Insecure Security Infrastructure

By Ericka Chickowski

Security researchers, consultants and vendors gathered in Las Vegas last week for the annual Black Hat conference. While the RSA Security Conference each spring may be the biggest security gathering of the year, some may argue that the summertime Black Hat conference is where the most important security thought leadership announcements and discoveries are made each year. Unlike RSA, Black Hat isn't a conference for flashy product announcements--instead, researchers get together to disclose newly discovered vulnerabilities, exploits and hacking techniques that can have a big impact on any channel partner's customer base.

Even if you or your on-the-ground technical didn’t the show, there’s a lot of important information to glean from what happened there.

Are Your Routers Pwned?

According to researcher Craig Heffner, millions of routers worldwide could be vulnerable to attack using an attack technique called DNS rebinding. Highlighted by Dan Kaminsky's wave-making presentation at Black Hat a couple of years ago and around for more than a decade, DNS rebinding is hardly new. The attack is made possible by the nature of the Domain Naming Service, which allows site administrators to balance traffic to a single site through numerous IP addresses. This 'feature' of DNS is also a flaw, allowing attackers to tinker with IP addresses and hijack browsers of unsuspecting users.

Heffner says he was able to use DNS rebinding to create a malicious site that routes visitors to their home network's IP address and enables the site owner to hijack their browser and obtain access to visitors' router settings. The groundbreaking part of his attack technique is that it circumvents current DNS rebinding protections achieved by browser patches and tools such as OpenDNS and the Firefox NoScript plug-in.

"It just hasn't been put together like this before," Heffner told Forbes magazine about his new spin on DNS rebinding.

Heffner says that he's tested 30 router models popular in the home and SMB networking market so far and more than half are vulnerable to his attack. He'll reveal the technical details behind the attack at his presentation at Black Hat and publicly release a tool that can automate his attack methods. His facts bear at least a second glance by channel partners responsible for securing their customer's network infrastructure--particularly those SMB customers likely to use the type of home routers Heffner tested during his research. Not only is the tool valuable for penetration testing, but his announcement provides more incentive for partners to review the login information of routers under their care, as changing default settings can often mitigate a lot of the risk from such an attack, according to Heffner.

Mobile Mania

The explosion of mobile apps touching sensitive stores of data, combined with the ubiquitous connectivity of high-speed mobile telecommunications network makes mobile security research intriguing to hackers of black, white and grey hat varieties.

"In order for (mobile) applications to do great things, they have to access sensitive information, they have to be able to interact with the phone," says Kevin Mahaffey of Lookout, a mobile security vendor.

Drive-by-Download Overdrive

Your clients' users might not know it, but without any protections they are susceptible to malicious downloads simply by visiting infected sites or looking at infected HTML-enabled e-mail.  This so-called drive-by download attack is changing the face of Web security as we know it.

Even though many security companies have reacted swiftly to detect and deter drive-by downloads, the game of cat-and-mouse between malicious hackers and researchers plays on. Black Hat will play host to the announcement of "some very advanced techniques that (are) almost impossible to overcome by automated analysis in the past, now, and in the future," according to Wayne Huang and Caleb Sima, who will present the findings of their recent project.

Huang and Sima are releasing a new drive-by download attack framework, Drivesploit, built on top of the popular Metasploit framework.

Insecure Security Infrastructure

If you're one of McAfee's many channel partners, you probably remember all-too-painfully the false positive scuffle that left many a corporate PC inoperable. Besides leaving egg on the face of the security vendor, the McAfee incident served as a stern reminder to all that despite their advocacy, research and leadership in security, vendors in this space are far from invincible.

Researchers Ben Feinstein, Jeff Jarmoc and Dan King aired the industry's dirty laundry with a discussion that covered recently patched vulnerabilities in McAfee and Cisco products that were uncovered by King and Jarmac respectively. Of note was a brand new proof-of-concept man-in-the-middle attack against Cisco Adaptive Security Device Manage that assaults a vulnerability that Cisco just released a patch for in January.

"We've found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so," the speakers said in a statement prior to the show.

Besides the obvious recommendation of patching security products as soon as updates are available, they're also recommending the following:

  • make security infrastructure within scope during penetration testing and security assessment activities
  • include product security in your organization’s purchasing and product evaluation processes
  • deploy of security products in the role of compensating controls for potential vulnerabilities in other parts of your organization’s security infrastructure.

Nefarious Side of Social Networking

For at least a year now, security gurus have been lamenting the risks posed by social network sites such as Facebook and Twitter. But perhaps nothing has been quite so illuminating as the somewhat exotic-looking, but mild-mannered Robin Sage.

A cute brunette with blond highlights, Sage is smart, too -- a Cyber Security Analyst according to her Facebook, Twitter and LinkedIn profiles. Oh, yeah, and she's also a complete fabrication. Created out of whole cloth by Thomas Ryan of the firm Provide Security, the Robin Sage persona was developed to conduct an experiment on how much information high-ranking folks from Global 500 firms, the National Security Agency and the Department of Defense would give up to a total stranger who happened to be a part of their social networks.

The experiment showed that defense people gave out critical information about troop movements, that Ryan acting as Sage was able to obtain enough information to have been able to inappropriately access some people's e-mail and bank accounts and that many people violated security rules at their respective organizations.

While news had already hit the wire about the Sage experiment, Ryan used Black Hat as a springboard event to further expose the details of his experiment. The whole affair can serve as a concrete example for channel partners to present to customers when explaining the risks of unmanaged and unfettered use of social networks within business environs.

This article was originally published on 2010-08-03