Intrinsec attended the 7th edition of the Hack In Paris conference, preceding the Nuit du Hack, at the conference center of the Newport Bay Club hotel in Disneyland Paris.<\/p>\n
All conference materials should soon be available on the conference website:\u00a0https:\/\/hackinparis.com\/archives\/2017\/<\/a><\/p>\n The presentation videos are available on YouTube:\u00a0https:\/\/www.youtube.com\/playlist?list=PLaS1tu_LcHA8yOrGuyvBIJjEO87-vXQG2<\/a><\/p>\n Jayson E. Street is a security expert at Pwnie Express who gives numerous talks around the world.<\/p>\n During his presentation, he demonstrated how easy it was to conduct reconnaissance (both passive and active) to develop social engineering attacks on employees of large companies.<\/p>\n Throughout his presentation, he detailed how to obtain highly specific information by navigating various external databases (DNS, whois, shodan, etc.) and social networks (professional or otherwise). With just a few searches, Jayson developed a very plausible targeted phishing scenario.<\/p>\n His presentation also provided an opportunity to revisit the challenges of risk management within companies. Most executives believe they are immune to all risks: "It's never going to happen to me [when it comes to security]," which gives pause for thought.<\/p>\n Chaouki Kasmi and Jos\u00e9 Lopes Esteves are two agents from ANSSI. They presented their work on voice-based authentication methods (with a focus on Siri, Google Now and S-Voice).<\/p>\n After introducing us to the risks and impacts that the misuse of such systems could have, the two researchers detailed the physical and mathematical analysis methods they used to perform speech recognition (voice modeling, parameter extraction, voice non-linearity, frequency analysis method, etc.).<\/p>\n They then presented 3 black-box attack scenarios on these systems:<\/p>\n Finally, they pointed out that these results should be taken with a grain of salt and that they cannot be generalized given the black-box analysis method.<\/p>\n After presenting several countermeasures (preventing brute-force attacks, adding entropy with a challenge\/response mechanism, strengthening the model, etc.), they concluded that advancements in voice recognition are not yet mature enough. Therefore, using voice as the sole authentication method on your phones is not recommended!<\/p>\n Damien Cauquil is a security researcher at Econocom \u2013 Digital Security. His research often involves investigating proprietary IoT devices whose protocols are little known or unknown, and whose documentation is often very limited or even nonexistent. Reverse engineering these devices is time-consuming and expensive, especially if they employ complex protection mechanisms (military-grade encryption, etc.). Therefore, he presented a collaborative platform dedicated to sharing and gathering information and techniques (TTP) on these devices. Hardware Forensic Database (HFDB)<\/a>.<\/p>\n Sharing and collaboration are welcome!<\/p>\n Gil Cohen, CTO of Comsec Global, presented Windows Named Pipes and their characteristics. He introduced the IONinja tool, which allows users to read data transmitted through these named pipes. Because this information is accessible by default to any anonymous user on the network (it's not just accessible locally!) and is unencrypted, it can be exploited by an attacker.<\/p>\n By performing fuzzing<\/em> On certain named channels, Gil Cohen has shown that he can cause a crash<\/em> within two applications using named pipes: qBitTorrent and SugarSync. Unfortunately, the demonstration did not show whether it was possible to perform remote code execution through this mechanism.<\/p>\n Aaron Hnatiw is a security researcher at Security Compass.<\/p>\n In his presentation, he discussed the need to go beyond the OWASP Top 10 when assessing the security of web applications. To illustrate this, he presented three other types of vulnerabilities with concrete examples of exploitation:<\/p>\n To conclude his presentation, Aaron discussed the future developments of the OWASP Top 10 (with the 2017 version currently in release candidate). He reiterated that it was a good starting point for assessing the security of a web application, but that further investigation was needed to achieve a truly satisfactory level of security.<\/p>\n Raoul Alvarez, a security researcher at Fortinet, analyzed the workings of the Petya malware.<\/p>\n Find our detailed report in a separate article:\u00a0[HIP2017] \u2013 Dissecting A Ransomware-infected MBR \u2013 PETYA<\/a><\/p>\n Lee Jong Ho and Kim MinGeun are two Master's students in security in South Korea. They presented their work on smart TVs and more specifically on the WebOS operating system found on most connected televisions to date.<\/p>\n After detailing the internal mechanisms of WebOS, they performed a demonstration where they remotely took control of a connected television by:<\/p>\n This conference is described in detail in a dedicated article: [HIP2017] Bypass 802.1x \u2013 FENRIR<\/a><\/p>\n Edwin Van Andel discussed the complex relationship between hackers and companies in the context of vulnerability reporting processes. By default, those who report vulnerabilities are viewed negatively and considered malicious by companies. Despite responsible disclosure practices, hackers are still too often prosecuted.<\/p>\n By describing their methods and ways of thinking, he tried to show that hackers were benevolent and that they needed to be treated properly to encourage these approaches.<\/p>\n To conclude his presentation, the speaker clearly stated: "We hug!"\u00ab<\/p>\n Ayoub Elaassal, a security consultant at Wavestone, addressed the topic of mainframe security. These machines, with their high processing power, are widely used in large companies, such as banks and insurance companies. Having encountered this issue during certain projects, Ayoub continued his research, and his presentation described various mechanisms for bypassing the security of these machines.<\/p>\n The applications available on the mainframes are accessed via a Telnet connection and rely on the CICS (Customer Information Control System). The first step proposed by Ayoub is to escape the application environment displayed upon system access. This can be done by pressing a specific key combination, which may vary depending on the application or system. It is then possible to execute arbitrary transactions. Some of these transactions can have a significant impact on the confidentiality of the data stored on the mainframe. This is the case with the CECI (Live Interpreter Debugger) transaction, which allows the execution of CICS API commands. Through this transaction, it is possible to read the contents of files stored on the mainframe, and thus access potentially sensitive customer data.<\/p>\n The next step described by Ayoub is obtaining a reverse shell<\/em> on the mainframe. It achieves this through a CICS feature called "Spool functions". Using this function, it is able to write a program to the task scheduler (JES) queue, which will then execute it.<\/p>\n Ayoub Elaassal concludes by demonstrating the possibility of privilege escalation to obtain administrator rights on the system, made possible by two characteristics: firstly, there is a category of library (APF) for which each program can request higher privileges. Secondly, access rights to these libraries are not restrictive enough, allowing arbitrary code to be written within them.<\/p>\n The tools developed during this research are available on his Github<\/a>, and in particular cicspwn<\/a>, which automates some of the tasks mentioned above.<\/p>\n Wayne Huang and Sun Huang presented 25 methods they used within Proofpoint to obtain information on various malicious actors in the market.<\/p>\n Of the 25 methods presented, many are derived from standard penetration testing methodologies:<\/p>\n These methods nevertheless dispelled any doubt in the audience regarding the legitimacy of the actions taken.<\/p>","protected":false},"excerpt":{"rendered":" Intrinsec attended the 7th edition of the Hack In Paris conference, preceding the [\u2026]<\/p>","protected":false},"author":12,"featured_media":3268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"class_list":["post-3196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-veille-securite"],"yoast_head":"\nStrategies on Securing banks & enterprises \u2013 Jayson E. Street<\/h2>\n
Ventrilock exploring: voice-based authentication systems \u2013 Chaouki Kasmi & Jos\u00e9 Lopes Esteves<\/h2>\n
\n
Internet of compromised things: methodology and tools \u2013 Damien Cauquil<\/h2>\n
The forgotten interface: Windows named pipes \u2013 Gil Cohen<\/h2>\n
Beyond OWASP Top 10 \u2013 Aaron Hnatiw<\/h2>\n
\n
Dissecting a ransomware-infected MBR \u2013 Raul Alvarez<\/h2>\n
Are you watching TV now? Is it real? Hacking of smart TV with 0-day \u2013 Lee Jong Ho & Kim MinGeun<\/h2>\n
\n
802.1X Network Access Control and Bypass Techniques \u2013 Val\u00e9rian Legrand<\/h2>\n
Hackers! Do we shoot or do we hug? \u2013Edwin Van Andel<\/h1>\n
Popping a shell on a mainframe, is that even possible? \u2013 Ayoub Elaassal<\/h2>\n
25 Techniques to gather threat Intel and Track actors \u2013 Wayne Huang & Sun Huang<\/h2>\n
\n