Wednesday, May 23, 2012

CISSP CPE6: NSS Labs - Consistency in Security Effectiveness

length: 01:00:00

Webinar with Sourcefire regarding the NSS Labs IPS group test 2012

Dave Stuart, Marketing, Sourcefire
Bob Walder, Chief Research Officer, NSS Labs
Jason Brvenik, VP Security Strategy, Sourcefire

NSS Labs: security research and analysis company; a subscription gives unlimited access to the in-depth tests.
Provides the information businesses need to be secure.
Independent: NOT vendor funded!

Why perform tests?
NSS is the only one with in-house testing facilities.
Right-sizing is not the same as throughput.
Effective protection?
The idea is to see how devices perform in the real world.
The bad guys are always one step ahead; the good guys are always playing catch-up.

Detection rate?
Does it protect better server-to-client (S2C) or client-to-server (C2S)?
Which applications are better covered?

6.2 IPS methodology
The methodology has been revised: the largest and most comprehensive test ever.
1500 live exploits and evasions (just a subset of the thousands of exploits available), run live, not as traffic replay.
300 new exploits, 75 new evasions.
Connection dynamics and their real-world impact.
All new management criteria and analysis (important point).
All new device stability testing (extensive fuzzing, leakage testing, ...).
3-year TCO and value calculation (not only the purchase price: sensor, management, support, signature updates, man-hours).
Security effectiveness of the device.
Performance of the device.

If a vendor performs consistently year after year, it means that the vendor has kept on improving the product.
NSS talks to customers about which products they want to see tested.
The test is quite challenging; not all vendors are willing to participate.

Does this product meet my needs?
Does it protect my assets? Performance? Scale?
What is the true TCO?
Do the claims match reality?
What questions should I ask? Why is the catch rate so low? Will sessions ramp up?
This gives much more data to potential buyers.

Comparative analysis report:
Has the product improved, been maintained, or degraded?
Should I upgrade to the latest version?
Should I consider another solution?
Are critical assets protected?
Which vendors are consistent? Which vendors shine brightly for a brief year and then fade?


Security value map:
Quadrant   Security   Value   Rating
Q1         +          +       recommended
Q2         -          +       neutral
Q3         -          -       caution
Q4         +          -       neutral


Sourcefire:
Buying a security product is not like buying a car: it requires consistently improving performance and effectiveness.
Security evolves: larger attack surface and new attack vectors.

Four key metrics:

Protection
Real-world IPS throughput
Concurrent connections
TCO


Sourcefire NSS 2012 results:
98.9% overall protection (NSS result)
99% C2S
98% S2C
100% resistance to evasion
No attack leakage
The best overall protection of any vendor to date.

170% of rated performance.
Designed for performance, scalability and protection.

Sourcefire                 8260      8250      8120
----------------------------------------------------
Protection                 98.9%     98.9%     98.9%
Real-world IPS throughput  34 Gbps   17 Gbps   3.4 Gbps
Concurrent connections     60M       30M       15M
TCO per protected Mbps     $15       $19       $34

These are pretty impressive results.
The devices performed well beyond what they were rated for.
We (Sourcefire) don't believe that you have to choose between security and performance.
We believe that if you make the investment you can achieve what you need.

Not all models had completed testing in 2012 (* = not yet tested):

8250: 15 Gbps
8260: 34 Gbps
8270: 51 Gbps* (stack of three, does not require an external device)
8290: 64 Gbps* (stack of four, does not require an external device)
Fail-safe mode: no need for an external tap or bypass kit.
Sourcefire: creator of Snort, ClamAV and Razorback.

Omar's question:
Can vendors somehow cheat the tests (e.g., by making more aggressive signatures that might cause false positives)?
Answer: this happens, but NSS will detect cheaters.


Thursday, May 17, 2012

CISSP CPE6: Threat Review: Deconstructing Modern Trojans

Webinar by Palo Alto Networks. Length: 01:00:00

Analyzing samples collected by WildFire.

Prevalence of port/protocol evasion in malware compared to non-malicious traffic.

Common tricks of evasive traffic:
1. Use an existing protocol in an unexpected way (e.g., IRC on port 80).
2. Use a standard protocol over non-standard ports to avoid signatures.

Example, DNS tunneling tools:
tcp-over-dns
dns2tcp
iodine
Heyoka
OzymanDNS
NSTX

These take advantage of recursive queries: the client encodes data in query names under a domain the attacker controls, the local resolver forwards them to the attacker's authoritative DNS server, and TCP payloads are carried in both directions encapsulated inside DNS messages.
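Because the tunnel has to carry its data inside query names and answer records, it leaves a signature in resolver logs: many distinct, long, high-entropy labels under one domain, often with TXT or NULL record types. The detector below is an added example (not code from the webinar or from Palo Alto Networks) that scores a few constructed resolver log lines; the log format "<epoch> <client-ip> <qtype> <qname>" and every threshold are assumptions chosen for illustration.

```python
"""Heuristic DNS tunnelling detector run over a few constructed resolver log lines.

Added example, not code from the webinar or from Palo Alto Networks. The log
format ("<epoch> <client-ip> <qtype> <qname>") and every threshold below are
assumptions chosen for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): one line per query seen by the
# recursive resolver. The labels under evil-tunnel.test carry hex-encoded data.
SAMPLE_LOG = """\
1335000000 10.0.0.5 A www.example.com
1335000001 10.0.0.5 TXT 6a6f686e2e646f652e73656372657431.t.evil-tunnel.test
1335000001 10.0.0.5 TXT 4a2b9f0c11de33ab77c0ffee01020304.t.evil-tunnel.test
1335000002 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.evil-tunnel.test
1335000002 10.0.0.5 A mail.example.com
1335000003 10.0.0.5 TXT deadbeefcafebabe0123456789abcdef.t.evil-tunnel.test
1335000003 10.0.0.5 NULL 0011223344556677889900aabbccddeeff.t.evil-tunnel.test
1335000004 10.0.0.9 A cdn.example.net
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname) tuples; skip junk."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return records


def registered_domain(qname, suffix_labels=2):
    """Crude 'registered domain': the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:])


def shannon_entropy(s):
    """Bits per character of the string; hex/base32 data labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(records, min_queries=3, long_label=24, high_entropy=3.0):
    """Aggregate per registered domain and flag tunnelling-like query patterns.

    A tunnel must push data in the query name, so we look for: many distinct
    names under one domain, long leftmost labels and high label entropy, plus
    the record types tunnels favour for the downstream channel (TXT/NULL).
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "label_len": 0, "entropy": 0.0, "txt_null": 0})
    for _ts, _client, qtype, qname in records:
        st = stats[registered_domain(qname)]
        leftmost = qname.split(".")[0]
        st["queries"] += 1
        st["names"].add(qname)
        st["label_len"] += len(leftmost)
        st["entropy"] += shannon_entropy(leftmost)
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1

    findings = {}
    for dom, st in stats.items():
        n = st["queries"]
        avg_len = st["label_len"] / n
        avg_ent = st["entropy"] / n
        unique_ratio = len(st["names"]) / n
        suspicious = (n >= min_queries and unique_ratio >= 0.8
                      and (avg_len >= long_label or avg_ent >= high_entropy))
        findings[dom] = {"queries": n, "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2),
                         "unique_ratio": round(unique_ratio, 2),
                         "txt_null": st["txt_null"], "suspicious": suspicious}
    return findings


if __name__ == "__main__":
    for dom, f in sorted(score_domains(parse_log(SAMPLE_LOG)).items()):
        flag = "TUNNEL?" if f["suspicious"] else "ok"
        print(f"{dom:20} {flag:8} {f}")
```

Run on the constructed log, evil-tunnel.test is flagged (five queries, every name unique, 32+ character hex labels) while example.com and example.net are not. In production the "registered domain" step needs a public-suffix list, and the thresholds should be tuned against a baseline of the organisation's own legitimate long-label traffic (CDNs and anti-spam DNSBL lookups are the usual false positives).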

App-ID addresses the evasion problem.

WildFire analysis center: sandbox-based analysis looks over the samples
- detects new and unknown malware samples
- uses App-ID to analyze the traffic generated by the malware
- focuses on evasive traffic behavior and unusual traffic that could not be identified by App-ID


16,497 newly discovered malware samples in April 2012:
66% were undetected by traditional AV vendors
80% generated traffic to the Internet
59% (7,918) generated evasive traffic


Common evasive behavior:
short HTTP headers
unknown traffic
dynamic DNS, fast-flux domains
fake HTTP
non-standard HTTP
IRC on the regular port
IRC on non-standard ports
(surprisingly little use of IRC; it is becoming obsolete for malware)


Unknown traffic occurs at a significantly higher rate in malware than in valid network traffic:
11% of malware sessions presented as unknown
0.6% of legitimate traffic presented as unknown

Enterprises can progressively reduce the amount of unknown traffic with:
custom App-IDs
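The evasive behaviours listed above (IRC on port 80, HTTP on odd ports, short or fake HTTP headers, and traffic no decoder recognises) all come down to identifying the application from the payload and only then comparing it with the port. The following is an added example of that approach, not Palo Alto Networks' App-ID or any code from the webinar: the flow samples, the tiny signature set and the "expected port" policy are assumptions made for illustration.

```python
"""Port-independent protocol identification over constructed first-packet payloads.

Added example, not Palo Alto Networks' App-ID or any code from the webinar.
The flow samples, the signature set and the "expected port" policy are
assumptions made for illustration; real App-ID uses far richer decoders.
"""
import re

# Constructed flows (not captured traffic): (destination port, first client payload).
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (80, b"NICK bot4411\r\nUSER bot 0 * :bot\r\nJOIN #c0ntrol\r\n"),        # IRC on port 80
    (4443, b"GET /update.php HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),     # HTTP, odd port
    (80, b"GET / HTTP/1.1\r\n\r\n"),                                       # "short headers"
    (80, b"POST /gate.php HTTP/1.0\nhost:cp\n\n"),                         # LF-only HTTP
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),                # TLS ClientHello
    (6667, b"NICK user\r\nUSER user 0 * :user\r\n"),                        # IRC, normal port
    (80, b"\x00\x11\x22\x33 custom binary on 80"),                          # unknown
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")
# Assumed policy: on which ports each identified application is considered normal.
EXPECTED_PORTS = {"http": {80}, "irc": {6667, 6697}, "tls": {443}}


def identify(payload):
    """Return (app, anomalies) from payload content alone; the port is not consulted."""
    anomalies = []
    if payload.startswith(HTTP_METHODS):
        head, sep, _body = payload.partition(b"\r\n\r\n")
        if not sep:                       # malware "non-standard HTTP": bare LF separators
            head, sep, _body = payload.partition(b"\n\n")
            if sep:
                anomalies.append("lf-line-endings")
        lines = re.split(rb"\r?\n", head)
        if not re.match(rb"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0]):
            return "unknown", ["malformed-request-line"]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if b"host" not in headers:
            anomalies.append("missing-host")
        if b"user-agent" not in headers:
            anomalies.append("missing-user-agent")
        if len(headers) < 2:              # the "short HTTP headers" behaviour
            anomalies.append("short-headers")
        return "http", anomalies
    if payload.startswith(IRC_COMMANDS):
        return "irc", anomalies
    # TLS record header: content type 0x16 (handshake), version 3.0 .. 3.3
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 3 and payload[2] <= 3:
        return "tls", anomalies
    return "unknown", anomalies


def classify_flow(port, payload):
    """Combine the content verdict with the port to surface port/protocol evasion."""
    app, anomalies = identify(payload)
    if app != "unknown":
        if port not in EXPECTED_PORTS[app]:
            anomalies.append("non-standard-port")
        for other, ports in EXPECTED_PORTS.items():
            if other != app and port in ports:
                anomalies.append(f"{app}-on-{other}-port")
    return app, anomalies


def unknown_ratio(flows):
    """Fraction of flows no decoder could identify (the webinar's 11% vs 0.6% metric)."""
    unknown = sum(1 for _port, payload in flows if identify(payload)[0] == "unknown")
    return unknown / len(flows) if flows else 0.0


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        app, anomalies = classify_flow(port, payload)
        print(f"port {port:<5} {app:<8} {', '.join(anomalies) or '-'}")
    print(f"unknown ratio: {unknown_ratio(SAMPLE_FLOWS):.1%}")
```

The two checks are deliberately separate: `identify` never looks at the port, so IRC on port 80 is still IRC, and `classify_flow` then reports both the non-standard port and the mismatch with the port's expected application. Whatever stays "unknown" after the decoders run is the residue the webinar suggests driving down with custom App-IDs for in-house protocols.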

I raised questions:
You mentioned that 66% of malware traffic is not detected by major AV software; how did you test it?
Did you involve the AV companies in testing it?
A common mistake in AV testing is simply using the AV CLI functionality (such as via VirusTotal), whereas AV has multiple layers of protection that cannot be accessed via the CLI.


CISSP CPE6: Deploying IPS Successfully



Webinar by Juniper. Length: 01:30:00


IPS strengths:
Data center protection
IPS is good for protecting the data center, especially servers.
Protecting the client-to-server direction.
But IPS is not so good at protecting clients.

It's good to add IPS capability to the FW because there is no need to add another device, but this might not be the right reason.

Policy compliance with IPS

FW/IPS consolidation makes sense where IPS use is light.

Out of band/sniffer use cases:
1. Client-to-server attacks
2. Anomalous/evasive network protocol behavior
3. Network-layer server-to-client attacks
4. Brute-force attacks
5. DoS attacks

Modes:
Sniffer
Integrated
Tap
Full


IPS weaknesses:
No one-box logging
IPS-only vs. standalone: lack of network profiling
High performance comes at a high price
Malware detection requires file-format/application analysis (e.g., malicious PDF, Excel, Word, Flash objects, Java objects)

File-format-based detection
Specialized application security (WAF)
Reputation/profiling/data-import-based attack detection


Questions before deploying IPS:
What assets need protecting?
What throughput, sessions and connections per second (CPS)?
What type of IPS policy?


Sunday, April 29, 2012

CPE: McAfee AudioParasitic: Episode 33 part 1/2: Race to Zero, to be held at DEF CON


length: 00:15:42

No matter what, the bad guys will create undetectable malware,
so we should at least benefit from this: "give us the sample!"
Unfortunately the rule here is "do not share the sample", which is flawed.

If the sample is not shared, it only benefits the bad guys;
the good guys also need to receive the sample to analyze it.

People tend to forget that AV is reactive:
it detects nothing that we don't already know.

There is no good reason not to share the samples with the AV community.

At the end of the day, we're supposed to be the good guys:
"AV is dead, blah blah blah" is not helping anybody.

VirusTotal: the AV engines are not optimally configured,
just the CLI function.
For example, script scanning is not accessible from the CLI.
Useful to test a sample BUT not useful for benchmarking.


Friday, April 27, 2012

CPE: McAfee AudioParasitic: Episode 32: M$ Patch Tuesday


length: 00:12:40

Most critical:
MS08-018: vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file; successful exploitation could take complete control of an affected system.

MS08-025: vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system, then install programs; view, change, or delete data; or create new accounts.

IE vulnerability exploitable for remote code execution.

Before the patch there is usually not a lot of activity, but after the patch has been released there is usually more: the patch gets reverse engineered.


Thursday, April 26, 2012

CPE: McAfee AudioParasitic: Episode 31: SAGE 3


length: 00:30:06

SAGE 3: examines global malware trends.

Chinese Internet users skyrocketed, up 500% during the last 5 years;
the rest of the world 200%;
the US 121% during the same time period.

The Chinese government has released recommendations to avoid game fatigue; is this going to lead to localized malware?

China-specialized malware has started, in order to also stay under the radar.

If spam wants to be successful, it has to use the local language.

Phishing attacks: 2 years ago 99% of spam was English; now 7-8% is non-English, and that is an awful lot of spam.
It goes hand in hand with customized malware; it's one more way to stay under the radar.
Most intelligence is based on certain languages.
Exploitation through obscurity.


CPE: McAfee AudioParasitic: Episode 30: M$ Patch Tuesday


length: 00:21:40
Most critical:

MS08-014: vulnerabilities in Excel that could allow remote code execution if a user opens a specially crafted Excel file.

MS08-017: vulnerabilities in Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page.

People have been burned by ActiveX so many times that this has led governments to release recommendations not to use IE.
Drastic times bring drastic measures.

ActiveX web components of Office can be exploited by drive-by.

Microsoft's wording, "must trick the user into visiting a malicious website", makes it sound more difficult than it really is.

There was a security advisory in January related to a 0-day that was expected to be patched in the previous Patch Tuesday; it was finally released today.

Outlook: capable of remote code execution via email.
Espionage payload.

M$ recommendation: set kill bits. Most people cannot be bothered to update AV; they don't even know what a kill bit is.


Wednesday, April 25, 2012

CPE: McAfee AudioParasitic: Episode 29 part 2/2: intellectual property (patents), Mac security & virtualization.


length: 00:25:40
Part 2 of the intellectual property (patents), Mac security & virtualization discussion with Dave, Jim and George Heron (chief scientist at McAfee).

OS X actually implements many best practices, such as mandatory access control, application signing, library randomization and cryptographic verification of installation packages.
These are good best practices that will mitigate attacks no matter where they come from.

Vista boasted the feature of running as a standard user; that has been in OS X for years.
Vista security is great, but not cutting edge.

Application sandboxing.

Virtualization is probably the only technology that is really disruptive in security.

It really changes the fundamental beliefs and mechanisms of how things work today.

Virtualization opens up a whole new level of applications.

It opens up possibilities for bad guys and good guys.
It's not only about economic savings; it's also going to change the malware ball game.
It allows looking at APIs from outside the OS.

5 security advantages of virtualization:
1. Offline scanning
2. Untethered monitoring (looking at the registry)
3. Backups
4. Ensuring compliance
5. ?

Hypervisor worries:
1. Security
2. Vulnerability
3. Saving the VM image.


CPE: McAfee AudioParasitic: Episode 28: M$ patch tuesday


length: 00:15:41

11 bulletins: 1 pulled, originally 12 were scheduled.
17 vulnerabilities: only 1 was public prior to release.

Most critical:
MS08-008: vulnerability in OLE Automation; allows remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation.

MS08-009: allows remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

MS08-010: IE; the most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

MS08-013: allows remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document.

The IE vulnerability was a 0-day: the exploit was known to somebody and used in targeted attacks.

DoS
Privilege escalation
Remote execution
IIS server-side: MS08-006

Worm-related vulnerabilities are relatively infrequent nowadays;
IE-related vulnerabilities are much more important.

It's been more than a year since we have seen self-replicating malware.
Nowadays malware writers try to stay under the radar.


M$ might group together security bulletins for services that require a reboot.
Lately most of the vulnerabilities are application vulnerabilities.


Tuesday, April 24, 2012

CPE: McAfee AudioParasitic: Episode 27: part 1/2 intellectual property (patents), Mac security & virtualization.

length: 00:25:40
Intellectual property (patents), Mac security & virtualization discussion with Dave, Jim and George Heron (chief scientist at McAfee).
Studying security trends.

Intellectual property is a very important component of a company.
On average McAfee files 100-200 patents per year.

Once you submit a patent and it's accepted, a lot of companies make a nice big plaque with the patent number.

Patents benefit the company, because they give competitive advantages, and also benefit the employees, as they get better recognition.

Apple's OS is probably the strongest OS in the world at this moment.
There are some inherent security benefits;
some security benefits are myths but some are real.
The bad guys target the biggest market share, the biggest bang for their buck.
The smaller share of Mac gives this advantage, but it is going to change.
But Apple has a lot of fundamentally good security infrastructure.
Mac is resilient to certain types of attack.

Data leakage is also getting more and more important.

Last year (Nov 2007) was the first time they found malware targeting the OS X platform.
It was a DNS changer, disguised as a codec; the group that wrote it was the same group that really, really knows how to write advanced Windows malware (Zlob).


Thursday, April 19, 2012

CPE: McAfee AudioParasitic: Episode 26: Verbal data loss


length: 00:22:47
Verbal data loss:
Especially in airports, you can tell from their clothes or the stuff they are wearing which companies people work for.
You can also hear the whole meeting:
people discussing sensitive issues as if they were in a board meeting: buy orders, sell orders, all sorts of confidential information, trade secrets, account numbers, reading off credit card numbers and the secret CVV number.

Of course they yell all this information because they are in a noisy public place.

People must understand and follow proper rules of engagement.

People should anonymize themselves; sometimes security by obscurity works.

People must be aware of their surroundings.

This is the difference between AudioParasitics and other podcasts: we talk about problems that don't have a solution, hehehe.


Wednesday, April 18, 2012

CPE: McAfee AudioParasitic: Episode 25: M$ Patch Tuesday

Length: 00:08:01
Most critical:
MS08-001: vulnerabilities in TCP/IP processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system, then install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-002: vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). The vulnerability could allow an attacker to run arbitrary code with elevated privileges.


CPE: McAfee AudioParasitic: Episode 24: Virtual Criminology report


length: 00:28:28
Growing popularity of custom trojans:
highly QA'd, subscription-based malware.

You can go to a website and order your own malware, and you can get support; it's "underground" and very active. It started in the Hacker Defender days with Holy Father.
Updated every 3 months and guaranteed to avoid detection.

Then you can use online testing such as VirusTotal for QA; it does not necessarily mean you have to share the sample!

Should writing, buying and selling exploits be considered illegal?
Companies that look for/buy/pay bounties for vulnerabilities can cause more harm.
Every time you put money in the equation, there will be an evil component.

When malware goes PARASITIC, it's going to be a nightmare:
more sophistication, easier to ransom, high-level coding,
more complex to clean and restore.

A lot of attacks on foreign governments have China as a reference: state-sponsored malware writing groups?


Tuesday, April 3, 2012

CPE: McAfee AudioParasitic: Episode 23: M$ Patch Tuesday


length: 00:16:01
Most critical:
MS07-069: IE vulnerability, in the wild but without public details.
MS07-064: allows code execution if a user opened a specially crafted file used for streaming media in DirectX.
MS07-068: allows remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime.


CPE: McAfee AudioParasitic: Episode 22: 2008 McAfee Avert threat forecast


length: 00:31:41
1. Web 2.0: can be fixed quickly once found; victims of their own success; more personalized attacks; radically changing its exploits over time
2. Botnets: follow Storm; Storm is constantly moving
3. IM: instant messaging malware; we're expecting an instant messaging worm
4. Online games: money to be made + less risky
5. Vista joins the party: deployment footprint
6. Adware: continuous decline, peaked in 2007
7. Phishers cast a wider net
8. Parasitic crimeware takes root: harder to remove
9. Virtualization: transforms infosec
10. VoIP attacks rise 50%

Storm: 1000 new variants/day, server-side polymorphism, uses P2P command & control.

Parasitic: it's an old-school technique, basically being parasitic in an environment. Probably now, with many younger AV companies, this is a good strategy as they don't have protection against it.


CPE: McAfee AudioParasitic: Episode 21: MS patches


length: 00:07:41

2 bulletins

MS07-061: URI handling issue.
IE 7 is vulnerable!
MS just acknowledged this issue. Initially Firefox reported it, and M$ responded that it was the application's responsibility to validate the URI; however, M$ products are also affected.
Adobe had already released a patch; there are active exploits, spam carrying malicious PDFs.

This has been pseudo-public for quite some time.

MS07-062: DNS spoofing.
Affects DNS servers only.
Not known to be public prior to this publication.


CPE: McAfee AudioParasitic: Episode 20 Virtualization part 2/2


length: 00:23:00
Special guests: Rafal Wojtczuk and Rahul Kashyap.

When you go virtual, you will have the same security problems.
When deploying a virtual environment you need to prepare security wisely.

It's naive to think that virtual = secure.

Virtualization has a lot to offer:
- offers separation
- offers a much higher level of control
It's difficult to detect rootkits; the hypervisor offers a new level: it allows freezing the system and analyzing it accurately.
This procedure cannot be tampered with by code running at the guest level.
- creates an opportunity for AV companies: having this level of control and access gives a better view of the state of the OS

Trusted computing could be a very important solution.
If there is a rootkit that is hard to detect, having a secure channel helps!

In BSD & Linux: KVM (Kernel-based Virtual Machine).

Can a VM be detected via the network?
As each VM guest gets a slice of processing time in round-robin fashion, it is possible to do packet analysis, looking at the rate at which packets are created, and guess whether it's a VM.


Saturday, March 24, 2012

CPE: McAfee AudioParasitic: Episode 19 Virtualization part 1/2


length: 00:21:03
Special guests: Rafal Wojtczuk and Rahul Kashyap.

A lot of people think about virtualization as a way to protect systems.

Virtualization is also useful to analyze malware.

The question is: is this security compartment solid enough?
Can the barrier be broken, allowing malware to spread from guest to host?

Vulnerability in the VMware NAT service: a buffer overflow while parsing the FTP protocol can execute arbitrary code on the host, not the guest!

Some malware is actually VMware-aware when running inside a VM environment.

There has been a lot of talk that virtualization will provide security.
The idea that there is no need for security when a system is virtualized is a myth!

Intel provides hardware virtualization support so the hypervisor sits below ring 0.

The separation concept is interesting.
Gartner said that in 2009 80% of virtual systems will be more vulnerable than their physical counterparts.

There is a mad rush to be first, without really caring about security.
A lot of people rely too much on features such as snapshots as a security option.
"Because it is virtual it is more secure" is a myth!


CPE: McAfee AudioParasitic: Episode 18: MS patches


length:  00:19:34

Joined by Craig Schmugar.

MS07-055: Kodak Image Viewer, remote code execution.
No public info so far.
Drive-by capability.

MS07-056: Outlook Express.
Malformed NNTP; even when using full Outlook there is a risk.

MS07-060: Word, could allow remote code execution.


A bunch of IE vulnerabilities allow crafted URLs that are more difficult for users to detect; one of them was public knowledge.


Apparently the MS Word one is publicly exploited; however, McAfee has not seen any sample yet. It is believed that this vulnerability has been used in targeted attacks.

Many M$ Word vulnerabilities are used in VERY targeted attacks.


Friday, March 23, 2012

CPE: McAfee AudioParasitic: Episode 17: Offensive side of security


length: 00:28:59
Special guest Dave Aitel from Immunity, originally from @stake and before that the NSA.

Offensive side: a security company that provides security tools for testing.

CANVAS: penetration testing framework.

"I want to write exploits for a living. We like to find exploits, we like to find vulnerabilities, and we like to get paid for it."

A group targeted software made by Immunity because the code was bad; they found a cool cross-site scripting bug.

You could attack CANVAS quite successfully; surprisingly they have not received any vulnerability reports.

Who is the new Britney Spears? It's the iPhone.
Google phone: they want to be the Windows of content.

Biggest problem: people think about deployment first, then security.

Gmail: why do we have to host our own mail server?

Web security analysis: the best way is NOT to rely on scanners BUT to look at the SQL API and check whether there is any vulnerability.
That's why the debugger becomes the agent.

One day the agent will become the analyzer: find, fix; BUT that is not feasible as the target keeps moving.
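The "look at the SQL API" idea is that every statement, however the application built it, has to pass through one choke point on its way to the database, and an agent sitting there sees the final text. The following is an added example of such an agent for Python's sqlite3 API; it is not Immunity's tooling or any code from the podcast, and the cursor subclass, the two grading heuristics and the sample users table are assumptions made for illustration.

```python
"""A debug-time "agent" on the SQL API, wrapping sqlite3 so every statement the
application hands to the database is visible, whatever code path built it.

Added example, not Immunity's tooling or any code from the podcast. The cursor
subclass, the audit heuristics and the sample users table are assumptions.
"""
import re
import sqlite3

AUDIT_LOG = []  # one dict per executed statement: sql, params, findings

# Heuristics applied to the statement text, not to the application source:
# a quoted literal means a value was spliced into the SQL instead of being bound,
# and "OR 'x'='x'" is the classic injected tautology.
INLINE_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")
TAUTOLOGY_RE = re.compile(r"(?i)\bOR\b\s*'[^']*'\s*=\s*'[^']*'")


class AuditingCursor(sqlite3.Cursor):
    """Cursor that records and grades every statement before running it."""

    def execute(self, sql, params=()):
        findings = []
        if INLINE_LITERAL_RE.search(sql):
            findings.append("inline-string-literal")
        if TAUTOLOGY_RE.search(sql):
            findings.append("or-tautology")
        AUDIT_LOG.append({"sql": sql, "params": tuple(params), "findings": findings})
        return super().execute(sql, params)


def open_db():
    """In-memory database with a constructed users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor(AuditingCursor)
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    for name in ("alice", "bob"):
        cur.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: user input concatenated into the statement."""
    cur = conn.cursor(AuditingCursor)
    cur.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]


def find_user_safe(conn, name):
    """Hardened: the value is bound as a parameter, so quotes in it are inert."""
    cur = conn.cursor(AuditingCursor)
    cur.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def flagged_statements():
    """Statements the agent graded as suspicious (what the debugger would surface)."""
    return [entry for entry in AUDIT_LOG if entry["findings"]]


if __name__ == "__main__":
    db = open_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every user leaks
    print("safe:      ", find_user_safe(db, payload))         # no such user
    for entry in flagged_statements():
        print("FLAGGED", entry["findings"], entry["sql"])
```

With the same injected input, the concatenating function returns every row and its statement is flagged, while the parameterised one returns nothing and passes clean. The agent needs no knowledge of how the application assembled the query, which is the advantage over a black-box scanner that has to guess input points; the obvious limits are that it only grades code paths that were exercised, and that a legitimate hard-coded literal will also trip the first heuristic.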

Microsoft should be in a VM!

VMs are a tool McAfee uses a lot; a lot of the time, when the malware realizes it's in a VM environment, it shuts down.

CANVAS: potentially the tool can be used to penetrate, but it's not the best tool to help the bad guys.
