Insecure Security Infrastructure

By Ericka Chickowski  |  Print this article Print

Black Hat has traditionally been where consultants, vendors and researchers gather to talk about new security vulnerabilities, exploits and hacking techniques. This year was no exception. Here are five big topics featured at this year's event.

Insecure Security Infrastructure

If you're one of McAfee's many channel partners, you probably remember all-too-painfully the false positive scuffle that left many a corporate PC inoperable. Besides leaving egg on the face of the security vendor, the McAfee incident served as a stern reminder to all that despite their advocacy, research and leadership in security, vendors in this space are far from invincible.

Researchers Ben Feinstein, Jeff Jarmoc and Dan King aired the industry's dirty laundry with a discussion that covered recently patched vulnerabilities in McAfee and Cisco products that were uncovered by King and Jarmac respectively. Of note was a brand new proof-of-concept man-in-the-middle attack against Cisco Adaptive Security Device Manage that assaults a vulnerability that Cisco just released a patch for in January.

"We've found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so," the speakers said in a statement prior to the show.

Besides the obvious recommendation of patching security products as soon as updates are available, they're also recommending the following:

  • make security infrastructure within scope during penetration testing and security assessment activities
  • include product security in your organization’s purchasing and product evaluation processes
  • deploy of security products in the role of compensating controls for potential vulnerabilities in other parts of your organization’s security infrastructure.

Nefarious Side of Social Networking

For at least a year now, security gurus have been lamenting the risks posed by social network sites such as Facebook and Twitter. But perhaps nothing has been quite so illuminating as the somewhat exotic-looking, but mild-mannered Robin Sage.

A cute brunette with blond highlights, Sage is smart, too -- a Cyber Security Analyst according to her Facebook, Twitter and LinkedIn profiles. Oh, yeah, and she's also a complete fabrication. Created out of whole cloth by Thomas Ryan of the firm Provide Security, the Robin Sage persona was developed to conduct an experiment on how much information high-ranking folks from Global 500 firms, the National Security Agency and the Department of Defense would give up to a total stranger who happened to be a part of their social networks.

The experiment showed that defense people gave out critical information about troop movements, that Ryan acting as Sage was able to obtain enough information to have been able to inappropriately access some people's e-mail and bank accounts and that many people violated security rules at their respective organizations.

While news had already hit the wire about the Sage experiment, Ryan used Black Hat as a springboard event to further expose the details of his experiment. The whole affair can serve as a concrete example for channel partners to present to customers when explaining the risks of unmanaged and unfettered use of social networks within business environs.