JSSI Rouen
This year again we attended the 5th edition of the JSSI (Journée de la Sécurité des Systèmes d'Information) in Rouen, organized jointly by the University of Rouen Normandy and INSA Rouen Normandy.
The conference took place on Thursday, November 3, 2016 at the INSA premises in Rouen, and the topics covered were the leakage and tracking of personal data, as well as its protection.
Intrinsec thanks all the organizers and speakers who presented their research work, and presents below a summary of the presentations.
«"The CNIL and security"»
Following an opening speech introducing the various themes of the conference and presenting the INSA group, Amandine Jambert, a technical expert from the CNIL (French Data Protection Authority), presented the security and internal processes of this organization. As a reminder, the CNIL is an independent French administrative authority whose primary function is to protect citizens against any misuse of their personal data.
She then explained in detail what personal data is and recalled the main points of the "Data Protection Act":
- Purpose
- Proportionality and relevance
- Retention period
- Security
- Rights of individuals
Indeed, any organization collecting personal data must justify its purpose, define a limited retention period (for example, not exceeding 6 months for connection logs on a server), and finally commit to taking the necessary measures to guarantee the security of this data and allow users to access, rectify or delete it.
Amandine then outlined the regulatory process the CNIL follows to analyze the declarations it receives concerning the processing of personal data, drawing on recommendations from various sources such as the General Security Framework (RGS) drafted by the ANSSI (French National Cybersecurity Agency), ISO standards, and the guidelines of the Article 29 Working Party (WP29). The latter were drafted for search engines to implement the ruling of the Court of Justice of the European Union (CJEU) of May 13, 2014, concerning the online "right to be forgotten".
Newly granted rights were also presented, such as the right to data portability, the notification of personal data breaches (data breach notification), and the general principle of transparency applicable to data controllers.
Amandine then compared two fields, information systems security (ISS) on the one hand and privacy protection on the other, and detailed the methodological approach used by the CNIL. This approach lies at the intersection of technical and legal expertise and is divided into four stages: defining the context, identifying the fundamental principles, analyzing the risks, and making a decision.
She concluded her presentation by describing the sections of a typical PIA (Privacy Impact Assessment) report and by outlining the CNIL's upcoming work, such as the finalization of the international standard ISO/IEC 27552.
«"Home automation and connected devices: Security analysis of consumer components"»
Jérémy Briffaut, lecturer at INSA Centre Val de Loire, presented his research on the security of home automation equipment.
After a brief description of what home automation is, Jérémy reminded us of the architecture of a home automation system: the presence of a connected device, a gateway, and a user interface. Various communication protocols used by this type of component were then presented, such as ARC, X10, Z-Wave, and EnOcean.
After this introduction, Jérémy walked us through several attack vectors: a denial of service using a tri-band jammer costing around 60€ that neutralizes video surveillance cameras or alarms, or the recovery of sensitive data by passively listening to communications, which in most cases are transmitted in clear text.
Taking control of equipment that uses this type of communication is then possible, and several projects were presented to achieve this:
- RFLink, used for objects communicating on the frequencies 315, 433 and 868 MHz and 2.4 GHz
- RTL_433, which allows the reception of signals between 52 and 2200 MHz
- CC1101-X2D-Heaters, for taking control of X2D thermostats
The last and most important attack vector presented by Jérémy concerns misconfigurations. He cited the Mirai botnet, which exploited default username/password combinations and infected over 30,000 AirLink gateways. These gateways, publicly reachable from the Internet, were used to launch distributed denial-of-service (DDoS) attacks against websites such as journalist Brian Krebs' cybersecurity site and the French hosting provider OVH.
Jérémy then noted that one recommendation is to change these default accounts, while pointing out that this alone is insufficient, since backdoors such as undocumented administrative access or hard-coded URLs exist and are, according to him, left in place by the manufacturers.
Finally, the open-source project MySensors was presented; it allows users to build their own home automation platform using Arduino microcontrollers or Raspberry Pi boards. It too has security weaknesses, and the following measures are therefore necessary to secure a home automation installation:
- Object authentication (using Atmel components)
- Confidentiality of communications (AES encryption)
- Data exchange integrity (using an Atmel ATSHA204A component)
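The authentication and integrity points above can be illustrated with a challenge-response signing scheme of the kind a secure element such as the ATSHA204A is used for: the gateway issues a fresh nonce, the node answers with an HMAC-SHA256 over its identity, the nonce and the payload, and the gateway checks the tag before acting on the reading. The code below is an added example written for this summary, not MySensors code and not the ATSHA204A command set; it models the scheme in software, assumes a pre-shared secret provisioned out of band, and covers authentication, integrity and replay protection only (the AES confidentiality layer is not shown).

```python
import hashlib
import hmac
import os


def mac(secret: bytes, node_id: int, nonce: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over node id, nonce and payload, so the tag is bound to
    who sent it, to this particular challenge and to the exact content."""
    data = node_id.to_bytes(1, "big") + nonce + payload
    return hmac.new(secret, data, hashlib.sha256).digest()


class Gateway:
    """Verifier side. Holds the shared secret and one outstanding nonce per
    node, so every signature is tied to a fresh challenge and a captured
    message cannot be replayed. ASSUMPTION: the secret was provisioned out
    of band (e.g. written into the node's secure element at build time)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: dict[int, bytes] = {}

    def challenge(self, node_id: int) -> bytes:
        """Issue a fresh 32-byte nonce to a node that wants to send a message."""
        nonce = os.urandom(32)
        self._pending[node_id] = nonce
        return nonce

    def verify(self, node_id: int, payload: bytes, tag: bytes) -> bool:
        """Check the tag against the nonce we issued, then discard that nonce."""
        nonce = self._pending.pop(node_id, None)
        if nonce is None:
            return False  # no outstanding challenge: unsolicited or replayed
        expected = mac(self._secret, node_id, nonce, payload)
        return hmac.compare_digest(expected, tag)


class Node:
    """Sensor node side: signs its payload with the shared secret and the nonce."""

    def __init__(self, node_id: int, secret: bytes) -> None:
        self.node_id = node_id
        self._secret = secret

    def sign(self, payload: bytes, nonce: bytes) -> bytes:
        return mac(self._secret, self.node_id, nonce, payload)


def demo() -> dict:
    """Run the exchange for the legitimate case and three attacks; returns
    the verification outcome of each so the rejected ones are visible."""
    secret = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)  # constructed key
    gw = Gateway(secret)
    node = Node(7, secret)
    payload = b"7;1;1;0;0;21.5"  # constructed MySensors-style serial line (a temperature)
    results = {}

    # 1. Legitimate message: challenge, sign, verify.
    nonce = gw.challenge(node.node_id)
    tag = node.sign(payload, nonce)
    results["legitimate"] = gw.verify(node.node_id, payload, tag)

    # 2. Replay: the same (payload, tag) sent again after the nonce was consumed.
    results["replay"] = gw.verify(node.node_id, payload, tag)

    # 3. Tampering: an attacker on the radio link alters the value in flight.
    nonce = gw.challenge(node.node_id)
    tag = node.sign(payload, nonce)
    results["tampered"] = gw.verify(node.node_id, b"7;1;1;0;0;99.9", tag)

    # 4. Impersonation: a rogue node that does not know the secret.
    rogue = Node(7, bytes(32))
    nonce = gw.challenge(7)
    results["rogue"] = gw.verify(7, payload, rogue.sign(payload, nonce))
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>10}: {'accepted' if accepted else 'rejected'}")
```

The nonce is consumed on first use, which is what defeats the replay: the second delivery of a perfectly valid tag finds no outstanding challenge. Binding the node id into the MAC also stops a compromised node from speaking on behalf of another one that shares the same gateway.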
«"Red teaming and exfiltration techniques to fly under the radar"»
During this presentation, we outlined our Red Team approach as well as our data exfiltration tool "Peet" (Post Exploitation and Exfiltration Tools).
As security assessment techniques have evolved alongside improvements in defensive methods, the Red Team approach is necessary to challenge a company's level of security against advanced attacks, and to assess the detection and response capabilities of its internal teams (the "Blue Team").
After an introduction on what Red Teaming is, we detailed the complete Red Team mission process, which can be divided into 6 steps:
We then gave some examples of feasible scenarios, recalling the 4 laws followed by Intrinsec during these missions:
- Do not cause disruption to the activity
- Do not reduce the current level of security
- Do not access employees' personal data
- Do not apply irreversible action
Several gadgets and their respective uses were then briefly presented:
And the Purple Teaming approach was then detailed:
We also added that Intrinsec offers two ways of carrying out Purple Teaming: either a workshop with the Blue Team following the Red Team mission, or a set of predefined case studies that we execute while analyzing the events detected by the Blue Team.
This type of workshop is very popular with our clients, because it improves the Blue Team's detection and response techniques across a large number of offensive behaviors and attack scenarios.
Finally, since the theft of critical data represents a major risk for businesses, we presented our Peet data exfiltration tool during a technical demonstration.
For more information, please consult our website.
The presentation can be retrieved here.
«"Blockchain security issues"»
Stéphane Bortzmeyer accomplished the feat of presenting the blockchain and its security concepts in just 10 slides. This revolutionary technology is used by numerous applications, but is best known for its monetary aspect, with the creation of cryptocurrencies such as Bitcoin and Ethereum.
Stéphane then explained the two main consensus mechanisms used by blockchains: proof of work and proof of stake. He also recalled the two main risks associated with the use of asymmetric cryptography: since the private key is used to sign transactions, it must be protected against both copying and loss, by adopting the following measures:
- Offline storage, the use of a Hardware Security Module (HSM), and basic computer hygiene rules
- Backup copies
Several attacks were then presented. The first is the 51% attack: when the chain forks, the longest chain wins, so an attacker who controls more than half of the total computing power can impose their own branch. This attack is not discreet, however, since the entire chain is visible to everyone.
Bugs in blockchain software can also have significant consequences. This was the case, for example, with the recently discovered Solarstorm vulnerability in the compiler of the Solidity language used by Ethereum, or with CVE-2010-5139, discovered in August 2010, which required rolling back the Bitcoin blockchain and cancelling a number of transactions: an integer overflow in the summation of a transaction's outputs, combined with insufficient verification of the transaction, allowed the creation of over 184 billion bitcoins in a single transaction.
Finally, the last point Stéphane raised concerned the public nature of the blockchain. Bitcoin does not guarantee user anonymity, since all transactions are visible. He therefore advised using Bitcoin mixers (or tumblers), single-use addresses, or solutions like Zcash, which use zero-knowledge proofs to conceal the origin, destination and amount of transactions, thus making them confidential.
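To make the CVE-2010-5139 overflow concrete, the following added example (written for this summary, not Bitcoin's own code) models the output-sum check in Python with 64-bit wraparound emulated explicitly, since Python integers never overflow. The vulnerable variant only checks that each output is non-negative and that the inputs cover the outputs; the fixed variant also requires every amount and every running total to stay within [0, MAX_MONEY]. The amounts are those of the August 2010 transaction: 0.5 BTC spent into two outputs of 92233720368.54277039 BTC each. The exact structure of the original C++ checks is simplified here.

```python
SATOSHI = 100_000_000
MAX_MONEY = 21_000_000 * SATOSHI  # upper bound the fix enforces on every amount


def to_int64(value: int) -> int:
    """Emulate C++ int64_t two's-complement wraparound on a Python int."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value >= (1 << 63) else value


def money_range(value: int) -> bool:
    """Range check introduced by the fix: an amount must be in [0, MAX_MONEY]."""
    return 0 <= value <= MAX_MONEY


def validate_vulnerable(value_in: int, outputs: list[int]) -> tuple[bool, int]:
    """Simplified model of the pre-fix logic: each output must be non-negative
    and the inputs must cover the outputs. The running sum lives in a 64-bit
    integer, so two outputs just under 2^63 wrap to a small negative total,
    which the inputs trivially cover. Returns (accepted, fee_in_satoshi)."""
    total_out = 0
    for value in outputs:
        if value < 0:
            return False, 0
        total_out = to_int64(total_out + value)  # silent wraparound
    if value_in < total_out:
        return False, 0
    return True, value_in - total_out


def validate_fixed(value_in: int, outputs: list[int]) -> tuple[bool, int]:
    """Model of the fix: every output and every running total must stay in
    money range, so the overflow can never be reached in the first place."""
    total_out = 0
    for value in outputs:
        if not money_range(value):
            return False, 0
        total_out += value
        if not money_range(total_out):
            return False, 0
    if value_in < total_out:
        return False, 0
    return True, value_in - total_out


# Amounts of the August 2010 transaction, in satoshi.
OVERFLOW_INPUT = 50_000_000  # 0.5 BTC
OVERFLOW_OUTPUTS = [9_223_372_036_854_277_039, 9_223_372_036_854_277_039]

if __name__ == "__main__":
    print("vulnerable:", validate_vulnerable(OVERFLOW_INPUT, OVERFLOW_OUTPUTS))
    print("fixed:     ", validate_fixed(OVERFLOW_INPUT, OVERFLOW_OUTPUTS))
```

Run as written, the vulnerable check accepts the transaction with an apparent fee of 50,997,538 satoshi (about 0.51 BTC, because the wrapped output total is negative), while the fixed check rejects the first output outright. The lesson generalizes beyond Bitcoin: whenever amounts are summed in fixed-width integers, bound each term and each partial sum, not just the final result.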
«"Anonymity with Tor – Protecting your identity through obfuscation"»
Adrien Smondack, a consultant at NES, presented the workings of the Tor network. Several protocols can be used to build a network that provides anonymity:
- Mix network
- Dining cryptographer (DC-Net)
- Crowds
- Onion Routing (Tor)
- Freenet
- cMix (PrivaTegrity)
Adrien then focused on the Tor protocol and presented its architecture. As a reminder, it consists of a set of relay nodes forming a mesh of proxies, whose role is to route packets through a circuit while ensuring the confidentiality of the exchanges between nodes and the untraceability of the messages.
To achieve this, the client negotiates a key with each node of the circuit, and the message is encrypted successively with each of these keys, one onion layer per hop, so that every relay can only peel its own layer and learn the next hop.
The principle of anonymizing services hosted on the Internet (hidden services) was then introduced, notably the use of ".onion" addresses, which are reachable only through Tor, via its introduction points and rendezvous points.
Adrien concluded by reminding everyone that Tor protects anonymity, not confidentiality: the data leaves the exit node in whatever form the client sent it, so it is essential to use TLS (HTTPS) between the client and the remote server to add end-to-end encryption, and to use the Tor Browser, whose configuration is tuned to disclose as little information as possible.
«"Hijacking of a dating app into a GPS tracking system"»
Julien Legras and Julien Szlamowicz, two consultants at SYNACKTIV, presented their POC (proof of concept) for repurposing an online dating application into a tracking device.
After a brief introduction to the principles of geolocation, they explained how it was possible to track an individual's movements with a limited number of agents. This limitation stems from the fact that a Facebook account is required to authenticate on the tested mobile application, and that the social network detects the mass creation of users. The agents' role is to simulate a legitimate user by simply replaying the following three requests:
- Authentication via a Facebook account
- Agent location update
- Analysis of people nearby
With 10 agents deployed on a hexagonal grid, they showed that they could geolocate a person with compatible preferences to within approximately 240 meters per agent. For comparison, 75 agents are needed to cover Disneyland Paris, and approximately 6 million for the whole surface area of France.
A web application using the Google Maps API was even developed in Python to demonstrate the effectiveness of this system.
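The geometry behind the attack, agents at known positions combining the distances the app reports to them into a fix on the target, is a trilateration problem, and the following added example (not the speakers' tool) works it through. It assumes the app gives each agent a distance rounded to a fixed resolution (50 m here, an assumption, since the talk only states the resulting accuracy) and that an agent only sees targets within some range. Agents are placed on a hexagonal lattice as in the talk; the position is recovered by least squares over the linearized circle equations, so it also handles more than three agents and the rounding noise the app introduces.

```python
import math


def hex_grid(columns: int, rows: int, spacing: float) -> list:
    """Agent positions on a hexagonal lattice: odd rows are shifted by half
    a spacing and consecutive rows are spacing*sqrt(3)/2 apart."""
    agents = []
    for row in range(rows):
        y = row * spacing * math.sqrt(3) / 2
        offset = spacing / 2 if row % 2 else 0.0
        for col in range(columns):
            agents.append((col * spacing + offset, y))
    return agents


def reported_distance(agent, target, resolution: float) -> float:
    """What the app tells an agent: the straight-line distance to the target,
    rounded to `resolution` metres (ASSUMPTION about the app's display)."""
    return resolution * round(math.dist(agent, target) / resolution)


def trilaterate(observations) -> tuple:
    """Least-squares position from (agent_xy, distance) pairs. Subtracting the
    first circle equation from every other one removes the quadratic terms,
    leaving 2(xi-x0)x + 2(yi-y0)y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2,
    a linear system solved here through its 2x2 normal equations."""
    if len(observations) < 3:
        raise ValueError("need at least three agents for a 2D fix")
    (x0, y0), d0 = observations[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in observations[1:]:
        ax, ay = 2 * (xi - x0), 2 * (yi - y0)
        b = d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("agents are collinear; no unique solution")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return x, y


def locate(agents, target, resolution: float = 50.0, max_range: float = 1000.0) -> tuple:
    """Simulate one polling round: every agent within `max_range` of the
    target gets a rounded distance from the app, and the agents' reports are
    combined into an estimate. Returns (estimate_xy, error_in_metres)."""
    observations = [
        (agent, reported_distance(agent, target, resolution))
        for agent in agents
        if math.dist(agent, target) <= max_range
    ]
    estimate = trilaterate(observations)
    return estimate, math.dist(estimate, target)


if __name__ == "__main__":
    grid = hex_grid(3, 3, 400.0)          # nine agents, 400 m apart
    estimate, error = locate(grid, (530.0, 410.0))  # constructed target position
    print(f"estimate={estimate}, error={error:.1f} m")
```

With nine agents 400 m apart and distances rounded to 50 m, the estimate lands within a few tens of metres of the true position. Coarser rounding or fewer agents in range degrades the fix, which is what sets the per-agent accuracy and therefore the number of agents needed to cover an area.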
«"IoT in business and security: back to basics"»
In this presentation, Bruno Dorsemaine reminded us of the risks associated with BYOD (Bring Your Own Device).
The aim was to raise awareness among the audience that connected objects can be considered part of the information system once they are introduced into the company's premises.
«"Are search engines really your friends?"»
In this last presentation, Charles Petit shared his hypotheses regarding search engines and their ability to spy on their users.
The personal information collected by default by these online services includes name, email address, phone number, payment card number, and profile picture. But this collection doesn't stop there, as data relating to the device used can also be retrieved, such as the phone model and unique identifier, and the installed operating system version. Other data that can be used to create a "digital fingerprint" of the user can also be collected by analyzing, for example, the content of cookies, HTTP headers, or browser configuration (list of installed plug-ins, time zone, screen resolution, etc.).
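How much a "digital fingerprint" identifies someone depends on how many bits of information each attribute contributes, and the following added example (not from the talk) measures that on a constructed sample of eight clients: the fingerprint is a hash over the attributes listed in the paragraph above (user agent, language header, time zone, screen resolution, plug-in list), the entropy of each attribute tells how much it helps tell users apart, and the uniqueness count shows how the fingerprint identifies users even with cookies excluded. Attribute names and the client records are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample of what a site can read from eight visiting clients.
# Cookies are deliberately not part of the fingerprint: the point is that
# the remaining attributes still identify a user once cookies are cleared.
ALL_ATTRIBUTES = ["user_agent", "accept_language", "timezone", "screen", "plugins"]
SAMPLE_CLIENTS = [
    {"user_agent": "Firefox/49.0", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1920x1080", "plugins": "Flash;Java"},
    {"user_agent": "Firefox/49.0", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1920x1080", "plugins": "Flash"},
    {"user_agent": "Firefox/49.0", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1366x768", "plugins": "Flash;Silverlight"},
    {"user_agent": "Chrome/54.0", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1366x768", "plugins": "Widevine"},
    {"user_agent": "Chrome/54.0", "accept_language": "en-US", "timezone": "Europe/Paris", "screen": "1920x1080", "plugins": "Widevine;PDF"},
    {"user_agent": "Chrome/54.0", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1366x768", "plugins": "PDF"},
    {"user_agent": "Safari/602", "accept_language": "fr-FR", "timezone": "Europe/Paris", "screen": "1920x1080", "plugins": "QuickTime"},
    {"user_agent": "Firefox/49.0", "accept_language": "en-US", "timezone": "Europe/Paris", "screen": "1366x768", "plugins": ""},
]


def fingerprint(client: dict, attributes: list) -> str:
    """Stable identifier derived from the chosen attributes only."""
    material = "|".join(f"{name}={client[name]}" for name in attributes)
    return hashlib.sha256(material.encode()).hexdigest()


def entropy_bits(values: list) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attribute_entropy(clients: list, attributes: list = ALL_ATTRIBUTES) -> dict:
    """Bits of identifying information each attribute carries on its own."""
    return {name: entropy_bits([c[name] for c in clients]) for name in attributes}


def unique_count(clients: list, attributes: list) -> int:
    """How many clients have a fingerprint shared with nobody else in the sample."""
    prints = Counter(fingerprint(c, attributes) for c in clients)
    return sum(1 for c in clients if prints[fingerprint(c, attributes)] == 1)


def anonymity_set(clients: list, attributes: list, index: int) -> int:
    """Size of the crowd a given client hides in (1 means fully identified)."""
    target = fingerprint(clients[index], attributes)
    return sum(1 for c in clients if fingerprint(c, attributes) == target)


if __name__ == "__main__":
    for name, bits in attribute_entropy(SAMPLE_CLIENTS).items():
        print(f"{name:>16}: {bits:.2f} bits")
    without_plugins = [a for a in ALL_ATTRIBUTES if a != "plugins"]
    print("unique with all attributes:  ", unique_count(SAMPLE_CLIENTS, ALL_ATTRIBUTES))
    print("unique without plugin list:  ", unique_count(SAMPLE_CLIENTS, without_plugins))
```

In this sample the time zone contributes nothing (everyone is in Europe/Paris), the screen resolution one bit, and the plug-in list three bits, which is exactly what makes every client unique once it is included; drop it and half of them fall back into a crowd. This is the reasoning behind the countermeasures the talk ends with: separate browser profiles and blocking extensions aim at shrinking the attribute set a site can read.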
The issue of location data was also raised, as was the massive use of the name resolution servers operated by Google (8.8.8.8 and 8.8.4.4), which can associate the domain names being resolved with the IP addresses of the users requesting them and their geolocation (city).
Charles then pointed out that the possible consequences could allow for targeted marketing or even industrial espionage based on information collected such as contextual personal information, place of residence or work, as well as personal preferences and ideologies.
Finally, he concluded his presentation by outlining how to protect oneself. He discussed setting up multiple Firefox profiles dedicated to specific activities and using extensions to block ads and trackers. Charles also mentioned secure distributions like QubesOS and Tails ("The Amnesic Incognito Live System"), which allow users to compartmentalize different parts of their digital lives or preserve their privacy and anonymity online by using the Tor network.