June 29, 2011

Impactful Security Events and Trends

Over the past several years there have been a few events in the computer security world that can only be described as game changing. In the spirit of retrospection, it is sometimes useful to consider these past events and use them to extract trends and to try to see where security is headed in the future. To any readers who would like to comment, I would be interested to hear what your experience has been with these events and how they impacted security for you.

First, let’s start in the year 2005 with Mike Lynn’s Blackhat presentation on fully compromising Cisco routers (i.e. getting a command shell) remotely over the network. Mike described to the audience how he was able to use translations of Chinese websites that were discussing techniques for attaching debuggers to router console ports to assist him in his research. He proceeded to demonstrate for the audience his ability to compromise a Cisco router over the network, and this made it clear that the hack was real. People in the security community had speculated for a long time before Mike Lynn’s presentation about how dangerous it would be if routers themselves could be compromised given their privileged position in the network, but this was the first time that it had actually been demonstrated. The security landscape was no longer the same.

Next up, in 2006, also at the Blackhat Briefings, was a talk on compromising wireless device drivers over the airwaves. This was important because a successful driver exploit would allow the attacker to take over a target system from within the “bottom half” (in Linux parlance) of the kernel itself, and therefore most likely at a level where many security mechanisms could not stop it. The end result was that just the act of turning on a wireless card controlled by a vulnerable driver could result in remote compromise, regardless of whether the user joined a wireless network, deployed a firewall, or had every userland application perfectly patched.

Then, in 2008, Dan Kaminsky disclosed a technique for DNS cache poisoning on a massive scale. This presentation was also given at the Blackhat Briefings (noticing a trend here?), and Dan was very good at showing how pervasive DNS is in daily network operations and in general user interactions on the Internet. Hence, the attack surface for this kind of poisoning is much broader than many people realize, and it affects everything from “forgot my password” links in password reset emails to the process for acquiring an SSL certificate.

In 2009, at Blackhat again, Moxie Marlinspike blew a major hole in many SSL implementations with his presentation entitled “More Tricks for Defeating SSL”. Many users had trusted SSL for a long time to protect online banking transactions, purchasing goods over the Internet, and generally encrypting communications between web browsers and servers. The most compelling aspect of Moxie’s attack is that, unlike previous tools such as “sslstrip” (also written by Moxie), this new attack left absolutely no clues for the user. The typical “lock” graphics and such that browsers commonly displayed all remained intact even though the SSL layer had been broken.

Lastly, at the upcoming Blackhat Briefings in August 2011, Dillon Beresford will give a talk entitled “Exploiting Siemens Simatic S7 PLCs”. This speaks to outright exploitation of Programmable Logic Controllers, which are commonly used in everything from factory assembly lines to nuclear power generation. As we saw from Stuxnet, exploitation of SCADA systems can have important implications. For the record, Siemens has already fixed most of the vulnerabilities that Dillon is expected to discuss at Blackhat. (I will be attending Blackhat this year, so if any readers would like to meet there please email me: mrash{at}enterasys.com)

So, what can we learn from the above? Fundamentally, these presentations illustrate that computing infrastructure and code are categorically difficult to secure. Assumptions about what to trust are dangerous at every level, and if there is any trend to be found, it is that trust placed in fundamental infrastructure is commonly misplaced. The implications of such misplaced trust are hard to know, and we’ve most likely only seen the tip of the iceberg. At a minimum, defense in depth will never go away. In the near future we can expect to see other major systems have significant security problems, but we can have some hope that the people who believe in responsible disclosure of vulnerabilities will find these problems before the blackhats do.

About The Contributor:
Mike Rash, Architect Engineer, Dragon

Michael serves as Security Solutions Architect for Extreme Networks. Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" published by No Starch Press.
