BruCON 2013 conference (Part 2 of 2)
Date: December 11, 2013
In September, Cert-IST attended the BruCON security conference near Brussels.
Last month, we published the first part of our report for this event. We now publish the rest.
Note: The presentation slides are available on the conference website (at this location). For each presentation, we give below a link for the video recording of the talk, as well as the link to the presentation slides when available.
Presented by: Aloria
While many studies (and vulnerabilities) have already been published about Java, very little exists about the .NET technology. This is one of the reasons that pushed Aloria to study this area. Her presentation explains how she was able to reverse a .NET application and then patch it to add a feature. This is not easy: a lot of data is obfuscated to make the code unreadable, and the code is very difficult to reconstruct because many structures (for both code and data) are stored in tables. Despite these difficulties, Aloria achieved her aims. The presentation is very technical, and people who have already looked at .NET internals will certainly find valuable information in it.
Presented by: Dan Guido (Trail of Bits)
In this presentation, Dan Guido updates the EIP (Exploit Intelligence Project) study that he published in 2011 about cyber criminals and their modus operandi. He shows that:
- The cyber-criminal groups (who use crime-packs such as BlackHole, Cool or Sweet Orange) seem to have little technical know-how and little capacity for innovation. In fact, they simply integrate into their tools the exploits published elsewhere (especially the exploits published by Metasploit). He mentioned that an up-to-date Windows 7 environment, if not equipped with Java, cannot be breached by such attackers.
- The APT groups (including state intelligence) have much higher technical skills that allow them to build their own attack programs and to successfully attack targets like Google (Aurora attack in 2010) or Bit9 (in 2013).
- However, the level of technical expertise deployed in these APT attacks is much lower than what a student who follows specialized courses (such as the ones provided by Dan Guido at New York University) can produce after a year. APT groups obviously do just enough to compromise their targets: they do "as much as they have to" while students do "as much as they can".
Paint by Numbers vs. Monet (video)
Presented by: Russ Gideon (AttackResearch.com)
The speaker compares the techniques used by attackers during APTs to those used by pen-testers during their audits. Overall the two are very close:
- Attackers frequently use Metasploit modules, in which they just customize the payload.
- They also sometimes use tools such as Mimikatz (to capture passwords) and Psexec (Metasploit module to create a backdoor on the compromised system). But as these tools are well known and therefore easily detectable, attackers now prefer to use similar programs that they have rewritten themselves.
He recommends that pen-testers (and system owners who buy pen-test services) perform penetration tests that simulate real attacks (infection, lateral movement, data exfiltration), rather than limiting them to searching for infection vectors (vulnerabilities). The former tests the whole chain of reaction within the company.
A panel on DevOps and Security (video)
Presented by: Alex Hutton, David Mortman, Kris Buytaert, Patrick Debois
The DevOps movement was born in 2009, and aims at breaking down the barrier that often exists between development and operations teams. This session was organized as a panel discussion and is consequently difficult to sum up. The DevOps movement seems to be gaining in popularity. It is sometimes explained as being the equivalent, for the operations world, of the Agile movement that exists in the development world. Puppet and Chef are examples of the tools used by DevOps.
Presented by: Robert Graham
The terms "data plane" and "control plane" refer here to the way the software is architected:
- The "Control plane" model is the classical software design where execution flow is driven by logic (functional approach).
- The "Data plane" model is a new model where software architecture is designed around data flow. It typically uses mechanisms such as: non-blocking I/O, independent threads, ring buffers, etc.
Both models are currently used mainly in the context of network architectures and software routers (typically SDN: Software Defined Networks), but the speaker proposes to apply the "data-plane" model more generally to all software that must handle large flows of data: DNS servers, web servers, etc. According to the speaker, Apache+PHP or Bind (which are built on a "Control-plane" model) are no longer suited to supporting the growth of data traffic. In order to test the "Data-plane" model, he has developed two reference implementations:
- A DNS server named "robdns". This server is 100 times faster than Bind, and processes 3 million packets per second.
- A port scanner named "masscan". This scanner generates 25 million packets per second. In comparison, the fast scanner "ZMap" generates "only" 1.3 million packets per second.
Presented by: Stephan Chenette (IO-Active)
The speaker first gives an overview of the Android architecture, and then reviews the different types of malware that currently exist. Finally, he presents a general approach to building an Android malware.
Geolocation of GSM mobile devices, even if they do not want to be found. (video)
Presented by: David Perez and Jose Pico
The speakers’ objective was to build a tracking system for GSM phones that is completely independent of the native localization features that exist on this type of device, and that does not require access to the GSM operator infrastructure. The guiding principles are: to build a fake GSM station (with OpenBTS), to observe the received mobile 2G signal (signal strength, transmission time), and to locate the device by triangulation. Although these principles are simple, implementing them raises a large number of difficulties. The presentation explains step by step the progress of the project, and how the difficulties were resolved.
For more information:
- Presentation materials:
http://files.brucon.org/2013/
- Public reports published:
http://www.cupfighter.net/index.php/2013/09/brucon/
https://www.attackdebris.com/?p=117