(In)Security in Security Products

Who do you turn to when your security product becomes a gateway for attackers?

iViZ- Cloud based Application Penetration Testing (Zero False Positive Guarantee)
Introduction
• About iViZ
   –   Cloud based Penetration Testing
   –   Zero False Positive Guarantee
   –   Business Logic Testing with 100% WASC coverage
   –   300+ customers. IDG Ventures funded.
   –   Gartner Hype Cycle mention
• About myself
   – Co-founder and CEO of iViZ
   – Worked in the areas of AI, anti-spam filters, multi-stage attack
     simulation etc.
   – Love AI, security, entrepreneurship, magic / mind reading

About the Report/Study
• Security products are present in most systems
  and theoretically can become a “high pay-off” target
  for hackers, after the OS, browsers etc.

• At iViZ we wanted to study how secure security
  products are

• iViZ used databases such as the Common Vulnerability
  Enumeration (CVE), Common Product Enumeration
  (CPE) and National Vulnerability Database (NVD) for
  the analysis
A few attacks on Security Companies (unfolding of events)
• RSA SecurID tokens stolen
• VeriSign hacked into repeatedly, top management not aware
• Lockheed Martin suffers network intrusion
• L-3 Communications reveals having suffered intrusions
• Hackers claim to have Norton source code
• Comodo compromised, fraudulent SSL certificates issued



Vulnerability Disclosure Routes




RSA SecurID Token Compromise
• RSA compromised in March 2011 and confidential data
  was exfiltrated
   – Most likely algorithms and PRNG seeds were stolen.
• Initially, RSA maintained that the breach had no impact on
  the security of RSA products.
• Defense contractor Lockheed Martin compromised in
  June 2011 using data from the RSA attack.
• RSA finally acknowledged the attack and replaced all
  SecurID tokens (40 million) with new ones.
• Defense contractors Northrop Grumman and L-3
  Communications also rumored to have been attacked.


Debian OpenSSL Weak Keys
• Vulnerability caused by the removal of 2 lines of
  code. These lines were removed as "suggested"
  by two security tools (Valgrind and Purify) used to
  find vulnerabilities in the software distributed by
  Debian.
• Resulted in a predictable random number
  generator.
• Hence any private key generated was predictable
  (entropy ~ 2^15).
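As an added illustration (not from the iViZ deck), the following Python models why a generator whose only entropy is a 15-bit seed yields enumerable keys, and how a blacklist check of the kind Debian shipped after the bug detects affected keys. The seed-to-key derivation is a constructed stand-in, not OpenSSL's RSA generation; the 2^15 seed space is the slide's own figure.

```python
import hashlib
import os
import random

SEED_SPACE = 2 ** 15  # the deck's figure: roughly one seed per possible PID


def broken_keygen(pid):
    """Constructed stand-in for the broken generator: the process id is
    the only entropy that reaches the key derivation."""
    rng = random.Random(pid)                       # deterministic for a given pid
    seed_bytes = rng.getrandbits(256).to_bytes(32, "big")
    return hashlib.sha256(seed_bytes).digest()     # toy 'private key'


def fixed_keygen():
    """Properly seeded stand-in: 256 bits from the OS CSPRNG."""
    return hashlib.sha256(os.urandom(32)).digest()


def build_weak_key_blacklist():
    """Enumerate every key the broken generator can ever emit.

    Walking the whole 2^15 seed space takes well under a second, which is
    the point: a key space that small is not a secret. Debian's
    openssl-blacklist package shipped fingerprints of exactly such an
    enumeration so administrators could find affected keys."""
    return {broken_keygen(pid): pid for pid in range(SEED_SPACE)}


def is_weak_key(key, blacklist):
    """True if the key is one the broken generator can produce."""
    return key in blacklist


def audit_keys(keys, blacklist):
    """Return the positions of keys that must be revoked and regenerated."""
    return [i for i, key in enumerate(keys) if is_weak_key(key, blacklist)]


if __name__ == "__main__":
    bl = build_weak_key_blacklist()
    sample = [fixed_keygen(), broken_keygen(7), broken_keygen(31337)]
    print("distinct weak keys:", len(bl))                          # 32768
    print("keys to revoke at positions:", audit_keys(sample, bl))  # [1, 2]
```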
More Recent Attacks on SSL/TLS
• BEAST (Browser Exploit Against SSL/TLS) Attack
  (2011)
   – A block-wise chosen-plaintext attack against the AES
     encryption algorithm that's used in TLS/SSL
• CRIME (Compression Ratio Info-leak Made Easy)
  Attack (2012)
   – Works by leveraging a property of compression
     functions and noting how the length of the
     compressed data changes.
   – Can be used to obtain sensitive information like
     session cookies from encrypted SSL traffic


Flame hijacked Microsoft Auto-update
• Flame, discovered in 2012, had been operating
  undetected since at least 2010.
• Used an MD5 collision attack (demonstrated in
  2008) to generate a counterfeit copy of a
  Microsoft Terminal Server Licensing Service
  certificate.
• Used the counterfeit certificate to sign code so
  that malware appeared like genuine Microsoft
  code and hence remained undetected.
MITM-Symantec BackupExec by iViZ
• Man-in-the-middle attack on the NDMP protocol
• NDMP is an open standard protocol that
  allows data transfers between various storage
  devices connected over a network.
• An attacker looking for confidential
  information would otherwise need to target all the
  machines in the network; the backup server is a
  one-stop point where all the critical data usually
  resides.

Preboot Authentication Attack by iViZ
• iViZ identified flaws in numerous BIOSes and pre-
  boot authentication and disk encryption software
   – BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor,
     DiskCryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS
     found to be vulnerable.
• Flaws resulted in disclosure of plaintext pre-boot
  authentication passwords.
• In some cases, an attacker could bypass pre-boot
  authentication.

Anti-virus attacks by iViZ
• Antivirus products process many types of files with
  different file formats.
• We found flaws in the handling of malformed
  compressed, packed and binary files in
  different AV products
• Some of the file formats for which we found
  flaws in AV products are
   – ISO, RPM, ELF, PE, UPX, LZH
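An added example, not from the deck, of the parser-divergence class behind malformed-archive flaws: a scanner that inflates only the first gzip member never inspects content that a full decompressor extracts (RFC 1952 permits concatenated members), while a hardened scanner inflates every member, caps output, and fails closed on anything it cannot parse. The marker string is a constructed stand-in for a signature, and the multi-member mechanism is an assumption for illustration; the deck does not spell out which malformation each flaw used.

```python
import gzip
import zlib

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature
MAX_OUTPUT = 1 << 20                  # inflate cap: bounds CPU/memory per file


def make_gzip(*members):
    """Build one .gz file from one or more concatenated members (RFC 1952
    permits this; `gzip -d` and tar extract the content of every member)."""
    return b"".join(gzip.compress(m) for m in members)


def naive_scan(data):
    """Model of a scanner that inflates only the first member and ignores
    whatever follows it: anything in a later member is never inspected."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 = expect gzip header
    try:
        body = inflater.decompress(data)
    except zlib.error:
        return "malformed"
    return "detected" if MARKER in body else "clean"


def robust_scan(data):
    """Inflate every member, cap total output, and fail closed: a file the
    scanner cannot fully parse is reported as malformed, never as clean."""
    out = bytearray()
    rest = data
    while rest:
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            out += inflater.decompress(rest, MAX_OUTPUT + 1)
        except zlib.error:                # bad header, corrupt stream, trailing junk
            return "malformed"
        if len(out) > MAX_OUTPUT:
            return "oversized"            # treat like a decompression bomb
        if not inflater.eof:
            return "malformed"            # truncated member (missing trailer)
        rest = inflater.unused_data       # bytes after this member, if any
    return "detected" if MARKER in out else "clean"


if __name__ == "__main__":
    sample = make_gzip(b"harmless first member\n", MARKER)
    print("naive :", naive_scan(sample))    # clean  (misses the second member)
    print("robust:", robust_scan(sample))   # detected
```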

Analysis of Vulnerabilities in Anti virus
• Remote Code Execution
   – CVE-2010-0108: Buffer overflow in the
     cliproxy.objects.1 ActiveX control in the Symantec
     Client Proxy (CLIproxy.dll) allows remote code
     execution
   – CVE-2010-3499: F-Secure Anti-Virus does not
     properly interact with the processing of http:// URLs
     by the Microsoft Help and Support Center, which
     makes it easier for remote attackers to execute
     arbitrary code via malware that is correctly detected
     by this product

Analysis of Vulnerabilities in Anti virus
• Detection Bypass
   – CVE-2012-1461: The Gzip file parser in AVG Anti-
     Virus, Bitdefender, F-Secure and Fortinet antivirus products
     allows remote attackers to bypass malware
     detection via a .tar.gz file
• Denial of Service (DoS)
   – CVE-2012-4014: Unspecified vulnerability in
     McAfee Email Anti-virus (formerly WebShield
     SMTP) allows remote attackers to cause a denial
     of service via unknown vectors.

Analysis of Vulnerabilities in VPN
• Remote Code Execution
   – CVE-2012-2493: Cisco AnyConnect Secure
     Mobility Client 2.x does not properly validate
     binaries that are received by the downloader
     process, which allows remote attackers to execute
     arbitrary code.
   – CVE-2012-0646: Format string vulnerability in
     VPN in Apple iOS before 5.1 allows remote
     attackers to execute arbitrary code via a crafted
     racoon configuration file.

Analysis of Vulnerabilities in VPN
• Authentication Bypass
   – CVE-2009-1155: Cisco Adaptive Security
     Appliances (ASA) 5500 Series and PIX Security
     Appliances, allow remote attackers to bypass
     authentication and establish a VPN session to an
     ASA device




Security Product Vulnerability Trends
[Chart: Vulnerability Trend in Security Products; x-axis years 1998 to 2011, y-axis vulnerability count 0 to 300]
[Chart: Vulnerability Trend in All Products; x-axis years 1998 to 2011, y-axis vulnerability count 0 to 7000]

Most Vulnerable Security Product Categories
[Figure 2, bar chart: categories VPN, IDS/IPS, Firewall, Anti-Virus, Others; x-axis vulnerability count 0 to 700]

Vulnerabilities by Security Products
[Bar chart "Vulnerabilities in Security Products", x-axis vulnerability count 0 to 80; products listed: F-Secure Anti-virus, Cisco PIX Firewall, Sophos Anti-virus, Cisco Adaptive Security Appliance, Kaspersky Anti-virus, ClamAV Anti-virus, Trend Micro OfficeScan, AVG AntiVirus, Norton Personal Firewall, Norton AntiVirus, Checkpoint Firewall-1, Symantec Norton Internet Security, McAfee Anti Virus]

Vulnerabilities by Security Companies
[Bar chart "Vulnerabilities by Vendors", x-axis vulnerability count 0 to 1200; vendors listed: ClamAV, Kaspersky Lab, Cisco, Trend Micro, Symantec, McAfee, ISS, Checkpoint, CA]

Vulnerabilities in Security Products
[Figure 6, bar chart "Vulnerabilities in Security Products", x-axis vulnerability count 0 to 80; same product list as the preceding "Vulnerabilities by Security Products" slide]
Figure 6: Shows the number of vulnerabilities found in some of the major security products existing today. The X axis displays the number of vulnerabilities and the Y axis displays some of the major security products. Total vulnerabilities against each security product are calculated by considering all the versions of the product and their individual vulnerabilities discovered over the past years.

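An added example (not the study's own tooling) of the CVE/CPE aggregation the analysis describes: count vulnerabilities per vendor, per product folding all versions together as the Figure 6 caption states, and per category and year for the trend and category charts, run over constructed NVD-style records. The CPE strings, publication dates and the keyword-to-category map are constructed assumptions; only the CVE ids come from the deck.

```python
from collections import Counter

# Constructed NVD-style records (CPE 2.2 URIs, dates and version lists are
# illustrative samples; only the CVE ids appear in the deck).
SAMPLE_RECORDS = [
    {"id": "CVE-2009-1155", "published": "2009-04-09", "cpe": [
        "cpe:/a:cisco:adaptive_security_appliance_software:8.0",
        "cpe:/a:cisco:adaptive_security_appliance_software:8.1",
        "cpe:/h:cisco:pix_firewall:-"]},
    {"id": "CVE-2010-0108", "published": "2010-02-18", "cpe": [
        "cpe:/a:symantec:client_proxy:1.0"]},
    {"id": "CVE-2012-1461", "published": "2012-03-21", "cpe": [
        "cpe:/a:avg:anti-virus:2012",
        "cpe:/a:bitdefender:bitdefender_antivirus:2012",
        "cpe:/a:f-secure:f-secure_anti-virus:2011",
        "cpe:/a:fortinet:fortigate_antivirus:4.3"]},
    {"id": "CVE-2012-2493", "published": "2012-06-20", "cpe": [
        "cpe:/a:cisco:anyconnect_secure_mobility_client:2.3",
        "cpe:/a:cisco:anyconnect_secure_mobility_client:2.4",
        "cpe:/a:cisco:anyconnect_secure_mobility_client:2.5"]},
    {"id": "CVE-2012-4014", "published": "2012-08-02", "cpe": [
        "cpe:/a:mcafee:email_anti-virus:7.0"]},
]

# Keyword map from CPE product name to the deck's categories (an assumption;
# NVD does not label products by security category). First match wins.
CATEGORY_KEYWORDS = [
    ("VPN", ("vpn", "anyconnect")),
    ("IDS/IPS", ("intrusion",)),
    ("Firewall", ("firewall", "pix", "adaptive_security_appliance")),
    ("Anti-Virus", ("anti-virus", "antivirus", "anti_virus")),
]


def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version)."""
    fields = uri.split(":")
    if len(fields) < 4 or fields[0] != "cpe":
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    part = fields[1].lstrip("/")
    version = fields[4] if len(fields) > 4 else ""
    return part, fields[2], fields[3], version


def categorize(product):
    """Map a CPE product name to one of the deck's categories."""
    for category, keywords in CATEGORY_KEYWORDS:
        if any(k in product for k in keywords):
            return category
    return "Others"


def count_by_vendor(records):
    """Each CVE counts once per vendor, however many products it names."""
    counts = Counter()
    for rec in records:
        counts.update({parse_cpe(c)[1] for c in rec["cpe"]})
    return counts


def count_by_product(records):
    """Each CVE counts once per (vendor, product): every version of a
    product is folded together, as the Figure 6 caption describes."""
    counts = Counter()
    for rec in records:
        counts.update({parse_cpe(c)[1:3] for c in rec["cpe"]})
    return counts


def count_by_category_year(records):
    """Each CVE counts once per (category, year) for the trend charts."""
    counts = Counter()
    for rec in records:
        year = int(rec["published"][:4])
        categories = {categorize(parse_cpe(c)[2]) for c in rec["cpe"]}
        counts.update((cat, year) for cat in categories)
    return counts


if __name__ == "__main__":
    print("by vendor  :", count_by_vendor(SAMPLE_RECORDS).most_common())
    print("by product :", count_by_product(SAMPLE_RECORDS).most_common())
    print("by category:", sorted(count_by_category_year(SAMPLE_RECORDS).items()))
```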
Type of Vulnerabilities in Security Products “vs”
               General Products
[Two pie charts, "All Products" and "Security Products", sharing one legend: SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak]

Analysis of Vulnerabilities in security
          product companies
• Some of the product companies, like Cisco, Symantec
  etc., have more public vulnerability disclosures than
  others. Some of the reasons are:
   – Larger attack surface (more products and their versions)
   – Popularity index
• Recent trends like bug bounties and the 0-day market lead
  to fewer public vulnerability disclosures (companies
  like Kaspersky and ISS)
• Advancement and awareness of Secure SDLC also lead
  to fewer trivial bugs in the latest security products.


Future of attacks on Security products
• Like RSA SecurID, more security products
  would be targets of APT-style attacks.
• It is easier to compromise an entire network if an
  attacker can compromise the security systems
  in place.
• Security products would be (and are being)
  targeted by state-sponsored or APT-style attacks
• More vulnerabilities would be sold on the zero-day
  black market
Some thoughts..
• Security companies do not necessarily
  produce secure software
• Security products can themselves serve as a door for
  a hacker
• Security products are “high pay-off” targets
  since they are present in most systems
• APT and cyber-warfare make “security
  products” the next choice of target

What should we do to protect ourselves?
• Conduct proper due diligence on the security
  product
• Ask for audit reports
• Patch security products like any other product
• Treat security tools in the same manner as other
  tools during threat modeling
• Have proper detection and monitoring solutions
  and multi-layer defense
• Test and don’t trust (blindly)

Thank You
                   bikash@ivizsecurity.com





Top 10 mobile security risks - Khổng Văn Cường
 

Mais de DaveEdwards12

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)DaveEdwards12
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesDaveEdwards12
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security managementDaveEdwards12
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 

Mais de DaveEdwards12 (8)

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 

Último

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Último (20)

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

Vulnerability in Security Products

  • 1. (In)Security in Security Products Who do you turn to when your security product becomes a gateway for attackers? iViZ- Cloud based Application Penetration Testing (Zero False Positive Guarantee)
  • 2. Introduction
    • About iViZ
      – Cloud based Penetration Testing
      – Zero False Positive Guarantee
      – Business Logic Testing with 100% WASC coverage
      – 300+ customers. IDG Ventures Funded.
      – Gartner Hype Cycle mention
    • About myself
      – Co-founder and CEO of iViZ
      – Worked in areas of AI, anti-spam filters, multi-stage attack simulation etc.
      – Love AI, Security, Entrepreneurship, Magic / Mind Reading
  • 3. About the Report/Study
    • Security products are present in most systems and can theoretically become a "high pay-off" target for hackers after the OS, browsers etc.
    • At iViZ we wanted to study how secure the security products themselves are
    • iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis
  • 4. A few attacks on Security Companies (diagram titled "Unfolding of Events")
    • RSA SecureID tokens stolen
    • VeriSign hacked into repeatedly, top management not aware
    • Lockheed Martin suffers network intrusion
    • L-3 Communication reveals having suffered intrusions
    • Hackers claim to have Norton source code
    • Comodo compromised, fraudulent SSL certificates issued
  • 5. Vulnerability Disclosure Routes (diagram only; the routes are spelled out in editor's note 1 below)
  • 6. RSA SecurID Token Compromise
    • RSA compromised in March 2011 and confidential data was exfiltrated
      – Most likely algorithms and PRNG seeds were stolen.
    • Initially, RSA maintained that the breach had no impact on the security of RSA products.
    • Defense contractor Lockheed Martin compromised in June 2011 using data from the RSA attack.
    • RSA finally acknowledged the attack and replaced all SecurID tokens (40 million) with new ones.
    • Defense contractors Northrop Grumman and L-3 Communications also rumored to have been attacked.
  • 7. Debian OpenSSL Weak Keys
    • Vulnerability caused by the removal of 2 lines of code. These lines were removed as "suggested" by two security tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian
    • Resulted in a predictable random number generator.
    • Hence any private key generated was predictable (entropy ~ 2^15).
  • 8. More Recent Attacks on SSL/TLS
    • BEAST (Browser Exploit Against SSL/TLS) attack (2011)
      – a block-wise chosen-plaintext attack against the AES encryption algorithm as used in TLS/SSL
    • CRIME (Compression Ratio Info-leak Made Easy) attack (2012)
      – works by leveraging a property of compression functions and noting how the length of the compressed data changes.
      – Can be used to obtain sensitive information like session cookies from encrypted SSL traffic
  • 9. Flame hijacked Microsoft Auto-update
    • Flame, discovered in 2012, had been operating undetected since at least 2010.
    • Used an MD5 collision attack (demonstrated in 2008) to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate.
    • Used the counterfeit certificate to sign code so that the malware appeared to be genuine Microsoft code and hence remained undetected.
  • 10. MITM-Symantec BackupExec by iViZ
    • Man-in-the-middle attack on the NDMP protocol
    • NDMP is an open standard protocol that allows data transfers between various storage devices connected over a network.
    • Instead of targeting every machine in the network, an attacker looking for confidential information can go to the backup server, a one-stop point where all the critical data usually resides.
  • 11. Preboot Authentication Attack by iViZ
    • iViZ identified flaws in numerous BIOSes and pre-boot authentication and disk encryption software
      – BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS found to be vulnerable.
    • Flaws resulted in disclosure of plaintext pre-boot authentication passwords.
    • In some cases, an attacker could bypass pre-boot authentication.
  • 12. Anti-virus attacks by iViZ
    • Antivirus software processes many different types of files with different file formats.
    • We found flaws in the handling of malformed compressed, packed and binary files in different AV products
    • Some of the file formats for which we found flaws in AV products are
      – ISO, RPM, ELF, PE, UPX, LZH
  • 13. Analysis of Vulnerabilities in Anti-virus
    • Remote Code Execution
      – CVE-2010-0108: Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) allows remote code execution
      – CVE-2010-3499: F-Secure Anti-Virus does not properly interact with the processing of http:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product
  • 14. Analysis of Vulnerabilities in Anti-virus
    • Detection Bypass
      – CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file
    • Denial of Service (DoS)
      – CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
  • 15. Analysis of Vulnerabilities in VPN
    • Remote Code Execution
      – CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
      – CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
  • 16. Analysis of Vulnerabilities in VPN
    • Authentication Bypass
      – CVE-2009-1155: Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances allow remote attackers to bypass authentication and establish a VPN session to an ASA device
  • 17. Security Product Vulnerability Trends
    • [Chart "Vulnerability Trend in Security Products": vulnerabilities per year, y axis 0-300, for 1998-2011]
    • [Chart "Vulnerability Trend in All Products": vulnerabilities per year, y axis 0-7000, for 1998-2011]
  • 18. Most Vulnerable Security Product Categories
    • [Chart, Figure 2: vulnerability count (x axis 0-700) by category: VPN, IDS/IPS, Firewall, Anti-Virus, Others]
  • 19. Vulnerabilities by Security Products
    • [Chart "Vulnerabilities in Security Products": vulnerability count (x axis 0-80) for F-Secure Anti-virus, Cisco PIX Firewall, Sophos Anti-virus, Cisco Adaptive Security Appliance, Kaspersky Anti-virus, ClamAV Anti-virus, Trend Micro OfficeScan, AVG AntiVirus, Norton Personal Firewall, Norton AntiVirus, Checkpoint Firewall-1, Symantec Norton Internet Security, McAfee Anti Virus]
  • 20. Vulnerabilities by Security Companies
    • [Chart "Vulnerabilities by Vendors": vulnerability count (x axis 0-1200) for ClamAV, Kaspersky Lab, Cisco, Trend Micro, Symantec, McAfee, ISS, Checkpoint, CA]
  • 21. Vulnerabilities in Security Products
    • [Same chart as slide 19] Figure 6: Shows the number of vulnerabilities found in some of the major security products existing today. The X axis displays the number of vulnerabilities and the Y axis displays some of the major security products. Total vulnerabilities against each security product are calculated by considering all versions of the product and their individual vulnerabilities discovered over the past years.
  • 22. Type of Vulnerabilities in Security Products "vs" General Products
    • [Two pie charts, "All Products" and "Security Products", sharing the categories SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak]
  • 23. Analysis of Vulnerabilities in security product companies
    • Some product companies, like Cisco, Symantec etc., have more public vulnerability disclosures than others. Some of the reasons are:
      – Larger attack surface (more products and their versions)
      – Popularity index
    • Recent trends like bug bounties and the 0-day market lead to fewer public vulnerability disclosures (companies like Kaspersky and ISS)
    • Advancement and awareness of Secure SDLC also lead to fewer trivial bugs in the latest security products.
  • 24. Future of attacks on Security products
    • Like RSA SecurID, more security products will be the target of APT-style attacks.
    • It is easier to compromise an entire network if an attacker can compromise the security systems in place.
    • Security products will be (and are being) targeted by state-sponsored or APT-style attacks
    • More vulnerabilities will be sold on the zero-day black market
  • 25. Some thoughts..
    • Security companies do not necessarily produce secure software
    • Security products can themselves serve as a door for a hacker
    • Security products are "high pay-off" targets since they are present in most systems
    • APT and cyber-warfare make "security products" the next choice
  • 26. What should we do to protect ourselves?
    • Conduct proper due diligence of the security product
    • Ask for audit reports
    • Patch security products like any other product
    • Treat security tools in the same manner as other tools during threat modeling
    • Have proper detection and monitoring solutions and multi-layer defense
    • Test and don't trust (blindly)
  • 27. Thank You bikash@ivizsecurity.com
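The key-space collapse from slide 7 (Debian OpenSSL weak keys), as an added simulation that is not code from the slides, Debian or OpenSSL: the toy generator hashes PRNG output instead of producing an RSA key, and the 1..32767 PID range is an assumption matching the ~2^15 entropy quoted on the slide. It also shows the blacklist check that the remediation relied on, which is only possible because the key space became small enough to enumerate.

```python
"""Simulation of the Debian OpenSSL weak-key problem and of the blacklist
check used to remediate it.  Added illustration: the key generator is a toy
that hashes PRNG output instead of producing an RSA key, and the PID range is
an assumption, not a value taken from the slides."""
import hashlib
import os
import random

# Assumption: process IDs 1..32767, matching the ~2^15 entropy quoted on slide 7.
MAX_PID = 2 ** 15


def weak_keygen(pid: int) -> bytes:
    """Toy stand-in for the broken generator.

    After the two lines were removed, the only thing that still varied between
    runs was the process ID, so the key is a deterministic function of it:
    same PID -> same key, on every machine running the affected package.
    """
    rng = random.Random(pid)  # seeded with nothing but the PID
    return hashlib.sha256(rng.getrandbits(256).to_bytes(32, "big")).digest()


def sound_keygen() -> bytes:
    """Toy stand-in for a correctly seeded generator (OS entropy pool)."""
    return hashlib.sha256(os.urandom(32)).digest()


def build_blacklist() -> set[bytes]:
    """Enumerate every key the weak generator can ever produce.

    This mirrors the real remediation (Debian's openssl-blacklist and
    ssh-vulnkey): because the key space collapsed to ~2^15 values, all of
    them can be precomputed once and any deployed key checked against them.
    """
    return {weak_keygen(pid) for pid in range(1, MAX_PID)}


def is_weak_key(key: bytes, blacklist: set[bytes]) -> bool:
    """True if the key could have come from the broken generator."""
    return key in blacklist


def distinct_keys(samples: int, weak: bool) -> int:
    """How many distinct keys `samples` independent processes end up with.

    With the weak generator the count saturates at MAX_PID - 1 no matter how
    many keys are generated; with the sound generator it keeps growing.
    """
    pids = random.Random(1)  # constructed sequence of process IDs
    keys = {weak_keygen(pids.randrange(1, MAX_PID)) if weak else sound_keygen()
            for _ in range(samples)}
    return len(keys)


if __name__ == "__main__":
    bl = build_blacklist()
    print("keys in blacklist:", len(bl))
    print("sample weak key blacklisted:", is_weak_key(weak_keygen(4242), bl))
    print("fresh key blacklisted:", is_weak_key(sound_keygen(), bl))
    print("distinct weak keys from 100000 processes:", distinct_keys(100_000, True))
```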

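The length side channel that slide 8 describes for CRIME, as an added illustration that is not code from the slides or from any attack tool: plain DEFLATE via zlib stands in for TLS-level compression, and the request layout, cookie value and guesses are constructed. The closing check is the one a defender wants from this: with compression off, message length no longer varies with the secret.

```python
"""Why a compressed channel leaks secret contents through message length
(the property behind CRIME) and why disabling compression removes the leak.
Added illustration: request layout, cookie value and guesses are constructed,
and zlib's DEFLATE stands in for TLS compression."""
import zlib

# Constructed secret that the browser attaches to every request automatically.
SESSION_COOKIE = "sessionid=7f3a9c"

# Constructed guesses of equal length: an exact match, a partial match, a miss.
GUESSES = ["sessionid=7f3a9c", "sessionid=7f3ab2", "sessionid=zq8w1x"]


def build_request(path: str, cookie: str = SESSION_COOKIE) -> bytes:
    """One request in which attacker-influenced data (the path) and a secret
    (the cookie) share the same compression context.  That sharing is the
    precondition for the leak."""
    return (f"GET /{path} HTTP/1.1\r\n"
            f"Host: example.test\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


def wire_length(payload: bytes, compress: bool) -> int:
    """Length as seen on the wire.  TLS encryption hides content but not
    length, so this is exactly what a passive observer can measure."""
    return len(zlib.compress(payload, 9)) if compress else len(payload)


def lengths_for_guesses(guesses: list[str], compress: bool) -> list[int]:
    """Wire length of the request for each guess placed in the path.

    With compression, a guess that repeats the cookie is encoded as a
    back-reference and the message shrinks, so length reveals how much of the
    guess matched.  Without compression all equal-length guesses produce the
    same length and nothing is revealed.
    """
    return [wire_length(build_request(g), compress) for g in guesses]


def leak_detected(guesses: list[str], compress: bool) -> bool:
    """Mitigation check: does message length still vary with the guess?"""
    return len(set(lengths_for_guesses(guesses, compress))) > 1


if __name__ == "__main__":
    for compress in (True, False):
        print("compression on " if compress else "compression off",
              lengths_for_guesses(GUESSES, compress),
              "leaks" if leak_detected(GUESSES, compress) else "no leak")
```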
Editor's Notes

  1. Interesting points: The vulnerability life cycle involves the stages Vulnerability Discovery, Vulnerability Disclosure, Patch Release and Patch Applied. For an organization, a vulnerability is not fixed until the patch is applied. Vulnerability disclosure may happen via various routes: Internal Disclosure: an internal security team or pentesters find the vulnerability (the safest route); Public Disclosure: accidental disclosure; White 0-Day Market: Zero Day Initiative, iDefense, bug bounties... As we go deeper, the time to disclose the vulnerability and the impact increase drastically. A zero day utilized in cyber warfare has a far larger impact than a casual attacker utilizing the 0-day.
  2. http://www.ivizsecurity.com/security-advisory-iviz-sr-11001.html and http://www.slideshare.net/nibin012/attacking-backup-softwares
  3. Antivirus software is one of the most complicated applications. It has to deal with hundreds of file types and formats: executables (exe, dll, msi, com, pif, cpl, elf, ocx, sys, scr, etc.); documents (doc, xls, ppt, pdf, rtf, chm, hlp, etc.); compressed archives (arj, arc, cab, tar, zip, rar, z, zoo, lha, lzh, ace, iso, etc.); executable packers (upx, fsg, mew, nspack, wwpack, aspack, etc.); media files (jpg, gif, swf, mp3, rm, wmv, avi, wmf, etc.). Each of these formats can be quite complex. Hence, it is extremely difficult for antivirus software to process all these formats appropriately.
  4. Most evident facts: 1. Vulnerability disclosures were at their peak during 2007. 2. Slow but steady decrease in public disclosure. 3. Security products follow a similar vulnerability disclosure curve to any other product. Not so obvious: 1. Bug bounties. 2. Black 0-day market. 3. The rise and rise of the price of critical vulnerabilities. 4. In summary, fixing the vulnerability before it goes public is a hot trend.
  5. Most evident facts: 1. Firewalls and antivirus lead the show with the most vulnerabilities.
  6. Most evident facts: 1. ClamAV and Norton Antivirus lead the show with the most vulnerabilities discovered. 2. McAfee antivirus has the least number of public vulnerability disclosures. 3. Mostly firewalls and antivirus lead the show with the most vulnerabilities. Not so obvious facts: 1. ClamAV is an open source product, hence subject to severe scrutiny by security researchers.
  7. Most evident: Cisco leads the show with the most vulnerabilities, followed by Symantec and CA. Kaspersky and ISS have the least number of public vulnerability disclosures. Not so obvious: Cisco, Symantec and CA have a wide variety of product offerings (hundreds of products and their versions); as a result they have a much larger attack surface to defend.
  8. Most evident: Ultimately any security product is a piece of code, and they have similar weaknesses. Input validation and buffer overflows constitute 38% of all the possible weaknesses in security products. Input validation, buffer overflows, access control, cross-site scripting and resource management are the most common weaknesses found in security products. SQL injection is less common in security products, as compared to all products. Not so obvious facts: 1. Apart from security vulnerabilities, there are various antivirus and firewall bypassing techniques available utilizing cryptography, steganography etc.