Wednesday, August 11, 2010

Learnings from Black Hat/Defcon

I have finally returned from Las Vegas and had time to recover from jetlag as well as digest events at Black Hat and Defcon. At work we will be doing a presentation on this for our clients and we will be putting our own takeaway message and making it specific and meaningful for the Aussie market.

Without spoiling that, I will post on some of the things I saw and my own thoughts.

In essence, the goal posts are shifting. The ubiquity of smart phones, mobile devices, gaming consoles, etc. and the encroaching Internet connectivity of every device with a microprocessor means that all these devices are going to be targeted. Proof-of-concept exploits were shown for the iPhone (which got an utter drumming), Android, Wii, Nintendo DS, and more. Also, home/SMB routers are now proving to be very viable targets for exploitation and information gathering.

Social networking, and the ability to restrict access to it as well as to the information on it, is becoming less of a possibility as it becomes increasingly a decision about whether one chooses to participate in society (as Moxie Marlinspike so eloquently put it). I am really pleased to see this talk do the rounds. Applications that we use within these environments (and the social networking sites themselves) simply cannot be trusted. Site owners simply do not perform sufficient checking and audits of code prior to use on the site, and easily enough there are multiple methods one can use to exploit trust relationships as well as lax technical controls to abuse the system.

Attack tools are becoming increasingly commoditised. This is, and has always been, the case for as long as I can remember. But just seeing the number of Metasploit plug-ins that are becoming available really blew my mind. Drivesploit, the Social Engineering Tool-Kit, PowerShell and more.

While we have known about this for quite some time (nothing I've said above is really altogether new), it was very illuminating to see so many people thinking along the same lines, and it gives an indication of the prevalence of current attack taxonomies as well as future trends. While it doesn't take a rocket scientist with a magic 8 ball to figure out where it's going (it seems some random with an Internet connection can), I'm pleased (?) to see that I'm not far off the mark.

I've frequently grumbled in my Wall of Shame series about security failures, but what really hit me - particularly when I spoke to other security professionals - is just how far ahead many US companies are with their security. Granted, they are already in a much more regulated environment, but on many of the basics I've grumbled about in my Wall of Shame series - while they are not resolved per se - it is clear they are much further along the road to maturity than we are here in Australia.

I've had some discussions with a few people in the industry about this, but my honest belief is that we are behind because of our cultural attitudes. To add to my earlier predictions, I believe this means we are going to become increasingly a target for organised crime, malware authors, hackers, and the like. While it's old news that the Russians prefer targeting Australian banks, we haven't seen anything targeted on that sort of scale (apart from card skimming and ATM fraud). People talk about a 'Digital Pearl Harbour' and, while there are skeptics, it doesn't take a mathematician to realise that this will probably happen at some point. Sadly, it will take an event of this magnitude to really change things here in Australia. And unless it does happen on our (virtual) shores, I doubt anyone in this country will really pay attention.

I guess I find it somewhat scary.

The fact is we're not ready. Defcon and Black Hat really highlighted just where this is going. I think I always knew, and my earlier forecasts were an indication of the writing on the wall. But seeing the exploits, proof of concepts and software all in the public domain really highlighted that it is becoming easier and easier to compromise systems and steal data, all the while becoming increasingly more costly and difficult to secure the information. (I would have said the same six years ago, however.)

Plus ça change, plus c’est la même chose.

Of course, at every security conference it's easy to say it's all doom and gloom - they're all in the business of dispensing FUD, it seems. That doesn't mean, however, that we shouldn't take it seriously; it does mean we need to lift our game.

It's time for Australia to really pull its socks up.

Here's a quick brain dump on defensive strategies that I see must be deployed today:
  • Solve the patching problem (if you haven't solved this, then you fail by default);
  • Basic config issues + password weakness (fix this for God's sake, it's easy enough);
  • Lock down applications on the desktop. Rely on an SSOE where you can, focus heavily on application whitelisting and malware analysis tools with heuristic/behavioural analysis capability;
  • Reconsider admin access to security devices and networking devices (do you have a separate management network? two-factor authentication?);
  • Consider how you deal with social media in the workplace (personally I'm in favour of banning it in the workplace, but I recognise this isn't a popular choice). Whatever you decide, have a strategy and a policy to match;
  • Start focusing on social engineering as a testing and training element for security (we've known this for ages but too many ignore this). Include these elements in your pentests.
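As an added illustration of the first, second and fourth points above (not code from the original post), here is a small hygiene audit in Python over a constructed asset inventory. It flags hosts whose last patch is older than a threshold, accounts with weak passwords, and network/security devices whose admin access is not on a dedicated management network or lacks two-factor authentication. The inventory format, the 60-day patch threshold, the `10.254.` management prefix and the common-password list are all assumptions for the example; in practice the data would come from a CMDB or configuration export, and password checks would run against policy data or hashes rather than clear-text values.

```python
"""Added example: a configuration-hygiene audit over a constructed inventory.
Not the blog author's code; the data layout and thresholds are assumptions."""
from datetime import date

# Constructed sample inventory (assumption: this is what a CMDB export looks like).
# Clear-text passwords appear only because the data is contrived.
INVENTORY = [
    {"host": "fw-edge-01", "role": "firewall", "last_patched": "2010-02-03",
     "mgmt_iface": "10.0.0.5", "mfa": False,
     "accounts": [{"user": "admin", "password": "admin"}]},
    {"host": "rtr-core-01", "role": "router", "last_patched": "2010-07-20",
     "mgmt_iface": "10.254.1.2", "mfa": True,
     "accounts": [{"user": "netops", "password": "Correct-Horse-Battery-2010"}]},
    {"host": "ws-finance-07", "role": "workstation", "last_patched": "2010-08-01",
     "accounts": [{"user": "jsmith", "password": "jsmith2010"}]},
]

AUDIT_DATE = date(2010, 8, 11)          # date of the post, used as "today"
MAX_PATCH_AGE_DAYS = 60                 # assumed policy threshold
MGMT_NETWORK_PREFIX = "10.254."         # assumed dedicated management network
INFRA_ROLES = {"firewall", "router", "switch", "ids"}
COMMON_PASSWORDS = {"password", "admin", "123456", "letmein", "welcome"}


def patch_age_days(last_patched, today):
    """Days since the host was last patched (ISO date string in, int out)."""
    return (today - date.fromisoformat(last_patched)).days


def password_findings(user, password):
    """Return a list of reasons a password is weak; empty list if none apply."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("in common-password list")
    if user.lower() in password.lower():
        issues.append("contains username")
    if password.isalpha() or password.isdigit():
        issues.append("single character class")
    return issues


def audit(inventory, today):
    """Walk the inventory and return one finding dict per problem found."""
    findings = []
    for asset in inventory:
        host = asset["host"]
        age = patch_age_days(asset["last_patched"], today)
        if age > MAX_PATCH_AGE_DAYS:
            findings.append({"host": host, "item": "patching",
                             "detail": "last patched %d days ago" % age})
        for acct in asset["accounts"]:
            for issue in password_findings(acct["user"], acct["password"]):
                findings.append({"host": host, "item": "password",
                                 "detail": "%s: %s" % (acct["user"], issue)})
        # Admin-access checks only apply to security and networking devices.
        if asset["role"] in INFRA_ROLES:
            if not asset.get("mgmt_iface", "").startswith(MGMT_NETWORK_PREFIX):
                findings.append({"host": host, "item": "admin-access",
                                 "detail": "management interface not on dedicated management network"})
            if not asset.get("mfa", False):
                findings.append({"host": host, "item": "admin-access",
                                 "detail": "no two-factor authentication for admin access"})
    return findings


def summarise(findings):
    """Count findings per category, e.g. {'patching': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["item"]] = counts.get(f["item"], 0) + 1
    return counts


def run_sample_audit():
    """Run the audit over the constructed inventory as of the post's date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    results = run_sample_audit()
    for f in results:
        print("%-14s %-13s %s" % (f["host"], f["item"], f["detail"]))
    print(summarise(results))
```

The output is a flat list of findings, which is the form most useful for tracking remediation: each line names a host, which brain-dump item it falls under, and what to fix. Hosts that pass every check (the core router in the sample) produce nothing, so the report stays focused on the gaps.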

- J.

3 comments:

Drazen Drazic said...

All that and those "unknowns"...categorised on so many levels; from an organisational perspective and from the other attack side.

Christian said...

I'm surprised you would recommend a blanket ban on socmedia ;)

"The issue's not whether you're paranoid, the issue is whether you're paranoid enough."

Jarrod said...

In the workplace, I just don't see a legitimate need for it (social media, to say nothing of full Internet access). Every enterprise seems to allow almost unfettered Internet connectivity. I ask myself "why?".

This is, I suppose, deserving of a post in its own right.

Not all environments are the same and there are plenty of legitimate reasons for it, but for the "average user" I just don't see a need for it.

I totally get that this isn't a popular call, but hey, it's just my blog so I'm allowed an opinion, however deluded it may appear to some. :)

- J.