Archive for the ‘Conferences’ Category

Black Hat USA 2009 – Vulnerabilities and Exploits Abound

Wednesday, July 29th, 2009

As always, the Black Hat USA Conference promises to deliver an avalanche of cutting-edge IT vulnerability and exploit research in 2009, and Core Security Technologies experts will be on hand both to surface their own new findings and to absorb as much as possible of the intelligence provided by our many colleagues, partners and peers across the industry who are participating in the show.

Our CEO Mark Hatton also called out a number of the customer-oriented events that Core is sponsoring at the hacking summit in his blog post last Friday.

At first glance, the 2009 iteration of Black Hat would appear to offer a particularly sizeable array of presentations that are certain to strike a chord with our customers and with other people interested in, or operating in and around, the penetration testing space.

Of course, after drawing widespread interest with their advanced BIOS security research at the increasingly influential CanSecWest conference this Spring, some of our CoreLabs researchers will again take the stage at Black Hat to present some truly chilling discoveries that could affect millions of mobile computer users worldwide.

As a follow-up to CoreLabs’ Cisco IOS rootkit presentation at Black Hat 2008, the findings that Core exploit writers Alfredo Ortega and Anibal Sacco will present on Thursday will, we feel, be among the most compelling reports of the entire week.

At the same time, it’s hard to ignore some of the other truly intriguing talks scheduled to begin Wednesday morning, when Black Hat opens its briefings track alongside the training programs that are already in progress. Along with the predictable array of eye-opening Black Hat presentations planned by highly recognizable industry researchers and experts, there will be a number that address issues of direct interest to the vulnerability analysis and penetration testing sector.

A Pen Tester’s Buffet

Among the planned talks that appear most relevant to pen testers are those to be given by:

-Michael Eddington, who will address the notion of “Demystifying Fuzzers” as he reviews a number of both the commercial and open source fuzzing tools available on the market today and provides insight into their different strengths and use cases.

-Stefan Esser, who will talk about post-exploitation techniques for pen testers working in hardened PHP environments, including the challenges arising from the different protection mechanisms for PHP shellcode and the internal PHP memory structures that must be understood to write stable local exploits.

-Riley Hassell, who will present on the topic of “Exploiting Rich Content” and show how vulnerabilities found in many advanced Internet applications can be used to carry out attacks.

-Vincenzo Iozzo and Charlie Miller, who will discuss the “jailbreaking” of mobile devices, including Apple’s iPhone, and running high-level payloads on phones by defeating code signing protections after exploitation, thereby improving the efficiency of such efforts.

-Mike Kershaw, who will speak about techniques for “hijacking” clients on Wi-Fi networks from within the Metasploit Framework (MSF), and demonstrate client attacks against popular Web sites by poisoning the TCP stream, feeding MSF payloads to clients, and modifying previously transmitted TCP streams.

-Felix “FX” Lindner, who will focus on “Router Exploitation” and how the art of pen testing of networking equipment has evolved over the recent past to its present state, including via attacks on Cisco equipment. Hello Cisco IOS Rootkit!

-Moxie Marlinspike, who will share “More Tricks For Defeating SSL” during pen testing and highlight new tools and tricks aimed at various points of communication using SSL technology and attacks on SSL/TLS connections themselves.

-John McDonald and Chris Valasek, who will offer practical tips for carrying out Windows XP/2003 heap exploitation, specifically techniques for attacking application data and heap metadata, as well as tactics for creating predictable patterns in heap memory so that rogue data structures can be supplied as part of exploitation.

-Charlie Miller and Collin Mulliner, who will outline how to find vulnerabilities in smart phones using fuzzing techniques and present tactics which allow researchers to inject SMS messages into iPhone, Android, and Windows Mobile devices.

-Michael Tracy, Chris Rohlf and Eric Monti, who will discuss the use of Ruby by pen testers, including everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications.

Use of the Metasploit open source pen testing framework has also gained its own presentation track at Black Hat 2009, with a number of different talks planned.

So, considering that there will also be pen testing content at the Defcon show later this week and at the concurrent, alternative Security B-Sides conference (launched to give a platform to researchers who didn’t make the cut at Black Hat), there should be no shortage of great intelligence to tap into this year.

Now, good luck finding the time to see them all, or even half of them.

And I’ll be manning the booth for Core, so stop by and say hello if you’re here on site.

-Matt Hines, Chief Blogger


Core Ready to Put On its Black Hat

Friday, July 24th, 2009

It’s hard to believe that an entire year has passed since the ethical hacking community last convened amid the neon lights and desert sands of Las Vegas for the annual Black Hat convention, but here we are with just days left to go before the show kicks off again.

A year ago, I’d only been working in this corner of the IT security market for several months and Core Security was using Black Hat to re-launch our entire company and rebrand our CORE IMPACT automated penetration testing solutions. Now, on the eve of Black Hat USA 2009, a great deal has changed for both our business and the industry at large.

What remains the same about Black Hat is the incredible opportunity available for us to get in front of our peers in the security software and research sectors, and of course, the many organizations sending their employees to attend and hear about the fascinating new technical discoveries and product innovations that highlight the continued evolution of our market.

Looking back at the news that has come out of previous Black Hat shows, generated both by Core and its many colleagues in the industry, it’s clear that with each year the conference only becomes more mainstream and relevant to a wider audience – mirroring the maturation of ethical hacking, and in our case, the penetration testing solutions space, itself.

And it seems that 2009 will only see this trend continue. Perhaps the best evidence of the increasing acceptance and adoption of the critical IT security processes we address came in June when Jeff Moss, founder of Black Hat and Defcon and an ethical hacker himself, was sworn into the Homeland Security Advisory Council, which provides recommendations directly to Secretary of Homeland Security Janet Napolitano.

While we’d argue that our space, and the Black Hat community itself, have been embraced broadly by customers and experts, including the news media, for many years now, Mr. Moss’ appointment is about as high-profile an endorsement of the value we in this community provide as anyone could conjure.

Black Hat Remains at our Core 

For Core, Black Hat 2009 represents the culmination of many different efforts that highlight the rapid evolution and maturation of our company and its market space.

In addition to our traditional role in presenting research to Black Hat attendees, with researchers Alfredo Ortega and Anibal Sacco planning to reveal some truly eye-opening discoveries, Core is using this year’s conference to engage with our customers and users in a number of exciting new ways.

First off, Core will be meeting with a select group of senior executives representing our largest and most dedicated clients to launch its new Customer Advisory Board (CAB). This initiative likely represents the realities of where our company is moving more than any other planned Black Hat activity as we advance our enterprise relationships with influential end users, and seek their guidance in furthering the development of our products to meet their most significant security needs.

A second element of this effort around strengthening ties with our users will be found in the largest meeting yet of our existing Core Customer Community (CCC), which will be focused on getting feedback on our products from many more of the people using them in the trenches today.

I’m also proud to announce that Core will be launching its first official certification program for CORE IMPACT users, and another aimed at trainers who teach others how to best use our products in the field. This ties right back into the other efforts that I’ve listed. To be successful tomorrow, we must better communicate and engage those people driving our business today. Ensuring that users get the most out of our technologies via formalized training is one of the best ways that I can think of to realize that goal.

Finally, we’ll also be holding our second annual party for users and business partners, another important group with whom we’ll be meeting and communicating with at the show.

Considering everything that we’ve got scheduled, 2009 represents without question the biggest presence that Core Security has ever had at Black Hat, so it’s hard not to get excited to fly out there and get everything underway.

I hope to see many of you there.

-Mark Hatton, President and CEO


Inside is the New Outside

Friday, May 29th, 2009

Client-side attacks are dominating when it comes to organizations’ top security concerns these days, and the only way to step up and ensure that your organization is protected is to go on the offensive and test your end users. 

This year at the RSA conference, Core Security held a user group meeting to help us gain a better understanding of our customers’ thoughts on the current state of IT security and to talk about their primary areas of concern.

During the discussion, one of our customers relayed the results of using CORE IMPACT Pro to conduct an internal client-side penetration test against their own end users: 85 percent of them clicked on the link provided in the email-borne assessment. Obviously that number is very high, and the e-mail had been crafted to mimic a spear-phishing attempt.

However, after conducting new security education programs for its users based on the client-side testing results, training that highlighted the danger of clicking on links without first verifying their legitimacy, the organization followed up with another client-side pen test in which only 5 percent of the targeted audience clicked on the link provided.

Now those are some impressive results.

Yet it only takes one person to compromise your entire network, so even though 5 percent is worlds better than 85 percent, the follow-up test shows that organizations need to keep working diligently to effect significant changes in their end users’ behavior.

You can be as diligent as you want and as paranoid as your firewalls, but in the end, no matter how much you patch and harden your systems, client-side attacks will continue to succeed unless you go to greater lengths to secure the inside of your networks as well as to train your employees.

The truth is people inherently trust things that appear to be from a reliable source and hackers understand that reality and how to exploit it. 

Get rid of the “ZOMG I have a firewall!” attitude and start proactively securing the inside of your networks. Even if you feel like you’ve arrived at a place where you can get a night’s rest without worrying about your servers, it doesn’t mean anything if you have a happy link-clicker, MySpace-er, Facebook-er, or even YOU, the Twitter-er. Those tiny URLs sure are cute, huh?

Utilizing the Client-Side Pen Test functionality in IMPACT Pro could potentially save you a lot of embarrassment, even if it means having to wait while cutting through the red tape that sometimes goes along with gaining approval for these types of end user tests.

And for those of you asking, “Will Microsoft IE 8 save us?” I implore you to understand that the security hype around IE 8, much like that around any other software or Web app, will only last as long as it takes hackers to break it. This cycle will never stop, and defensive solutions will always struggle to keep pace with new attacks.

In this economic downturn, where everyone wants to be the hero, cutting corners to save funds in this never ending arms race called IT security is not your best bet. Stand tall and learn precisely how your users behave when presented with potential attacks… pen-test!

-Caitlin Johanson, Technical Support Engineer

Money Talks: Saving Millions Via Pen Testing

Friday, April 24th, 2009

If you’re looking for an argument to present to your IT security management staff, CISO, CIO or anyone else who might ask for the explicit dollar value that adding automated penetration testing to your security and vulnerability management programs can deliver, boy, have we got the guy for you.

I finally had the chance to meet one of Core’s most valued customer references this week, Bob Maley, Chief Information Security Officer for the Commonwealth of Pennsylvania, at the RSA Conference 2009, where he was presenting in the “Lessons Learned” track on the topic of “Defending Citizen Data: Proactively Preventing Government Breaches.”

And let me tell you, in addition to being one of the most candid, pragmatic security executives that you could ever care to meet, he’s also one heck of a super nice guy.

But beyond the personal pleasantries, even those of us who work for Core and have become familiar with Bob’s story over the last few years were surprised by some of the improvements and metrics that Bob and his team have achieved using CORE IMPACT Pro, along with source code analysis and vulnerability scanners, under the state’s current programs.

Overall, Pennsylvania’s success in driving down its electronic record exposure incidents, and some of the financial metrics that Bob can tie to that work, are actually pretty staggering.

Basically, when he took the job three years ago, Pennsylvania had no capability for even finding or reporting security vulnerabilities in its IT systems, such as the many public-facing Web applications through which the state gathers and distributes information to its constituents.

Unfortunately, the reality, Maley said at RSA, was that the state’s security team had not really even begun to move down the vulnerability management path.

But then the attacks on its Web sites started in earnest a few years ago, including SQL injection campaigns coming out of China, forcing the state to report a total of 500,000 stolen citizen and employee records during 2007.

And while the public attention that those incidents generated was painful for his department, the spotlight on data protection allowed Maley to make some radical changes to the way that IT security, specifically Web apps security, was being handled in his state.

Big changes – Serious results

By adopting a more proactive approach and penetration testing applications both before they went live and then again on an ongoing basis, specifically using CORE IMPACT Pro, the state saw a massive improvement.

To note, Pennsylvania dropped its total volume of exposed records to just 212 during 2008. So far in 2009, the state has had only 2 sensitive records compromised, the CISO says.

And if those numbers aren’t enough to impress you, consider this: Using IMPACT Pro and other vulnerability management technologies throughout ’08, Maley said that Pennsylvania managed to find additional vulnerabilities that could have allowed data thieves to make off with some 408,000 sensitive personal records.

If you apply Gartner’s estimate that it costs an organization a minimum of $90 per lost record to inform affected individuals and provide them with data monitoring services and the like, that means the state saved roughly $37 million by finding those flaws before the bad guys could.

Using a more aggressive number, such as the roughly $200 per record figure published by the Ponemon Institute in 2009, Maley and his team may have saved Pennsylvania roughly $82 million in associated costs in one year alone.

And financial savings haven’t been the only benefit of adding penetration testing and other vulnerability management functions to their security programs, the CISO said. By implementing the solutions, the state has also been able to refine its entire applications development process. 

Whereas several years ago his security team, among others, was being informed about new applications in development only a week or several weeks ahead of deployment, now they’re being involved in the upfront planning years in advance, allowing the state to save time and money not just on security issues, but also across its entire applications management program, from initial development through to decommissioning.

“Through penetration testing, vulnerability scanning and source code analysis we’re trying to change our entire culture with this process; we’ve put a strategic plan in place and we’re moving toward a result of changing how applications are put out on Web,” Maley told the crowd at RSA. “We’d been fighting a losing battle, with all of the applications, with the size of the government, we didn’t know how to get our hands around the problem; now, anyone buying software or developing applications in house needs to initiate this process at the design phase.”

And of all the technologies PA has had at its disposal, Bob specifically highlighted automated penetration testing as one of the most important contributors to the state’s improved process and workflow.

“Penetration testing safely exploits vulnerabilities and eliminates false positives; we love scanning but it generates huge reports and when we give that information to remediation, it’s too much data, nothing ever gets done,” Maley said. “Now, we can show them how these problems can be compromised, to get immediate results so we can fix critical issues quickly; automated tools were key, we would have never had the same results without that.”

These are the kinds of things we’re constantly trying to communicate through our marketing efforts.

But, it means so much more when our customers deliver the message.

-Matt Hines, Chief Blogger


Hathaway – U.S. Government Needs IT Risk Management

Thursday, April 23rd, 2009

The big news on Wednesday at the RSA Conference 2009 in San Francisco, and what many had touted as potentially the most important story coming out of this year’s annual industry confab, was acting Cyber Czar Melissa Hathaway’s update on the Obama Administration’s recently completed 60-day cyber-security review.

And while many RSA attendees seemed to find themselves somewhat disappointed by the level of detail that Hathaway – whose official title is Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils – was able to provide in her “Mission Impossible” themed keynote, one message that affects the vulnerability management space that Core Security plays in rang loud and clear: the U.S. government needs to foster a more risk-based IT security model than it ever has in the past.

Many of the people that I spoke with, including IT security practitioners, solutions vendors, systems integrators and government experts like Core Security’s Vice President of Security Awareness, Tom Kellermann, feel that the Administration’s 60-day review will ultimately endorse many of the same recommendations made in last year’s report issued by the CSIS Commission on Cybersecurity for the 44th Presidency, to which Kellermann was a key contributor.

The conclusions that Hathaway was able to share on Wednesday seemed to highlight the need for the U.S. government to adopt many of the same risk-based security methodologies being championed in the private sector today.

“Despite all of our efforts, our global digital infrastructure, based largely on the Internet, is not inherently secure enough or resilient enough for what we use it for today, and what we will need it for in the future,” Hathaway told a packed room at the Moscone Center. “This reality poses one of the greatest technological and economic challenges of the twenty-first century.”

And while Hathaway stopped short of endorsing any specific technological solutions that will need to be adopted to help stem cybercrime on the Internet, the Cyber Czar’s tone clearly favored a more comprehensive approach to identifying the Web’s most dangerous risks and then closing off the avenues that have been so widely available to cybercriminals in recent years.

For us at Core Security, that’s just the type of strategy we’re hoping to see leading officials adopt to help mature the IT vulnerability management models that already exist across the U.S. government today.

Some of our oldest and largest customers are federal agencies, who, as a vertical market, have actually led the way in their use of internal Red Teams, mandated IT security assessments and adoption of automated penetration testing solutions, including CORE IMPACT.

However, as Tom and our government team have been telling their counterparts in the federal space for years, the only way for the nation to truly improve its IT security posture as quickly and effectively as possible will be to embrace these programs even more broadly.

With last year’s publication by the National Institute of Standards and Technology (NIST) of its Special Publication 800-53A, specifically the document’s Appendix G, we saw the experts responsible for driving new federal security policies embrace penetration testing as one of the most powerful methods for rapidly assessing individual agencies’ existing exposure to cyber-attacks and electronic data theft.

As Tom and many others working on Capitol Hill have been saying for years, it would only seem logical that the U.S. government begin pushing for broader use of penetration tests and other vulnerability management practices to help address the many IT-based risks that we face as a nation going forward.

In terms of improving matters of online security, we would argue that performing more frequent penetration tests on underlying Internet infrastructure, and Web applications themselves, is already one of the most effective means of advancing both public and private sector cyber-defenses.

Pretty soon we should find out just what the detailed conclusions of Hathaway and her team’s report will actually recommend.

Hopefully, by advancing more proactive risk management strategies via automated pen testing, we’re already headed in the right direction.

-Matt Hines, Chief Blogger
