Talks

Talks will take place on the main stage (Zone#1 : Time Square) on Saturday 2 July from 10 AM to 10:45 PM. See the planning for more information.


Keynote

at 10:00 AM

Zone 1

Louis Pouzin was born in 1931 in France. He invented the datagram (connectionless communication) and is known as one of the fathers of the internet. He graduated from École Polytechnique in Paris.

Louis POUZIN has acquired an international reputation as an expert in computer communications and network techniques. Most of his career has been devoted to the design and implementation of computer systems, such as CTSS, the first large time-sharing system at the Massachusetts Institute of Technology (MIT), or the French CYCLADES computer network and its datagram-based packet switching network. His work was used by Robert Kahn, Vinton Cerf, and others in the development of the TCP/IP protocols of the Internet.

Besides his capacity for leading teams of top professionals, he is known internationally for his participation in early network standardisation activities within IFIP, ISO and CCITT (now ITU-T), and for his numerous publications, many of which have become educational material in network courses. As a lecturer, he is especially appreciated for presenting complex subjects in clear and understandable terms.

He has published more than 80 articles and a book on computer networks and has received various awards, among them the IFIP Silver Core, ACM SIGCOMM, IEEE Internet, ISOC Hall of Fame, and Chevalier of the Légion d’Honneur. Louis was one of five Internet and Web pioneers awarded the 1st Queen Elizabeth Prize for Engineering (QEPrize). The UK government initiated the QE Prize as a companion to the Nobels to raise the profile of engineering. On 25th June, 2013, he received his award from Her Majesty Queen Elizabeth II at Buckingham Palace.

In 2012, he founded with Chantal Lebrument an alternative root company called Open-Root, offering a new business model for the management of top level domain names (TLDs), independently of ICANN. TLDs are sold, not rented, and cannot be seized by the US FBI.

Still an activist in the field of internet governance, Louis is a regular in the World Summit of the Information Society (WSIS), on the side of an internet for people instead of transnational monopolies.

with Louis POUZIN

Louis POUZIN

Windows 10 - Security and Privacy

at 10:45 AM

Zone 1

We started our research by looking at what legal rights Microsoft has over our data. Reading the terms of use is often seen as a chore: people accept them and pay no attention to them. However, their contents can sometimes be interesting and hide important information. In this part we talk about what data are collected and the danger for us in disclosing them. What power does Microsoft have over our data?

If there is a privacy issue in Windows, there will be communications. This is why we thought that analyzing network streams was a good idea. We will mainly talk about our setup and what we found while examining those streams.

A brief explanation of how an SSL MITM works, for those who don’t know. This will explain how we set up our environment to study Windows communications.

We decrypted some SSL packets and found that the data was not anonymized at all. Each user of a computer gets an identifier used in different Windows 10 tools (Cortana, online searches, etc.). We were not able to decrypt every packet. We don’t really know why; it seems that Windows detected our MITM, bypassed it, or did not accept using another certificate.

After the Windows 10 release, some developers wanted to preserve their private life and decided to create software to automatically block all Microsoft IP addresses and DNS names. The database of their software must be updated regularly. Some programs offer more options, such as uninstalling Metro applications or updates.

Looking at the different kinds of existing solutions, we chose to spend some time analyzing the most used one (DWSLite). Being open source, we went through its code and found some disturbing modifications it applies to the system.

Rather than blocking all services, why not confuse and fool Microsoft about our profile? Users can then continue to use the service without being profiled. The idea is to send a lot of confusing data, so the real data is merged among the large number of requests made. We decided to build a proof of concept on one service: Cortana (it could have been done with another service, such as the diagnostic one). The software we developed is named CortaSpoof. This software continuously sends random expressions to the Bing server.

with Thomas AUBIN

Thomas AUBIN

Currently in my fourth year at the French engineering school ESIEA, specialized in information systems. I am a student researcher at the CVO (Operational Cryptology and Virology) laboratory. I have done research on Windows systems and in automotive security. I really discovered the world of computer security during my first year at ESIEA through classmates and projects. I want to work in security audit or develop secure applications.

with Paul HERNAULT

Paul HERNAULT

I am a 22-year-old French student at ESIEA - Graduate School of Engineering in Laval (France), which is oriented towards IT security.

I have been working closely with the CVO laboratory for some years now. This year we conducted research on the new Microsoft operating system, Windows 10. Our main goal was to determine whether or not Windows 10 was that intrusive in our private life, what data it is collecting about us and how it is doing it.

I am currently in an internship at the NECST Laboratory (Italy) with the aim of working in the field of malware analysis or exploit research and development. I often play CTF games, struggling with the steganography challenges for days. This will be my first conference, so be nice!


Tails - Security, Maintainability and Usability, pick three!

at 11:30 AM

Zone 1

Tails is an amnesic incognito live operating system that aims at preserving your privacy and anonymity by forgetting everything you have done once it is turned off, and by routing everything through Tor.

For seven years, Tails has been used and advocated by a wide range of people, including Edward Snowden and Laura Poitras. Called a "major threat" by the NSA, with more than half a million boots per month, outliving other privacy-oriented distributions, Tails has long been a big player in the security-for-the-masses game, and is here to stay! But how does this project make itself accessible, usable and appealing to non-technophile users, while maintaining a good level of security and privacy?

While it's quite easy to make a secure pet project for a small group of technical friends, it is completely different when it comes to making it usable for a really big set of different people, and keeping it running for years.

This is what we'd like to talk about: how the Tails team manages to combine security for its users, usability, and keeping the boat afloat. And also a few cool tricks about Tails and opsec ;)

We'll talk about unit-testing a whole live CD, getting everything translated, nation-state adversaries, handling support on a 24/7 schedule, making contributors build a complete distribution, and keeping up with emergency security updates while ensuring complete transparency about everything.

with Julien VOISIN

Julien VOISIN

Julien Voisin was a contributor to Tails; he now mostly does support and audit for the project.

Infosec consultant by day, exploit writer by night, he's also a contributor to the radare2 project and gave several talks about it.

with Jérôme BOURSIER

@fr33tux
Jérôme BOURSIER

Jérôme Boursier (fr33tux) is still a student, a sysadmin at heart, running several high-speed Tor nodes with jvoisin (both are part of Nos oignons, a French organization dedicated to running Tor exit nodes in France).


Microservices hacking & security

at 12:15 PM

Zone 1

We will review:

  • what microservices are (breaking the monoliths; the word "microservice" only became popular after November 2013)
  • the technologies behind microservices (docker, lxc, rkt, kubernetes and co...): the kernel technologies behind microservices and the orchestration solutions
  • strengths and weaknesses of microservices from a security perspective: why they can help you harden your infrastructure, but also why they are harder to secure...
  • pentest strategies for microservices: how to organize an audit, what to look for, what to expect

with Fabien KERBOUCI

Fabien KERBOUCI

Fabien KERBOUCI is a former hacker, a The Hackademy & NDH member, and currently working as associate manager for OpenSense, a fintech company developing financial and core banking 2.0 microservices.


A Dozen Years of Shellphish, from DEFCON to the DARPA Cyber Grand Challenge

at 2:00 PM

Zone 1

Shellphish is a group of security enthusiasts born at the University of California, Santa Barbara (UCSB) in 2004. Since then, Shellphish has played countless Capture the Flag (CTF) security competitions, winning the DEFCON CTF finals in 2005 (and the Nuit du Hack CTF Quals in 2016).

In 2015, Shellphish enrolled in the DARPA Cyber Grand Challenge (CGC). Unlike other security competitions, in which humans have to solve security challenges (such as exploiting binaries or web services), in the CGC participants have to build an automatic system that solves them! In particular, teams have to build a system that is able to automatically find vulnerabilities in binaries, exploit them, and patch them, without any human intervention.

In this talk we will present the system we developed to participate in the CGC. Our system scored among the top 7 teams during the qualification event of the CGC, qualifying us for the CGC final event and winning a $750,000 qualification prize. During the talk, we will also introduce how we are preparing for the CGC final event, which will be held in August 2016 in Las Vegas. During this event, qualified teams will compete against each other to win a first-place prize of $2 million (and eternal bragging rights).

Part of the system we developed is based on angr, the open source binary analysis framework developed at UCSB. During the talk we will demo angr, showing how it can be used to automatically find vulnerabilities in binaries.

with Antonio BIANCHI

@_antonio_bc_
Antonio BIANCHI

Antonio Bianchi is a PhD student at UCSB (University of California, Santa Barbara), working, under the supervision of professors Christopher Kruegel and Giovanni Vigna, in the Computer Security Group (seclab).

He worked on different projects about mobile security and he is also very interested in anything related to reverse engineering and low-level binary analysis. He played many different CTF security competitions as a member of the Shellphish hacking group, qualifying multiple times for the DEFCON CTF and, recently, for the DARPA Cyber Grand Challenge.


Security review of the ZigBee protocol of a French TV set-top box

at 2:45 PM

Zone 1

ZigBee protocol is widely used for home automation and remote control operations. However, the protocol design and common implementations suffer from several vulnerabilities.

We will talk about the ZigBee (based on the IEEE 802.15.4 standard) and ZigBee RF4CE security designs (the latter being popular in the USA) and review the security implementation of a well-known set-top box, using different commercial and home-made tools. We will focus in particular on various security mechanisms such as key exchange, authentication and encryption.

We will see that ZigBee's main practical vulnerability is the lack of a secure key-exchange scheme, and assess how easy it is for an attacker to intercept and use the key. We will talk about the associated risks and best practices in this field. The goal of the talk is to sketch the minimal security basics for IoT devices and recommendations for future protocols.

Keywords: IoT, ZigBee, IEEE 802.15.4, RF4CE, home automation, set-top box, security

with Renaud LIFCHITZ

Renaud LIFCHITZ

Renaud Lifchitz is a French senior IT security consultant. He has a solid penetration testing, training and research background.

His main interests are protocol security (authentication, cryptography, protocol security, information leakage, zero-knowledge proof, RFID security) and number theory.

He currently mostly works on wireless protocol security and has spoken at the following international conferences: CCC 2010 (Germany), Hackito Ergo Sum 2010 & 2012 & 2014 (France), DeepSec 2012 (Austria), Shakacon 2012 (USA), 8dot8 2013 (Chile).


An In-Depth Dive into the Ethereum Protocol

at 3:30 PM

Zone 1

This talk will attempt to familiarize the audience with what Ethereum is and how it achieves its mission of being both a decentralized ledger protocol and a platform for smart contracts.

We will have a short introduction to the basic concepts of Ethereum and then take a deep dive into the core Protocol and its Virtual Machine.

We will keep going by talking about what happened with the hack of Ethereum: how the DAO has been taken down, what has been compromised and how we are working to fix everything.

with Lefteris KARAPETSAS

@lefterisjp
Lefteris KARAPETSAS

After graduating from the University of Tokyo, Lefteris developed backend software for companies such as Oracle.

He has been part of Ethereum as a C++ core developer since November 2014, having worked on Solidity, the ethash algorithm, the core client and the CI system.


House intercom attacks, when front doors become backdoors

at 5:15 PM

Zone 1

To break into a building, several methods have already been discussed, such as trying to find the code of a digicode, cloning RFID cards, or using social engineering attacks. New methods are now possible with recent intercoms. Indeed, these intercoms are used to call the tenants to access the building. But little study has been performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, they are more practical and allow residents to open doors not only from their classic door phone, but also by forwarding calls to their home or mobile phone. Private houses are now equipped with these new devices and it's common to find these "connected" intercoms in recent and renovated buildings.

In this presentation we will introduce intercoms and focus on one particular device that is commonly installed in buildings today. Then we will present our analysis of an interesting attack vector, which already has its own history. After this analysis, we will introduce our environment for testing intercoms, and show some practical attacks that could be performed on these devices.

with Sébastien DUDEK

@FlUxIuS
http://www.synacktiv.fr/en/
Sébastien DUDEK

Sébastien Dudek is a security consultant at Synacktiv. His main fields of interest are radio communication technologies and network and software security. He has been a speaker at NoSuchCon and Hack.lu. He has also contributed to the French magazine MISC and blogged about various security mechanisms.


Improvised LockPicking tools

at 6:00 PM

Zone 1

Let's imagine you get kidnapped in a foreign country by a hostile criminal group. Your only way out is to open your handcuffs, get back your passport, escape the room and leave in your aggressor's car.

This talk will help you to build the necessary tools from scrap material available anywhere to get you out of those unwanted situations.

with Till LENZE

http://www.frenchkey.fr/
Till LENZE

Tactical locksmith and security trainer for the military, Till develops degraded-mode techniques to open locks in harsh situations such as kidnappings, aggressions, armed attacks...

with Alexandre TRIFFAULT

@frenchkey_fr
http://www.frenchkey.fr/
Alexandre TRIFFAULT

Security trainer for locksmiths, computer scientists and the military for 8 years, Alexandre is continuously developing tools and techniques to circumvent physical security devices.


Turning a GPS-based dating application into a tracking system

at 6:45 PM

Zone 1

In a context of global insecurity, governments set up mass-surveillance programs. While some people have spoken out against them, the majority continue to dangerously expose their private life on various social networks. When talking about mass surveillance systems, most people imagine expensive programs and backdoors implemented together with vendors and manufacturers. While this might be right, another question can be asked: can people's widespread habits be turned against them?

States and agencies have a lot of money to buy and develop complete solutions to track people but, unfortunately, we don't have that money. Instead, we will present how to track someone with a cheap (but not complete) solution. We will focus on a famous Android GPS-based dating application. This application's purpose is to notify the user when he is crossing or has crossed paths with people matching his preferences. Using only the initial specifications and features of the application, we will explain how it can be turned into a GPS tracker.

with Julien LEGRAS

@Julien_Legras
http://www.synacktiv.com/en
Julien LEGRAS

A graduate of the IT Security Master's from Rouen University, Julien Legras joined Synacktiv 2 years ago. He has never missed an NDH since 2012 and he likes to study various subjects such as mobile applications. He gave a talk at the JSSI Rouen conference 2014 on advanced password breaking and published an article about the famous tool John the Ripper in Linux Magazine in 2015.

with Julien SZLAMOWICZ

@szLam_
http://www.synacktiv.com/en
Julien SZLAMOWICZ

Also a graduate of the IT Security Master's from Rouen University, Julien Szlamowicz joined Synacktiv a year ago. He has attended HzV monthly meetings from time to time since 2010 and was part of the ghosts team in 2011 and 2012. A challenge enthusiast, he has often participated in NDH wargames since 2010 and regularly in various online CTFs. His preferred fields for such competitions are cryptography, web-based and mobile applications.


Developing x64dbg

at 7:30 PM

Zone 1

Three years ago we desperately needed a user-friendly 64-bit debugger. Today there is one and it’s called x64dbg.

This talk will give you an insight into what inspired it, how the development process went and where this project is going in the future. OllyDbg reigned over the 32-bit debugging era for years, but it has its flaws and sadly no support for 64-bit debugging. Many of x64dbg’s features are inspired by OllyDbg, reinventing the good parts and discarding the bad parts.

The talk will end with a demo showing off x64dbg’s features in a real-life scenario.

with Duncan OGILVIE

@mrexodia
http://mrexodia.cf
Duncan OGILVIE

Duncan Ogilvie (mrexodia), 20 years old. Started reverse engineering somewhere around 2009. Currently a computer science student at Utrecht University. Notable projects:

  • TitanHide (kernel mode debug hider)
  • TitanEngine Community Edition (debug engine used by x64dbg)
  • GleeBug (new debug engine used by x64dbg)
  • x64dbg (x64 debugger for Windows)


Mass-pwning with a small IoT spy bug

at 9:15 PM

Zone 1

Nowadays, our world is made of connected and miniaturised objects; what's better than using connected and miniaturised tools? The author will show the ProbeZero, a portable attacking tool based on wireless communication protocols.

The ProbeZero allows you to track people using their connected equipment, automatically attack the selected equipment and finally perform some replay/interception attacks. A few demonstrations will be given to show you what that tool can actually do.

The ProbeZero is a little IoT bug, portable, easy to hide and very effective.

Building, operation and framework: the author will talk about the design of the ProbeZero, especially the electronic components, the hardware and software configuration, how to develop an Android application linked to the ProbeZero and finally the 3D printing files available with this project.

The design files, part of the source code of the framework and a guide will be published during the presentation.

with Damien CAUQUIL

@virtualabs
http://virtualabs.fr
Damien CAUQUIL

Damien Cauquil is an experienced reverse engineer. He started reversing binaries at the age of 17, with some friends and a lot of coke and pizzas, using old tools such as Win32dasm or procdump. Until now (oh wait, maybe with more recent tools).


Trust No One. ATMs and their dirty little secrets

at 10:00 PM

Zone 1

For several years, ATMs were jackpotted many times with malware. It went by various names but had the same capability: malware based on the financial applications standard. However, when banks tried to protect their ATMs from malware attacks, fraudsters continued the cat-and-mouse game by ignoring the host and using different attack vectors.

Over the last year, bankers’ minds have been occupied by another pain. Sometimes ATMs become empty and it looks like a miracle to the banks. Malicious guys use so-called “black boxes” to connect directly to the dispenser and eject money. Such an attack circumvents all software protections on the host machine.

But host to dispenser is only one side. On the other side, we have all kinds of connections to the outer world, from X.25 to Ethernet and cellular networks. Thousands of ATMs can be attacked by a MITM attack called “fake processing center”. Or many of them can be identified with Shodan and then be attacked due to security misconfiguration, administrator laziness and lack of communication between different departments in banks.

In the course of our presentation, we won’t speak about XFS, the different Tyupkins or plain old skimmers. We will concentrate on different aspects of the network and internal security problems of ATMs. We will cover some basic controls that are already there and why they are important, and we will also provide some advice to be implemented. Remember, the trust zone – it’s not about ATMs!

We will continue our presentation from the previous year. We will dig into the technical details of attacks on ATMs produced by the more widespread vendors. The presentation will concentrate on two aspects: network communications of ATMs with processing centers, and communication of the host with its peripherals. We will describe how attackers transform an ATM into a skimming device without any physical access to it, or steal all the money without any forensic evidence in the ATM logs.

with Olga KOCHETOVA

@_Endless_Quest_
Olga KOCHETOVA

Her field of interest consists of various devices interacting with cash or plastic cards. Senior Specialist on the Penetration Testing Team at Kaspersky Lab. Author of multiple articles and webinars in the field of ATM (in)security.

Author of advisories for various vulnerabilities for major ATM vendors. Speaker at international conferences: Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit and others.

with Alexey OSIPOV

Alexey OSIPOV

Lead Expert on the Penetration Testing Team at Kaspersky Lab. Author of a variety of techniques and utilities exploiting vulnerabilities in XML protocols, and author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat Europe and Hack in Paris (presenting the paper on ATM vulnerabilities), Black Hat USA, NoSuchCon Paris, Positive Hack Days, Chaos Communication Congress.