"GS-Days 2013" conference report
Date : May 24, 2013
The 5th edition of the "GS Days" conference was held in Paris on April 4th, 2013. This event is organized yearly by the founder of the French IT news magazine Global Security Mag. The conference program included twelve presentations (running in parallel in two meeting rooms) covering legal, technical and organizational topics.
We present below the sessions Cert-IST attended. The full agenda and presentation materials are available (in French) on the conference website.
Plenary conference: Cloud security: beyond a Manichean vision
Roundtable moderated by Jérôme Saiz, Security Expert and Qualys editor, with:
- Maître Diane Mullenex, Cabinet Ichay & Mullenex,
- Philippe Humeau, DG of NBS System, CerberHost creator,
- Thierry Floriani, Numergy RSS,
- Alexandre Morel, OVH project manager,
- Olivier Iteanu, EuroCloud.
This round table addressed the technical, legal and organizational considerations related to the security of data in applications hosted on cloud computing architectures.
The speakers were all convinced that the cloud is an opportunity. They distinguished between a secure private cloud and a public cloud, which is more open but raises many technical problems (such as synchronization of remote databases) or legal problems (the confrontation of different courts in different countries).
The best solution would probably be a hybrid cloud, mixing both types of architecture. This solution requires a risk analysis to accurately identify the data which can be stored in a public cloud and the data which must stay in a private cloud.
Hacktivists, from Scientology to cyber wars
Yoann HEDDE, Lineon.
The conference presented a typology of hacktivists, their motives and their methods.
The word "hacktivist" is composed of the words "hacker" and "activist". It was first used in 1996 by the hacker Omega, who was a member of the "Cult of the Dead Cow" group.
It means a person who uses a computer to serve political causes.
Hacktivists think that freedom of expression and access to information are fundamental rights, and that they should fight to preserve them.
The speaker identified three types of hacktivists:
- the computer engineer, who has sharp computer skills and whose motives may be varied (support of national causes, digital protest, fun and provocation),
- the "script kiddie", who has limited computer skills and uses simple software for purposes of provocation or fun,
- the hacktivist, who uses IT as a support for political purposes (support of national causes, digital protest).
These hacktivists use the following means:
- survival kits aimed at helping the victims of dictatorships to escape monitored or censored networks,
- harm to the image through protests or defacements,
- personal injury through personal information disclosure,
- harm to organizations through denial of service or data theft.
The presentation concluded with advice on how to avoid becoming a hacktivist target:
- code hardening and perimeter protection of the website, so as to be less exposed to defacement,
- network control to fight against data theft.
Mobile payment market, new playground for cybercriminals
Maître Diane Mullenex, Cabinet Ichay & Mullenex
This conference presented:
- a "Mobile payment" definition
It is "all the payments for which payment data and instructions are issued, transferred or confirmed through a mobile device."
The European Commission has identified two categories of "Mobile payment": remote (through the internet or SMS) and proximity (through NFC).
- the "Mobile payment" legal status
The legal problems related to "Mobile payment" concern the identification of duties and responsibilities between the various actors (telecom operators, banks, retailers).
- security issues related to "Mobile payment"
Security being essential to win the consumers' trust, it is important to fight the various threats (SIM card cloning, malware, ...) by developing techniques and tools against insecurity (safety standards, audits, cooperation between the different actors, access codes, ...).
Plenary conference: Implementing a network defense capacity at the EU Council: from theory to practice
Presented by:
- Jean-Luc AUBOIN,
- Sébastien LEONNET.
This conference presented a specific case of a network defense capacity implementation.
At the end of 2008, facing many attack attempts and the poor security of its network (network audits had revealed suspicious behaviors), the European Union Council decided to set up a network defense capacity.
This development went through a phase of appropriation of the theoretical concepts, followed by the implementation of these concepts through the recruitment of qualified personnel and the development of an appropriate strategy.
APT: are they advanced attacks?
Nicolas RUFF, Security Expert, EADS Innovation Works
This presentation argued that APTs ("Advanced Persistent Threats") are not so "advanced".
These attacks succeed because of the large number of vulnerabilities and the lack of defense in depth.
They use simple, well-known techniques:
- to bypass password authentication,
- to check the Windows domains,
- to steal data.
APTs would not be such advanced attacks after all!
Demonstrations of security vulnerability exploitation and practical presentations
Presentation by the ARCSI (Association des Réservistes du Chiffre et de la Sécurité de l'Information) demonstrators:
- Cyrille TESSER, Expert at the "Cour d'appel de Paris", IT security expert, presented a hardware device used, in the context of judicial expertise, to read all information contained in or having transited through a mobile phone.
- Isabelle LANDREAU, LANDREAU law firm, presented the legal aspects of personal data and privacy protection when using a mobile phone: authorization to establish communications, supervision of wiretaps, release of pictures, ...
- Vincent HAUTOT, Security auditor, SYSDREAM, presented a Metasploit framework demonstration.
HTML5 and security: a progress report
Presented by Sébastien GIORIA, French OWASP Leader – OWASP France
This presentation focused on the security impacts of the new HTML5 APIs:
- WebSocket
- WebMessaging
- IndexedDB
- OffLineWeb Application
- WebStorage
- Cross-Origin Resource Sharing
According to the speaker, these APIs are exposed to many types of attacks (cross-site scripting, denial of service, injections, ...), and the HTML5 standard does not take into account the security risks associated with these new APIs.
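To make the speaker's point concrete for two of the APIs listed above, Web Messaging and Cross-Origin Resource Sharing, here is an added example (not code from the presentation or from OWASP France) showing the weak pattern beside a hardened one for each: a postMessage listener that trusts any origin versus one that checks an origin allowlist and the message shape, and a CORS handler that reflects the request origin with credentials versus one that only answers for allowlisted origins. The origins `https://app.example` and `https://evil.example`, and the event and request objects, are constructed for the demonstration so the code runs under Node.js without a browser.

```javascript
// Added example (not from the GS Days presentation): defender-side checks for
// the HTML5 Web Messaging (postMessage) and CORS APIs. The "events" and
// "requests" below are constructed objects, so this runs without a browser.

// --- Web Messaging ---------------------------------------------------------
// Weak pattern: a listener that processes data from any origin. Any page that
// obtains a reference to this window can feed it arbitrary messages.
function makeUncheckedHandler(onMessage) {
  return function (event) {
    onMessage(event.data);            // no origin check, no schema check
    return true;
  };
}

// Hardened pattern: only messages from an explicit allowlist of origins are
// processed, the payload must be a JSON object with an expected shape, and
// anything else is dropped (a real app would also log the drop for detection).
function makeCheckedHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function (event) {
    if (!allowed.has(event.origin)) {
      return false;                   // drop: origin not trusted
    }
    let payload;
    try {
      payload = JSON.parse(event.data);
    } catch (e) {
      return false;                   // drop: not well-formed JSON
    }
    if (typeof payload !== "object" || payload === null ||
        typeof payload.action !== "string") {
      return false;                   // drop: unexpected shape
    }
    onMessage(payload);
    return true;
  };
}

// --- CORS ------------------------------------------------------------------
// Weak setting: reflect whatever Origin arrives and allow credentials, which
// lets any site read authenticated responses cross-origin.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected setting: exact-match allowlist. Unknown origins get no CORS
// headers at all, so the browser blocks the cross-origin read.
function corsHeadersAllowlisted(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                 // caches must key on the Origin header
  };
}

// Constructed sample origins (assumed values, not real sites).
const trustedOrigin = "https://app.example";
const untrustedOrigin = "https://evil.example";

// Runs both handlers over constructed events and returns what each accepted.
function demo() {
  const seen = [];
  const unchecked = makeUncheckedHandler((d) => seen.push(d));
  const checked = makeCheckedHandler([trustedOrigin], (p) => seen.push(p.action));

  return {
    uncheckedAcceptsAnyOrigin: unchecked({ origin: untrustedOrigin, data: '{"action":"x"}' }),
    checkedRejectsUntrusted: checked({ origin: untrustedOrigin, data: '{"action":"x"}' }),
    checkedRejectsBadJson: checked({ origin: trustedOrigin, data: "not json" }),
    checkedAcceptsTrusted: checked({ origin: trustedOrigin, data: '{"action":"refresh"}' }),
    reflectedHeaders: corsHeadersReflecting(untrustedOrigin),
    allowlistedHeaders: corsHeadersAllowlisted(untrustedOrigin, [trustedOrigin]),
    seen,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two hardened functions share one design choice: the decision is made on an exact string match of the origin, never on a substring or prefix test, because `https://app.example.attacker.test` would pass a prefix check. The `Vary: Origin` header matters once an allowlist is in place, otherwise a shared cache could serve a response tagged for one origin to another.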