FRHACK01 2009 conference report

The first edition of the FRHACK01 conference was held on September 7th and 8th, 2009 in Besançon (France). This is the first time that such a conference is organized in France. FRHACK tries here to follow the well known "underground" conferences such as "BlackHack", "DefCon", "ToorCon or even closer in Europe “Hack.lu”. A wide range of audience attended the event, from security professionals, security amateurs, to people just curious about “hacking”, but especially people passionated by technologies, the "hackers" in the original sense of the term.

In practice, several presentations were conducted in parallel, so it is therefore not possible for one person to attend all of them. Although the conference was told to be French speaking, almost all of the presentations were made in English. This report therefore tries to provide an overview of the presentations we could attend.

• Social and cognitive psychology applied to the fuzzing of the human

In this presentation, Bruno Kerouanton covers many aspects of the psychology of human being. It shows in particular how it is possible to abuse our brain (that is to say: our senses) through specific stimuli. A good knowledge of both psychology and the functioning of our brain, allow with specific techniques to abuse our default reasoning, our views, etc. Met after the World War Two, these "MICE" (Money Ideology Constraint Ego) techniques or better known in French as "SANSOUCI" (Solitude Argent Nouveauté Sexe Orgueil Utilité Contrainte Idéologie) are used to obtain information through social engineering.  In regard to information security, Kerouanton presents through the so-called pyramid of needs (the Maslow's pyramid) how some government agencies but also the mafia, have used these techniques to target and compromise individuals. He describes in particular the impact of communication channels (visual, gestures, appearance, etc.) which could impact the result of the compromise.

• OpenVAS – Open Vulnerability Scanning

• Viatko Kosturjak presents the OpenVAS (Open Vulnerability Assessment System). This well-known tool is a network vulnerability scanner developed under the GPL licence. It was initially based on the so-called Nessus vulnerability scanner (now commercial). Its engine is based on a database of over 10,000 tests network vulnerabilities.

• Reverse engineering and encryption errors

Philippe Oechstin, the inventor of the so-called "Rainbow tables" (which can greatly accelerate the breaking of passwords by using pre-computed tables), explains that "FIPS140-3" biometric USB keys can be easily fooled because of an implementation flaw in its cryptographic components. He shows that the weaknesses which were introduced in the cryptographic functions are mainly due to development errors.

• HostileWRT – Abusing embedded hardware platforms for covert operations

Philippe Langlois and Nicolas Thill from the HostileWRT project, show how they have transformed wireless devices found in any computer shops, into autonomous Wifi access point, capable of being used for malicious purposes. Based on the well known OpenWRT or FONERA2 access points, this transformation can provide a platform for intrusive security audits (pentests). Using specially designed scripts, the developers were able to provide these "standard" Wifi access points, with a toolkit containing an impressive list of attack tools (aircrak-ng, etc ...), and despite the technical limitations of equipment (CPU, power, memory, etc.). The modified devices, coupled with other devices such as GPS, can also do IP address geolocation.

• Internet Explorer default weaknesses

In this presentation, Cesare Cerrudo shows that vulnerabilities related to "automatic” Internet Explorer (version 7 and above) behaviours, can induce serious shortcomings in Microsoft's browser. Cerrudo demonstrates that certain default behaviours of the browser, coupled with certain undocumented features of the browser, can be used to hide invisible screens which could graphically mimic specific system contexts (such as login screen, session popups, wallpapers etc.). It could be used to trick users to retype their password. The final demonstration simulated a Windows login screen within Internet Explorer with an invisible window (popup) without any status bar or title bar in full screen - a sort of "Desktop Phishing". An unwatchful user would not have noticed that the login screen was actually displayed by your browser.

• Memory forensic and incident response for live virtual machine

Quynh Nguyen Amh presents "Outspect", a "toolkit" that he developed to analyze real-time behaviours of malwares or network attacks in virtual environments.Recognizing that malware are now becoming smarter and that they are able to inhibit their malicious functions when they feel "observed", his project does not alter the integrity of the virtualized system. Completely transparent from the view of the virtualized guest environment, Outspect is based on two distinct tools.

The first one is called "XenDoor". It allows direct access to the "physical" memory of the hypervisor and the one of the guest environment. The second, called "EagleEye", allows to restructure the raw memory of the captured operating system into objects (memory, ports, handles, windows, connections, processes, etc..). These objects can then be manipulated for analysis by various forensic tools.

As a demonstration, an attack known to be stealth was made with the "Metasploit" framework between two virtual machines. The tool has clearly highlighted the attack, although it was using a DLL injection into memory processes with camouflage and "hook" redirections.

Note: Although "Outspect" is not yet available, the author intends to make it public soon.

• W3af

Andres Riancho presents his framework called "W3AF (Web Application and Audit Framework). It is dedicated to web applications pentesting. This framework is a set of tools which operate various software testing techniques on web applications, such as "fuzzing" or "spidering". W3AF is composed of several audit and vulnerability exploitation tools (XSS, XST, SQL injection, etc.). Its capabilities can be extended with many plugins. There are currently over 135 plugins (MITM attack, parser, editor request, fuzzer, etc.).

Link: http://w3af.sf.net

• All browsers MITM keylogging on remote

Matthew Lombard, a young security autodidact, presents a toolkit he has developed to test and hide web attacks such as XSS, CSRF, etc. Various techniques for encoding and processing (packers) allow circumventing protections such as the so-called SOP (Same Origin policy) mechanism. Lombard shows, thanks to a demonstration, various obfuscation techniques, including one based on a technique called "paradox of the compressor with no loss" which can hide malicious scripts (e.g., JavaScript) by compressing data flows encoded using "packers" and "base64", or to Unicode.

His work led him to develop a keylogger to capture keyboard inputs from the user's web browser. The tool allows the recording of any activity via a browser like Chrome or Firefox without the user noticing it. The information collected is stored in an SQL database that the attacker can then check afterward, or can be directly observed thanks to the "Google Earth" API.

• Unified Communications Security

This presentation made by Abhijeet Hatekar, deals with security related to unified communications such as those based on MOCS (Microsoft Office Communication Server). As a reminder, MOCS is a platform to unify several communication technologies such as IM (Instant Messaging), video conferencing, VoIP calls, electronic diaries, webcast, etc. Hatekar attempts to alert the user about the dangers and threats associated with such solutions. In particular, he points out the vulnerabilities related to hardware, those related to implementation flaws in protocol stacks, and especially those related to authentication and encryption flaws. The author points out the possibilities of "flooding" attacks against signaling mechanisms, fuzzing attacks, or malicious messages injecting, session hijacking, and identity theft during the registration phase.

He has made available the tool he developed by reverse engineering. Named "OAT" (OCS Too Assessment), this tool allows you to test “MOCS R1/R2” servers with various techniques such as; dictionary attacks, attack of the connected users, contacts stealing, instant messaging flooding, peeking in progress calls, denial of service, etc. Finally the author points out that the recommendations (Best Practice) made by Microsoft can significantly reduce the vulnerabilities of MOCS, if of course one have implemented them.

Link: http://voat.sourceforge.net/

• The Good, the Bad, and the Ugly of Crypto

David Hulton, from "Pico Computing”, presents the "Openciphers" project which purpose is to explore the ASIC (Application-Specific Integrated Circuit) components and FPGA (Field-Programmable Gate Array) circuit to exploit their cryptographic computational capabilities. It is commonly accepted that one of the main problems when cracking keys or passwords is that the cryptographic algorithms require large computational power but is also very time consuming.

Hulton highlights several case studies that he designed to break cryptographic keys of mobile phone. And he analyzes each of them according to the costs involved (hardware and software), power consumption, computing time and performances. He reviewed the pros and cons of various solutions such as those based on clusters of dedicated machines, those systems based on dedicated FPGA or those consisting of conventional PC with super-powerful graphics cards which calculation capacities can be exploited. Some low-cost solutions, including the ones of PCs with graphics cards can achieve very good results using graphics processors (GPU) configured via CUDA (Compute Unified Device Architecture) technology.

He finally concludes by explaining that the metric used by hackers to break cryptographic keys is not necessarily the same as the one used by the cryptographic algorithms designers. Therefore, clever hackers will target one particular solution that regular cryptograph might not have think of. Who would have thought a few years ago to use the GPU processor to break passwords?

Link: http://openciphers.sourceforge.net/oc/

• SS7

Philippe Langlois quickly presents the SS7 (Signalling System # 7) protocol, which is a signaling telecommunication protocol used in the mobile environment. He explains that hacking techniques derived from the old "bluebox" (an electronic device used to cheat on legacy telecommunication media), can also be used with the SS7 protocol. These techniques were used back in 2004 to cut off the communication of the eastern coast of the United States, by abusing the signaling protocol features. Apparently the protocol would allow many possible attacks, as suggested by the speaker; protocol signals injection, the IAM (Initial Address Message) stealing, GTT (Global Title Translation) scans, or SSN (Subsystem Numbers) scans of the SCCP (Signalling Connection Control Part) protocol.

• Mystification de la prise d'empreinte (OS Fingerprinting Defeating)

Guillaume Prigent (Diateam) presents the IPMorph project based on the “Security through Obscurity” principle. Already presented at the SSTIC 2009 conference, IpMorph is an Open-Source tool which aims at hiding the identity of one or more systems on a network (when it acts as a gateway) by altering the headers of IP flows exchanged between machines, so that remote fingerprinting tools can not identify which systems communicate. For example, it is possible to mystify the identity of a Windows XP system and make it appears as a Novell server. The tool is currently able to "fool" most of popular fingerprinting tools including Nmap, SinFP, p0f or Ring2, in order to slow the progression of potential remote attackers whose first objective is to map the network environment of its targeted systems.

Link: http://blog.hynesim.org/fr/ipmorph/

• Free Software in Ethics and in Practice

Richard Stallman presents his vision of the "future" and the reasons which have led him to the drafting the “Gnu Public License” (GPL). He gives explanation regarding the “urban beliefs” that Linus Torvalds is the creator of Linux, while he is "only" the initial kernel developer. At the same time, he recalls that one must not say a "Linux" system but "GNU Linux" system. Without going into details of the internal "war" that they are engaged in, these two popular computer icons and whose visions of computers and the free world obviously diverges, Richard Stallman finally passes on the objectives of GNU. Through numerous anecdotes and winks to our national motto "Liberté, Egalité, Fraternité", he recalls that free software has 4 fundamental freedoms, "1 - Freedom to run a software", "2 - Freedom to modify the source code "," 3 - Freedom to share the software with neighbours" and finally "4 - Freedom to redistribute the modified software.

After 2 long hours "preaching", he finally concluded that "free" does not mean free (moneywise), and that companies can legitimately get paid for modifications they make, but have also to redistribute the modified versions. Finally Stallman gave several examples of business solutions embedding backdoors such as "Amazon Kindle", a hardware solution paid for reading electronic books, which installed a backdoor to prevent the reading of certain books.

• Wireless Sensor Networking as an Asset and a Liability

More anecdotally, Travis Goodspeed is a "hacker" in the field of electronics. His main challenges are to link everything which is electronic to a USB port via a microcontroller which he knows by heart. Within 5 minutes he can weld and connect a mini robot arm to a computer that he can then operate.

• Audit and PHP application security

Philippe Gamache, the author of the book "PHP 5 & MySQL Security", presents his feedback in the audit process of PHP code, and how the lead for good results in terms of reliability and safety. He addresses both "black boxes" audits used in particular intrusive operation (pentest) and audits he calls "opencode in which the auditor has access to information such as source codes, technical documents, etc. For him, these two types of audits are complementary. Because they avoid at the end unnecessary costs and time spent to use patches, which themselves often lead to new vulnerabilities. He finally concludes that one major problem he identified when auditing web applications, comes from the weaknesses related to developers and especially the lack of security during their course of learning. Indeed beyond the computer prowess they are able to develop, many of them do not measure the full impact of vulnerabilities and threats related to their development. These people also do not always understand the need to audit their code.

Link: http://www.ph-il.ca/fr/

• Flash Remote Hacking

Jon Rose from Trustware, explains how to use different Adobe Flex servers. Although few applications currently exist, the Flex Data Services can be easily exploited via programs specifically written in the Flash language and allow to bypass restrictions access such as those implemented by "crossdomain” services; the equivalent of the same-origin policy. Using special tools he discusses, it is possible to access certain services simply by "brute forcing" "Flex Data Services”. It then becomes possible to decompile the code and discover the used methods. Another technique is to recover SWF files, and extract their content with tools such as "swfdump, then find the vulnerable functions.

Conlusion

Without any pretension, FRHACK wanted to follow its peers (BlackHat, DefCon, etc.), with an equally technical skills, bringing speakers from around the world. This contract is fulfilled if we consider the technical quality of the presentations and despite the absence of personality such as Joanna Rutkowska. However, it is a pity that some topics where a little out of scope regarding security such as the ones about "lock picking" or "hackerspaces" (not presented in this report), which added no value to the conference.

Finally, the choice of the geographical location of the event (Besancon) probably induced a disinterest regarding the conference. Then, the conference ended on a note of uncertainty. It is quite unclear whether there will be a second edition.