201x: The Year of the Security Industry Breach

Discussion in 'other security issues & news' started by Hungry Man, Jan 11, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://blog.whitehatsec.com/year_of_the_security_industry_breach/

     
  2. Andz

    Andz Registered Member

    Joined:
    Jan 9, 2013
    Posts:
    75
    I thought I was so smart for simply dropping all packets outside of HTTP, HTTPS, and DNS.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The problem I see with attacks against AVs is the number of AVs in use. When it comes to operating systems, browsers (rendering engines, really), and browser plugins, there's only a few choices. When it comes to security software, though, there's a good deal of different ones in use, and there's still a good proportion of people that don't have functional software running. So instead of using one or two exploits, they'd have to come up with dozens to get the infection rates that they want.

    But hey, bashing AV companies seems to be the trendy thing to do (when it comes to articles), so who am I to disagree? :p
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's very true Notok. That was the reason I cited in my own post about AV infections.

    But that's security through obscurity, and with AVs so ripe for exploitation with their inherently dangerous job I don't think it's outrageous to think they'll be attack vectors, if only for attacks on companies etc.

    I'd guess Java is installed on about 1 in 10 computers, but it's still one of the most targeted programs. Many AVs hold near that number of market share.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm surprised that AVs haven't been targeted more than they are. In order to do their job, AVs need full access to the OS and everything on it. Exploit the AV and you basically have full root access. I seem to remember reading something on this a year or 2 ago, some POCs that used the AVs own unpacking engines to execute the code.

    Another very real possibility is exploiting the servers that support and update the AVs. I could only imagine the results if an attacker compromised their update servers and pushed out a hacked update for the AV itself, not just its definitions. If someone really took the time to plan out such an attack, it would be very hard to undo the damage. I can easily imagine nations using such a tactic to deploy offensive cyber weapons on an adversary's soil.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    ANY software is a potential vector, including ANY security software, because all software has bugs; there's no point in singling out AV software. Any software that runs a driver has the potential for the same kind of privilege escalation, although Windows 8 has some nice additional protections in that area.

    You're misappropriating the concept*. Security software (not just AVs) have been and will be exploited (and they are constantly attacked by malware to subvert and prevent detection, which is why they have so much self-protection), but what I am responding to is the article stating that it will be the next big thing; it won't, because their objective is to infect as many systems as possible, as quickly as possible. Security software vendors are also continually working to add security to their products, and will have the development and deployment resources to fix high-risk vulnerabilities quicker than most software vendors.

    Security software exploits are more likely to be used in targeted attacks. The truth is that if an attacker decides to target you, then you're probably screwed. If the attackers are any good then they'll probably have a bag full of vulnerabilities that are unknown to most anyone else.

    We've been seeing vulnerability patches for display drivers. Since there are relatively few display adapter manufacturers, this would be a more likely vector.

    * Security by obscurity has more to do with relying on public ignorance or obfuscation as part of the security strategy. An example is using a proprietary encryption algorithm that is kept secret as a means of making it more difficult for someone to crack. Simply having a number of competitors is not security by obscurity.
     
  7. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I remember discussing this matter with Hungry Man and defending pretty much the same POV of Notok. So, I agree with you Notok, nothing to add, your reasoning is perfect as far as I can see and comprehend.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    All software can be exploited, that's true. What changes is:

    1) The quality of the code
    2) The ability of an attacker to interact with that code

    Antivirus is weak in terms of (2). They inherently deal with malicious code. Beyond that, they deal with code in dangerous ways. They often execute the code, parse code, parse PDF, parse XML, extract code in virtual machines, etc. All really dangerous actions.

    Self protection is different. An attacker creating a payload that shuts down the AV is far different from an attacker who exploits the AV, and uses it as the primary (or secondary) attack vector.

    They're not really adding security to their products. They'll add self protection, they'll stop an attacker from killing their service. And that's fine. But many are still behind in terms of ASLR and all of them follow a somewhat archaic security model. Combining that with the dangerous actions they perform I think they're prime for attack.

    I think they're perfect for targeted attacks against enterprise as you can guarantee every endpoint uses one.

    But if an AV holds even 10% of the market share that's more than enough for an attacker to find it valuable.

    Google estimated 10% of its users run Java. Assuming that holds true for all browsers we see a program with 10% of market being abused weekly.

    The difference is that AVs would give Admin access after being exploited, making them an even more valuable target.

    Right now that isn't the case because there are so many AVs and it's somewhat untested waters.

    Security through market share? Who cares?


    For reference:
    http://www.opswat.com/sites/default/files/OPSWAT-market-share-report-march-2012.pdf

    Many hold a significant market share. Between 10-16%. That's enough for attackers to make a big profit.

    With Firefox now having Java set to click to play, and blocking old versions, attackers will be looking for new targets over time. Java's still a great one, but it usually just takes one campaign to prove that another target is worthwhile.

    Maybe that'll be video drivers. Maybe AV. Maybe torrent software, maybe IM software.

    I think it's just worth showing that AV is a serious concern.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    What we have are various compromises, at various leves. IMO, all reputable AV companies will surely add these protections faster and better once the market demands - security, remember, is their business and they have the resources. Right now, the market isn't really demanding it - attacks exploiting AVs and using them as attack vectors are still only "theoretical".
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think it's a sad state where our security programs are so behind implementing decade old techniques.

    Sophail proves demonstrably that these attacks are more than theory. And you can read about how it's been months and months and many of these vulnerabilities are still there, many of these issues persist.

    Sophos is a particularly awful example in terms of it making 0 use of any mitigation techniques just about, but there are other AVs guilty of similar issues.

    Even if an AV did make use of all these techniques it is inherently dealing with attacker controlled data, and all of them run as admin.

    If AVs, which are supposed to be protecting us, have to be hacked in the wild for them to actually implement basic security features... I think that says plenty.
     
  11. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    AVs are designed to protect from actual threats. Reputable AV companies are, at the moment, busy "perfecting" their protection from actual threats - they are getting better at that - so they can offer better solutions for customers to attract more of them.

    You are worrying too much about theoretical (or merely "demonstrated") threats that will be addressed when they become relevant and really need to be addressed.

    AVs are commercial products answering to market demands. Leave politics and idealisms aside, dude.

    .
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    They're dangerous in the native environments, but the heuristics sandboxes are a different beast, and are specially fortified; they're not your typical VM.

    Yes, there have been attacks in the past that broke out of those sandboxes, but the thing is that security vendors have full-time security architects, security researchers, malware analysts, and so on. All in all, they're ahead of other software when it comes to security.


    What model do they use then?

    My point about self-protection is that they're constantly looking to make sure that their software isn't subverted or attacked in any way. Believe it or not, most of these folks know a thing or two about security.

    The key word there is "targeted," which is a different scenario. Like I say, an attacker is going to have a lot of tools at their disposal for targeted attacks. Security software exploits will be among them, but they're going to have a lot more, too. Kevin Mitnick showed that there are much easier and better ways to attack a specific target. And when it comes to targeted hacks on business networks, the goal is mainly just to get inside the network; what the malware does for them is just to make it easier to get back on the network again later so that they don't have to go through all the same steps, but once they're on the network they don't need to rely on sophisticated AV exploits to gain access or install whatever they want to.

    Like I say, if someone is targeting you then you're pretty much screwed. So on the whole, AV software is going to provide a lot more benefit than liability, and probably always will.

    If you create an exploit kit that contains exploits for Java, Flash, IE, FF, and Chrome, then you cover a great majority of users with a relative handful of exploits. If you go after AVs then you need a lot more, and they will be harder to find (especially in the needed quantities). In order for it to be worth the attackers' time, it would need to be easier for them to find mass-exploitable vulnerabilities in all of the current versions of the most popular AVs.

    There's also a larger number of vulnerable versions of Java, Flash, etc., in use. There are plenty of people running old versions of AVs, but it's not as common; the updaters tend to be more reliable these days, and there's more notification when it fails.



    Not always; it depends on what's exploited and how. Not all AV vulnerabilities are privilege escalation vulnerabilities. Any driver has the potential for privilege escalation exploits, but the thing about hypotheticals is that the risk isn't as uniform in the real world. It's easy to talk about hypothetical possibilities separately from risk, but in practice there are many factors that lower the risk.

    It is hypothetically possible that we will have a production-ready cure for cancer tomorrow, but realistically there are a lot of factors that make it unlikely, even though various cancer cures will probably be found at some point in the future.


    No they're not; it's been done; mostly early on when companies like Norton and McAfee had a larger market share.

    You could apply that reasoning to ANY software that doesn't have a monopoly, but that's not what the term refers to.

    AVs do not rely on hiding in the crowd. You make it sound like AV companies are full of hacks that don't take malware research and detection seriously; like they're the same as any other developer that doesn't really care about the software they make. On the whole they're quite different, in reality. Do some beta testing and get to know some of the dev teams, and the difference will be apparent.


    Out of those types of software, which do you think will be the easiest to find exploits for? It's going to be harder to find mass-exploitable vulnerabilities, on a scale large enough to be worthwhile, in security software.

    Security is about risk management and mitigation; making things harder for the bad guys, to the point that it's not worth the effort, but it can never be made impossible. Security software vendors are going to put higher priority on hardening their apps (in every way possible), and have the in-house resources to get them fixed faster; the Sophos bugs may not have been fixed in the time frame that the researcher wanted, but it was still faster than most software with comparable marketshare. Being a part of the security community also means that the apps are under a lot more constant scrutiny than other software. All of these things reduce the risk.

    Personally I don't see this article as being any different than all of the articles declaring antivirus software to be dead. It has misguided focus and doesn't account for all factors. The fact that it implies that AV software hasn't already been targeted in the past shows that the author didn't do his homework. It is pure conjecture that's light on facts and sources. You could replace "AV" in this article with anything, and the article would remain intact.

    Bottom line: is it possible that they could attack antivirus software? Absolutely, and I'm certain that they will on a small scale, as I'm sure they already do. It's the risk that matters, and the risk for AV software is lower than most software, for multiple reasons. Regardless, AV software will probably always mitigate more risk than it presents.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Incorrect; those were fixed in November. The longest lasting ones took less than 2 months to deploy fixes, which is better than most other types of software.

    And while the vulnerabilities were real, the attacks were entirely theoretical.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Agreed.

    They also don't have to be exploited in the wild before being fixed; Sophos showed that, among others.

    How quickly they fix them will be based on priorities including risk assessment. Some vulnerabilities won't even be realistically viable in any serious way, but security software vendors are still going to be more responsive than other software vendors.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @WildHunter,

    Practice tends to follow theory, and I'm not the only one stating it. Jeremiah and others have been saying it for some time, though the sophail report really did light a bit of fire under the idea.

    @Notok,

    Heuristic sandboxes are merely one attack vector. The large AVs have many.

    No, they aren't ahead of security. Sophail is a great example of a popular AV used across many systems that is horribly out of date. I did a very brief analysis of other antivirus products and found many lacking in terms of ASLR, including areas that were injected into the browser.

    Why attack Chrome's sandbox when you can just attack the AV? There's a proof of concept for this already.

    Single process running as administrator, or a few processes running as administrator.

    None of them have evolved past this. It isn't hard to imagine how they could.

    They're ideal for targeted attacks because it's one piece of software that's across a network and an exploit will bypass pretty much any security the administrator has implemented (instantly gain admin, bypass all sandboxing).

    You call the exploits sophisticated, but they're not any more sophisticated than one against Firefox, less so in many cases as Firefox uses ASLR well, and certainly less sophisticated than an attack against Chrome/IE9+. And the payoff is very large. An exploit against Firefox leads to medium integrity, confinement. An exploit in a security program means the system is owned by the attacker.

    A few things that I've stated already, just to reiterate for the sake of order/clarity:

    1) All of those programs run at medium integrity or lower.
    2) Outside of Java, all of those have pretty great patching records, and FF/Chrome have bounty programs and amazing response time
    3) Flash, IE, and Chrome, all have sandboxes. They are rarely exploited in the wild anymore.
    4) Java's market share is comparable to the top 5 AVs market shares - 10%.

    As Jeremiah points out it's a combination of plugins market share shrinking and other products becoming harder to hack. AVs aren't ahead in temrs of security, and they're very valuable targets.

    I disagree, I think that if every user used, for example, Sophos, we'd see many attacks on it in the wild.

    That really depends. I think in terms of GPU attacks it's more likely for local exploitation. AVs are far more useful for remote. A large AV that injects itself into many processes is providing huge attack surface for the system. Beyond that, the payoff is much larger. If I exploit utorrent I'm at medium integrity, if I exploit Sophos I'm at high integrity.

    That scrutiny has recently shown exactly the opposite of what you're saying. Slow patch time (months), basically opting out of security techniques, etc.

    If we're trying to make things harder for the bad guys maybe we shouldn't be running high integrity processes that inject themselves into our programs when they ignore basic security techniques.

    No, you couldn't. Most software isn't like AV. My utorrent program isn't injecting itself into Chrome, disabling ASLR, and allowing for a full sandbox bypass to instant administrative access.

    What you're missing is how valuable an attack against an AV is. The only thing that has saved them from considerably higher exploitation rates is that there are so many.

    It still doesn't use ASLR. It still disables ASLR in many processes through its faulty implementation of security techniques.

    When has this been the case? If anything their responses have been worse, as they're incredibly worried about the effect a vulnerability has on its reputation. Sophos blogged about the vulnerabilities stating that they weren't serious becuase they weren't in the wild, not giving nearly the amount of credit due for them. Those were very serious vulnerabilities, and the researcher concluded that it wasn't fit to secure systems holding any type of confidential information.

    This is not the only case of a security company responding poorly to research/ vulnerabilities shown.
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nobody is denying that AVs have vulnerabilities that could be exploited, but they do put a lot of emphasis on security; AV apps are constantly being scrutinized by both the good guys and the bad guys, so they have to stay on their toes. They are ahead of others because of the constant research and implementation of security in any and every way that they can.

    Now the article is saying that AVs will be the next big target for mass infection; that's not going to happen because coming up with enough exploits to get the infection rates that they want will be more difficult than finding exploits in software that isn't made by security people -- there aren't as many vulnerabilities in security software as there are for other apps that greater numbers of people use.

    As for whether there will ever be attacks, there have been all along. There used to even be malware that exploits AV software as a means of infecting the system (see the link in my previous post), but that's old hat; the AVs have been hardened and there's over 40 AVs that they'd have to find vulnerabilities that they could exploit on a large scale.

    In the context of the article, the issue of targeted attacks is a straw man. When it comes to targeted attacks there's also no point in singling out any particular type of software; it was once estimated that over 93% of all vulnerabilities are never disclosed. But even in a targeted attack, the AV is going to mitigate more risk than it presents. The AV itself is not going to be their juciest target for exploitation; they'll have any number of exploits at their disposal, and that kind of code execution is something they're most likely to do after they're already in, just to make it easier to come and go later on.

    So you looked at a few in EMET and surmised that they're insecure?

    ASLR is not the be-all and end-all of security. Secure programming is through and through, beginning to end. Despite that there will still be vulnerabilities. The entire security community scrutinizes security software and works with the vendors, and they are all in continual collaborative communication about security threats.


    Why cut a cable lock when you can just cut a kryptonite lock?

    Just what do you propose?

    Without it they're limited to detecting malware that runs in user-mode. That's why the online mini-scanners have greatly reduced detection rates.

    1) Yet they still manage to get rootkits installed. :)
    2) AV vendors are surrounded by the security community with continual collaborative communication
    3) Adobe products are still hot targets, including Flash
    4) Everything I'm finding puts Java at closer to 70%. Look up 'RIA stats' for stats on rich media plugins in general.

    The number of vulnerabilities for AV software is quite a bit smaller than other software

    Back when everyone was using Norton there was some malware that exploited it, but even then there were easier targets.

    56 days for 8 vulnerabilities that were not high risk is not bad. Most of the fixes were released well before the 56 days. If the risks were higher then they would have patched sooner, but they always act according to the balance of resources, risk, and so on. Some of that also had to do with back and forth talks with the researcher.

    It's also apparent from your verbiage that you buy every bit of the researcher's rhetoric around the facts. I'm sure that much of it was deserved, but it always makes me question motives; particularly when we don't get to hear the other side of it.

    However, even if Sophos had been the world's worst failure ever, they still wouldn't (and don't) represent the entire industry. It might be worth reading up on security software vulnerabilities and comparing with browsers, plugins, and so on.

    I was referring to the way that the article was written; it's an opinion piece that's high on conjecture and low on facts.

    Your only data seems to be the Sophos reports, and Sophos took responsible action and got the last patches out quickly in relation to the risk and public disclosure.

    I saw it happen pretty continuously, from detection bypass, to protection subversion, to new threat types, to vulnerabilities, and so on.

    And if/when malware is released that uses AVs to infect the system, who do you think will be the first to find it?
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Here's a corollary from about ten years ago, when firewalls were the main focus of security.

    On one hand you had people like Gibson making announcements about problems like leak tests and stealth mode. These were issues, but in the scheme of things relatively minor. However, Gibson's main fault was that all he really did was to complain loudly.

    Meanwhile, there are sophisticated discussions about the bigger issues (and bigger picture) in a way that is objective and productive, like this: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.12.5543
    Ten years on and vulnerabilities certainly continue to exist, but it's overall more difficult than it's worth for non-targeted attacks (at the least) and firewalls remain an important part of any security strategy. Compare this paper with the article in the OP, and the message should be clear (I hope). This is just no different than the other alarmist opinion articles that exist mainly to draw attention to the author and/or the author's agenda.

    Vulnerabilities are always a problem, and there will always be a number of unknown exploits (for all kinds of software) that the bad guys have and use in targeted attacks, but it doesn't make the technology any less relevant and doesn't present a great deal of risk -- certainly not even close to the level of risk that it mitigates.

    The article is about the idea that AVs will be the next major attack vector, but if you look at the number and type of antivirus exploits (compare the number of vulnerabilities for each individual AV to the number of exploits for browsers, Java, and Flash) then it's easy to see that the bad guys have a much harder time of it. With the software being harder to crack, the diversity of engines, and vendors having the ability to quickly find and deploy fixes for exploits, AV software makes a less-than-ideal target for malware.

    AV scanning will remain an important part of any security strategy for the foreseeable future -- until someone invents something insanely innovative that is capable of replacing it.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Based on what? The last scrutiny I saw an AV subjected to was the Sophail report. If they were constantly ahead of others they:

    1) wouldn't all be using single process admin architectures
    2) Would use decade old mitigation techniques like ASLR, which have been supported by Windows for 6 years

    I've seen no reason to believe that. I can understand stating that Java is still an easier target, but what else? Doubtful that Firefox is, there hasn't been RCE in Firefox in the wild for quite some time. Mozilla has been using ASLR well for a while, and they patch, and have a bounty program.

    Chrome? IE9/10? Nope, they're not harder to hack than those two, that's for sure.

    Flash? Sandboxed on every major browser.

    So what are we left with as an attacker. We need a program that we can get remote code execution in - something that a website can exploit. The big player right now is Java. It won't always be. So what else? Well, antivirus. Many of them inject components into the browser, parse information directly from the browser, scan emails, urls, etc.

    You can entirely bypass Chrome's sandbox, as an attacker, if you exploit an AV's email scanning. And you'll instantly get Admin access.

    I used slopfinder and looked at individual components of common AVs.

    ASLR isn't a silver bullet. It's quite powerful, and necessary in this day and age though. And a lack of support of ASLR is a serious indication that the program is not taking security seriously enough.

    Again, if the entire security community is scrutinizing AVs, where are the reports? Because I actually follow quite a number of people who are "big names" (Jeremiah, for example, is not some random blogger) and their "scrutiny" tends to be negative.

    For a process parsing XML to see if it's malicious run it as untrusted and use a broker process to hook functions. There are a million different areas of an AV that could be done this way. Same goes for an AVs extraction VM.

    1) Do they? Outside of Java? Because there hasn't been a single Flash RCE on the latest sandboxed versions. There hasn't been a single one against Chrome. The number of attacks against IE9/10 can be counted on one hand for the last 3 years.

    2) No, they really aren't. The security community doesn't like them, and they're rarely scrutinized in depth.

    3) Not really. Again, one Reader exploit since the sandbox has been created. 0 for Flash.

    4) That's interesting, and somewhat surprising given what Google stated. That's completely fine though. Java is a viable target, and profitable, but two incredibly popular browsers (Firefox and Chrome) now have it disabled by default. There will be a day when Java stops being as viable a target.

    Number of vulnerabilities means nothing. We base that number on reports, public findings, etc. By that logic Chrome is the least secure because it has so many reported vulnerabilities, when in reality Chrome is open source and has a bounty program, so naturally it has so many.

    Back then Flash didn't have a sandbox, browsers were still insecure, Java was even worse, etc.

    Response:
    Tavis Ormandy isn't some random researcher. He's provided some seriously incredibly research to the community. His work on exploiting the Linux kernel, and his paper on it, is one of my favorites.

    I take everything in this paper very seriously.

    Why? Vulnerability statistics are virtually useless when determining the security of a software, except in extreme cases.

    Response:
    One guy's research took months to fix.

    Like I said, I did a very simple check using slopfinder on many antivirus programs. Multiple programs injected non-ASLR files into the browser. A lack of ASLR is an indication of poor security, and it outright degrades the security of a program that has otherwise 'perfect' use of ASLR.

    I'm not saying that detection is irrelevant, or not worthwhile. I'm saying that antivirus programs add significant attack surface, more than just about any other program on the system. Attackers will take note of that. And when Java stops being the easiest target they'll be looking for something else to attack.
     
Loading...
Thread Status:
Not open for further replies.