Friday, 16 March 2012

BlackHat EU 2012 - Day two and three summaries

I have been enjoying myself at BlackHat Europe 2012, soaking up some of the leetness, absorbing some of the technologies I am less familiar with, meeting great people, and talking with them about things which really interest me - which is all good.

BlackHat EU 2012 - Day two

My presentation seemed to go well, with several interested people coming up to ask various questions afterwards, maybe due to the fact that I described and showed around 10 exploits I recently discovered in common security products (all patched now BTW - but some very interesting, some creative, and several rather ironic - for example: "a spam that reconfigures the spam-filter", "a URL that owns the URL-filter").

My favourite presentation of Day two was "Data mining a mountain of Vulnerabilities" with Chris Wysopal.

This was quite a dry subject, but very well presented. Lots of data on vulnerabilities, with statistics on vulnerabilities sorted by application language, platform, horizontal and vertical markets (among many other things).

Really interesting data, and something I feel that I might consult when doing application testing.

Chris had some really interesting graphs, the one above showing clearly that most web-apps contain at least one of the most serious flaws.

Day three

Some really interesting presentations today on mobile/smartphone security. It's hard to choose the best one really, as the following three were very good, and looked like the conclusions were based on very solid research (and many hours of work).

  • "Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh Really? by Andrey Belenko + Dmitry Sklyarov
    • Hmm... so password managers on smartphones are not very well coded - not a surprise really but, a lot of work has been done by these guys to review some of the most popular ones and find some bugs
  • Apple vs. Google Client Platforms by Felix 'FX' Lindner
    • A great talk this, delivered in FX's highly amusing style
  • The Mobile Exploit Intelligence Project by Dan Guido + Mike Arpaia
    • Interesting perspective from academia on the stats behind mobile exploits, it seems that the hype might be just hype (at least on the iOS platform, more potential on Android though, but still, not a great deal of real platform-pwnage happening)

Anyway, I am in the airport on the way home, and it has been a very good week...

Thursday, 15 March 2012

McAfee Security Gateway patched this week for the issues I reported

Fair play to McAfee for fixing these issues, giving an accurate description of the issues and crediting me with the discovery. This is probably one of the best customer notifications I have seen from the vendors I have dealt with during my research project.

Affected Software: McAfee Email and Web Security 5.x, McAfee Email Gateway 7.0

NGS00153 – Reflected XSS
McAfee Email and Web Security Appliance Software 5.x / McAfee Email Gateway 7.0 is prone to reflected XSS, allowing an attacker to gain session tokens and run arbitrary JavaScript in the context of the administrator's browser and the McAfee Security Appliance Management Console/Dashboard.

NGS00154 – Logout Failure (I would have called this session-management issues, but whatever)
When an administrator closes the Management Console/Dashboard without clicking logout and returns to the Dashboard later, they appear to be logged out. However, this is simply the state of the JavaScript in their browser, and the session token is still active on the server side. If an attacker gains a session cookie (perhaps using XSS, or by some other means), they can make a dummy login attempt (with a dummy password) and simply edit the (failure) response. They will then be logged in, and can use the Dashboard as if they had logged in as the administrator.

NGS00155 – Password Reset issue
Any logged-in user can bypass controls to reset passwords of other administrators.

NGS00156 – Session Disclosure
Active session tokens of other users are disclosed within the Dashboard.

NGS00157 – Weak Encryption of Backups
Password hashes can be recovered from a system backup and easily cracked.

NGS00158 – File Download Issue
Arbitrary file download is possible with a crafted URL, when logged in as any user.

NGS00159 – File Content Leakage
File contents disclosure as if root user, when logged in as any user.

BlackHat EU 2012 - Day one summary

I am currently enjoying BlackHat Europe 2012

My favourite presentation for Day 1 was:

Jeff Jarmoc - SSL/TLS interception proxies (and transitive trust)
Really interesting research (to me) as it was kind of adjacent to some of the research I have been doing, and Jeff has looked at some very similar products that I have, but from a different perspective.

Jeff described his research into an issue that I have felt could be a problem (but that I hadn’t investigated, and he has done a great job with his investigation, so this answers some of the questions I had in the back of my mind ;o).

Put simply; When companies implement content-security for encrypted web-traffic (anti-virus, exe-blocking and content analysis for HTTPS traffic) the way to do this is usually to get all the clients within the environment to trust the proxy’s CA cert. Then, traffic is decrypted on the proxy and scanned (the proxy handles the external encryption to the target site) and the traffic is then re-encrypted internally to the client (using the proxy’s trusted cert).

The issue is; “What happens when there is a problem with the cert of the original target site?” and the answer is - “These issues are largely ignored, and the information is dropped, so that everything looks fine on the client-side”.

To paraphrase, the reason for this dropping of the baby is that: “SSL was not designed to do this, and this solution is hard enough to implement as it is, so vendors of these products try to make the product set-up and management as easy as possible, and iron-out any of these minor ‘issues’ by ignoring them”.

However, this causes a big security hole because certificates that are spoofed, expired or revoked are often made to look like they are “fine and dandy” to the client  – which from a security-perspective, in short, is crap.
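To make the failure mode concrete, here is an added example (not from Jeff's talk or from any vendor's code) that audits the TLS settings a proxy would use on its proxy-to-site leg and reports which of the three problems named above (spoofed, expired, revoked) would be hidden from the client. The function names and the "lax" configuration are constructed for illustration, and the sketch assumes revocation is checked via CRLs only.

```python
import ssl

# Bit that enables CRL checking of the leaf certificate
# (VERIFY_CRL_CHECK_CHAIN includes this bit as well).
_CRL_BIT = ssl.VERIFY_CRL_CHECK_LEAF


def masked_failures(ctx):
    """Return the upstream certificate problems this context accepts silently."""
    masked = set()
    if ctx.verify_mode == ssl.CERT_NONE:
        # No chain validation: untrusted issuers, expired and revoked certs all pass.
        masked |= {"spoofed", "expired", "revoked"}
    if not ctx.check_hostname:
        # A valid certificate issued for a different host is accepted.
        masked.add("spoofed")
    if not (ctx.verify_flags & _CRL_BIT):
        # Revocation is never consulted (assumption: no separate OCSP check).
        masked.add("revoked")
    return masked


def lax_upstream():
    """Constructed 'make it just work' configuration for the proxy-to-site leg."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_upstream():
    """Hardened configuration: chain, validity dates, hostname and CRL checks."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # CRLs must be loaded in production
    return ctx


def client_action(ctx):
    """What the proxy may do towards the client for this upstream context."""
    masked = masked_failures(ctx)
    if masked:
        return "refuse to re-sign: would hide " + ", ".join(sorted(masked))
    return "re-sign with proxy CA"


if __name__ == "__main__":
    contexts = (("lax", lax_upstream()),
                ("default", ssl.create_default_context()),
                ("strict", strict_upstream()))
    for name, ctx in contexts:
        print(name, "->", client_action(ctx))
```

Note that even Python's default client context leaves revocation unchecked, which is the same class of quiet omission on a smaller scale.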

Great presentation Jeff!

Quote of the day: “Humanity needs crime, otherwise we would have stomped it out by now.. and the internet needs crime too..”
(Whitfield Diffie, philosophising about “life, the internet and everything”)