Hacking Ahead of the Hackers
Upcoming SlideShare
Loading in...5

Hacking Ahead of the Hackers



Hacking Ahead of the Hackers...

Hacking Ahead of the Hackers

To stay ahead of the advanced persistent threats that continue to challenge security teams at organizations of all sizes, it’s helpful to understand the scope of what you’re up against. This presentation is a great primer on developing a vulnerability management strategy, presented by eEye Digital Security, the industry’s most consistent contributor to the information technology community of research and education .



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Hacking Ahead of the Hackers Hacking Ahead of the Hackers Presentation Transcript

  • Hacking Ahead of the HackersMorey J. Haber, Product Managementhttp://blog.eeye.comhttp://www.eeye.com© 2010 eEye Confidential & Proprietary
  • Vulnerabilities In The News “Monster.com waited five days to tell its “Monster.com waited five days to tell its users about a security breach that users about a security breach that resulted in the theft of confidential resulted in the theft of confidential information from some 1.3 million job information from some 1.3 million job seekers…” (August 2007) seekers…” (August 2007) 95% of all attacks come from known vulnerabilities and are preventable Heartland CEO, Robert Carr, “PCI “49 Congressional Websites compliance auditors failed the Hacked By Brazilian Red Eye company”, 100 million credit cards Crew‘” (February 2010) exposed (January - April 2009)© 2010 eEye Confidential & Proprietary CERT® Coordination Center (CERT/CC), Carnegie Mellon Software Engineering Institute
  • The Beginning of Modern Hacks• The Microsoft Security “Revolution” Started in 1999 – First major remote “SYSTEM” vulnerabilities – First proof of concept buffer overflow exploits – Many discovered by eEye Digital Security• Widespread Nature of Microsoft Software – No focus on security vulnerabilities by anyone. – Denial by programmers and executives that there is a problem.• Results: – Finding Microsoft bugs was “unique” and “cool” – Birth of the Microsoft Security Response Center – Security “is a marketing problem” … Response – “Purely theoretical” … Sure but it can not happen – “That is a denial of service” … Forcing a problem – “Heap overflows are not exploitable” … People did not believe© 2010 eEye Confidential & Proprietary
  • Why Security Got Better… Past • The Code-Red Worm as a Fact – Turning point for vulnerabilities and the way we deal with security – Government awareness; the White House web servers were the target – This became a press and financial issue (think PCI DSS and why?) – Over 2 billion USD in damages • Microsoft Improved For Many Reasons – Large corporations threatened to drop Microsoft because of insecurity – Microsoft wants to make money off of security, security company acquisitions, move into consumer anti-virus, etc. On July 19, 2001, more than 359,000 computers were infected with the Code-Red worm in less than 14 hours© 2010 eEye Confidential & Proprietary
  • Security Progression… Present• Microsoft has a better security process than any other software vendor!• Microsoft adds additional security defenses into their product with every release – Heap Randomization, Heap NX, DEP, ASLR• Windows 7, does improve security a lot, but still not perfect. Applications will always run on the operating system and ports will have to be open• Researchers, exploit developers, have all progressed greatly over the last 10 years. Popularity and focus. In the simplest terms, think of viruses compared to spyware. Remember all the problems with pop-ups?• Most major software companies have made zero progress in terms of a security response for developing software• What about all of the mission critical custom applications organizations have that have been custom written including web applications ? © 2010 eEye Confidential & Proprietary
  • Trends in Hacking, Ahead of the Hackers• Logic Bombs• Ransom Ware & Rogue Ware• Blend Threats Using Application Vulnerabilities and Social Engineering – What File Does Your HR Representative Open All the Time ? – New Web Application Threats: i.e. File Uploads, etc. Are the Swirls Moving ? © 2010 eEye Confidential & Proprietary
  • Rethinking Authentication to Beat a Hack… Graphical Passwords Leonardo Sobrado and Jean-Camille Birget Department of Computer Science, Rutgers University© 2010 eEye Confidential & Proprietary
  • What is Wrong with this Desktop for a COE ?© 2010 eEye Confidential & Proprietary
  • Malicious Software or Real Security?© 2010 eEye Confidential & Proprietary
  • Just a Clever Social Engineering Hack…© 2010 eEye Confidential & Proprietary
  • Social Web Sites…© 2010 eEye Confidential & Proprietary
  • Microsoft 11 Years Later…• More Microsoft “zero-day” vulnerabilities than ever• 14 out of 44 bulletins in 2009 contained zero-day fixes• Proliferation of “file format” vulnerabilities• Worms are dead, but we now have bots and focused attacks• However Microsoft has been better with not introducing more vulnerabilities within patches (Unlike 2006)• Imagine starting over with another leader in the industry and losing what we learned…• How many COE’s does your environment support ?© 2010 eEye Confidential & Proprietary
  • Custom Applications What about all of the mission critical custom applications?• Back to Basics – Clear text passwords in files – Data encryption – Temporary files• Based on Insecure Technology – Older non supported operating systems – Embedded open source using older versions• Built on Scripting Tools and Remote Command Shells – Targeted attacks – Internal exploitation – Human configuration error / Lack of expertise• Poorly Written Web Applications – Database Security – Easy Hacks for XSS© 2010 eEye Confidential & Proprietary
  • History Will Repeat Itself…• Researchers – There has never been a better time to be in vulnerability research – You have a 12 year head start on the average software company• Software Vendors and Custom Application Developers – You will save more money by investing in security now – Test your applications before production – Harden your applications and operating systems before production – Learn from history and test your systems regularly!• IT Community – You are stuck in the middle – Organizational awareness of non-Microsoft vulnerabilities – Security policies, plans, products, people, and policies that do not solely revolve around Microsoft when it comes to your Windows platforms including how applications get security updates© 2010 eEye Confidential & Proprietary
  • The Million Dollar Question:Where do you see hacks in the next year?• What Does Security Look Like… – When will corporations move to Windows 7 or virtual machines or even Apple? – Will consumer applications are be cloud based?• What Do Attacks Then Start to Look Like? – Sandbox: Does the value of local privilege escalation vulnerabilities increase? – Web apps: How do you research what you are not legally allowed to audit? – Work Anywhere: When users have full access to corporate data anywhere and from anything. i.e. PDA Cell Phones• How do you proactively protect and detect against these attacks when they are not even documented yet? (Google Aurora)• Are regulatory compliance initiatives live PCI, SOX, HIPAA good enough? – Answer: No – Just ask the CEO of Heartland, Robert Carr© 2010 eEye Confidential & Proprietary
  • Hacking Ahead of the Hackers, This Year…• Web Applications – Every application is different has zero-days even though the category is the same like SQL injection or cross site scripting – Every web application is a custom application• Social Engineering – Same exploit and result (money) different story• Fake Applications – Anti-Virus 2009 – Press “Continue for Your Free Coupon” – RogueWare, McAfee DAT Exploits• Browser Based Attacks – Innovative Active-X exploits – More page and frame manipulation – Browsers look like windows and real applications, RIA malware – Think MS Office in a browser or Google Chrome – Apple becoming a Real Target !© 2010 eEye Confidential & Proprietary
  • This Week… Opps© 2010 eEye Confidential & Proprietary 17
  • About eEye• Our Company • Founded in 1998 • Growing and profitable • Leaders in security & compliance• Our Strengths • World renowned research team • Trusted security advisors • Recognized product leadership • Unparalleled services & support• Our Difference • Fast, flexible deployment • Integrated end-to-end solution • Commitment to our customers© 2010 eEye Confidential & Proprietary 18
  • Unified Vulnerability Management10-Feb-2009 09-Dec-2008 08-Dec-2008Vulnerability exists in BlackBerry Application Web Windows Saved Search Vulnerability Linksys WVC54GC NetCamPlayerWeb11gv2Loader ActiveX control MS08-075 ActiveX control stack buffer overflowCVE-2009-0305 (http://www.microsoft.com/technet/security/bullet VU#639345© 2010 eEye Confidential & Proprietaryhttp://blackberry.com/btsc/KB16248 in/ms08-075.mspx) 19 (https://www.kb.cert.org/vuls/id/639345)
  • Questions and Answers ?© 2010 eEye Confidential & Proprietary 20