Black Hat Asia 2015

I have always wanted to attend a Black Hat conference ever since i heard about it 10 years ago, the time when i was interested in security and hacking. However, due to the steep price in the tickets to attend, i've never been able to afford myself a ticket. Imagine a 2 days conference cost between $1800 to $2000. 

So when I was told that Codenomicon is going to have a booth in Black Hat Asia and i will be involved in it...i was ecstatic and happy! I never would have imagined myself being in one of the most talked conferences in the world especially knowing Black Hat's presence in Asia, USA and Europe. 

So we came on the day before the conference to set up the booth and in the back of my head i just couldnt wait for the real thing to happen - the event itself. 

Our booth was situated in the Business Hall room and there were other companies including Tripwire, Cisco, Qualys, Tenable, Vectra and Logrhythm. There were also another business hall room which has another set of companies and organizations including ISC(2), OWASP and etc. 

While the event starts at 9am (keynote), the Business Hall is supposed to start at 10am. However, at 9.30am, people started coming in and visiting the booths. Lucky for me, i was there early to get things ready...plugged in my laptop and prep the demos for Codenomicon's products. 

I had the opportunity to attend the briefing as i was holding the briefing pass and listened to some talks. While the topics were interesting, the delivery of the topic was not as enthusiastic as i was expecting. And i was even surprised by the attendance as it wasn't a full house (unlike most conferences i attended in the past). The set up of the stage was great, similar like the one in DefCamp (Romania) where i spoke at last year. 

But despite certain level of expectations not being met, the best part of the event was the networking session, where i got to meet ex-colleagues, fellow hackers from India, friends from LinkedIn, security enthusiasts from all over the world. It was the best experience of the 2 days event.

Overall, i had fun. After speaking to some of my friends who have attended the event in Vegas and Europe, according to them, the ones there, are 10 to 20 times bigger than here. Wow! That was my expression! How big could it be there! And I am sure will make it a point to attend them one day! 

The Codenomicon Team 

Null Singapore Security Meet Up - March

I received a tweet from an Indian friend of mine Ajin Abraham asking me to check out a 'mini-con' called Null Singapore. As i was travelling during the period of the first meet up, i said i'll be attending the one in March instead.

It was pretty interesting to attend this small group of security enthusiasts and i thought i need to check out the atmosphere there as well. So a week before 19th March, i shared this meetup to my Facebook group 'Singapore Cyber Security Enthusiasts' where i share latest security articles, news and conferences in Singapore or overseas. It wasn't a bad response, about 4 signed up for the meetup.

On the 19th March, we set foot for the meetup. Located at Craig Road, and fortunately 5 mins away from my office and 10 mins away from Tanjong Pagar MRT Station, it was quite a convenient location (well at least for me). When we reached the place, we saw an empty office from the front and there were no signs to say 'Go here for Null Singapore' or anything to direct us. Well, it was not a big deal, the entrance was on the side of the building, opposite the street soccer court and it was at level 2. 

When we reached inside, the room was silent and there were already people sitting. My first though was, will there be enough seats. Well fortunately, despite the full house, everyone managed to be seated either at the sofa area or the foldable chairs. 

Started with the newsbytes by Suman Sourav sharing the latest news in the security world, from the Lenovo malware to the Carbanak Cyber gang that infiltrated the banks and stole over $1Bn. 

Suman Sourav sharing the latest news

Next was Randen Rosete who shared about the IoT (Internet of Things) and the mistakes made by developers for not properly securing the APIs that in some or many cases leave the default passwords in clear text giving a hacker the ability to intercept and create exploits easily. 

Randen Rosete and the problems with IoT

Lastly, we had a sharing session about infrastructure security by Sriram Narayanan discussing on the mistakes made, the impact of the mistakes and how it was resolved and finding the root cause of the issue. 

Sriram Narayanan on the mistakes made and lessons learned in Infrastructure security

Another 'last minute' event was the 'ice breaking' event, suggested by Paul Craig from Vantage Point security, a company specializing in Vulnerability Assessment and Penetration Testing where we all gave a brief introduction of ourselves at the end of the meetup. 

I have to say, this is a small but great atmosphere with security enthusiasts from various fields such as software engineering, application security, infrastructure, networking, threat intelligence, VA/PT and others. 

I am definitely looking forward to visit again next month.

For more information on Null Singapore Meetup: 

http://www.meetup.com/Null-Singapore-The-Open-Security-Community/

FB Group 'Singapore Cyber Security Enthusiasts': 

https://www.facebook.com/groups/236102096567858/

Dissecting Third Party Application Policy & Process – Finding the Missing Link

Abstract

"On average over 70% of IT Security budget is spent on Infrastructure, yet over 75% of attacks happen at the Application level." - Rob Labbe (Microsoft SDLC for IT)

POODLE, HeartBleed and ShellShock. If there’s something to be learned from these vulnerabilities is that they came from the applications side of things rather than network. As the above quote states, organizations spend bulk of the budget in securing the infrastructure yet majority of the attacks happen at the application level. Top organizations follow best practices and comply to standards such as ISO 27*, NIST and many other frameworks yet recent news have shown that despite all that, organizations keep falling victims to hackers. Are we doing enough to protect our systems? What have we done to ensure that our applications residing in our systems now are not filled with holes waiting to be exploited? How well do we ensure that our installed applications, be it in-house or third party software are soundly checked before deployment? Do organizations have the proper process when it comes to installation of third party software? This paper will explore at two of the big organizations on how their policies and processes play a part when it comes to third party applications into corporate systems and what could possibly be the missing link that could potentially stop the change of a secure corporate system to a gateway of heaven for hackers.

Background

"As a house is only as strong as its foundation, it's no wonder cyber attacks are on the rise with reports showing 71 percent of software contains components with critical vulnerabilities," – Rep Royce (http://royce.house.gov/)

In my experience as a security consultant and an ethical hacker, my primary role was to perform vulnerability assessment and penetration testing to clients ranging from servers, web applications, network and even workstations. Some organizations were repeated customers and that allowed me to observe on the changes and remediation made towards the vulnerabilities found via previous assessments reports. Most of the vulnerabilities found during my experience were those assessments done on workstations. It was quite surprising and at the same time shocking to see the kinds of vulnerabilities found on these workstations. Much of these vulnerabilities found were mainly from third party applications such as torrent clients, FTP clients and servers, databases and many more. These observations made me wonder on how these users were allowed to install such applications and whether or not proper processes exist to monitor, verify and validate these applications before being given the permit to install on corporate systems.

The Interview

To find out about how third party applications are being installed on the machines, 2 personnel were being interviewed from two different organizations. One is from a global bank and another from a government agency. Two basic questions were asked: 1) Are end users allowed to install 3^rd party applications? 2) What is the process involved for this? Below are the case studies.

Case Study 1 – A Bank’s Security Manager

Me: “So I understand that 3^rd party applications can be installed on end users machine. Is that true”

BSM: “Depending on the type of users. Usually they are not allowed to install, however, some users, if they need to install will have to request for it.”

Me: “Walk me through this process.”

BSM: “Well, we have a form that user needs to fill in and it will be submitted to the relevant department for clearance and approval. Once approved, a member of the IT team will install it for the user.”

Me: “Are the users allowed to install themselves?”

BSM: “No. Because they have limited privileges and only an IT personnel have the proper rights to install it for them.”

Me: “So who will provide the binary for the installation? The user or the IT team?”

BSM: “The user”

Me: “Are there any security checks involved before the installation?”

BSM: “At most, we will scan it against the AV scanner and ensure its not infected.”

The Process in Graphic

Case Study 2 – A Government CIO

Me: “So I understand that 3^rd party applications can be installed on end users machine. Is that true”

GCIO: “Depending on the type of users. Usually they are not allowed to install, however, some users, if they need to install will have to request for it”.

Me: “Walk me through this process.”

GCIO: “The user will have to log a ticket with the helpdesk using a remedy system. The user will have to write down the reason for this request and why is it necessary to be installed in the machine. This will then be approved by their department’s manager to confirm if such request is necessary. Once approved, the request will then be submitted to another level of management. The application will be downloaded by the relevant IT team and installation and proper packaging is involved before installation. Once its packaged, it will then be committed into the SCCM and will be pushed to the users requested. The installation will commence without the need for user to have system privileges”.

Me: “Are there any security checks involved before the packaging”

GCIO: “Yes. Our packaging team in the development lab is equipped with endpoint protection systems and it is a standard to have new application be scanned by the AV/AS before packaging.”

The Process in Graphic

Findings

As we can see from the above 2 case studies, in both situations, proper privileges are enforced and users has the possibility to install third party applications if approved. In terms of security, in both cases, there were only relying on scanning the applications for infections or malware. There was no process or effort to check for vulnerabilities in the applications at all.

Potential Issues and Impact

Based on the two case studies, we can see that there are no proper checks to ensure that the applications are not vulnerable before deploying or installing them onto the user’s machines. As Anti Virus or Anti Malware products do not detect vulnerable libraries used in these applications, these installed applications can be a gateway to hacker’s heaven. If we look at previous hacking related events, the systems that were compromised were not the servers but were started from the end users machines before pivoting to another and eventually compromising the entire network.

Challenges in Vulnerability Scanners

In most, if not all policies and standards require a section that concentrates on the need for organizations to perform vulnerability assessments which include vulnerability scanning of a network or a system. According to Qualys, (https://community.qualys.com/docs/DOC-1068) a typical vulnerability scanning processes in the following manner:

1) Check if the remote host is alive

2) Detecting if the host is behind a firewall

3) Scans for TCP/UDP ports

4)  Scans and Detects for Operating System

5) Discover services through the TCP/UDP ports

6) Checks version of the services and detects if it is a known vulnerability

While vulnerability scannings detect vulnerabilities and are practiced in most organizations, we need to understand that most of these scanners are able to detect for known vulnerabilities based on the version of the services detected. These scanners, however, do not detect for vulnerable libraries/components inside an application/binary.

Binary Analysis via Codenomicon’s Appcheck

AppCheck brings total visibility to the digital assets that organizations of all sizes regularly use to build and expand their digital infrastructure. Leaving no stone unturned and no component unchecked, AppCheck performs a patent-pending, non-destructive static binary analysis on your digital assets to provide a comprehensive and up-to-date bill of materials (BOM). With AppCheck, you gain unprecedented situational awareness and visibility to the risk posture an organization.

The following image is an example of a popular firewall system manager of a vendor whose firmware was publicly available and downloaded. Upon uploading the binary to AppCheck, we can see the number of 3^rd party components being used in this application and how many components are vulnerable.

AppCheck’s dashboard showing the components, vulnerabilities and component licenses.

AppCheck listing the list of 3^rd party components and the number of vulnerabilities associated to each component.

AppCheck listing the libraries using the vulnerable component as well as the CVE number and CVSS score for the vulnerabilities associated with the vulnerable component.

Compromise despite Compliance

Past reports have clearly shown that even companies from the fortune 500, despite its maturity and compliance to standards and/or following best practices were compromised affecting its customers, its brand and its reputation and costs. With so many analyses on how these hacks were done, from the exploitation of vulnerable application, the holes in the network to cyber espionage caused from disgruntled employees to political causes. If there is one thing that we can learn is that there are more things that need to be done when it comes to cyber security.

Solution

As shown, performing just vulnerability scanning as part of the assessment or management is insufficient. Organizations need to relook at its policies and processes to ensure that proper security checks are done both in the form of checking for malware and vulnerabilities in the form of binary extraction and analysis. As organizations do not have the source codes for these 3^rd party applications, analyzing from that angle will be almost impossible, however it has been shown that analyzing in its binary form is possible, extracting the package and reviewing the libraries used giving organizations the capability to identify the vulnerabilities in its libraries thereby allowing them to understand the risks involved before installing on to their systems.

Enhancing Desktop Application Software Policy

With the current policies only look for malwares and scanning against existing Anti Virus applications before installing on corporate machines, security managers must understand that this is not enough as much of applications that are being infiltrated are not through malware but through vulnerable components inside the application that are not malicious at all. AppCheck allow organizations to have the transparency of the inside of the binary, ability to view the components and understanding the risks involved before deploying or installing them to corporate machines.

The Process in Graphic

Conclusion

With thousands of applications being developed and uploaded online every day, it is time for organizations to relook at its current vulnerability management policies and processes. Just like the history of weaponry, with every evolvement of defense, so do to the evolvement of attacks. Traditional security of securing from the perimeter is no longer enough. If there’s one thing we can learn about the Trojan Horse of Troy is that the perimeter defense will eventually be breached and if there’s no proper strategy to handle and manage what’s inside the walls, then we, unfortunately will lose the war.