"GS-Days 2010" conference report
Date : December 06, 2010
The 2nd edition of the "GS Days" conference was held in Paris on November 30th, 2010. This event is organized yearly by the founder of the French IT news magazine Global Security Mag. It was attended by more than one hundred participants. The conference program included more than twenty presentations (running in parallel in 3 meeting rooms) covering legal (7 presentations), technical (8 presentations) and organizational (6 presentations) topics.
We present the sessions Cert-IST attended. The full agenda and presentation materials are available (in French) on the conference website.
Incident handling: legal and technical aspects
This presentation was given by a set of presenters including a lawyer and two technical experts. It combined legal aspects (such as precautions, legal limits, etc.) and technical aspects (such as data collection tools or analysis techniques). The most significant points we noted follow.
It is extremely important to be very rigorous when collecting evidence. For example: disc seizure must be done in the presence of a bailiff; the disc must be copied immediately (using a "write blocker" protection mechanism); the copy must be digitally sealed using an MD5 hash; … There is no formal obligation to do so in French law, but a case built that way cannot be challenged (on technical aspects) by the opposing party (it could be challenged if these precautions had not been taken).
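The digital sealing step described above, as an added example that is not part of the original report: the disk copy is hashed in chunks, the digests are written to a manifest, and a later verification recomputes them and reports any mismatch. The MD5 digest matches what the speakers described; the SHA-256 digest, the manifest format and the sample image are assumptions made for this example.

```python
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash the image in 1 MiB pieces so a large disk fits in memory

def digest_file(path):
    """Return the MD5 and SHA-256 hex digests and the byte size of a file."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}

def seal_image(image_path, manifest_path):
    """Seal a freshly made disk copy: record its digests in a manifest file."""
    manifest = {"image": os.path.basename(image_path), **digest_file(image_path)}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_image(image_path, manifest_path):
    """Recompute the digests and report every field that no longer matches."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = digest_file(image_path)
    mismatches = [k for k in ("size", "md5", "sha256") if actual[k] != expected[k]]
    return len(mismatches) == 0, mismatches

def demo():
    """Seal a constructed image, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        manifest = os.path.join(tmp, "disk.img.manifest.json")
        with open(image, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"constructed disk image content " * 4096)
        seal_image(image, manifest)
        intact, _ = verify_image(image, manifest)
        with open(image, "r+b") as f:  # simulate a modification of the copy
            f.seek(100)
            f.write(b"X")
        tampered, mismatches = verify_image(image, manifest)
    return intact, tampered, mismatches

if __name__ == "__main__":
    print(demo())
```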
The speaker recalled that in France we cannot use entrapment techniques (e.g. setting up a fake website to attract the hacker and then suing him because of his illegal actions against the fake website), because these techniques are not legal in France.
For blind attacks (where the attacker just searches for new vulnerable sites but has no real malicious intent against your organisation), it is difficult to succeed when suing for damages. On the other hand, targeted attacks (from a competitor or an insider) can often be successfully investigated. 70% of such cases end in a mutual agreement between the parties rather than in a lawsuit. To be in a strong position when negotiating this agreement (and, for example, to obtain significant compensation from the other party), it is important to have built a case strong enough to be presented to a court.
On technical matters, one of the speakers recommended inserting "canary values" into one's own data. Canary values are fictitious data that are easy for you to recognize (but not for the attacker) and that could help you identify the attacker when he re-uses them. This tactic is also known as « honeytokens ».
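The honeytoken tactic above, as an added example that is not from the original report: fictitious records are seeded into a data set, and log lines are scanned for any later appearance of them, which points back to the data set that was copied. The token values, the data set names and the sample log lines are all constructed for this example.

```python
# Constructed honeytokens: fictitious customer records seeded into the real
# customer file. They are meaningful only to the owner of the data, so any
# later sighting of one of them points back to the data set it was planted in.
HONEYTOKENS = {
    "anne.tremblay-canary@example.net": "customer-file-2010",
    "CANARY-INV-778214": "invoice-archive",
    "+33 1 99 00 01 02": "customer-file-2010",
}

def normalise(text):
    """Lower-case and collapse whitespace so reformatted copies still match."""
    return " ".join(text.lower().split())

def find_honeytokens(text):
    """Return (token, data_set) for every honeytoken that appears in text."""
    haystack = normalise(text)
    return [(tok, ds) for tok, ds in HONEYTOKENS.items() if normalise(tok) in haystack]

def scan_log(lines):
    """Scan log lines (outbound mail, web requests, etc.) and build alerts."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for token, data_set in find_honeytokens(line):
            alerts.append({"line": number, "token": token,
                           "data_set": data_set, "event": line.strip()})
    return alerts

# Constructed sample log: one mail to a real customer, one marketing mail from
# an unknown sender addressed to a canary e-mail address, and one web request
# that quotes a canary invoice number.
SAMPLE_LOG = [
    "2010-11-30T09:12:01 smtp-out to=jean.dupont@example.org subject=Quote",
    "2010-11-30T10:45:17 smtp-in from=promo@unknown-sender.example "
    "to=Anne.Tremblay-Canary@example.net",
    "2010-11-30T11:03:44 http GET /search?q=canary-inv-778214 src=203.0.113.7",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```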
H@ckRAM : exploiting the Windows RAM memory
This presentation was an inventory of the attack techniques against the memory of Windows computers.
It first presented the different ways to capture an image of memory: a dump of the physical RAM, a copy of the Windows hibernation file, a copy of the "crashdump" file generated when Windows crashes, or even extraction of the physical memory chips (an attack called 'cold boot', described in an article of our March 2008 Bulletin). It also described 2 attack scenarios that do not require the theft of the attacked computer:
- A remote attack that uses the Metasploit toolkit to gain access to the targeted system and remotely install a tool which copies the RAM.
- Another attack where the attacker plugs a specially equipped iPod into the Firewire port of the targeted PC (this attack is known as « Winlockpwn » and was first demonstrated in 2006 by Adam Boileau). It can be used against a PC that was left unattended, even if the session has been locked.
The speaker then explained how to explore the memory image (with many references to the work of Matthieu Suiche) and the useful information that can be found there. This is typically passwords stored without protection in memory (e.g. Gmail, Facebook or OpenVPN passwords). These passwords can be found using specific tools that search for certain data patterns (there are known search patterns for each vulnerable tool). He also explained how it is possible (with a tool such as Passware, which is based on a study published in 2008 by Princeton University) to capture in memory the encryption key of a TrueCrypt fully encrypted hard drive.
In his conclusion, the speaker gave several recommendations to protect against these attacks, such as physically protecting the computers (with anti-theft screws, or by disabling DMA or RS232 ports, etc.) and regularly changing passwords (in case they have been stolen).
New generation smartphones: how can CSOs deal with that threat?
The presentation focused on ways to secure smartphones (Blackberry, iPhone, etc.) that are used at work.
It first explains the explosion of that market segment and the security potential of the main offers:
- Blackberry (RIM): It was the first to cover that market and is the current leader. It is currently the most mature offer from a security standpoint, with security features (such as the ability to remotely wipe the contents of a stolen terminal) included from the beginning of the product design.
- The iPhone (Apple), which is the most serious competitor of the Blackberry. It gains market share because it looks attractive to end-users (with a friendly look & feel and the ability to install multiple applications). Since version 4.1, the iOS operating system offers fleet management features that enable easy deployment of these devices in an enterprise.
- Android (Google) and Phone 7 (Microsoft) both seem for the moment too focused on the end-user audience, and too young (Phone 7 has only been available since October 2010), for use in an enterprise environment.
The speakers then described the architectural elements typically implemented in a company to deploy a fleet of mobile phones.
- The ActiveSync protocol (from Microsoft) seems to be becoming the de facto standard for access (from the smartphone) to the PIM functions ("Personal Information Management", which combines e-mail, calendar and contacts features) hosted on the company's Exchange server.
- Fleet management is performed using MDM (Mobile Device Management) software. Various offers are available in this field, such as Airwatch, Sybase, MobileIron, Ibelem, McAfee or TrustDigital.
- It is probably not viable to try to take complete control of the mobile devices (e.g. to prevent users from installing applications not approved by the company on them), especially if personal telephones are used in the company. The speakers therefore recommend an approach called "Application Silos", where all the business applications are installed on the device in an isolated environment called the "Enterprise Application Silo". Personal applications (installed by the user) are located in another silo.
Human intelligence is at the heart of information security
This presentation was an overview of the various concepts (e.g., the different categories of information: white data, grey data and black data) and techniques (e.g., manipulation, influence, authority) in the field of human intelligence ("Humint").
The speaker highlighted the fact that intelligence (especially human intelligence) is too often overlooked. He indicated that strategic businesses should spend 30% of their effort on intelligence gathering, 30% on communication and the remainder on areas such as training or technical means. One can also consider that 50% of the security of a company depends on human beings and that only 10% depends on technical matters. Unfortunately the same ratio is generally not applied when looking at the effort spent on intelligence gathering.
Is a wise usage of social networks possible?
This presentation was led by two lawyers and discussed the dangers of social networks such as Facebook:
- A hunting ground for cyber-criminals (who collect information there or seek victims)
- A source of danger for the company, first through the time lost by employees (who, according to a study in France, spend up to 86 minutes per day on social networks during their working time) and second due to the risk to the company's reputation (e.g. due to careless behaviour or malicious dissemination of information via social networks).
The recent ruling in the case of the ALTEN employees laid off due to insulting remarks posted on Facebook was analyzed. The court decision (rejecting the complaint of the terminated employees) surprised the general public but not the speakers:
- Except in the case of very restrictive use, Facebook conversations cannot be considered private exchanges.
- The employee has a duty of loyalty to his employer.
The speakers recommend:
- educating people about the dangers of social networks and making everyone aware that these networks are not private (and safe) places,
- defining usage charters to clarify the company policy on the topic of social networks,
- strengthening the confidentiality and non-competition clauses in employees' contracts.
They mentioned that a first significant step was taken at European level for the protection of users with the publication, in June 2009, by the G29 (a European group working on the topic of privacy protection) of recommendations for social networks: see the article published by the French CNIL on this topic.
They concluded the presentation by answering two questions from the audience:
- Is it safe to use social networks? No, using social networks exposes you to some risks. You must know these risks and act carefully to avoid them.
- Can social networks be used wisely? Yes, they are a powerful communication tool that can be worth using for the company.
Measure, monitor and improve your security
The speakers first noted the limitations of current security monitoring practices:
- Audits (such as pen-tests or source code reviews) are sometimes conducted without having first established a global strategy for the corporate security activities.
- The current security dashboards are often incomplete and constructed simply by juxtaposing the various technical data available (e.g. the percentage of viruses detected).
They recommend designing a more structured methodology and propose the following approach:
- First, the monitoring strategy must rely on a structured set of corporate security policies, defined in line with the company's security objectives (and consistent with the risk analysis results). This repository is typically built hierarchically using 3 levels: the corporate security policy, the security procedures (operational policies) and the security standards.
- In line with these three levels, three levels of controls should be defined. At the lowest level are the basic controls (technical or non-technical), which focus on verifying that security standards are enforced. These provide the inputs to build a monitoring dashboard at the "procedures" level, which in turn gives the inputs for a strategic dashboard at the corporate security policy level.
On the topic of the basic controls, the speakers recommend:
- Assign a confidence level to each control. Some controls will be considered reliable, while others may be classified as low confidence.
- Clearly define the perimeter to which a given control applies, and do not try to apply the same controls everywhere.
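The three-level roll-up and the two recommendations on basic controls, as an added example that is not from the original presentation: each basic control verifies one standard, carries a confidence level and an explicit perimeter, and its result is aggregated (weighted by confidence) into a procedure-level and then a policy-level dashboard. The control repository, the weights and the figures are all constructed for this example.

```python
from collections import defaultdict

# Constructed control repository (figures invented): each basic control checks
# one security standard, belongs to a procedure and a policy, and carries a
# confidence level and an explicit perimeter.
CONTROLS = [
    {"id": "C1", "standard": "patch-sla", "procedure": "vulnerability-management",
     "policy": "system-protection", "confidence": "high", "perimeter": {"dmz", "internal"},
     "passed": 18, "checked": 20},
    {"id": "C2", "standard": "pentest-findings-closed", "procedure": "vulnerability-management",
     "policy": "system-protection", "confidence": "low", "perimeter": {"dmz"},
     "passed": 5, "checked": 5},
    {"id": "C3", "standard": "hardening-baseline", "procedure": "hardening",
     "policy": "system-protection", "confidence": "medium", "perimeter": {"internal"},
     "passed": 7, "checked": 10},
    {"id": "C4", "standard": "account-review", "procedure": "access-control",
     "policy": "identity", "confidence": "high", "perimeter": {"internal"},
     "passed": 40, "checked": 50},
    {"id": "C5", "standard": "mfa-enabled", "procedure": "access-control",
     "policy": "identity", "confidence": "medium", "perimeter": {"dmz"},
     "passed": 9, "checked": 10},
]

# Weight given to a control's result according to how much it can be trusted (assumed values).
CONFIDENCE_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}

def control_score(control):
    """Compliance ratio of one basic control (0.0 to 1.0)."""
    return control["passed"] / control["checked"]

def rollup(level):
    """Aggregate control scores into a dashboard keyed by 'procedure' or 'policy'.
    Scores are weighted by confidence, so a perfect result from a low-confidence
    control cannot mask a weaker result from a reliable one."""
    totals = defaultdict(lambda: {"weighted": 0.0, "weight": 0.0, "controls": 0})
    for c in CONTROLS:
        entry = totals[c[level]]
        w = CONFIDENCE_WEIGHT[c["confidence"]]
        entry["weighted"] += w * control_score(c)
        entry["weight"] += w
        entry["controls"] += 1
    return {name: {"score": e["weighted"] / e["weight"], "controls": e["controls"]}
            for name, e in totals.items()}

def controls_for(zone):
    """Ids of the controls whose perimeter covers a given zone."""
    return [c["id"] for c in CONTROLS if zone in c["perimeter"]]
```

Calling `rollup("procedure")` then `rollup("policy")` produces the two dashboard levels above the basic controls; `controls_for("dmz")` shows which controls actually apply to one perimeter.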
The security of personal data finally taken seriously?
The presentation was given by representatives of the AFCDP (Association Française des Correspondants aux Données Personnelles: www.afcdp.net), a French association on the topic of data privacy.
This association aims at helping people in charge of CIL matters within companies (CIL stands for « Correspondant Informatique et Liberté » and is the equivalent of the "Chief Privacy Officer" in the U.S.).
The presentation particularly covered a French bill (introduced in late 2009 by Senators Détraigne and Escoffier) which proposes (in its Article 7) to make it mandatory for companies to declare (to the French CNIL authority and to the affected end-users) incidents involving personal data. This would be equivalent to the data breach notification that exists in the US. It is not certain that this proposal will be adopted by the French National Assembly. But it is likely that this sort of requirement will, sooner or later, be added to French law, because it already exists at European level for telecom operators (see the "Telecoms Package", adopted by the EC in November 2009) and the European Community has already stated its intent to extend this requirement to other market sectors.
This will have a significant impact on all companies (since every company has a client file, and probably other data considered personal data) and must be prepared for.
Conclusion
This second edition of the GS-Days conference was a very interesting day, especially because of the diversity of the topics presented. Legal aspects were very present, which indicates the increasing importance of law in IT security. The organizational topics (such as the one on security controls and monitoring) and the technological topics (such as the one on smartphone usage within the company) are also well suited to current concerns.