I briefly talked about some of the vulnerabilities I have previously found in Security Appliances, but talked in much more detail about recent research I have been developing for automated enumeration of email filtering services, products and policies (offensively, from the outside).
Specifically, I talked about the enumeration techniques, and how this information could be used by malicious hackers to improve the efficiency of attacks against organizations. This type of automated reconnaissance can be combined with phishing attacks and used to quickly find and exploit vulnerable systems and users.
Feedback from both these talks has been very good, and I am planning to release tools, and a white paper over the coming months.
In terms of the loopholes, well, there are a lot, and I will probably talk about that more in a future post, but for a brief three-bullet summary:
- Most email filtering solutions do not block embedded executable code or scripts in office documents.
- Almost all companies tested had no filtering for common encrypted attachments (password protected office documents or zip files for example).
- A small but significant percentage of organizations had direct bypasses in their email filtering (i.e. in around 5%-10% of cases, it was possible to deliver directly to relays or mail servers behind the filtering solution, by enumerating the relevant IPs from SMTP header information).
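The first two gaps are ones a filter can close with a fairly cheap attachment check: look at the zip general-purpose flag for encrypted entries, and look inside OOXML containers for a VBA project part. The following is an added illustration of that defensive check (not one of the tools described in this post); the sample archives are constructed in memory, and the `_zip` helper patches the encryption flag bit by hand because the standard library cannot write encrypted archives.

```python
import io
import zipfile

# Paths at which OOXML documents (docx/xlsx/pptx and their *m variants) store VBA macros.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container


def scan_attachment(data: bytes) -> list:
    """Return policy findings for one attachment body (zip, OOXML or legacy OLE)."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # Legacy Office formats keep macros in OLE streams; a filter that does
        # not parse the OLE container cannot see them, so flag it for review.
        findings.append("legacy OLE container: macro streams not inspected")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # General-purpose bit 0 marks a traditionally encrypted entry; the
        # archive contents cannot be content-filtered without the password.
        if any(zi.flag_bits & 0x1 for zi in infos):
            findings.append("encrypted archive entries")
        if {zi.filename for zi in infos} & set(VBA_PARTS):
            findings.append("office document with embedded VBA project")
    return findings


def _zip(entries: dict, encrypted: bool = False) -> bytes:
    """Constructed test input: build an in-memory zip and, if requested, set the
    encryption flag bit in every local and central directory header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + off] |= 0x01
                i = raw.find(sig, i + 4)
    return bytes(raw)


PLAIN_ZIP = _zip({"report.txt": b"quarterly figures"})
ENCRYPTED_ZIP = _zip({"invoice.docx": b"opaque"}, encrypted=True)
MACRO_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP), ("macro", MACRO_DOCX)):
        print(label, scan_attachment(blob))
```

Nested archives and password-protected OOXML (which are OLE-wrapped rather than zip-encrypted) need a further pass; the OLE branch above only flags them for manual inspection.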
Tools I am currently working on include:
- MailFEET - Mail Filter External Enumeration Tool - For finding vulnerable email filtering products, and flaws or bypasses in email filtering policy (written in Python and SQLite). This just needs tidying up a bit before release.
- DAPHT - Document and Archive Payload Hiding Tool - For automatically embedding test payloads in a variety of formats, to hide them from most email and web filtering solutions (written in C#).