09h30 – 10h30 – Accueil – Café

10h30 – 10h50 – Introduction, Éric Freyssinet

250 pax cette année. amphi complet, changement d’ami l’an prochain

Environ 1/3 de résents ne vont pas au FIC, environ 10% son des locaux

10h50 – 11h30 – L’investigation numérique saisie par le droit des données personnelles, Eve Matringe

Première intervention par @evematringe pour des regards croisés loi/judiciaire et technique

RGPD : « Règlement n°2016/679 du Parlement Européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données »

+ Directive 2016/680 : Directive (UE) 2016/680 du Parlement européen et du Conseil du 27 avril 2016 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel par les autorités compétentes à des fins de prévention et de détection des infractions pénales, d’enquêtes et de poursuites en la matière ou d’exécution de sanctions pénales, et à la libre circulation de ces données, et abrogeant la décision-cadre 2008/977/JAI du Conseil

11h30 – 12h10 – Full packet capture for the masses, Xavier Mertens – @XMe

Moloch = Full Packet Capture Framework : https://github.com/aol/moloch

les sondes (sensors) sont installées sur les serveurs dans un docker et envoient leur capture via cron over ssh

#balancetonpcap

12h10 – 12h50 – Analyse des jobs BITS, Morgane Celton et Morgan Delahaye (ANSSI)

https://github.com/ANSSI-FR/bits_parser (bientôt)

12h50 – 14h00 – Pause déjeuner

14h00 – 14h40 – CCleaner, Paul Rascagnères

14h40 – 15h20 – Retour d’expérience – Wannacry & NotPetya, Quentin Perceval et Vincent Nguyen (CERT-W)

15h20 – 16h00 – Pause Café

16h00 – 16h40 – Comment ne pas communiquer en temps de crise : une perspective utile pour la gestion d’incident cybersécurité, Rayna Stamboliyska

16h40 – 17h20 – Wannacry, NotPetya, Bad Rabbit: De l’autre coté du miroir, Sébastien Larinier

17h20 – 18h00 – Forensic Analysis in IoT, François Bouchaud

18h00 – Mot de clôture

In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

Vendors sell SIEM as on-premise software or appliances but also as managed services, or cloud-based instances; these products are also used to log security data and generate reports for compliance purposes.^[1]

Overview

The acronyms SEM, SIM and SIEM have been sometimes used interchangeably.^[2]

The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is known as security event management (SEM).

The second area provides long-term storage as well as analysis, manipulation and reporting of log data and security records of the type collated by SEM software, and is known as security information management (SIM).^[3]

As with many meanings and definitions of capabilities, evolving requirements continually shape derivatives of SIEM product-categories. Organizations are turning to big data platforms, such as Apache Hadoop, to complement SIEM capabilities by extending data storage capacity and analytic flexibility.^[4][5]

Advanced SIEMs have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).

The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005 describes,^[6]

• the product capabilities of gathering, analyzing and presenting information from network and security devices
• identity and access-management applications
• vulnerability management and policy-compliance tools
• operating-system, database and application logs
• external threat data

A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes; as well as providing log auditing and review and incident response.^[3]

Capabilities/Components

• Data aggregation: Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
• Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution^[7]
• Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
• Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.^[8]
• Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.^[9]
• Retention: employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.^[10]
• Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.^[9]

Usage cases

Computer security researcher Chris Kubecka at the hacking conference 28C3 Chaos Communication Congress successful SIEM use cases.^[11]

• SIEM visibility and anomaly detection could help detect Zero-day (computing) or Computer_virus#Polymorphic_code. Primarily due to low rates of anti-virus detection rates against this type of rapidly changing type of malware.
• Automatic parsing, log normalization and categorization can occur automatically. Regardless of the type of computer or network device as long as it can send a log.
• Visualization with a SIEM using security events and log failures can aid in pattern detection.
• Protocol anomalies which can indicate a mis-configuration or a security issue can be identified with a SIEM using pattern detection, alerting, baseline and dashboards.
• SIEMS can detect covert, malicious communications and encrypted channels.
• Cyberwarfare can be detected by SIEMs with accuracy, discovering both attackers and victims.

Today, most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.

In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. Although advancements in machine learning are helping systems to flag anomalies more accurately, analysts must still provide feedback, continuously educating the system about the environment.

Here are some of the most important features to review when evaluating SIEM products:

• Integration with other controls – Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?
• Artificial intelligence – Can the system improve its own accuracy by through machine and deep learning?
• Threat intelligence feeds – Can the system support threat intelligence feeds of the organization’s choosing or is it mandated to use a particular feed?
• Robust compliance reporting – Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new reports?
• Forensics capabilities – Can the system capture additional information about security events by recording the headers and contents of packets of interest?

Pronunciation

The SIEM acronym is alternately pronounced SEEM or SIM (with a silent e).

Magnifique …. Flottes de Combat 1914.  La Préface du Commandant de Balincourt : Priceless !

Chopé sur ebay à un prix raisonnable : 68 €

Le précédent achat remontait au 6 août 2017.

Il ne m’en manque plus beaucoup !

Install MySQL Server

sudo apt-get install mysql-server

During the installation process, you will be prompted to set a password for the MySQL root user as shown below. Choose a strong password and keep it in a safe place for future reference (Why not usin KeePass ?).

mysql-rootpw-debian

MySQL will bind to localhost (127.0.0.1) by default. Then you can connect locally on to your databases.

Allowing unrestricted access to MySQL on a public IP is not advised, but you may change the address it listens on by modifying the bind-address parameter in /etc/my.cnf. If you decide to bind MySQL to your public IP, you should implement firewall rules that only allow connections from specific IP addresses and then you’ll be able to connect using SSH from another computer.

Harden MySQL Server

It’s also a good thing to harden you database server. Fo taht, run the mysql_secure_installation script to address several security concerns in a default MySQL installation.

sudo mysql_secure_installation

You will be given the choice to :

1. change the MySQL root password;
2. remove anonymous user accounts;
3. disable root logins outside of localhost,
4. and remove test databases.

It is recommended that you answer yes to these options.

You can read more about the script in the MySQL Reference Manual.

Using MySQL

The standard tool for interacting with MySQL is the mysql client which installs with the mysql-server package. The MySQL client is used through a terminal. In a very firts time, it’s definitely bad thing to use web GUI to discover mysql functionalities.

Logging as root

1. To log in to MySQL as the root user:

   mysql -u root -p
   

2. When prompted, enter the root password.You’ll then be presented with a welcome header and the MySQL prompt as shown below:

   mysql>
   

3. To generate a list of commands for the MySQL prompt, enter \h. You’ll then see:

   List of all MySQL commands:
   Note that all text commands must be first on line and end with ';'
   ?         (\?) Synonym for `help'.
   clear     (\c) Clear command.
   connect   (\r) Reconnect to the server. Optional arguments are db and host.
   delimiter (\d) Set statement delimiter. NOTE: Takes the rest of the line as new delimiter.
   edit      (\e) Edit command with $EDITOR.
   ego       (\G) Send command to mysql server, display result vertically.
   exit      (\q) Exit mysql. Same as quit.
   go        (\g) Send command to mysql server.
   help      (\h) Display this help.
   nopager   (\n) Disable pager, print to stdout.
   notee     (\t) Don't write into outfile.
   pager     (\P) Set PAGER [to_pager]. Print the query results via PAGER.
   print     (\p) Print current command.
   prompt    (\R) Change your mysql prompt.
   quit      (\q) Quit mysql.
   rehash    (\#) Rebuild completion hash.
   source    (\.) Execute an SQL script file. Takes a file name as an argument.
   status    (\s) Get status information from the server.
   system    (\!) Execute a system shell command.
   tee       (\T) Set outfile [to_outfile]. Append everything into given outfile.
   use       (\u) Use another database. Takes database name as argument.
   charset   (\C) Switch to another charset. Might be needed for processing binlog with multi-byte charsets.
   warnings  (\W) Show warnings after every statement.
   nowarning (\w) Don't show warnings after every statement.
   
   For server side help, type 'help contents'
   
   mysql>
   

Create a New MySQL User and Database

1. In the example below, testdb is the name of the database, testuser is the user, and password is the user’s password.

   create database testdb;
   create user 'testuser'@'localhost' identified by 'password';
   grant all on testdb.* to 'testuser';
   

   You can shorten this process by creating the user while assigning database permissions:

   create database testdb;
   grant all on testdb.* to 'testuser' identified by 'password';
   

2. Then exit MySQL.

   exit
   

Create a Sample Table

1. Log back in as testuser.

   mysql -u testuser -p
   

2. Create a sample table called customers. This creates a table with a customer ID field of the type INT for integer (auto-incremented for new records, used as the primary key), as well as two fields for storing the customer’s name.

   use testdb;
   create table customers (customer_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, first_name TEXT, last_name TEXT);
   

3. Then exit MySQL.

   exit
   

Reset the MySQL Root Password

If you forget your root MySQL password, it can be reset.

1. Stop the current MySQL server instance.

   sudo systemctl stop mysql.serivce
   

2. Use dpkg to re-run the configuration process MySQL goes through on first installation. You will again be asked to set a root password.

   sudo dpkg-reconfigure mysql-server-5.5
   

dpkg will restart MySQL automatically and you’ll now be able to log in again using mysql -u root -p.

Tune MySQL

MySQL Tuner is a Perl script that connects to a running instance of MySQL and provides configuration recommendations based on workload. Ideally, the MySQL instance should have been operating for at least 24 hours before running the tuner. The longer the instance has been running, the better advice MySQL Tuner will give.

1. Install MySQL Tuner from Ubuntu’s repositories.

   sudo apt-get install mysqltuner
   

2. To run it:

   mysqltuner
   

   You will be asked for the MySQL root user’s name and password. The output will show two areas of interest: General recommendations and Variables to adjust.

MySQL Tuner is an excellent starting point to optimize a MySQL server but it would be prudent to perform additional research for configurations tailored to the application(s) utilizing MySQL on your Linode.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

• MySQL 5.5 Reference Manual
• PHP MySQL Manual
• Perl DBI examples for DBD::mysql
• MySQLdb User’s Guide
• MySQL Tuner Tutorial

exemple de recherche

Ngram Viewer est une application linguistique proposée par Google, permettant d’observer l’évolution de la fréquence d’un ou de plusieurs mots ou groupe de mots à travers le temps dans les sources imprimées (numérisées par Google).

L’outil est entré en service en 2010 et n’a malheureusement plus été mis à jour depuis 2013.

Le terme Ngram désigne dans ce contexte une suite de « n » mots¹, ce qui n’est lié que faiblement à la notion de n-gramme.

L’outil Ngram de Google repose sur la base de données textuelles de Google Livres. Les textes issus de Google Livres sont classés en fréquence de séquences de mots (appelées ngrams) par année d’édition, chaque séquence de mots est alors affectée d’un « poids ».

Lorsque l’utilisateur demande une comparaison de plusieurs séquences de mots, l’outil trace alors des courbes permettant de comparer leur fréquence d’usage au cours du temps.

Un exemple de recherche via ce lien et pour les amoureux du Google Search, le détail d’une requête constitutive :

https://www.google.fr/search?

q=%22european+union%22&

tbm=bks&

tbs=cdr:1,cd_min:2000,cd_max:2000&

lr=lang_en

&gws_rd=cr

&dcr=0

&ei=QtpNWrHdB8zUkwWtoKGIBg

14/12/2017

France Culture : L’Invité des Matins (2ème partie) par Guillaume Erner  (24min)
Neutralité du net, hégémonie des GAFA : la démocratie prise dans la toile (2ème partie)

Avec Benjamin Bayart et Sébastien Soriano

https://www.franceculture.fr/emissions/linvite-des-matins-2eme-partie/neutralite-du-net-hegemonie-des-gafa-la-democratie-prise-dans-la-toile-2eme-partie

Podcast France Culture

Kubernetes

Kubernetes is Google’s open source system for managing Linux containers across private, public and hybrid cloud environments.

<wikipedia> Kubernetes (commonly referred to as « K8s ») is an open-source system for automating deployment, scaling and management of containerized applications that was originally designed by Google and donated to the Cloud Native Computing Foundation. It aims to provide a « platform for automating deployment, scaling, and operations of application containers across clusters of hosts ». It supports a range of container tools, including Docker.</wikipedia>

Kubernetes automates the deployment, scaling, maintenance, scheduling and operation of multiple application containers across clusters of nodes. Kubernetes contains tools for orchestration, service discovery and load balancing that can be used with Docker and Rocket containers. As needs change, a developer can move container workloads in Kubernetes to another cloud provider without changing the code.

With Kubernetes, containers run in pods. A pod is a basic unit that hosts one or multiple containers, which share resources and are located on the same physical or virtual machine. For each pod, Kubernetes finds a machine with enough compute capacity and launches the associated containers. A node agent, called a Kubelet, manages pods, their containers and their images. Kubelets also automatically restart a container if it fails.

Other core components of Kubernetes include:

• Master: Runs the Kubernetes API and controls the cluster.
• Label: A key/value pair used for service discovery. A label tags the containers and links them together into groups.
• Replication Controller: Ensures that the requested numbers of pods are running to user’s specifications. This is what scales containers horizontally, ensuring there are more or fewer containers to meet the overall application’s computing needs.
• Service: An automatically configured load balancer and integrator that runs across the cluster.

Containerization is an approach to virtualization in which the virtualization layer runs as an application on top of a common, shared operating system. As an alternative, containers can also run on an OS that’s installed into a conventional virtual machine running on a hypervisor.

Containers are portable across different on-premises and cloud platforms, making them suitable for applications that need to run across various computing environments.

Kubernetes is mainly used by application developers and IT system administrators. A comparable tool to Kubernetes is Docker Swarm, which offers native clustering capabilities.

Météo :

3 sources pour essayer de fiabiliser le truc (et se faire des faux espoirs et frayeurs avant noël)

Météociel

Météociel

Météofrance

Meteociel

Météoblue

MétéoBlue

Trafic :

Par ou y aller ? Trois possibilités (depuis Lyon) :

1. Le Lautaret : C’est la voie royale. La plus courte, la plus rapide, la moins chère. Col vraiment facile, suivre direction depuis Grenoble. Attentions dès que les conditions sont pourries, le col est fermé.
2. Grenoble-Gap-Briançon : c’est souvent la pire solution au moment des chassé-croisés des vacances scolaires; Outre le fait que c’est le trajet le plus long (compter 4h30 si circulation OK), dès que la neige apparait, l’Argentière et le col Bayard sont bien merdiques.
3. Le Tunnel du Féjus : petit détour par l’Italie, vous y laisserez quelques plumes car le passage coûte 44,90 € + autoroutes françaises à suivre. Attention, deux points de vigilance la gendarmerie vous obligera certainement à chaîner au pied du Col de Mongenèvre (même si vous avez 4 pneus contact – sauf pour le 4×4). Ensuite, il vous faudra parfois 2h30 pour parcourir les 3 derniers kilomètres avant le tunnel

Les cams :

1. La Cucumelle (Monetier)
2. Ratier (Chantemerle)
3. Le Lautaret
4. Le Bachas / Flocon

Divers :

1. les remontés mécaniques : abominable, le forfait semaine pour tout le domaine (Monet, La Villeneuve, Chantemerle, Briançon) coûte vraiment une blinde : 250 € !!!
2. les sorties (ski … pas tatapoum) : ESF Monet, possibilités de cours classiques (bien pratique pour les branlos qui s’imaginent en Luc Alphand et finissent en barquette) et sorties découvertes/hors piste à la journée. Là aussi ça vous coûtera une blinde: 233 € pour les Team Riders (programme mixte piste / free style / hors piste / Fleche 9h00 -13h00 /  jours – génial pour vos petits furieux), 166 € pour 5 x 2,5h de cours adulte classe 4, 85 € pour sortie à la journée

Encore une bien belle semaine de glisse et de gamelles à Monet’

Retour de la bonne poudreuse pour cette édition 2017. Des cris, des rires, du stress, des chants (de MwakaMoon à Opium… kamem)  … et quelques larmes ! On a dopé notre hématopoïèse, fabriqué du rouge (des globules … et on en a bu aussi, en pichet) et retrouvé quelques muscles oubliés.

On ne félicite pas notre hôte pour ce mémorable réveillon de noël : panini/ coca sur une aire d’autoroute.

De trop bons moments avec Nico B. et Raph (trop bien à la Raphalakart …) pour les 2 apprentis riders (J & P).

Une journée hors-piste mémorable avec Louis-Paul, pour le vieux-aux-jambes-toutes-molles entre les Lauzières et le Clot Gauthier. Bref, l’ESF SerreChe-Monetier ça reste trop la base !!!

De bien pénibles galères sur la route pour rentrer vers la Bretagne via Le Frejus / Mongenèvre et un paquet de €€€€€ cramés. Y’a plus qu’à retourner bosser …

Souvenir de la cam de la Cucumelle le 25/12/2017 à 15h20

Rdv à SerreChe le 23/12/2018 !

Déjà hâte d’y être …

Bonne année 2018

Team 2017

Where is my car ?

Italian joke

Dream Team

Ready to go (back home)

Soleil avant la neige

Sortie poudreuse

Capture du 2017-12-25 à 15h20