JSSI 2012 conference overview
Date : March 30, 2012
The 11th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), was held in Paris on March 13th, 2012. As usual, about a hundred attendees were present. Here is a report of the presentations given there. The full agenda and the presentation materials are available on the conference website.
This year, the conference focused on cyber intrusion topics (pen-testing, DDoS defenses, post-incident analysis, etc.) and most of the talks were rather technical: except for the first two presentations, which addressed organisational and legal issues, the five remaining presentations were closely tied to tools, technologies and technical analysis.
The role of security service providers in IT security (by MBDA)
This presentation discusses the various aspects of buying security audits as a service:
- Why perform an audit?
- Why use a service provider?
- How to choose this provider?
- Why is the starting phase so important for success?
- How to monitor the audit as it progresses and make its results fully usable?
Although conventional, the talk provides interesting examples (such as the suggestion to perform the most sensitive tasks on the customer's own computers in order to preserve data confidentiality) and emphasises the following points:
- It is very important that both parties understand each other: take the time to know your provider and explain your needs and expectations. Ask the provider to adapt its deliverables to your business context (its recommendations must be understandable and relevant for your context).
- Trust between the provider and the customer is a key success factor.
Legal aspects of pen-testing (by HSC)
This presentation deals with the legal issues that must be taken into account when performing a penetration test, such as:
- Do we have the right to perform a penetration test?
- Can the selected provider subcontract the pen-test activities?
- Are some attack techniques prohibited (e.g. social engineering)?
- Can the web hosting provider file a complaint if it considers the pen-test an attack against its infrastructure?
- etc ...
The speaker indicates that these issues are resolved if a properly written agreement is prepared and signed by the involved parties at an appropriate management level. He describes the typical contents of such an audit agreement (made up of 11 parts, including an authorization form, a description of the scope, the limitations of the tests, etc.).
Protecting the Charlie Hebdo web site with NAXSI (by NBS)
This talk presents NAXSI, a WAF (Web Application Firewall) that NBS developed to protect websites against attack attempts. NAXSI is open-source software that runs as a module of the Nginx reverse proxy. To detect attacks, it does not rely on a database of attack signatures (an approach the presenter calls WAA, Web Application Antivirus). Instead, its engine evaluates each web request against a small set of generic rules (characters and keywords typical of injection attacks) and assigns the request a score; if the score exceeds a given threshold, the request is considered dangerous and rejected. To avoid false positives, NAXSI uses whitelists, which are built during a learning period before the WAF is put into production: the WAF observes the regular requests generated by legitimate users and generates whitelists that match them, so that the rules they trigger no longer count.
NAXSI was used "in the wild" for the first time in November 2011, to defend the website of the Charlie Hebdo magazine when it was attacked after publications that were seen as Islamophobic.
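To make the scoring-plus-whitelist approach concrete, here is a small Python model of it. This is an added example, not NAXSI's code nor anything NBS presented: the rule shape is loosely inspired by NAXSI's MainRule / CheckRule / BasicRule directives, but the rule ids, patterns, scores, the threshold and the sample requests are all assumptions made for the illustration.

```python
"""Score-based request filtering with learned whitelists (toy model).

Added example, not NAXSI's code. Rules add points to per-category scores,
a check rule blocks a request once a category reaches its limit, and
whitelists learned from legitimate traffic silence the rules that fire on
normal input for the exact parameter they fired on.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# (rule id, pattern, zones it applies to, category, points) - constructed
RULES = [
    (1000, re.compile(r"select|union", re.I), {"URL", "ARGS", "BODY"}, "SQL", 4),
    (1001, re.compile(r"'"),                  {"ARGS", "BODY"},        "SQL", 4),
    (1002, re.compile(r"--"),                 {"ARGS", "BODY"},        "SQL", 4),
    (1300, re.compile(r"<"),                  {"ARGS", "BODY"},        "XSS", 4),
    (1301, re.compile(r">"),                  {"ARGS", "BODY"},        "XSS", 4),
]
# Check rules: a request is blocked when a category score reaches its limit.
CHECK = {"SQL": 8, "XSS": 8}


def zones(request):
    """Yield (zone, parameter name, value) for every inspectable part of a request.

    `request` is a plain dict: {"url": "/path?query", "body": "form-encoded"}.
    """
    parts = urlsplit(request["url"])
    yield "URL", None, parts.path
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "ARGS", name, value
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        yield "BODY", name, value


def score(request, whitelist=frozenset()):
    """Return ({category: score}, [(rule id, zone, parameter) that fired]).

    A whitelist entry (rule id, zone, parameter) silences that rule for that
    parameter only; the same pattern is still scored on other parameters.
    """
    scores = defaultdict(int)
    hits = []
    for zone, name, value in zones(request):
        for rule_id, pattern, rule_zones, category, points in RULES:
            if zone not in rule_zones or not pattern.search(value):
                continue
            hit = (rule_id, zone, name)
            if hit in whitelist:
                continue
            scores[category] += points
            hits.append(hit)
    return dict(scores), hits


def is_blocked(request, whitelist=frozenset()):
    """Apply the check rules to the request's scores."""
    scores, _ = score(request, whitelist)
    return any(scores.get(cat, 0) >= limit for cat, limit in CHECK.items())


def learn(legitimate_requests):
    """Learning mode: every rule that fires on known-good traffic is whitelisted
    for the exact (zone, parameter) it fired on."""
    whitelist = set()
    for request in legitimate_requests:
        _, hits = score(request)
        whitelist.update(hits)
    return frozenset(whitelist)


if __name__ == "__main__":
    attack = {"url": "/search?q=' OR 1=1 --"}
    comment = {"url": "/post", "body": "comment=It's <b>fine</b>"}
    print(is_blocked(attack), is_blocked(comment))          # True True (false positive)
    wl = learn([comment])
    print(is_blocked(attack, wl), is_blocked(comment, wl))  # True False
```

The point of the learning phase is visible in the last two lines: a legitimate comment containing an apostrophe and HTML tags is blocked until the rules it triggers are whitelisted for that parameter, while the SQL injection on another parameter stays blocked. Because the whitelist is per rule and per parameter, an injection placed in the whitelisted comment field still scores on the rules that were not whitelisted (the `select|union` and `--` rules here), which is why learning from clean traffic does not simply open the door.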
Feedback on black-box web audit tools (by Orange)
This presentation summarizes the experiments the speaker made with black-box web site audit tools. The speaker first explains that such a tool is made of four modules, each of which must be properly implemented for the tool to be effective:
- First, the crawler module, which browses the web site to find all the entry points of the web application.
- Then the injection module, which must be able to inject attack attempts through all the available vectors: GET parameters, POST data, cookies, etc.
- The vulnerability analysis module, which must be able to detect a wide range of vulnerabilities: XSS, SQL injection, etc.
- The reporting module.
The speaker then presents the results of tests performed on four open-source tools: w3af, Arachni, Wapiti and Skipfish. Arachni seemed to be the most effective overall, but w3af has better coverage in terms of vulnerability tests (the best analysis module).
NoSQL injections (by NGM Security)
NoSQL is a family of databases that do not follow the classical relational model. The technology is still not very widespread, but it is used in particular by applications that need high performance and handle very large amounts of data: Facebook and Twitter, for example, report using NoSQL technologies. The best-known NoSQL database is MongoDB.
The presentation examines whether injection attacks, well known in the SQL world, can be transposed to NoSQL databases. The answer is yes: just as with relational databases, if user-supplied data is not properly validated and sanitized, NoSQL injection is possible.
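The report above does not say which injection the speaker demonstrated, so the following is an added example rather than the talk's own material. It goes a little beyond the summary by showing the MongoDB-specific form of the problem: MongoDB queries are JSON-like documents, so an application that copies decoded JSON input straight into its query lets the attacker substitute an operator object such as `{"$ne": ""}` for the expected string, turning an equality check into a comparison the attacker controls. To run offline, the query is evaluated by a tiny in-memory matcher that only implements the operators used here; the user records and the matcher itself are constructed for the illustration and are not MongoDB's code.

```python
"""NoSQL (MongoDB-style) operator injection: vulnerable and hardened login.

Added example, not from the talk. The in-memory matcher stands in for the
database and supports only $ne, $gt and $regex.
"""
import json
import re

USERS = [  # constructed sample collection
    {"user": "alice", "pw": "s3cret", "role": "admin"},
    {"user": "bob", "pw": "hunter2", "role": "user"},
]


def matches(doc, query):
    """Evaluate a MongoDB-like filter (equality or {"$op": arg}) against one document."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):  # operator object instead of a literal
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$gt":
                    ok = value is not None and value > arg
                elif op == "$regex":
                    ok = isinstance(value, str) and re.search(arg, value) is not None
                else:
                    raise ValueError("unsupported operator " + op)
                if not ok:
                    return False
        elif value != cond:
            return False
    return True


def find_one(query, collection=USERS):
    """First document matching the filter, or None (like findOne)."""
    return next((doc for doc in collection if matches(doc, query)), None)


def login_vulnerable(json_body):
    """Copies decoded JSON values into the query: their *type* is attacker-controlled,
    so {"pw": {"$ne": ""}} matches any non-empty password."""
    data = json.loads(json_body)
    return find_one({"user": data["user"], "pw": data["pw"]})


def login_hardened(json_body):
    """Same query, but only scalar strings may reach it."""
    data = json.loads(json_body)
    user, pw = data.get("user"), data.get("pw")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("credentials must be strings")
    return find_one({"user": user, "pw": pw})


if __name__ == "__main__":
    print(login_vulnerable('{"user": "alice", "pw": {"$ne": ""}}'))  # alice's record, no password known
    print(login_hardened('{"user": "alice", "pw": "s3cret"}'))       # alice's record, password required
```

The hardened variant is the "properly controlled" input the talk calls for: the fix is not escaping quotes, which is irrelevant here, but rejecting any value whose type is not the one the query expects. The same type check is what stops the `$regex` variant, which would otherwise let an attacker enumerate user names or passwords one character at a time.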
XML and security (by Agarri.fr)
The speaker first presents the XML technology:
- A very simple basic structure (a document organised as a hierarchy of tags), but highly extensible: by defining namespaces, XML can be used to describe any new data structure.
- XML has a property the speaker calls homo-iconicity: all XML data looks the same while describing totally different things, depending on the namespace it belongs to. An XML file can thus contain such different things as SVG (a graphics format), XSLT (a textual transformation language), processing instructions (PI) or XHTML (Extensible HTML), or even combine all of these within the same file.
- Although not obvious at first glance, XML is present on many websites. It is used, for example, by the websites of Microsoft Azure, WordPress, the W3C and Chronopost.
The talk then explains some of the vulnerabilities induced by XML, with several examples:
- Concealment by encapsulation of malicious content. For example, a PDF document can be hidden within an XML file using the XDP namespace defined by Adobe. According to the speaker, this encapsulation defeats antivirus detection because none of the antivirus products support XDP.
- The "LOL bomb" attack (better known as "billion laughs"): a small document whose nested entity declarations expand, when parsed, into millions or billions of copies of an entity named "lol". It can be used either to cause a denial of service or to detect that a remote server runs an XML engine (fingerprinting).
- XXE (XML External Entity) attacks, which force the vulnerable XML engine to fetch and include external content. This typically makes the engine disclose the contents of files that are normally not accessible.
- XSLT vulnerabilities. This is an update of the study on the offensive use of XSLT that the speaker presented at the SSTIC conference in 2011 (see our report on that conference).
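As an added example covering both entity attacks above (it is not the speaker's code), here is a small pre-parse check that inspects a document's internal DTD subset before it reaches an XML engine. It reports external entities (the SYSTEM or PUBLIC identifiers that make a parser read a file or URL, i.e. XXE) and computes, arithmetically and without expanding anything, how large each internal entity would become after full recursive expansion, flagging the exponential growth of a "billion laughs" document and any self-referencing entity. The regular expressions only handle the DOCTYPE shapes shown here (no parameter entities), the 10,000-character threshold is an arbitrary choice, and all sample documents are constructed.

```python
"""Pre-parse inspection of an XML document's DTD for entity attacks.

Added example, not the speaker's code. Detects external entities (XXE) and
estimates the expanded size of internal entities (billion laughs) without
ever expanding them.
"""
import re
from collections import Counter

DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>\w+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC\s+"[^"]*")\s*"(?P<uri>[^"]*)"|"(?P<value>[^"]*)")\s*>'
)
REF_RE = re.compile(r"&(\w+);")


def entity_declarations(xml_text):
    """Return (internal entities {name: value}, external entities {name: uri})."""
    internal, external = {}, {}
    doctype = DOCTYPE_RE.search(xml_text)
    if doctype and doctype.group("subset"):
        for ent in ENTITY_RE.finditer(doctype.group("subset")):
            if ent.group("ext"):
                external[ent.group("name")] = ent.group("uri")
            else:
                internal[ent.group("name")] = ent.group("value")
    return internal, external


def expanded_size(name, internal, _stack=()):
    """Characters `name` expands to after full recursive expansion.

    Cost is linear in the nesting depth: each distinct reference inside a
    value is costed once and multiplied by how often it appears.
    """
    if name in _stack:
        raise ValueError(f"entity {name} is recursive")
    if name not in internal:
        return len(f"&{name};")  # undefined or predefined (&amp; ...): left as is
    value = internal[name]
    size = len(REF_RE.sub("", value))
    for ref, count in Counter(REF_RE.findall(value)).items():
        size += count * expanded_size(ref, internal, _stack + (name,))
    return size


def analyse(xml_text, max_expansion=10_000):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    internal, external = entity_declarations(xml_text)
    findings = [f"external entity {n} -> {u}" for n, u in external.items()]
    for name in internal:
        try:
            size = expanded_size(name, internal)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if size > max_expansion:
            findings.append(f"entity {name} expands to {size} characters")
    return findings


def laughs_document(depth):
    """Constructed 'billion laughs' sample: each level references the previous one 10 times."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * 10}">')
        prev = f"lol{i}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{prev};</lolz>")


XXE_DOCUMENT = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""  # constructed

BENIGN_DOCUMENT = """<!DOCTYPE foo [ <!ENTITY company "Example SA"> ]>
<foo>&company; &amp; partners</foo>"""  # constructed

if __name__ == "__main__":
    print(analyse(XXE_DOCUMENT))          # ['external entity xxe -> file:///etc/passwd']
    print(analyse(laughs_document(9)))    # lol4 .. lol9, the last one 3000000000 characters
    print(analyse(BENIGN_DOCUMENT))       # []
```

A check like this is a useful gate in front of a parser you cannot reconfigure, but the real fix is in the parser: disable DTD processing or at least external entity resolution and cap entity expansion. The nine-level sample shows why the arithmetic matters: the document itself is under a kilobyte, yet the top-level entity would expand to three billion characters.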
Windows Forensics (by Devoteam)
This presentation provides an update on the tools available for forensic analysis on Windows. It does not cover techniques based on live capture of the state of a running system (memory image, lists of processes and network connections, etc.), because most of the incidents analyzed are old (the investigation takes place several months after the incident), which greatly limits the value of this type of analysis.
The techniques presented cover the following topics:
- Analysis of the file system. Three main approaches: examining the timestamps associated with files (creation, modification and access dates), reviewing the ACLs set on directories (in case an attacker has added an ACL to gain access to a directory's contents) and searching for ADS (Alternate Data Streams).
- Analysis of the Windows event logs. The presenter mainly focuses on the difficulties induced by the new event log file format (the ".evtx" files introduced with Windows Vista) compared with the traditional format (the ".evt" files used before Vista). For example, the binary format has become more complex: it changed from a simple sequential format to one organized in chunks of events. The speaker recommends the following tools for parsing it: the Perl Evtx parser, TZWorks' Windows Event Log Viewer and Microsoft's wevtutil.
- Analysis of the registry. The registry contains a lot of information useful to a forensic analysis because most user actions leave a trace in it (such as the MRU, Most Recently Used, entries).
There is no unified tool integrating these different approaches (whereas there are frameworks, such as Volatility, for memory analysis, and advanced tools for recovering deleted data). As a consequence, the investigator's toolkit consists of a large number of small utilities that must be mastered. To remedy this, the presenter is taking part in the development of a tool called "RtCA". It is still a young product (version 0.1 has been available since October 2011: see this entry on the author's blog) which evolves quickly.
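To illustrate the file-system part of that toolkit, here is one of the small single-purpose utilities the speaker says an investigator ends up with. It is an added example, not RtCA or any tool from the talk: it turns per-file timestamps into a sorted timeline, lets you narrow it to a suspected incident window, and flags two of the indicators listed above: a creation time later than the last modification (what a file copied onto the system, or a crude timestamp change, looks like) and a name that denotes an Alternate Data Stream. The records are constructed; on a real image they would come from the file system parser, and the ADS check assumes Windows drive-letter paths.

```python
"""File-system timeline with two simple indicators (added example, not from the talk)."""
from datetime import datetime

# constructed records: (path, created, modified, accessed), ISO-8601 UTC
FILES = [
    ("C:\\Windows\\System32\\calc.exe",
     "2009-07-14T01:14:00", "2009-07-14T01:14:00", "2011-12-01T08:00:00"),
    ("C:\\Windows\\Temp\\svchost.exe",
     "2011-11-20T22:41:10", "2010-02-03T10:00:00", "2011-11-20T22:41:10"),
    ("C:\\Users\\Public\\notes.txt:payload.exe",
     "2011-11-20T22:45:00", "2011-11-20T22:45:00", "2011-11-20T22:45:00"),
]


def parse_record(record):
    """Turn the ISO strings of a record into datetime objects."""
    path, created, modified, accessed = record
    ts = datetime.fromisoformat
    return path, ts(created), ts(modified), ts(accessed)


def timeline(records=FILES):
    """Sorted list of (timestamp, event, path), oldest first."""
    events = []
    for path, created, modified, accessed in map(parse_record, records):
        events += [(created, "created", path),
                   (modified, "modified", path),
                   (accessed, "accessed", path)]
    return sorted(events)


def events_between(start, end, records=FILES):
    """Events with start <= timestamp < end: the suspected incident window."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [ev for ev in timeline(records) if s <= ev[0] < e]


def is_ads(path):
    """True when the name carries a stream name (assumes a drive-letter path)."""
    return ":" in path[2:]


def anomalies(records=FILES):
    """(path, reason) pairs that deserve a closer look."""
    found = []
    for path, created, modified, accessed in map(parse_record, records):
        if created > modified:
            found.append((path, "created after last modification"))
        if is_ads(path):
            found.append((path, "alternate data stream"))
    return found


if __name__ == "__main__":
    for ts, event, path in events_between("2011-11-20T00:00:00", "2011-11-21T00:00:00"):
        print(ts, event, path)
    print(anomalies())
```

On the constructed data the window of November 20th isolates the copy of a binary into Windows\Temp (created well after its own modification time, the signature of a copied file) followed a few minutes later by the creation of a stream hidden behind a text file. The same two checks apply unchanged to the thousands of records a real file system parser produces; the value of the timeline is in reading the events around the ones flagged.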
Conclusion
This year's JSSI topic (cyber intrusion) covered a broad field that was mainly addressed from a technical angle. Although we would have liked a more global view of how this threat is managed, the presentations were of good quality and made the conference very interesting.