Are you disappointed to know that your tool is being used offensively around the world?
The first time Mimikatz was used publicly was during the DigiNotar case [1]. In hindsight, if we find a weakness we also need visibility to change things. In particular, Windows changed its strategy "thanks" to exposure to Mimikatz, including with its largest customers. The use of Mimikatz is not the real problem: it highlights underlying problems on information systems, because being able to "run" an executable on a terminal proves a greater problem.
Do you think that after the malicious use of Mimikatz, Microsoft regrets not having admitted that it was a breach in their security?
No. There was no major change at the time but the release of Windows 10 made it possible to have greater security.
Are there other Mimikatz planned for the future?
No, there is only one Mimikatz. It’s currently in version 2.1, and there will be no major developments because Mimikatz follows Microsoft developments.
Do you think you will recode Mimikatz in a higher-level language like C# (and take the opportunity to provide true documentation)?
There is no real documentation but there is a wiki that is now available in English. To understand a Windows system, you need to be at the same level, so C is preferable for authentication engines, even though this forces us to live dangerously using pointers!
To what extent can an open-source cyber weapon be published in France? Is legislation different for post-exploitation and hacking tools?
This isn’t very clear in France. Even binary reverse engineering is unclear at the legislation level. Publishing on an exploitation could be problematic. But in the case of Mimikatz, it is post-exploitation; we don’t take advantage of loopholes but just the Windows architecture.
What’s your opinion on future types of virus?
We no longer talk about viruses, but malware or APT! Some are truly specific frameworks that have the capacity to destroy an entire IS. But most are just simple spy droppers, generating advertising revenue or ransomware.
Is IoT truly the fight of the future?
IoT is just a commercial term, and has existed for a long time. We didn’t wait for the invention of this term to connect something other than computers to networks.
What do you think is most vulnerable: Linux, Mac OS or Windows?
Windows is currently one of the most secure. At least, Microsoft is making a real effort. One simple example that I demonstrated at NoSuchCon: with a Mac, you can do a dump on all Kerberos tickets with a few lines of Bash script without having administration rights. Apple focusses its security more on protecting its equipment and intellectual property. With Linux, you can do anything if you’re administrator; there are no brakes.
How would you rate France’s position as a cyber world power?
We’re pretty good, especially in cryptology and innovations. But we’re very discreet and don’t communicate much/enough on what we're doing.
How do you train/inform yourself?
I attend a lot of conferences like BlackHat, which also lets you share knowledge. Otherwise, I use Twitter, since a large part of the InfoSec community is on it, and I use my network to share information.
What are the technical challenges in your work at the Banque de France?
There are many. The biggest challenge is to gain a sufficient level of abstraction to help people understand, because the issues are often very technical.
[1] DigiNotar was a root certification authority. In 2011, it was the victim of an attack that compromised all certificates issued to that point, because it was impossible to distinguish legitimate certificates from illegitimate ones. DigiNotar went bankrupt as a result of this attack.