Pass-The-Salt 2018 Wrap-Up Day #3

The day three started quietly (let’s call this fact the post-social event effect) with a set of presentations around Blue Team activities. Alexandre Dulaunoy from CIRCL presented “Fail frequently to avoid disaster” or how to organically build an open threat intelligence sharing standard to keep the intelligence community free and sane! He started with a nice quote: “There was never a plan. There was just a series of mistakes”.  After a brief introduction to MISP, Alex came back to the history of the project and explained some mistakes they made. The philosophy is to not wait for a perfect implementation from the beginning but to start small and extend later. Standardisation is required when your tool is growing but do not make the mistake to define your own new standard. Use the ones already existing. For example, MISP is able to export data in multiple open formats (CVS, XML, Bro, Suricata, Sigma, etc). Another issue was the way people use tags (the great-failure of free-text tagging). They tend to be very creative when they have a playground. The perfect example is how TLP levels are written (TLP:Red, TLP-RED, TLP:RED, …). Taxonomies solved this creativity issue. MISP is designed with an object-template format which helps organisations to exchange specific information they want. Finally, be happy to get complaints about your software. It means that it’s being used!
The next slot was assigned to Thomas Chopitea from Google who presented FOSS tools to automate your DFIR process. As you can imagine, Google is facing many incidents to be investigated and their philosophy is to write tools for their own usage (first of all) but also to share them. As they use the tools they are developing, it means they know them and improve them. The following tools were reviewed:
  • GRR
  • TimeSketch
  • dfTimeWolf
To demonstrate how they work, Thomas prepared his demos with a targeted attack scenario based on a typo-squatting. All tools were used one by one them investigation was performed via dfTimeWolf which is a “glue” between all the tools. Turbinia is less known. It’s an automation of forensic analysis tools in the cloud. Note that it is not restricted to the Google cloud. It was an excellent presentation. Have a look at it if you’re in the process to build your own DFIR toolbox.
After a short coffee break, a set of sessions related to secure programming started. The first one was about LandLock by Mickaël Salaün from ANSSI. Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes. After a short demo to demonstrate the capabilities, the solution was compared to other ones (SELinux seccomp-bpf, namespaces). Only Landlock has all features: Fine-grained control, embedded policy and non-privileged use. Then Mickaël dived into the code and explained how the module works. The idea is to have user-space hardening:
  • access control
  • designed for unprivileged use
  • apply tailored access controls perprocss
  • make it evolve over time

This is an ongoing research that is not yet completely implemented but it’s still possible to install and play with it. It looks promising. Then, Pierre Chifflier (@) presented “Security, Performance, which one?

The last presentation about secure programming was “Immutable infrastructure and zero trust networking: designing your system for resilience” by Geoffroy Couprie. Here is the scenario used by Geoffroy: You just got pwned. Your WordPress instance was compromised. Who accessed the server? Was it updated? Traditional operations are long-lived servers (sysadmins like big uptimes). Is it safe to reinstall the same server? They are techniques to make the server reinstall reproducible (puppet, ansible, chef, …)
The idea presented by Geoffroy: Why not reinstall from scratch on every update with an immutable infrastructure (do not modify directly a running server.  The process of image creation is based on Exherbo, they remove unwanted software, build a kernel statically. The resulting image is simple, safe and it boots in 7”. Images are then deployed via BitTorrent to hypervisors.
Machines are moving so how to reach them? Via a home-made load-balancers called “sozu”  which can be reconfigured live. A very interesting approach!
After the lunch, the topic switched the security of IoT devices. Sébastien Tricaud presented some tests he performed via honeypots mimicking IoT devices. After a brief introduction about the (many) issues introduced by IoT devices, he explained how he deployed some honeypots with results. The first example is called Gaspot. The second one is Conpot which simulates a Siemens PLC or a Guardian AST device). Interesting fact: Nmap has a script to scan such devices:
nmap —script atg-info -p 10001 <host>
Sébastien put a honeypot only for 3 months and got 5 uniques IP addresses. The second test was to accept much more connections (S7, Modbus or IPMI). In this case, he got much more hits, the first one after only three hours. The question is: are those IP addresses real attackers, bots (Shodan?) or other security researchers?
Rayna Stamboliyska was the next speaker and she presented “Io(M)T Security: A year in review”. Rayna focussed on connected sex toys but respected the code of conduct defined during the conference, no offensive content, just facts. Like any other “smart” device, they suffer from multiple vulnerabilities. And don’t think that it’s a niche market, there is a real business for connected sex toys. Rayna also presented her project called PiRanhalysis. It’s a suite of tools running on a Raspberry Pi that helps to collect traffic generated by IoT devices.
  • PiRogue collects all the traces
  • PiRahna automates install and capture
  • PiPrecious is the platform to store and version them
The last slot related to IoT was assigned to Aseem Jakhar who presented his pentesting framework called “Expl-IoT”. In was interesting but Assem started by complaining about the huge number of frameworks available and then it started his own!? Why not contribute to an existing one or just write Metasploit modules?
The last sessions were oriented to red teaming / pentesting. Ivan Kwiatkowski presented “Freedom Fighting Mode – Open Source Hacking Harness”. Already presented at SSTIC a few weeks ago. Then, Antoine Cervoise presented some cool attack scenarios based on open source hardware like Teensy devices or Raspberry Pi computers. Niklas Abel presented his research ShadowSocks, a secure SOCKS5 proxy which is… not so secure! He explained some vulnerabilities found in the tool and, last but not least, Jérémy Mousset explained how he compromized a Glassfish server via the admin interface.
The PST18 Crew
This closes the first edition of Pass-The-Salt. It seems that a second edition is already on its way at the same location and same place! The event occurred smoothly in a very relaxed atmosphere, put it on your agenda for next year because this event is free (important to remind) but the quality of talks is high!