Well, well, well. The last blog post was on December 30th, just under 6 months ago. I am definitely not paying enough attention to this blog. Anyway, today I wanted to write about something cool. One year ago, I was talking about Hackito Ergo Sum, a French infosec conference held annually in Paris, and how I got through its cryptography CTF challenges (here and here). This year Hackito was held once again, and even though a fork of the conference had been announced, Hackito, its speakers, and its attendees were just as awesome as announced. What follows is a very quick summary of the talks that I found the most interesting. Enjoy, and do try to come to Hackito next year ;-)
Yo dawg, I heard you like XORing…
You may not be familiar with the concept of transparent XORing. Of course – it started out as a joke between colleagues on a fancy theory I was putting forward, and ended up being used to vaguely describe a security system that turns out to be completely broken, thus giving a false sense of security to its users – as would encrypting your files using a XOR mask set to \x00. But since explaining jokes is really lame, I wanted to share a nice little script I’ve developed that may help one malware analyst or two out there.
OPSEC and the written language
I recently had the pleasure of going through the slides of a presentation from The Grugq called “OPSEC for hackers”. As you might have guessed, the main topic is operational security. Operational security, operations security, OPSEC… it’s all about the measures one takes in order to make sure that one’s actions (or inactions) do not leak any (useful) information to a potential adversary. Some call it paranoia, others call it… OPSEC. In any case, the presentation goes into a great deal of detail explaining why and how many hackers and hacker groups got caught. It relies heavily on examples from the LulzSec court files and proceedings, and does so in quite a humorous way.
SRP and password salting
Today, Blizzard US released a statement declaring that their North American servers had been breached and that players’ personal info had possibly been compromised. Fortunately, they say, all passwords are stored using the SRP (Secure Remote Password) protocol. According to Blizzard, this makes password recovery “extremely difficult”. Unfortunately, that is not really the case.
The Bockel Report
French senator Jean-Marie Bockel, also a member of France’s foreign affairs, defense, and armed forces commission, published on Thursday a much-anticipated report on the current state of national cybersecurity in France. The 158-page report is pretty extensive and covers everything from well-known attacks against the nation to their instigators and potential consequences. It also compares the strategies of different countries in cyberspace: the US, the UK, Germany, the EU, and France, pointing out strong points and potential weaknesses in each of them.