Hello Readers, here is my wrap-up of the second day. Usually, the second day is harder in the morning due to the social events but, at TROOPERS, they organize the hacker run started at 06:45 for the most motivated of us. Today, the topic of the 3rd track switched from SAP to Active Directory. But I remained in track #1 and #2 to follow a mix of offensive vs defensive presentations. By the way, to have a good idea of the TROOPERS’ atmosphere here is their introduction video for 2018:
 As usual, the second day started also with a keynote which was assigned to Rossella Mattioli, working at ENISA. She’s doing a lot of promotion for this European agency across multiple security conferences but it’s special with TROOPERS because their motto is the same: “Make the world (the Internet) a safer place”. ENISA’s rule is to remove the gap between industries, the security community and the EU Member States. Rossella reviewed the projects and initiatives promoted by ENISA like the development of papers for all types of industries (power, automation, public transports, etc). To demonstrate the fact that today, the security must be addressed at a global scale, she gave the following example: Think about your journey to come to TROOPERS and list all the actions that you performed with online systems. The list is quite long! Another role of ENISA is to make CSIRT’s work better together. Did you know that they are 272 different CSIRST’s in the European Union? And they don’t always communicate in an efficient way. That’s why ENISA is working on common taxonomies to help them. Their website has plenty of useful documents that are available for free, just have a look!
After a short coffee break and interesting chats with peers, I move to the defensive track to follow Matt Graeber who presented “Subverting trust in Windows”. Matt warned that the talk was a “hands-on” edition of his complete research that is available online. Today’s presentation focuses more on live demos. First, what is “trust” in the context of software?
  • Is the software from a reputable vendor?
  • What is the intent of the software?
  • Can it be abused in any way?
  • What is the protection status of signing keys?
  • Is the certificate issuer reputable?
  • Is the OS validating signer origin and code integrity properly?
Trust maturity level can be matched with enforcement level:
Trust Maturity Levels
But what is the intent of code signing? To attest the origin and integrity of software.  It is NOT an attention of trust or intent! But, it can be used to enforce the mechanism for previously established trust. Some bad assumptions reported by Matt:
  • Signed == trusted
  • Non-robust signature verification
  • No warning/enforcement of known bad certs
One of the challenges is to detect malicious files and, across millions of events generated daily, how to take advantage of signed code? Signature can be valid but the patch suspicious C:\Windows\Tasks\notepad.exe)
A bad approach is to just ignore because the file is signed… Matt’s demonstrated why! The first attack was based on the subject Interface package hijacks (attack the validation infrastructure). He manually added a signature to a non-signed PE file. Brilliant! The second attack scenario was to perform a certificate cloning and Root CA installation. Here again, very nice but it’s more touchy to achieve because the victim has to install the Root CA on his computer. The conclusion to the talk was that even signed binaries can’t be trusted… All the details of the attacks are available here:
Then, I switched back to the offensive track to listen to Salvador Mendoza and Leigh-Anne Galloway who presented “NFC payments: The art of relay and replay attacks“. They started with a recap of the NFC technology. Payments via NFC are not new: The first implementation was in 1996 in Korea (public transports). In 2015, ApplePay was launched. And today, 40% of non-cash operations are performed over NFC! Such attacks are also interesting because the attacker can gain easily some money, banks are accepting the risk to lose a percentage of transactions, some limits on the amount are higher in other countries and finally, there is no additional card holder identification. The explained two types of attacks: the replay and relay. Both are based on RFC readers coupled with Raspberry devices. They tried to perform live demos but it failed (it’s always touchy to play live with NFC). Hopefully, they had pre-recorded videos. Demos are interesting but, in my opinion, there was a lack of details for people who don’t play with NFC every day, just like me!
After the lunch, Matt Domko and Jordan Salyer started the last half-day with an interesting topic: “Blue team sprint: Let’s fix these 3 thinks on Monday”. Matt presented a nice tool last year, called Bropy. The idea was to automatically detect unusual traffic on your networks. This year, he came back with more stuff. The idea of the talk was: “What to do with a limited amount of resources but in a very effective way?“. Why? Many companies don’t have the time, the stuff and/or the budget to deploy commercial solutions. The first idea was to answer the following question: “What the hell is on my network?”. Based on a new version of his tool, rewritten in Python3 and now supported IPv6 (based on last year comments). The next question was: “Why are all my client systems mining bitcoin?”. Jordan explained how to deploy AppLocker from Microsoft to implement a white-list of applications that can be executed on a client computer.  Many examples were provided, many commands based on PowerShell. I recommend you to have a look at the slide when they will be available online. Finally, the 3rd question to be addressed was the management of logs based on an ELK stack… classic stuff! Here, Matt gave a very nice tip when you’re deploying a log management solution. Always split the storage of logs and the tools used to process them. This way, if you deploy a new tool in the future, you won’t have to reconfigure all your clients (ex: if you decide to move from ELK to Splunk because you got some budget).
If Matt is using Bro (see above), the next speaker too. Joe Slowik presented “Mind the gap, Bro: using network monitoring to overcome lack of host visibility in ICS environments“. What does it mean? Monitoring of hosts and networks are mandatory but sometimes, it’s not easy to get a complete view of all the hosts present on a network. Environments can be completely different: a Microsoft Windows-based network does not have the behaviour of an ICS network. The idea is to implement Bro to collect data passing across the wire. Bro is very powerful to extract files from (clear-text) protocols. As said Joe: “If you can see it, Bro can read it“. Next to Bro, Joe deployed a set of YARA rules to analyze the files carved by Bro. This is quite powerful. Then, it presented some examples of malware impacting ICS networks and how to detect them with his solution (Trisis, Dymalloy and CrashOverride). The conclusion of the presentation was that reducing the response time can limit an infection.
The last time slot for me was in the offensive track where Raphaël Vinot, from CIRCL.lu, presented “Ads networks are following you, follow them back”. Raphaël presented a tool he developed to better understand how many (to not say all) websites integrate components from multiple 3rd party providers. If the goal is often completely legit (and to gain some revenue), it has already been discovered that ads networks were compromized to distribute malicious content. Based on this, we can consider that any website is potentially dangerous. The situation today as described by Raphaël:
  • Some website homepages are very big (close to 10MB for some of them!)
  • The content is extremely dynamic
  • Dozen of 3rd party components are loaded
  • There was a lack of tools to analyze such website.

The result is “Lookyloo” that downloads the provided homepage and all its objects and present them in a tree. This kind of analyze of very important during the daily tasks of a CERT. The tool emulates completely the browser and stores data (HTML core, cookies, etc) in an HTML Archive (.har) that is processed to be displayed in a nice way. The tool is available online but a live demo is available here: lookyloo.circl.lu. This is very nice tool that must certainly be in your incident handling toolbox!


This is the end of the 2018 edition of TROOPERS… Congratulations to the team for the perfect organization!