Recently, I attended a highly technical infosec conference (Hack.lu) as a “Non-Technical Individual of No Consequence.”
In other words, here is a Hack.lu 2014 write-up as I experienced it. For any technical misinterpretations or if I’m just plain wrong, then please let me know and I will endeavor to learn and not make the same mistake next time. Attending a conference like this is interesting but also challenging for a librarian like myself.
Day 1
I must admit that I was anticipating this conference a lot. I moved around my work days so that I could attend all three days in full, and it’s something I’ll never regret. The day started with registration, receiving as I did last year a pretty cool T-shirt upon paying the three-hundred something euro for attendance. I should have registered online to make it easy for the organizers, but due to stress in general and several personal issues, I didn’t. I had a morning coffee, took a look around and realized that things were already in motion. Running to my chosen workshop, I entered at the last moment and didn’t get a seat.
The workshop was the “Better Crypto Workshop” by the Cert.At team. Better Crypto is a community project that advocates for better crypto documentation because good crypto is too hard to achieve for many people in many places. Put another way, there are simply too many trade-offs and too scarce of good documentation.
Featured Download: Social media access at work. Do your employees know the rules?
Better Crypto is a crypto guide project being run by a host of experts. The motto is “Keep everything open source” and you can find it at Git.bettercrypto.org or GitHub/bettercrypto. They’re looking for more participation and are asking potential volunteers to send small commits only since it’s much easier to review than large ones. A nice history of cryptography was presented – names and events. Book recommendations were also given, with “The Code Breakers” by David Kahn and “Applied Cryptography” by Bruce Schneier as notable inclusions. Finally, the group discussed ECC, recommended PFS, explained the importance of pRNGs., and presented a nice list of SSL test tools for both internal systems and web application tools. (OpenSSL sclient, sslscan, ssllabs, and more were all on the list.) You can choose your own cipher suites on Bettercrypto, and its guides exist for a lot of systems already.
At one point, the history of SSL and TLS was presented with known attacks on these certifications. Historic advice tells us to turn off TLS compression, which sparked a lively discussion: Are ECDSA and ECDH broken or not? A patent for secure implementations of these exists, so my personal take is that you should consider them broken for sure. Someone should do a pull request and commit this info to the project. List of IETF and other working groups working on countering pervasive monitoring incl. TCPINC and more good initiatives. Brain pool authors made a summary on eprint.iacr.org.
After lunch, I presented iamTheCavalry in a lightning talk on the main “Stage.” I think this went rather well, but I haven’t seen any new sign-ups. Even so, I’m hoping people are thinking and letting it simmer with the ultimate intention of contributing to the cause even if they decide to ultimately not join. You can read more about the Cavalry on www.iamthecavalry.org.
I then had the pleasure of watching a lightning talk with a speed-version of Axelle Apvrille’s “APK as PNG” presentation from Black Hat EU 2014. The demo worked, and it was very nice to see Angecryption live for the first time.
Philippe Teuwen presented Angecryption in a lightning talk called “the electronic coloring book” which shows that AES, CBC picture encryption isn’t very optimal and that basically all the data can be recovered.
Next, Ludovic Apvrille presented: “If I secure my car, will it still brake?” His research indicates that if you secure the CANbus traffic with encryption mechanisms, the car won’t be able to brake in time if it has automated or partially automated braking systems. The increased delay can be fatal. A modern car can have as much as 100 chips installed, which are in reality 100 mini-computers, so everything is/can be controlled via chips. Very interesting presentation and totally fits with IamTheCavalry.
Following Apvrille’s presentation, Filippo Valsorda spoke about “The Heartbleed test adventure.” When Valsorda first heard about Heartbleed, he checked the info he could find, but he needed more, so checked the underlying RFC. He didn’t understand the patch, so he tried writing an exploit based on the RFC information, and it worked. He then created a scalable test, published it and went to bed. The next morning, he woke up to around 500-2000 requests to the blog. Per minute. But then over a period of time, this increased to 22,000 requests per minute – and stayed like that for weeks. Now, so long after the initial exploit, still 4k per minute due to mostly browser extensions checking Heartbleed on all visited websites. His Heartbleed test has since received a lot of intention. A Github pages page with a backend of up to 40 EC2 on AWS with ELB was created to support it.
The server running Valsorda’s presentation are Pure Go concurrent web/test servers (way later using 1h Cache on Amazon when no technical people were testing for Heartbleed anymore). DB setup: NoSQL (dynamoDB)- No google analytics, no ads, only logged results of tests. So here we have an example of someone not looking to monetize, not looking to gather a huge DB of potentially vulnerable companies/private individuals. I like the ethical aspect this revealed about the presenter.
Andrzej Dereszowski next presented “Rapid reversing with Ida Pro.” Olly debugger and IDA pro aren’t integrated, which isn’t optimal, so Dereszowski then created funCap, thereby creating this integration in the form of IDA Pro. This speeds up the reversing process.
Dereszowski’s talk was followed by Attilo Marosi’s dissection of the infamous Finfisher Trojan for Android with some nice demos.
Next up, Paul Jung of the local Luxembourgish security-play Excellium Services presented “Bypassing sandboxes for fun and profit.” This was about how malware detects sandboxes without API calls – basically invisibly. The PEB is the resource for this. Playing for time -> sleeping or detecting mouse movement. Paul successfully showed bypasses of a large number of sandboxes due to fully detecting them from the POV of malware.
This directly led into “Python code obfuscation” by Serge Guelton, a talk that revolved around obfuscating the obfuscating part of code. Guelton determined that he can obfuscate any scripting language in general. It’s now available on github under Quarkslab.
I find this year’s Hack.lu slogan very interesting. It read as follows: “Within a few months of its availability, new technology helps the bad guys at least as much as the good guys.” Unfortunately, it seems the organizers didn’t much use this slogan for follow-up comments nor evaluated presentations against this, which could have been an interesting angle.
The last talk I attended on Day 1 was something I probably should have been aware of but wasn’t really. I’ve since had to incorporate the subject of the talk into my universe of risks that you should be aware of and consider mitigating. The presentation was called “Extreme privilege escalation on windows 8. / UEFI” and was presented by Xeno Kovah but was based on research by Corey Kallenberg.
Xeno said that BIOS level hacking is interesting now because of the NSA. Trust computing is what they do – (they being the Mitre corporation). Exploits gaining root isn’t the awesomeness, but owning something invisibly forever is. It unlocks more power, persistence, and stealth, and this is obviously what any attacker wants if able to achieve it…. This is a post-exploitation exploit. Others have covered things in this area – for example, Post Exploitation privilege escalation – using as existing signed drivers that are vulnerable. Xeno wants to go to MBR, SMM, UEFI (platform firmware). SMM is a separate execution mode – 16 bit dos-like execution. The obligatory UEFI diagram shows a kill chain for endpoint exploitation. SetfirmwareEnvironmentvariable -> SPI flash contains non-volatile variables controlled from Windows 8 admin land. Using an Intel reference implementation of UEFI, “anyone” can find integer overflows. Independent bios vendors sell modified images of the reference implementation which then gets used by Dell and other OEM vendors. Names of vuln’s/exploits presented: Kings gambit and Queens gambit. Exploits were developed by reading the reference implementation source code, which had developer code remarks in it still. Demo of exploit – warm reboot not enough after exploit due to lacking windows 8 drivers on the chosen board. “The watcher” was written to this bios and can scan the memory, waiting for a signal and a payload. An ICMP demo was performed next. The payload overwrote the target vector – the first instruction had been nullified. How likely is it that there aren’t already watchers watching us? We can’t know until people start integrity checking their BIOSs. Copernicus is a defensive tool for this sort of exploit, freely available from the Mitre Corporation.
Subzero.io – bios binary file hash collection soon.
I learned something new on day 1 (maybe my own laziness is to blame for not already knowing; I did fail to watch all the presentations from the past few years’ conferences). I also thoroughly enjoyed seeing a diverse crowd of presenters sharing tools, experience and knowledge with their peers. It was a very promising day 1, and I met and talked to some awesome people, some of whom I will hopefully one day be able to proudly call friends.
Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
To find out more about our panel members visit the biographies page.
