APTs and other Stuff

PH days 2012

Version: 1.0
Author: Martin Eiszner
Responsible: Martin Eiszner
Date: 15.05.2012
Confidentiality: Public

Upload: positive-hack-days

Post on 13-May-2015


Page 1: Apts and other stuff

APTs and other Stuff

PH days 2012

Version: 1.0
Author: Martin Eiszner
Responsible: Martin Eiszner
Date: 15.05.2012
Confidentiality: Public

Page 2: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• APTs on the rise

• Trusted Software vendors and the “Erosion of trust”

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved

Page 3: Apts and other stuff

SEC Consult – Who we are ...

[World map: labels Canada, India, Lithuania, Germany, Austria, Central and Eastern Europe, Singapore; legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients]

• Specialized consultancy for application security

• Headquarter near Vienna, Austria

• Offices in Austria, Germany, Lithuania, Singapore and Canada

• Delivery Centers in Austria, Lithuania and Singapore

• Strong customer base in Central and Eastern Europe

• Increasing customer base of clients with global business

• Partner of Top 30 Software vendors

Page 4: Apts and other stuff

Martin Eiszner - Whoami

• Security consultant

• Chief technology officer

• quite some other interests …

[Diagram: SW Developer, Reverser, The Web, Mobile devices, ? – tries to find the perfect approach for identifying security vulnerabilities]

Page 5: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• APTs on the rise

• Trusted Software vendors and the “Erosion of trust”

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 6: Apts and other stuff

Toxic Software and the APT

• What is Software ?


Page 7: Apts and other stuff

Toxic Software and the APT

• Are there any problems with Software ?


Page 8: Apts and other stuff

Toxic Software and the APT

• Toxic software is all about security vulnerabilities !


Who creates “vulnerabilities” and who bears its costs ?

Page 9: Apts and other stuff

Toxic Software and the APT

• The “One way paradox”


When it comes to software there is only

Page 10: Apts and other stuff

Toxic Software and the APT

• So what is Toxic software really ?

• and is there a cure ?

Toxic software contains severe security vulnerabilities with a high probability to harm confidentiality, availability and integrity of its owner's assets.

Page 11: Apts and other stuff

Toxic Software and the APT

• Advanced persistence threats ?

• What does an APT consist of ?

APTs are planned and orchestrated, mostly illegal, professional projects

Page 12: Apts and other stuff

Toxic Software and the APT

• Attacker -

• Target -

• Methodology so far ….

• Phishing

• Spreading heavily tailored malware

Page 13: Apts and other stuff

Toxic Software and the APT

• Spear phishing – the method of the trade ?

• There is always a better one ..


Page 14: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• APTs on the rise

• Trusted Software vendors and the “Erosion of trust”

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 15: Apts and other stuff

APTs on the rise

• Any examples ?

[News screenshots, captions:]

Stuxnet SCADA attack on nuclear powerplants

Mother of all APTs ?

… a security vendor ?

… wanna buy some stocks

BBC … the Iranian connection

The and and and ….

Page 16: Apts and other stuff

APTs on the rise

• Buzzword or the real thing ?

Page 17: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• APTs on the rise

• Trusted Software vendors and the “Erosion of trust”

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 18: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer and Software Vendor]

Customer: I bought a software product from a good trusted vendor. The vendor did not mention that the product might be insecure.

Software Vendor: Ok, there might be some security issues with our product but… the customer is not demanding additional security.

Software Vendor: The customer is satisfied with our level of security.

Software Vendor: Ok. This product is secure. Next topic…

Page 19: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customers, Software Vendor, Software Product]

Customer: Are there any security vulnerabilities in this software?

Customer: Let’s invest (some) money and check with a trusted security expert if everything is o.k.

Software Vendor: We have not seen any major customer complaints yet, so we are in the clear…

Page 20: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer, Software Product]

Security expert: We did the security crash test and it is a disaster! We will discover many more security problems if we continue our analysis… It is not enough to fix the now identified problems.

Customer: Is the security expert lying or the vendor?

Customer: Gosh, I spent money on Quality Assurance the vendor should have done...

Customer: It was not a cheap product, how can this happen?

Customer: I wish I never bought that product/asked the security expert to check it.

Customer: How should I now explain my (past) commitment for this vendor to my boss?

Customer: What shall I do, now I have a problem that should be resolved by the vendor...

Page 21: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer, Software Vendor, Software Product]

Software Vendor: We will fix the reported issues and we have a satisfied client again…

Software Vendor: Of course we will solve the problem…

Customer: The second audit (re-check) shows further severe vulnerabilities…

Customer: They have not a clue what problem they cause for me personally...

Page 22: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors many Customers, Press, International Security Experts, Software Product]

International Security Experts: We should find a 0-day vulnerability, make a public security advisory and a conference presentation

Press: Bad news is good news: Vendor is not able to solve security issues.

Customer: This vendor product is of interest for us!

Customer: Make an audit and give me your opinion...

Customer: I will tell anybody my opinion on that vendor if I am asked..

Page 23: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer, Software Product]

Customer: They don’t know or they don’t care. They just ignore the problem.

Customer: Will somebody blame me for choosing this insecure vendor?

Customer: Damn! We have to do a product selection before we buy from this vendor.

Customer: We’ll keep using this product if we have to - but hold on, is there really no alternative?

Customer: This vendor is on the blacklist. Our headquarters will not accept insecure products.

Page 24: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer, Software Vendor, Software Product]

Software Vendor:

• We are investing in secure development processes

• We are investing in awareness of all employees and partners

• We will invest in trusted external security experts

• We will invest in our product security as a key feature

• We are honest and alert our customers about security issues

• We know that this will continue

Customer: There are definite improvements in product security, but…

Customer: We’ll keep using this product if we have to - but hold on, is there really no alternative?

Customer: This vendor is on the blacklist. Our headquarter will not accept insecure products.

Customer: They don’t know or they don’t care. Either way, they ignore the problem.

Customer: Will somebody blame me for choosing this insecure vendor?

Customer: Damn! We have to do a product selection before we buy from this vendor.

Page 25: Apts and other stuff

The “Erosion of trust” lifecycle for SW - Vendors

[Diagram: lifecycle stages Trust Bubble, 1st suspicious Customer, Erosion of Trust - Customer, Erosion of Trust - Market, Rebuild Trust, Trusted Vendor; actors Customer, Software Vendor, Software Product]

Software Vendor:

• We are investing in secure development processes

• We are investing in awareness of all employees and partners

• We will invest in trusted external security experts

• We will invest in our product security as a key feature

• We are honest and alert our customers about security issues

• We know that this will continue

Customer: They are proactive in informing me about the risks and involve leading security experts.

Customer: They are not completely secure but will they solve these problems for me?

Customer: At least they manage these risks and work hard to make their products as secure as possible.

Page 26: Apts and other stuff

0 days for your very personal APT

• Am I talking bull…. ?


Page 27: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• APTs on the rise

• Trusted Software vendors and the “Erosion of trust”

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 28: Apts and other stuff

0 days for your very personal APT

• Methods for identifying … usable bugs in “Software products”

• Application testing and Fuzzing

• Reverse engineering

• Source code analysis

• Or just simply buy them on black markets …

• A short note on so called “security scanning” tools

• Just use your

Page 29: Apts and other stuff

0 days for your very personal APT

• Application testing and Fuzzing

• Dynamic and manual testing based on

• Fault injection …

Page 30: Apts and other stuff

0 days for your very personal APT

• Application testing and Fuzzing

Page 31: Apts and other stuff

0 days for your very personal APT

• Reverse engineering

• Closed source

• Decompiling

• Disassembling …


Page 32: Apts and other stuff

0 days for your very personal APT

• Source code analysis

• Closed source

• SSA tools

• Brainwork

Page 33: Apts and other stuff

0 days for your very personal APT

• Any other methods for getting hands on 0 days

Page 34: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• Trusted Software vendors and the “Erosion of trust”

• APTs on the rise

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 35: Apts and other stuff

Demos

• What would be the best target for a high profile APT ?


Page 36: Apts and other stuff

Demos

• Reverse engineering

Checkpoint – Client side remote command execution, Multiple Checkpoint appliances, CVE-2011-1827

• Fuzzing

F5 FirePass SSL VPN – Remote command execution, CVE-2012-1777

• Application testing

Microsoft ASP.Net – Authentication bypass, Microsoft Security Bulletin MS11-100 - Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416

Security software products will be the target of the trade ... soon !

Page 37: Apts and other stuff

Demo I

• Reverse engineering

• SSL VPN appliances (Connectra / Security Gateway)

• SNX, SecureWorkSpace and Endpoint Security On-Demand

• Patented light weight “security solution”

• Comes in 2 flavors

• ActiveX

• Signed Java Applets

Page 38: Apts and other stuff

Demo I

• Reverse engineering

• Problem

• Programs are flawed with several critical security vulnerabilities

• Java classes are not obfuscated

• Any known problems with ActiveX or Signed applets ???

Page 39: Apts and other stuff

Demo I

[Screenshot of decompiled Cshell.jar: CreatePackageURL, RunPackageAction]

Page 40: Apts and other stuff

Demo I

[Screenshot of decompiled Cshell.jar: method RunCommand in Cpls.class]

Page 41: Apts and other stuff

Demo I


Page 42: Apts and other stuff

Demo II

• Application testing and Fuzzing

• F5 FirePass – SSL VPN

Page 43: Apts and other stuff

Demo II

• Application testing and Fuzzing

• F5 FirePass – SSL VPN

• Problems – this time server side

• Any problems related to SQL queries and user input ?

Page 44: Apts and other stuff

Demo II

• SQL Injection is pretty old ..

• Concatenated SQL queries and user input ?

• File access rights for SQL schemas ?

• SUDO permissions for SQL users ?
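The first bullet is the whole story of this demo class, so here is an added example (not code from the talk and not the FirePass code base) that puts the concatenated query next to its parameterized form and runs both against a constructed in-memory SQLite table. The table, its two sample accounts and the login functions are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows standing in for a product's user table (not from the talk).
SEED_USERS = [("alice", "s3cret", 0), ("root", "hunter2", 1)]


def make_db():
    """Create an in-memory users table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote character
    in the input changes the statement's structure instead of being compared as data."""
    sql = ("SELECT name, is_admin FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, name, password):
    """Hardened: the same query with bound parameters. The driver passes the
    values separately from the statement, so they can only ever match as data."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def compare(name, password):
    """Run both variants on identical input and return (concat_rows, param_rows)."""
    conn = make_db()
    try:
        return login_concat(conn, name, password), login_param(conn, name, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal login behaves the same either way.
    print(compare("alice", "s3cret"))
    # A quote in the password turns the concatenated WHERE clause into
    # "... AND password = '' OR '1'='1'", which matches every row (the admin
    # row included); the parameterized query matches nothing.
    print(compare("nobody", "' OR '1'='1"))
```

The remaining two bullets are about blast radius rather than the injection itself: once an injection exists, what the database account may read on disk and whether it can escalate further decides whether the bug is "dump one table" or "remote command execution", so the database user an application connects with should carry the minimum rights the application actually needs.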

Page 45: Apts and other stuff

Demo II


Page 46: Apts and other stuff

Demo III

• Application testing

• ASP.Net – Membership framework

• Part of the “Security Content Map”

• built-in - validate and store user credentials

• Microsoft way

Page 47: Apts and other stuff

Demo III

• Application testing and fuzzing

• Some ASP.Net application test

Database column truncation vulnerability – tries to create duplicate users and elevate privileges …
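To make the slide's "duplicate users" concrete, here is an added illustration (constructed for this page, not the ASP.NET Membership code and not the talk's demo) of the failure mode in miniature: a registration routine whose duplicate check compares the raw input while the column stores a truncated copy, beside one that validates the value against the column width before touching the database. The 16-character column width, the sample administrator row and the function names are assumptions; SQLite does not truncate on its own, so the column behaviour is simulated in `column_store`.

```python
import sqlite3

# Assumed width of the users.name column; the real limit depends on the schema.
NAME_COLUMN_WIDTH = 16


def column_store(name):
    """Model a fixed-width character column that silently truncates overlong
    values and ignores trailing blanks on comparison (simulated here because
    SQLite itself stores the full string)."""
    return name[:NAME_COLUMN_WIDTH].rstrip(" ")


def make_store():
    """Constructed user table holding one pre-existing administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', 'admin')")
    return conn


def register_vulnerable(conn, name, password):
    """The duplicate check looks at the raw input, but the row is written in the
    column's truncated form, so the check and the stored value can disagree."""
    if conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone():
        return False
    conn.execute("INSERT INTO users VALUES (?, ?, 'user')",
                 (column_store(name), password))
    return True


def register_hardened(conn, name, password):
    """Refuse any name the column cannot hold verbatim, then check exactly the
    value that will be stored. A UNIQUE constraint on name is the matching
    database-side guard and belongs in the schema as well."""
    if name != name.strip() or len(name) > NAME_COLUMN_WIDTH:
        return False
    if conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone():
        return False
    conn.execute("INSERT INTO users VALUES (?, ?, 'user')", (name, password))
    return True


def rows_named(conn, name):
    """How many accounts share this name; more than one means a login lookup
    for `name` may land on the wrong row."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE name = ?",
                        (name,)).fetchone()[0]


def attempt(register):
    """Drive one registration routine with a 17-character name that the column
    truncates to the existing 'admin'; return (accepted, rows named 'admin')."""
    conn = make_store()
    overlong = "admin".ljust(NAME_COLUMN_WIDTH) + "x"   # 'admin' + 11 blanks + 'x'
    accepted = register(conn, overlong, "new-password")
    return accepted, rows_named(conn, "admin")


if __name__ == "__main__":
    print("vulnerable:", attempt(register_vulnerable))   # (True, 2)
    print("hardened:  ", attempt(register_hardened))     # (False, 1)
```

The lesson generalises beyond names: whenever a value crosses a boundary that may shorten it (a column width, a fixed buffer, a layer with its own idea of string length), the security check has to run on the representation the other side will actually keep.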

Page 48: Apts and other stuff

Demo III

• Application testing and fuzzing

• Problems

• Passing data between different layers ( “managed” vs “unmanaged”)

Page 49: Apts and other stuff

Demo III

• Membership framework - a closer look

[Screenshot: call chain]

FormsAuthentication → MakeTicketIntoBinaryBlob() → webengine4.dll: CookieAuthConstructTicket()

CopyStringToUnAlingnedBuffer() copies a unicode string to some array

lstrlenW() determines the length of the unicode string using

Page 50: Apts and other stuff

Demo III

• Membership framework - not to forget

The membership framework creates a /Register.aspx context “out of the box” … even if you don't want to.

Page 51: Apts and other stuff

Demo III

• Membership framework


Page 52: Apts and other stuff

Agenda

• Introduction

• Toxic Software and the Advanced persistence threat

• Trusted Software vendors and the “Erosion of trust”

• APTs on the rise

• How to find those little naughty 0 days for your personal APT

• Demonstrations

• Outlook

• QA

Page 53: Apts and other stuff

In one sentence …

Toxic security software products created by software vendors are real, and they are actively being used as a perfect and stealthy point of departure for the bad guys to carry out most successful targeted attacks !

Page 54: Apts and other stuff

Outlook - future of targeted attacks

We will see random attacks .. but a good deal more targeted attacks against high profile organizations and companies soon!

Page 55: Apts and other stuff

Outlook - future of targeted attacks

• … only two things

Neither … nor …ing your most hated foreign countries will help You !

Page 56: Apts and other stuff

Outlook - future of targeted attacks

• … and

The war is not over yet …

Page 57: Apts and other stuff

Outlook - counter measures ?

• KISS

• Awareness

• Enforce warranty in terms of Information security from software vendors

○ If the vendor refuses .. change vendor

• Implement quality gates for new software products

Page 58: Apts and other stuff

QA
