Why Current Security Solutions Fail?


Page 1

© iViZ Security Inc, May 2013

Bikash Barai, Co-Founder & CEO

Why Current Security Solutions Fail?

Page 2

Introduction

• About iViZ
– Cloud based Application Penetration Testing
– Zero False Positive Guarantee
– Business Logic Testing with 100% WASC coverage
– 400+ customers. IDG Ventures Funded.
– Gartner Hype Cycle mention

• About myself
– Co-founder and CEO of iViZ
– Worked in areas of AI, Anti-spam filters, Multi stage attack simulation etc.
– Love AI, Security, Entrepreneurship, Magic / Mind Reading

Page 3

Vulnerabilities in Security Products

Page 4

Symantec Email Appliance (9.5.x)

Description | Rating
Out-of-band stored XSS, delivered by email | Critical
XSS (both reflective and stored) with session hijacking | High
Easy CSRF to add a backdoor administrator (for example) | High
SSH with backdoor user account + privilege escalation to root | High
Ability for an authenticated attacker to modify the web application | High
Arbitrary file download was possible with a crafted URL | Medium
Unauthenticated detailed version disclosure | Low

Credits: Brian Smith

Page 5

Trend Email Appliance (8.2.0.X)

Description | Rating
Out-of-band stored XSS in user portal, delivered via email | Critical
XSS (both reflective and stored) with session hijacking | High
Easy CSRF to add a backdoor administrator (for example) | High
Root shell via patch-upload feature (authenticated) | High
Blind LDAP injection in user-portal login screen | High
Directory traversal (authenticated) | Medium
Unauthenticated access to AdminUI logs | Low
Unauthenticated version disclosure | Low

Credits: Brian Smith

Page 6

Microsoft Auto-update Hijacking

• MD5 collision attack to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate.

• Used the counterfeit certificate to sign code so that malware appeared to be genuine Microsoft code and hence remained undetected.

Page 7

Preboot Authentication Attacks

• iViZ identified flaws in numerous BIOSes and in pre-boot authentication and disk encryption software
– BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS found to be vulnerable.

• Flaws resulted in disclosure of plaintext pre-boot authentication passwords.

• In some cases, an attacker could bypass pre-boot authentication.

Page 8

Vulnerabilities in Anti-Virus

• Discovered by iViZ Security

• Antivirus products process different types of files having different file formats.

• We found flaws in handling malformed compressed, packed and binary files in AVG, Sophos, Avast etc.

• Some of the file formats for which we found flaws in AV products are
– ISO, RPM, ELF, PE, UPX, LZH

Page 9

More Vulnerabilities in AV products

• Detection Bypass
– CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file

• Denial of Service (DoS)
– CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.

Page 10

Vulnerabilities in VPN products

• Remote Code Execution
– CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
– CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

Page 11

Report Findings

Page 12

About the Report/Study

• iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis.

Page 13

Key Findings

• Vulnerabilities increasing at a CAGR of 37.29% over the last 3 years.
• Anti-Virus accounts for 49% of the vulnerabilities, followed by Firewall (24%).
• Top 3 security vendors with the most vulnerabilities: McAfee, Cisco, followed by Symantec.
• Top 3 security products with the most vulnerabilities: Rising-Global’s Antivirus, Cisco’s Adaptive Security Appliance and Ikarus Virus Utilities.
• Access Control is the most prominent weakness in security products, followed by Input Validation.
• SQL Injection is the least found vulnerability among security products.

Page 14

Vulnerability Trends

[Chart: vulnerability trends, in all products vs. in security products]

Page 15

Vulnerability by Product Types in 2012

Page 16

Vulnerabilities by Vendors

Page 17

Page 18

Comparative Analysis

Page 19

5 Predictions

• We predict an increase in attacks on security products, companies or solutions
• APT and cyber-warfare make “Security Products” the next choice
• The majority of vulnerabilities discovered will not become public and shall remain in the hands of APT actors
• Security Products are “high pay-off” targets since they are present in most systems
• More vulnerabilities would be sold in the zero-day black market

Page 20

What should we do to protect ourselves?

• Test and Don’t Trust (blindly): conduct proper due diligence of the security product
• Ask for audit reports
• Patch security products like any other product
• Treat security tools in a similar manner as other tools during threat modeling
• Have proper detection and monitoring solutions and multi-layer defense

Page 21

Thank You

Email: [email protected]
Blog: http://blog.ivizsecurity.com/
Linkedin: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1

DISCLAIMER

We have used well-known vulnerability standards and databases like Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords like ‘ID’, ‘virus’, ‘firewall’, ‘IPS’, ‘scan’ etc. Hence there are chances of some data being missed and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.
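The keyword classification of CPE entries described in the disclaimer, together with the per-year growth (CAGR) and per-category shares reported under Key Findings, worked through as an added example on a constructed toy dataset. This is not the report's own code or data; the keyword 'vpn', the vendor/product names and the CVE records are assumptions made for illustration.

```python
from collections import Counter
# Keywords the deck names ('virus', 'firewall', 'IPS', 'scan'); 'vpn' is assumed. First match wins.
SECURITY_KEYWORDS = ("virus", "firewall", "ips", "vpn", "scan")

# Constructed sample, not real NVD data: (CVE id, year, affected CPE 2.2 URI).
SAMPLE_CVES = [
    ("CVE-2010-0001", 2010, "cpe:/a:acme:antivirus_pro:5.0"),
    ("CVE-2010-0002", 2010, "cpe:/a:acme:office_suite:1.2"),
    ("CVE-2011-0001", 2011, "cpe:/a:bigco:firewall_os:8.1"),
    ("CVE-2011-0002", 2011, "cpe:/a:bigco:ips_sensor:2.0"),
    ("CVE-2011-0003", 2011, "cpe:/a:acme:antivirus_pro:5.1"),
    ("CVE-2012-0001", 2012, "cpe:/a:acme:antivirus_pro:6.0"),
    ("CVE-2012-0001", 2012, "cpe:/a:acme:antivirus_pro:5.1"),  # same CVE, second CPE
    ("CVE-2012-0002", 2012, "cpe:/a:bigco:firewall_os:9.0"),
    ("CVE-2012-0003", 2012, "cpe:/a:bigco:vpn_client:3.0"),
    ("CVE-2012-0004", 2012, "cpe:/a:imaging:document_scanner:1.0"),  # 'scan' false positive
]

def security_category(cpe):
    """Matching keyword for a CPE 2.2 URI (cpe:/part:vendor:product:version), else None."""
    parts = cpe.split(":")
    if len(parts) < 4 or parts[0] != "cpe":
        raise ValueError("not a CPE 2.2 URI: %r" % (cpe,))
    name = (parts[2] + " " + parts[3]).lower()
    return next((k for k in SECURITY_KEYWORDS if k in name), None)

def security_cves_by_year(records):
    """Distinct security-product CVEs per year; a CVE listing several CPEs counts once."""
    year_of = {}
    for cve_id, year, cpe in records:
        if security_category(cpe) is not None:
            year_of[cve_id] = year
    return Counter(year_of.values())

def category_shares(records, year):
    """Share of one year's security CVEs per category, e.g. {'virus': 0.25, ...}."""
    cat_of = {}
    for cve_id, y, cpe in records:
        cat = security_category(cpe)
        if y == year and cat is not None:
            cat_of.setdefault(cve_id, cat)  # the first CPE seen decides the category
    total = len(cat_of)
    return {c: n / total for c, n in Counter(cat_of.values()).items()} if total else {}

def cagr(counts, first_year, last_year):
    """Compound annual growth rate of the per-year counts between two years."""
    span = last_year - first_year
    if span <= 0 or counts[first_year] == 0:
        raise ValueError("need a positive span and a non-zero starting count")
    return (counts[last_year] / counts[first_year]) ** (1.0 / span) - 1.0
```

The document_scanner entry shows the limitation the disclaimer admits: substring matching counts a non-security product as one, so figures derived this way are indicative rather than exact.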