Report on the security conference INSA-2017

Date : February 07, 2017

The French engineering school INSA and the LAAS-CNRS research institute organized the fourth edition of a one-day security conference in Toulouse on January 25, 2015. The agenda is available here; it covers various topics, from computer security awareness for less technical people to software and industrial security and new digital payment solutions for the more technical audience. Below we summarize some of the talks of this day.

A morphological approach to detect code similarities and to analyse x86 binaries

By Jean-Yves Marion (Professor at the University of Lorraine)

The problem is: how to know whether a piece of code is malicious or not? The answer to this question cannot be found quickly. Several solutions exist, one of which is code analysis by disassembly. But disassembling binary code is long and difficult, and is reserved for experts. Additionally, malicious code writers use code obfuscation techniques, such as packers, to mask the payload and to protect themselves from reverse engineering. The speaker proposes a method of identifying malicious code by a morphological study, that is, by identifying the shape of the malicious software. This study is based on the analysis of control flow graphs, together with graph rewriting rules that normalize these graphs and give them a sufficient level of abstraction. The graph produced by the analysis makes it possible to recognize the code and thus to answer the initial question.
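As an added illustration of the normalisation idea summarised above (this is example code written for this report, not the speaker's tool; the node kinds, the two rewriting rules and the Weisfeiler-Lehman style fingerprint are simplified assumptions), the following compares a small control flow graph with a variant whose basic blocks were split and padded with unconditional jumps:

```python
# A CFG is a dict  node -> (kind, successors)  with kinds "inst", "jmp", "jcc", "ret".
# Rewriting rules normalise the graph; a shape fingerprint then compares variants.

def normalize(cfg):
    """Apply two rewriting rules until no rule fires; returns a new CFG."""
    g = {n: (k, list(s)) for n, (k, s) in cfg.items()}
    while True:
        preds = {n: [] for n in g}
        for n, (_, succs) in g.items():
            for s in succs:
                preds[s].append(n)
        for n, (kind, succs) in list(g.items()):
            # Rule 1: bypass an unconditional jump (not a self-loop, not the entry)
            if kind == "jmp" and len(succs) == 1 and succs[0] != n and preds[n]:
                t = succs[0]
                for p in set(preds[n]):
                    g[p] = (g[p][0], [t if x == n else x for x in g[p][1]])
                del g[n]
                break
            # Rule 2: merge a straight-line successor into its only predecessor
            if kind == "inst" and len(succs) == 1:
                s = succs[0]
                if s != n and g[s][0] == "inst" and preds[s] == [n]:
                    g[n] = ("inst", list(g[s][1]))
                    del g[s]
                    break
        else:
            return g  # no rule fired: fixed point reached

def fingerprint(cfg, rounds=2):
    """Name-independent shape signature: refine each node label by the sorted
    labels of its successors (Weisfeiler-Lehman style), then sort the result."""
    labels = {n: kind for n, (kind, _) in cfg.items()}
    for _ in range(rounds):
        labels = {n: (labels[n], tuple(sorted(labels[s] for s in cfg[n][1])))
                  for n in cfg}
    return tuple(sorted(labels.values()))

def same_shape(a, b):
    return fingerprint(normalize(a)) == fingerprint(normalize(b))

# Constructed sample (not from the talk): a function, the same function with split
# basic blocks and junk unconditional jumps inserted, and an unrelated loop.
ORIGINAL = {"a": ("inst", ("b",)), "b": ("inst", ("c",)), "c": ("jcc", ("d", "e")),
            "d": ("inst", ("f",)), "e": ("inst", ("f",)), "f": ("ret", ())}
VARIANT = {"n1": ("inst", ("n2",)), "n2": ("jmp", ("n3",)), "n3": ("inst", ("n4",)),
           "n4": ("inst", ("n5",)), "n5": ("jcc", ("n6", "n8")), "n6": ("jmp", ("n7",)),
           "n7": ("inst", ("n9",)), "n8": ("inst", ("n10",)), "n10": ("jmp", ("n9",)),
           "n9": ("ret", ())}
LOOP = {"x": ("inst", ("y",)), "y": ("jcc", ("x", "z")), "z": ("ret", ())}
```

`same_shape(ORIGINAL, VARIANT)` is true while `same_shape(ORIGINAL, LOOP)` is false; real tooling works on abstracted instruction types and compares many small subgraphs rather than one whole-graph signature.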

Social engineering: hacking the human operating system

By Romain Bouvet (Researcher in psychology at University of Toulouse II Jean-Jaurès)

The speaker presents one of the favorite methods used by cybercriminals: social engineering. The aim is to exploit users' credulity in order to turn them into involuntary accomplices.

To achieve their ends, attackers exploit human weaknesses using various influence and mental manipulation techniques, such as engaging communication or anchoring, to get users to perform an action.

The speaker describes an experiment that he conducted with people who had already been made aware of phishing techniques, including persons working in the human resources department. For that, he created a fake CV infected with malware that captured the victim's password when the file was opened and its macro executed. He then applied to a job offer by e-mail, in appropriate language and without spelling mistakes, explaining that the macro had to be enabled to access the full CV. From the results he obtained, it appears that the majority of people enabled the macro despite their IT security awareness.

The speaker mentions that this method is widely used because human beings, even though they believe themselves to be mostly rational, are in fact irrational. He takes the example of smokers: knowing that smoking is bad for one's health does not necessarily mean that the smoker is going to stop.


Dungeons, Dragons and Security

By Thiphaine Romand-Latapie (Airbus Group Innovations)

The speaker presented a method that she developed during her previous job to raise awareness and convince colleagues about computer security through a role-playing game (RPG). One team represents the attackers (hackers) and the other team represents the defenders (security team).

Her approach is very interesting: it addresses computer security without discussing technical aspects. The participants come from different backgrounds (CEO, project manager, secretary, engineers ...).

The goals are:

  • Answering the questions "What is defence in depth?" and "What are attackers' motives?"
  • Fighting stereotypes like:
    • Hackers are geniuses (not necessarily),
    • The security team is out of touch with real life and prevents people from working.

This idea comes from remarks that she heard when speaking with people with little or no security knowledge, for example:

  • “We are safe: it’s in the LAN”
  • “We have never been hacked!”
  • ...

Moreover, the speaker explains that novices already apply physical security measures in their daily lives:

  • Lock the doors of the house in the morning before going to work,
  • Have insurance (auto, home ...),
  • Hide valuables before leaving on vacation,
  • Do not let strangers into their home,

and accept security measures when they feel that these protect them (home alarm, locks, cameras ...).

The goal is to draw an analogy between physical security and IT security.

The game involves 4 to 8 people over a period of 30 to 45 minutes and is led by a game master (a security expert). Once the time is up, a debriefing is held with the teams.

The goal of the game is to steal a valuable object from a building that is not secured at all. Taking turns, the attacking team writes on a flip chart a method to steal the object, and the defenders then suggest a method to counter the attack. Each team has an unlimited budget to keep the game flowing.

Constraints:

  • The defence team must comply with the law,
  • The laws of physics apply, no super powers.

It is easy for participants to come up with lots of ideas. During the debriefing, it is necessary to draw the parallel with IT security. For that, each defensive and offensive method is analysed and mapped to its IT security counterpart:

  • Operational and technical security measures, access control (privileges), defence in depth, poorly deployed security measures (the object is not put in the safe),
  • Social Engineering, password theft, path of least resistance,
  • Hardware security, supervision (SOC),
  • Credential theft,
  • Biometrics, multi-factor authentication.

The advantage of this game is the interaction between participants. It also makes it easier to engage non-technical people, to demonstrate the value of applying IT security, and to offer them security advice.
