IO Shield is a personal platform to share cyber security expertise, offering:

  • Resources to build a field kit for the cyber security researcher
  • IoT device reversing experiences
  • Pentesting and auditing services
  • Tutorials
  • Cheat sheets

How should an IoT device be assessed? What are the interesting fields? What kinds of services are connected to it and distributed in the cloud?

December 2016 :

Bears in the Midst: Intrusion into the Democratic National Committee, by CrowdStrike: APT29 (COZY BEAR, CozyDuke), APT28 (FANCY BEAR, Sofacy)

2013:

Su Bin: U.S. court document:

http://www.theglobeandmail.com/news/national/article19704622.ece/BINARY/Su+Bin+1030+complaint.pdf

Businessman living in Vancouver faces extradition orders for hacking U.S. military info

http://www.metronews.ca/news/vancouver/2015/09/03/judge-orders-committal-of-chinese-businessman-in-vancouver.html

APT1

Year of known compile date | Malware family name (source: Mandiant)
2004 | WEBC2.KT3
2005 | GETMAIL
2006 | LIGHTDART, MAPIGET
2007 | BISCUIT, MANITSME, STARSYPOUND, WEBC2.Y21K, WEBC2.UGX, TARSIP
2008 | DAIRY, SWORD, HELAUTO, HACKSFASE, WEBC2.AUSOV, AURIGA
2009 | GREENCAT, WEBC2.CLOVER, MACROMAIL, GOGGLES, NEWSREELS, WEBC2.RAVE, WEBC2.ADSPACE, WEBC2.HEAD, BANGAT
2010 | SEASALT, LONGRUN, WEBC2.TOCK, WEBC2.YAHOO, WEBC2.CSON, WEBC2.QBP, WARP, TABMSGSQL
2011 | LIGHTBOLT, COMBOS, WEBC2.DIV, GDOCUPLOAD, COOKIEBAG, GLOOXMAIL, MINIASP, BOUNCER
2012 | CALENDAR, WEBC2.TABLE, WEBC2.SOLID, KURTON

Source: MISC 85
Trust me, trust me not ...

How does Google detect local interception inside a French private network?

In December 2013, was the French government agency ANSSI responsible for a MITM against Google SSL/TLS? ... Not exactly ...
Adware :

  • Superfish, installed on some Lenovo devices, decrypted HTTPS streams in order to inject its own advertisements. The same certificate and private key were shipped on every affected device.
  • PrivDog intercepts the server certificate and replaces it with its own (signed by its own root). It generates a distinct certificate and key on each device.
Vulnerabilities :

  • FREAK (Factoring RSA Export Keys), CVE-2015-0204; e.g. Kaspersky Anti-Virus, with a flawed TLS implementation and no HPKP
  • CRIME (Compression Ratio Info-Leak Made Easy), CVE-2012-4929; e.g. Kaspersky Anti-Virus 16.0.0.614

Tools:

Mitigation, audit:

  • HSTS - HTTP Strict Transport Security - a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking
  • HPKP - HTTP Public Key Pinning - a security mechanism that allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates (not supported by IE!)
  • Weak cipher auditing: on the server side with the nmap ssl-enum-ciphers script, and on the client side by checking the TLS cipher suites your browser offers
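As an added example (not code from the IO Shield page), a small Python audit helper that covers two of the checks above: it validates a Strict-Transport-Security header and flags weak cipher suites (export-grade, RC4, DES/3DES, NULL, anonymous, MD5) from a list of suite names such as nmap ssl-enum-ciphers reports. The response header and cipher list are constructed sample input, not captured from any real host.

```python
# Constructed sample: HSTS header as captured from a hypothetical server.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

# Constructed sample: cipher suite names (IANA style) a hypothetical server
# accepted, in the form nmap's ssl-enum-ciphers script lists them.
SAMPLE_CIPHERS = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",        # export grade: FREAK-class downgrade target
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # acceptable
]

# Substring -> reason. Matching is on the IANA suite name.
WEAK_PATTERNS = [
    ("EXPORT", "export-grade key (FREAK, CVE-2015-0204 class of downgrade)"),
    ("RC4", "RC4 stream cipher"),
    ("3DES", "3DES, 64-bit block cipher"),
    ("_DES_", "single DES"),
    ("NULL", "no encryption"),
    ("anon", "anonymous key exchange, no server authentication"),
    ("MD5", "MD5-based MAC"),
]

def classify_ciphers(names):
    """Return {suite: [reasons]} for every suite matching a weak pattern."""
    findings = {}
    for name in names:
        reasons = [why for pat, why in WEAK_PATTERNS if pat in name]
        if reasons:
            findings[name] = reasons
    return findings

def parse_hsts(value):
    """Split an HSTS header value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"') or True
    return directives

def audit_hsts(headers):
    """Return a list of HSTS problems (empty list means the policy is sound)."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["HSTS header missing: downgrade to plain HTTP possible"]
    d, issues = parse_hsts(value), []
    max_age = d.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        issues.append("max-age missing or not an integer")
    elif int(max_age) < 31536000:  # one year, the usual preload minimum
        issues.append("max-age below one year (%s s)" % max_age)
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing: subdomains can be served over HTTP")
    return issues
```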

References :

ANSSI - 2014 - Security recommendations for the inspection of HTTPS traffic (Recommandations de sécurité concernant l’analyse des flux HTTPS)