BlueHat v12 included a broad spectrum of topics. In addition to Microsoft’s usual gathering of top experts on hot topics like mobile and cloud, the program also featured a sobering look at security fundamentals like passwords, pass the hash, and social engineering.
Perhaps nothing new for folks used to the BlackHat/Defcon experience, but social engineers are just plain scary! Chris Hadnagy, Chief Human Hacker at Social-Engineer, wowed the audience with his real-life pen-test tales. The clever tricks used to manipulate and abuse good-natured people are enough to lose sleep over.
- Chris did a fine job of not blaming end users; it seems humans are just wired to be trusting creatures. Social-Engineer’s pen-test engagements are always successful. In the case history he presented, 99 out of 100 employees at a company ‘drank the Kool-Aid’: in this case, logging on to sign up for a new company iPhone. After recognizing the initial phish, many employees changed their passwords. The pen tester then called the victim posing as the help desk: just run this tool (unsigned and hosted on my private FTP site) to clean up your machine. Audio playback of the one employee who stood her ground garnered applause!
- The key takeaway for me isn’t so much about awareness programs (which are necessary and valuable); rather, it is to accept, as a priority, that social engineering will succeed. Mature security programs must include detection and response capability for such intrusions.
Continuing with fundamentals was an interesting demo pitting a ‘Pen-Test Sniper’ against a ‘Forensic Analyst’. In short, a sniper uses passive techniques as much as possible. The idea is to remain hidden and gather enough information to ‘go native’ by masquerading as a legitimate user. Forensic analysis is far more difficult when a sniper uses harvested credentials. The demo highlighted two common sniper tactics.
- The first is identifying network traffic to databases. Unencrypted traffic is studied for weak authenticators and exposure to SQL injection. Only then would the sniper go active, establishing a MitM position to attack the database with intent to pwn the server.
- The second common target is spoofing network shares. A network broadcast signals when users attempt to access a share; if the spoofed response is fast enough, an attacker can readily capture the client’s hash when the authentication method is NTLMv1. Pwnage!
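A defender-side check for the share-spoofing tactic above, added here as an example and not part of the BlueHat demo: the script pulls NTLMv1 network logons from the Security log of a file server (event 4624 records the package in its LmPackageName field) and then reads the LmCompatibilityLevel policy, which decides whether a host still sends or accepts NTLMv1 responses at all. It assumes success auditing for logon events is enabled and that it runs in an elevated PowerShell session; the 1000-event window is an arbitrary choice.

```powershell
# Added example, not from the BlueHat talk: inventory NTLMv1 network logons on a file server
# and report the LM compatibility level that controls whether NTLMv1 is still sent/accepted.
# Assumptions: "Audit Logon" success auditing is on (so event 4624 exists); elevated session.

# Event 4624 carries the package in EventData: LmPackageName is 'NTLM V1', 'NTLM V2' or '-'.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1000 -ErrorAction SilentlyContinue

$ntlmv1 = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
    # LogonType 3 = network logon, which is what an SMB share access produces.
    if ($d.LogonType -ne '3') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP    = $d.IpAddress
        Workstation = $d.WorkstationName
        Package     = $d.LmPackageName
    }
}

if ($ntlmv1) {
    "{0} NTLMv1 network logon(s) found; these clients still answer NTLMv1 challenges:" -f @($ntlmv1).Count
    $ntlmv1 | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    "No NTLMv1 network logons among the last 1000 matching logon events."
}

# The policy behind this is LmCompatibilityLevel ("Network security: LAN Manager authentication
# level"). 0-2 still send LM/NTLMv1 responses; 3 and 4 send NTLMv2 only; 5 also refuses LM and
# NTLMv1 from clients. When the value is absent the OS default applies.
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$level = $lsa.LmCompatibilityLevel
if ($null -eq $level) {
    "LmCompatibilityLevel is not set; the OS default applies. Check Local Security Policy to confirm it."
} elseif ($level -lt 3) {
    "LmCompatibilityLevel = $level : this host still sends LM/NTLMv1 responses; raise it to 5 where clients allow."
} else {
    "LmCompatibilityLevel = $level : NTLMv2 responses are sent; level 5 additionally refuses NTLMv1 from clients."
}
```

Run it on the file servers whose shares are actually used; the event data tells you which workstations still negotiate NTLMv1, which is the list to fix before raising the policy domain-wide.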
The security fundamentals deep dive featured ‘Pass the Hash’ (PtH) with Mark Russinovich demoing a well-known post exploitation attack tool by Amplia Security called Windows Credential Editor (WCE).
- PtH attacks have been around for a long time and will continue to be a top threat. Microsoft formed a cross-functional task force to fully describe the issue (misconceptions are rampant), prioritize effective mitigations, and provide a focal point for ongoing activities. The recent white paper on PtH is the first work product.
- The 1st mitigation, on restricting highly privileged domain accounts, has potential impact related to the PI System. In particular, domain service accounts represent attractive targets for PtH. While most PI System services log on using built-in service accounts, some allow use of domain service accounts. It is important that such accounts are configured for least privilege.
- Similarly, the 2nd mitigation, on restricting local administrative accounts, also has impact related to the PI System. In particular, converting to PI Buffer Subsystem is recommended (the configuration for the older PI Buffer Service was to log on as administrator). While Microsoft’s advice is especially focused on accounts enabled for remote desktop access, it is important to realize that service account hashes are also exposed to PtH.
- The 3rd mitigation recommends restricting lateral movement on the network using Windows Firewall. Inbound network ports used by the PI System are well documented and pose no impediment for implementing Windows Firewall.
- Summary: Microsoft purposely advises low effort and effective mitigations for PtH risk and impact. It was refreshing to see consensus on the value of SSO as a business imperative. It seems reasonable and practical for recommendations to affect administrative roles rather than standard users.
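The 3rd mitigation in practice, as an added example that is not Microsoft’s or OSIsoft’s own configuration: on a PI Data Archive host, keep the application port reachable by PI clients and interfaces, but confine the management ports an attacker needs for lateral movement (RDP, SMB, WinRM) to a small set of administrative jump hosts. The jump-host addresses are constructed, and TCP 5450 as the PI Data Archive listener is an assumption to verify against OSIsoft’s port documentation; the NetSecurity cmdlets require Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example, not OSIsoft's or Microsoft's own configuration: restrict lateral-movement ports
# on a PI Data Archive server to named admin hosts while leaving the application port open.
# Assumptions: admin jump hosts are 10.0.10.21 and 10.0.10.22 (constructed addresses); the PI Data
# Archive listens on TCP 5450 (verify against the PI System port documentation); elevated session.

$AdminHosts = @('10.0.10.21', '10.0.10.22')
$PiPort     = 5450

# 1. Default-deny inbound on the domain profile so only explicit rules admit traffic.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Application traffic: PI clients and interfaces anywhere on the domain network may reach 5450.
New-NetFirewallRule -DisplayName "PI Data Archive (TCP $PiPort) - clients" `
    -Direction Inbound -Protocol TCP -LocalPort $PiPort -Profile Domain -Action Allow

# 3. Management traffic: RDP, SMB and WinRM only from the jump hosts. These are the services a
#    credential-theft attacker relies on to move from one machine to the next.
$MgmtPorts = @{
    'Remote Desktop (TCP 3389)'    = 3389
    'SMB / admin shares (TCP 445)' = 445
    'WinRM (TCP 5985)'             = 5985
}
foreach ($name in $MgmtPorts.Keys) {
    New-NetFirewallRule -DisplayName "Admin only - $name" `
        -Direction Inbound -Protocol TCP -LocalPort $MgmtPorts[$name] `
        -RemoteAddress $AdminHosts -Profile Domain -Action Allow
}

# 4. Disable the built-in broad allow rules for the same services so they cannot bypass step 3.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'File and Printer Sharing', 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } | Disable-NetFirewallRule

# 5. Verify: list every enabled inbound allow rule together with its remote-address scope.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
    } | Format-Table -AutoSize
```

Step 4 is the part people forget: the product-installed rule groups allow the same ports from any address, so the scoped rules in step 3 change nothing until those groups are disabled. Apply on a test host first, since step 1 also blocks any interface or buffering traffic that is not covered by an explicit rule.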
What’s that you say? Enough with the fundies, show me the other cool stuff! You bet. BlueHat v12 delivered on the cutting edge of security as well. Here are my favorites (with luck, online sessions will be available soon).
- Great idea: Gavin Thomas of Microsoft presented on using Windows Azure for fuzz testing. Microsoft requires a minimum of 500,000 iterations on a bug fix to pass SDL. MSRC is using hundreds of machines to fuzz update candidates. Using Azure has been an efficiency boon in time and resources. When you think about it – adversaries have almost infinite time and resources to find vulns, they may even use the cloud to attack. Using cloud resources for fuzzing makes sense. I will be recommending cloud based fuzzing over our current approach.
- Best scoop: Building Trustworthy Windows Store Apps. You’d expect some hype on Windows 8 at an event like BlueHat. We got the news straight from the Microsoft security designers Crispin Cowan and David Ross. Windows 8 was described as a fresh start. Developers should expect some security rework when porting Win32 applications. In addition, every app in the store requires the compiler defenses. The scrutiny you should expect depends on the capabilities enabled for an app. It’s better to just not use capabilities; be especially careful when enabling the ‘File’ and ‘Network’ capabilities. David Ross posted this best-practice article: http://blogs.msdn.com/b/windowsappdev/archive/2012/12/18/security-best-practices-for-building-windows-store-apps.aspx
- The new new thing: Chris Hoff, Senior Director and Security Architect at Juniper Networks, on the disruptive technology called SDN – Software Defined Networking. Although this talk was a bit like drinking from a firehose, Hoff warned that for SDN we need to learn from the virtualization and cloud initiatives that came before it. Those innovations offered undeniable benefits but also some security failures. Something as simple as ‘how does a guest VM know that host resources are exhausted?’ was overlooked in the rush to virtualize. Hoff cited his previous BlueHat talk ‘Cloudifornication’ for similar cloud-based concerns. It’s likely SDN is something that will touch all of our worlds. His presentation might not be the best introduction, but it did put SDN on my security radar.
- Most sobering: HTML5 to the rescue for XSS? Hardly. Mario Heiderich, security lead at html5sec.org, answered the question of how vulnerable ‘No Script’ webapps really are. Although safer without JavaScript, XSS bugs still prove to be quite fatal. For his demo, Mario used regex support in CSS3 to crack a ‘strong’ password in the DOM. I was surprised to see how fast this happened – a user would never notice. Then, to exfiltrate the sensitive data, he made use of standard SVG methods. Yes, I am totally freaked out by this. Anyway, in a nutshell: HTML5 is coming. HTML5 adds support for powerful features. It doesn’t matter if you use them or not; the hackers can and will. Aside from a good SDL to avoid introducing XSS, Mario’s call to action cited the need for more participation in the HTML5 spec. In the meantime, you might want to buy stock in web application firewalls: although imperfect, WAFs can restrict use of HTML features that are not needed in a given web application.