JSSI 2014 conference report

Date: March 06, 2014

The 13th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), was held in Paris on March 17th, 2014. As in previous years, around a hundred attendees were present. This article reports on the various presentations. The full agenda and the presentation materials are available on the conference website.

This year, the conference theme was « Is it still possible to protect yourself? », and the talks were almost all technical.


Advanced Protection Techniques or how to use APT against APT (Intrinsec)

The speakers first give some very telling figures taken from a study published by Mandiant:

  • 63% of intrusions are detected by third parties (not by the victim itself).
  • 243 days elapse on average before a successful compromise is discovered.

This shows that improving security monitoring inside the company, so that attacks are detected as early as possible, should be a priority. The speakers present two examples of such monitoring:

  • Use a SIEM and event correlation to detect a web attack.
  • Use "HoneyFiles" to detect malware (such as CryptoLocker) that encrypts files on a workstation.


SIEM and event correlation:

In this first scenario, the speakers show that a web attack triggers a series of events that a SIEM can easily observe:

  • Reconnaissance: the vulnerability scan launched by the attacker triggers a large number of security alerts.
  • Compromise: the attacker drops a web shell on the web server and uses it. Repeated access to this unusual page generates an alert (because it is atypical behaviour).
  • Exfiltration: when the attacker dumps the website's database, the resulting high CPU activity generates an alert.

If the SIEM can correlate these events (assuming it knows the attack scenario), it will recognize the sequence of alerts and thus reliably detect the ongoing attack.
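A toy correlation rule for this three-stage scenario, written in Python as an added example (it is not Intrinsec's code); the log format, thresholds and sample events are constructed for the illustration:

```python
from collections import defaultdict

# Constructed sample log, one event per line: "<time> <source> <kind> <detail>":
# a scanner burst, repeated hits on an unknown page, then a CPU spike on web01.
SAMPLE_LOG = """\
100 10.0.0.5 ids scan_alert
101 10.0.0.5 ids scan_alert
102 10.0.0.5 ids scan_alert
103 10.0.0.5 ids scan_alert
300 10.0.0.5 web /uploads/cmd.php
301 10.0.0.5 web /uploads/cmd.php
302 10.0.0.5 web /uploads/cmd.php
303 10.0.0.7 web /index.php
400 web01 host cpu=97
"""
# Pages the site is known to serve; anything else counts as unusual.
BASELINE_PAGES = {"/index.php", "/login.php", "/products.php"}

def parse(log):
    events = []
    for line in log.splitlines():
        t, src, kind, detail = line.split(maxsplit=3)
        events.append((int(t), src, kind, detail))
    return events

def correlate(events, baseline=BASELINE_PAGES, scan_min=4, shell_min=3, cpu_min=90):
    """Map each suspicious source to the stages reached: recon (scan burst),
    compromise (repeated unusual-page hits), exfiltration (CPU spike afterwards)."""
    scans, odd_hits, first_odd, cpu_spikes = defaultdict(int), defaultdict(int), {}, []
    for t, src, kind, detail in sorted(events):
        if kind == "ids" and detail == "scan_alert":
            scans[src] += 1
        elif kind == "web" and detail not in baseline:
            odd_hits[src] += 1
            first_odd.setdefault(src, t)  # when the unusual page was first hit
        elif kind == "host" and detail.startswith("cpu="):
            cpu_spikes.append((t, int(detail[4:])))
    result = {}
    for src in set(scans) | set(odd_hits):
        stages = []
        if scans[src] >= scan_min:
            stages.append("recon")
        if odd_hits[src] >= shell_min:
            stages.append("compromise")
            # only a CPU spike after the web-shell activity counts as exfiltration
            if any(t >= first_odd[src] and load >= cpu_min for t, load in cpu_spikes):
                stages.append("exfiltration")
        if stages:
            result[src] = stages
    return result
```

The source 10.0.0.7 never appears in the result because it only requested a baseline page.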

HoneyFile:

The speakers have developed a prototype that detects Windows processes which browse the workstation disk and alter the files they find. The principle is to place a set of decoy files (the "honeyfiles") on disk and to monitor processes that attempt to modify them. This method, however, is very specific to one type of threat, and requires deploying the monitoring agent on all workstations in the company (or at strategic places, such as file servers).
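A minimal honeyfile check in Python, added here as an illustration and not the speakers' prototype: it plants decoy files, records their hashes, and reports which decoys were rewritten or removed. The decoy names and content are constructed, and unlike the prototype it only inspects file state, not the process that touched it.

```python
import hashlib
import os
import tempfile

# Constructed decoy names chosen to look attractive to file-encrypting malware
DECOY_NAMES = ["Invoice_2013.docx", "passwords.xlsx", "Q4_budget.pdf"]

def digest(path):
    """SHA-256 of a file's content."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def plant_decoys(root, names=DECOY_NAMES):
    """Write the decoy files and return {path: sha256} as the baseline to watch."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"HONEYFILE - decoy content, no legitimate process edits this\n")
        baseline[path] = digest(path)
    return baseline

def check_decoys(baseline):
    """Return {path: 'modified' | 'missing'} for every decoy that no longer
    matches the baseline; an empty dict means no decoy was touched."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif digest(path) != expected:
            findings[path] = "modified"
    return findings

def demo():
    """Plant decoys in a temp dir, simulate a CryptoLocker-style rewrite of one
    decoy and deletion of another, and return what the check reports."""
    root = tempfile.mkdtemp()
    baseline = plant_decoys(root)
    if check_decoys(baseline):
        raise RuntimeError("fresh decoys must match their baseline")
    with open(os.path.join(root, "passwords.xlsx"), "wb") as f:
        f.write(os.urandom(64))  # stands in for the encrypted version of the file
    os.remove(os.path.join(root, "Q4_budget.pdf"))
    return {os.path.basename(p): v for p, v in check_decoys(baseline).items()}

if __name__ == "__main__":
    print(demo())
```

In a deployment the check would run periodically (or on a filesystem change notification) and raise an alert as soon as any finding appears.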

The two examples above look interesting but seem difficult to generalize. While, as the speakers say in their conclusion, priority should be given to improving detection and response procedures, putting this into practice is not trivial...


Securing TLS: Is it possible? (HSC)

This presentation takes a close look at SSL/TLS security and shows how difficult it is to implement safely. Beyond the vulnerabilities discovered, such as the recent Apple "GotoFail" (CVE-2014-1266) and GnuTLS "Bool is not Int" (CVE-2014-0092) bugs, or the Snowden revelations about the NSA (theft of private keys, MITM attacks, etc.), the speaker shows that a proper implementation relies on a sequence of steps, from algorithm design to final deployment in an operational context, and that each step has its pitfalls. Security is in fact pretty good at the start (the algorithms are safe as designed), but it degrades step by step. For example, the "integration into applications" phase is often catastrophic because programmers lack good APIs. At the final step, operational deployment, one also has to deal with the fact that some certificate authorities (such as DigiNotar and Comodo) have proved totally unreliable.

The speaker strongly recommends disabling SSL v2 (and earlier) and continuing the effort to migrate to TLS 1.2 (while TLS 1.3 is in preparation). He also advises those interested in the topic to read issues #71 (for a description of the attacks) and #72 (for advice on server configuration) of the (French) MISC magazine.


Is it possible to secure a Windows Domain? (Solucom)

In answer to the title of their presentation, the speakers replied: "No, it is not possible to secure a Windows Domain." The main issue is that if an administrator logs on to a workstation that has been compromised by an attacker, the attacker will be able to steal the administrator's credentials (using a tool like Mimikatz) and reuse them. Because of that, companies must adopt measures that limit the impact of the compromise of an admin account:

  • Segment networks to limit the scope of a compromise.
  • Segment administrator accounts (creating N accounts rather than concentrating all privileges on a single account), e.g. separate domain administrators, file server administrators, administrators for "Zone A users", etc.
  • Do not use the same local administrator password on all computers.
  • Provide two separate workstations for each administrator: one for their regular activities and the other for administration tasks. If this is not possible, set up a "bastion" server: administrators cannot administer machines directly from their workstation; they must first connect to the bastion machine, which then gives them the privileges required to connect to the machine they have to administer. The connection to the bastion machine can be strengthened with specific authentication schemes (e.g. secure authentication tokens), while the regular Windows authentication scheme is kept on all other computers.

Privileged account management is nowadays a key element of Windows Domain security.


How can IT deal with international laws? (Bensoussan Avocats lawyer)

The speaker (a lawyer) examines whether it is possible for a company to protect itself from legal action worldwide. He first indicates that seeking worldwide legal compliance is probably not possible, and also useless. He consequently recommends working first at the national level (to comply with national laws) and gradually extending to other countries with the help of a local legal expert (international laws are too complex to be mastered by a foreigner). Globally, all countries agree on the general principles (for example on what constitutes an intrusion), but there are large divergences on:

  • Some technological domains. For example, laws on cryptography, biometrics or the legal validity of digital signatures are very different from one country to another.
  • Some basic principles. For example, which takes precedence among government, company and individual is not the same in all countries.


Tools and techniques for targeted attacks (Synacktiv)

In this presentation, the speaker reports on the "Red Team" audits he performed for his clients. In this kind of audit, the objective is to penetrate the company by all possible means (a commando-like mission). The mission can take several months, and the techniques used (and the lessons learned) are:

  • Attack with booby-trapped email. In this area it is illusory to think that training users to detect malicious mail is the solution. Indeed, for some parts of the company, opening mail from outside is an obligation (e.g. HR, sales and marketing, etc.) and the attack cannot be prevented. He therefore advises working instead on hardening workstations to better resist attacks, for example by deploying an application white-listing solution.
  • Attack via social engineering. The goal here is to obtain an account or a password by phoning company employees. The prime targets are assistants (who have many contacts), new employees (easier to manipulate) and the Help Desk (whose job is to help in case of password problems). For the speaker, the best defence here is awareness.
  • Physical intrusion into company premises. The goal here is to connect a mini PC to the internal corporate network (typically a SheevaPlug: a computer as small as a large electrical outlet). He explained that it is difficult to counter this type of attack, because few people dare to challenge someone who walks forward resolutely.


Implementation and Implications of a Stealth Hard-Drive Backdoor (Eurecom)

The speaker introduces a project carried out at Eurecom (a research centre and engineering school) which aimed to modify the firmware of a hard disk in order to place a backdoor in it. The task was difficult (probably because the chosen brand of hard drive uses complex firmware), but the project succeeded in developing a prototype (described in this publication). Similar research has also been published by other researchers (see this article by SpritesMods), and it was revealed in late 2013 that the NSA has had this type of backdoor since 2008 (the one called IrateMonk in the NSA ANT catalog).

Physical compromise is a real risk and is very difficult to detect. The speaker therefore recommends working on tools to detect this type of attack.

Note: during the Q&A, he said that this kind of compromise does not work on RAID-5 arrays: if one of the 3 disks is corrupted by a backdoor, it will be detected as faulty by the RAID system.


The radio environment is more and more difficult to protect (Oppida)

This presentation shows that it is possible, with very cheap equipment, to observe unprotected radio signals and decode them. A USB DVB TV dongle costing 20 euros and SDR (Software Defined Radio) software such as GNU Radio can be used, for example, to geo-locate aircraft or to locate mobile phone users (since many GSM implementations leak the IMSI assigned to each mobile subscriber).


Security: from a constraint to a business leverage. Lessons learnt from experience (Orange)

This presentation uses the image of a medieval castle to show the mistakes that can be made on security during a project. It shows how security should be integrated throughout the product development cycle.


Conclusions

The JSSI conference has a special place in the French security conference landscape. It is not as technical as others (such as SSTIC) and not commercial or strategic (such as FIC or "Les Assises"). It talks technique but focuses on concrete subjects that enterprises may have to face. The experience reports presented there are always very interesting.

