Report for the SSTIC 2014 conference (Part 1 of 2)

Date: June 07, 2014

The SSTIC 2014 conference was held in Rennes (France) from 4 to 6 June 2014. It is a well-known French-speaking conference that brings together people who are fond of technology and security. The conference agenda is available at this location: https://www.sstic.org/2014/programme/

Our report for this event is split into 2 parts. This article is the first part. The second part will be published next month.

The presentation materials are available on this page. In addition to the presentation slides, most of the presentations also come with an article that describes the topic in more depth. For the whole conference, this makes around 600 pages of very interesting reference articles (in French, unfortunately). Our aim here is to give you a quick overview that will make you want to read these articles.

The table below gives an overview of the conference where each presentation has been assigned to a category. This shows, for example, that:

  • The “[Reverse]” category is the biggest one (7 presentations on this topic),
  • Technology-specific presentations are not focused on Windows (and no presentation dealt with Linux at all); smartphones, smart cards, cloud and networks are also well represented.

Topics        Nb   Comment
[Intro]        4   General presentations giving an introduction to a topic. This year the topics were: crypto, mainframes, CERTs and Industrial Control System security.
[Hacking]      4   Hacks and experiments.
[Reverse]      7   Reverse engineering, vulnerability research.
[Windows]      3   3 presentations related to Active Directory.
[SmartPhone]   3   GSM, Android and iOS.
[SmartCard]    2   Smart cards (JavaCard) and crypto cards (PKCS#11).
[Cloud]        2   Cloud and virtualization.
[Network]      2   Wide-range scanning and firewalls.
TOTAL         27

We give below a quick report on each presentation of this 2014 edition. Our report follows the conference agenda.

 

[Hacking] Opening talk by Travis Goodspeed

A presentation by a pretty wacky, enthusiastic hacker who described a series of computer curiosities such as:

  • A USB disk that erases itself when it detects a forensic copy attempt. This is quite easy to implement on an iPod, because this device can run an embedded Linux-like firmware (named “Rockbox”) which can easily be modified.
  • A trapped PGP file that produces itself when decompressed. This induces an infinite decompression loop in Symantec PGP, because it tries to decompress the file again and again.
  • Polyglot files, such as a file that can be read both as a PDF and as a ZIP.
  • Etc.
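As an added example (not from the talk, nor from PoC||GTFO), a small Python check that a defender can run on uploaded files to flag a PDF/ZIP polyglot of the kind described above: it looks for the PDF header within the first 1024 bytes (where PDF readers accept it) and validates the ZIP end-of-central-directory record, reporting how many bytes precede the archive. The sample file it builds is constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end of central directory record
CDIR_SIG = b"PK\x01\x02"   # ZIP central directory file header
# Constructed sample PDF prefix (not a complete PDF, enough for the header check).
PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"

def find_zip_eocd(data: bytes):
    """Locate the EOCD record; return (eocd_offset, cd_size, cd_offset) or None."""
    # The EOCD is 22 bytes plus a comment of at most 65535 bytes, at the very end.
    tail = data[-(22 + 65535):]
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        return None
    eocd = len(data) - len(tail) + pos
    if eocd + 22 > len(data):
        return None  # signature present but the record is truncated
    # disk no, cd disk, entries here, entries total, cd size, cd offset, comment len
    fields = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    return eocd, fields[4], fields[5]

def analyse(data: bytes) -> dict:
    """Report which container signatures the bytes satisfy and how many bytes precede the ZIP."""
    result = {"pdf": False, "zip": False, "zip_prefix_bytes": 0}
    # PDF readers accept the header anywhere in the first 1024 bytes: room for another format.
    result["pdf"] = b"%PDF-" in data[:1024]
    eocd = find_zip_eocd(data)
    if eocd is None:
        return result
    eocd_off, cd_size, cd_offset = eocd
    actual_cd = eocd_off - cd_size  # where the central directory really starts
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CDIR_SIG:
        return result
    result["zip"] = True
    # The recorded offset is relative to the original archive; the difference is prepended data.
    result["zip_prefix_bytes"] = actual_cd - cd_offset
    return result

def is_pdf_zip_polyglot(data: bytes) -> bool:
    r = analyse(data)
    return r["pdf"] and r["zip"]

def build_sample_polyglot() -> bytes:
    """Constructed sample: PDF header followed by a real ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello")
    return PDF_HEAD + buf.getvalue()
```

A non-zero zip_prefix_bytes on a file that also carries a PDF header is the signal to quarantine: tolerant unzip tools skip the prefix silently, so the file will open as both.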

For people who love such tricks, Travis is co-author of a crazy journal named « PoC||GTFO » (“The International Journal of Proof of Concept or Get the Fuck Out” by Reverend Pastor Manul Laphroaig) which is full of such curiosities. There is no official web site to download this journal, but it can be found on various mirrors, such as this one: http://pocorgtfo.freshdefense.net/.

 

[Windows] Analyzing Active Directory security with the BTA tool (by Airbus)

[Windows] Control paths on Active Directory (by ANSSI)

We group together these 2 presentations because they cover the same subject: the analysis of the security of a Windows Active Directory.

  • The first one presents a tool written in Python (named BTA) that runs scripts analyzing an offline copy of the AD. It can be used to inspect an AD and spot anomalies.
  • The second one presents a tool that produces a graph showing who can take control of the AD. There are several ways to take control of the AD: being a member of the administrator group, having the right to write to a GPO, or having control over an object that itself has control over the AD (and using transitivity). The graphs produced on real ADs are impressively complex and show that maintaining security on an AD is a real challenge, because there are really too many ways to take control of it.

These 2 presentations show that AD is really complex. Very few people really master this complexity, and running an AD can become ugly (from a security perspective). Either you close your eyes to it, and you become very vulnerable in case of attack, or you try to keep control and start security audits on the AD to detect weaknesses. The BTA tool is indeed worth a look if you choose that track.
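As an added example (not the ANSSI or Airbus tooling), the transitive control-path idea of the second talk reduced to its core: a constructed graph of control relations (group membership, GPO write access, object ownership) and a backward search for every principal that can reach the AD, plus an audit check against the list of principals expected to have such a path. Node and relation names are made up for illustration.

```python
from collections import deque

# Constructed sample of control relations (not the data model of the ANSSI tool):
# each edge (source, relation, target) means "source can take control of target".
EDGES = [
    ("alice", "member_of", "Domain Admins"),
    ("Domain Admins", "admin_of", "AD"),
    ("bob", "write_gpo", "Default Domain Controllers Policy"),
    ("Default Domain Controllers Policy", "applies_to", "Domain Controllers"),
    ("Domain Controllers", "admin_of", "AD"),
    ("carol", "owner_of", "helpdesk-svc"),
    ("helpdesk-svc", "member_of", "Domain Admins"),
    ("dave", "member_of", "Print Operators"),
]

def control_paths(edges, target="AD"):
    """Map every node that can (transitively) control target to its shortest control path."""
    reverse = {}
    for src, rel, dst in edges:
        reverse.setdefault(dst, []).append((rel, src))
    # BFS backwards from the target: each node remembers the step that leads closer to it.
    parent, queue = {}, deque([target])
    while queue:
        node = queue.popleft()
        for rel, src in reverse.get(node, []):
            if src != target and src not in parent:
                parent[src] = (rel, node)
                queue.append(src)
    paths = {}
    for start in parent:
        steps, cur = [], start
        while cur != target:
            rel, nxt = parent[cur]
            steps.append(f"{cur} -[{rel}]-> {nxt}")
            cur = nxt
        paths[start] = steps
    return paths

def unexpected_controllers(edges, allowed, target="AD"):
    """Audit view: principals with a control path to target that are not on the allow-list."""
    return sorted(set(control_paths(edges, target)) - set(allowed))

if __name__ == "__main__":
    for who, steps in sorted(control_paths(EDGES).items()):
        print(who, "=>", " ; ".join(steps))
```

On the sample, bob reaches the AD only through GPO write access and carol only through ownership of a service account: the two indirect paths an administrator would not see by reading group memberships alone.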

 

[Windows] Authentication Secrets episode II: the Kerberos counter-strike (by ANSSI)

This presentation shows that, once the AD is compromised, an attacker can steal the Kerberos material stored in the AD (the keys of the machines and of the KDC) and use it to forge the PAC (Privilege Attribute Certificate) carried in Kerberos service tickets, which grants arbitrary privileges illegitimately. It is probably impossible to properly clean a compromised AD: for example, changing the KDC key seems impossible. The only completely safe solution is to start from scratch: create a new Active Directory and gradually migrate to this new AD.

 

[SmartPhone] Security analysis of mobile phone modems (by ANSSI)

The ANSSI has set up a test lab for mobile phones, which allows observing the behavior of 2G, 3G and LTE phones when they connect to the operator's network infrastructure. This testbed allows, for example, observing the behavior of the phone when negotiating encryption keys, or when the protocol is not strictly followed. Of course, vulnerabilities were found: no warning when the data network is not encrypted, buffer overflows, etc. These vulnerabilities were reported to the manufacturers, and many have been fixed.

 

[SmartPhone] How to play Hooker: A solution for an automated analysis of an Android market (by Amossys)

The speaker presents a tool named “Hooker” that performs dynamic analysis of Android apps. “Hooker” has been used to run high-level test campaigns on large sets of Android applications. These campaigns assessed aspects such as the following:

  • How many applications actually use the permissions they requested?
  • Which cryptographic functions are the most used?
  • Etc.

Hooker relies on “Substrate” (for API hooking), “ElasticSearch” (to store the results in a database) and “Kibana” (to explore the data stored in the database). The test campaign covered a set of several thousand applications downloaded from various Android markets (official or not). The results are given in the article published on the SSTIC web site.

 

[SmartPhone] Digital investigation and Apple iOS device (by ANSSI)

The speaker analyzes how to perform forensic investigations on iOS devices, and in particular how to produce a disk image. iOS disks are often encrypted twice (full encryption of the NAND disk, and encryption of files in the file system), so a disk copy can consequently only be made from the running OS or through auxiliary channels (such as the backups made via iTunes). The speaker presents various methods to obtain a disk copy, and in particular a method he developed that relies on a jailbreak (the copy is launched from the live device, once it has been jailbroken). This approach is not forensically sound (because the device is modified), but it is sometimes the only way to get a copy of the disk.

 

[Reverse] Catch Me If You Can - A Compilation Of Recent Anti-Analysis In Malware (by Cyphort.com)

This is a very specific presentation, which explained the various anti-analysis protections that the speaker had to deal with when analyzing malware.

 

[Hacking] Security analysis of DSL boxes (by CNRS-LAAS at Toulouse)

The approach here is to look at the traffic between the DSL box at the subscriber's premises and the DSLAM at the operator's network edge, in order to observe the service traffic. For some operators, this traffic is sent in clear text (HTTP), and an attacker who can gain access to the network segment can mimic operator requests and, for example, send fake firmware updates. To experiment with this, the speaker put his own DSLAM on the subscriber phone line. More precisely, he inserted into the subscriber line a chain consisting of a DSLAM, a local network segment and a DSL modem: the signal sent by the subscriber is decoded by the DSLAM, can easily be observed on the local network segment, and is re-encoded by the DSL modem before being sent to the genuine DSLAM.

 

[Hacking] Smart-TV security (by Thales)

The speaker tested the security of a Philips IP-connected TV set. As could be expected, the results were not good: the security level is poor. The story can be summed up as follows: network scan, vulnerable UPnP server running as “root”, resulting in the attacker gaining “root” access on the TV set. The details can be found in the presentation and the accompanying article.

 

[Hacking] The radio that came in from the cold (by Cogiceo.com)

The speaker explained that most wireless devices (such as keyboards) now use the nRF24L01 chip from Nordic Semiconductor. This chip generates a 2.4 GHz signal. The speaker presents all the possible solutions to eavesdrop on such a signal. This includes the following devices:

  • RTL-SDR
  • KeyKeriki
  • GoodFET by Travis Goodspeed
  • An MMDS downconverter that shifts the source signal frequency into a range supported by the RTL-SDR device

Most of the presentation is focused on hardware. In his conclusion, the speaker indicates (but this has been known for some time) that some wireless keyboards are insecure. Logitech uses AES encryption (which is good), but Microsoft just uses XOR (and this can easily be broken).

 

[SmartCard] Privilege escalation on a Java Card smartcard (by Limoges University)

This presentation elaborates on the EMAN attack (first presented at SSTIC 2009, and in version 2 at SSTIC 2011) and describes a version 3 of this attack. This new variant has been tested on a set of Java Cards: 3 out of 7 showed abnormal behaviors (see the yellow lines on presentation slides 27 and 28).

 

[SmartCard] Research of vulnerabilities in USB stacks: method and tools (by QuarksLab)

The speaker presents a fuzzer developed to test the robustness of USB drivers. He first presents a solution based on QEMU (a software approach), but then turns his interest to Facedancer (a hardware approach developed by Travis Goodspeed). The full fuzzing environment includes:

  • Regular traffic capture,
  • Traffic mutation with Radamsa,
  • Target system behavior observation.

The fuzzing campaigns against Windows 8.1 have not yet found exploitable flaws. The current tool supports only USB2, but support for USB3 should be added in the future. As the USB3 stack was rewritten in Windows 8, it is highly probable that flaws will be found in it.

 

We stop here our report. The second part will be published next month in our Monthly Bulletin.
