APTs and other stuff
- 1. APTs and other Stuff
PHDays 2012
Version: 1.0
Author: Martin Eiszner
Responsible: Martin Eiszner
Date: 15.05.2012
Confidentiality: Public
- 2. Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0-days for your personal APT
• Demonstrations
• Outlook
• QA
© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved
- 3. SEC Consult – Who we are ...
• Specialized consultancy for application security
• Headquarter near Vienna, Austria
• Offices in Austria, Germany, Lithuania, Singapore and Canada
• Delivery Centers in Austria, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business
• Partner of Top 30 Software vendors
[Map: SEC Consult headquarter, SEC Consult offices and other SEC Consult clients; markers for Austria, Germany, Lithuania, Singapore, Canada, India and Central and Eastern Europe]
- 4. Martin Eiszner - Whoami
• Security consultant
• Chief technology officer
• quite some other interests … SW developer, reverser, the web, mobile devices ?
• tries to find the perfect approach for identifying security vulnerabilities
- 5. Agenda
- 6. Toxic Software and the APT
• What is software?
- 7. Toxic Software and the APT
• Are there any problems with software?
- 8. Toxic Software and the APT
• Toxic software is all about security vulnerabilities!
Who creates “vulnerabilities” and who bears their costs?
- 9. Toxic Software and the APT
• The “One-way paradox”
When it comes to software there is only
- 10. Toxic Software and the APT
• So what is toxic software really?
• And is there a cure?
Toxic software contains severe security vulnerabilities with a high probability of harming the confidentiality, availability and integrity of its owner's assets.
- 11. Toxic Software and the APT
• Advanced persistent threats?
• What does an APT consist of?
APTs are planned and orchestrated, mostly illegal, professional projects.
- 12. Toxic Software and the APT
• Attacker -
• Target -
• Methodology so far ….
• Phishing
• Spreading heavily tailored malware
- 13. Toxic Software and the APT
• Spear phishing – the method of the trade?
• There is always a better one ..
- 14. Agenda
- 15. APTs on the rise
• Any examples?
Stuxnet – SCADA attack on nuclear power plants
Mother of all APTs?
… a security vendor?
… wanna buy some stocks?
BBC … the Iranian connection
… and, and, and ….
- 16. APTs on the rise
• Buzzword or the real thing?
- 17. Agenda
- 18. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Software vendor: “Ok, there might be some security issues with our product but.. the customer is not demanding additional security.”
Software vendor: “Ok. This product is secure. Next topic…”
Software vendor: “The customer is satisfied with our level of security.”
Customer: “I bought a product from a good trusted vendor.”
Customer: “The vendor did not mention that the product might be insecure.”
- 19. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Customer: “Are there any security vulnerabilities in this software?”
Software vendor: “We have not seen any major customer complaints yet, so we are in the clear…”
Customer: “Let’s invest (some) money and check with a trusted security expert if everything is o.k.”
- 20. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Security expert: “We did the security test and it is a disaster! We will discover many more security problems if we continue our analysis… It is not enough to fix the now identified problems.”
Customer: “Is the security expert lying or the vendor? Gosh, I spent money on Quality Assurance the vendor should have done... How should I now explain my (past) commitment for this vendor to my boss?”
Customer: “It was not a cheap product, how can this happen? I wish I never bought that product/asked the security expert to check it. What shall I do, now I have a problem that should be resolved by the vendor...”
- 21. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Software vendor: “We will fix the reported issues and we have a satisfied client again…”
Software vendor: “Of course we will solve the problem…”
Customer: “The second audit (re-check) shows further severe vulnerabilities…”
Customer: “They have not a clue what problem they cause for me personally...”
- 22. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor; many customers, the press and international security experts surround the software product]
International security experts: “This vendor product is of interest for us! We should find a 0-day vulnerability, make a public security advisory and a conference presentation.”
Customers: “Make an audit and give me your opinion...”
Press: “Bad news is good news: Vendor is not able to solve security issues. I will tell anybody my opinion on that vendor if I am asked..”
- 23. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Customer: “Will somebody blame me for choosing this insecure vendor?”
Customer: “Damn! We have to do a product selection before we buy from this vendor.”
Customer: “They don’t know or they don’t care. They just ignore the problem.”
Customer: “We’ll keep using this product if we have to - but hold on, is there really no alternative?”
Customer: “This vendor is on the blacklist. Our headquarters will not accept insecure products.”
- 24. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Software vendor:
• We are investing in secure development processes
• We are investing in awareness of all employees and partners
• We will invest in trusted external security experts
• We will invest in our product security as a key feature
• We are honest and alert our customers about security issues
• We know that this will continue
Customer: “There are definite improvements in product security, but…”
Customer: “Will somebody blame me for choosing this insecure vendor?”
Customer: “Damn! We have to do a product selection before we buy from this vendor.”
Customer: “They don’t know or they don’t care. Either way, they ignore the problem.”
Customer: “We’ll keep using this product if we have to - but hold on, is there really no alternative?”
Customer: “This vendor is on the blacklist. Our headquarters will not accept insecure products.”
- 25. The “Erosion of trust” lifecycle for SW - Vendors
[Figure: lifecycle stages – 1st Trust Bubble → Erosion of Trust (suspicious customer) → Erosion of Trust (suspicious customer market) → Rebuild Trust → Trusted Vendor]
Software vendor:
• We are investing in secure development processes
• We are investing in awareness of all employees and partners
• We will invest in trusted external security experts
• We will invest in our product security as a key feature
• We are honest and alert our customers about security issues
• We know that this will continue
Customer: “They are proactive in informing me about the risks and involve leading security experts.”
Customer: “They are not completely secure, but they will solve these problems for me.”
Customer: “At least they manage these risks and work hard to make their products as secure as possible.”
- 26. 0-days for your very personal APT
• Am I talking bull….?
- 27. Agenda
- 28. 0-days for your very personal APT
• Methods for identifying … usable bugs in “software products”
• Application testing and fuzzing
• Reverse engineering
• Source code analysis
• Or just simply buy them on black markets …
• A short note on so-called “security scanning” tools
• Just use your
- 29. 0-days for your very personal APT
• Application testing and fuzzing
• Dynamic and manual testing based on
• Fault injection …
- 30. 0-days for your very personal APT
• Application testing and fuzzing
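Slides 29 and 30 describe fuzzing as dynamic testing by fault injection. The following is an added example and not SEC Consult's tooling or anything from the deck: a small, deterministic mutation fuzzer run against a constructed toy record parser that carries one deliberate bounds defect, with the corrected parser beside it. `parse_record`, `parse_record_fixed`, `mutate`, `fuzz`, the record format and the seed input are all assumptions of this example.

```python
import random

# Seed input, constructed for this example: [name_len][name][value_len][value]
SEED = bytes([3]) + b"abc" + bytes([2]) + b"xy"


def parse_record(data: bytes) -> dict:
    """Toy parser with one deliberate defect (assumed target, not real code):
    it trusts name_len and indexes data[1 + name_len] without a bounds check."""
    if len(data) < 2:
        raise ValueError("record too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]              # defect: index may be out of range
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("truncated value")
    return {"name": name.decode("ascii", "replace"), "value": value}


def parse_record_fixed(data: bytes) -> dict:
    """Same format; every length is checked against the bytes actually present."""
    if len(data) < 2:
        raise ValueError("record too short")
    name_len = data[0]
    if 1 + name_len >= len(data):
        raise ValueError("name does not fit")
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("truncated value")
    return {"name": name.decode("ascii", "replace"), "value": value}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One injected fault: byte overwrite, bit flip, byte deletion or boundary-byte insertion."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF]))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int) -> list:
    """Mutate the seed repeatedly and run the target on each variant.
    ValueError is the parser's documented rejection and is not a finding;
    any other exception is recorded once per distinct (type, input) pair."""
    rng = random.Random(rng_seed)
    findings, seen = [], set()
    for _ in range(iterations):
        data = seed
        for _ in range(rng.randint(1, 3)):     # stack one to three faults
            data = mutate(data, rng)
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:                # a fuzzer wants every other failure
            key = (type(exc).__name__, data)
            if key not in seen:
                seen.add(key)
                findings.append((data, type(exc).__name__))
    return findings


if __name__ == "__main__":
    for data, kind in fuzz(parse_record, SEED, 500, 1)[:5]:
        print(kind, data)
    print("fixed parser findings:", fuzz(parse_record_fixed, SEED, 500, 1))
```

The fixed RNG seed makes a run reproducible, which is what you want when a finding has to be handed to a developer; in practice the same loop is pointed at a real parser through a harness and the rejection-versus-crash distinction is made by signals or sanitizer output rather than Python exceptions.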
- 31. 0-days for your very personal APT
• Reverse engineering
• Closed source
• Decompiling
• Disassembling …
- 32. 0-days for your very personal APT
• Source code analysis
• Closed source
• SSA tools
• Brainwork
- 33. 0-days for your very personal APT
• Any other methods for getting hands on 0-days?
- 34. Agenda
- 35. Demos
• What would be the best target for a high-profile APT?
- 36. Demos
• Reverse engineering
• Check Point – Client-side remote command execution
Multiple Check Point appliances
CVE-2011-1827
• Fuzzing
• F5 FirePass SSL VPN – Remote command execution
CVE-2012-1777
• Application testing
• Microsoft ASP.NET – Authentication bypass
Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
CVE-2011-3416
Security software products will be the target of the trade ... soon!
- 37. Demo I
• Reverse engineering
• SSL VPN appliances (Connectra / Security Gateway)
• SNX, SecureWorkSpace and Endpoint Security On-Demand
• Patented lightweight “security solution”
• Comes in 2 flavors
• ActiveX
• Signed Java applets
- 38. Demo I
• Reverse engineering
• Problem
• Programs are flawed with several critical security vulnerabilities
• Java classes are not obfuscated
• Any known problems with ActiveX or signed applets???
- 41. Demo I
- 42. Demo II
• Application testing and fuzzing
• F5 FirePass – SSL VPN
- 43. Demo II
• Application testing and fuzzing
• F5 FirePass – SSL VPN
• Problems – this time server side
• Any problems related to SQL queries and user input?
- 44. Demo II
• SQL injection is pretty old ..
• Concatenated SQL queries and user input?
• File access rights for SQL schemas?
• SUDO permissions for SQL users?
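The three questions on slide 44 (concatenation of user input into SQL, and the file and sudo rights the database identity holds) are shown together in the added example below. It is not FirePass code and not from the deck: a constructed in-memory SQLite user table, the concatenated lookup beside its parameterized form, and SQLite's authorizer hook standing in for a database account that holds nothing beyond read access, so that even a successful injection cannot modify data. `make_db`, `lookup_concat`, `lookup_param`, `restrict_to_reads` and `write_refused` are names chosen for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with sample rows (not real product data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "user"), ("bob", "h2", "user"), ("root", "h3", "admin")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the submitted value becomes part of the SQL text,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Fixed pattern: the value is bound to a placeholder and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege for the application's database identity: SQLite's
    authorizer callback refuses every action except reading, the way a
    database account granted only SELECT (and no file or sudo rights)
    bounds what an injected statement can do."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def write_refused(conn: sqlite3.Connection) -> bool:
    """True if the connection can no longer modify the users table."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.DatabaseError:        # SQLite reports "not authorized"
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"               # constructed input containing a quote
    print("concatenated:", lookup_concat(db, probe))
    print("parameterized:", lookup_param(db, probe))
    restrict_to_reads(db)
    print("write refused:", write_refused(db))
```

The parameterized lookup returns no row for the probe because the whole string is compared as one username; the concatenated one returns every row. The authorizer is SQLite-specific, but the design point carries over: an application account that can only read one schema turns a data-exfiltration bug into a smaller problem than one that can write files or run shell commands.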
- 45. Demo II
- 46. Demo III
• Application testing
• ASP.NET – Membership framework
• Part of the “Security Content Map”
• Built-in - validate and store user credentials
• Microsoft way
- 47. Demo III
• Application testing and fuzzing
• Some ASP.NET application test
Database column truncation vulnerability: tries to create duplicate users and elevate privileges …
- 48. Demo III
• Application testing and fuzzing
• Problems
• Passing data between different layers (“managed” vs “unmanaged”)
- 49. Demo III
• Membership framework - a closer look
FormsAuthentication
  MakeTicketIntoBinaryBlob()
    webengine4.dll
      CookieAuthConstructTicket()
        CopyStringToUnAlingnedBuffer()
          copies a unicode string to some array
          lstrlenW()
            determines the length of the unicode string using
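Slide 47 (column truncation producing duplicate users) and slides 48 and 49 (a managed string handed to an unmanaged routine; lstrlenW, like wcslen, counts wide characters only up to the first NUL, whereas a .NET string may contain U+0000) point at the same class of problem: the username that passes the duplicate check is not the username that later layers actually see. The example below is added here and is not the ASP.NET Membership code or SEC Consult's test harness: `UserStore` is a constructed model of a table whose username column silently truncates and compares without trailing spaces, `unmanaged_ticket_name` models the NUL-terminated copy, `COLUMN_WIDTH` is an assumed value, and `safe_register` is the hardened registration that a defender would want.

```python
import re

COLUMN_WIDTH = 8   # assumed width of the username column (constructed value)


class UserStore:
    """Constructed model of a user table: the username column silently
    truncates values longer than COLUMN_WIDTH (non-strict database mode)
    and lookups ignore trailing spaces (pad-space style comparison)."""

    def __init__(self):
        self.rows = {}                              # stored username -> role

    def insert(self, name: str, role: str) -> None:
        self.rows[name[:COLUMN_WIDTH]] = role       # the column truncates

    def find_exact(self, name: str) -> list:
        """Uniqueness check as a naive registration page does it:
        compares the *submitted* value, not what the column will store."""
        return [n for n in self.rows if n == name]

    def find(self, name: str) -> list:
        """Login-style lookup with trailing-space-insensitive comparison."""
        return [(n, r) for n, r in self.rows.items()
                if n.rstrip(" ") == name.rstrip(" ")]


def weak_register(store: UserStore, name: str, role: str) -> None:
    """Vulnerable pattern: duplicate check on the submitted string, then insert."""
    if store.find_exact(name):
        raise ValueError("username already exists")
    store.insert(name, role)


def unmanaged_ticket_name(name: str) -> str:
    """Models a NUL-terminated copy of the managed string (lstrlenW/wcslen
    semantics): everything from the first U+0000 onwards is dropped."""
    return name.split("\0", 1)[0]


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,%d}" % COLUMN_WIDTH)


def safe_register(store: UserStore, name: str, role: str) -> None:
    """Hardened pattern: accept only names that survive every layer unchanged
    (no NUL or other control characters, no spaces, within the column width),
    then check uniqueness the way the storage layer will compare them."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    if store.find(name):
        raise ValueError("username already exists")
    store.insert(name, role)


def demo() -> dict:
    """Runs both flows against constructed input and returns a summary."""
    weak = UserStore()
    weak_register(weak, "admin", "admin")
    weak_register(weak, "admin   x", "user")   # 9 chars: check passes, stored as 'admin   '
    weak_register(weak, "admin\0x", "user")    # distinct row, but look at the ticket name

    hardened = UserStore()
    safe_register(hardened, "admin", "admin")
    rejected = []
    for candidate in ("admin   x", "admin\0x", "admin"):
        try:
            safe_register(hardened, candidate, "user")
        except ValueError:
            rejected.append(candidate)

    return {
        "weak_rows_matching_admin": len(weak.find("admin")),
        "weak_ticket_for_nul_name": unmanaged_ticket_name("admin\0x"),
        "hardened_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In the weak flow the store ends up with two rows that a login lookup for "admin" matches, and the ticket built for the registered name "admin\0x" names "admin", so the identity asserted downstream is not the one that was checked for uniqueness. The hardened flow rejects all three candidates for different reasons: spaces, a control character, and a real duplicate. Detecting the weak case in an existing system is a matter of querying for usernames that contain control characters or trailing whitespace, or that collide once trimmed.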
- 50. Demo III
• Membership framework - not to forget
The membership framework creates a /Register.aspx context „out of the box“ … even if you don’t want to.
- 52. Agenda
- 53. In one sentence …
Toxic security software products created by software vendors are real, and they are actively being used as a perfect and stealthy point of departure for the bad guys to carry out most successful targeted attacks!
- 54. Outlook - future of targeted attacks
We will see random attacks .. but a good deal more targeted attacks against high-profile organizations and companies soon!
- 55. Outlook - future of targeted attacks
• … only two things
Neither
nor
ing your most hated foreign countries will help you!
- 56. Outlook - future of targeted attacks
• … and
The war is not over yet …
- 57. Outlook - counter measures?
• KISS
• Awareness
• Enforce warranty in terms of information security from software vendors
○ If the vendor refuses .. change vendor
• Implement quality gates for new software products
- 58. QA