APTs and other Stuff
TRANSCRIPT
PHDays 2012
Version: 1.0
Author: Martin Eiszner
Responsible: Martin Eiszner
Date: 15.05.2012
Confidentiality: Public
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved
SEC Consult – Who we are ...
(Map: SEC Consult Headquarter, SEC Consult Offices in Canada, India, Lithuania, Germany, Austria and Singapore, Other SEC Consult Clients in Central and Eastern Europe)
• Specialized consultancy for application security
• Headquarter near Vienna, Austria
• Offices in Austria, Germany, Lithuania, Singapore and Canada
• Delivery Centers in Austria, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business
• Partner of Top 30 Software vendors
Martin Eiszner - Whoami
• Security consultant
• Chief technology officer
• quite some other interests …
(Diagram: SW Developer, Reverser, The Web, Mobile devices, ?)
… tries to find the perfect approach for identifying security vulnerabilities
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
Toxic Software and the APT
• What is Software ?
Toxic Software and the APT
• Are there any problems with Software ?
Toxic Software and the APT
• Toxic software is all about security vulnerabilities !
Who creates “vulnerabilities” and who bears their costs ?
Toxic Software and the APT
• The “One way paradox”
When it comes to software there is only
Toxic Software and the APT
• So what is Toxic software really ?
• and is there a cure ?
Toxic software contains severe security vulnerabilities with a high probability of harming the confidentiality, availability and integrity of its owner’s assets.
Toxic Software and the APT
• Advanced persistence threats ?
• What does an APT consist of
APTs are planned and orchestrated, mostly illegal, professional projects.
Toxic Software and the APT
• Attacker -
• Target -
• Methodology so far ….
• Phishing
• Spreading heavily tailored malware
Toxic Software and the APT
• Spear phishing – the method of the trade ?
• There is always a better one ..
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
APTs on the rise
• Any examples ?
Stuxnet – SCADA attack on nuclear power plants – Mother of all APTs ?
… a security vendor ?
… wanna buy some stocks ?
BBC … the Iranian connection
The … and … and … and …. (company logos)
APTs on the rise
• Buzzword or the real thing ?
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
The “Erosion of trust” lifecycle for SW - Vendors
(Diagram: Trust Bubble → 1st suspicious Customer → Erosion of Trust - Customer → Erosion of Trust - Market → Rebuild Trust → Trusted Vendor)
Customer: I bought a software product from a good trusted vendor. The vendor did not mention that the product might be insecure.
Software Vendor: Ok, there might be some security issues with our product but … the customer is not demanding additional security. The customer is satisfied with our level of security. Ok. This product is secure. Next topic…

The “Erosion of trust” lifecycle for SW - Vendors
Software Vendor: We have not seen any major customer complaints yet, so we are in the clear…
Customer: Let’s invest (some) money and check with a trusted security expert if everything is o.k. Are there any security vulnerabilities in this software?

The “Erosion of trust” lifecycle for SW - Vendors
“We did the security crash test and it is a disaster! We will discover many more security problems if we continue our analysis… It is not enough to fix the now identified problems.”
Customer: Is the security expert lying or the vendor? Gosh, I spent money on Quality Assurance the vendor should have done... It was not a cheap product, how can this happen? I wish I never bought that product / asked the security expert to check it. How should I now explain my (past) commitment for this vendor to my boss? What shall I do, now I have a problem that should be resolved by the vendor...

The “Erosion of trust” lifecycle for SW - Vendors
Software Vendor: We will fix the reported issues and we have a satisfied client again… Of course we will solve the problem…
“The second audit (re-check) shows further severe vulnerabilities…”
Customer: They have not a clue what problem they cause for me personally...

The “Erosion of trust” lifecycle for SW - Vendors
International Security Experts: We should find a 0-day vulnerability, make a public security advisory and a conference presentation.
Customers: Make an audit and give me your opinion... This vendor product is of interest for us!
Press: Bad news is good news: Vendor is not able to solve security issues.
Customer: I will tell anybody my opinion on that vendor if I am asked..

The “Erosion of trust” lifecycle for SW - Vendors
Customer: They don’t know or they don’t care. Either way, they ignore the problem. Will somebody blame me for choosing this insecure vendor? Damn! We have to do a product selection before we buy from this vendor. We’ll keep using this product if we have to - but hold on, is there really no alternative? This vendor is on the blacklist. Our headquarters will not accept insecure products.

The “Erosion of trust” lifecycle for SW - Vendors
Software Vendor:
• We are investing in secure development processes
• We are investing in awareness of all employees and partners
• We will invest in trusted external security experts
• We will invest in our product security as a key feature
• We are honest and alert our customers about security issues
• We know that this will continue
Customer: There are definite improvements in product security, but…

The “Erosion of trust” lifecycle for SW - Vendors
Customer: They are proactive in informing me about the risks and involve leading security experts. They are not completely secure but will they solve these problems for me. At least they manage these risks and work hard to make their products as secure as possible.
0 days for your very personal APT
• Am I talking bull…. ?
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• APTs on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
0 days for your very personal APT
• Methods for identifying … usable bugs in “Software products”
• Application testing and Fuzzing
• Reverse engineering
• Source code analysis
• Or just simply buy them on black markets …
• A short note on so called “security scanning” tools
• Just use your
0 days for your very personal APT
• Application testing and Fuzzing
• Dynamic and manual testing based on
• Fault injection …
0 days for your very personal APT
• Application testing and Fuzzing
0 days for your very personal APT
• Reverse engineering
• Closed source
• Decompiling
• Disassembling …
0 days for your very personal APT
• Source code analysis
• Closed source
• SSA tools
• Brainwork
0 days for your very personal APT
• Any other methods for getting hands on 0 days ?
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• Trusted Software vendors and the “Erosion of trust”
• APTs on the rise
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
Demos
• What would be the best target for a high profile APT ?
Demos
• Reverse engineering – Checkpoint – Client side remote command execution – Multiple Checkpoint appliances – CVE-2011-1827
• Fuzzing – F5 FirePass SSL VPN – Remote command execution – CVE-2012-1777
• Application testing – Microsoft ASP.Net – Authentication bypass – Microsoft Security Bulletin MS11-100 - Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420) – CVE-2011-3416
Security software products will be the target of the trade ... soon !
Demo I
• Reverse engineering
• SSL VPN appliances (Connectra / Security Gateway)
• SNX, SecureWorkSpace and Endpoint Security On-Demand
• Patented light weight “security solution”
• Comes in 2 flavors
• ActiveX
• Signed Java Applets
Demo I
• Reverse engineering
• Problem
• Programs are flawed with several critical security vulnerabilities
• Java classes are not obfuscated
• Any known problems with ActiveX or Signed applets ???
Demo I
Cshell.jar: CreatePackageURL, RunPackageAction
Demo I
Cshell.jar
Method RunCommand in Cpls.class
Demo I
Demo II
• Application testing and Fuzzing
• F5 FirePass – SSL VPN
Demo II
• Application testing and Fuzzing
• F5 FirePass – SSL VPN
• Problems – this time server side
• Any problems related to SQL queries and user input ?
Demo II
• SQL Injection is pretty old ..
• Concatenated SQL queries and user input ?
• File access rights for SQL schemas ?
• SUDO permissions for SQL users ?
Demo II
Demo III
• Application testing
• ASP.Net – Membership framework
• Part of the “Security Content Map”
• built-in - validate and store user credentials
• Microsoft way
Demo III
• Application testing and fuzzing
• Some ASP.Net application tests
Database column truncation vulnerability – tries to create duplicate users and elevate privileges …
Demo III
• Application testing and fuzzing
• Problems
• Passing data between different layers (“managed” vs “unmanaged”)
Demo III
• Membership framework - a closer look
FormsAuthentication: MakeTicketIntoBinaryBlob()
webengine4.dll: CookieAuthConstructTicket()
CopyStringToUnAlignedBuffer() copies a unicode string to some array
lstrlenW() determines the length of the unicode string using …
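The managed/unmanaged mismatch behind this slide, as an added C example that is not part of the original deck: a counted string (the way .NET stores a String, embedded NUL allowed) is handed to a layer that sizes it like lstrlenW does, so the two layers no longer agree on which username they hold. `nul_terminated_len`, `copy_via_nul_length` and `safe_for_nul_terminated_api` are assumed stand-ins, not the webengine4.dll routines, and the usernames are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* UTF-16 code unit: the storage unit of .NET strings and Win32 wide strings. */
typedef uint16_t wchar16;

/* Counted string, as the managed layer sees it: explicit length, embedded
 * NUL code units allowed. Like .NET, the buffer keeps a NUL after the counted
 * data so it can also be handed to a NUL-terminated API. */
typedef struct {
    const wchar16 *data;
    size_t len;
} counted_str;

/* Assumed stand-in for lstrlenW: counts code units up to the first NUL. */
static size_t nul_terminated_len(const wchar16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Managed-style equality: the full counted contents must match. A membership
 * lookup in the managed layer compares usernames this way. */
static bool counted_equals(counted_str a, counted_str b) {
    return a.len == b.len &&
           memcmp(a.data, b.data, a.len * sizeof(wchar16)) == 0;
}

/* Assumed model of a ticket builder that trusts lstrlenW: copies the string
 * into an unmanaged buffer and returns how many code units survived. */
static size_t copy_via_nul_length(wchar16 *dst, size_t cap, counted_str src) {
    size_t n = nul_terminated_len(src.data);
    if (n > cap) n = cap;
    memcpy(dst, src.data, n * sizeof(wchar16));
    return n;
}

/* Defensive check at the layer boundary: both layers agree on the string only
 * if no NUL appears inside the counted data. Reject the value otherwise. */
static bool safe_for_nul_terminated_api(counted_str s) {
    for (size_t i = 0; i < s.len; i++)
        if (s.data[i] == 0)
            return false;
    return true;
}

/* Constructed samples: "admin" (5 units) and "admin" NUL "x" (7 units).
 * The managed layer treats them as different users; lstrlenW sees "admin" twice. */
static const wchar16 ADMIN[] = { 'a', 'd', 'm', 'i', 'n', 0 };
static const wchar16 EMBEDDED_NUL[] = { 'a', 'd', 'm', 'i', 'n', 0, 'x', 0 };
static const counted_str ADMIN_STR = { ADMIN, 5 };
static const counted_str EMBEDDED_NUL_STR = { EMBEDDED_NUL, 7 };
```

The check belongs on the managed side, before the value reaches any routine that sizes strings by their terminator.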
Demo III
• Membership framework - not to forget
The membership framework creates a /Register.aspx context „out of the Box“ … even if you don’t want to.
Demo III
• Membership framework
Agenda
• Introduction
• Toxic Software and the Advanced Persistent Threat
• Trusted Software vendors and the “Erosion of trust”
• APTs on the rise
• How to find those little naughty 0 days for your personal APT
• Demonstrations
• Outlook
• QA
In one sentence …
Toxic Security Software products created by Software vendors are real and they are actively being used as a perfect and stealthy point of departure for the bad guys to carry out most successful targeted Attacks !
Outlook - future of targeted attacks
We will see random attacks .. but a good deal more targeted attacks against high profile organizations and companies soon!
Outlook - future of targeted attacks
• … only two things
Neither … nor …ing your most hated foreign countries will help You !
Outlook - future of targeted attacks
• … and
The war is not over yet …
Outlook - counter measures ?
• KISS
• Awareness
• Enforce warranty in terms of Information security from software vendors
○ If the vendor refuses .. change vendor
• Implement quality gates for new Software products
QA