Black Hat/DEFCON: The Usual Suspects

July 26th, 2010

Who is Kaiser Soze?

When it comes to Black Hat USA 2010/DEFCON 18, only time will tell who and what becomes legendary, and whatever else represents only myth – as personified by Kevin Spacey’s seminal criminal mind portrayed in the film bearing the same moniker as this blog post.

But, either way, it’s that time of the year again. And everyone, or at least almost everyone who has a recognizable name in the vulnerability research community, is headed back out to Vegas for the Black Hat USA/DEFCON ethical hacking summit.

By this time next week we’ll have heard about an array of amazing new methods for breaking (into) a whole range of assorted technologies – from consumer digital cameras to corporate networking gear, and quite a bit in between.

Some of the same experts we see out there every year will have reinforced their leadership status in the research space, while other newcomers will have surely added their faces to the crowd.

A look at the Black Hat USA and DEFCON agendas surfaces a lot of the big names from years past… from Beaker to Barnaby Jack, to Jeremiah Grossman and Robert Hansen to Dan Kaminsky and Charlie Miller. In no particular order: Chris Paget, Moxie Marlinspike, Ivan Ristic, Mikko H., Adam Shostack, Gunter Ollmann, Dino DV, Cesar Cerrudo, and I could go on. And those well-known names represent only a fraction of the people who are speaking.

As always, Core Security will also have a noticeable presence at the two shows, in the form of multiple research presentations and across many other elements of our business, as well as in the role of a sustaining sponsor.

And not to be forgotten, longtime Core partner Chris Nickerson of “Tiger Team” fame and Lares Consulting will be hosting the “Security B-Sides” conference for its second straight year. Something tells me if you’re hanging out over there you’ll run into a good sized group of our research folks too.

In terms of scheduled speaking engagements, we’ll have Senior Security Consultants Leandro Meiners and Diego Sor with their talk “WPA Migration Mode: WEP Is Back to Haunt You” at Black Hat, which focuses on security issues in Cisco equipment; there will also be Senior Exploit Writers Oren Isacson and Alfredo Ortega with their highly interesting “Exploiting Digital Cameras” presentation going off later in the week over at DEFCON.

Meanwhile, also at DEFCON, the CoreLabs CoreTex Competitions Team will be hosting its “Hiding Backdoors in Plain Sight” competition, which is also available online to those people unable to attend the conference (or unwilling to leave their hotel rooms to do so).

Aside from its sizeable expo floor presence, Core is hosting meetings all week for its customers, business partners and many of the other gathered constituencies, from industry analysts to aspiring employees. There are also the many social events, including Core-sponsored parties – one in partnership with Qualys at Jet, and once again for our customers at Sushi Roku.

Basically there’s enough activity and content packed into Vegas this week to span a few weeks (as duly noted by our longtime PR guy and Black Hat vet Tim Whitman of Schwartz), so the big question is, who will you choose to see, and what will you be forced to read about later?

As any of us who have been going to Black Hat for years can attest, some of this stuff will become myth, some of it legend, with most of it eventually fitting somewhere in between.

Who is Kaiser Soze? Well, as stated, in terms of this year, that remains yet to be seen.

The only way to find out will be to talk to the folks who were really there. Or, at least to read about it.

Check back in this same space sometime next week.

–Matt Hines, Chief Blogger


Rapid Response: Testing for the Microsoft LNK Zero Day

July 20th, 2010

If you’re a member of the IT security community, unless you’ve either been on vacation at the beach or hiding under a rock, you likely haven’t missed the emergence of the critical Microsoft Windows LNK zero day vulnerability first publicized over the weekend.

According to industry watchers including the Internet Storm Center (ISC) – which in a rare move shifted its Infocon threat indicator to yellow, indicating that it is “tracking a significant new threat” – widespread attacks targeting the flaw are already in motion around the globe.

Experts with SANS, the IT security training specialist organization that sponsors the ISC, have also reported that related threats, including those specifically targeting SCADA infrastructure control systems, are rapidly turning up all over the globe, with many more campaigns likely to arrive.

The involved vulnerability affects all versions of Windows, including the latest beta of Windows 7 (SP1), and allows attackers to use a malicious shortcut file, identified by the “.lnk” extension, to automatically execute malware if they can merely lure users into viewing the contents of a folder containing such a shortcut, or get them to plug an infected USB drive into their PC.

I am going to repeat that: “merely lure users into viewing the contents of a folder” – no other action is required by the victim.
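Because the flaw is triggered by Explorer rendering a folder, a defender triaging a removable drive or a share wants to inventory its shortcut files without opening the folder in Explorer at all. The following is an added example written for this page, not Core's code and not part of the original post: a Python parser for the Shell Link binary format (header and StringData fields, laid out as in Microsoft's public MS-SHLLINK specification) plus a directory walker that reports what each `.lnk` would launch. The sample shortcut bytes are constructed inline, and the triage heuristics in `triage()` (flagging executable targets, command-line arguments and icon overrides) are this example's own assumptions about what an analyst wants surfaced.

```python
import os
import struct
import uuid

# Shell Link header constants from the public MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

# LinkFlags bits (subset) that control which optional structures follow the header.
LINK_FLAGS = {
    0x00000001: "HasLinkTargetIDList",
    0x00000002: "HasLinkInfo",
    0x00000004: "HasName",
    0x00000008: "HasRelativePath",
    0x00000010: "HasWorkingDir",
    0x00000020: "HasArguments",
    0x00000040: "HasIconLocation",
    0x00000080: "IsUnicode",
}

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
]

# Extensions this example treats as "launches a program" (heuristic, assumed here).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".ps1"}


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk file; raise ValueError if malformed."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: 2-byte size, then that many bytes
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & 0x02:  # LinkInfo: its first 4 bytes give the whole structure's size
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    is_unicode = bool(flags & 0x80)
    strings = {}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {field} string")
        strings[field] = raw.decode("utf-16-le" if is_unicode else "cp1252")
        pos += nbytes
    return {"flags": [n for b, n in LINK_FLAGS.items() if flags & b],
            "file_attributes": attrs, **strings}


def triage(record: dict) -> list:
    """Return the reasons an analyst should look at this shortcut (heuristics assumed here)."""
    notes = []
    target = record.get("relative_path", "")
    if os.path.splitext(target)[1].lower() in EXECUTABLE_EXTS:
        notes.append(f"launches a program: {target}")
    if record.get("arguments"):
        notes.append(f"passes command-line arguments: {record['arguments']}")
    if "HasIconLocation" in record["flags"]:
        notes.append(f"overrides its icon from: {record.get('icon_location', '')}")
    return notes


def scan_directory(root: str) -> dict:
    """Walk root without Explorer; map each .lnk path to its parsed record or an error."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".lnk"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    try:
                        results[path] = parse_lnk(fh.read())
                    except ValueError as exc:
                        results[path] = {"error": str(exc)}
    return results


def build_sample_lnk() -> bytes:
    """Constructed sample shortcut (not from any real incident) for offline testing."""
    flags = 0x04 | 0x08 | 0x10 | 0x20 | 0x80  # name, relative path, working dir, args, unicode
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # timestamps, sizes, hotkey, reserved
    body = b""
    for text in ("Quarterly report", "..\\tools\\viewer.exe", "C:\\tools", "/silent"):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock closes ExtraData


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, rec in scan_directory(root).items():
        print(path, rec.get("error") or (triage(rec) or "nothing flagged"))
```

Run it against the mount point of a USB drive or a share before anyone browses it in Explorer; the parser only reads bytes and never resolves or executes the link target.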

Long story short, this is a big one, and organizations everywhere are likely scrambling right now to determine whether or not (or most likely where) the vulnerability has left their systems and end users open to a wide range of related threats.

That’s where our latest targeted “Vulnerability Outbreak Alert” response efforts come into play, and we’re proud to say that if you have our CORE IMPACT Pro penetration testing software in place right now, you’re already capable of doing just that.

Zeroing in on Zero Days

Core Security has never pitched itself as a “fix for the zero day problem.” For starters, as our CTO Ivan Arce is always quick to point out, anyone taking a purist view of the concept has to concede that if a flaw is a true zero day by academic standards, it has never been detailed in the public domain, at all.

And when our researchers find something new, for instance, they immediately inform the involved vendor and ask them to find a way to protect their customers ASAP, thereby eliminating the factor of it existing as an unknown/unpatched threat. We do not release an exploit until at least after a patch or workaround has been created, and a related advisory has been distributed.

As a caveat, if attacks are being seen in the wild (again eliminating the purist zero day interpretation), we will move to disclose something new right away and release code to help our customers test their defenses.

Our exploit writers also don’t immediately respond to every zero day vulnerability hitting the wires, as their development cycle is traditionally driven by widespread issues that have already been identified as something our customers are telling us that they want to test for.

But when something this big, which affects so many organizations around the globe, and nearly all of our customers, comes out, they can still push the envelope, and that’s why we hit the “go” button on our Vulnerability Outbreak Alert program, and set the wheels in motion to initiate a rapid response.

Last night the exploit and product development teams in Buenos Aires burned the midnight (and daybreak) oil, and today we’ve got a working exploit loaded into IMPACT Pro for our customers to go ahead and test themselves. To see a video of the exploit in action, click here.

Of course we’d always argue that organizations that are performing ongoing penetration testing would already be best positioned to address such a flaw as they likely already know the ins-and-outs of IT infrastructure far better than those companies who are not. But it will also be vital for users to continue to test the Windows LNK flaw for a while, as it won’t be going anywhere, and even when people have attempted to employ Microsoft’s patch there’s a need to ensure that the fix has taken properly and not introduced additional risks.

It’s true, Core will never be a big “zero day company” but we’ll always keep an eye toward the wires, and more importantly the needs of our installed base, to ensure that we’re helping them address their most critical risks.

If you’re one of those organizations today, avail yourself of the new capability and test any defenses you have put in place to mitigate this vulnerability while you wait for a patch to be released.

And if you’re not, well, maybe you should make sure that you are next time this sort of situation arises.

Be proactive, pen test today.

–Alex Horan, Director of Product Management


Hide and seek the backdoor: Let’s play a game

July 16th, 2010

Backdoors are most often defined in terms of  their creators’ motives.

For starters, a backdoor is said to be a piece of code intentionally added to a program to grant remote control of the program – or the host that runs it – to its author, that at the same time remains difficult to detect by anybody else.

But this last aspect of the definition actually limits its usefulness, as it implies that the validity of the backdoor’s existence is contingent upon the victim’s failure to detect it. It does not provide any clue at all into how to create or detect a backdoor successfully.

Backdoors are of course as old as security audits themselves, and date at least to the days of the security audit report by Karger and Schell on Multics (c. 1974). While some backdoors have been spotted since then, we still know relatively little about how to hide them, as well as how to detect them.

It is not surprising then, that one of the seminal publications in the field by Turing award winner K. Thompson (“Reflections on trusting trust,” in his 1983 Turing lecture) is a fictional story with a moral, and does not include any methodology for successfully hiding or finding backdoors. But Myer’s cry was clear enough 30 years ago: do not neglect attacks originating from (intentionally-embedded) backdoors!

How then, can one be trained to audit code for backdoors? As with security bugs, or bugs in general, the problem of detecting backdoors is “undecidable” and cannot be tackled even in the simplest practical cases. Moreover, since backdoors are inserted intentionally, they are typically more difficult to find. Where things stand today, intention appears to be the main difference between a bug and a backdoor, right?

On the other hand, how can one learn to hide backdoors? A simple recipe would be: learn how all detection procedures work and come up with a backdoor that fools all of them. Yet, the software development lifecycle – and security auditing in particular – are still highly manual tasks, so detection techniques cannot be enumerated – only the manual practices of code inspection can be learned.

Successful backdoor hiding or finding cannot be done analytically (e.g., through algorithms or formal procedures). It can be learned, as an art or a craft. Disappointed scientists can only perform experiments: Do. Gather data. Analyze.

However, engaging in experiments in the form of games may provide this learning experience. It definitely sheds some light in this obscure art. After this brief prolegomenon I state my purpose: I want to help to improve our collective skill-set and our ability to prevent backdoor threats. I want you to play a game and learn, with me, how to hide and detect backdoors.

A few years ago, the CoreTex team did an internal experiment at Core and designed the Backdoor Hiding Game, which mimics the old game Dictionary. In this new game, the game master provides a description of the functionalities of a program, together with the setting where it runs, and the players must then develop programs that fulfill these functionalities and have a backdoor. The game master then mixes all these programs with one that he developed and has no backdoors, and gives these to the players. Then, the players must audit all the programs and pick the benign one.

Each round played, a few new hiding tricks and techniques are introduced. When a backdoor is not discovered, its developer will know that his technique has passed the test. When it is detected by the other players, it’s confirmed that their detection techniques are good. Also, players that fail to detect backdoors learn about their limitations, and developers of backdoors that are discovered learn what techniques do not pass a simple test.

This fun-to-play game invites participants to experiment and learn about backdoors. When we played this game, every player used a different hiding technique. During the game and in its aftermath, we discovered many new hiding techniques.

To take this internal game to the globe and Internet, the CoreTex Competitions Team is launching a contest, The Backdoor Hiding and Finding Contest, to be played online and in the DEFCON 18 conference. Everybody interested is invited to participate in either or both games. Code review tools are invited to participate in the finding contest as well.

The contest will be conducted live over the Internet and all the programs will also be published after the event closes. With this open effort, we can start collecting data. Analysis and understanding will follow.

In any case, if you are going to DEFCON this year: buy the ticket, take the ride.

–Ariel Waissbein, Director of Research and Development


International ISP Standards Could Help Unplug Botnets

July 7th, 2010

Top U.S. cyber-security strategists are considering a move to adopt an emerging set of best practices aimed at helping ISPs better address the issue of pervasive botnets operating across their customer networks. 

This is just the sort of proactive approach that needs to be put into action if infrastructure providers and regulators hope to significantly weaken the hordes of zombie networks currently encircling the globe.

As those who closely follow the world of IT security know all too well, botnets have evolved to become the de facto underground infrastructure that supports cybercriminal activities ranging from DDoS campaigns and malware distribution to so-called hacktivism – another name for politically driven cyber-attacks.

One of the reasons for this ubiquitous use of botnet infrastructure of course is that by employing these networks of infected devices – owned by otherwise innocent bystanders – cybercriminals have been able to make it ever harder for lawmakers and law enforcement agencies to find and prosecute assailants for their nefarious actions.

And while ISPs have long recognized the botnet issue in their midst and sought methods for identifying and staving off the attacks before they can proliferate across their networks and infect customers, clearly these efforts have not had any substantial effect in stomping out the problem in the long term.

Consider that leading industry experts have said in recent days that the botnet style of attack remains “remarkably resilient” as an entry point into corporate systems – and that it will likely become even more ubiquitous as enterprises further embrace technologies including cloud-based services, virtualization and social networks.

At Gartner’s annual Security and Risk Management Summit here in Washington two weeks ago, longtime security industry guru John Pescatore told the assembled crowd that for the next two years we’ll continue to see botnets as the primary mechanism used to deliver “the most damaging attacks” we will see.

Meanwhile, researchers at Georgia Tech’s Information Security Center (GTISC) reported this week that the Kraken botnet – a notorious iteration of the breed that once commanded at least 650,000 infected machines, and subsequently became the focus of aggressive anti-botnet efforts across the security community – has once again begun to regroup itself, growing back to over 318,000 machines.

As it stands we’ve known quite a bit about botnets for many years now, and ISPs have been a focal point for intervention based on their view into larger network behavior, but the reality is that we’re still losing this fight.

Addressing the Problem ISP-Up, from Down Under

Australia hasn’t frequently been called out on the global stage as a world-renowned center for IT security innovation, but in the arena of stomping out botnets – and working with the ISP community to do so – our friends down under have recently made some interesting strides.

Namely, the Australian Internet Industry Association (IIA), along with some influential partners, has created an extensive “e-security code of conduct” which lays out a specific set of best practices for ISPs to follow to help themselves, and the broader community, identify and choke off ongoing botnet attacks while they attempt to proliferate.

A more complete summary of the practices is outlined here, but the program is aimed primarily at arming ISPs and end users with a standardized information resource regarding botnet activity, and a method of reporting ongoing attacks, to help speed and lend consistency to information sharing.

As an added benefit for meeting the program’s guidelines, ISPs that comply with the code, which goes into effect in Australia Dec. 1, earn the right to publicly display a “trustmark” that indicates to customers that they are making their best effort to comply with the higher standards.

And while many onlookers will certainly observe that this level of information sharing is merely a band-aid for a problem that actually requires reconstructive surgery, I’d point to the growing use of similar standards – including the adoption of CVE data in the world of vulnerability reporting – as evidence that adoption of such standards can have a very positive effect. In the government sphere we often talk about improving situational awareness to respond to cyber-threats, and this is just the sort of effort that concept applies to.

The long story short is this: targeting botnet command and control nodes is absolutely critical to disrupting the current ecosystem of the cybercrime shadow economy. We must civilize cyberspace. Governments must help influential constituencies such as ISPs help themselves, and must also do more to actively regulate the alternative payment channels that serve as the money laundry for the cybercrime industry.

Ultimately, the current prevalence of truly pervasive botnets and further commoditization of compromised devices depicts the burgeoning economy of scale that currently exists within the cybercrime community.

ISPs need many new tactics for choking off this problem, but the adoption of Australia’s e-security code of conduct can be a key step in moving U.S. policies in the right direction.

–Tom Kellermann, Vice President of Security Awareness


Of Serious Tests… and Public Launches

June 22nd, 2010

An interesting event occurred on June 17th, 2010 – Boeing completed 1000 hours of testing on its new Dreamliner as the airplane heads towards initial production.

This brought back a fond memory – you see, my first job at a real company was as an intern at Rockwell Collins, which was developing all-electronic control systems for Boeing at the time; and my first job, as an engineering sophomore, was to help to test these control systems.

If you’ve ever walked by an open airplane cockpit and seen the electronic displays with all those complex instruments, you know exactly what systems I’m talking about. Yours truly tested a small piece of them. It was very glamorous and exciting at the time as electronic instrumentation was just being invented.

What I don’t talk about too much is the specific job that I had during this work as an intern. My assignment was to test the software code that computed the basic trigonometric functions on these displays – sine, cosine, tangent, and their inverses. Boeing and the FAA required that you had to test every input value that was capable of generating a unique result – down to 32 bits of floating point precision.

It was not sufficient to test the boundary conditions, and a well chosen set of random values; it was not possible to put a flight at risk because a software glitch caused the software to go into an infinite loop for some particular input value.
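To make the difference between the two test plans concrete, here is an added example (written for this page, not the author's Rockwell Collins code, and not part of the original post) in Python. It treats a single-precision sine routine as the unit under test and enumerates input bit patterns exhaustively, checking an oracle on each (finite input gives a finite result in [-1, 1]; NaN and infinity are handled as such). The full run covers all 2^32 patterns, as the post describes; the constructed `glitchy_sine` stand-in is correct everywhere except at one bit pattern, which is exactly the kind of defect a boundary-plus-random plan will almost never hit and an exhaustive sweep always will. The failure classification and the sub-range used offline are this example's assumptions.

```python
import math
import random
import struct


def bits_to_float(bits: int) -> float:
    """Reinterpret a 32-bit pattern as an IEEE-754 single-precision value."""
    return struct.unpack("<f", struct.pack("<I", bits))[0]


def check_sine(bits: int, sine):
    """Apply the oracle to one input bit pattern; return a failure reason or None."""
    x = bits_to_float(bits)
    try:
        y = sine(x)
    except ValueError:  # CPython's math.sin rejects infinities with ValueError
        return None if math.isinf(x) else "raised on finite input"
    if math.isnan(x):
        return None if math.isnan(y) else "NaN input did not produce NaN"
    if math.isinf(x):
        return None if math.isnan(y) else "infinite input did not produce NaN"
    if math.isnan(y) or math.isinf(y):
        return "non-finite result for finite input"
    if abs(y) > 1.0:
        return "result outside [-1, 1]"
    return None


def exhaustive_check(sine, first_bits=0, last_bits=0xFFFFFFFF, max_failures=10):
    """Enumerate every bit pattern in [first_bits, last_bits] and return the failing ones.

    The defaults cover all 2^32 single-precision inputs, i.e. every input value
    capable of producing a unique result; a sub-range demonstrates the technique offline.
    """
    failures = []
    for bits in range(first_bits, last_bits + 1):
        reason = check_sine(bits, sine)
        if reason:
            failures.append((bits, reason))
            if len(failures) >= max_failures:
                break
    return failures


# Boundary patterns for the weaker plan: zeros, smallest/largest denormal,
# smallest normal, 1.0, largest finite, both infinities, a quiet NaN.
BOUNDARY_PATTERNS = [0x00000000, 0x80000000, 0x00000001, 0x007FFFFF, 0x00800000,
                     0x3F800000, 0x7F7FFFFF, 0x7F800000, 0xFF800000, 0x7FC00000]


def boundary_and_random_check(sine, seed=0, samples=10_000):
    """The plan the post calls insufficient: boundary values plus random inputs."""
    rng = random.Random(seed)
    patterns = BOUNDARY_PATTERNS + [rng.getrandbits(32) for _ in range(samples)]
    failures = []
    for bits in patterns:
        reason = check_sine(bits, sine)
        if reason:
            failures.append((bits, reason))
    return failures


def glitchy_sine(x: float) -> float:
    """Constructed stand-in for the defect class exhaustive testing exists to catch:
    correct everywhere except for the single bit pattern 0x3F800001 (just above 1.0)."""
    if struct.pack("<f", x) == struct.pack("<I", 0x3F800001):
        return 2.0  # impossible for a real sine; a boundary/random plan will not see it
    return math.sin(x)


if __name__ == "__main__":
    # The full sweep of 2^32 inputs takes a while in pure Python; a band around 1.0
    # is enough to show the sweep finding what the sampled plan misses.
    print("boundary+random:", boundary_and_random_check(glitchy_sine))
    print("exhaustive band:", exhaustive_check(glitchy_sine, 0x3F800000, 0x3F80FFFF))
```

The sweep's cost is fixed and known up front (2^32 evaluations per function), which is the trade the post describes: mind-numbing, but it leaves no input untried.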

Much as it was mind numbing work, it taught me that good engineering wasn’t all about inspiration and ravishing design – it was also about a rigorous discipline of testing and measurement. Indeed, as I learned, testing and measurement was a significant element of good design. Working with Boeing personnel at the time, I came to truly admire the way that they practiced engineering.

So, it was great to read about the Dreamliner and that Boeing is continuing its tradition and core competency of testing.

While the testing is obviously very sophisticated and thorough, it occurred to me that as a business traveler, the tests and their results are not consumable by me. As a traveler, I want to know how the deep technical data in the testing correlates to, say, the historical causes of accidents, as documented here – http://www.boeing.com/news/techissues/pdf/statsum.pdf (see slide 23, for example).

In other words, how do I map technical data to various different business impact assessments, so different stakeholders have what they need to make their own decisions?

There are some interesting parallels to consider in the world of IT security.

Real Testing for IT Security

The testing we’ve been doing within the realm of IT security up to this point has also produced limited returns. If you consider Core’s historic lifeblood of penetration testing, for instance, it has had, unfortunately, a limited effect on driving high-level decision making, as results rarely leave the domain of security experts and auditors.

The same can be said of other types of common analysis in our world, from source code analysis (developers) to vulnerability scanning (network management). The parameters and results involved have always been highly specialized. Therefore their results don’t emanate upward, at least not as much as you might think or hope.

This is a recurring theme that I’ve been hearing when speaking to IT security professionals everywhere.

Meanwhile, the technology stack that they’re supposed to secure is getting more complex, more interconnected, and, with cloud computing, more abstract and outside of their administrative control, than ever.

Correspondingly, the sets of technologies and best practices that are being used to secure the IT networks are also getting more complex and interconnected. Today’s testers of IT security also run into internal and external administrative boundaries that constrain them; yet, those same parameters obviously do not constrain the attackers against whom they are trying to provide security in the first place, and this is clearly a serious disadvantage.

And, when they actually attempt to raise the red flag about all the things that they’re finding during testing that they are worried about, it often falls on deaf ears – for the simple reason that no one other than other security professionals, or whoever the experts doing the testing may be, can typically comprehend what they are saying, or understand what the results really mean.

That’s about to change.

Today, we at Core Security launched an innovative new product – CORE INSIGHT Enterprise – that brings the discipline of testing and measurement to the art and science of securing IT systems, and a far broader audience in terms of sharing results.

Based on a combination of fundamental research and our field-proven commercial grade penetration testing engine, this entirely new product allows today’s security officers to test their IT security defenses across the enterprise in a real-world, holistic, manner. A unique, innovative system maps the technical information about IT risk directly to meaningful business data in a manner that the average business unit head can actually understand.

In this way, INSIGHT Enterprise gives you a sophisticated, timely and extremely relevant point of view into the security posture of your IT assets in a way that’s never before been possible.

As we’re still in Beta, it’s obviously fair to say that we’re still in a test phase of our own, but I still think you’ll be impressed with the results.

You can read more about Core Insight Enterprise here: http://www.coresecurity.com/content/CORE-INSIGHT-Enterprise

–Milan Shah, Senior Vice President of Engineering
