A Recap of the Hack.lu Infosec Conference – Days 1, 2, and 3

By ISBuzz Team
Writer, Information Security Buzz | Dec 04, 2014 05:05 pm PST

**NOTE: This is a compilation of three posts published separately during the week of December 1st, 2014.**

Recently, I attended a highly technical infosec conference (Hack.lu) as a “Non-Technical Individual of No Consequence.”

In other words, here is a Hack.lu 2014 write-up as I experienced it. For any technical misinterpretations or if I’m just plain wrong, then please let me know and I will endeavor to learn and not make the same mistake next time. Attending a conference like this is interesting but also challenging for a librarian like myself.

Day 1

I must admit that I was anticipating this conference a lot. I moved around my work days so that I could attend all three days in full, and it’s something I’ll never regret. The day started with registration, receiving as I did last year a pretty cool T-shirt upon paying the three-hundred something euro for attendance. I should have registered online to make it easy for the organizers, but due to stress in general and several personal issues, I didn’t. I had a morning coffee, took a look around and realized that things were already in motion. Running to my chosen workshop, I entered at the last moment and didn’t get a seat.

The workshop was the “Better Crypto Workshop” by the Cert.At team. Better Crypto is a community project that advocates for better crypto documentation because good crypto is too hard to achieve for many people in many places. Put another way, there are simply too many trade-offs and too scarce of good documentation.

Better Crypto is a crypto guide project being run by a host of experts. The motto is “Keep everything open source” and you can find it at Git.bettercrypto.org or GitHub/bettercrypto. They’re looking for more participation and are asking potential volunteers to send small commits only since it’s much easier to review than large ones. A nice history of cryptography was presented – names and events. Book recommendations were also given, with “The Code Breakers” by David Kahn and “Applied Cryptography” by Bruce Schneier as notable inclusions. Finally, the group discussed ECC, recommended PFS, explained the importance of PRNGs, and presented a nice list of SSL test tools for both internal systems and web application tools. (OpenSSL s_client, sslscan, ssllabs, and more were all on the list.) You can choose your own cipher suites on Bettercrypto, and its guides exist for a lot of systems already.

At one point, the history of SSL and TLS was presented with known attacks on these certifications. Historic advice tells us to turn off TLS compression, which sparked a lively discussion: Are ECDSA and ECDH broken or not? A patent for secure implementations of these exists, so my personal take is that you should consider them broken for sure. Someone should do a pull request and commit this info to the project. List of IETF and other working groups working on countering pervasive monitoring incl. TCPINC and more good initiatives. Brain pool authors made a summary on eprint.iacr.org.

After lunch, I presented iamTheCavalry in a lightning talk on the main “Stage.” I think this went rather well, but I haven’t seen any new sign-ups. Even so, I’m hoping people are thinking and letting it simmer with the ultimate intention of contributing to the cause even if they decide to ultimately not join. You can read more about the Cavalry on www.iamthecavalry.org.

I then had the pleasure of watching a lightning talk with a speed-version of Axelle Apvrille’s “APK as PNG” presentation from Black Hat EU 2014. The demo worked, and it was very nice to see Angecryption live for the first time.

Philippe Teuwen presented Angecryption in a lightning talk called “the electronic coloring book” which shows that AES, CBC picture encryption isn’t very optimal and that basically all the data can be recovered.

Next, Ludovic Apvrille presented: “If I secure my car, will it still brake?” His research indicates that if you secure the CANbus traffic with encryption mechanisms, the car won’t be able to brake in time if it has automated or partially automated braking systems. The increased delay can be fatal. A modern car can have as much as 100 chips installed, which are in reality 100 mini-computers, so everything is/can be controlled via chips. Very interesting presentation and totally fits with IamTheCavalry.

Following Apvrille’s presentation, Filippo Valsorda spoke about “The Heartbleed test adventure.” When Valsorda first heard about Heartbleed, he checked the info he could find, but he needed more, so he checked the underlying RFC. He didn’t understand the patch, so he tried writing an exploit based on the RFC information, and it worked. He then created a scalable test, published it and went to bed. The next morning, he woke up to around 500-2000 requests to the blog. Per minute. But then over a period of time, this increased to 22,000 requests per minute – and stayed like that for weeks. Now, so long after the initial exploit, it is still at 4k per minute, mostly due to browser extensions checking Heartbleed on all visited websites. His Heartbleed test has since received a lot of attention. A GitHub Pages page with a backend of up to 40 EC2 instances on AWS with ELB was created to support it.

The servers running Valsorda’s presentation are pure Go concurrent web/test servers (much later using a 1h cache on Amazon, when no technical people were testing for Heartbleed anymore). DB setup: NoSQL (DynamoDB). No Google Analytics, no ads, only logged results of tests. So here we have an example of someone not looking to monetize, not looking to gather a huge DB of potentially vulnerable companies/private individuals. I like the ethical aspect this revealed about the presenter.

Andrzej Dereszowski next presented “Rapid reversing with Ida Pro.” Olly debugger and IDA pro aren’t integrated, which isn’t optimal, so Dereszowski then created funCap, thereby creating this integration in the form of IDA Pro. This speeds up the reversing process.

Dereszowski’s talk was followed by Attila Marosi’s dissection of the infamous Finfisher Trojan for Android with some nice demos.

Next up, Paul Jung of the local Luxembourgish security-play Excellium Services presented “Bypassing sandboxes for fun and profit.” This was about how malware detects sandboxes without API calls – basically invisibly. The PEB is the resource for this. Playing for time -> sleeping or detecting mouse movement. Paul successfully showed bypasses of a large number of sandboxes due to fully detecting them from the POV of malware.

This directly led into “Python code obfuscation” by Serge Guelton, a talk that revolved around obfuscating the obfuscating part of code. Guelton determined that he can obfuscate any scripting language in general. It’s now available on github under Quarkslab.

I find this year’s Hack.lu slogan very interesting. It read as follows: “Within a few months of its availability, new technology helps the bad guys at least as much as the good guys.” Unfortunately, it seems the organizers didn’t much use this slogan for follow-up comments nor evaluated presentations against this, which could have been an interesting angle.

The last talk I attended on Day 1 was something I probably should have been aware of but wasn’t really. I’ve since had to incorporate the subject of the talk into my universe of risks that you should be aware of and consider mitigating. The presentation was called “Extreme privilege escalation on windows 8. / UEFI” and was presented by Xeno Kovah but was based on research by Corey Kallenberg.

Xeno said that BIOS level hacking is interesting now because of the NSA. Trust computing is what they do – (they being the Mitre corporation). Exploits gaining root isn’t the awesomeness, but owning something invisibly forever is. It unlocks more power, persistence, and stealth, and this is obviously what any attacker wants if able to achieve it…. This is a post-exploitation exploit. Others have covered things in this area – for example, Post Exploitation privilege escalation – using existing signed drivers that are vulnerable. Xeno wants to go to MBR, SMM, UEFI (platform firmware). SMM is a separate execution mode – 16 bit DOS-like execution. The obligatory UEFI diagram shows a kill chain for endpoint exploitation. SetFirmwareEnvironmentVariable -> SPI flash contains non-volatile variables controlled from Windows 8 admin land. Using an Intel reference implementation of UEFI, “anyone” can find integer overflows. Independent BIOS vendors sell modified images of the reference implementation which then gets used by Dell and other OEM vendors. Names of vulns/exploits presented: Kings gambit and Queens gambit. Exploits were developed by reading the reference implementation source code, which had developer code remarks in it still. Demo of exploit – warm reboot not enough after exploit due to lacking Windows 8 drivers on the chosen board. “The watcher” was written to this BIOS and can scan the memory, waiting for a signal and a payload. An ICMP demo was performed next. The payload overwrote the target vector – the first instruction had been nullified. How likely is it that there aren’t already watchers watching us? We can’t know until people start integrity checking their BIOSs. Copernicus is a defensive tool for this sort of exploit, freely available from the Mitre Corporation.

Subzero.io – bios binary file hash collection soon.

I learned something new on day 1 (maybe my own laziness is to blame for not already knowing; I did fail to watch all the presentations from the past few years’ conferences). I also thoroughly enjoyed seeing a diverse crowd of presenters sharing tools, experience and knowledge with their peers. It was a very promising day 1, and I met and talked to some awesome people, some of whom I will hopefully one day be able to proudly call friends.

Day 2

I got there to the conference hall a little bit earlier on Day 2 to make sure I had time enough to finish my morning coffee before things started. Turns out the program started 20 minutes earlier on Day 2, and I just barely managed to grab a coffee and find a seat in the room before the keynote started:

Marion Marschalek presented “Star Wars” instead of the official title “TS NOFORN.” Her keynote consisted of an in-depth discussion of several infosec topics, including information warfare, malware, and cyber adversaries. First, she discussed a piece of malware named Callientefever, which was compiled in 2010 and whose HTTP accept language is always FR. The malware uses Dynamic API loading by name hash and seems to have been written to ”flood all the things.” At some point, Marschalek encountered a sinkhole domain operated by Kaspersky with a flame@kaspersky.com contact e-mail address, so she contacted them about it. I’m not exactly sure what followed, but I got the distinct feeling that they didn’t agree on how to proceed. I believe this piece of malware became “#Suspect 1.” Then similar samples were identified by her and her peers who had huge databases of malware samples. “#Suspect 4” stood out in particular. It was larger than the other samples but used same basic functionalities and LUA script to do AV product enumeration – select * from antivirus product Firewall product enumeration – select all from firewall product Sandbox check – KLavme, my app, test app,afyjevmv. It also checked that Perfmon was running to ensure that the malware itself did not use too much cpu power. When decrypted, the malware revealed three domain names: Le-progres.net and 2 others, all three seemingly fake. For instance, one of them, Ghatreh.org, is a magazine based in Iran.

Marion has since done a write-up on this malware family, which she has named “Bunny”: http://0x1338.blogspot.co.at/2014/11/hunting-bunnies.html.


A take away from this keynote is the fact that malware samples and IOCs don’t make it to the people who need them because many vendors within this industry are creating venues of information to build their market. Marion did some free marketing for solutions that currently don’t have access to marketing but are nonetheless worthy, which include whisper systems, fire chat, open garden, sub graph OS, bettercrypto.org, RCE tool library, and viper.

After Marion’s keynote, Claudio Guarnieri presented his “viper project.” Malware, exploits, and analysis scripts, Guarnieri explained, are all over the place when you’re a malware analyst or reverse engineer. It becomes an unmanageable mess. First, he tried VxCage as his first attempt at a structured file system, but it failed. Now he’s trying again with “Viper.” It is a framework to store, organize and analyze malware. You can create new modules, with 30 already available. The Framework is modular, Open Source, and can help interested parties with the library functions required by RE’s/Forensics analysts.

Next, Shahar Tal presented “I hunt TR-069 admins.” The talk focused on SOAP RPC, a piece of SOHO hardware – a CPE (Customer placed equipment) that talks to an ACS (access control server). The CPE initiates the connection always, which is a widely used de facto device management standard. With this type of set-up, one hopes that the ACS is a “good guy” because the CPE can be a zero touch configuration device where the help desk/call center can fix issues remotely. One server at the ISP controls the entire fleet of CPE routers; if someone hacks the ACS, they gain access to passwords and usernames for everything. You can then get SSIDs, change the WAN surface, and upload new firmware. Boom. TR-069 is vulnerable when unprotected, and ACS is a great attack vector.

Following Tal’s talk, Fyodor Yarochkin, Vitaly Chetvertakov, and Vladimir Kropotov delivered their talk “Detecting bleeding edge malware.” The presentation consisted of malware collected this year from within Ukraine. The main take aways for me were that attackers change the domain name every the minutes. As a result of this, security professionals must watch the mime types on their network streams. They’ve also published Cif v1 on github/collectiveintel, which can help in validating anyone’s findings.

Next up was Aleksandr Timorin, whose presentation was “SCADA deep inside: protocols and security mechanisms.” Methods whitelisting and TLS (the latter of which is in theory supported but not so in reality) are two well known security measures for SCADA implementations. Many attacks exist against SCADA. Passwords are easily extracted and badly protected/encrypted. SCADA <> PLC authentication is easily broken and passwords cracked, with the example of JTR. We were then shown a demo of IP spoofing and accessing the PLC. The presentation drew on a number of security tools, including wireshark, ncat, socat, scapy, Zulu.

Philippe Teuwen then presented “Belgian elections bug” as a lightning talk. Pardon me Philippe, my attention strayed to Twitter for a quick catch up. Since we’ve never met, I’m sure you won’t mind.

There was also a Lightning talk on “Luxembourg use or not use of APIs” by Thierry Degeling, who succeeded in creating better APIs for some large (For Luxembourg) public services — better in fact than the APIs offered by the companies themselves. He argued that this simply needs to be improved, which is obviously correct. I think he has since had to take at least some of these APIs down because the companies were objecting to them a bit.

A quick comment on the fast responder application presented by @sebdraven. It is designed to detect and understand large scale compromise, and it looks great for Windows environments: https://github.com/SekoiaLab/FastResponder.

Ludovic and Axelle Apvrille next presented together on “Sherlockdroid.” It’s an inspector for Android marketplaces. The app makes it feasible for malware researchers to analyze only probable malware samples using low false positive/negative values. This allows researchers to focus only on unknown malware.

Xeno Kovah, who presented on Day 1, then presented again. This time “a dark fairy tale of smite’em versus Copernicus.”

Copernicus 2 is a new tool that can help prevent against the SMM mitm’ing presented in his first presentation. The calls to read the bios/SMM can now be blocked using Intel trusted execution (TXT) that creates a nugget of trust via asymmetrical cryptography. This allows code to run, which in turn enables SENTER to run. The newly running code measures stuff and allows stuff to run, it tears down the system, and builds up a new one. Then it measures the new launch environment and tells you if trusted code in fact ran. If trusted code did not run, your BIOS/SMM has probably been compromised.

At that point, Kovah shifted the focus of his talk to Charizard, a new attack revealed at Syscan that subverts the Copernicus 2 defense.

There is also a brand new attack called Sandman about which Kovah also spoke. This is an attack that executes the MLE with an attacker inside which enables the attacker to suppress SMI’s, win then by mitm’ing the SMM-read, and then writing to the flash chip.

Intel isn’t shipping SMT’s atm, which makes all BIOS potentially vulnerable to Sandman.

Following Kovah’s talk, Anamika Singh (#Because #Joel) presented on WiHawk – a router vulnerability scanner tool that is now included as a module in the Ironwasp web vulnerability scanner. It includes some demos and stuff for router back doors, authentication bypass, and password recovery. Singh emphasized that it’s now time to include routers/WIFI/APIs in your security posture if it wasn’t already part of it. I came away with a new appreciation for the topic.

One of the last talks I attended was presented by Enno Rey on the evasion of high-end IDPS devices in IPv6.

IPv6 is a mess, and fragmentation rules leave a hole. Visit www.langsec.com – this wasn’t taken into account when writing the IPv6. They managed to evade all four tested IDPS devices easily, and Cisco bungled disclosure pretty badly it sounded like. One of the researchers behind this just handed in his thesis on this issue, which obviously is a big thing. Congratulations to them! Also, ERNW seems to be one of the IPv6 research-hotspots on the planet, and I can only recommend following their research actively.

Day 2 was followed by a speakers dinner, but as I was not a speaker and the wifey wanted to go to yoga, I left early.

Day 3

Let’s get right into the presentations this time, shall we?

First up was “Scanning 0/0,” a talk presented by Mark Schloesser from Rapid7. There are several players active in this area of Internet-wide scanning, including shadowserver, the University of Michigan, shodan, and Erratasec. They all use specific tools, such as nmap, masscan, zmap. Those tools enable entities to scan the entire internet in 45 minutes from 1 machine with 1 gb/s.

Schloesser talked a bit about “The Internet Census 2012” – the guy who hacked 400,000-500,000 devices that had standard passwords and used them to scan the entire internet for all ports and banners. A little history on worldwide vulnerabilities was presented. IPMI, UPnP, and NTP were all covered. Schloesser emphasized the fact that Rapid7 has always been paying attention to these issues.

There are currently around 10k routers with no telnet password at all; you’re just logged in as admin per default upon connecting. There are also devices with SNMP strings with username/pw in string, which include Windows command shell access applications/devices, Linux root shells applications/devices (3k vulnerable of each), web-based license plate readers, and serial port readers — all of them devices that make network disabled devices into network enabled devices.

Rapid7 is running a “scan all the things” project to raise awareness of these and other issues. It’s a big data collection project.

Saumil Shah presented next on “Hacking with pictures.” Shah is focused primarily on offensive security; he researches how attackers are able to deliver exploits and slip under/avoid the radar. Attackers are able to avoid detection using JS obfuscation, broken file formats, OLE embedding, split code across JavaScript and actionscript, and spreading the payload. (Loading resources from different places hides it from security tools.)

Shah then went on to show how we can use CANVAS to pull out characters from a picture and reassemble it as JavaScript hidden inside the picture. First, he presented a perfect PNG file and a perfectly valid piece of JavaScript. It’s a polyglot method like angecryption. Then came demo time. Shah presented a picture of a cat with JavaScript showing the current time. (The time updated on every click or refresh.) He also announced that he had found out how to do it with JPGs. JPEG is more powerful for hiding stuff, after all. He ultimately broke it thanks to EXIF in IE 9 and above using Canvas for exploit dev and heap spray through Pixel arrays. Calc.exe popped on the heap spray demo, and the exploit here would even have avoided EMET. So now any picture can be an exploit delivery. When you decouple the image file containing the exploit from the decoder file, both files are clean in the eyes of security engines. Then the decoder pulls the script out of the image file for you.

Shah then brought everything together with three images on a page. The heap spray only started when the user moused over the third picture; the other two were safe.

So what does this mean? Now payloads can go back in time, meaning that time travel — at least from a security standpoint — has almost become possible. Send a target a picture with an exploit, and it does nothing by itself. But then you push them the decoder, which is also safe, which creates a get 304 (data already present), and boom!

This attack vector will work in the wild, so it is reasonable to expect that we will see instances of it pretty soon.

But how do you defend against something that is not limited to just browsers but implicates anything that parses images?

This ought to be a wakeup call for browser security guys. After all, why should a JavaScript file load with a picture?

Next up were Paul Rascagneres and Eric Leblond, who presented on “D&D of malware with exotic CNC.”

The researchers went through various malware and interesting exfil methods and then showed how to detect and/or block using Suricata (YAY For defenses). Feasible methods include:

1. Named pipes from a non-Internet connected machine.
2. DNS, such as FrameworkPOS being used in the Home Depot breach. (A funny detail was revealed here. A bad guy implemented his malware with double XOR obfuscation. That gives plaintext.) To block this using Suricata, you find DNS exfil via LUA. When the fast pattern matches, then you do a deep check.
3. Steganography methods, i.e. Uroboros hid data in image files. Suricata provides no direct detection options, but when it comes to saving image files and manually inspecting them, iNotify is your friend.

Humans always beat magic boxes, as Paul said during his presentation.

Dominique Bongard then presented on “weak random number generator in WPS external pin protocol implementations.” His presentation went through some history of WPS, attacks, and why it’s insecure. A static WPS pin is very insecure due to pin re-use. A brute force attack on the pin has already been demonstrated in other conference presentations. What’s new this time is that actors can launch an offline WPS attack.

The next part of Bongard’s presentation consisted mainly of basic mathematics applied to crypto unknown variables. 2 constants (E-S1 and 2) are generated with PRNGs, which are often weak pseudo random generators. Can we recover the state of the PRNGs? Yes, you can recover the state and brute force the PIN, so you’re on the router in very little time (24-bit brute force). In Ralink, E-S1 and 2 are 0x0 = 0. The vulnerabilities can be widespread in WPS implementations, so Bongard contacted some vendors about his research. His efforts did not yield any productive results. Indeed, it is shameful how the security industry still isn’t able to handle disclosures from researchers.

Broadcom, Ralink, Cisco were all bad contacts. The WiFi alliance did actually contact him regarding how he should have done the incident reporting/disclosure, but then he never heard back.

Vendors use easily sniffed info like MAC addresses for generating random numbers, which is never a good idea. The takeaway? Disable WPS on all APs; disabled firmware is the only secure way, I guess.

Following Bongard’s presentation, Glib Pakharenko discussed “Cyber attacks during the revolution in Ukraine and the war with Russia.”

Cyber attacks were common before the revolution, but as Glib reveals, things changed once the revolution started. Malicious traffic was rerouted out of Belarus and Cyprus instead of Ukraine, causing an unprecedented drop in the global attribution of attacks to Ukraine IPs. But ultimately it was just rerouted and not gone. Banks and corporations supporting the revolution were attacked, and police confiscated servers, computers, and phones to gain access to protestor social media accounts. PSTN phones were not working in some areas, and the opposition main TV channel was taken offline. Also, massive DDoS attacks were launched against the new government directly following its establishment.

Obviously, communication channels between the Ukraine and Crimea/Russia were limited, with data and servers hosted in Crimea stolen. Russian terrorists attacked cabling infrastructure and ATMs in Kiev, with traffic re-routing into Russia for interception (BGP hijacking?). Via the coordination of its military on television, Russia was able to intercept talk (voice) traffic and media and to hack media, state, and personal accounts.

An interesting note: artillery fire was being corrected using mobile phone communication. This has in part led Ukrainians to fear everything made in Russia, including Kaspersky Internet Security suites.

At this point in his talk, Glib shared a plea with us. He urged us to send cheap and efficient ideas for national cyber security to his email. If you have ideas, reach out to Glib. You can find his email in the talk-2014 Hack.lu archive.

Next a few lightning talks took place. My take here is brief for some, for I was talking to some nice people.

First up, a debugging tool called Radare2 was presented. It seemed similar to IDA in what it does.

Bettercrypto announced the public availability of IntelMQ manager – a tool to enrich and visualize data. (Remember the motto – always Open Source!)

I distinctly recall Maximilian Hils presenting “miTM proxy – mitmproxy the man-in-the-middle HTTPS proxy.” This is a very flexible proxy in that it can perform upstream proxy, reverse proxy, and transparent proxy. Batteries are included, with client server replay, replacement patterns, and TCP generics available.

Eric Leblond also presented. His talk addressed SELKS, an installable and live ISO based on Debian live. In essence, it is a Suricata configured and manageable via a web interface. Nice that it is helping to make Suricata more accessible to the community in general. Definitely need to try it out.

Next up was a presentation by Didier Stevens: “Detecting security cameras with an IR camera.” I apologize, but I wasn’t paying a lot of attention here.

Following Stevens, Amihai Neiderman presented “How I hacked my city.” Neiderman found a weird free WiFi access point once while travelling. This WiFi and its website led to a company that had an allegedly “unbreakable VPN” product among a host of other products (Cue: Challenge to a researcher/hacker). Neiderman accepted the challenge. He started downloading and reversing firmwares to see what he could find. A lot of work later, he received access to parts of firmware and started looking for vulnerabilities. He eventually found one, at which point he wrote an exploit and set up a test system. But the test didn’t work, for it needed to use a larger HTTP header than is usually allowed in order to deliver it. Too bad.

Neiderman at this point started over again. A new search revealed a new vulnerability, which led to a new exploit being successfully proven. He then responsibly disclosed the exploit to the company, who handled it nicely and wondered how anyone could break their XOR encryption.

At one point, a Ukrainian hacker contacted him in an attempt to obtain the exploit!

Neiderman’s talk was followed by Francisco Falcon’s presentation on “Breaking out of virtualBox through 3d acceleration.” The Oracle VirtualBox hypervisor was broken into during this presentation. It was a very technical presentation of how he discovered several 0days in the Chromium server and in VirtualBox. Non-ASLR modules, he noted, can be relocated, so you cannot always trust that they are in a static address. He conducted a new exploit search and found one with full ASLR bypass. After figuring out a way to heap spray (second vulnerability), he was able to use the first vulnerability, control two fields of a structure, and read the memory on the hypervisor. Then he got control of a pointer directing to a known address which he leaked to the guest side using the established controlled buffer. This gave him the ability to calculate the address of the Chromium server DLL and allowed him to build the ROP chain to break out of the guest!

The demo worked; the calc.exe popped.

With regards to reducing the risk of a VM breakout, Falcon suggested the following:

– Run EMET on host
– Remove VirtualBox guest additions
– Reduce guest/host integration features

This means you essentially give up usability for security. VirtualBox added the Chromium library to the hypervisor without even thinking about its security. But as we know, you must always think in security! Security by design/default is the end goal. Never forget that, people!

Next up was Sebastian Garcia, who presented “On botnets behavioral patterns in the network: How are we detecting malware?” His talk dealt with analyzing both the binaries and the network traffic. Currently, there are 39 products in the market that do this. But what is working? Few machine learning approaches exist, and anomaly detection especially may not work at all or only under specific circumstances. How long does an indicator sit in a threat intel feed?

A lot of things are not working in machine learning, including algo descriptions and decently labeled datasets. Also, there is a lack of good evaluations in real environments, the results depend on the dataset and metrics, and generalization is very difficult. Garcia presented a very good graph of botnet CnC traffic and how it can develop over time.

His proposal: we need to deal with this complexity by analyzing and dealing with each single connection, that is, by defining a connection as a type of traffic connected with a certain type of action.

He then presented the 4-tuples method, which simply aggregates NetFlows by ignoring the source port. It extracts three features from each of these NetFlows, and from this data it’s possible to compute a state for each NetFlow. Traffic patterns when 4-tupled are different between a normal PC/server and a botnet PC. The state of the connection is important, but also the transitions between states may give even more information. It is therefore recommended that one matches the stored and trained models to new data streams in order to reliably detect malware/botnets.
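The 4-tuple aggregation described above, sketched as an added example (not Garcia’s code and not part of the original post): flows are grouped by source IP, destination IP, destination port and protocol, each flow gets a state from three features, and state transitions are counted. The post does not name the three features or any thresholds, so the features used here (periodicity, size, duration), their cut-offs and the flow records are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records (not real traffic):
# (start_s, src_ip, src_port, dst_ip, dst_port, proto, duration_s, bytes)
FLOWS = [
    # 10.0.0.10 contacts one service about every 60 s, new source port each time.
    (0,   "10.0.0.10", 49152, "203.0.113.5", 443, "tcp", 0.4, 310),
    (60,  "10.0.0.10", 49153, "203.0.113.5", 443, "tcp", 0.4, 305),
    (120, "10.0.0.10", 49154, "203.0.113.5", 443, "tcp", 0.5, 312),
    (181, "10.0.0.10", 49155, "203.0.113.5", 443, "tcp", 0.4, 308),
    (240, "10.0.0.10", 49156, "203.0.113.5", 443, "tcp", 0.4, 311),
    # 10.0.0.20 talks to a web server at irregular times with varying sizes.
    (3,   "10.0.0.20", 50000, "198.51.100.7", 443, "tcp", 2.0, 48000),
    (9,   "10.0.0.20", 50001, "198.51.100.7", 443, "tcp", 0.3, 900),
    (95,  "10.0.0.20", 50002, "198.51.100.7", 443, "tcp", 12.0, 250000),
    (100, "10.0.0.20", 50003, "198.51.100.7", 443, "tcp", 0.2, 700),
    (400, "10.0.0.20", 50004, "198.51.100.7", 443, "tcp", 5.0, 15000),
]


def aggregate(flows):
    """Group flows by (src_ip, dst_ip, dst_port, proto), ignoring the source port."""
    conns = defaultdict(list)
    for start, src, _sport, dst, dport, proto, dur, size in flows:
        conns[(src, dst, dport, proto)].append((start, dur, size))
    for key in conns:
        conns[key].sort()  # time order matters for periodicity and transitions
    return dict(conns)


def _periodicity(prev_gap, gap, tolerance=1.1):
    """'P' if two consecutive inter-flow gaps are within 10% of each other (assumed cut-off)."""
    low, high = min(prev_gap, gap), max(prev_gap, gap)
    if low <= 0:
        return "P" if high <= 0 else "N"
    return "P" if high / low <= tolerance else "N"


def _bucket(value, small, medium):
    """Map a numeric feature to small / medium / large (assumed thresholds)."""
    return "s" if value < small else "m" if value < medium else "l"


def states(conn):
    """One three-character state per flow: periodicity, size bucket, duration bucket."""
    out = []
    for i, (start, dur, size) in enumerate(conn):
        if i < 2:
            per = "?"  # two earlier flows are needed to compare gaps
        else:
            per = _periodicity(conn[i - 1][0] - conn[i - 2][0], start - conn[i - 1][0])
        out.append(per + _bucket(size, 1000, 100000) + _bucket(dur, 1.0, 10.0))
    return out


def transitions(state_seq):
    """Count state-to-state transitions (a first-order view of the behaviour)."""
    return Counter(zip(state_seq, state_seq[1:]))


def periodic_fraction(state_seq):
    """Share of flows with a defined periodicity that were periodic."""
    known = [s for s in state_seq if s[0] != "?"]
    return sum(s[0] == "P" for s in known) / len(known) if known else 0.0


if __name__ == "__main__":
    for key, conn in aggregate(FLOWS).items():
        seq = states(conn)
        print(key, seq, f"periodic={periodic_fraction(seq):.2f}")
        print("  transitions:", dict(transitions(seq)))
```

Ten distinct 5-tuples collapse into two connections here, and only the aggregated view exposes the regular 60-second rhythm of the first one; a trained model would then be matched against these state sequences rather than against single flows.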

Garcia’s botnet detection results: 78% – best 93% and FPR of 0,2% to 10%. (The best results occurred after the model was trained.)

The system was compared to three other models: CAMnEP system, BotHunter system, and BClus systems.

Is this research on par with the current security needs of the world? Or is it 10 years behind like so many others? I don’t know. The next step is behavioral IPS, where we block selected behaviors based on known models. Behavior is key to long-term detection.

Finally, Jeremy Brown and David Seidman from Microsoft presented “Microsoft vulnerability research: how to be a finder as a vendor.” Jeremy Brown has been a contributor since 2011. He likes bugs, but he also enjoys fixing things.

MSVR is the product of MS’s need to coordinate the disclosure of vulnerabilities affecting other vendors but that affect products used by or affected by MS products. They do responsible disclosure, reproduction, advice on severity to vendors, and test fixes; they only ask for credit in fixes from vendors in return.

The day ended with a researcher’s dinner arranged by one of the presenters, where I was lucky enough to be invited as a guest. This was an amazing experience. I was surrounded by technical people who possess amazing skills and insight into infosec. I obviously didn’t contribute much except for #TwitterBrain knowledge absorbed through my marathon Twitter sessions. Keeping up with a Twitter feed of 450+ following is quite a task, but it seems a necessity to be able to stay in the know.

I’d recommend the Hack.lu team to arrange something for each of the evenings of this conference since a lot of useful knowledge sharing comes also from the more informal peer-to-peer sessions. To summarize this conference, Hack.lu was a value-proposition from one end to the other for both Defenders, Researchers and Analysts. I highly recommend you sign up next year, if you have the chance. I hope my summaries of the different talks weren’t inaccurate or boring. For any mistakes I made, my apologies.

Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
