Sunday, August 15, 2010

My Ruxcon paper has been accepted


Just a quick update to post that my talk for Ruxcon 2010 has been accepted. For anyone unfamiliar with Ruxcon, it is the premier technical security conference in Australia. For more information click here.

I've been to Ruxcon for several years now, going back to 2004. I can honestly say that for depth of content, value for money and international standing, compared to other conferences it is unparalleled. The fact that it is in my home town of Melbourne this year is just a bonus.

For anyone who has heard of this conference and is thinking of going but undecided, or who has never been but is curious: I strongly urge you to attend. In particular, if you are a security consultant, penetration tester or security manager/security lead within an organisation, I strongly urge you to attend my talk, as I think you will come away with something new.


- J.

Wednesday, August 11, 2010

Learnings from Black Hat/Defcon

I have finally returned from Las Vegas and have had time to recover from jetlag as well as digest events at Black Hat and Defcon. At work we will be doing a presentation on this for our clients, adding our own takeaway message and making it specific and meaningful for the Aussie market.

Without spoiling that, I will post on some of the things I saw and my own thoughts.

In essence, the goal posts are shifting. The ubiquity of smart phones, mobile devices, gaming consoles, etc. and encroaching Internet connectivity to every device with a microprocessor means that all these devices are going to be targeted. Proof-of-concept exploits were shown for the iPhone (which got an utter drubbing), Android, Wii, Nintendo DS, and more. Also, home/SMB routers are now proving to be very viable targets for exploitation and information gathering.

Restricting access to social networking, and to the information on it, is becoming less and less possible as using it increasingly becomes a decision about whether one chooses to participate in society (as Moxie Marlinspike so eloquently put it). I am really pleased to see this talk do the rounds. Applications that we use within these environments (and the social networking sites themselves) simply cannot be trusted. Site owners simply do not perform sufficient checking and audits of code prior to use on the site, and there are easily multiple ways to exploit trust relationships as well as lax technical controls to abuse the system.

Attack tools are becoming increasingly commoditised. This is, and has always been, the case for as long as I can remember. But just seeing the number of Metasploit plug-ins that are becoming available really blew my mind: Drivesploit, the Social-Engineer Toolkit, PowerShell and more.

While we have known about this for quite some time (nothing I've said above is really altogether new), it was very illuminating to see so many people thinking along the same lines, and it gives an indication of the prevalence of current attack taxonomies as well as future trends. While it doesn't take a rocket scientist with a magic 8 ball to figure out where it's going (it seems some random with an Internet connection can), I'm pleased (?) to see that I'm not far off the mark.

I've frequently grumbled in my Wall of Shame series about security failures, but what really hit me, particularly when I spoke to other security professionals, is just how far ahead many US companies are with their security. Granted, they are already in a much more regulated environment, and many of the basics I've grumbled about in my Wall of Shame series are not resolved there per se, but it is clear they are much further along the road to maturity than we are here in Australia.

I've had some discussions with a few people in the industry about this, but my honest belief is that we are behind because of our cultural attitudes. To add to my earlier predictions, I believe this means we are going to become increasingly a target for organised crime, malware authors, hackers, and the like. While it's old news that the Russians prefer targeting Australian banks, we haven't seen anything targeted on that sort of scale (apart from card skimming and ATM fraud). People talk about a 'Digital Pearl Harbour' and while there are skeptics, it doesn't take a mathematician to realise that this will probably happen at some point. Sadly, it will take an event of this magnitude to really change things here in Australia. And unless it does happen on our (virtual) shores, then I doubt anyone in this country will really pay attention.

I guess I find it somewhat scary.

The fact is we're not ready. Defcon and Black Hat really highlighted just where this is going. I think I always knew, and my earlier forecasts were an indication of the writing on the wall. But seeing the exploits, proof of concepts and software all in the public domain really highlighted that it is becoming easier and easier to compromise systems and steal data, all the while becoming increasingly more costly and difficult to secure the information. (I would have said the same six years ago, however.)

Plus ça change, plus c’est la même chose.

Of course, at every security conference it's easy to say it's all doom and gloom; they're all in the business of dispensing FUD, it seems. That doesn't mean we shouldn't take it seriously. It does mean, however, that we need to lift our game.

It's time for Australia to really pull its socks up.

Here's a quick brain dump on defensive strategies that I see must be deployed today:
  • Solve the patching problem (if you haven't solved this, then you fail by default);
  • Fix basic config issues and password weakness (for God's sake, it's easy enough);
  • Lock down applications on the desktop. Rely on an SSOE where you can, and focus heavily on application whitelisting and malware analysis tools with heuristic/behavioural analysis capability;
  • Re-consider admin access to security devices and networking devices (do you have a separate management network? two-factor authentication?);
  • Consider how you deal with social media in the workplace (personally I'm in favor of banning it in the workplace, but I recognise this isn't a popular choice). Whatever you decide, have a strategy and a policy to match;
  • Start focusing on social engineering as a testing and training element for security (we've known this for ages, but too many ignore this). Include these elements in your pentests.
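As an added illustration of what "application whitelisting on an SSOE" looks like in practice (this is not from the original post), here is a PowerShell sketch using Windows AppLocker, which ships with Windows 7 / Server 2008 R2 and later. It builds rules from a clean reference build, runs them in audit mode first, and only then enforces. The directories and output paths are assumptions for the example.

```powershell
# Added example: build an AppLocker executable whitelist from a known-good
# reference build and verify it before enforcing. Run as an administrator.
# Directory and output paths below are assumptions for illustration only.
Import-Module AppLocker

# AppLocker only enforces when the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory executables on the clean SOE image. Every binary found here
#    becomes "known good"; anything else is denied by the default rules.
$refDirs  = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = $refDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe
}

# 2. Prefer publisher (signature) rules, falling back to hash rules for
#    unsigned binaries. -Optimize collapses rules that share a publisher.
$auditPolicy = 'C:\Temp\applocker-audit.xml'
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix SOE -Optimize -Xml |
    Out-File -Encoding UTF8 $auditPolicy

# 3. Switch the generated collection to audit-only. Executions that would be
#    blocked are logged under Applications and Services Logs > Microsoft >
#    Windows > AppLocker instead of breaking users on day one.
(Get-Content $auditPolicy) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content $auditPolicy
Set-AppLockerPolicy -XmlPolicy $auditPolicy

# 4. Dry-run the policy against a binary in a user-writable location (the
#    usual malware drop path). Copying a signed Windows binary there shows the
#    caveat of publisher rules: a trusted signer is allowed regardless of path,
#    whereas an unsigned drop-in is denied by the default rule.
$dropped = Join-Path $env:TEMP 'calc-copy.exe'
Copy-Item "$env:WINDIR\System32\calc.exe" $dropped -Force
Test-AppLockerPolicy -XmlPolicy $auditPolicy -Path $dropped -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. When the audit log has been quiet for long enough, flip to enforcement.
$enforcePolicy = 'C:\Temp\applocker-enforce.xml'
(Get-Content $auditPolicy) -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"' |
    Set-Content $enforcePolicy
# Set-AppLockerPolicy -XmlPolicy $enforcePolicy   # uncomment to enforce
```

The important operational point is step 3: going straight to enforcement on a desktop fleet generates a helpdesk flood, while an audit period tells you exactly which line-of-business binaries the reference build missed. Step 4 also shows why a whitelist built from publisher rules alone is not a path lockdown; review the generated rules for overly broad publisher matches before enforcing.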

- J.