kevin stadmeyer garrett held - black hat
TRANSCRIPT
![Page 1: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/1.jpg)
Kevin Stadmeyer Garrett Held
![Page 2: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/2.jpg)
Worst of the Best of the Best
![Page 3: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/3.jpg)
Agenda
• Motives • Goals • Awards Overview • Example of Serious Flaws in the System • Lies, Damned Lies, and Awards • What Awards Really Mean • Better Ways
![Page 4: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/4.jpg)
Motives and Goals
![Page 5: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/5.jpg)
Motives
• Yes, it’s obvious this is about marketing
• Any product will probably contain vulnerabilities
• Awarding dangerous security practices is much worse
• Public records give an incomplete picture
![Page 6: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/6.jpg)
Goals
• Highlight a product that’s an example of this problem, and why vulnerability statistics do not accurately reflect product security
• Attempt to use publicly available statistics that come up with a model that does work
![Page 7: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/7.jpg)
Awards Overview
Name Nomination Choosing A Winner
Info Security Products Guide Pay for Nomination No official public criteria.
SC Magazine Unknown Popular vote
Techworld.com Unknown Unknown
Information Security Magazine Editor Chosen Popular vote
![Page 8: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/8.jpg)
Product X and Vendor Y Why public statistics aren’t a complete picture
![Page 9: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/9.jpg)
Product X
It’s a Secret shhh! Hi Lawyers! • Provides a web service/interface on a network appliance
![Page 10: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/10.jpg)
Product X: Findings
• A manual application security review was performed on the device without access to the source code
• The following vulnerabilities were found: – Eight high-risk issues – Six medium-risk issues – Nine low-risk issues
![Page 11: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/11.jpg)
Product X: Serious Findings
This is a subset of the High and Medium risk issues found: • Systemic Cross-Site Scripting
– Almost any variable was vulnerable, including variables stored by the application (Persistent Cross-Site Scripting)
• Privilege Escalation – Browser-supplied user ID while in a valid session could be changed,
using an easily predictable method, for privilege escalation.
• Custom Web Server – Re-inventing the wheel and introducing bugs such as arbitrary system
file access, including the password file.
![Page 12: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/12.jpg)
Product X: Serious Findings (Cont.)
• Session Hijacking – Poor implementation resulted in users able to steal sessions of users
logging in around the same time of day.
• Custom, Weak Session ID Algorithm – Without getting into details that would give it away:
![Page 13: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/13.jpg)
Product X: Reaction
So What?
![Page 14: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/14.jpg)
Vendor Y
• Major software vendor • Two independently discovered vulnerabilities, medium or
higher • One occurs on their own servers (still)
Vendor Response: *Crickets*
![Page 15: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/15.jpg)
Lies, Statistics, and Awards
![Page 16: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/16.jpg)
What Awards Really Mean
Problems with gathering statistics • FUD • Sources • Lack of History
![Page 17: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/17.jpg)
Sample Statistics
Methodology • Three Categories • Two Awards • Competitors • Variety of Sources
![Page 18: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/18.jpg)
Awards: Anti-Malware
Award Product Highs Mediums Lows
SC Magazine Symantec End-Point Protection 4 0 0
Info Security Products Guide CoreTrace - Bouncer 4.0 0 0 0
Nod32 Anti-Virus 2 1 2
Proventia Network Scanner 0 0 0
Radware Defense Pro 0 0 0
Vipre 0 0 0
Websense 1 2 1
![Page 19: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/19.jpg)
Awards: Endpoint Security
Award Product Highs Mediums Lows
SC Magazine McAffee Security Center 2 0 1
Info Security Products Guide Parity v4.0.1 0 0 0
Checkpoint for Endpoint Security 0 2 2
Cisco NAC 1 1
F5 Firepass Remote Access Solutions 5 2 18
Symantec Endpoint Protection 0 0 0
![Page 20: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/20.jpg)
Awards: IPSec/SSL VPN
Award Product Highs Mediums Lows
SC Magazine Cisco ASA 5500 3 0 4
Info Security Products Guide NCP Secure Enterprise Solution 0 0 2
Checkpoint Connectra 0 0 2
Citrix Access Gateway 1 1 0
F5 Firepass Remote Access Solutions 5 2 17
Stonesoft Stonegate VPN 0 0 0
![Page 21: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/21.jpg)
What Awards Really Mean
![Page 22: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/22.jpg)
What Awards Really Mean
Awards Are Marketing • Unclear • Too Many • Press Releases • Pointless
![Page 23: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/23.jpg)
Better Ways
![Page 24: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/24.jpg)
Better Ways
Credible Award Requirements • Open Process • Established Products • Audit Product Patch Process • Relevant Criteria
![Page 25: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/25.jpg)
Better Ways
Alternative Evaluation Criteria • References • History of Security • Talk to Developers
![Page 26: Kevin Stadmeyer Garrett Held - Black Hat](https://reader033.vdocuments.us/reader033/viewer/2022060902/629894fed6bc4e762d4de946/html5/thumbnails/26.jpg)
Questions?