Why current security solutions fail
  • Speaker note: Antivirus software is one of the most complicated applications. It has to deal with hundreds of file types and formats: executables (exe, dll, msi, com, pif, cpl, elf, ocx, sys, scr, etc.); documents (doc, xls, ppt, pdf, rtf, chm, hlp, etc.); compressed archives (arj, arc, cab, tar, zip, rar, z, zoo, lha, lzh, ace, iso, etc.); executable packers (upx, fsg, mew, nspack, wwpack, aspack, etc.); media files (jpg, gif, swf, mp3, rm, wmv, avi, wmf, etc.). Each of these formats can be quite complex. Hence, it is extremely difficult for antivirus software to process all these formats appropriately.

    1. Why Current Security Solutions Fail? (Bikash Barai, Co-Founder & CEO; © iViZ Security Inc, May 2013)
    2. Introduction
       • About iViZ
         – Cloud based Application Penetration Testing
         – Zero False Positive Guarantee
         – Business Logic Testing with 100% WASC coverage
         – 400+ customers. IDG Ventures Funded.
         – Gartner Hype Cycle mention
       • About myself
         – Co-founder and CEO of iViZ
         – Worked in areas of AI, Anti-spam filters, Multi stage attack simulation etc
         – Love AI, Security, Entrepreneurship, Magic / Mind Reading
    3. Vulnerabilities in Security Products
    4. Symantec Email Appliance (9.5.x). Findings, with rating:
       • Out-of-band stored-XSS, delivered by email: Critical
       • XSS (both reflective and stored) with session-hijacking: High
       • Easy CSRF to add a backdoor-administrator (for example): High
       • SSH with backdoor user account + privilege escalation to root: High
       • Ability for an authenticated attacker to modify the Web-application: High
       • Arbitrary file download was possible with a crafted URL: Medium
       • Unauthenticated detailed version disclosure: Low
       Credits: Brian Smith
    5. Trend Email Appliance (8.2.0.X). Findings, with rating:
       • Out-of-band stored-XSS in user-portal, delivered via email: Critical
       • XSS (both reflective and stored) with session-hijacking: High
       • Easy CSRF to add a backdoor-administrator (for example): High
       • Root shell via patch-upload feature (authenticated): High
       • Blind LDAP-injection in user-portal login-screen: High
       • Directory traversal (authenticated): Medium
       • Unauthenticated access to AdminUI logs: Low
       • Unauthenticated version disclosure: Low
       Credits: Brian Smith
    6. Microsoft Auto-update Hijacking
       • MD5 collision attack to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate.
       • Used the counterfeit certificate to sign code such that malware appeared like genuine Microsoft code and hence remained undetected.
    7. Preboot Authentication Attacks
       • iViZ identified flaws in numerous BIOSes and pre-boot authentication and disk encryption software
         – Bitlocker, TrueCrypt, McAfee Safeboot, DriveCryptor, Diskcryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS found to be vulnerable.
       • Flaws resulted in disclosure of plaintext pre-boot authentication passwords.
       • In some cases, an attacker could bypass pre-boot authentication.
    8. Vulnerabilities in Anti-Virus
       • Discovered by iViZ Security
       • Antivirus products process different types of files having different file-formats.
       • We found flaws in handling malformed compressed, packed and binary files in AVG, Sophos, Avast etc
       • Some of the file formats for which we found flaws in AV products are
         – ISO, RPM, ELF, PE, UPX, LZH
    9. More Vulnerabilities in AV products
       • Detection Bypass
         – CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure, Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file
       • Denial of Service (DoS)
         – CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
    10. Vulnerabilities in VPN products
        • Remote Code Execution
          – CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
          – CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
    11. Report Findings
    12. About the Report/Study
        • iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the Analysis
    13. Key Findings
        • Vulnerabilities increasing at CAGR of 37.29% over the last 3 Years.
        • Anti-Virus accounts for 49% of the vulnerabilities, next Firewall (24%)
        • Top 3 Security vendors with maximum vulnerabilities: McAfee, Cisco followed by Symantec.
        • Top 3 Security products with maximum vulnerabilities: Rising-Global’s Antivirus, Cisco’s Adaptive Security Appliance and Ikarus Virus Utilities.
        • Access Control is the most prominent weakness in Security Products followed by Input Validation.
        • SQL Injection is the least found vulnerability among Security products
    14. Vulnerability Trends (chart panels: In All Products; In Security Products)
    15. Vulnerability by Product Types in 2012
    16. Vulnerabilities by Vendors
    17. (untitled slide)
    18. Comparative Analysis
    19. 5 Predictions
        • We predict an increase in attacks on security products, companies or solutions
        • APT and Cyber-warfare makes “Security Products” the next choice
        • Majority of vulnerabilities discovered will not become public and shall remain in the hands of APT actors
        • Security Products are “High Pay-off” targets since they are present in most systems
        • More vulnerabilities would be sold in the Zero Day Black Market
    20. What should we do to protect ourselves?
        • Test and Don’t Trust (blindly): Conduct proper due diligence of the security product
        • Ask for audit reports
        • Patch security products like any other product
        • Treat security tools in similar manner as other tools during threat modeling
        • Have proper detection and monitoring solutions and multi-layer defense
    21. Thank You
        bikash@ivizsecurity.com
        Blog: http://blog.ivizsecurity.com/
        LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
        Twitter: https://twitter.com/bikashbarai1
        DISCLAIMER: We have used well known vulnerability standards and databases like Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords like ‘ID’, ‘virus’, ‘firewall’, ‘IPS’, ‘scan’ etc. Hence there are chances of some data being missed and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.
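Slides 8 and 9 (and the speaker note at the top) make the point that an antivirus engine must parse many archive formats and that a malformed archive the parser does not fully understand can turn into a detection bypass or a denial of service. The following added example, which is not iViZ's code and not related to any specific product in the deck, shows the defensive design rule that follows from that: a scanner front-end for .tar.gz input that fails closed. It inflates every gzip member under a hard size cap, treats truncated or corrupt input as "malformed" rather than "clean", and walks every tar member. For contrast it also includes a naive inflater that stops after the first gzip member. All archives and the "signature" marker are constructed in memory; nothing here is a real signature or a real sample.

```python
import gzip
import io
import tarfile
import zlib

# Constructed stand-in for a real signature; any tar member containing it is "infected".
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
DEFAULT_LIMIT = 8 * 1024 * 1024   # hard cap on inflated bytes (decompression-bomb guard)


def inflate_all_members(blob: bytes, limit: int = DEFAULT_LIMIT) -> bytes:
    """Inflate every gzip member in the stream under one total size cap.

    Raises ValueError or zlib.error for truncated, corrupt or oversized input,
    so the caller can never mistake a partially parsed archive for a clean one.
    """
    out = bytearray()
    rest = blob
    while rest:
        if len(out) >= limit:
            raise ValueError("inflated size reached the cap")
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # expect gzip framing
        out += d.decompress(rest, limit - len(out))
        if d.unconsumed_tail:          # cap hit while input for this member remains
            raise ValueError("inflated size exceeds the cap")
        if not d.eof:                  # no trailer seen: truncated or corrupt member
            raise ValueError("gzip member incomplete (truncated, corrupt or over cap)")
        rest = d.unused_data           # bytes following this member, if any
    return bytes(out)


def inflate_first_member_only(blob: bytes, limit: int = DEFAULT_LIMIT) -> bytes:
    """Naive variant for contrast: inflates only the first gzip member and
    silently ignores both truncation and any member that follows it."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    return d.decompress(blob, limit)


def scan_targz(blob: bytes, inflate=inflate_all_members, limit: int = DEFAULT_LIMIT) -> str:
    """Return 'clean', 'infected' or 'malformed'.

    Fail closed: anything the parser cannot fully interpret is 'malformed',
    never 'clean', so a parsing gap cannot become a detection bypass.
    """
    try:
        payload = inflate(blob, limit)
    except (zlib.error, ValueError):
        return "malformed"
    try:
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tf:
            for member in tf:
                if not member.isfile():
                    continue
                fh = tf.extractfile(member)
                if fh is not None and MARKER in fh.read():
                    return "infected"
    except tarfile.TarError:
        return "malformed"
    return "clean"


# --- constructed sample archives ------------------------------------------
def build_tar(files: dict) -> bytes:
    """Build an uncompressed tar from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


TAR = build_tar({"readme.txt": b"hello", "payload.bin": b"xx" + MARKER + b"yy"})
CLEAN_TGZ = gzip.compress(build_tar({"readme.txt": b"hello"}))
INFECTED_TGZ = gzip.compress(TAR)
TRUNCATED_TGZ = INFECTED_TGZ[:-10]                  # gzip trailer cut off
# The same tar split across two gzip members at the first entry boundary
# (512-byte header + 512-byte data block = offset 1024).
SPLIT_TGZ = gzip.compress(TAR[:1024]) + gzip.compress(TAR[1024:])
BOMB_TGZ = gzip.compress(b"\0" * 4096)              # scanned below with limit=1024

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_TGZ), ("infected", INFECTED_TGZ),
                       ("truncated", TRUNCATED_TGZ), ("split", SPLIT_TGZ)]:
        print(f"{name:10} all-members={scan_targz(blob):9} "
              f"first-only={scan_targz(blob, inflate_first_member_only)}")
    print("bomb       all-members=" + scan_targz(BOMB_TGZ, limit=1024))
```

The split archive is the instructive case: the naive inflater sees only the first gzip member, finds a well-formed tar containing just readme.txt, and reports clean; the full inflater reconstructs the whole tar and finds the marker. The same fail-closed stance applies to the truncated and oversized inputs, which a scanner should report as unparseable (and typically quarantine or block) rather than pass as clean.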
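Slides 12 and 13 and the closing disclaimer describe the study's method: pull CVE records with their CPE product names, decide which products are "security products" by keyword, then report growth as a CAGR and the share per product category. The added example below reproduces that pipeline on constructed records so the method and its caveat can be seen at once. It is not iViZ's code or data: the records, vendor names and counts are made up, the keyword-to-category mapping is my assumption, and the keyword list uses the four legible tokens from the disclaimer (‘virus’, ‘firewall’, ‘IPS’, ‘scan’). Two records show why the disclaimer calls the result indicative: one security product the keywords miss, and one non-security product that matches on ‘ips’.

```python
from collections import Counter

# Keywords from the report's disclaimer; the category each implies is an assumption.
KEYWORD_CATEGORY = {
    "virus": "anti-virus",
    "firewall": "firewall",
    "ips": "ips",
    "scan": "scanner",
}

# Constructed sample records (id, year, CPE 2.2 name); not NVD data.
RECORDS = [
    ("SAMPLE-01", 2010, "cpe:/a:vendor_a:antivirus:5.0"),
    ("SAMPLE-02", 2010, "cpe:/a:vendor_b:web_browser:3.1"),
    ("SAMPLE-03", 2011, "cpe:/a:vendor_c:firewall_manager:2.0"),
    ("SAMPLE-04", 2011, "cpe:/a:vendor_a:antivirus:5.1"),
    ("SAMPLE-05", 2011, "cpe:/a:vendor_d:media_player:1.0"),
    ("SAMPLE-06", 2012, "cpe:/a:vendor_e:network_ips:7.0"),
    ("SAMPLE-07", 2012, "cpe:/a:vendor_f:vuln_scanner:4.2"),
    ("SAMPLE-08", 2012, "cpe:/a:vendor_a:antivirus:6.0"),
    ("SAMPLE-09", 2012, "cpe:/a:vendor_g:endpoint_protection:9.0"),  # security product the keywords miss
    ("SAMPLE-10", 2012, "cpe:/a:vendor_h:tips_manager:1.0"),         # not security; "ips" matches anyway
]


def product_name(cpe: str) -> str:
    """cpe:/<part>:<vendor>:<product>:<version>... -> the product field."""
    fields = cpe.split(":")
    return fields[3] if len(fields) > 3 else ""


def classify(cpe: str):
    """Return the security category a keyword implies, or None for non-security."""
    name = product_name(cpe).lower()
    for keyword, category in KEYWORD_CATEGORY.items():
        if keyword in name:        # plain substring test, as the disclaimer describes
            return category
    return None


def security_records(records):
    """Keep only records classified as security products, with their category."""
    out = []
    for rid, year, cpe in records:
        category = classify(cpe)
        if category:
            out.append((rid, year, category))
    return out


def security_counts_by_year(records) -> dict:
    counts = Counter(year for _, year, _ in security_records(records))
    return dict(sorted(counts.items()))


def cagr(counts_by_year: dict) -> float:
    """Compound annual growth rate between the first and last year with data."""
    years = sorted(counts_by_year)
    start, end = counts_by_year[years[0]], counts_by_year[years[-1]]
    periods = years[-1] - years[0]
    if periods == 0 or start == 0:
        raise ValueError("need two distinct years and a non-zero starting count")
    return (end / start) ** (1 / periods) - 1


def category_shares(records) -> dict:
    """Fraction of security-product records per category, largest first."""
    cats = Counter(cat for _, _, cat in security_records(records))
    total = sum(cats.values())
    return {cat: n / total for cat, n in cats.most_common()}


if __name__ == "__main__":
    by_year = security_counts_by_year(RECORDS)
    print("security-product records per year:", by_year)
    print(f"CAGR: {cagr(by_year):.2%}")
    for cat, share in category_shares(RECORDS).items():
        print(f"  {cat:10} {share:.0%}")
    print("classified as security:", [rid for rid, _, _ in security_records(RECORDS)])
```

On the constructed data the security-product count grows from 1 to 4 over two years, a CAGR of 100%, and anti-virus takes 3 of 7 records; the numbers are illustrative only. The two edge records are the practical caveat: a keyword filter both under-counts (products with names like endpoint_protection) and over-counts (a substring such as ips inside an unrelated name), so any trend or ranking built this way should be read as the report itself says, as indicative.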