Hack.lu 2015

Posted by   Virus Bulletin on   Nov 2, 2015

Great research presented in a stimulating environment.

I had heard many good stories about previous Hack.lu conferences, so I was excited this year to finally be able to make it to Luxembourg itself, where the conference took place in a hotel just outside the country's eponymous capital.

With more than 400 people in attendance, the conference has become one of Europe's bigger security events, but it still managed to feel informal, friendly and welcoming. Wearing my VB Editor's hat, it was also nice to see a number of Virus Bulletin authors and speakers presenting their research at the conference.

Hack.lu is primarily a single-stream event, but there were a number of workshops taking place in parallel with the main stream. I only attended one of these, by Didier Stevens, in which he explained how to use his popular oledump.py tool for analysing potentially malicious Office documents.

Unsurprisingly, there were several talks on Internet-connected devices, including one by Axelle Apvrille, who talked about her research into Fitbit trackers. Although her proof-of-concept of using a tracker to crash a computer it was connecting to received quite a bit of media attention, I was more intrigued by the idea of using such a device to automatically lock a computer when you walk away from it.

The two keynotes also looked at the subject of IoT. In the first of them, Paul Rascagnères looked at the possibilities of hacking (often Internet-connected) devices, a session which included the presentation of the world's first Internet-connected underwear and, much to the audience's bemusement, looked at the possibilities of hacking certain adult toys.

The second keynote, by Marie Moe on medical device security, was more serious. This is a popular topic, yet also one that can easily turn into rather unrealistic horror scenarios. For Marie, however, the subject is very important: she herself wears a pacemaker. "The Internet of Medical Things is real", she said, "and my heart is wired into it." Marie explicitly urged hackers to look for vulnerabilities in medical devices, thus helping to make them more secure.

  Marie Moe on stage. Photo: Claus Cramon Houmann.

Another interesting presentation was given by Saumil Shah, who promised to show us a way to serve a browser exploit with just one image. This sounded far-fetched, but actually wasn't: textbook steganography was used to hide well-known exploit code inside an image file, which was then modified so that its visible content didn't change, yet at the same time it became an accepted HTML file (which, through JavaScript, triggered the exploit) that was accepted by all major browsers.

Saumil's goal, of course, wasn't to tell us how to serve browser exploits more effectively, but rather to warn about the dangers of the second part of Postel's law: being liberal about what 'errors' you accept in content provided by others, while sounding nice in theory, can have pretty serious consequences.

Later, Ange Albertini re-emphasized the same point. Ange gave an interesting talk on his favourite subject, that of 'polyglots': files that can be opened as more than one file type, like Saumil's example of an image that is also an HTML file or, as Ange and Axelle Apvrille had shown at Black Hat Europe last year, an image that is also an Android package file. While a nice ingredient for CTFs and other kinds of puzzles, polyglots could also be used to bypass security measures.

The subject was also touched upon briefly in a more theoretical presentation by Jacob Torrey on Crema, a programming language inspired by the LangSec principles, the idea behind which is that programmers are going to make mistakes, so the language should reduce their chances of doing so and also reduce the damage caused by mistakes once they are made — and that includes file parsers being more strict about how they treat external input.

Several talks, rather than look forward to possible future attacks and solutions, looked back at what has already happened. Marion Marschalek, Paul Rascagnères and Joan Calvet spoke about the 'cartoon' malware family, which has been linked to French intelligence. Marion had presented some of this at VB2015, but as it is a fascinating subject, I didn't mind seeing it again.

Dhia Mahjoub spoke about using DNS 'big data' to track exploit kits and the companies hosting them. This was essentially an updated version of the paper he presented at VB2014 last year and it was nice to see these methods continue to work.

  Malicious ASN leaf nodes made an appearance in Dhia Mahjoub's talk.

As the conference programme was rather full, there were a number of interesting-looking talks I sadly missed, including talks on the Android exploits used by Hacking Team, on automatic unpacking, and one on using a KVM device to bridge an air gap.

Two of the talks I made sure I didn't miss were on a subject close to my heart: the encryption (or lack thereof) of messaging protocols.

Frederic Jacobs presented an overview of the work that is being done on encrypting email and chat protocols and the many issues involved, including the lack of forward secrecy (which has been an important requirement, especially following Snowden's revelations), the fact that many messaging protocols need to work asynchronously and, perhaps most importantly of all, that encrypted messaging protocols tend to be difficult to use.

The latter shouldn't be an issue when it comes to the use of STARTTLS in email, where it is often used to encrypt the message as it travels over the public Internet, which should happen transparently to the user. However, in his talk Aaron Zauner presented the result of an Internet-wide scan of mail servers which found that many don't support encryption at all, while those that do often implement it poorly. The take-away message here was one that I have made in the past: if you send an email, unless you explicitly add encryption yourself, you should assume it is sent unencrypted over the Internet.

There was, however, a small silver lining to this talk. Aaron and his colleagues received a number of complaints following their scanning. This shows that some people do check their server logs for anomalies and thus suggests that 'noisy' attacks, such as ones requiring a protocol downgrade, are less interesting for those who desperately want to stay under the radar.

  Some people don't respond in a very friendly manner to scans of their mail server.

After three long days, I left Luxembourg with a lot of ideas for new research and a great feeling from all the kind people I met. I also left with a strong desire to come back for the 12th Hack.lu next year.

While writing this blog post ten days after the event, Xavier Mertens's conference blogs (day 1, 2, 3) were very helpful. Slides from many talks are available here.

Posted on 02 November 2015 by Martijn Grooten



Latest posts:

VB2019 paper: APT cases exploiting vulnerabilities in region-specific software

At VB2019, JPCERT/CC's Shusei Tomonaga and Tomoaki Tani presented a paper on attacks that exploit vulnerabilities in software used only in Japan, using malware that is unique to Japan. Today we publish both their paper and the recording of their…

New paper: Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

In a follow-up to a paper presented at VB2019, Prismo Systems researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting (XSS), and server‑side request…

VB2020 programme announced

VB is pleased to reveal the details of an interesting and diverse programme for VB2020, the 30th Virus Bulletin International Conference.

VB2019 paper: Cyber espionage in the Middle East: unravelling OSX.WindTail

At VB2019 in London, Jamf's Patrick Wardle analysed the WindTail macOS malware used by the WindShift APT group, active in the Middle East. Today we publish both Patrick's paper and the recording of his presentation.

VB2019 paper: 2,000 reactions to a malware attack – accidental study

At VB2019 cybercrime journalist and researcher Adam Haertlé presented an analysis of almost 2000 unsolicited responses sent by victims of a malicious email campaign. Today we publish both his paper and the recording of his presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.