Author Archive

Alex Horan

Alex Horan is a Senior Product Manager for Core Security Technologies. Previously he ran the System Engineering team at Core Security Technologies, helping to provide training and customer support services to CORE IMPACT's user base. Alex has over 12 years of experience working with both software and hardware-based security tools. He brings a deep knowledge and understanding of vulnerability assessment and penetration testing, as well as systems and network administration and auditing, to his work at Core. Alex has previously worked for mid and large-sized companies, helping to design and maintain their security posture.

Rapid Response: Testing for the Microsoft LNK Zero Day

Tuesday, July 20th, 2010

If you’re a member of the IT security community, unless you’ve either been on vacation at the beach or hiding under a rock, you likely haven’t missed the emergence of the critical Microsoft Windows LNK zero day vulnerability first publicized over the weekend.

According to industry watchers including the Internet Storm Center (ISC) – which in a rare move shifted its Infocon threat indicator to yellow, indicating that it is “tracking a significant new threat” – widespread attacks targeting the flaw are already in motion around the globe.

Experts with SANS, the IT security training specialist organization that sponsors the ISC, have also reported that related threats, including those specifically targeting SCADA infrastructure control systems, are rapidly turning up all over the globe, with many more campaigns likely to arrive.

The involved vulnerability affects all versions of Windows, including the latest beta of Windows 7 (SP1), and allows attackers to use a malicious shortcut file, identified by the “.lnk” extension, to automatically execute malware if they can merely lure users into viewing the contents of a folder containing such a shortcut, or get them to plug an infected USB drive into their PC.

I am going to repeat that: “merely lure users into viewing the contents of a folder” – no other action is required by the victim.

Long story short, this is a big one, and organizations everywhere are likely scrambling right now to determine whether or not (or most likely where) the vulnerability has left their systems and end users open to a wide range of related threats.

That’s where our latest targeted “Vulnerability Outbreak Alert” response efforts come into play, and we’re proud to say that if you have our CORE IMPACT Pro penetration testing software in place right now, you’re already capable of doing just that.

Zeroing in on Zero Days

Core Security has never pitched itself as a “fix for the zero day problem.” For starters, as our CTO Ivan Arce is always quick to point out, anyone taking a purist view of the concept has to concede that if a flaw is a true zero day by academic standards, it has never been detailed in the public domain, at all.

And when our researchers find something new, for instance, they immediately inform the involved vendor and ask them to find a way to protect their customers ASAP, thereby eliminating the factor of it existing as an unknown/un-patched threat. We do not release an exploit until at least after a patch or workaround has been created, and a related advisory has been distributed.

As a caveat, if attacks are being seen in the wild (again eliminating the purist zero day interpretation), we will move to disclose something new right away and release code to help our customers test their defenses.

Our exploit writers also don’t immediately respond to every zero day vulnerability hitting the wires, as their development cycle is traditionally driven by widespread issues that have already been identified as something our customers are telling us that they want to test for.

But when something this big comes out, affecting so many organizations around the globe and nearly all of our customers, they can push the envelope, and that’s why we hit the “go” button on our Vulnerability Outbreak Alert program and set the wheels in motion to initiate a rapid response.

Last night the exploit and product development teams in Buenos Aires burned the midnight (and daybreak) oil, and today we’ve got a working exploit loaded into IMPACT Pro for our customers to go ahead and test for themselves. To see a video of the exploit in action, click here.

Of course we’d always argue that organizations that are performing ongoing penetration testing would already be best positioned to address such a flaw as they likely already know the ins-and-outs of IT infrastructure far better than those companies who are not. But it will also be vital for users to continue to test the Windows LNK flaw for a while, as it won’t be going anywhere, and even when people have attempted to employ Microsoft’s patch there’s a need to ensure that the fix has taken properly and not introduced additional risks.

It’s true, Core will never be a big “zero day company” but we’ll always keep an eye toward the wires, and more importantly the needs of our installed base, to ensure that we’re helping them address their most critical risks.

If you’re one of those organizations today, avail yourself of the new capability and test any defenses you have put in place to mitigate this vulnerability while you wait for a patch to be released.

And if you’re not, well, maybe you should make sure that you are next time this sort of situation arises.

Be proactive, pen test today.

–Alex Horan, Director of Product Management


I Can Hear You Now: IMPACT Pro v10.5 – The People’s Version

Wednesday, April 21st, 2010

For those of you who have met me in person at the hundreds (thousands?) of events and conferences that I’ve attended during my years at Core, you likely already know that my preferred mode of communication is to listen to what others are talking about rather than to try to convince them that my view of the world is “how it is.”

Following suit, in CORE IMPACT Pro v10.5 we’ve added a number of capabilities that people have specifically told us would be important to them; capabilities that enable them to meet the true promise of IMPACT Pro and allow their organizations to quickly assess the security posture of an environment, and accurately report both their current standing, as well as how that posture may have changed over time.

Of these additions, the functionality that has generated the most excitement is the new integration offered between IMPACT Pro and the Metasploit Framework. Considering that Metasploit has been around almost as long as IMPACT Pro has been available, it’s no surprise that our customers have asked for us to make it easier to use Metasploit alongside IMPACT Pro.

The Meterpreter plugin now allows our customers to easily deploy an IMPACT Pro Agent onto any machine that they have gained access to via Metasploit. And for those customers who simply want to run Metasploit alongside IMPACT Pro, they can now have the Attack and Penetration Wizard call and run Metasploit’s db_autopwn feature directly from our product.

Continuing the theme of extending the way that IMPACT Pro interacts with the many other security applications and tools employed by our users is a newly added ability to export our results in Security Content Automation Protocol (SCAP) format.

This standard language for communicating information about a machine – and the actual vulnerabilities present on that machine – allows any system that can report or act on such information to more easily understand the results of an IMPACT Pro test.

Also count among the new methods of exporting data from IMPACT Pro our added delivery of an integration with vulnerability assessment specialist Qualys’ PCI Connect SaaS Platform.

And for our friends who work in the public sector, the change of agent encryption to the AES standard will also prove handy for those specifically bound by FIPS-140.

Supplementing these additions driven directly by my time spent talking to people working to secure their environments or measure the security of their environments are the IMPACT Pro usage stats that a growing number of our customers have chosen to share with us in an anonymous fashion.

By analyzing this data we’re beginning to draw some interesting conclusions about just how people utilize IMPACT Pro and the state of the world as seen by penetration testers using the product.

With IMPACT Pro v10 we began sharing this data back to those customers who are sending their testing information to help them better understand how their testing practices and results stack up compared to the rest of the participating customer community.

With v10.5, we’ve now added the ability for organizations to tell us what industry they belong to – so now you can use this feature to see just how you compare to other IMPACT Pro users from within your specific area of business.

Speaking of community, this month marks the one year anniversary of the formalized Core Customer Community (CCC) program. For those of you who best know Core (and myself), you know that our customers have always been very important to us in terms of driving our overall development plans.

Over the past year we’ve held 19 individual CCC events at which we’ve been able to meet with over 200 users from within more than 130 different customer accounts to talk to them about IMPACT Pro and how it fits into their overall security strategy.

This has pushed us to introduce the over 200 other enhancements arriving in v10.5, including the availability of vulnerability CVSS scores, new e-mail domain and address gathering capabilities from social network sites, more resilient agent “keepalives” and some scheduler improvements – along with countless numbers of other user-driven improvements that we know will help IMPACT Pro provide even more value.

So, can I hear you now? Quite simply, yes, and the proof is in the product, so check it out for yourself and let us know what you think. I for one feel that more than ever this attentiveness shows in what we’ve delivered in IMPACT Pro v10.5, and I look forward to continuing the conversation.

-Alex Horan, Product Management Director


Tracing Gonzalez’ Footsteps: Exploiting “Low-Risk” SQL Injection

Friday, September 4th, 2009

Here’s what we need to learn from the many crimes of Albert Gonzalez unwrapped in the federal indictments pending against him for allegedly breaking into the networks of several giant corporations and stealing mountains of their most closely-guarded electronic data – sometimes what appears to be your least critical IT vulnerability, from a business perspective, might prove to be the one that gets you.

(And why most organizations, based on that reality, need to find a more efficient manner of understanding the implications of individual vulnerabilities to better assess their overall level of IT risk.)

In the case of the much maligned Heartland Data Systems, this scenario is exactly what appears to be what did them in, at least based on the charges leveled at Gonzalez and some of his unidentified (and yet-to-be incarcerated) “business” partners.

For these companies, which were already spending copious amounts of time and money trying to protect their customers’ credit card information, it looks as if Gonzalez et al were able to identify flaws that did not by themselves expose protected data – and as a result likely received less attention from risk assessors than other vulnerabilities – and then leverage those “low-priority” weak points to tunnel deeper into the businesses’ most sensitive networks and databases.

The real irony is that, since they’d already been certified as compliant with the Payment Card Industry (PCI) Data Security Standard – a set of data security regulations required by the world’s largest credit and debit card providers, these organizations almost certainly had the information that would have helped them figure out just how someone like Gonzalez could do exactly what he did in their hands – they just didn’t have the right filter through which to translate it to show them just what was indeed possible.

These companies had been compelled to conduct fairly thorough vulnerability scanning of their networks and even some penetration testing, as these are processes required under PCI, but couldn’t see through the data to identify the broader risks.

The Problem With Most Risk Assessments

As I recounted this story during a Webcast that Core Security hosted for roughly 1,000 attendees yesterday, many of the security auditors that I speak to can cite stories similar to the fate that befell the companies compromised by Gonzalez: auditors have identified a vulnerability that allows some level of access to a server or data that is of little value to the organization, and the business focuses on the value of the data exposed, but ends up paying for that mistake.

The pain the auditors express to me is in finding a way to convince IT and business management that this issue should not be examined in a vacuum (and as a result be given a low risk rating) but be seen in the context of the network as a whole.

Fortunately for those auditors armed with IMPACT Pro, they can produce an attack graph that diagrams just how a single vulnerability often exposes other parts of the network, and try to use that to convince decision makers what they really need to do to prioritize risks.

And I’d argue that this example provided by Gonzalez is a virtual template for most of the successful data theft incidents that we’re seeing throughout corporate and government IT environments today.

Because of the pervasiveness of security vulnerabilities, particularly in newer technologies such as Web applications, and the intrinsic interconnectivity of IT systems, attackers are able to find small fissures in organizations’ security perimeters and then use those weak points to eventually get their hands on their most valuable electronic assets.

In illustrating the specific SQL injection and escalation techniques employed by Gonzalez in his campaigns utilizing our flagship penetration testing solution, IMPACT Pro, and demonstrating precisely how these actions can be carried out using the product’s patented agent technology – which allows testers to exploit a single vulnerability and then pivot internally using other vulnerabilities resident across Web applications, networks and endpoints – I think we also provide the strongest case for the incredible strategic value that our technology provides to its users.

By going one step further and performing penetration tests against those vulnerabilities discovered during the PCI assessment process using a system like CORE IMPACT that allows you to understand how a low-level SQL injection vulnerability in your Web application can provide attackers with subsequent access to your most closely protected databases, the organizations targeted by Gonzalez could have sorted through their security data and gotten a much clearer view of their most critical risks before these types of electronic data catastrophes ever occurred.

Again, for those of you who didn’t see the Gonzalez webcast, you can find it here.

-Alex Horan, Product Management Director


The Thing with Zero Days…

Friday, May 8th, 2009

People frequently ask us at security conferences, or during product demos: “What does CORE IMPACT do to help customers address zero-days?”

Zero days are an interesting topic to consider, one where I believe there is still some misunderstanding of the actual phenomenon, though it’s clearly an area of IT risk that a lot of people are talking about.

I assume that people are concerned with this issue because they’ve been hearing about malware campaigns that target vulnerabilities that no one has reported publicly before the attacks are discovered. That’s the true definition of a “zero-day” flaw – one that was unheard of, and therefore un-patched, before it was found in the wild.

However, some people confuse known vulnerabilities that haven’t been patched, or those that haven’t previously been used in attacks, as falling under the zero-day umbrella. That’s not the case, as anything that’s been reported, whether it’s been fixed or remains unfixed, has already been elevated beyond true zero-day status.

So, to the question, “does CORE IMPACT test for zero days?” The answer is no, but only because we embrace public disclosure, not because we aren’t working to keep our users ahead of new threats. With known issues that remain un-patched, or those that are simply new to the malware community, we’ll always try to have working exploits.

With true zero-day vulnerabilities uncovered by CoreLabs, our first action will always be to contact the involved vendor to tell them everything we know about the problem – and to help in the timely development of a solution for vulnerable users.

The existence of the problem, along with all the details necessary to understand its risk and to obtain and deploy a solution must be disclosed to all affected users, as well as other stakeholders.

And at that point, it’s no longer a zero day.

In the real world vulnerabilities are exploited whether they are publicly disclosed or not, and attackers pick those they use based on their potential value and “return on investment.”

One of the biggest advantages of embracing public disclosure is that by informing everyone about known issues, this effectively turns a zero day into a known commodity and increases its “decay rate,” thereby decreasing its malicious value.

This highlights one of the main reasons that Core is in business today – because we can level the playing field for organizations when it comes to issues like zero day vulnerabilities by arming them with the same information that people are using to create electronic attacks.

Vendors and customers need to be informed of new security vulnerabilities ASAP to educate the vulnerable population about problems and provide them with sufficient information to make informed decisions about managing risk.

In cases when a vendor delays publication of an advisory or patch beyond reasonable expectations, or enough information becomes public for in-the-wild exploitation – including the release of any so-called “silent patches” – we are forced to release our security advisories and exploit code to customers so that they can test workarounds and defenses against any emerging threats.

As vendors prepare their solutions, our developers are already building and testing exploits addressing the involved vulnerabilities so our customers can ensure that they’re protected as soon as problems go public.

So, does Core release zero days? The simple answer is that we do not. The moment our researchers discover a new vulnerability we report it to the vendor and begin leading the process to help everyone become informed of and protected from the issue.

While not everyone in the community shares this approach, to us, it’s just the best way to do business.

-Alex Horan, Senior Product Manager