JSSI 2013 conference overview

The 12th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), held in Paris on March 19th, 2013. Like previous years, a hundred attendees were present at this conference. We made in this article a report of the various presentations. The full agenda and the presentation materials are available on the conference website.

This year, the conference theme was « Method and tools for security audit ». Topics presented were rather technical: except for one presentation and the round table which addressed organizational and legal issues, the 6 other presentations were related to feedbacks, audit methodologies and aspects related to security watch.

 

Feedbacks on security audit campaigns (by C2S)

This presentation is a feedback on security audits performed by C2S (entity in charge of security within Bouygues). Those audits, that may be either organizational, or technical, can be initiated by Bouygues SA, performed for one of the many organizations belonging to this group, or outside the group.

Those audits enabled to highlight the Top 10 of the most often observed vulnerabilities (Wall of Shame):

1. Trivial/default passwords
2. Application/software components not up to date
3. SQL injections
4. XSS/CSRF
5. Installation/configuration not secured or strengthened
6. Protocols and flows not encrypted
7. Insecure management of user sessions
8. Insecure passwords storage
9. Multifunction printers containing all the secrets of the company
10. Post-it in inexpected locations

We notice that the vulnerabilities have been the same for 10, 15 or even 20 years. Regarding SCADA audits, more and more in demand, vulnerabilities observed are completely compatible with this Wall of Shame.

Good practices are thus the following ones:

• Include security all along the project lifecycle
• Define and set up password policies
• Secure source codes
• Use Web Application Firewalls (WAF)
• Also take into account the threats coming from inside
• Perform systematic and recurrent penetration tests

As a conclusion, the speaker insists on the fact that security is not only a technical issue. It is indeed required to define organizations and methods to face the risks, educate users and plan internal training for architects and developers.

 

Feedback of penetration tests on a Windows domain (by Solucom and COGICEO)

This intervention presents methods of penetration tests on a Windows domain and aims at sharing feedbacks. The scenario used is the one of a consultant in a meeting room, with a network access. The goal is to go through the most known vulnerabilities to access systems, obtain credentials, up to the ones of the domain administrator.

The speakers remind that several methods exist to get passwords (schedulers, web browsers…), to retrieve passwords (hash), or even to skip passwords (NTLM authentication). The results obtained show that 85% of passwords are obtained, 96% of domains are compromised in less than a week, 100% of companies have at least one trivial password, more than half of the domains are compromised in less than two days and a third of networks have out of date systems. For the speakers, this confirms that Windows domains security is a failure.

It only remains to find striking data to better raise awareness: business data, human resource syndicate data, e-mails, personal data (billing, health), etc…

 

Social engineering: legal and organizational aspects (by HSC)

This intervention presents the legal and organizational aspects of social engineering services, performed by HSC. First of all, they tried to know if it was legal to do social engineering, mostly by studying the laws related to spoofing, information stealing, fraud and unfair collection. They arrived to the conclusion that there was no major issue to perform this kind of service. The announced objective is to measure the user awareness level, but also the data leak exposition level (number of fallible users, criticality of the obtained information).

In practice, the auditors try to exploit the credulity of targets and gain their confidence, in order to obtain crucial information (passwords, network architecture, personal data…). Speakers then detailed the building of a phishing scenario, taking into account the context (the news, the business of the company, the target profiles, the employment market) and trying to identify the factor that may trigger the click…). The realization of this scenario ends up by the construction of the web site, the sending of e-mails and the choice of the online duration.

The conclusion of these works is that education gives a mixed result: it must be targeted, periodical and accompanied by technical measures.

 

Labeling of security audit providers (round table)

This round table was dedicated to the labeling of some critical services:

• Penetration testing
• Architecture audit
• Configuration audit
• Source code audit
• Organizational and physical audit

Unlike what is made for people (certification process), this labeling affects companies and aims at ensuring confidence in the audit service (strong demand from Ministries).

 

Reverse engineering on iOS and Android (by Quarkslab)

This presentation constitutes a summary of the Reverse Engineering works on iOS and Android, performed by Sébastien KACZMAREK from Quarkslab. After a reminder of the technologies used on iOS and Android and on the application formats, the speaker then addressed the development process on those two systems and described the various tools enabling to debug the applications written on iOS and Android.

 

Semi-automated approach for configuration audits (by AMOSSYS)

This intervention presents an approach proposed by AMOSSYS to perform configuration audits. This kind of audit requires the acquisition of an image of a server and impacts several levels (system, network and applicative). The data that must be extracted can be static (operating system version, hardware configuration, network configuration, users and groups) or dynamic (listening processes, scheduled processes), and can above all become voluminous.

Possible approaches are the following ones: manual, automated, semi-automated. It is this last solution that was chosen by AMOSSYS. They thus developed a framework enabling to help the auditor’s job, made up of a core (focused on the operating system) and plugins (allowing to handle applications).

 

Advanced watch on Linux kernel (by LEXFO)

This presentation provides the results of the works performed by Etienne Comet from LEXFO, around the vulnerabilities affecting the Linux kernel, the aim of which is to obtain privileges. For the speaker, there is nowadays a shortage of public exploits, with on the other hand a lot of information, but poorly detailed, and many bugs, but either silently fixed or useless.

The conclusions of the speaker’s study around CVE is that there are finally relatively few flaws related to the Linux kernel, that many of these CVE are useless (e.g. when the impacted configuration is too exotic or if it is an old bug) and that these vulnerabilities are quickly fixed (CVE is well tracked by the editors that fix these flaws rather rapidly). It is then necessary to consider other sources like developers’ mailing lists, RedHat’s Bugtracker (bugzilla) or the Linux kernel GIT (commit).

In particular, the GIT repository forms a wealth of information that it is mandatory to sort out. A tool has therefore been created (GitzOr) enabling to analyze, on an ongoing basis, the kernel commits, searching for interesting patterns. Once a bug is identified, it must be seen if it is exploitable and, to do this, find its location in the sources, find an access path to the vulnerable function, create an exploitation program, and code the exploit.

 

WAF: dog competition (by Synacktiv)

This intervention presents the results of the tests performed by Synacktiv on SaaS-based Web Application Firewalls. Two architectures are possible, either by addition of code within the web application, or by modifying the DNS entry. Risks involved are the exposition of the management interface on the Internet and bypassing the filtering rules. Regarding the WAF running by DNS modification, the web server is moreover always exposed on the Internet and it is possible to bypass the WAF if its true IP address is discovered. Regarding the WAF running by code insertion, another risk to cope with, is the insertion of out of hand code.

The WAF chosen are XyberShield, CloudFlare and Incapsula. The first one, very put forward by the editor, operates by code insertion. The results are very disappointing (classical obfuscation techniques not detected, detailed information transmitted to the attacker and emission of data to the Cloud with a poor encryption). With CloudFlare’s solution, the analysis was even briefer as they did not succeed in making it respond. Incapsula (which operates by DNS redirection) is therefore the one that comes out best: it uses a filtering system with well-built blacklists, but present however some loopholes.

The conclusion on these WAF is that they are easy to deploy, but that they only offer a limited protection and above all present a globally poor quality level, if not shocking.

 

Conclusion

This12th edition of the JSSI permitted to cover various topics, both technicals, legals, practicals and organizationals. Many feedbacks regarding audits give a good idea of the evolution of techniques and issues in this area: increasing of demands for SCADA audits, necessity to develop tools to assist the audit, strong demand of some Ministries for a labeling of security audit providers and monitoring techniques evolution. In spite of this, 10 or 20-year old vulnerabilities are still valid and some issues seem to perpetuate, in particular users’ awareness issues, password robustness or Windows domain security. This day also permitted to caution against some security solutions held up as miracles, such as Web Application Firewalls.