1. APTs and other Stuff
   PHDays 2012
   Version: 1.0
   Author: Martin Eiszner
   Responsible: Martin Eiszner
   Date: 15.05.2012
   Confidentiality: Public

2. Agenda
   • Introduction
   • Toxic Software and the Advanced Persistent Threat
   • APTs on the rise
   • Trusted Software vendors and the “Erosion of trust”
   • How to find those little naughty 0-days for your personal APT
   • Demonstrations
   • Outlook
   • QA
   © 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved

3. SEC Consult – Who we are ...
   • Specialized consultancy for application security
   • Headquarter near Vienna, Austria
   • Offices in Austria, Germany, Lithuania, Singapore and Canada
   • Delivery Centers in Austria, Lithuania and Singapore
   • Strong customer base in Central and Eastern Europe
   • Increasing customer base of clients with global business
   • Partner of Top 30 Software vendors
   (World map with legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients; labelled countries: Austria, Germany, Lithuania, Canada, Singapore, India)

4. Martin Eiszner - Whoami
   • Security consultant
   • Chief technology officer
   • quite some other interests … SW Developer, Reverser, The Web, Mobile devices ?
   • tries to find the perfect approach for identifying security vulnerabilities

5. Agenda (repeated from slide 2)

6. Toxic Software and the APT
   • What is Software ?

7. Toxic Software and the APT
   • Are there any problems with Software ?

8. Toxic Software and the APT
   • Toxic software is all about security vulnerabilities !
   • Who creates “vulnerabilities” and who bears their costs ?

9. Toxic Software and the APT
   • The “One way paradox”
   • When it comes to software there is only

10. Toxic Software and the APT
   • So what is Toxic software really ?
   • and is there a cure ?
   Toxic software contains severe security vulnerabilities with a high probability to harm confidentiality, availability and integrity of its owner's assets.

11. Toxic Software and the APT
   • Advanced Persistent Threats ?
   • What does an APT consist of ?
   APTs are planned and orchestrated, mostly illegal, professional projects.

12. Toxic Software and the APT
   • Attacker -
   • Target -
   • Methodology so far ….
     • Phishing
     • Spreading heavily tailored malware

13. Toxic Software and the APT
   • Spear phishing – the method of the trade ?
   • There is always a better one ..

14. Agenda (repeated from slide 2)

15. APTs on the rise
   • Any examples ?
   • Stuxnet – SCADA attack on nuclear powerplants – Mother of all APTs ?
   • … a security vendor ?
   • … wanna buy some stocks
   • BBC … the Iranian connection
   • … and, and, and ….

16. APTs on the rise
   • Buzzword or the real thing ?

17. Agenda (repeated from slide 2)
18. The “Erosion of trust” lifecycle for SW-Vendors
   (Diagram used on slides 18-25. Stages, left to right: Trust Bubble → 1st suspicious Customer → Erosion of Trust - Customer → Erosion of Trust - Customer Market → Rebuild Trust → Trusted Vendor. Each slide shows speech bubbles for Software Vendor, Customer and Software Product; the bubbles are listed below.)
   • Software Vendor: “Ok, there might be some security issues with our software product but.. the customer is not demanding additional security”
   • Software Vendor: “The customer is satisfied with our level of security”
   • Customer: “I bought a product from a good trusted vendor. The vendor did not mention that the product might be insecure. Ok. This product is secure. Next topic…”

19. The “Erosion of trust” lifecycle for SW-Vendors
   • Customer: “Are there any security vulnerabilities in this software?”
   • Customer: “Let’s invest (some) money and check with a trusted security expert if everything is o.k.”
   • Software Vendor: “We have not seen any major customer complaints yet, so we are in the clear…”

20. The “Erosion of trust” lifecycle for SW-Vendors
   • Customer: “It was not a cheap product, how can this happen?”
   • Customer: “Is the security expert lying or the vendor?”
   • Customer: “We did the security test and it is a disaster!”
   • Customer: “Gosh, I spent money on Quality Assurance the vendor should have done...”
   • Customer: “I wish I never bought that product/asked the security expert to check it.”
   • Customer: “We will discover many more security problems if we continue our analysis…”
   • Customer: “How should I now explain my (past) commitment for this vendor to my boss?”
   • Customer: “What shall I do, now I have a problem that should be resolved by the vendor...”
   • Customer: “It is not enough to fix the now identified problems.”

21. The “Erosion of trust” lifecycle for SW-Vendors
   • Software Vendor: “We will fix the reported issues and we have a satisfied client again…”
   • Software Vendor: “Of course we will solve the problem…”
   • Customer: “The second audit (re-check) shows further severe vulnerabilities…”
   • Customer: “They have not a clue what problem they cause for me personally...”

22. The “Erosion of trust” lifecycle for SW-Vendors
   • International Security Experts: “This vendor product is of interest for us! We should find a 0-day vulnerability, make a public security advisory and a conference presentation”
   • Customers (several): “Make an audit and give me your opinion...”
   • Press: “Bad news is good news: Vendor is not able to solve security issues.”
   • Customer: “I will tell anybody my opinion on that vendor if I am asked..”

23. The “Erosion of trust” lifecycle for SW-Vendors
   • Customer: “Will somebody blame me for choosing this insecure vendor?”
   • Customer: “Damn! We have to do a product selection before we buy from this vendor.”
   • Customer: “They don’t know or they don’t care. They just ignore the problem.”
   • Customer: “We’ll keep using this product if we have to - but hold on, is there really no alternative?”
   • Customer: “This vendor is on the blacklist. Our headquarters will not accept insecure products.”

24. The “Erosion of trust” lifecycle for SW-Vendors
   • Software Vendor:
     • We are investing in secure development processes
     • We are investing in awareness of all employees and partners
     • We will invest in trusted external security experts
     • We will invest in our product security as a key feature
     • We are honest and alert our customers about security issues
     • We know that this will continue
   • Customer: “There are definite improvements in product security, but…”
   • (The customer bubbles of slide 23 are still shown.)

25. The “Erosion of trust” lifecycle for SW-Vendors
   • Software Vendor: (the same six commitments as on slide 24)
   • Customer: “They are proactive in informing me about the risks and involve leading security experts.”
   • Customer: “They are not completely secure but will they solve these problems for me. At least they manage these risks and work hard to make their products as secure as possible.”
26. 0-days for your very personal APT
   • Am I talking bull…. ?

27. Agenda (repeated from slide 2)

28. 0-days for your very personal APT
   • Methods for identifying … usable bugs in “Software products”
     • Application testing and Fuzzing
     • Reverse engineering
     • Source code analyses
     • Or just simply buy them on black markets …
   • A short note on so called “security scanning” tools
   • Just use your

29. 0-days for your very personal APT
   • Application testing and Fuzzing
   • Dynamic and manual testing based on
   • Fault injection …

30. 0-days for your very personal APT
   • Application testing and Fuzzing

31. 0-days for your very personal APT
   • Reverse engineering
   • Closed source
   • Decompiling
   • Disassembling …

32. 0-days for your very personal APT
   • Source code analyses
   • Closed source
   • SSA tools
   • Brainwork

33. 0-days for your very personal APT
   • Any other methods for getting hands on 0-days ?

34. Agenda (repeated from slide 2)

35. Demos
   • What would be the best target for a high profile APT ?

36. Demos
   • Reverse engineering
     • Checkpoint – Client side remote command execution
       Multiple Checkpoint appliances, CVE-2011-1827
   • Fuzzing
     • F5 FirePass SSL VPN – Remote command execution
       CVE-2012-1777
   • Application testing
     • Microsoft ASP.Net – Authentication bypass
       Microsoft Security Bulletin MS11-100 - Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416
   Security software products will be the target of the trade ... soon !

37. Demo I
   • Reverse engineering
   • SSL VPN appliances (Connectra / Security Gateway)
   • SNX, SecureWorkSpace and Endpoint Security On-Demand
   • Patented light weight “security solution”
   • Comes in 2 flavors
     • ActiveX
     • Signed Java Applets

38. Demo I
   • Reverse engineering
   • Problem
     • Programs are flawed with several critical security vulnerabilities
     • Java classes are not obfuscated
   • Any known problems with ActiveX or Signed applets ???

39. Demo I
   Cshell.jar
   CreatePackageURL
   RunPackageAction

40. Demo I
   Cshell.jar
   Method RunCommand in Cpls.class

41. Demo I

42. Demo II
   • Application testing and Fuzzing
   • F5 FirePass – SSL VPN

43. Demo II
   • Application testing and Fuzzing
   • F5 FirePass – SSL VPN
   • Problems – this time server side
   • Any problems related to SQL queries and user input ?

44. Demo II
   • SQL Injection is pretty old ..
   • Concatenated SQL queries and user input ?
   • File access rights for SQL schemas ?
   • SUDO permissions for SQL users ?

45. Demo II

46. Demo III
   • Application testing
   • ASP.Net – Membership framework
   • Part of the “Security Content Map”
   • built-in - validate and store user credentials
   • Microsoft way

47. Demo III
   • Application testing and fuzzing
   • Some ASP.Net application test
     Database column truncation – vulnerability
     tries to create duplicate users and elevate privileges …

48. Demo III
   • Application testing and fuzzing
   • Problems
   • Passing data between different layers ( “managed” vs “unmanaged”)
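Slides 47 and 48 name the bug class (a uniqueness check made in one layer while another layer silently shortens the value) but show no code. The following is an added example, not code from the talk or from the ASP.Net membership framework: a constructed Python/sqlite user store in which the column width (COLUMN_LIMIT) and a NUL-terminated "ticket" view are assumptions standing in for database column truncation and lstrlenW, with a naive registration check beside a hardened one that validates the exact value every layer will see.

```python
import sqlite3

# Constructed column width: stands in for a storage layer that silently cuts
# values longer than the column (the slides' "database column truncation").
COLUMN_LIMIT = 5


def db_view(username: str) -> str:
    """The storage layer's view of the name: anything past the column width is dropped."""
    return username[:COLUMN_LIMIT]


def ticket_view(username: str) -> str:
    """A NUL-terminated string routine's view (lstrlenW style): it stops at the first NUL."""
    nul = username.find("\x00")
    return username if nul < 0 else username[:nul]


class UserStore:
    """Tiny in-memory user table (sqlite, constructed for this example)."""
    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")

    def count_named(self, name: str) -> int:
        cur = self.conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,))
        return cur.fetchone()[0]

    def insert(self, name: str, role: str) -> None:
        # Like a truncating column, the store keeps only what fits.
        self.conn.execute("INSERT INTO users (name, role) VALUES (?, ?)", (db_view(name), role))


def register_naive(store: UserStore, username: str) -> bool:
    """Uniqueness is checked on the raw input, but the truncated value is what gets
    stored, so a second row can end up with the same name as an existing account."""
    if store.count_named(username):
        return False
    store.insert(username, "user")
    return True


def register_hardened(store: UserStore, username: str) -> bool:
    """Reject any name whose identity would change in a downstream layer, then check
    uniqueness on exactly the value that will be stored and compared later."""
    if not username or username != username.strip():
        return False
    if db_view(username) != username or ticket_view(username) != username:
        return False  # would be silently shortened by the column or by lstrlenW
    if store.count_named(username):
        return False
    store.insert(username, "user")
    return True


def demo() -> dict:
    """Run both flows against fresh stores seeded with an 'admin' account."""
    naive, hardened = UserStore(), UserStore()
    naive.insert("admin", "admin")
    hardened.insert("admin", "admin")
    return {
        # the raw check sees no 'adminX', but the row is stored as 'admin'
        "naive_accepted": register_naive(naive, "adminX"),
        "naive_rows_named_admin": naive.count_named("admin"),
        "hardened_rejects_truncated": not register_hardened(hardened, "adminX"),
        "hardened_rejects_nul": not register_hardened(hardened, "admin\x00x"),
        "hardened_rejects_existing": not register_hardened(hardened, "admin"),
        "hardened_accepts_new": register_hardened(hardened, "bob"),
        "hardened_rows_named_admin": hardened.count_named("admin"),
    }


if __name__ == "__main__":
    print(demo())
```

The same mismatch shows up wherever a managed string is handed to a length-limited or NUL-terminated consumer, so the hardened check should mirror every downstream representation, not just the database column.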
49. Demo III
   • Membership framework - a closer look
     FormsAuthentication
       MakeTicketIntoBinaryBlob()
     webengine4.dll
       CookieAuthConstructTicket()
       CopyStringToUnAlingnedBuffer() – copies a unicode string to some array
       lstrlenW() – determines the length of the unicode string using

50. Demo III
   • Membership framework - not to forget
   The membership framework creates a /Register.aspx context „out of the Box“ … even if you don't want to.

51. Demo III
   • Membership framework

52. Agenda (repeated from slide 2)

53. In one sentence …
   Toxic Security Software products created by Software vendors are real and they are actively being used as a perfect and stealthy point of departure for the bad guys to carry out most successful targeted attacks !

54. Outlook - future of targeted attacks
   We will see random attacks .. but a good deal more targeted attacks against high profile organizations and companies soon!

55. Outlook - future of targeted attacks
   • … only two things
   Neither … nor …ing your most hated foreign countries will help You !

56. Outlook - future of targeted attacks
   • … and
   The war is not over yet …

57. Outlook - counter measures ?
   • KISS
     • Awareness
     • Enforce warranty in terms of Information security from software vendors
       ○ If the vendor refuses .. change vendor
     • Implement quality gates for new Software products

58. QA