Hacking Ahead of the Hackers


Description

To stay ahead of the advanced persistent threats that continue to challenge security teams at organizations of all sizes, it’s helpful to understand the scope of what you’re up against. This presentation is a great primer on developing a vulnerability management strategy, presented by eEye Digital Security, the industry’s most consistent contributor to the information technology community of research and education.

Transcript of Hacking Ahead of the Hackers

Page 1: Hacking Ahead of the Hackers

© 2010 eEye Confidential & Proprietary

Morey J. Haber, Product Management

http://blog.eeye.com

http://www.eeye.com

Hacking Ahead of the Hackers

Page 2: Hacking Ahead of the Hackers

Vulnerabilities In The News

95% of all attacks come from known vulnerabilities and are preventable

“Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers…” (August 2007)

“49 Congressional Websites Hacked By Brazilian 'Red Eye Crew'” (February 2010)

Heartland CEO, Robert Carr: “PCI compliance auditors failed the company”, 100 million credit cards exposed (January - April 2009)

CERT® Coordination Center (CERT/CC), Carnegie Mellon Software Engineering Institute

Page 3: Hacking Ahead of the Hackers

The Beginning of Modern Hacks

• The Microsoft Security “Revolution” Started in 1999
– First major remote “SYSTEM” vulnerabilities
– First proof of concept buffer overflow exploits
– Many discovered by eEye Digital Security

• Widespread Nature of Microsoft Software
– No focus on security vulnerabilities by anyone.
– Denial by programmers and executives that there is a problem.

• Results:
– Finding Microsoft bugs was “unique” and “cool”
– Birth of the Microsoft Security Response Center
– Security “is a marketing problem” … Response
– “Purely theoretical” … Sure but it can not happen
– “That is a denial of service” … Forcing a problem
– “Heap overflows are not exploitable” … People did not believe

Page 4: Hacking Ahead of the Hackers

Why Security Got Better… Past

• The Code-Red Worm as a Fact
– Turning point for vulnerabilities and the way we deal with security
– Government awareness; the White House web servers were the target
– This became a press and financial issue (think PCI DSS and why?)
– Over 2 billion USD in damages

• Microsoft Improved For Many Reasons
– Large corporations threatened to drop Microsoft because of insecurity
– Microsoft wants to make money off of security, security company acquisitions, move into consumer anti-virus, etc.

On July 19, 2001, more than 359,000 computers were infected with the Code-Red worm in less than 14 hours

Page 5: Hacking Ahead of the Hackers

Security Progression… Present

• Microsoft has a better security process than any other software vendor!
• Microsoft adds additional security defenses into their product with every release – Heap Randomization, Heap NX, DEP, ASLR
• Windows 7 does improve security a lot, but it is still not perfect. Applications will always run on the operating system and ports will have to be open
• Researchers and exploit developers have all progressed greatly over the last 10 years, in popularity and focus. In the simplest terms, think of viruses compared to spyware. Remember all the problems with pop-ups?
• Most major software companies have made zero progress in terms of a security response for developing software
• What about all of the mission critical custom applications that organizations have had custom written, including web applications?

Page 6: Hacking Ahead of the Hackers

Trends in Hacking, Ahead of the Hackers

• Logic Bombs
• Ransomware & Rogueware
• Blended Threats Using Application Vulnerabilities and Social Engineering
– What File Does Your HR Representative Open All the Time?
– New Web Application Threats: i.e. File Uploads, etc.

Are the Swirls Moving?

Page 7: Hacking Ahead of the Hackers


Rethinking Authentication to Beat a Hack…

Graphical Passwords

Leonardo Sobrado and Jean-Camille Birget

Department of Computer Science, Rutgers University

Page 8: Hacking Ahead of the Hackers

What is Wrong with this Desktop for a COE?

Page 9: Hacking Ahead of the Hackers


Malicious Software or Real Security?

Page 10: Hacking Ahead of the Hackers


Just a Clever Social Engineering Hack…

Page 11: Hacking Ahead of the Hackers


Social Web Sites…

Page 12: Hacking Ahead of the Hackers

Microsoft 11 Years Later…

• More Microsoft “zero-day” vulnerabilities than ever
• 14 out of 44 bulletins in 2009 contained zero-day fixes
• Proliferation of “file format” vulnerabilities
• Worms are dead, but we now have bots and focused attacks
• However, Microsoft has been better at not introducing more vulnerabilities within patches (unlike 2006)
• Imagine starting over with another leader in the industry and losing what we learned…
• How many COEs does your environment support?

Page 13: Hacking Ahead of the Hackers

Custom Applications

What about all of the mission critical custom applications?

• Back to Basics
– Clear text passwords in files
– Data encryption
– Temporary files

• Based on Insecure Technology
– Older non-supported operating systems
– Embedded open source using older versions

• Built on Scripting Tools and Remote Command Shells
– Targeted attacks
– Internal exploitation
– Human configuration error / Lack of expertise

• Poorly Written Web Applications
– Database Security
– Easy Hacks for XSS
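As an added illustration of the “Back to Basics” items on this slide (clear text passwords in files and temporary files), the Python below is example code written for this page, not eEye’s or any product’s code. It audits a constructed INI-style settings file for keys that carry a credential in clear text, shows salted PBKDF2 hashing as what should be stored instead, and creates a temporary file with mkstemp so its name is unpredictable and its mode is owner-only. The configuration contents, key names and values are constructed assumptions, not taken from any real application.

```python
import hashlib
import hmac
import os
import re
import stat
import tempfile

# Constructed sample of a legacy custom application's settings file.
# Every value here is made up for the example.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
user = app_svc
password = Summer2010!

[backup]
db_pass = hunter2
api_key = EXAMPLE-NOT-A-REAL-KEY

[logging]
path = /var/log/app.log
"""

# Key names that commonly hold a credential in INI-style files (assumed list).
CREDENTIAL_KEY = re.compile(
    r"^[ \t]*(password|passwd|pwd|db_pass|secret|api_key)[ \t]*=[ \t]*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def find_cleartext_credentials(config_text):
    """Return (key, value) pairs whose key names a credential stored in clear text."""
    return [(m.group(1).lower(), m.group(2)) for m in CREDENTIAL_KEY.finditer(config_text)]


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: store (salt, digest) rather than the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def write_temp_securely(data):
    """Create a temp file via mkstemp: random name, O_EXCL creation, owner-only mode.

    The contrast is a fixed path such as /tmp/app_export.tmp, which another local
    user can pre-create or symlink before the application writes to it.
    """
    fd, path = tempfile.mkstemp(prefix="app-export-", suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def temp_file_is_private(path):
    """True when no group/other permission bits are set (POSIX only; trivially True elsewhere)."""
    if os.name != "posix":
        return True
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def read_and_remove(path):
    """Read the temp file back and delete it, returning its contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data


if __name__ == "__main__":
    for key, value in find_cleartext_credentials(SAMPLE_CONFIG):
        print(f"clear-text credential: {key} = {value}")
    salt, digest = hash_password("Summer2010!")
    print("verify correct password:", verify_password("Summer2010!", salt, digest))
    print("verify wrong password:  ", verify_password("summer2010!", salt, digest))
    tmp = write_temp_securely(b"export data")
    print("temp file private:", temp_file_is_private(tmp), read_and_remove(tmp))
```

The audit is deliberately a simple key-name match: it finds the obvious cases a code review would flag on a slide like this one, and the key list is the part to extend for a particular application’s configuration format.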

Page 14: Hacking Ahead of the Hackers

History Will Repeat Itself…

• Researchers
– There has never been a better time to be in vulnerability research
– You have a 12 year head start on the average software company

• Software Vendors and Custom Application Developers
– You will save more money by investing in security now
– Test your applications before production
– Harden your applications and operating systems before production
– Learn from history and test your systems regularly!

• IT Community
– You are stuck in the middle
– Organizational awareness of non-Microsoft vulnerabilities
– Security policies, plans, products, and people that do not solely revolve around Microsoft when it comes to your Windows platforms, including how applications get security updates

Page 15: Hacking Ahead of the Hackers

The Million Dollar Question: Where do you see hacks in the next year?

• What Does Security Look Like…
– When will corporations move to Windows 7 or virtual machines or even Apple?
– Will consumer applications be cloud based?

• What Do Attacks Then Start to Look Like?
– Sandbox: Does the value of local privilege escalation vulnerabilities increase?
– Web apps: How do you research what you are not legally allowed to audit?
– Work Anywhere: When users have full access to corporate data anywhere and from anything, i.e. PDA cell phones

• How do you proactively protect and detect against these attacks when they are not even documented yet? (Google Aurora)

• Are regulatory compliance initiatives like PCI, SOX, HIPAA good enough?
– Answer: No – Just ask the CEO of Heartland, Robert Carr

Page 16: Hacking Ahead of the Hackers

Hacking Ahead of the Hackers, This Year…

• Web Applications
– Every application is different and has its own zero-days, even though the category is the same, like SQL injection or cross site scripting
– Every web application is a custom application

• Social Engineering
– Same exploit and result (money), different story

• Fake Applications
– Anti-Virus 2009
– Press “Continue for Your Free Coupon”
– RogueWare, McAfee DAT Exploits

• Browser Based Attacks
– Innovative ActiveX exploits
– More page and frame manipulation
– Browsers look like windows and real applications, RIA malware
– Think MS Office in a browser or Google Chrome
– Apple becoming a Real Target!
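The “Web Applications” bullet on this slide names SQL injection and cross site scripting as the categories of which every custom web application has its own variant. As an added example that is not part of the presentation, the Python below puts the defect beside the fix for both: a query assembled by string concatenation next to a parameterized query over a constructed in-memory SQLite table, and raw HTML output next to escaped output. The table, its single user row and the sample inputs are constructed for the example; the point is that the parameterized version treats the same input as data and the escaped version renders it as text.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a custom app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-value')")
    conn.commit()
    return conn


def count_matches_vulnerable(conn, name):
    """Defect: the caller's input is spliced into the SQL text, so quotes in the
    input change the query's structure instead of being compared as a value."""
    query = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchone()[0]


def count_matches_safe(conn, name):
    """Fix: a bound parameter is always a value; the query structure is fixed."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def render_comment_unsafe(comment):
    """Defect: user text is written straight into the page as markup."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    """Fix: escape <, >, &, and quotes so the browser shows the text rather than running it."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # A constructed input containing a quote and an always-true clause.
    odd_name = "nobody' OR '1'='1"
    print("concatenated query matches:", count_matches_vulnerable(conn, odd_name))  # 1
    print("parameterized query matches:", count_matches_safe(conn, odd_name))       # 0
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The vulnerable query returns a match for a name that does not exist because the quote in the input ends the string literal and the rest is parsed as SQL; the parameterized query returns none because the whole input is compared as a single string. The same input to the two renderers shows the difference between a script tag the browser executes and the literal characters `&lt;script&gt;` it merely displays.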

Page 17: Hacking Ahead of the Hackers

This Week… Oops

Page 18: Hacking Ahead of the Hackers

About eEye

• Our Company
– Founded in 1998
– Growing and profitable
– Leaders in security & compliance

• Our Strengths
– World renowned research team
– Trusted security advisors
– Recognized product leadership
– Unparalleled services & support

• Our Difference
– Fast, flexible deployment
– Integrated end-to-end solution
– Commitment to our customers

Page 19: Hacking Ahead of the Hackers

Unified Vulnerability Management

10-Feb-2009: Vulnerability exists in BlackBerry Application Web Loader ActiveX control, CVE-2009-0305, http://blackberry.com/btsc/KB16248

09-Dec-2008: Windows Saved Search Vulnerability, MS08-075 (http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx)

08-Dec-2008: Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control stack buffer overflow, VU#639345 (https://www.kb.cert.org/vuls/id/639345)

Page 20: Hacking Ahead of the Hackers

Questions and Answers?