office documents new weapons of cyberwarfare
play

Office Documents: New Weapons of Cyberwarfare Jonathan Dechaux - PowerPoint PPT Presentation

May 05, 2023 •42 likes •342 views

Outline Introduction (Open)Office security architecture Fun and Profit - How to Bypass (Open)Office security Conclusion Office Documents: New Weapons of Cyberwarfare Jonathan Dechaux dechaux@et.esiea-ouest.fr , Eric Filiol filiol@esiea.fr ,

  1. Outline Introduction (Open)Office security architecture Fun and Profit - How to Bypass (Open)Office security Conclusion Office Documents: New Weapons of Cyberwarfare Jonathan Dechaux dechaux@et.esiea-ouest.fr , Eric Filiol filiol@esiea.fr , Jean-Paul Fizaine fizaine@esiea-recherche.eu Ecole Supérieure en Informatique, Electronique et Automatique Operational virology and cryptology Lab. 38 rue des docteurs Calmette & Guerin, 53000 Laval France J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  2. Outline Introduction (Open)Office security architecture Fun and Profit - How to Bypass (Open)Office security Conclusion Introduction 1 Cyberwarfare and Cyberweapons (Open)Office security architecture 2 Macro Security in MSO Macro Security in Openoffice Automatic execution of macros Digital Signature Fun and Profit - How to Bypass (Open)Office security 3 Proof of concept Attacks Strategies Man-in-Middle Attack for MSO Protection and Counter-measures News for Office 2010 Security Conclusion 4 J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  3. Outline Introduction (Open)Office security architecture Cyberwarfare and Cyberweapons Fun and Profit - How to Bypass (Open)Office security Conclusion Cyberwarfare and Cyberweapons Reallity of cyberwarfare August 2007: Espionage case of China against German chancelery. 163 Gb of Gouvernemental data stolen through a Trojan-infected Office document. 2009 - 2010: Chinese hackers succeeded in stealing economic and financial data from European Banks, through malicious PDFs. Document as cyberweapons (Open)Office document are good vectors. PDF documents are also used nowadays J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  4. Outline Introduction (Open)Office security architecture Cyberwarfare and Cyberweapons Fun and Profit - How to Bypass (Open)Office security Conclusion A Critical Context The Cyberwarfare picture PWN2KILL, May 2010 Paris, challenge has proved the risk is real and high. http://www.esiea-recherche.eu/iawacs2010.html Huge technical possibilities on one side, quite no protection and detection capability on the other side. Many critical systems are rather secure with a strong security policy enforced. Classical approaches are less and less possible, not say impossible. J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  5. Outline Introduction (Open)Office security architecture Cyberwarfare and Cyberweapons Fun and Profit - How to Bypass (Open)Office security Conclusion Context of the Study Which applications are concerned? Office 2010 OpenOffice 3.x All office applications. The Purpose To install malicious payload into the operating system, whithout being detected by any AV. We do not want to exploit any vulnerability (target = secure sensitive systems; e.g. combat systems). J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  6. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion Introduction 1 Cyberwarfare and Cyberweapons (Open)Office security architecture 2 Macro Security in MSO Macro Security in Openoffice Automatic execution of macros Digital Signature Fun and Profit - How to Bypass (Open)Office security 3 Proof of concept Attacks Strategies Man-in-Middle Attack for MSO Protection and Counter-measures News for Office 2010 Security Conclusion 4 J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  7. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion MSO: Execution level security settings Possible level of security Level 4 (0x00000004): Disable all macros without notification. Level 3 (0x00000002): Disable all macros with notifiation. Level 2 (0x00000003): Disable all macros except digitally signed macros. Level 1 (0x00000001): Enable all macros. Location of settings Registery key : HKEY_CURRENT_USER \ Software \ Microsoft \ Office \ 12.0 \ < Application > \ Security Application = {Word, Excel, Powerpoint, Access} J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  8. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion MSO: Trusted Location Definition Trusted location: A trusted location is a directory where macros of documents stored inside are allowed to be executed automatically. Stored in the registery HKEY_CURRENT_USER \ Software \ Microsoft \ Office12 \ 12.0 \ < Application > \ Security \ Trusted Location . trust value. Standalone settings: modifying Word’s settings does not affect other Office programs’ settings. J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  9. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion OO: Macro Security Security settings Both Macro security level and trusted location are defined in " Common.xcu " file at: Openoffice.org \ 3 \ user \ registery \ data \ org \ openoffice \ Office Example <node oor:name="Security"> <node oor:name="Scripting"> <prop oor:name="MacroSecurityLevel" oor:type="xs:int"> <value>0</value> </prop> </node> </node> J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  10. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion OO: Trusted Location Example Set the root directory as Trusted location <node oor:name="Security"> <node oor:name="Scripting"> <prop oor:name="SecureURL" oor:type="oor:string-list"> <value>file:///C:/</value> </prop> </node> </node> J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  11. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion The use of ’AutoExec’ event with MSO The fact Able to naturally bypass the level 2 of execution. Several events are available: AutoNew, Open, Close, Exit, Exec Applied on template named Normal.dotm and stored inside MSO’s users settings file. Execute the macro at opening event even if any macro are not allowed to be executed (Level 2). J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  12. Outline Macro Security in MSO Introduction Macro Security in Openoffice (Open)Office security architecture Automatic execution of macros Fun and Profit - How to Bypass (Open)Office security Digital Signature Conclusion MSO & OO.ORG: The integration MSO&OO.ORG are both: Based on the W3C specification. But the integration is totally different. MSO’s integration Office makes it easier to create signatures. It is possible to create self-signed certificates. They are stored inside _rel \ .rel file whithin the document. Openoffice’s integration: X509Certificate No significant change about signature since 2006, the first study. Black Hat 2009, Amstersdam, E.Filiol J.-P. Fizaine, Openoffice v3.x Security Design Weaknesses. J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  13. Outline Proof of concept Introduction Attacks Strategies (Open)Office security architecture Man-in-Middle Attack for MSO Fun and Profit - How to Bypass (Open)Office security Protection and Counter-measures Conclusion News for Office 2010 Security Introduction 1 Cyberwarfare and Cyberweapons (Open)Office security architecture 2 Macro Security in MSO Macro Security in Openoffice Automatic execution of macros Digital Signature Fun and Profit - How to Bypass (Open)Office security 3 Proof of concept Attacks Strategies Man-in-Middle Attack for MSO Protection and Counter-measures News for Office 2010 Security Conclusion 4 J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

  14. Outline Proof of concept Introduction Attacks Strategies (Open)Office security architecture Man-in-Middle Attack for MSO Fun and Profit - How to Bypass (Open)Office security Protection and Counter-measures Conclusion News for Office 2010 Security MSO case Change to the lowest level: 0 Interessting Keys: HKEY_CURRENT_USER Path: Software \\ Microsoft \\ Office \\ 12.0 \\ Word \\ Security Windows API: RegOpenKeyEx, RegSetValueEx, RegCreateKeyEx, RegCloseKey Example RegOpenKeyEx(HKEY_CURRENT_USER, path, 0, KEY_ALL_ACCESS, &hkey); RegSetValueEx(hKey, warning, 0, REG_WORD, (const BYTE*)nNumber, sizeof(number)); RegClose(hkey); J. Dechaux, E. Filiol, J.-P. Fizaine Office Documents: New Weapons of Cyberwarfare

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The Foundation of Network Security Stand-alone (ISP/Carrier Server Farm) modular TIPS for Perimeter Defense We brought a prototype for you!

263 views • 24 slides
Cybersecurity for Future Presidents Lecture 14: Cyberwarfare and Other Topics for Future

Cybersecurity for Future Presidents Lecture 14: Cyberwarfare and Other Topics for Future

Cybersecurity for Future Presidents Lecture 14: Cyberwarfare and Other Topics for Future Presidents My office hours: Any Questions? Wed. afternoon, 12-3pm, 442 RH. About previous lecture? About homework? About reading? (Cyber

640 views • 22 slides
2007 Aurora Test Cyberwarfare is generally state-on-state action equivalent to an armed attack

2007 Aurora Test Cyberwarfare is generally state-on-state action equivalent to an armed attack

2007 Aurora Test Cyberwarfare is generally state-on-state action equivalent to an armed attack or use of force in cyberspace that may trigger a military response with a proportional kinetic use of force. Cyberterrorism can be considered

237 views • 12 slides
Nuclear Weapons Nuclear Weapons They produce incredible temperatures They produce incredible

Nuclear Weapons Nuclear Weapons They produce incredible temperatures They produce incredible

Nuclear Weapons 2 Observations about Nuclear Weapons 1 Observations about Nuclear Weapons Nuclear Weapons They release enormous amounts of energy They release enormous amounts of energy Nuclear Weapons Nuclear Weapons They produce

393 views • 3 slides
Autonomous Weapons Systems and the Obligation to Exercise Discretion Presentation at the 2016

Autonomous Weapons Systems and the Obligation to Exercise Discretion Presentation at the 2016

1 Autonomous Weapons Systems and the Obligation to Exercise Discretion Presentation at the 2016 Meeting of Experts on Lethal Autonomous Weapons Systems, Convention on Certain Conventional Weapons (CCW), Geneva, 14 April 2016 Eliav Lieblich 1

259 views • 9 slides
Nuclear Weapons 101 Nuclear Smuggling p. Nuclear Weapons 101 Fissile materials ( 235 U , 233

Nuclear Weapons 101 Nuclear Smuggling p. Nuclear Weapons 101 Fissile materials ( 235 U , 233

Nuclear Weapons 101 Nuclear Smuggling p. Nuclear Weapons 101 Fissile materials ( 235 U , 233 U , 239 Pu ) are used to make weapons of devastating power. Nuclear Smuggling p. Nuclear Weapons 101 Fissile materials ( 235 U , 233 U , 239 Pu

398 views • 29 slides
Preparing for the Deliberate Use of Biological Weapons: The Relevance of the Biological Weapons

Preparing for the Deliberate Use of Biological Weapons: The Relevance of the Biological Weapons

Preparing for the Deliberate Use of Biological Weapons: The Relevance of the Biological Weapons Convention to Central Asian States Parties Regional Workshop for Central Asian States Parties to the BWC On Preparedness to Respond to the

698 views • 25 slides
Weapons and Combat Systems Division Dr Shane Canney Acting Chief Weapons and Combat Systems

Weapons and Combat Systems Division Dr Shane Canney Acting Chief Weapons and Combat Systems

UNCLASSIFIED Weapons and Combat Systems Division Dr Shane Canney Acting Chief Weapons and Combat Systems Division 1 UNCLASSIFIED Weapons and Combat Systems Division (WCSD) Vision: To be at the forefront of the application of science and

378 views • 37 slides
Weapons and Combat Systems Division Dr John Riley Chief Weapons and Combat Systems Division 1

Weapons and Combat Systems Division Dr John Riley Chief Weapons and Combat Systems Division 1

UNCLASSIFIED Weapons and Combat Systems Division Dr John Riley Chief Weapons and Combat Systems Division 1 UNCLASSIFIED Weapons and Combat Systems Division Vision: To be at the forefront of the application of science and technology to

420 views • 38 slides
WHITE PAPER: ELECTROSHOCK WEAPONS (ESWs) AND PUBLIC SAFETY: THE NEED FOR LAW ENFORCEMENT

WHITE PAPER: ELECTROSHOCK WEAPONS (ESWs) AND PUBLIC SAFETY: THE NEED FOR LAW ENFORCEMENT

WHITE PAPER: ELECTROSHOCK WEAPONS (ESWs) AND PUBLIC SAFETY: THE NEED FOR LAW ENFORCEMENT AGENCIES (LEAs) TO UPDATE POLICIES, PRACTICES AND TRAINING TO REFLECT THE LATEST RESEARCH AND RISKS OF THESE POTENTIALLY DEADLY WEAPONS DEFEND. PROTECT.

467 views • 9 slides
We dont know more about the biological weapons threat than we did five years ago, and five

We dont know more about the biological weapons threat than we did five years ago, and five

We dont know more about the biological weapons threat than we did five years ago, and five years from now, we will know even less. Senior CIA official, Counterproliferation Division with regard to biological weapons intelligence,

761 views • 59 slides
Understanding Biological Weapons and an Introduction to the BWC Daniel Feakes @dfeakes Chief, BWC

Understanding Biological Weapons and an Introduction to the BWC Daniel Feakes @dfeakes Chief, BWC

Understanding Biological Weapons and an Introduction to the BWC Daniel Feakes @dfeakes Chief, BWC Implementation Support Unit United Nations Office for Disarmament Affairs Amb. Mazlan Muhammad, Malaysia What are biological weapons? Systems

336 views • 30 slides
Nuclear Weapons Nuclear Weapons Yes Yes Y Y A. A. No No B. B. Nuclear Weapons 3

Nuclear Weapons Nuclear Weapons Yes Yes Y Y A. A. No No B. B. Nuclear Weapons 3

Nuclear Weapons 1 Nuclear Weapons 2 Introductory Question Introductory Question Is it possible to have 100 tons of plutonium Is it possible to have 100 tons of plutonium and not have it explode? and not have it explode? Nuclear Weapons

529 views • 4 slides
Banning Nuclear Weapons: Labors R ole Presentation by International Campaign to Abolish

Banning Nuclear Weapons: Labors R ole Presentation by International Campaign to Abolish

Banning Nuclear Weapons: Labors R ole Presentation by International Campaign to Abolish Nuclear Weapons (ICAN) NSW Labor Annual State Conference Fringe Program Sunday 14 February 2016 Sydney Town Hall This presentation addresses a crucial

477 views • 3 slides
Look around the neighborhood in which your school sitsDoctors offices, Dentist offices, Urgent

Look around the neighborhood in which your school sitsDoctors offices, Dentist offices, Urgent

Look around the neighborhood in which your school sitsDoctors offices, Dentist offices, Urgent Care, car repair placesdo they all have books for kids in the waiting rooms? What if they dont? Wouldnt it be great if kids read more?

337 views • 30 slides
The Biological Weapons Program of the Soviet Union Submitted by: Milton Leitenberg Senior

The Biological Weapons Program of the Soviet Union Submitted by: Milton Leitenberg Senior

The Biological Weapons Program of the Soviet Union Submitted by: Milton Leitenberg Senior Research Scholar University of Maryland School of Public Policy Center for International and Security Studies 7 May 2014 1 The Biological Weapons

232 views • 5 slides
Motivation (1 of 2) Data are medium-sized, but things we want to compute are intractable,

Motivation (1 of 2) Data are medium-sized, but things we want to compute are intractable,

Motivation (1 of 2) Data are medium-sized, but things we want to compute are intractable, e.g., NP-hard or n 3 time, so develop an approximation algorithm. Data are large/Massive/BIG, so we cant even touch them all, so develop a

321 views • 28 slides
Dual Finite Element Formulations and Associated Global Quantities for Field-Circuit Coupling

Dual Finite Element Formulations and Associated Global Quantities for Field-Circuit Coupling

Dual Finite Element Formulations and Associated Global Quantities for Field-Circuit Coupling Edge and nodal finite elements allowing natural coupling of fields and global quantities Patrick Dular, Dr. Ir., Research associate F.N.R.S. Dept. of

913 views • 31 slides
Monotone Graphical Multivariate Markov Chains Roberto Colombi 1 , Sabrina Giordano 2 1 Dept of

Monotone Graphical Multivariate Markov Chains Roberto Colombi 1 , Sabrina Giordano 2 1 Dept of

Monotone Graphical MMCs Monotone Graphical Multivariate Markov Chains Roberto Colombi 1 , Sabrina Giordano 2 1 Dept of Information Technology and Math. Methods, University of Bergamo - Italy 2 Dept of Economics and Statistics, University of

698 views • 44 slides
Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network

Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network

Maximum Flow Applications Contents Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network connectivity. Bipartite matchings. Circulations with upper and lower bounds. Census tabulation (matrix

492 views • 20 slides
( ) ( ) if = M DFA 1 2 0 , 1 2 0 L ( M ) { 10 } * 2 = 1 q q q 1 2 0 1

( ) ( ) if = M DFA 1 2 0 , 1 2 0 L ( M ) { 10 } * 2 = 1 q q q 1 2 0 1

Review Languages and Grammars Alphabets, strings, languages CS 301 - Lecture 3 Regular Languages NFA DFA Equivalence Deterministic Finite Automata Regular Expressions Nondeterministic Finite Automata Today: Fall 2008

444 views • 11 slides
Results from DoD HPCMP CREATE TM - AV Kestrel for the 3 rd AIAA High Lift Prediction Workshop

Results from DoD HPCMP CREATE TM - AV Kestrel for the 3 rd AIAA High Lift Prediction Workshop

Results from DoD HPCMP CREATE TM - AV Kestrel for the 3 rd AIAA High Lift Prediction Workshop Ryan S. Glasby and J. Taylor Erwin Joint Institute for Computational Sciences, University of Tennessee, Oak Ridge, TN 37831 Timothy A. Eymann United

375 views • 34 slides
Draft Results Review In-person Workshop 10/11/2019 Arne Olson, Senior Partner Gabe Mantegna,

Draft Results Review In-person Workshop 10/11/2019 Arne Olson, Senior Partner Gabe Mantegna,

MN Storage Cost-Benefit Analysis Draft Results Review In-person Workshop 10/11/2019 Arne Olson, Senior Partner Gabe Mantegna, Consultant Agenda 9:05am-9:50am: E3 presentation on study background, methods, and market prices

791 views • 54 slides
Measuring*Pay-Per-Install:** The*Commodi8za8on*of*Malware*Distribu8on* Juan*Caballero,*

Measuring*Pay-Per-Install:** The*Commodi8za8on*of*Malware*Distribu8on* Juan*Caballero,*

Measuring*Pay-Per-Install:** The*Commodi8za8on*of*Malware*Distribu8on* Juan*Caballero,* Chris&amp;Grier ,** Chris8an*Kreibich*and*Vern*Paxson* * IMDEA*SoGware*Ins8tute,*UC*Berkeley,** Interna8onal*Computer*Science*Ins8tute* 2* 3* 4*

624 views • 27 slides

More recommend