1. How to Hug a Hacker (Lessons from Manufacturing)
   Holly Turner, Xerox
   Information Security Manager
   CISSP, PMP, Six Sigma Black Belt

2. (no text on this slide)

3. "My father taught me many things here — he taught me in this room. He taught me — keep your friends close but your enemies closer."
   "Michael Corleone" in The Godfather Part II (1974)

4. 2005 "Ciscogate"
   • Mike Lynn, age 24, presented vulnerabilities in Cisco IOS at Black Hat in Vegas
     https://www.blackhat.com/html/bh-blackpage/bh-blackpage-11092005.html
     https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
   • Resigned from ISS, after being asked to 'edit' presentation content
   • Lawsuit filed by Cisco, ISS

5. (no text on this slide)

6. Blowback - 1
   "No one really thought this …was possible, until Wednesday, so no one really looked to defend against it," [Mike] Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."
   http://www.securityfocus.com/news/11260

7. Blowback - 2
   "The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet"
   "People are definitely going to want to find more vulnerabilities ... and now people aren't going to care to report things to Cisco."
   Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security
   http://www.securityfocus.com/news/11260

8. Blowback - 3
   "You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," [Jennifer] Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us."
   http://www.securityfocus.com/news/11260
   EULA

9. Say hello to my little friend.
   • Processor
   • RAM, ROM, SDRAM
   • HD
   • NIC
   • Analog Fax Modem
   • Linux OS
   • Apache, Open SSL, Open LDAP, Samba, Kerberos, PHP, Netsnmp

10. Black Hat 2006
    • Brendan O'Connor, undergrad intern, presents "Vulnerabilities in embedded systems"
      https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-OConnor.pdf

11. XRX06-001, XRX06-003
    https://www.xerox.com/download/security/security-bulletin/95dc-49fa773808540/cert_XRX06_001.pdf
    https://www.xerox.com/download/security/security-bulletin/390bd-49fa772c96a40/cert_XRX06_007_v1.pdf

12. Where is he now?
    • Senior Security Advisor at Leviathan Security Group
    • Juris Doctor, Law, University of Wisconsin, MSE Computer Science, Johns Hopkins
    • CIPP/US, CIPP/G, CISSP, Certificate of Cloud Security Knowledge
      https://www.linkedin.com/in/ussjoin

13. Printers on Fire? 2012
    • Researchers at Columbia School of Engineering and Applied Science reverse engineer printer
    • Software updates are not digitally signed and checked for authenticity
    • Malware can replace OS
    http://www.nbcnews.com/business/consumer/exclusive-millions-printers-open-devastating-hack-attack-researchers-say-f118851
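The 2012 finding on this slide is that the update path accepted whatever image it was handed. The following is an added example, not code from the talk or from any printer vendor, of the device-side check that closes that gap: the device only flashes an image whose signature verifies under a vendor public key baked in at manufacture. The FirmwareImage layout, the Device model and the keys are all constructed for the example; it also goes one step beyond the slide by refusing a correctly signed but older build (rollback protection).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, simplified update package: a version
// number, the payload that would be written to flash, and a detached
// signature over both. Real vendor formats differ; this layout is an assumption.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrNoSignature  = errors.New("firmware image carries no signature")
	ErrBadSignature = errors.New("firmware signature does not verify under vendor key")
	ErrRollback     = errors.New("firmware version is not newer than installed version")
)

// Device models the update path on the printer: the vendor's public key is
// provisioned at manufacture, and Flash holds whatever image was last accepted.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
	Flash            []byte
}

func NewDevice(vendorPub ed25519.PublicKey, installedVersion uint32) *Device {
	return &Device{VendorPub: vendorPub, InstalledVersion: installedVersion}
}

// NewVendorKeys creates the vendor signing key pair. In production the private
// half lives on the vendor's release system (ideally in an HSM) and never on
// the device; this helper only exists so the example runs stand-alone.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return pub, priv
}

// signedBytes is the exact byte string the signature covers. Prefixing the
// version binds it to the payload, so neither can be swapped independently.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignFirmware runs at the vendor and produces a release image.
func SignFirmware(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(vendorPriv, signedBytes(version, payload)),
	}
}

// ApplyUpdate is the check the 2012 research found missing: authenticity is
// verified (and, as an extra step, rollback to an older signed build is
// refused) before a single byte reaches flash. A rejected image leaves the
// device state untouched.
func (d *Device) ApplyUpdate(img FirmwareImage) error {
	if len(img.Signature) == 0 {
		return ErrNoSignature
	}
	if !ed25519.Verify(d.VendorPub, signedBytes(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.Flash = append([]byte(nil), img.Payload...)
	d.InstalledVersion = img.Version
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	dev := NewDevice(pub, 1)

	genuine := SignFirmware(priv, 2, []byte("constructed firmware build v2"))
	fmt.Println("genuine v2:", dev.ApplyUpdate(genuine)) // <nil>

	tampered := genuine // same signature, modified payload
	tampered.Payload = []byte("constructed firmware build v2 + implant")
	fmt.Println("tampered:  ", dev.ApplyUpdate(tampered)) // ErrBadSignature

	unsigned := FirmwareImage{Version: 3, Payload: []byte("constructed unsigned build")}
	fmt.Println("unsigned:  ", dev.ApplyUpdate(unsigned)) // ErrNoSignature

	_, otherPriv := NewVendorKeys() // a key the device does not trust
	foreign := SignFirmware(otherPriv, 3, []byte("constructed build, wrong key"))
	fmt.Println("wrong key: ", dev.ApplyUpdate(foreign)) // ErrBadSignature

	fmt.Println("installed version:", dev.InstalledVersion) // 2
}
```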
14. Where are they now?
    • Dr. Ang Cui, CEO and chief scientist
    • Dr. Salvatore Stolfo, co-founder
    • Red Balloon Security
      https://www.redballoonsecurity.com/
    • Project Symbiote – software to defend embedded devices, in HP devices

15. Black Hat 2013
    • Andrei Costin, presentation on "Embedded Devices Security and Firmware Reverse Engineering"
      https://www.blackhat.com/us-13/briefings.html#Costin

16. More Security Bulletins
    https://www.xerox.com/download/security/security-bulletin/2e639-4d7bcb40a048e/cert_XRX12-003_v1.13.pdf

17. Where is he now?
    • Co-founder at Firmware.RE
    • PhD from EURECOM/Telecom ParisTech
    • Google Security Hall of Fame
    • 12/29/2015 presentation on "(In)Security of Embedded Devices' Firmware - Fast and Furious at Large Scale"
      https://www.youtube.com/watch?v=Rum1e8ZJlys

18. Fast forward, March 2016
    • Andrew Auernheimer, Weev, hacktivist, claims 'mass printer trolling': sending an unauthorized document to printers on open, unsecured Internet connections.
    • http://www.nytimes.com/2016/03/29/nyregion/hacker-weev-says-he-printed-anti-semitic-and-racist-fliers-at-colleges-across-us.html?_r=0

19. (no text on this slide)

20. Where is he now?
    • Self-Employed
    • Seeking Crowdfunding on Liberapay
    • Twitter – "Tons of Soviet bureaucracy. Submitted my request for a 15 year residency. If you don't travel to Eastern Europe I'll see you when I'm 45"
      https://www.linkedin.com/in/rabite

21. How hugging works
    1. Contact
       – Dedicated webpage.com/security
       – Technical Support, phone or email
    2. Publication Pause
       – Negotiated time period for manufacturer to develop patch, 60 to 90 days
    3. Acknowledgement
       – Public recognition of researcher
    Options:
    • Contest/Challenge
    • Payment/Bug Bounty

22. www.xerox.com/security
    https://www.google.com/appserve/security-bugs/m2/new?rl=&key=
    https://technet.microsoft.com/en-us/security/ff852094.aspx
    http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html#roosfassv

23. Questions?

BSidesROC 2016 - Holly Turner - How To Hug A Hacker


Editor's Notes

  1. Hi. My name is Holly Turner. I’ve been at Xerox roughly 20 years. I joined as Windows 95 was launched and have been hands-on with coding, project management, scrum, and test. Unlike most InfoSec professionals, I don’t work on the corporate HQ team writing policy, setting firewall rules, running scans, or doing forensics to protect the company’s assets. Instead, my focus has always been outward, on the customer experience and protecting their assets. If you’re going to stay in business, you soon learn that the ‘customer is always right’ and you work hard to keep customers happy. All the slides will be available to you after the presentation if you’d like to dig in a bit more. I’m going to run through them quickly, so please hold your questions until the end. Let’s get started! When you’re a manufacturer, your product is your baby. It’s beautiful.
  2. Until some hacker bursts that bubble! From this side of the podium, hackers are pointing out flaws in your baby. Next thing you know, you’re holding an ugly baby. The sales team can’t sell an ugly baby. Support doesn’t want to deal with an ugly baby. And stockholders run from brands with ugly babies. The knee jerk reaction from manufacturers is to hit back. We’ll talk about an example of that today.
  3. I’m also going to talk about smart manufacturers. Like the Godfather, they recognize that it’s business, not personal. Manufacturers who befriend and embrace hackers, while counter-intuitive, will be more successful. Finally, I’m going to talk about some hackers I’ve observed. I’ll share some examples of smart hackers that have capitalized on their research professionally and financially. My first lesson came from Black Hat 2005 and a manufacturer called Cisco.
  4. Mike Lynn, employed as a security researcher just out of college, identified vulnerabilities in Cisco’s router operating system in 2005. Concerned about risks for the Internet and undeterred at that time by threats, he resigned his job and presented his findings at Black Hat.
  5. The judge ruled in favor of Cisco and as part of the settlement all copies of the presentation were deleted. Mike was unemployed and gagged, unable to share any of his findings or continue to participate in Black Hat.
  6. More interesting is the blowback from the Cisco decision to sue. Let’s look at a few of these. Prior to this court case, all the heat and light was on operating systems on clients and servers. This case exposed vulnerabilities in routers and other IT components with embedded software. The same functionality that allows management over the network opens doors for attackers. The Internet of Things continues to expand the attack surface to your house and car. I like to use cheese as a thought model for hacking. Manufacturer specifications are the cheese, product features that customers are willing to pay for. Testers and the Common Criteria Certifications look at the cheese, ensuring that features work as specified and designed. Hackers look for the holes in the cheese – undocumented, unintended functionality. The lawsuit exposed this first hole in routers to the world in public records and news articles. In millions of lines of Cisco code, surely more holes could be found. No manufacturer wants their brand name on hacker radar. Unfortunately, after the long legal battle, Mike Lynn faded from the hacker stage.
  7. Cisco thought that going to court would keep the vulnerability hidden and intimidate others from looking for holes in their products. Instead, this action seemed to play out as a cover-up and tarnished the brand. It’s no longer an option for a manufacturer to bury their head in the sand and pretend that vulnerabilities don’t happen in their products. If your product includes software, you need to pay attention. Smart manufacturers listen to their customers. You don’t have to like hackers, but they are here to stay! Hacker knowledge is powerful and can help manufacturers respond with better quality software to protect systems and people. Getting your credit card number hacked is a first world problem, but as embedded software is built into healthcare systems and products, like pacemakers and insulin pumps, it could mean your life.
  8. One of the first Latin phrases I learned was ‘Caveat Emptor’ which loosely translates as ‘buyer beware’. The End User License Agreement, known as the EULA, protects manufacturers, not customers. Imagine if your local baker slapped one of these on a bread wrapper. Would you purchase and consume bread if you didn’t have confidence in the ingredients and manufacturing process? What if bakers didn’t have to recall tainted bread or warn you that it could make you sick? Smart manufacturers recognize that customers have some basic rights. The United States Consumer Product Safety Commission regulates many products, among them toys (no lead), electrical products (fires), and lawnmowers (toes). My thoughts are that product security may soon be regulated in a similar way. Certainly standards like ISO 27001 and NIST 800-53 are driving manufacturers to provide controls to protect information and the integrity of software components.
  9. My experience centers around the print environment, so that’s the story I’m going to share today. As you can see, multi-function devices have full operating systems that have a broad potential attack surface.
  10. In 2006, a Xerox multi-function device was the focus of a Black Hat presentation by Brendan O’Connor an undergrad at Johns Hopkins looking at embedded systems. So, what did Xerox learn from the Cisco experience?
  11. Rather than pursue legal action, Xerox sent a representative to the presentation. Engineers reached out to Brendan for more info, then issued security bulletins with software patches, and acknowledged his assistance. This soft approach closed vulnerabilities for customers, saved the company court costs, protected the brand, and established a respectful, productive relationship with the hacker that kept the door open for future engagement. While there were a few news articles at the time, the news cycle moved on very quickly.
  12. Brendan O’Connor has enjoyed great success in his career. He’s still hacking and based on his online profiles, is happy. Please note that his path was fueled by a solid foundation in education and certification.
  13. Columbia PhD student Ang Cui and Professor Salvatore Stolfo led a team, funded by government and industry grants, exploring vulnerabilities in the software update process for HP printers. First disclosure was a private briefing to the government that was paying the bills, a week later to HP, and a week later to the national press. A sensational claim was made that malware commands could cause a printer to catch fire, although print manufacturers uniformly responded that mechanical safeguards would prevent this.
  14. Andrei Costin is another researcher who worked with Xerox to resolve vulnerabilities in printers in an ethical manner back in 2013.
  15. Again rather than pursue legal action, Xerox engineers worked closely with the researchers to develop solutions for customers.
  16. And he’s still rocking embedded systems.
  17. In March 2016, hundreds of printers in the US were the victims of a hacktivist who used simple tools to scan the Internet for printers exposing port 9100. This wasn’t really a ‘hack’ but just a straightforward print job containing highly controversial content. This generated headaches and unplanned emergency responses for network administrators. This hacktivist was not motivated by financial gain and did not attempt to work with any print manufacturer.
  18. Again, no printer hacking was involved this round. For most customers, putting the printer behind a firewall closed the door on this vulnerability. Additionally, most MFDs provide access controls that could be enabled to prevent insider copycat attacks.
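As an added example (not from the talk), a small Python check that reads constructed firewall flow records and flags inbound TCP/9100 connections arriving from outside the internal address ranges, which is the exposure behind the March 2016 mass print jobs; the log format, the addresses and the internal ranges are assumptions.

```python
import ipaddress

# Raw (JetDirect-style) printing listens on TCP 9100 on most MFDs.
RAW_PRINT_PORT = 9100

# Assumption: the organization's internal ranges are the RFC 1918 blocks plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample flow records (one accepted connection per line, documentation
# addresses only): "<timestamp> <src> > <dst>:<port> <proto>".
SAMPLE_FLOWS = """\
2016-03-24T10:01:12Z 203.0.113.7 > 198.51.100.20:9100 tcp
2016-03-24T10:01:13Z 203.0.113.7 > 198.51.100.21:9100 tcp
2016-03-24T10:02:40Z 10.1.4.55 > 10.1.9.200:9100 tcp
2016-03-24T10:03:01Z 192.0.2.99 > 198.51.100.20:631 tcp
2016-03-24T10:03:05Z 203.0.113.7 > 198.51.100.22:9100 tcp
"""

def parse_flow(line):
    """Split one constructed flow line into (timestamp, src, dst, port, proto)."""
    ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto

def is_external(addr):
    """True when the address lies outside every configured internal range."""
    return not any(addr in net for net in INTERNAL_NETS)

def exposed_raw_print_connections(log_text):
    """Return (timestamp, src, dst) for raw-print connections from external sources.
    A printer behind a properly configured firewall should produce none of these."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_flow(line)
        if proto == "tcp" and port == RAW_PRINT_PORT and is_external(src):
            hits.append((ts, str(src), str(dst)))
    return hits

def sources_by_printer_count(hits):
    """Count distinct printers each external source reached; one source touching many
    printers is the signature of an Internet-wide scan followed by mass print jobs."""
    per_src = {}
    for _, src, dst in hits:
        per_src.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in per_src.items()}

if __name__ == "__main__":
    found = exposed_raw_print_connections(SAMPLE_FLOWS)
    for hit in found:
        print("external raw-print connection:", *hit)
    print(sources_by_printer_count(found))
```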
  19. Andrew pursues an alternate career path.
  20. It’s a win-win for manufacturers and hackers to work together when vulnerabilities are discovered. Customers also win as product security is maintained over time. <Go through motions, contact, pause, bow head in thanks> Smart manufacturers make contact easy. They’ll often have a dedicated landing page for security. Check out www.xerox.com/security, www.cisco.com/security, www.microsoft.com/security and others.
  21. Examples of Vulnerability Reporting links
  22. Namaste – Contact, Pause, Acknowledge