Links to reports from other days:<\/p>\n
- \n
- Hack.lu 2016 \u2013 first day<\/li>\n
- Hack.lu 2016 \u2013 Day Two<\/a><\/li>\n
- Hack.lu 2016 \u2013 Day Three<\/a><\/li>\n<\/ul>\n
Day 1<\/h1>\n
Keynote: Stressed out? Denial of service attacks from the providers' perspective<\/h2>\n
![\"Alice](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-21_15-03-15-265x300.jpg\")
<\/a><\/p>\nAlice Hutchings, from the University of Cambridge, opened this 12th edition by presenting the results of her thesis on criminology and more particularly on the "booter" or "stresser" services used to conduct distributed denial-of-service (DDoS) campaigns on websites.<\/p>\n
![\"lizard-squad\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/Lizard-squad-300x300.jpg\")
<\/a><\/p>\nOne of the best-known pirate groups offering this kind of service is the "Lizard squad," all of whose members have now been arrested after the UK's National Crime Agency paid them a visit.<\/p>\n
The website "vdos-s[.]com", with over 10,000 active users and which made headlines following its compromise <\/a>and to the arrest<\/a> The site, owned by two young people in September 2016, also falls into this category of platform. Following these revelations, KrebsOnSecurity.com suffered a denial-of-service attack that was thwarted thanks to Akamai's security service, which, incidentally, stopped protecting the site after the attack.<\/p>\n
A month later, the source code of "Mirai," the botnet that massively used compromised connected devices and was used against the KrebsOnSecurity website and the hosting provider OVH, was released. audience<\/a>.<\/p>\n
![\"Mirai](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/mirai-hf-580x232.png\")
<\/a><\/p>\nAccording to Alice, the life cycle of online criminal activities follows several phases: initiation, maintenance, and withdrawal.<\/p>\n
![\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-21_15-48-33.jpg\")
<\/a><\/p>\nIn order to learn more about the motivations that might lead people to engage in this type of activity, Alice became interested in the social aspect of a cybercriminal's life.<\/p>\n
She therefore invited 51 "booter" service providers out of the 63 initially identified (12 being offline during the 3-month period of her investigation) by offering them the opportunity to respond to an anonymous online survey or to participate in an interactive interview.<\/p>\n
Of all the invitations sent, only 25% responded, with a preference for the online form.<\/p>\n
The conclusions of his research paint the following portrait of cybercriminals:<\/p>\n
- \n
- They are mostly men aged 16-24, living primarily in the United States.<\/li>\n
- In most cases, the initiation phase is due to the influence of their social circle or the people they associate with.<\/li>\n
- Most of the attacks were orchestrated against online gambling sites<\/li>\n
- Financial gain has often been one of the main motivations<\/li>\n
- These actors often deny responsibility, feeling unaffected by existing laws and potential legal action against them.<\/li>\n<\/ul>\n
Alice concluded her presentation by indicating that she would continue her research, but this time on the defensive side in order to understand why some people choose to fight crime on the internet.<\/p>\n
Advanced exploitation: ROP and bypass protections under Linux<\/h2>\n
![\"Julien](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-21_17-00-56.jpg\")
<\/a><\/p>\nThis workshop was presented by Julien Bachmann aka @milkmix_<\/a>, working at Kudelski Security, on the topic of advanced vulnerability exploitation and more specifically on the ROP (Return-Oriented Programming) exploitation technique.<\/p>\n
After a brief review of simple buffer overflow techniques, the various concepts of ret2libc (allowing bypassing the non-executable stack) and the gadget search methodology for building the ROP chain were presented. The workshop concluded with techniques for bypassing ASLR (Address Space Layout Randomization), which is used to randomly distribute data in memory.<\/p>\n
For those wishing to complete the various exercises in this workshop, all the binaries can be retrieved from the following Github repository:<\/p>\n
https:\/\/github.com\/0xmilkmix\/training<\/a><\/p>\n
The materials for this workshop are also available at the following address:<\/p>\n
https:\/\/speakerdeck.com\/milkmix\/advanced-exploitation-on-linux-rop-and-infoleaks<\/a><\/p>\n
Cyber Grand Shellphish: Shellphish and the DARPA Cyber Grand Challenge<\/h2>\n
![\"cgc_logoanimation\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/CGC_LogoAnimation-300x212.gif\")
<\/a><\/p>\nKevin Borgolte, one of the members of the ShellPhish team, presented the defense research project to us.\u00ab\u00a0Cyber Grand Challenge<\/a>\u00a0\u00bb organized by the Defense Advanced Research Projects Agency (DARPA).<\/p>\n
As a reminder, ShellPhish is a team that participates in many CTF (Capture The Flag) and is ranked 8th on CTFtime, at the time of writing this article.<\/p>\n
![\"Classement](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-21_17-50-15.jpg\")
<\/a><\/p>\nThe goal of this challenge was to build a fully automated system to analyze, exploit and develop patches for the different binaries offered throughout the competition, with a prize of $2 million for the winning team.<\/p>\n
As Kevin mentioned, the start of the competition was very challenging and required many hours of work and effort. Despite an apparent delay in the competition due to late registration, they still managed to qualify for the finals.<\/p>\n
For these, ShellPhish built the "Mechanical Phish," whose architecture is as follows:<\/p>\n
![\"Mechanical](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-24_15-11-39.jpg\")
<\/a><\/p>\nThe biggest challenge was anticipating the behaviors and decisions of the different opponents, and avoiding penalty points awarded to the different teams in case of service unavailability or performance degradation.<\/p>\n
One of the techniques employed by ShellPhish was to insert a backdoor into the deployed patches. This technique allowed them to gain a significant number of points, as some teams preferred to use patches obtained from the network, thus potentially exposing themselves to a specific team rather than remaining generally vulnerable.<\/p>\n
96 rounds comprised this final, which took place on August 4, 2016 in Las Vegas, and during which more than 2400 exploits were generated by ShellPhish's machine, which finished in 3rd position behind Xandra and Mayhem:<\/p>\n
![\"Grand_Challenge](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2016\/10\/2016-10-24_16-28-28-300x131.jpg\")
<\/a><\/p>\nThe entire final can be viewed via the following link:<\/p>\n
https:\/\/www.youtube.com\/watch?v=n0kn4mDXY6I<\/a><\/p>\n
Appendices<\/h1>\n
The various presentation materials will soon be available at the following address:<\/p>\n
http:\/\/archive.hack.lu\/2016\/<\/a><\/p>\n
In the meantime, here are some links to watch the different conferences:<\/p>\n
- \n
- Day 1\n
- \n
- Stressed out? Denial of service attacks from the providers' perspective\n
- \n
- https:\/\/www.youtube.com\/watch?v=Z0UaZNxdioc<\/a><\/li>\n<\/ul>\n<\/li>\n
- Lightning Talk \u2013 Metabrik Meets CVE-Search by GomoR\n
- \n
- https:\/\/www.youtube.com\/watch?v=4YZUVIun4YI<\/a><\/li>\n<\/ul>\n<\/li>\n
- Lightning Talk \u2013 When Your Firewall Turns Against You by Rene Freingruber\n
- \n
- https:\/\/www.youtube.com\/watch?v=rEZmADCuO1g<\/a><\/li>\n<\/ul>\n<\/li>\n
- Lightning Talk \u2013 Cracking An Egg And Cooking The Chicken by Jacob Torrey\n
- \n
- https:\/\/www.youtube.com\/watch?v=6E65xNHFsZk<\/a><\/li>\n<\/ul>\n<\/li>\n
- Exploiting and attacking seismological networks\u2026 remotely by James Jara\n
- \n
- https:\/\/www.youtube.com\/watch?v=BHBnVV5eyr8<\/a><\/li>\n<\/ul>\n<\/li>\n
- Secrets in Soft Token: A security study of HID Global Soft Token by Mouad Abouhali\n
- \n
- https:\/\/www.youtube.com\/watch?v=waiWcoFlkb0<\/a><\/li>\n<\/ul>\n<\/li>\n
- KillTheHashes 30 million Malware DNA profiling exercise by Luciano Martins\n
- \n
- https:\/\/www.youtube.com\/watch?v=MdulbF0bQQ8<\/a><\/li>\n<\/ul>\n<\/li>\n
- Unveiling the attack chain of Russian-speaking cybercriminals\n
- \n
- Video - https:\/\/www.youtube.com\/watch?v=apOKU7j2XAY<\/a><\/li>\n<\/ul>\n<\/li>\n
- Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets\n
- Unveiling the attack chain of Russian-speaking cybercriminals\n
- KillTheHashes 30 million Malware DNA profiling exercise by Luciano Martins\n
- Secrets in Soft Token: A security study of HID Global Soft Token by Mouad Abouhali\n
- Exploiting and attacking seismological networks\u2026 remotely by James Jara\n
- Lightning Talk \u2013 Cracking An Egg And Cooking The Chicken by Jacob Torrey\n
- Lightning Talk \u2013 When Your Firewall Turns Against You by Rene Freingruber\n
- Lightning Talk \u2013 Metabrik Meets CVE-Search by GomoR\n
- https:\/\/www.youtube.com\/watch?v=Z0UaZNxdioc<\/a><\/li>\n<\/ul>\n<\/li>\n
- Stressed out? Denial of service attacks from the providers' perspective\n
- Day 1\n
- Hack.lu 2016 \u2013 Day Three<\/a><\/li>\n<\/ul>\n