slides not available
Sylvain Leconte is an IT security expert specializing in penetration testing at Cogiceo. His presentation focused on AS/400 security, on which he decided to share his experience following various security audits he had conducted on this system.
AS/400, short for Application System/400, is a line of minicomputers marketed in 1988 by IBM. The access control system is the central element of the system's security: user rights can be assigned to various profiles, which can themselves be assigned to a class containing special privileges. Starting with a simple user account, Sylvain presented a concrete example of a penetration test on an AS/400 system, proceeding step by step:
- Reconnaissance – What services are available on the machine?
- Enumeration – How to enumerate and identify users with elevated privileges?
- Bruteforce – How to brute-force account passwords?
- Command execution – How to execute arbitrary commands on the server?
- Privilege escalation – How to elevate your privileges and obtain maximum rights?
Sylvain then gave feedback on the various missions he had the opportunity to carry out, presenting in particular results on the complexity of passwords encountered at clients' sites.
IoT and Sigfox security – Renaud LIFCHITZ (Digital Security)
Slides not available
Renaud Lifchitz is an IT security expert particularly interested in connected objects, the subject of his presentation.
Although the number of connected objects is increasing very rapidly, knowledge of their technical specifications is only in its early stages: little-known or unknown operating systems, new radio frequency standards… With the omnipresence of these objects in our daily lives, their security is a crucial issue, as the first hacks on pacemakers or connected cars have already been carried out.
Renaud was particularly interested in the security of the Sigfox protocol, a telecom operator among others in the Internet of Things. Sigfox allows objects to communicate using ultra-fast, long-range radio frequency signals.
After analyzing the Sigfox protocol through the study of a test device, Renaud indicated that his results highlighted various flaws, such as the fact that the data transmitted by the device is not encrypted when it travels over the Sigfox network.
According to him, the transmitted data, on the other hand, exhibits resistance to noise thanks to the sending of three identical messages, on three different frequencies and three different encodings.
Bitcoin cryptography, from trust to proof… – Jean-Luc PAROUTY (CNRS / IBS)
Slides not available
The speaker begins by explaining how blockchains work: a blockchain is a decentralized database incorporating a history of all records, protected against falsification. The best-known example of a blockchain is the virtual currency called "Bitcoin".
Jean-Luc Parouty then presents a related and ingenious use of Bitcoin: DocProof. This tool allows the integration of a file's digest into a block of the Bitcoin blockchain. In this way, it is possible to obtain proof of prior existence for a file, provided that metadata has been added to link the document to an identity (otherwise, the user can only claim proof of the document's existence at a specific point in time).
The tool is available via the following URL: https://www.docproof.org/
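The two points above, a chain of records protected against falsification and a file digest anchored in it as proof of prior existence, shown in an added example that is not DocProof's code and does not talk to Bitcoin: a constructed in-memory chain of hash-linked blocks, a lookup that returns the earliest anchoring timestamp for an exact file, and the identity-bound digest the text says is needed before the anchor proves more than existence.

```python
import hashlib
import json


def file_digest(content: bytes) -> str:
    """SHA-256 of the document: only this digest is anchored, never the file."""
    return hashlib.sha256(content).hexdigest()


def bound_digest(content: bytes, author: str) -> str:
    """Digest over content plus identity metadata, so the anchor can be tied to a person."""
    return hashlib.sha256(content + b"\n" + author.encode()).hexdigest()


def block_hash(block: dict) -> str:
    """Hash of a block over its link to the previous block, its timestamp and its digests."""
    payload = json.dumps({k: block[k] for k in ("prev", "time", "digests")}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Constructed stand-in for a blockchain; batches is a list of (timestamp, [digest, ...])."""
    chain, prev = [], "0" * 64
    for ts, digests in batches:
        block = {"prev": prev, "time": ts, "digests": list(digests)}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def chain_valid(chain) -> bool:
    """Recompute every hash and link; editing or backdating any record breaks the chain."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev or block_hash(block) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def proof_of_existence(chain, content: bytes):
    """Timestamp of the earliest block anchoring this exact file, or None.
    A one-byte change in the file yields a different digest and no match."""
    if not chain_valid(chain):
        return None
    d = file_digest(content)
    return next((b["time"] for b in chain if d in b["digests"]), None)
```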
— Clément Notin
