JSSI 2010 conference report

Date: April 08, 2010
The ninth JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by the OSSIR (Observatoire de la Sécurité des Systèmes d'Information), took place on March 16th in Paris. About a hundred attendees were present. This year's theme was "Attack/Defense: score 2.0". Beyond this seemingly final score, the day set out to show the opposite and covered many subjects.

Note: This report does not go into the technical details of the presentations. It sets out the main ideas as noted by Cert-IST.

Just a printer? - Thibault Koechlin, Jean Baron (NBS System)

This first presentation deals with the security of MFP (Multifunction Peripheral) or MFD (Multiple Function Device) equipment. Behind these acronyms hide devices such as printers, fax machines, photocopiers, IP cameras and PABXs. All of them share common characteristics: a network interface and an advanced operating system (often Linux). Above all, they run well-known network services (Web, FTP, TFTP, etc.).

Sitting at the heart of corporate networks, they rarely attract attention and are therefore seldom updated (when they allow it at all). De facto, they become potential targets.

Through three attack approaches (software, firmware and hardware), the speakers present their research on exploiting the vulnerabilities inherent in this equipment. The first approach aims at corrupting the services exposed by a printer (overflows, brute forcing, XSS, etc.). The second aims at modifying the firmware embedded in the target device. The last tries to interface with the equipment at the hardware level in order to communicate with the device (serial port, addition of bridging hardware, etc.).

The conclusion of these approaches is without appeal. Through various attack techniques, ranging from « social engineering » that misleads users into using a fake peripheral, to the exploitation of an XSS vulnerability, to attacks on firmware, these devices do not resist for very long.


Mac OS X memory - Matthieu Suiche (MoonSols)

Matthieu Suiche, author of the well-known Windows memory acquisition tool « WinDD », presents his research on the physical memory of Mac OS X 10.5 and 10.6 systems. By relying on the hibernation functions, it is possible to recover the state of a system at the time hibernation was activated. With suitable tools and advanced techniques (debug functions, symbol tables), the address space of the operating system can be rebuilt in order to reach various strategic kernel elements (handles, threads, data structures, lists, etc.). This type of information can be essential for forensic analysis or for studying the behaviour of malware.

Note: The tools presented are still under development and are not yet available.


Legal aspects of scanning and intrusive testing - Yoann Garot (Itrust)

Yoann Garot's presentation deals with the legal aspects of « scanning » activities, which are frequently used in intrusive audits (pentesting). The word covers several types of “scanning”: port scanning, which identifies the topology of networks, and vulnerability scanning, which detects potential flaws in equipment.

The speaker points out that few computer security consultancies, and few customers of such services, feel concerned by the legal aspects of this type of service.

After a brief reminder on computer fraud and the Godfrain law of 1988, and a short history of French legislation, one notes that the “computer science” terminology, and more generally what is assimilated to it, struggles to find its place in French law. Its interpretation depends on the context in which it is used: general legislation or common law (media used, means of communication, dissemination, etc.), specific laws (electronic signature, copyright, personal data protection, etc.) or offences (P2P, counterfeiting, etc.).

In the end, the picture remains fuzzy. Whether the scanning activity takes place within a professional contract agreed between a customer and a contractor, or is an act of hacking, one notes that it is generally poorly covered in legal terms. The decision will therefore belong to the judge, who will assess the « quality » of the act of scanning and the agreements made between the parties prior to its execution.

Being prepared for a legal response to computer attacks - Eric Freyssinet (DGGN)

Following on from the presentation on legal aspects, Eric Freyssinet draws an international panorama of the financial losses caused by computer attacks. Over 2008-2009, although the average loss per victim fell, malicious acts as a whole keep on growing (increase in financial fraud, in malware propagation, etc.).

Beyond the usual cliché about young “cyber-delinquents”, he recalls that these young criminals have a phenomenal ability to improve their skills and to adapt to new technologies, which should be contained and controlled. The lack of complaints (needed to fight this computer delinquency) tends to let them believe they can do anything with impunity. Moreover, this tends to trivialize their acts and to establish the feeling that what they do is not wrong.

In order to prepare for and anticipate acts of hacking, computer fraud or attacks on company computer systems, several laws or draft laws aim at allowing better notification of incidents: the «Telecom Package voted in November 2009», the «Détraigne-Escoffier law proposal discussed at the Senate last March», etc.

Finally, he concluded by pointing out the importance of evidence. Its collection and retention are essential. The more the evidence is valued and integrated into processes of trust and neutrality, the better its chance of being admissible before a judge in court. But this should not be improvised.


French SMEs against the Russian mafia and Chinese hackers - feedback - Nicolas Ruff (EADS IW)

Behind a teasing title, one expects a presentation worthy of a spy novel. Nicolas Ruff takes the audience the opposite way by describing his troubles in his wife's SME (Small and Medium Enterprise), for which he works in his spare time as system administrator and security engineer.

Beyond this amusing wink, he reports on the difficulties such small structures encounter in the realm of computer security. Using anecdotes, he shows that it is difficult for such companies to deal with cyber-attacks against information systems, a subject which unfortunately only speaks to purists. It is hard to explain what an SQL injection is, or the dangers of inserting an unknown USB stick, to people who will have forgotten about it the next day while browsing the Internet without precaution. He recalls that it is difficult to train users and, more generally, to inform them about the dangers associated with information technology.

In conclusion, he says that best practices remain necessary: a user does not need to be an administrator; if the system allows it, it is wise to log what needs to be logged; enable DEP on Windows systems where available; etc.


Whitepaper on logs - Eric Barbry (Cabinet Bensoussan), Christophe Labourdette (CNRS / ENS-CACHAN)

This presentation deals with the results of the working group led by Christophe Labourdette and Eric Barbry within OSSIR, whose aim was to draft a whitepaper on logs. The speakers briefly return to the difficulties the working group faced, especially in reconciling the vocabulary of computer scientists with that of lawyers: « logs » and « traces » on one hand for computer scientists, « identification data » or « log archiving » on the other hand for lawyers (CPCE, LCEN, CNIL).

In addition, the working group quickly ran into a problem of scope: «no dedicated laws», «no commonly accepted definitions», «approaching terms» and «a lack of consistency». Despite these problems, however, regulatory requirements and legal obligations exist for everyone: telecom providers, Internet service providers, banks, actors in sensitive sectors, etc.

After two years of work, this paper reminds enterprises of the need to log, and to integrate log management and log retention into clear processes, in order to support the enterprise security policy.


Webshells - Renaud Dubourguais (HSC)

Renaud Dubourguais' presentation concerns the exploitation of application backdoors (aka webshells) dropped onto vulnerable web applications or web servers. He addresses the technical operation of chained exploitation of multiple vulnerabilities that allows the upload of such programs, bypassing the network security measures supposed to protect the targeted server (firewall rules, authentication, etc.).

He describes the many features offered by webshells and accessible remotely. Among others: remote control, execution of administrative commands, spam relaying, database access, protocol encapsulation such as HTTP tunnelling, etc.

A demonstration shows the compromise of a JBoss server located in a DMZ, the bypass of firewall protections and the upload of the webshell. The webshell then offers a full-featured arsenal that lets an attacker gather information on the compromised environment, browse the neighbourhood of the compromised system, and redirect flows through an approved protocol (HTTP in this case). Finally, he shows that he can take control of the target server from the outside (e.g. the Internet) through a terminal session encapsulated in an HTTP tunnel relayed by the webshell. He concluded with some recommendations to prevent attacks by this kind of tool (PHP Safe Mode, Java security manager, restrictions/permissions, sandboxing, etc.).
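Because the demonstration relies on a script dropped onto the server and then driven over ordinary HTTP, the web server's own access log is one place a defender can look. The following Python script is an added example, not code from the talk or from HSC: it parses constructed combined-format log lines and flags script paths absent from a deployment inventory, plus client/script pairs with a burst of POSTs consistent with an HTTP-tunnelled session. The inventory, paths and threshold are assumed values.

```python
import re
from collections import Counter
# Combined log format: host ident authuser [date] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Server-side script extensions; a successful hit on one that is not in the
# deployment inventory may be a dropped webshell.
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".asp", ".aspx")
# POSTs from one client to one script before we call it a tunnelled session.
TUNNEL_THRESHOLD = 20

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, known_scripts):
    """Return (new_scripts, tunnels): unknown scripts served with 2xx, and
    (ip, path) pairs whose POST count reaches TUNNEL_THRESHOLD."""
    new_scripts, posts = set(), Counter()
    for line in lines:
        rec = parse(line)
        if not rec or not rec["status"].startswith("2"):
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        if path not in known_scripts:
            new_scripts.add(path)
        if rec["method"] == "POST":
            posts[(rec["ip"], path)] += 1
    tunnels = sorted(k for k, n in posts.items() if n >= TUNNEL_THRESHOLD)
    return sorted(new_scripts), tunnels

# Constructed sample (not real traffic): normal use of two inventoried pages,
# then an uninventoried .jsp fetched once and driven by a burst of POSTs.
KNOWN = {"/app/index.jsp", "/app/login.jsp"}
SAMPLE = [
    '10.0.0.5 - - [16/Mar/2010:10:00:01 +0100] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Mar/2010:10:00:02 +0100] "POST /app/login.jsp HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Mar/2010:10:05:00 +0100] "GET /app/images/cmd.jsp HTTP/1.1" 200 2048',
] + [
    f'198.51.100.7 - - [16/Mar/2010:10:05:{s:02d} +0100] "POST /app/images/cmd.jsp HTTP/1.1" 200 1400'
    for s in range(1, 31)
]

if __name__ == "__main__":
    print(detect(SAMPLE, KNOWN))
```

Both heuristics are noisy on their own (legitimate deployments add scripts, and AJAX-heavy pages POST often), so they are meant as triage input to compare against the deployment inventory rather than as a verdict.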


OWASP ASVS: a toolbox to improve Web application security - Sébastien Gioria (OWASP)

This presentation has been canceled.

Note: The slides of the presentations are not yet available. They will be available later on the official OSSIR web site.