Monday, March 21, 2011

Honeynet Project : Day 1 (Public)

Efficient Bytecode Analysis : Linespeed Shellcode Detection (Georg Wicherski - McAfee)
  • GetPC sequences ((call $+5, pop r32), (fnop, fnstenv [esp+0x0c], pop r32), structured exception handling)
  • detecting shellcodes (static) (eg: markov chains)
  • detecting shellcodes (getpc + backtracking + emulation)
  • libscizzle : identification of possible getpc sequences, bruteforce possible starting location around sequence, use efficient sandbox
  • libscizzle Code Execution (disassemble guest code, execute one basic block at a time, emulate all other instructions, handle exceptions)
  • Performance of libscizzle : 99 MiB/sec to 795 MiB/sec, 1000x faster than libemu
  • Evaluation of libscizzle : no false positives, no false negatives
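As an added illustration (not code from the talk or from libscizzle), the two GetPC idioms listed above written as static byte signatures, followed by the window of entry points an emulator would then brute-force around each hit. The 32-bit x86 encodings, the register table and the sample buffer are my assumptions; the SEH-based GetPC variant is left out because it is not recognisable by a byte scan.

```python
import re

# pop r32 is a single opcode 0x58..0x5F; index = opcode - 0x58 (assumed 32-bit x86).
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# Static signatures for the GetPC idioms named in the notes (constructed here).
GETPC_SIGNATURES = (
    # call $+5 (E8 00 00 00 00) then pop r32: the pushed return address is
    # the address of the pop itself, so the register now holds "PC".
    ("call $+5 / pop r32",
     re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])")),
    # fnop; fnstenv [esp+0x0c]; pop r32: fnstenv writes the address of the
    # last FPU instruction (the fnop) to the slot the following pop reads.
    ("fnop / fnstenv [esp+0x0c] / pop r32",
     re.compile(rb"\xd9\xd0\xd9\x74\x24\x0c([\x58-\x5f])")),
)


def scan_getpc(buf: bytes):
    """Return sorted (offset, idiom, register) tuples for every GetPC hit."""
    hits = []
    for name, rx in GETPC_SIGNATURES:
        for m in rx.finditer(buf):
            reg = REGS[m.group(1)[0] - 0x58]
            hits.append((m.start(), name, reg))
    return sorted(hits)


def candidate_entry_points(buf_len: int, hit_offset: int, window: int = 32):
    """Offsets an emulator would try as shellcode entry points around a hit.

    Mirrors the brute-force step in the notes: the GetPC idiom is rarely the
    first instruction, so every start in +/- window is worth emulating.
    """
    return range(max(0, hit_offset - window), min(buf_len, hit_offset + window))


# Constructed sample: filler, a real GetPC (call $+5; pop ebx), a call with a
# non-zero displacement that must NOT match, then the fnstenv idiom (pop edi).
SAMPLE = (b"A" * 16
          + b"\xe8\x00\x00\x00\x00\x5b"
          + b"B" * 8
          + b"\xe8\x10\x00\x00\x00\x58"
          + b"\xd9\xd0\xd9\x74\x24\x0c\x5f"
          + b"C" * 4)

if __name__ == "__main__":
    for off, idiom, reg in scan_getpc(SAMPLE):
        starts = candidate_entry_points(len(SAMPLE), off, 8)
        print(f"offset {off:#06x}: {idiom} -> {reg}; try entries {starts}")
```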
High performance packet sniffing and traffic mining (Tillmann Werner)
  • pcap file format (straight-forward file format)
  • packet drops (sniffer too slow, lost information cannot be recovered), sniffing performance
  • multicap : minimize memory allocations, no system calls to get packet timestamps, memory-mapped dump files
  • streams : reassembly of TCP streams
  • tools available @
Reversing android malware (Mahmud Ab Rahman)
  • Dalvik VM : register-based
  • Dex file format (odex : optimized dex)
  • infection methods : remote install (victim's gmail credential is required, browser market and install)
  • dex (baksmali)-> class (jad)-> java
  • SMS.trojan : oldest android malware
  • Geinimi : infecting legitimate software, C&C server, encrypted data, steal data
  • DroidDream : infecting legitimate software, android official market
  • Need new tools (GSOC Honeynet ?)
VOIP Security (Sjur Usken and Ben Reardon)
  • SIP, request and response type, same familiar status codes as HTTP
  • Major difference between SIP and HTTP (in SIP, all devices are both server and client)
  • used to connect to the PSTN network
Glastopf - Looking for trouble ? (Lukas Rist)
  • Web application honeypot
  • collecting attacks
  • gain intelligence

Sunday, March 20, 2011

iAWACS 2011

Hi !!

The CFP of iAWACS 2011 is here.

This year, we have 2 challenges :
  • LibPerseus challenge. A file protected by the PERSEUS technology will be proposed for analysis. The aim is to recover the underlying file. Award 3000 euros.
  • Forensics challenge. The content of an Android phone will be given (as an iso image). In the tactical context of a terrorist attack being prepared, the aim will be to discover the critical information about this attack in order to make it fail. Award 5000 euros.

See ya !

Friday, March 18, 2011


Following the Stuxnet conference (see previous post in March), a number of follow-ups and reactions have appeared, with interesting feedback from various speakers (e.g. Jeffrey Carr). You will find everything here. You can also read a report in the Globes online journal.

I do not agree with Jeffrey Carr's comments, at least some of them. He seems not to be aware of how the hacker community thinks, works and shares things. More concerning, he seems to ignore most of the operational stuff involved in designing and deploying real attacks.

However, the exchange of ideas was great. Thanks to him and to the organizers of this event.
Have a nice day

Tuesday, March 15, 2011

Friday, March 11, 2011

Feedbacks from CanSecWest 2011


CanSecWest 2011 is nearly over. It is a very exciting place for hacking stuff. Without doubt it is one of the very few hacking events that everyone concerned with operational IT security should attend. Thanks to Dragos and all the SecWest team. Perfect job, and the party.... waouuuh what a party!!!! Just the kind of pure moment of pleasure that makes working hard on technical stuff during the year worthwhile.

As usual the technical program is rich and of a very high level. But no comment can replace reading the slides of the different talks. One of the strong points of CanSecWest, to me, lies in the fact that the attendees are not just passive. They ask questions and are really interested. So sharing and exchanging ideas has been intense and constructive.

After my talk on Dynamic Cryptographic Backdoors, I had very interesting feedback from OpenBSD developers. Regarding the second technique I presented (patching and modifying encryption algorithms in memory to weaken them on-the-fly), they made a very interesting comment about encryption systems like Blowfish or Twofish. These two algorithms have some sort of polymorphism that makes it almost impossible to use S-box signatures. Well, it is partly true, but using some local entropy measure should help to locate the areas to patch (or special functions like the PHT).

But it is sure that this is a challenging problem. So we are going to address the particular case of Blowfish and Twofish. So to be continued...

From that exchange I draw the conclusion that a "polymorphic design" in cryptographic algorithms provides more security against applied cryptanalysis techniques like the one I have presented. In this respect, aside from the fact that Twofish was not significantly weaker than Rijndael (damned academic research!), I am more than ever surprised that NIST did not select Twofish.


Wednesday, March 9, 2011

Voting machine attack


Here is a prospective paper describing an unconventional yet efficient attack against voting machines, perverting the precautionary principle.
Paper here.
Have a nice reading


Monday, March 7, 2011

Saturday, March 5, 2011

CanSecWest 2011

Hi to all

I will give a talk at CanSecWest 2011 in Vancouver (a very nice one, among the best hacking conferences) entitled "Dynamic cryptographic trapdoors". Here are the conference abstracts.

Come and learn how to
  • make data escape from {vpn, ipsec, tor...}-protected networks
  • dynamically weaken strong cryptosystems for a limited period of time only (dynamic trapdoors) to enable easier cryptanalysis
  • imagine and implement mathematical trapdoors as well.
Have a nice week end

Stuxnet conference

Hi to all / hello everyone

Here is the video teaser of the Stuxnet conference on March 8th, 2011.

Here is the video announcement of the Stuxnet conference in Paris on March 8th, 2011.