Lumension Security - Adjusting our defenses for 2012
1. Adjusting Our Defenses For 2012
The following presentation reflects the opinions of the author
Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFA, VCP4/5, vExpert
Security & Forensic Analyst
2. Quick Review – Notable Issues In 2011
• Notable issues in 2011
» DigiNotar
» The Beast
» Epsilon Breach
» Sony Breach
» RSA Breach
» Android Malware Growth
» BYOD Adoption
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
3. DigiNotar
• Attackers compromised DigiNotar's certificate authority and issued more
than 500 fraudulent certificates
• Among them was a wildcard certificate for google.com, which was reportedly
used in Iran to intercept the traffic of some 300,000 users to Google services
• Apple, Google, Microsoft, Mozilla and Opera released updates to block sites
presenting DigiNotar-issued certificates
» Apple was slow in pushing out an update that actually worked
» The episode highlighted the problem of updating mobile devices, since users
depend on their carrier to deliver the update
• Fast responses from (some) vendors mitigated a HUGE risk, but it was
perhaps too little, too late for dissidents in Iran
4. The Beast
• The BEAST attack: researchers showed that a weakness in the CBC mode of
TLS 1.0 (and SSL 3.0) lets an attacker who can inject chosen plaintext
silently decrypt data passing between a web server and an end user's browser
» A chosen-plaintext recovery attack: TLS 1.0 reuses the last ciphertext
block of the previous record as the IV of the next one, so the attacker knows
the IV in advance and can verify guesses of secret bytes such as a session
cookie one byte at a time
• The problem was that at the time of its disclosure TLS 1.0 was the
predominant version used by most browsers
• Browser vendors responded quickly with mitigations (1/n-1 record splitting)
and support for TLS 1.1 and 1.2, which use an unpredictable IV per record
» What about all the VoIP phones and other embedded TLS stacks in use today?
» We have not heard the last of this issue
• Fast responses from (some) vendors mitigated a HUGE risk
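The chained-IV weakness that BEAST exploits, as an added worked example (not from the deck and not the researchers' code): a keyed hash stands in for AES-128 (only the encryption direction is needed), padding is simplified to zero bytes, and the victim is modelled as a browser that sends an attacker-chosen prefix followed by a secret cookie over one TLS 1.0 connection. The attacker recovers the cookie one byte at a time by aligning it so that exactly one unknown byte falls in a block, then verifying each guess through the predictable IV.

```python
"""BEAST-style chosen-plaintext recovery against TLS 1.0 CBC chaining.

TLS 1.0 uses the last ciphertext block of the previous record as the IV of the
next record. An attacker who can make the victim's browser send chosen
plaintext therefore knows the IV *before* encryption, which turns CBC into a
guess-verification oracle. Assumptions: a keyed hash stands in for AES-128,
padding is simplified, KEY and SECRET below are constructed.
"""
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte keyed block function standing in for AES (assumption)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """Simplified padding; TLS's real padding format does not matter here."""
    return data + bytes((-len(data)) % BLOCK)


class Tls10Cbc:
    """CBC encryption with TLS 1.0 IV chaining across records."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)  # first IV is secret; later IVs are on the wire

    def encrypt_record(self, plaintext: bytes) -> bytes:
        out, prev = b"", self.chain
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.chain = prev  # the weakness: next record's IV = this record's last block
        return out


class VictimBrowser:
    """Sends attacker-chosen prefix + secret cookie over one TLS 1.0 connection."""

    def __init__(self, key: bytes, secret: bytes):
        self._cbc = Tls10Cbc(key)
        self._secret = secret

    def send(self, attacker_prefix: bytes) -> bytes:
        return self._cbc.encrypt_record(pad(attacker_prefix + self._secret))


def beast_recover(victim: VictimBrowser, secret_len: int) -> bytes:
    """Recover the secret one byte at a time via the predictable-IV oracle."""
    recovered = b""
    chain = victim.send(b"")[-BLOCK:]            # learn the IV of the next record
    for k in range(secret_len):
        prefix = b"A" * (BLOCK - 1 - k % BLOCK)  # leaves one unknown byte in block t
        t = k // BLOCK
        ct = victim.send(prefix)
        prev = chain if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        target = ct[t * BLOCK:(t + 1) * BLOCK]    # E(P_t xor prev), P_t has 1 unknown byte
        chain = ct[-BLOCK:]
        known = (prefix + recovered)[t * BLOCK:]  # the 15 known bytes of block t
        for g in range(256):
            guess = known + bytes([g])
            # First block of the probe record encrypts as E(probe xor chain)
            # == E(guess xor prev), which equals target iff guess == P_t.
            probe = xor(xor(guess, prev), chain)
            ct2 = victim.send(probe)
            chain = ct2[-BLOCK:]
            if ct2[:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; oracle model is broken")
    return recovered


KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
SECRET = b"sid=7b3f9e2c41d0aa"                            # constructed, 18 bytes


def demo() -> bytes:
    """Run the attack against a fresh victim; returns the recovered cookie."""
    return beast_recover(VictimBrowser(KEY, SECRET), len(SECRET))


if __name__ == "__main__":
    print("recovered:", demo())
```

TLS 1.1 and later defeat this by carrying an explicit random IV in every record, so the attacker no longer knows the IV when choosing the probe; the 1/n-1 record splitting that browsers shipped for TLS 1.0 has the same effect, since the ciphertext of the one-byte first record becomes an unpredictable IV for the rest.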
5. Epsilon
• Epsilon handled e-mail marketing lists for about 2,500 clients, including
7 of the Fortune 10
» "... Jonathan Zittrain, a professor of law at Harvard Law School and co-
founder of the Berkman Center for Internet & Society, told Brian Krebs,
Epsilon was lazy in its security. 'Worse, customers who specifically asked to
opt out of marketing emails were also affected. Opting out should mean
genuine removal from the database, rather than retention in the database with
a marker indicating that someone has opted out.' ..." Source: Computerworld
• The stolen lists are a Rolodex for attackers running spear phishing campaigns
• The Epsilon hack highlights the danger of entrusting a large amount of
data to a single vendor, and perhaps the risks of large data stores in the cloud
• Don't keep all the eggs in one basket, and validate the security of your
provider
6. Sony Breaches
• Sony: perhaps the largest theft of identity information on record
» An unpatched Red Hat server connected directly to the Internet without a
firewall
• What did they really expect was going to happen?
• Sony stated it could not confirm whether credit card information was taken...
» Yes, when you don't have a firewall in front of the server you will not
have the logs to determine what was removed from it
• Estimated costs to Sony as a result of the breaches run as high as
$5.6 BILLION
• Using good security to prevent a breach is cheaper than cleaning up the
mess afterwards
7. RSA (1)
• When a small or medium-sized company has a breach it is punished for
being irresponsible
» When it happens to a behemoth it is unapologetically called an APT
• So many questions remain...
» Why was RSA not using its own products to protect its environment?
» Why was Amazon not taken to task after it was reported that Amazon's cloud
was used to crack the internal passwords that facilitated the RSA breach?
» Why has no one mentioned that the current issue with RSA SecurID tokens
seems eerily similar to the problem with the pre-AES tokens back in 2000?
See Cain & Abel
8. RSA (2)
• With the RSA breach, what did we learn?
» Policies without technical safeguards are useless
» Passwords still suck
» Hard shell / soft center is simply not an acceptable security posture in
the current threat environment
» Apparently if you're a behemoth you can get away with having poor
security by calling the attack an APT
9. Android Malware (1)
• Fastest growing mobile OS
• Over 300,000 Android activations a day
• Android overtook iOS as the dominant mobile OS in the US during 2H 2010
• The first Android phone, the HTC G1, launched in 2008
• Currently the OS of choice for Motorola, HTC, Samsung, Sony Ericsson and
others
10. Android Malware (2)
• With all of the news about malicious Android apps downloaded from the
Android Market it is apparent that testing apps is not a high priority
before turning them loose on users
11. Android Malware (3)
• A good example of Android's security issues was the Angry Birds proof of
concept from Duo Security: a seemingly harmless app could trigger the
unprompted installation of arbitrary applications with arbitrary permissions
on a victim's device
http://blog.duosecurity.com
14. The Droid Dream Fiasco
• There are serious issues over at Google's Android Market: in March 2011
more than 50 trojanized apps carrying the DroidDream root exploit were found
in the official market and had to be remotely removed from users' devices
15. Android – The Road Ahead In 2012
• "If you use an Android smartphone you are now 2.5 times more likely to
encounter malware (malicious software) than you were six months ago."
• "In 2011, 30% of Android users were likely to encounter a Web-based threat
such as phishing scams, 'drive by downloads' and browser exploits."
Source (Lookout Mobile Threat Report, via CNN):
http://www.cnn.com/2011/TECH/mobile/08/04/lookout.threat.report.gahran/
16. BYOD – Blind Adoption
• A recent survey of companies with 2,000 or more employees indicated that
70% permitted BYOD, yet less than 30% had policies to address device security
17. Considerations - Moving Forward in 2012
• Java
• QR Codes
• BYOD
• Injection Malware
• VoIP Attacks
• Virtualization
18. Our Flaw Remediation Is Missing The Target
• Since 2009 the most exploited software has been third-party applications
and browser plug-ins such as Adobe Reader, Flash and QuickTime
• In Q4 2011 Java became the leading exploitation vector
• Yet we focus our attention on patching the Microsoft OS and applications
The bad guys know it... and are taking full advantage
19. QR Codes
• QR codes are becoming the new SPAM
» In the simplest terms a QR Code (Quick Response code) is a two-dimensional
barcode that can hold up to 4,296 alphanumeric characters
» Their popularity has of course exploded: one recent study showed that in
June 2011 over 14 million Americans scanned QR codes with their mobile phones
20. Talk About Bad Timing
• Malicious URLs are at all-time highs: from Q2 2011 to Q4 2011 they are up
an additional 89%
• QR scanning growth is exploding; the Mobile Barcode Trend Report provides
interesting statistics:
» Active users of QR codes are up 525%
» Average number of scans per code is up 39%
21. Talk About Bad Timing (2)
• Mobile Marketer reports QR code scanning is up 4,549%
• It's easy for anyone to create a QR code with any kind of content
• Out of the box, mobile devices such as iPhones and Android phones are
poorly equipped to filter QR codes and the URLs they contain
22. Talk About Bad Timing (3)
• Malicious QR codes are already making money for the bad guys, and it is a
certainty that their use will expand
23. BYOD (1)
• Organizations are embracing BYOD without considering the security risks
• At the same time the landscape of mobile devices is changing dramatically
24. BYOD (2)
• The time to get serious about security in BYOD is long overdue
38. 2012 Initiatives
1. Adjust the flaw remediation program immediately to include Java
2. Establish policies for QR codes and deploy technical safeguards: a mobile
device URL filter?
3. Establish policies for BYOD and deploy technical safeguards: many are free!
4. This is no longer your grandfather's malware: migrate to white listing /
application control
5. Get control of VoIP before it controls you
6. Virtualization is ripe for the picking; the party is over, and host and
guest security must be a priority
Editor's notes (speaker notes)
In-memory process replacement via a debugger:
1. Insert a small stub of code that allocates a larger chunk of memory. The last instruction in the stub is a software breakpoint, which transfers control back to the debugging process. Limitation: the process being infected needs enough memory mapped past the current instruction pointer to hold the stub, roughly 40 bytes.
2. The debugging process then inserts code that cleans up the old process memory space, allocates room for the new image at its ideal location, and sets up the heap for the new process. Again the last instruction is a software breakpoint. The debuggee is resumed so that this code executes and allocates memory.
3. When control returns to the debugger, it copies the new executable into the process memory in the appropriate manner.
4. The debugger modifies the stack and registers of the process as necessary, points the instruction pointer at the new entry point, and detaches.
Not to oversimplify, but here is a Windows example of how this works:
1. We exploit a vulnerability that allows us to inject shellcode (typically 40 to 100 bytes or less) into a running process
2. The shellcode allocates additional memory for the process
3. Via the backdoor established by the shellcode, it downloads malicious code, inserts it directly into the memory allocated in step 2 and establishes hooks to call the malicious code
4. The shellcode is removed from the original code
Allocated in RAM, never touching the hard drive = no evidence!
Why a Linux example? This is RAM resident, so if you reboot it goes away... how often do you reboot Windows servers vs. Linux servers? Nuff said.
If you were doing forensics on this incident, what would you do?
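One answer to that forensics question, as an added example not taken from the deck: code that lives only in RAM still has to be mapped executable somewhere, so on Linux the process's /proc/<pid>/maps can be checked for executable regions with no backing file, regions backed by a file that has since been deleted, or regions mapped both writable and executable. The maps text below is constructed; the function names and the benign-region list are this example's own assumptions.

```python
"""Hunt for memory-resident code in a Linux process via /proc/<pid>/maps.

Injected code that never touched disk normally shows up as an executable
anonymous mapping, an executable mapping whose file is "(deleted)", or a
region that is both writable and executable. SAMPLE_MAPS is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*?)\s*$"
)
# Kernel-provided executable regions with no file that are expected (assumption).
BENIGN_ANON_EXEC = {"[vdso]", "[vsyscall]", "[vectors]", "[sigpage]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], int(m["inode"]), m["path"]))
    return maps


def suspicious(maps: List[Mapping]) -> List[Tuple[Mapping, List[str]]]:
    """Return (mapping, reasons) for every region worth a closer look."""
    findings = []
    for m in maps:
        reasons = []
        executable = "x" in m.perms
        writable = "w" in m.perms
        anonymous = m.inode == 0 and not m.path.startswith("/")
        if executable and anonymous and m.path not in BENIGN_ANON_EXEC:
            reasons.append("executable anonymous mapping (no backing file)")
        if executable and m.path.endswith("(deleted)"):
            reasons.append("executable mapping backed by a deleted file")
        if executable and writable:
            reasons.append("writable and executable (W^X violated)")
        if reasons:
            findings.append((m, reasons))
    return findings


def scan_pid(pid: int) -> List[Tuple[Mapping, List[str]]]:
    """Run the same check against a live process (root may be required)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious(parse_maps(f.read()))


# Constructed sample: an httpd with one rwx anonymous region and one region
# backed by a deleted file in /tmp, the two classic in-memory payload homes.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310720    /usr/sbin/httpd
00651000-00652000 r--p 00051000 08:01 1310720    /usr/sbin/httpd
00652000-00655000 rw-p 00052000 08:01 1310720    /usr/sbin/httpd
01a3c000-01a5d000 rw-p 00000000 00:00 0          [heap]
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c3f0000-7f2a1c3f5000 rwxp 00000000 00:00 0
7f2a1c400000-7f2a1c5bb000 r-xp 00000000 08:01 655418     /lib/x86_64-linux-gnu/libc-2.13.so
7f2a1c7c0000-7f2a1c7c3000 r-xp 00000000 08:01 655500     /tmp/.x (deleted)
7ffd3b9c0000-7ffd3b9e1000 rw-p 00000000 00:00 0          [stack]
7ffd3b9f0000-7ffd3b9f2000 r-xp 00000000 00:00 0          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
"""

if __name__ == "__main__":
    for m, why in suspicious(parse_maps(SAMPLE_MAPS)):
        print(f"{m.start:x}-{m.end:x} {m.perms} {m.path or '<anon>'}: {'; '.join(why)}")
```

A live check on its own only tells you where to look; the next step is to dump the flagged region (for example with gcore or by reading /proc/<pid>/mem) before the box is rebooted and the evidence is gone.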
Additionally, Wireshark allows recording the audio of a VoIP conversation to a file. Through the "Telephony" menu, select the "RTP" menu item to get this functionality: the "Stream Analysis – Show All Streams..." item (Step 1) analyzes in depth the Real-time Transport Protocol (RTP) stream associated with the currently selected RTP packet. From the RTP Streams window select the stream with the desired initial caller's IP address (Step 2), select "Find Reverse" (Step 3) to automatically mark both directions of the call, and then press "Analyze" (Step 4).
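The same analysis done programmatically, as an added example that is neither part of the deck's notes nor Wireshark's code: it parses RTP headers per RFC 3550, groups packets into streams by source, destination and SSRC, finds the reverse stream of a call (Wireshark's "Find Reverse"), reports sequence-number loss, and wraps G.711 payload in a Sun .au container that any audio player opens. The capture is constructed; in practice the triples would come from the UDP payloads of a pcap.

```python
"""Extract RTP streams from captured packets and export the audio.

Only the RTP layer is handled: the input is (src_ip, dst_ip, udp_payload)
triples. SAMPLE_CAPTURE below is constructed (two G.711 PCMU streams, one
with a missing sequence number).
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PT_NAMES = {0: "PCMU", 8: "PCMA", 9: "G722", 18: "G729"}
AU_ENCODING = {0: 1, 8: 27}  # .au codes: 1 = 8-bit G.711 mu-law, 27 = 8-bit A-law


@dataclass
class RtpPacket:
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    marker: bool
    payload: bytes


def parse_rtp(data: bytes) -> RtpPacket:
    """Decode the RTP fixed header, skip CSRCs and extension, strip padding."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc, has_ext, has_pad = b0 & 0x0F, bool(b0 & 0x10), bool(b0 & 0x20)
    offset = 12 + 4 * cc
    if has_ext:
        ext_words = struct.unpack("!H", data[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = data[offset:]
    if has_pad and payload:
        payload = payload[:-payload[-1]]  # last byte = padding length incl. itself
    return RtpPacket(b1 & 0x7F, seq, ts, ssrc, bool(b1 & 0x80), payload)


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker=False) -> bytes:
    """Encoder used only to construct the sample capture."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


@dataclass
class Stream:
    src: str
    dst: str
    ssrc: int
    packets: List[RtpPacket] = field(default_factory=list)


def group_streams(capture) -> Dict[Tuple[str, str, int], Stream]:
    """Group (src, dst, udp_payload) triples into streams keyed by (src, dst, SSRC)."""
    streams: Dict[Tuple[str, str, int], Stream] = {}
    for src, dst, raw in capture:
        pkt = parse_rtp(raw)
        streams.setdefault((src, dst, pkt.ssrc), Stream(src, dst, pkt.ssrc)).packets.append(pkt)
    return streams


def find_reverse(streams: Dict, stream: Stream) -> Optional[Stream]:
    """Wireshark's 'Find Reverse': the stream flowing the other way between the same hosts."""
    for s in streams.values():
        if s.src == stream.dst and s.dst == stream.src:
            return s
    return None


def analyze(stream: Stream) -> dict:
    """Packet count and loss from sequence numbers (16-bit wrap handled)."""
    seqs = [p.seq for p in stream.packets]
    expected = (seqs[-1] - seqs[0]) % 65536 + 1
    return {"payload": PT_NAMES.get(stream.packets[0].payload_type, "?"),
            "packets": len(seqs), "expected": expected, "lost": expected - len(seqs)}


def au_bytes(stream: Stream, rate: int = 8000) -> bytes:
    """Sun .au file (24-byte header) around the raw G.711 payload in sequence order."""
    enc = AU_ENCODING[stream.packets[0].payload_type]
    data = b"".join(p.payload for p in sorted(stream.packets, key=lambda p: p.seq))
    return struct.pack("!4sIIIII", b".snd", 24, len(data), enc, rate, 1) + data


# Constructed capture: caller 10.0.0.5 -> 10.0.0.9 (seq 102 missing), reverse leg back.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.9", build_rtp(0, 100 + i, 160 * i, 0x1234, b"\xff" * 160, marker=(i == 0)))
    for i in (0, 1, 3, 4)
] + [
    ("10.0.0.9", "10.0.0.5", build_rtp(0, 7 + i, 160 * i, 0xABCD, b"\x7f" * 160))
    for i in range(3)
]

if __name__ == "__main__":
    streams = group_streams(SAMPLE_CAPTURE)
    fwd = streams[("10.0.0.5", "10.0.0.9", 0x1234)]
    rev = find_reverse(streams, fwd)
    print("forward:", analyze(fwd), "reverse:", analyze(rev) if rev else None)
    with open("caller.au", "wb") as f:
        f.write(au_bytes(fwd))
```

Only G.711 payloads are written out unchanged; compressed codecs such as G.729 need a decoder before the audio is playable, which is also why Wireshark's own player supports a limited codec list.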