Apts and other stuff

APT s and other Stuff

PH days 2012

Version: 1.0
Author: Martin Eiszner
Responsible: Martin Eiszner
Date: 15.05.2012
Confidentiality: Public

Agenda

• Introduction
• Toxic Software and the Advanced persistence threat
• APT s on the rise
• Trusted Software vendors and the “Erosion of trust”
• How to find those little naughty 0 days for you personal APT
• Demonstrations
• Outlook

• QA

2 © 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved

SEC Consult– Who we are ...

• Specialized consultancy for
application security
• Headquarter near Vienna, Austria
Lithuania
• Offices in Austria, Germany, Canada
Germany

Lithuania, Singapore and Canada Austria Central and Easter Europe

• Delivery Centers in Austria,
India
Lithuania and Singapore
• Strong customer base in Central-
Singapore
and Eastern Europe
• Increasing customer base of
clients with global business
• Partner of Top 30 Software
vendors

SEC Consult Headquarter
SEC Consult Office
Other SEC Consult Clients

© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved

Martin Eiszner - Whoami
• Security consultant
• Chief technology officer
• quite some other interests …

SW Developer Reverser The Web Mobile devices ?

tries to find the perfect approach for identifying security vulnerabilities


Agenda

• Introduction
• Demonstrations
• Outook

• QA


Toxic Software and the APT
• What is Software ?


• Are there any problems with Software ?


• Toxic software is all about security vulnerabilities !

Who creates “vulnerabilities” and who bears its costs ?


• The “One way paradox”

When it comes to software there is only


• So what is Toxic software really ?
• and is there a cure ?

Toxic software contains severe security vulnerabilities with a
high probability to harm confidentiality, availability and
integrity of its owners assets.


• Advanced persistence threats ?

• What does an APT consist of

APT s are planned and orchestrated mostly illegal professional projects



• Attacker -
• Target -

• Methodology so far ….
• Phishing
• Spreading heavily tailored malware



• Spear phishing – the method of the trade ?

• There is always a better one ..


Agenda

• Introduction
• Demonstrations
• Outook

• QA


APT s on the rise
• Any examples ?

Stuxnet SCADA attack on nuclear powerplants
Mother of all APT s ?
… a security vendor ?

… wanna buy some stocks
BBC … the Iranian connection

The and and and ….


APT s on the rise
• Buzzword or the real thing ?


Agenda

• Introduction
• APT s on the rise r
• Demonstrations
• Outook

• QA


The “Erosion of trust” lifecycle for SW - Vendors

11st
st
Erosion of Erosion of
Trust suspicious
suspicious Rebuild Trusted
Trust - Trust - Trust Vendor
Bubble Customer
Customer Customer Market

Ok, there might be some I bought a
security issues with our software product
product but.. from a good
…the customer is not trusted vendor
The vendor did not
demanding additional
mention that the
security
product might be
insecure

Ok. This product is
secure. Next topic…
Customer

The customer is
satisfied with our
Software Vendor level of security



11st
st
Trust suspicious
Bubble Customer

Are there any security
We have not seen
vulnerabilities in this
any major customer
software?
complaints yet, so we
are in the clear… Let’s invest (some) money
and check with a trusted
security expert if
everything is o.k.

Software
Customer
Produkt Customer
Customer
Customer
Customer

Software Vendor



11st
st
Trust suspicious
Bubble Customer

It was not a cheap
Is the security expert lying product, how can this
We did the security crash or the vendor? happen?
test and it is a disaster! Gosh, I spent money I wish I never bought
on Quality Assurance that product/asked the
We will discover many the vendor should have security expert to
more security done... check it.
problems if we
continue our How should I now What shall I do, now I
It is not enough to fix analysis… explain my (past) have a problem that
the now identified commitment for this should be resolved by
problems. vendor to my boss? the vendor...

Software
Customer
Produkt



11st
st
Trust suspicious
Bubble Customer

We will fix the reported
issues and we have a
satisfied client again… The second audit (re-check)
shows further sever
Of course we will solve
vulnerabilities…
the problem…

They have not a clue
what problem they cause
for me personally...

Customer
Software
Produkt
Software Vendor



11st
st
Trust suspicious
Bubble Customer
This vendor product is of
interest for us! Customer
Customer

International
Security Experts We should find a 0-day Customer Custome
Custome
r
Custome
r
Custome
vulnerability, make a r
Custome
r
r

public security advisory Make an audit and
give me your
and an conference Customer
Customer
opinion...
Customer
presentation Custome
Custome
Customer r
Custome
r
Bad news is good Custome
r
Custome
r
r

news: Vendor is not Customer
Customer

Customer Customer

able to solve security
issues. Customer
Make an audit and
give me your
I will tell anybody my opinion...
opinion on that vendor
Press
If I am asked.. Customer
Software
Produkt



11st
st
Trust suspicious
Bubble Customer

Will somebody blame me
for choosing this insecure
vendor?
Damn! We have to do a They don’t know or they
product selection before don’t care. They just
we buy from this vendor. ignore the problem.

Customer

We’ll keep using this
product if we have to - but This vendor is on the
hold on, is there really no blacklist. Our
alternative? headquarters will not
Software accept insecure products.
Produkt



11st
st
Trust suspicious
Bubble Customer

• We are investing in secure development processes
• We are investing in awareness of all employees and
partners
• We will invest in trusted external security experts
• We will invest in our product security as a key
feature The are definite
• We are honest and alert our customers about improvements in
security issues product security, but…
• We know that this will continue
Will somebody blame me
for choosing this insecure
vendor?

Damn! We have to do a
product selection before we They don’t know or they
buy from this vendor. don’t care. Either way, they
ignore the problem.

Software
Produkt Customer
We’ll keep using this
product if we have to - but
hold on, is there really no This vendor is on the
alternative? blacklist. Our headquarter
Software Vendor will not accept insecure
products.



11st
st
Trust suspicious
Bubble Customer

• We are investing in secure development
processes
• We are investing in awareness of all employees
and partners
• We will invest in trusted external security experts
• We will invest in our product security as a key
feature
The are proactive in
• We are honest and alert our customers about
security issues They are not completely informing me about
• We know that this will continue
secure but will they solve the risks and involve
these problems for me. leading security
experts.

At least they manage this
risks and work hard to
make their products as
secure as possible.
Customer
Software
Software Vendor Produkt


0 days for your very personal APT
• Am I talking bull…. ?


Agenda

• Introduction
• Demonstrations
• Outook

• QA


• Methods for identifying … usable bugs in “Software products”
• Applicaton testing and Fuzzing
• Reverse engineering
• Sourcecode analyses
• Or just simple bye them on black markets …

• A short note on so called “security scanning” tools
• Just use your



• Dynamic and manual
testing based on
• Fault injection …



• Closed source
• Decompiling
• Disassembling …


• Source code analyses

• Closed source
• SSA tools
• Brainwork


• Any other methods for getting hands on 0 day s


Agenda

• Introduction
• Demonstrations
• Outook

• QA


Demos

• What would be the best target for a high profile APT ?


Demos
• Checkpoint – Client side remote command execution
Multiple Checkpoint appliances
CVE-2011-1827

• Fuzzing
• F5 Firepass – Remote command execution
F5 FirePass SSL VPN – Remote command execution
CVE-2012-1777

• Application testing
• Microsoft ASP.Net – Authentication bypass
Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of
Privilege (2638420)
CVE-2011-3416

Security sofware products will be the target of the trade ... soon !


Demo I

• SSL VPN appliances (Connectra / Security Gateway)
• SNX, SecureWorkSpace and
Endpoint Security On-Demand

• Patented light weight “security solution”
• Comes in 2 flavors
• ActiveX
• Signed JavaApplets


Demo I

• Problem
• Programs are flawed with several critical security vulnerabilities
• Java classes are not obfuscated

• Any known problems with ActiveX or Signed applets ???


Demo I
Cshell.jar

CreatePackageURL

RunPackageAction


Demo I
Cshell.jar

Method RunCommand in Cpls.class


Demo I


Demo II
• F5 Firepass – SSL VPN


Demo II
• F5 Firepass – SSL VPN

• Problems – this time server side
• Any problems related to SQL queries and user input ?


Demo II
• SQL Injection is pretty old ..

• Concatenated SQL queries and user input ?
• File access rights for SQL schemas ?
• SUDO permissions for SQL users ?


Demo II


Demo III
• Application testing
• ASP.Net – Membership framework
• Part of the “Security Content Map”

• built-in - validate and
store user credentials
• Microsoft way


Demo III
• Application testing and fuzzing
• Some ASP.Net applicaton test

Database column truncation – vulnerabiliy

tries to create duplicate users and elevate privilges …


Demo III
• Application testing and fuzzing
• Problems
• Passing data between different
layers ( “managed” vs “unmanaged”)


Demo III
• Membership framework - a closer look

FormsAuthentication
MakeTicketIntoBinaryBlob()

webengine4.dll
CookieAuthConstructTicket()

CopyStringToUnAlingnedBuffer()
copies a unicode string to some array
lstrlenW()
determines the length of the unicode string using


Demo III
• Membership framework - not to forget

The membership framwork creates an
/Register.aspx
context „out of the Box“

… even if you dont want to.


Demo III
• Membership framework


Agenda

• Introduction
• Demonstrations
• Outlook

• QA


In one sentence …

Toxic Security Softwareproducts created
by Software vendors are real and they
are actively being used as a perfect and
stealth Point of departure for the bad
guys to carry out most successful
targeted Attacks !


Oulook - future of targeted attacks
We will see random attacks ..

but a good deal more targeted attacks against
high profile
organizations and
companies soon!


• … only two things

Neither

nor
ing your most hated foreign
countries will help You !


• … and

The war is not over yet …


Oulook - counter measures ?
• KISS
• Awareness
• Enforce warranty in terms of Information security from software
vendors
○ If the vendor refuses .. change vendor
• Implement quality gates for new Software product


QA


Apts and other stuff

More Related Content

Similar to Apts and other stuff (20)

More from Positive Hack Days (20)

Recently uploaded (20)

Apts and other stuff