Toulouse Hacking Convention Conference

Date : March 07, 2019

On March 8th, the Cert-IST attended the Toulouse Hacking Convention. We highlight below the speeches that most interested us:

1st Conference: Jean-Marc Bourguignon (Nothing2Hide) and Etienne Maynier (The Citizen Lab): Infosec on the ground: butt naked Journalists & topless NGOs.

One of the speakers (NGO Nothing2Hide) presents how his NGO helps to raise awareness on digital security for NGOs, journalists, hacktivists... in various countries.

His NGO helps in particular to set up bypass techniques against the measures set up by "repressive" State government to block Internet accesses as it was the case of Tunisia, for example, during the Arab springs. Another mission of the NGO is to explain the basics of IT security, and to provide the necessary tools (VPN, TOR...) for people working in conflictual countries and difficult environments, to protect themselves and their information.  Indeed, the speaker explained that journalists are often gathered and confined to "journalists' hotels" where it is easy to eavesdrop their communications and where NGOs are heavily monitored.

The second speaker (The Citizen Lab) describes the threats against civil society groups (NGOs) and the political context that can motivate them. The organization has highlighted several cyber-espionage campaigns targeting various persecuted communities around the world. The speaker focuses here on the evolution of threats, particularly in Tibet, where he describes spear-phishing attacks whose attachments exploit old vulnerabilities unlike advanced APT attacks exploiting 0days. The organization tracked an attack campaign for several months and recommended that users stop to directly open attachments and preferably use online services such as Google Drive. Of course this is not an absolute protection: it will just work until the attacker adapt and use online services to trap users again.

 

2nd Conference: Marion Lafon (CEA): Trap your keyboard 101.

The speaker introduce her degree study project internship: implement a remote attack against a USB keyboard to add it a keylogger feature for malicious purposes.

She stated that today's keyboards are programmable, have large memory spaces and an increasingly high computing power. She therefore recommands to take into account these new devices in IT security policies.

The speaker's objective was to record and later replay a targeted password keystroke. But the constraints were to not modify the keyboard hardware and to perform the attack through USB (instead of opening the keyboard). That way, it shoud be theorical possible to perform the attack remotely.

To develop this keylogger, the speaker analyzed and modified the microcontroller firmware of the keyboard by reverse engineering. This was possible because the firmware is unencrypted. The firmware reversing has been done with MIASM which allows to emulate the functions and get input and output values. After understanding how memory addressing works and the different firmware functions, she was able to modify the firmware to change the colour of a key's backlight, and to add a keylogger feature which starts when a key combination is pressed, and finally replay the keystroke captures as soon as a second key combination is pressed.

The speaker gave a live demonstration of how its keylogger works and also a video showing that if the keyboard is trapped with the keylogger and connected to a computer, this one is able to record the Windows session password, and when the session is locked, it is possible to replay the typed keys by performing a specific key combination to unlock the session thus allowing to take control of the computer.

 

4th Conference: Christophe Broca (SNAM): CertStreamMonitor: Threat Detection & Certificate Transparency, 9 month later.

The speaker presents the risks covered and the advantages of Certificate Transparency technology. To understand the purpose of Certificate Transparency, the speaker presents a certificate from 2011, where an attacker compromised the DigiNotar certification authority to issue a wildcard certificate for Google. This certificate has been then used by unknown atatckers in Iran to carry out a man-in-the-middle attack against Google's services. To prevent this type of incident, certification authorities are now required to publish root and intermediate public signed certificates on public log servers. These log servers have specific characteristics (append-only), are cryptographically signed and accessible by anyone.

The objective is to facilitate the detection of malicious or invalid certificates by setting up log servers freely readable that keep a trace of all the certificates issued by the certificate authorities trusted by the web browsers. This helps protecting the domain names.

In order to understand how Certificate Transparency works the speaker presented the diagram of how this technology works. The French National Cybersecurity Agency (ANSSI) released a document on Certificate Transparency, which is available here.

Note: Currently Mozilla still has problems with the Certificate Transparency implementation in its Firefox browser.

To conclude his presentation the speaker explains how they set up the monitoring of the certificates for their legitimate domain names using Cert Spotter (sslmate). If a certificate for one of their domains is issued but was not initiated by an internal teams, then an alert is raised and this triggers a security incident. The speaker also presents an Open Source tool they developed and dubbed  CertStreamMonitor for monitoring nearby domain names in real time.

Note: The DHS released in January 2019 a recommandation to raise the monitoring of Certificate Transparency logs as a best practice.

 

If you are interested in others presentations (listed below), they are available on Youtube at this address.

  • Stéphane Duverger & Anaïs Gantet: GUSTAVE: Fuzzing OS kernels like simple applications
  • Julien Lenoir & Benoît Camredon: Deep Dive into an ICS Firewall, Looking for the Fire Hole
  • Pierre Schweitzer & Johanna Harpon: Feedback on end-user web connections cleaning through proxy with TLS bump
  • Vincent Nicomette: Vulnerability analysis of ADSL Boxes and Smart TVs
Previous Previous Next Next Print Print