Learning Expeditions in Israel

After having had the opportunity to go to Israel for a first learning expedition in 2015, I went back last July (2019). Israel is known as one of the best startup nations. I am going to share my experiences with you: one in the field of computer science and the other in cybersecurity.

SheCodes, Tel Aviv (2015)

SheCodes @ Campus Tel Aviv

The first time I went to Israel I was able to attend one of SheCodes' meetups. They presented the different workshops, from the basics of web programming to more advanced programming. In these workshops everyone is welcome, whatever their level. You get to learn by doing and can ask questions to other attendees or to the mentors.

If you have the opportunity to attend an event organized by SheCodes, you definitely should, and if you live in Israel you should attend all of them. Since 2015 they have even grown: they are no longer only in Tel Aviv but also in Jerusalem, Herzliya, Netanya, … Click here to get more information on their website.

Technion University (2015)

Technion, Dream it. Do it

During this learning expedition, I scheduled a visit to Technion University. If you want to do the same, you will have to contact them and provide a short bio and a brief explanation of why you want to visit. They will then help you schedule a guided tour of the University.

Technion is among the world's top ten science and technology research universities. You can read the full history of this University here. Also, by going to Technion you will have the opportunity to visit the breathtaking city of Haifa. Why not take a snack break at Fattoush?

Fattoush restaurant

After that, go and chill out at the Bahá'í gardens!

View of the Bahá'í gardens

BSides Tel Aviv 2019

BSides TLV 2019

Workshop – Ethical Hacking 101 (July 2019)

For the first day of the Cyber Week of Tel Aviv I attended a workshop hosted by BSides Tel Aviv: Ethical Hacking 101 by Telspace Systems.

After a brief introduction to ethical hacking, we were able to practise a little. We used different scanners and tools. Different environments had been set up just for us to hack. We got the opportunity to practise SQL injection, vulnerability scanning and vulnerability exploitation. We saw the full pentesting process, from looking for vulnerabilities to exploiting them, with tips and tricks to stay stealthy while doing so. They also presented a very useful tool that is really worth mentioning here: CherryTree. With it you can take notes about your process, which makes the pentest report easier to produce in the end.

This class was an awesome introduction to ethical hacking. The instructors were very clear and passionate. If you have the opportunity to attend a BSides meetup, you should totally do it.

Talks

The day after the workshops, BSides had organized different talks. They were presented by Keren Elazari, security analyst, author and TED speaker. There was also a special BSides tent where you could see their partners, an area if you were looking for a job and one just to chill out. I need to give a special mention to the stage decorations and the posters. They were awesome! You can see the picture below.

Eva Galperin: Where do we go from here, fighting Spouseware and Stalkerware

Eva Galperin is Director of Cybersecurity at the Electronic Frontier Foundation.

The main points in her talks were the following:

  • Stalkerware and spouseware are not detected by anti-virus
  • She convinced Kaspersky to help with the detection of those apps and to take privacy seriously
  • The tools to fight against this exist
  • Laws that already exist need to be enforced
  • She is calling on people to talk about this.

If you scroll down you will find, in the "To go further" section, a link to a video of her talk.

Amichai Shulman and Yuval Ron: Alexa and Cortana in Windowsland

They presented different vulnerabilities they found in Cortana and Alexa on Windows devices.

In the "To go further" section you will find the YouTube channel of Yuval Ron, where you can find some demos.

Sofia Belikovetsky: The Butterfly Effect Actively manipulating VW through hypervisor introspection

Sofia Belikovetsky took on the challenge of creating a virtual router in order to find anomalies in the network. In this talk she explained how she went about it: how she was able to find out what was going on in the VMs from the outside (from a list of running processes to monitoring every new process).

Tomer Zait and Nimrod Levy: ReDTunnel, Explore Internal Networks via DNS Rebinding Tunnel

Tomer Zait and Nimrod Levy presented ReDTunnel: how it works and why they created it. In the "To go further" section you will find a link to the ReDTunnel GitHub; why not contribute?

Yossi Sassi: PowerShell as a Hacking Tool

Yossi Sassi shared many tips to get the most out of PowerShell as a hacking tool. In the "To go further" section you can find a link to his slides and… a link to Yossi Sassi & The Oriental Rock Orchestra.

Omri Misgav: Bypassing user-mode hooks 101

Omri Misgav leads the security research team at enSilo. In this talk he explained hooking and user-mode hooks.

Yaron King: Low hanging (blue) fruit, Hacking and defending yourself using open-source tools

Yaron King explained how he was confronted with password spraying and what he did about it.

Eyal Itkin: Karta Source code assisted Geographic-based binary matching

Eyal Itkin is a vulnerability researcher at Check Point Research. In this talk he explained how Karta works. In the "To go further" section you can find Karta's source code.

Danny Grander and Yuval Ofir from Pasten CTF Team: Capture the Flag

In their talk, Danny Grander and Yuval Ofir explained what a CTF is and their experience with them. They also presented how they solve hard challenges.

Other events of the Cyberweek 2019 in Tel Aviv

Besides BSides (yeah, I know xD), there were plenty of events during the Cyber Week. I went to some of them, which I will present here.

Women in Cybersecurity: How to attract more diverse talent

Leading Cyber Ladies invited inspiring women. First, Keren Elazari interviewed some of them. They shared their experiences and gave some advice:

  • Hila Meller, VP Security Europe, British Telecom. Her advice: if you want it, don't let anyone stop you. Believe in yourself.
  • Helen Dixon, Commissioner, Data Protection Commission, Ireland. Her advice: Don't listen to any advice, you are perfect as you are.
  • Maria Thompson, Chief Risk Officer, State of North Carolina. Her advice: Learn the foundations of IT; if you are able to achieve and do that, you will be more successful.

After those interviews, Eva Galperin, Director of Cybersecurity and Head of Threat Lab at the Electronic Frontier Foundation, introduced herself and her career in a brief talk.

Finally, there was a panel moderated by Reut Menashe, co-founder of BSides TLV.

Each panellist presented their background. Then they shared what, in their opinion, companies should do to attract more talent, and why.

  • For Limor Kessem, monoculture has a bad effect. She also said that the "bring a friend" policy has an impact on diversity: with this kind of policy, companies tend to hire the same kind of people.
  • For Mary McGinley, companies need an extremely diverse team to see all aspects of a problem. She recalled the study which found that women won't apply to a job if they do not fit 100% of the criteria. She advises that even if many people tell you that you should not apply, apply anyway. She added: "do something you love and make it work for yourself".
  • Karine Ben-Simhon said that it is important to encourage the private and public sectors to create equal opportunities. She also said that there is a problem on the women's side too, because most HR staff are women.
  • For Moran Weber, the best way to make a difference is by combining top-down and bottom-up approaches. It is also important to revise job descriptions and understand why women don't apply. In her opinion those descriptions should avoid terms like "ninja code", "superstar", "rockstar", etc. She shared that her best decision was to start putting herself out there and to decide that her impostor syndrome would not decide for her. She used it to help her learn more.

Plenary talk "CyberWar is the continuation of politics by other means": interview of Stevan Bernard by Keren Elazari

CyberWar is the continuation of politics by other means

In this interview Stevan Bernard explained how the attack on Sony Pictures in November 2014 was handled. Here are the main points he shared:

  • Never underestimate your enemy.
  • The decisions made on Day 1 are the decisions that saved the company. That day was all about global, big decisions. This is when they decided to call the FBI and cyber security companies.
  • The human link is the weakest link: the attack started with spear phishing.
  • With twelve thousand employees all over the world, in such an attack you need to find alternative ways to communicate: Sony used old BlackBerry phones.
  • You can't prepare enough: hire the right people, make the right decisions, get everyone on the same page and define roles and responsibilities.

FraudCON 3.0

Stage of FraudCon 3.0

This was a full-day event. Throughout the day, "Legends of fraud fighting" awards were given out and the winners shared their experiences. I am going to present some of the day's talks.

Limor Kessem, executive security advisor at IBM, opened the day. She took an inventory of the last few years in terms of malware and presented some of it. After her introduction, different talks were given.

Ori Wainshtein: Thinking beyond traditional fraud

Ori Wainshtein is Head of Risk Research and Intelligence at Intuit. After a presentation of Intuit, he explained that in his opinion we need to be able to educate our children about this. He presented different aspects of fraud prevention and some scams. To conclude he gave key advice: invest in customer safety, optimize for brand protection and develop a holistic point of view on fraud.

Panel: news from the kingdom

Panel news from the kingdom

In this panel the participants shared the UK fraud landscape. Some figures were presented: reported fraud has increased by 6% since 2009. Identity fraud has been the biggest issue for a while, and in 2018 more than ever: 85% of it is perpetrated online. They also tackled the issue of fraud detection.

Panel: tales from the colonies

Panel tales from the colonies

In this panel, they started by talking about mobile attacks, saying that the minute something is patched, something new is out. Companies have to make things safer without changing the customer experience too much.

Nadav Katzenell: Remote overlay trojans attack and detection

Nadav Katzenell is head of security research at IBM Security. In this talk he explained the remote overlay trojan attack. It is an attack that originated in Brazil and then quickly expanded across South America and into new industries. Then he explained how his team set up a solution to detect this kind of attack.

Yehonatan Bar-Lev: The power of fusion center

Yehonatan Bar Lev is head of the Cyber Center at Bank Hapoalim. He showed us the organization of a drug ring from the inside: what skills they have, how they work, how they hire staff and what types of attack they launch.

Mirko Manske: A sunday in hell

Mirko Manske is a federal criminal police officer in Germany. In this talk he explained how he and his team confronted an internet "provider from hell" to get it to collaborate with them on a special case. He gave us an inside view of how German police and prosecutors work on such cases.

Panel ecommerce fraud, the next generation

Panel ecommerce fraud, the next generation

In this panel, Noa Kind started by explaining what ad fraud is and how it was countered. Then other members of the panel explained how consulting works.

Karisse Hendrick: fighting online fraud is a lot like fighting zombies

Karisse Hendrick is an eCommerce chargebacks and fraud consultant. In this talk she explained how online fraud has evolved and shared her insights as a consultant. She also co-hosts a podcast that you can find in the "To go further" section.

Spencer McLain: Fighting fraud with collaboration

Spencer McLain is Vice President at Ekata. In this talk he first explained that online sales are increasing, then tackled the authorization rate and fraud problem. He showed how fraud and the solutions to it have evolved, and gave a holistic approach to fraud prevention.

Sergey Shykevich: Even idiots can do fraud

Sergey Shykevich is cyber threat intelligence team manager at Q6 Cyber. In this talk he explained that even with very basic knowledge anyone can commit fraud. To prove his point he even showed an example.

Raymond King: Robbing the digital train

Raymond King is a product manager at TransferWise. In this talk he first presented TransferWise. Then he explained what kind of fraud TransferWise faces, its consequences, and how they prevent it.

Ethan Ram: Fraudulent App installs

Ethan Ram is VP R&D at ZoomD. In this talk he explained what app install fraud is, how it works and how to fight it.

Panel: What’s new in marketplace fraud

Panel: What’s new in marketplace fraud

In this panel, they all shared insights from their different companies. First they shared the kinds of fraud they face. Then they gave their opinions on machine learning and artificial intelligence for detecting fraud. They talked about the collaborations they have with other platforms in the marketplace. Finally they shared some advice for fraud-fighting teams.

To happily finish the day at FraudCon, we played a fun little game in which we had to decide whether the case presented to us was "friendly fraud" or "true fraud".

Conclusion

Learning expeditions are a really good way to learn. You get to see different things and discover the world at the same time. The Cyber Week was an awesome experience; I really enjoyed the talks and learned a lot. If you have the opportunity to go to the Cyber Week, you definitely have to go to BSides TLV and FraudCon.

To go further

A hacker for the DGSE – Challenge Richelieu

To expand its teams, the DGSE organized a challenge: the Challenge Richelieu.

To access it, you had to go to the site https://challengecybersec.fr/ :

Home page of the Challenge Richelieu

And that's all! It was then up to me to investigate…

So my first reflex was to open the web console and look at the page's source code, and there I discovered the existence of a PDF file:

Source code of the Challenge Richelieu home page

I accessed the file by appending "/Richelieu.pdf" to the address in the browser, and obtained what looked like a 364-page PDF with black text on a white background on the first page:

First page of the PDF

But since I am not easily fooled, I selected the whole document:

Selection on the PDF

And of course text was hidden there. So I selected all the text and pasted it into my favourite notepad.

Here is an excerpt:

/9j/2wBDADIiJSwlHzIsKSw4NTI7S31RS0VFS5ltc1p9tZ++u7Kfr6zI4f/zyNT/16yv+v/9//// ////wfD/////////////wgALCA20CD4BAREA/8QAGQABAQEBAQEAAAAAAAAAAAAAAAECAwQF/9oA CAEBAAAAAeFzUWUsiyzUFlgFgChLKud5lms2KluaLBNZs1neNSaRclSxqWLJ0xYVNQFyusxQlA1M 6iyhNRKQrUpCxKuNJqUEqyywmoIosUgmosZ1nSWxYlzbOYEWFlRZQssFlRUAqWGsgsspc6zZUsqW WWagXNlihKCywVZcrLZLYWLEspYssRalJqEmpTQzqCaSNXNualoEUzKQVQlSiklslFRKOUosLIai UlAChFhYohYCoVc6ksAsLLKSyzeNSakWwlsBSyClipKAlSpZpJSrJRFllKVneUpVzVkVFTUsLCFm kmoiyiWS1c0SyWrOVyssoRUsompYAVLBUqxLKlslhZUqUAJqWCWakqWWazpEtgsazrNlhYsti5qw WLBYWWxYljWRZWpWdJrnbc3UzaSqlSasiTSaJYkprNhYaixE1E05AlslRUsUlqFgssBZZZvBYsWL LNZVKjWbYJVkoubFE1JaRYllUSglJSahYm8ypVlCpYGsakVUq5E3Gue7lTNUsubFShYSoWWGoms6 ksKLnTiWSy2EUhZqShQRZrJYUiywssLLCpSW51C53m5KQqVKsWEsosVKXO8zeLLWaWNZ1JZYWVKs lJbnebnSWoE0lzpBQEhbGksAiy3G2dsyqZtzpmiuIssRSWLLYSgWWak1lYsssLLFJUWWGs2LNQJr OoItiW5WazU1BUCWoq5azSaRNSxrIsCxUbzYJrO83OmkY3Cpc6li5usXRLjZmhQICbxTNLqZ1mxL Y1eFgLJUoRbE0lgKgApc2VBUDWSzWVEqFSypbmhNSy5sqazSVrKoFiwtzZWsrKiakpZUVLKudZ1n 

I recognized base64 encoding. I then decoded this text and ran "strings" on the file:

strings on the decoded file
Output of the command

This gave me a list of files and a password.

So there are files embedded in the PDF. I will spare you my in-depth research into PDF structures (I refer you to the links at the end of the article if you want to know more, and I strongly encourage you to, because it is fascinating).

It is also interesting to note that if you rename the file to .jpg, you get an image:

Renaming the file to jpg

Now to answer the question one is bound to ask, or at least the one I asked myself for a long time: how do I retrieve and extract the files? There is a very handy tool for this: binwalk

Output of binwalk

Binwalk lists all the files we were promised, which is a good sign! I will be able to extract them with the -e option.

Here my file is called base64.jpg; binwalk will create a folder _base64.extracted and put everything it managed to extract in it:

Output of binwalk -e

Here is the content of the folder created by binwalk:

Output of ls in the folder created by binwalk

I then tried to unzip the file 6CCBC.zip (the zip password is the one found earlier in the base64):

Password
Unzipping the file and recovering the files

So I recovered the files and their contents.

Contents and sizes of the files we just extracted
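To make the whole chain concrete (base64 text pasted out of the PDF, decoded, run through strings, scanned for embedded file signatures, and the ZIP pulled out), here is an added Python example. It is mine, not the challenge's file and not binwalk's code: the sample blob, the password hint and the archive members are constructed inline, the signature table is a tiny hand-picked subset of the magic numbers a carver such as binwalk looks for, and the ZIP is written unencrypted because the standard library cannot write password-protected (ZipCrypto) archives, although it can read them, which is what the `password` parameter is for.

```python
import base64
import io
import re
import zipfile

# Hand-picked subset of the magic numbers a carver such as binwalk looks for
# (constructed for this example, not binwalk's signature database).
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (local file header)",
    b"\x1f\x8b\x08": "gzip compressed data",
}


def decode_hidden_text(text):
    """Decode the base64 text copied out of the PDF, ignoring the line breaks the copy/paste added."""
    return base64.b64decode("".join(text.split()), validate=True)


def strings(blob, min_len=4):
    """Minimal `strings`: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def scan_signatures(blob, signatures=SIGNATURES):
    """What `binwalk` does: report (offset, description) for every known magic number found."""
    hits = []
    for magic, desc in signatures.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def carve_zip(blob, offset, password=None):
    """What `binwalk -e` does for one archive: slice at the local header offset and read every member.

    A ZIP's internal offsets are relative to its own start, so the slice is a valid archive by itself.
    `pwd` handles the traditional ZipCrypto protection of password-protected zips (read only).
    """
    archive = zipfile.ZipFile(io.BytesIO(blob[offset:]))
    pwd = password.encode() if password else None
    return {info.filename: archive.read(info, pwd=pwd) for info in archive.infolist()}


def build_sample():
    """Constructed stand-in for the decoded challenge file: JPEG header, a plaintext hint, then an appended ZIP."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("public.key", "-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----\n")
        z.writestr(".bash_history", "openssl rsa -noout -text -in priv.key | grep prime1 -A 18 > prime.txt\n")
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    hint = b"zip password: constructed-example\n"
    return base64.b64encode(jpeg_head + hint + zbuf.getvalue()).decode("ascii")


def recover_files(b64_text, password=None):
    """Run the whole chain and return the members of the first ZIP found in the decoded blob."""
    blob = decode_hidden_text(b64_text)
    zip_offsets = [off for off, desc in scan_signatures(blob) if desc.startswith("ZIP")]
    if not zip_offsets:
        raise ValueError("no ZIP local header found in the decoded data")
    return carve_zip(blob, zip_offsets[0], password)


if __name__ == "__main__":
    sample = build_sample()
    data = decode_hidden_text(sample)
    print("strings:", [s for s in strings(data) if "password" in s])
    for off, desc in scan_signatures(data):
        print(f"{off:>8}  {desc}")
    for name, content in recover_files(sample).items():
        print(f"{name}: {len(content)} bytes")
```

The first `PK\x03\x04` hit is always the archive start because a ZIP's first local file header precedes all of its compressed data; later hits are the other members, which binwalk also lists individually.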

It is important to note at this stage that, seeing the files obtained and their names, it seemed to me that I was going to have to crack an RSA key… I do indeed have a public key "public.key" and a strange file "prime.txt".

So I set about understanding the .bash_history. With a little Linux knowledge, you know that .bash_history contains the history of the commands typed. So I ran cat on the file to find out what had been typed to create the files.

cat on the .bash_history file

I notice several uses of the sed command, which works with regular expressions. A quick search told me more:

The sed General Syntax

I understand that prime.txt is an RSA key, but that it has been modified with the sed command.

Here is what was done with sed:

// 7f was replaced by fb throughout the document
 1342  sed -i 's/7f/fb/g' prime.txt

// e1 was replaced by 66 throughout the document
 1343  sed -i 's/e1/66/g' prime.txt

// f4 was replaced by 12 throughout the document
 1344  sed -i 's/f4/12/g' prime.txt

// 16 was replaced by 54 throughout the document
 1345  sed -i 's/16/54/g' prime.txt

// a4 was replaced by 57 throughout the document
 1346  sed -i 's/a4/57/g' prime.txt

// b5 was replaced by cd throughout the document
 1347  sed -i 's/b5/cd/g' prime.txt

So here you would have to run the commands in reverse to recover the original file.

I will now try to understand what this command does: openssl rsa -noout -text -in priv.key | grep prime1 -A 18 > prime.txt

A search taught me this:

Openssl

So this command simply displays the private key.

I had some difficulties with this part because of my lack of knowledge of cryptography.
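The two steps above, undoing the sed edits on prime.txt and then using the prime1 component it holds together with the public key, fit in one added Python example (mine, not the challenge's or the author's code). It replays the six substitutions from the .bash_history listing and, because such substitutions are not uniquely reversible (an "fb" in the edited file may have been "fb" or "7f" originally), enumerates every candidate and keeps the one that divides the public modulus n; it then rebuilds q and the private exponent d from that prime, which is why a leaked prime factor is as bad as a leaked private key. The key material is constructed: P and Q are Mersenne primes chosen so the dump is readable, the openssl-style hex dump is rendered by the example itself rather than taken from the challenge, and the grep window of the original command is not reproduced.

```python
import re
from itertools import product

# The six edits listed in the challenge's .bash_history, in the order they were run.
SED_RULES = [("7f", "fb"), ("e1", "66"), ("f4", "12"), ("16", "54"), ("a4", "57"), ("b5", "cd")]


def apply_sed_rules(text, rules=SED_RULES):
    """Replay `sed -i 's/old/new/g'` for each rule in order (what the challenge author did)."""
    for old, new in rules:
        text = text.replace(old, new)
    return text


def openssl_style(value, label="prime1"):
    """Render an integer the way `openssl rsa -text` does: a label, then colon-separated hex, 15 bytes per line."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # openssl prefixes 00 so the top bit is not read as a sign bit
    pairs = [f"{b:02x}" for b in raw]
    lines = [":".join(pairs[i:i + 15]) for i in range(0, len(pairs), 15)]
    return f"{label}:\n" + ":\n".join("    " + line for line in lines) + "\n"


def parse_hex_bytes(dump):
    """Collect the hex byte pairs from the indented lines of a dump; labels are skipped (sed rewrote them too)."""
    pairs = []
    for line in dump.splitlines():
        if line.startswith(" "):
            pairs += re.findall(r"[0-9a-f]{2}", line)
    return pairs


def candidate_originals(hex_bytes, rules=SED_RULES):
    """Enumerate every byte string the rules could have turned into hex_bytes.

    The colon layout means a 2-character pattern can only hit one whole byte, so the edits act as a
    byte-to-byte map. That map is not injective: an 'fb' in the output was either 'fb' or '7f' before.
    """
    image = {f"{b:02x}": apply_sed_rules(f"{b:02x}", rules) for b in range(256)}
    preimages = {}
    for original, after in image.items():
        preimages.setdefault(after, []).append(original)
    # A byte with no preimage cannot come from these rules, so it yields no candidates at all.
    options = [preimages.get(byte, []) for byte in hex_bytes]
    for combo in product(*options):
        yield int("".join(combo), 16)


def recover_private_exponent(n, e, p):
    """Given the public key (n, e) and one prime factor p, rebuild q and d: leaking p leaks the whole key."""
    if n % p:
        raise ValueError("p does not divide n")
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return q, d


def solve(modified_dump, n, e, rules=SED_RULES):
    """Undo the sed edits, keep the one candidate that divides n, and rebuild the private exponent."""
    candidates = list(candidate_originals(parse_hex_bytes(modified_dump), rules))
    valid = [c for c in candidates if n % c == 0]
    if len(valid) != 1:
        raise ValueError(f"{len(valid)} candidates divide n; cannot decide")
    p = valid[0]
    q, d = recover_private_exponent(n, e, p)
    return p, q, d, len(candidates)


# Constructed key material: two Mersenne primes, small enough to read but large enough for a real round trip.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
# What prime.txt looks like after the author's sed commands (the hex of P starts with 7f, which became fb).
MODIFIED_PRIME_TXT = apply_sed_rules(openssl_style(P))


if __name__ == "__main__":
    print(MODIFIED_PRIME_TXT)
    p, q, d, count = solve(MODIFIED_PRIME_TXT, N, E)
    message = int.from_bytes(b"Richelieu", "big")
    print(f"{count} candidate(s) enumerated, recovered p == P: {p == P}")
    print("RSA round trip:", pow(pow(message, E, N), d, N) == message)
```

The candidate count grows as 2 to the power of the number of ambiguous bytes, so for a real 1024-bit prime a few hundred candidates are typical; the divisibility test against n settles it in every case, because n has no divisors other than 1, p, q and itself.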

So I did some research in order to continue, because I was curious to know where this would lead. I was able to find the password to decompress suite.zip.

This zip contained a text file with the information needed to continue the challenge.

It was possible to connect via ssh to a server dedicated to the challenge.

Continuation of the challenge

We then moved on to the wargame part of the challenge.

ssh connection to the richelieu wargame

I played around a bit with challenge 1 but unfortunately ran out of time to finish the challenges. By poking at challenge 1 a little, I understood that it is a buffer overflow to be exploited.

Indeed, here is the output of ls -al:

ls -al command

I obviously do not have the rights needed to cat "drapeau.txt". I know I can run the program thanks to the rights I have on prog.bin: -r-sr-sr-x

So I launched it and had fun for a while with the different options… Fun fact: with option 3, I watched in amazement as a little train went calmly by:

Little DGSE express train

The idea here was to exploit the buffer overflow to run commands reserved for root. Indeed, I had noticed the "s" on the prog.bin program. This "s" allows the executable to run commands that the file's owner could have run. This is how I got to learn more about the famous "return oriented programming" attack. By exploiting it, I could have tried to make the program run cat drapeau.txt.

Important note: thanks to Geluchat on Twitter, I learned that the approach for challenge 1 of the wargame was much simpler than I had imagined:

So that was my experience of the Challenge Richelieu. I really enjoyed it because I learned a lot about PDFs and got to discover the return oriented programming attack. I think it is important to note that even if you cannot, or do not necessarily have the time to, get to the end of the challenges, you learn a great deal even by devoting little time to it.

So if you get the chance, I encourage you to take on the next challenge offered by the DGSE; who knows, you might get hired!

To go further

Report on WoSEC Paris' participation in the Spying Challenge of LeHack 2019

Scroll down for the English version

Teaser of the LeHack 2019 Spying Challenge

As part of WoSEC Paris' activities, I created a CTF team for the Spying Challenge 2019 of the LeHack conference in Paris.

Spying Challenge logo

What is the Spying Challenge?

For this third edition during "leHACK", and in a context of omnipresent economic intelligence, your mission will be to collect information on a set of targets with the aim of satisfying your swindled clients.

This mission will involve open-source research, vishing, tailing, social engineering, physical intrusions, lockpicking, etc.

How does it work?

A first qualifying round before "leHACK" will decide between the best teams, who will be able to continue the experience. Then, on 6 July, you will be in real action!

(source: https://spyingchallenge.com/edition-2019/)

The phases of the Spying Challenge

Phase 1: OSINT, GEOINT, social engineering and report

Agents Dupont and Martin called on agencies, including WoSEC Paris, to investigate a suspicious company. Here is the mission order (email and attached PDF describing the objective of the mission):

Presentation of the WoSEC Paris agents

Christine Granville aka @Gabrielle_BGB

Agent Granville

Ash aka @asdmhx

Agent Ash

Lucy Elizabeth Smith @catr42

Agent Smith

To be selected, we had to pass this phase, which consisted of writing a documented report on our work, such as OSINT, GEOINT and social engineering by phone or by email/chat.

Extracts from the report

Here is the report we submitted to agents Dupont and Martin:

Here is also the recording of Agent Ash's call to Lictor (the link in the report is no longer valid):

Selection email for phase 2

We were accepted to move on to the next phases, which I will describe here.

Phase 2: the physical Spying Challenge at LeHack Paris

Before starting this phase, we received an email with more information on how the mission would unfold:

Email describing phase 2

To describe the phase, I will present each mission we were given throughout the day.

1. Interact with as many Lictor employees as possible in order to gather new information on your targets.

Equipped with microphones, the agents quickly spotted the Lictor stand.

  • Ash wore a Spartan t-shirt and had to approach Liliana (business engineer at Lictor);
  • Granville blended into the room to reach the Lictor stand incognito and interact with the various employees;
  • Smith played the role of an intern looking for a cool job and approached Lictor to find out more about their activities.

2. Identify and photograph the employee Jack Barrel

Operation still in progress…

3. 11:35 am: meeting with the CEO of Lictor

At this stage, new (time-limited) missions were entrusted to us:

  • Social-engineer the CEO of Lictor to obtain more information about him (done by Agent Ash) while creating a diversion.
  • Discreetly retrieve the CEO's bag in order to swap a CD and take as many photos as possible of its contents (done by Agent Smith and Agent Granville).

4. Neutralization and search

During this meeting, we were given the following missions:

  • The Lictor employees, having discovered that Agent Dupont was undercover, decided to eliminate him. To stop them, Agent Smith was tasked with poisoning the drink of the employee in charge of neutralizing Agent Dupont.
  • A suspicious room, most likely fitted with microphones, had to be searched with a detector. As the room was under surveillance, Agent Ash had to create a diversion so that Agent Granville could get in to search the room and detect the microphones. Employees caught Agent Granville during her search and she had to use her powers of persuasion to avoid arousing suspicion.

5. Tailing

In this phase, we had to follow the Lictor employees who had kidnapped Gustave Leproleau, and so find the place where Gustave was being held. The agents carried out several tails and identified the hideout where Gustave Leproleau was locked up.

6. Free Gustave

For the last mission, we had to free Gustave. However, our plans did not go as expected: a horde of hooded henchmen dressed all in black chased us and locked us up separately.

Agent Ash and Agent Granville were locked in a room. Handcuffed, Agent Granville used her hair clip to free herself. With her hands tied, Agent Ash managed to break the plastic tie in order to open the safe where TOP SECRET information was hidden.

Meanwhile, Agent Smith underwent a tough interrogation that did not impress her in the least.

France's elite according to the Spying Challenge team

WoSEC Paris: winners of the Spying Challenge 2019, LeHack Paris

We honoured our mission by freeing Gustave Leproleau from the clutches of this unscrupulous company.

Agent Smith, Gustave Leproleau, Agent Granville, Agent Ash (under the beautiful WoSEC logo)

Top 3 ranking:

WoSECParis, first place!
SpyKidsIH3, second place
Project BlueBird, third place

The successive rankings of the day

OSINT and SE phase ranking
Phase 2 ranking (SE, document theft, poisoning and surveillance)
Final ranking (lockpicking, lie detector, escape)

Spying Challenge tweet about our victory

Official write-up of the WoSEC Paris team

Acknowledgements

Thanks to @asdmhx and @catr42 for their enthusiasm and determination!

WoSEC Paris thanks the Spying Challenge team for organizing this thrilling challenge and for the realistic scenarios at LeHack.

The Spying Challenge team

Thanks also to all the Spying Challenge participants for giving us a run for our money.

Finally, a big thank you to LeHack for hosting such an event.


Report on WoSEC Paris’ participation in the Spying Challenge of LeHack 2019

Teaser of Spying Challenge of LeHack 2019

As part of the activities of WoSEC Paris, I created a CTF team for the Spying Challenge 2019 of the LeHack conference in Paris.

Spying Challenge logo

What is the Spying Challenge?

For this third edition during the “leHACK” and in a context of omnipresent economic intelligence, you will have the mission to collect information on a set of targets with the aim of satisfying your customers.

This mission will involve open source research, vishing, tracking, social engineering, physical intrusions, lockpicking, etc.

How does it work?

A first qualifying event before “leHACK” will decide between the best teams, who will be able to continue the experience. Then, on July 6, you will be in the real action!

(source: https://spyingchallenge.com/en/2019-edition/)

The phases of the Spying Challenge

Phase 1: OSINT, GEOINT, Social Engineering and report

Agents Dupont and Martin called different agencies, including WoSEC Paris, to investigate a suspicious company. Here is the mission order (email and attached PDF describing the objective of the mission):

Presentation of the agents of WoSEC Paris:

Christine Granville aka @Gabrielle_BGB

Agent Granville

Christine Granville, a social engineering enthusiast, is very persuasive. When she was a baby, she hacked the exit code from her mother’s womb. As a child, lockpicking was her favourite extracurricular activity. Today at the WoSEC Paris agency, nothing can resist her, her two favourite sidekicks (Ash and Lucy Elizabeth) and she are in charge of the most dangerous missions.

Ash aka @asdmhx

Agent Ash

Iron fist in a velvet glove, Ash has always known how to distinguish herself by her taste for fighting and high-risk excursions. Her passions in life: knee breaking and videos of axolotl babies. She recently joined the WoSEC Paris team to use her social engineering skills – and also to learn how to pull the worms out of a source without having it end up in an IKEA kit.

Lucy Elizabeth Smith

Agent Smith

Passionate since her early childhood about puzzles, investigations, coded messages and everything that makes knots in the brain, Lucy decided one day to put her talents at the service of the WoSEC Paris agency.

To be selected, we had to succeed in this phase, which consisted of writing a documented report on our approaches, such as OSINT, GEOINT and social engineering by phone or email/chat.

Extract of the report

The report is available only in French

Mail for our qualification for phase 2

We qualified to move on to the next phases, which I will describe here.

Phase 2: The Physical Spying Challenge at LeHack Paris

Before starting this phase, we received an e-mail with more information about the mission:

Dear agents,

Reading your report convinced us of your ability to
collect relevant information. Your feedback has allowed us to
make great progress in our investigation of Lictor.
As indicated above, we have therefore decided to keep you on
this mission which will continue on July 6, 2019.

Between 10am and 12pm, you should:

  • Interact with as many people as possible employed by Lictor in order to
    retrieve new information about your targets;

  • Identify and take a picture of employee Jack Barrel (he is strongly
    suspected and only shows up at the stand from time to time);

  • Go to the place indicated in attachments at 11:35 a.m.
    (no delays will be tolerated), where you will have to meet the CEO
    of Lictor, and where you will be informed of your orders for the rest of
    the operation.

If possible, bring back a lockpicking kit, enough to take pictures,
write a report in digital format, and your boldness.
We expect a brief report on your new findings to
1:30pm.

PS: Do not follow or interact with a target unless they are
wearing a cap with the Lictor logo on it (according to our information, the
CEO of Lictor and Jack Barrel will not wear hats: you
will still be able to talk to them).
Similarly, you will only be able to interact with Gustave Leproleau
when he wears his beret.

PPS: The service apologises for the late hour, there was an office party.

Sincerely,

Agents Dupont and Martin


To describe the phase I will present each mission that was given to us throughout the day.

1. Interact with as many people as possible employed by Lictor to retrieve new information about your targets.


Equipped with microphones, the agents quickly spotted Lictor’s booth.

  • Ash wore a Spartan t-shirt and had to approach Liliana (Business Engineer at Lictor);
  • Granville blended into the room to arrive incognito at the Lictor booth and interact with the various employees;
  • Smith played the role of an intern looking for a cool position and came to Lictor’s stand to find out more about what they do.

2. Identify and take a picture of the employee Jack Barrel

Operation still in progress…

3. 11:35 am Meeting with the CEO of Lictor


At this stage we have been entrusted with new missions (in limited time):

  • Social engineering on the CEO of Lictor to get more information about him (done by Agent Ash), which also served as a diversion.
  • Secretly pick up the CEO’s bag to swap a CD and take as many pictures as possible of the contents of the bag (done by Agent Smith and Agent Granville).

4. Neutralization and search

Agents,

Congratulations, your mission continues.
Meet us at 3:15 pm in front of the Lictor stand to receive your instructions.
Sincerely,

Agents Dupont and Martin

During this meeting, we were given the following tasks:

  • When Lictor’s employees discovered that Agent Dupont was undercover, they decided to eliminate him.
    To stop them, Agent Smith was given the task of poisoning the glass of the employee responsible for Agent Dupont’s neutralisation.
  • A suspicious room, most likely equipped with microphones, had to be searched with a detector. With the room under surveillance, Agent Ash had to create a diversion so that Agent Granville could enter the room, search it and detect the microphones. Some employees surprised Agent Granville during her search and she had to use her persuasive skills to avoid arousing suspicion.

Agents,

Phase 3 of your mission is not complete. We will meet at 4:30 pm at the Lictor stand for a final tailing operation. You will receive your orders on site.

At the end of this test, a selection will be made and only the
best agents will participate in the final phase.

Sincerely,

Agents Dupont and Martin

5. Tailing Lictor’s employees

During this phase, we had to follow Lictor’s employees, who had kidnapped Gustave Leproleau, in order to find the place where Gustave was locked up. The agents conducted various surveillance operations and identified the hiding place where Gustave Leproleau was being held.

6. Releasing Gustave

For the last mission we had to free Gustave. However, things did not go as planned: a horde of hooded minions dressed in black chased us and locked us up separately.
Agent Ash and Agent Granville were locked in a room. Handcuffed, Agent Granville used her hair clip to free herself. With her hands tied, Agent Ash managed to break the plastic tie in order to open the safe in which TOP SECRET information was concealed.

Meanwhile, Agent Smith was subjected to a tough interrogation that did not impress her at all.

France’s elites according to the Spying Challenge team

WoSEC Paris: winners of the Spying Challenge 2019, LeHack Paris

We honoured our mission by freeing Gustave Leproleau from the clutches of this unscrupulous company.

Agent Smith, Gustave Leproleau, Agent Granville and Agent Ash (under the beautiful WoSEC logo)

Top 3 ranking

WoSECParis first place!

SpyKidsIH3 second place

Project BlueBird third place

Rankings of the day

OSINT and SE phase ranking

SE, document theft, poisoning and surveillance ranking

Last ranking (lockpicking, lie detector, escape)

Spying challenge tweet about our victory


Thanks

Thanks to @asdmhx and @catr42 for their enthusiasm and commitment!

WoSEC Paris thanks the Spying Challenge team for organizing this exciting challenge and the realistic role-playing during LeHack.

The Spying Challenge team

Thanks also to all the participants of the Spying Challenge for giving us a hard time.

Finally, a big thank you to LeHack for hosting such an event.

Podcast #3 Tanya Janca, Microsoft

Tanya Janca is the founder of WoSEC (Women of Security) and Cloud Security Advocate at Microsoft.

If you are interested in knowing:

  • what the ideal cyberspace looks like for a cloud advocate,
  • how we can make this industry better for women and newcomers,
  • or simply hearing about an inspiring career path,

listen to this podcast and you will get some answers. (You can download the file as MP3.)

Listen on this page

Nuit de la gestion de crise (Crisis Management Night) by Les Jeunes de l’IHEDN

On 29 March 2019 the Nuit de la gestion de crise took place. This event is organised by the association Les Jeunes de l’IHEDN. I was able to attend talks and workshops (crisis management, the risks of crisis management, Social Room, creating a crisis exercise, social crisis exercise).

Registration and preparation

This event is very popular and the workshop places were gone in under two hours, so read the programme carefully and plan your schedule in advance. Register early and stay responsive to the emails for workshop registration.

Crisis management today, Gilles Malié

Gilles Malié, Chief of Staff of the Paris Defence and Security Zone

The event opened with a talk by Gilles Malié, Chief of Staff of the Paris Defence and Security Zone. Gilles Malié presented his work and attempted to define resilience. In his view, however, resilience cannot be promised in crisis management: “we do not know what resilience is, we only know the absence of resilience”.

Here is a slide summarising Gilles Malié’s missions.

Crisis management

He then went through a few practical cases as examples.

To conclude, he reiterated how hard it is to give a good definition of resilience, and pointed out that when too many people handle a problem, it leads to poor management. In this kind of mission you therefore have to be prepared and stay humble.

The risks of crisis management, Patrick Lagadec

In his talk, Patrick Lagadec gave examples of crises and of how they were handled. He discussed the unexpected, poor preparation and the handling of unprecedented events.

I encourage you to visit his website, which is fascinating and offers his work in several languages. It is here.

Workshop: Social Room

Social Room is a tool developed by Crisotech to practise crisis communication on social networks. Crisotech builds various crisis management training tools.

Crisis management training – Crisotech

After a brief presentation of Crisotech, the exercise began. Here is the scenario:

Starwhite scenario – Crisotech

And here we are in front of the Starwhite social room. A delicate, perilous and exciting exercise!

Social Room of the Starwhite Explorer – Crisotech

What mattered in this exercise was to understand the crisis properly, to anticipate as much as possible, to build a good map of the situation and, of course, to write relevant posts. In short, the priority here is to be reassuring and to protect Starwhite’s reputation through suitable crisis communication.

Workshop: creating a crisis exercise, Resiliency

In this workshop, Resiliency presented the process for creating the different types of crisis management exercise. Here are some slides from the presentation:

The notion of an exercise

The one that interested me most is the field exercise. It runs over a long period (36 hours); the point is to train yourself to feel your personal and physical limits.

An exercise carried out in Corsica was given as an example: each participant held four 6-hour shifts. The exercise was split into several phases and the participants did not know in advance what would happen. Here is a video presenting this example:

Resiliency exercise in Corsica

Social crisis exercise, Patrick Cansell

This exercise was very well put together. However, I cannot say too much, in case you take part in the next Nuit de la gestion de crise. It was a fully immersive exercise in which you had to deploy strategies to handle one (or more 😉 ) crises in a company. Each participant had a role and objectives to meet. In short, a workshop to do again and again 😀

In the meantime, I invite you to visit the Artem-is website

As you will have noticed in this article, I loved this event. If you would like to take part in the next edition, have a look at the official website of the Nuit de la gestion de crise.

To go further

Podcast #2: Anouk Vos, Cyberworkplace

Anouk Vos is the founder of Revnext, a strategy consultancy specialising in technology-driven strategies in the Netherlands, and chair of Cyberworkplace, a non-profit initiative that helps reduce the current shortage of cybersecurity experts in the labour market (see my article about it here).

If you want to know more about:

  • Cyberworkplace and how to help reduce the shortage of cybersecurity experts
  • Cybersecurity from a former diplomat’s point of view

Listen to this podcast! (You can download the file as MP3.)

Listen in your browser


Podcast #1: Melanie Rieback, Radically Open Security

Melanie Rieback is co-founder and CEO of Radically Open Security, the world’s first not-for-profit computer security consultancy (see my article about my internship with them here).

If you want to know more about:

  • The first not-for-profit computer security consultancy
  • A social entrepreneur’s vision of cybersecurity

Listen to this podcast! (You can download the file as MP3.)

Listen on this page

My internship at Radically Open Security

One of my goals in this ethical hacker challenge was to volunteer for a GREAT organisation. That is what I did at Radically Open Security, which welcomed me as an intern for six months.

How did I get this opportunity?

When I started working in IT, I quickly became concerned about the lack of security on the Internet.
My curiosity and thirst for learning therefore led me to wonder how a safer cyberspace could be built.
This quest shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
This initiative was an obvious fit and in line with the values I want to promote.
Transparency is the central point of this company, and its business model is a promise of a better social future.

What is Radically Open Security?

« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants.  »
At ROS everybody works remotely.
(source: https://radicallyopensecurity.com/business-model.htm)

Wait! Not for profit?

Yes, not for profit! Let Melanie Rieback, co-founder and CEO, explain it to you:

What service do they offer?

  • Penetration testing, ethical hacks and social engineering
  • Malware reversing and analysis
  • Network monitoring and threat detection
  • Forensics
  • CSIRT and incident response
  • Code audits
  • DDoS Testing
  • Cryptographic analysis
  • Custom R&D Projects
  • Workshops, trainings and mentoring
  • Misc: Embedded, Android and RFID Security

(source: https://radicallyopensecurity.com/services.htm)

What did i do?

Participation in the creation of a Capture-The-Flag (CTF) game

ROS helped to build a CTF for the CyberHeroes week of the non-profit organisation Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in cyber, so I built a list of many heroes from the cybersecurity world, along with cryptography and cybersecurity resources.

Observation of pentests

I was added to some pentesting channels on Rocket.Chat, the chat platform used for work communication. This way, I was able to peek over the pentesters’ shoulders and see how they work and how they communicate with the client, since the pentests are fully visible to the clients from beginning to end (this is one of ROS’s core principles).

Review of pentest reports

I was able to read and review some pentest reports. This really helped me to see how proper pentest reports are built, what pentesters look for while pentesting and which tools they use.

Improvement of the onboarding manual for new staff members

When I onboarded I was provided with an onboarding manual. As I ran into a few small problems setting up my work environment, I added some entries to the onboarding manual to help future new starters who have the same configuration I had.

Creation of a wiki page with relevant onboarding information for new staff members

ROS wanted to improve the onboarding process and provide new starters with resources and useful information.
This is why I created a wiki page with many resources for every type of position (project management, software development, pentesting, …). I also added a section with general information about ROS.
Once the wiki was set up, I invited everyone to contribute and share their knowledge through relevant links: their favourite tools, great articles they had read, anything they would find relevant.

Submission of a process for improving internal training

We wanted to improve the internal training, which is why I wrote a document proposing some ideas on the subject.

Helping a coworker with the use of GitLab (where Radically Open Security stores its projects and documentation)

One of the other interns was new to GitLab. As I had previously encountered Git and worked with it, I was able to help.

Organising folders in GitLab

ROS keeps its projects and documentation on an internal GitLab instance. I updated the organisation of the folders.

Use of Pentext and XML

« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS, which open-sourced it and made it available on GitHub.
In order to use PenText you need to know XML.
I really enjoyed using PenText. XML is really useful and you get to generate great-looking documents. This saves a lot of work, mainly for pentest reports, but it can also be used to save time on other types of reports.
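As an added illustration of what an XML-based reporting workflow gives you, here is a small Python script that is not PenText’s own code and does not reproduce PenText’s real schema: it parses a simplified findings file, checks that every finding carries the fields a reviewer expects before a report is generated, and counts findings per threat level. The element and attribute names (`finding`, `threatLevel`, `title`, `description`, `impact`, `recommendation`) and the list of threat levels are assumptions chosen for the example, modelled on the general shape of a findings document rather than copied from PenText. The sample findings are constructed for the example; the second one is deliberately incomplete so that the validation step has something to flag.

```python
"""Parse a simplified XML pentest findings file and summarise it.

Added example, not PenText's own code. The element and attribute names
(finding, threatLevel, title, description, impact, recommendation) and
THREAT_LEVELS are assumptions for illustration, not PenText's real schema.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample input: two findings, the second one missing its recommendation.
SAMPLE_FINDINGS = """<findings>
  <finding id="f1" threatLevel="High" type="SQL Injection">
    <title>Unauthenticated SQL injection in login form</title>
    <description>The username parameter is concatenated into a query.</description>
    <impact>An attacker can bypass authentication and read the users table.</impact>
    <recommendation>Use parameterised queries for every database call.</recommendation>
  </finding>
  <finding id="f2" threatLevel="Moderate" type="Information Disclosure">
    <title>Server version header exposed</title>
    <description>Responses carry a Server header with the exact version.</description>
    <impact>Eases fingerprinting for targeted exploitation.</impact>
    <!-- recommendation deliberately missing: the validator must flag it -->
  </finding>
</findings>
"""

# Assumed threat levels, listed in the order a report would sort them.
THREAT_LEVELS = ("Extreme", "High", "Elevated", "Moderate", "Low", "N/A")
# Child elements every finding must carry before the report can be generated.
REQUIRED_CHILDREN = ("title", "description", "impact", "recommendation")


def parse_findings(xml_text):
    """Return one dict per <finding> with its id, threat level, type and child texts."""
    # The standard-library expat parser does not resolve external entities,
    # so an untrusted findings file cannot pull in local files via XXE here.
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("finding"):
        entry = {
            "id": node.get("id"),
            "threat_level": node.get("threatLevel"),
            "type": node.get("type"),
        }
        for child in REQUIRED_CHILDREN:
            element = node.find(child)
            entry[child] = element.text.strip() if element is not None and element.text else None
        findings.append(entry)
    return findings


def validate_findings(findings):
    """Return a list of human-readable problems; empty when every finding is complete."""
    problems = []
    seen_ids = set()
    for entry in findings:
        fid = entry["id"] or "<no id>"
        if entry["id"] in seen_ids:
            problems.append(f"{fid}: duplicate id")
        seen_ids.add(entry["id"])
        if entry["threat_level"] not in THREAT_LEVELS:
            problems.append(f"{fid}: unknown threatLevel {entry['threat_level']!r}")
        for child in REQUIRED_CHILDREN:
            if not entry[child]:
                problems.append(f"{fid}: missing <{child}>")
    return problems


def summarise(findings):
    """Count findings per threat level, keyed in report order; levels with no findings are omitted."""
    counts = Counter(entry["threat_level"] for entry in findings)
    return {level: counts[level] for level in THREAT_LEVELS if counts[level]}


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_FINDINGS)
    for problem in validate_findings(parsed):
        print("PROBLEM:", problem)
    for level, count in summarise(parsed).items():
        print(f"{level}: {count}")
```

Run as-is, the script reports that finding f2 is missing its recommendation and prints one High and one Moderate finding. The point of the validation step is the one the paragraph above makes: with findings in a structured format, completeness checks and summaries are a few lines of code rather than a manual pass over a word processor document, and a report generator can refuse to build until every finding is complete.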

What did I get from this experience?

As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holacratic system works in a company. This system, in which everyone has a place and a voice, was a beautiful discovery.
On the technical side, I used many tools such as PenText.
Finally, I appreciated working remotely, because it requires a personal work organisation that pushes you to be autonomous and rigorous.

During the CyberHeroes week I had the opportunity to meet Daan, Steven, Melanie and Anh from ROS (source: CyberHeroes week Flickr).

To go further

About the forum

Note: As the forum did not attract many people, I am thinking about another way to offer an exchange of knowledge and mutual support open to everyone.

A Forum to self-study cybersecurity collectively

A few days ago I published an article on Peerlyst about how to put together a free, open-education degree in cybersecurity. In a comment, someone raised a very important issue: how do you stay focused when you study alone online?
Because:

  • you can easily be distracted,
  • we tend to scatter ourselves,
  • it is not always easy to learn alone.

To answer these questions, I first suggested this very good MOOC by Dr Barbara Oakley (McMaster University, University of California San Diego): Learning How to Learn on Coursera.

This Mooc is really helpful to understand the process of learning. You get tips and tricks to learn more efficiently.

I also answered that making lists of objectives helps a lot. For instance, you can make a list of things to achieve for the day, the week or the month.
The most important thing is to define what you want to learn and where you want to go. Then write it down as objectives to meet by a set date.


And to break the loneliness of self-study, I decided to create a forum to gather people who want to learn collectively. It is a place open to everyone who wants to learn and share knowledge, whatever your age, gender, level, country and so on.

In brief, it is a forum that can be used to learn a specific subject or to look for an answer when you run into a problem.

picture of the forum


Here is a picture of the forum as it currently is. This is not its final look; it will evolve with the users and their needs.

As you can see there is an english and a french part for now.

If you speak another language you can ask me to add a category. This would open the forum even more to everyone no matter where they live and which language they speak.

private part for women

This part is only for women or people who identify as women to feel more comfortable learning together. This part is private and you need to ask me the access for it.


Feel free to make this forum a place where learning is free and open to everyone. Learning with peers and meeting for a specific topic or Mooc would be easier to achieve.

Finally, people from the industry and experts are welcome to share their experiences and build a community for open education in cybersecurity.

So let’s build a safe Internet by learning cybersecurity together.



List of communities for women Cybersecurity, STEM, Programming, …

Please help me make the list of women in cybersecurity communities bigger.

Women in cybersecurity (cybersecurity-specific communities)

List of Women of Security (WoSEC) chapters in the world

Map of every WoSEC chapter

Click here for a full screen map

List of other communities of Women in Cybersecurity

List of other communities for women

Women in programming

Women in STEM (general)

Gender Equality, Diversity or programs for younger women