Predictions for Pwn2Own

March 16, 2010

Next week, we’ll kick off our fourth Pwn2Own contest at the CanSecWest security conference. We announced the rules and targets for this year’s contest last month on our DVLabs blog and have seen a fair number of registrants so far. This year – as with all before – promises to be very exciting.

Let me say that I have very high expectations for this contest. The results should be indicative of the real-world threats being faced by enterprises right now. Further, I hope to see some cutting edge research and techniques that will showcase the changes we see in security research space.

I also need to point out that all vulnerabilities discovered as part of the contest will be responsibly disclosed to the affected vendor (same as all vulnerabilities disclosed to the Zero Day Initiative), so that they can begin preparing patches or workarounds to make their products more secure.

So without further ado, here are my predictions.

  1. More Competitors, More Pwnage. In past years’ contests, we’ve had about 4-5 competitors – and they all signed up the day of the show. To date, we’ve had six participants register for the contest and expect a few more will sign up on site. These are some of the best and brightest minds in security research and I anticipate some very interesting (and successful) hack attempts on most of the targets we’ve outlined.
  2. Not Your Average Attack Vectors. To the point above, I fully expect some impressive exploits to come out of this competition. To fuel creativity and to make this more of a competition, we are not allowing the use of third-party plug-ins to aid in exploitation – at least on the first day. Third-party plug-ins – like Adobe Flash – introduce weaknesses, such as loadable modules that do not opt into ASLR, that aid in exploitation of client-side vulnerabilities. This means that in order to defeat security controls such as Microsoft’s Data Execution Prevention (DEP) and/or Address Space Layout Randomization (ASLR), a contestant will have to write an impressive exploit. I expect to see such an exploit topple Internet Explorer 8 on Windows 7 early on in the contest.
  3. Some Mobile Devices will Fall…Quickly. While last year’s contest did not see any pwnage of the mobile devices, there have been a number of devices added to the list and with all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target. Plus, we announced the mobile targets with more lead time this year, so I don’t expect these to survive this go around. First to fall: the iPhone. Survivors: BlackBerry, Symbian, Android.
  4. Chrome’s Sandbox Model Saves the Day. While Chrome is often affected by vulnerabilities due to its inclusion of the WebKit library, I predict the browser will remain untouched throughout Pwn2Own. This is due to the difficulty in producing an impactful exploit that can break out of the security sandbox. I predict its counterpart, Safari, will fall by Day 2.

It remains to be seen if these predictions ring true. Regardless, the results of this contest should be revealing as to the current security posture of enterprise end-users. The devices, operating systems and browsers we selected for this contest represent those used most frequently in businesses today. The discoveries and threats that come out of this will unequivocally show just how much ‘at risk’ many businesses are.

We’ll be posting daily recaps of the competition on our DVLabs blog and will be providing instant updates via our Twitter feed, @thezdi.

Aaron Portnoy, Security Research Team Lead, TippingPoint


Is that a bot in your pocket – or does it just look like one?

March 10, 2010

Last week at the RSA Conference, my colleague Derek Brown and I presented findings from a research project titled MOBOTS: Pocketful of Pwnage, which was designed to show how easy it would be to create a large mobile botnet. Please note that we did not actually create a botnet; we simply presented results of two different experiments that showed how easy it would be to create one.

Despite the lack of actual drama (i.e. no botnet), the session has generated quite a bit of interest, so we wanted to take the opportunity to share the results with those that weren’t able to attend.

Background and Research

As stated, the point of this research was to show just how easily and quickly a hacker could amass a large army of mobile bots. The experiment involved two key pieces:

  • A control application: WeatherFist was a legitimate weather application that users could download to their smartphones. WeatherFist used a technique that enables the smartphone to “phone in” the users’ GPS coordinates to the application’s server so users can get accurate weather for their exact location. This application was posted – with links to a full EULA – on common app sharing sites like ModMyI (iPhone) and SlideMe (Android).
  • A test application: WeatherFistBadMonkey was a “malicious” version of the same application designed to look like – and on the surface, function like – the WeatherFist application. WeatherFistBadMonkey was created as a proof-of-concept to demo what a malicious application may do. WeatherFistBadMonkey used the same technique to “phone in” the GPS coordinates, but also performed other functions to convert the phone into a bot and submit sensitive user data to the application server. The WeatherFistBadMonkey application was not distributed publicly. It was tested solely on phones purchased for the experiment. Further, the purchased “test” phones were always, and continue to be, in our possession.

Results

The control application, WeatherFist, received a lot of promotion on app sharing sites and was further hyped through the social networking machine that drives people to those sites.

At the end of the project, 20,000 users had viewed the application and more than 8,000 actually downloaded it.

Again, it’s important to note that we did not actually create a mobile botnet. Instead we used these two experiments to show how easy it would be to 1) amass a large number of users if one wanted to create a botnet; and 2) create a legitimate-looking application that would render a mobile device a bot.

Smartphones are a critical piece of today’s network fabric and the results of this research show a gaping hole in the security of those networks. Organizations can use these results to create policy changes for appropriate use of smartphones in business settings, as well as provide better training on smartphone application usage. This further highlights the importance of controlling what devices on the enterprise network are allowed to send out, so that a smartphone cannot ‘phone home’ with information that shouldn’t leave the data center.

The overarching goal was to highlight the security risks that continue to threaten the enterprise landscape and I think the results of this research did just that.

Danny Tijerina, Security Researcher for DVLabs, TippingPoint


Addressing Cost-Effective Security in Cloud Computing Environments

February 4, 2010

Recently, I presented at a few conferences in Malaysia and Singapore on securing data center and cloud computing environments. Although cloud computing has been a very popular topic recently, TippingPoint has been securing cloud deployments for a number of years. Specifically, we have a number of customers worldwide that leverage our solutions to protect enterprise and Web applications (off the shelf and custom) from emerging threats.

There are a number of issues related to securing public/private cloud deployments. Some are obvious and some are not so obvious. The common perception is that the biggest security issue is inter-virtual machine (VM) communications. But when I talk to customers and partners, this is a much lower priority because their environments (OS’s and applications) are for the most part trusted and partitioned. Recently a bigger issue in securing the cloud has emerged: implementing a cost-effective disaster recovery architecture. The challenge is replicating a large physical infrastructure in multiple locations in a cost-effective manner. To do so requires a higher capital investment up front for resources that may or may not be leveraged or used on a regular basis.

In order to address this challenge, I believe a new approach will emerge over the next couple of years to secure both public and private clouds. The solution will be a hybrid approach to security in the data center where security policy is applied to both physical and virtualized enforcement points based on overall capacity and utilization of resources. The security policy will also follow applications as they move inside the environment or if they are shunted to a different physical location. This should largely avoid the diminished application and operating system performance that results when very high-speed content inspection relies on virtualized enforcement alone. In addition, this approach will address the budgetary issues of replicating main sites for disaster recovery.

Many challenges to public cloud security remain. These include compliance and upholding deterministic performance in the face of denial of service attacks among others. But unless customers and partners are able to cost-effectively secure a redundant virtual environment, the cost of replicating the physical security may be too high for some…

James Collinge, Senior Director of Security Product Strategy, TippingPoint


Another day, another code execution…

January 26, 2010

By now we know that the recent attacks on Google were carried out via a vulnerability in Internet Explorer. While the story brings together two of the most widely used computing tools, let’s not lose sight of what this really is. At its core, this attack is a basic remote code execution – this means there is a bug in IE that enables a hacker to run a malicious piece of code on the victim’s machine, with the privileges of the browser, simply by getting the victim to open attacker-controlled content. In this instance, the affected company was Google.

Vulnerabilities that lead to remote code execution are the most interesting from a hacker’s perspective as these vulnerabilities give the hacker control of the compromised system (typically with the privileges of the exploited application), thereby enabling them to launch a variety of attacks, including denial-of-service, spam messaging or phishing attacks. According to the Frost & Sullivan Vulnerability Tracker for 1H2009, more than 82.5 percent of reported vulnerabilities allow remote code execution.

Client-side attacks, like the Internet Explorer vulnerability, offer hackers the largest target base for enabling remote code execution. In September, we published the Top Cybersecurity Risk Report in conjunction with Qualys and SANS, which indicated client-side attacks like this are the number one risk for organizations today. This type of vulnerability leaves the door open for exploits that result in data loss or worse, thereby damaging brand reputation and leading to financial and legal issues.

The report also found that on average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.

So what to do?

Organizations should most definitely maintain system and application patches to keep these holes from being exploited. However, when immediate patching is not possible either because of delays in vendor patches being issued, or because the patches could cause service quality issues, a good intrusion prevention system (IPS) can help protect your network.

At TippingPoint, our Digital Vaccine® Labs (DVLabs) and Zero Day Initiative (ZDI) researchers uncover hundreds of these client side vulnerabilities every year. Frost & Sullivan reports that TippingPoint leads all researchers by reporting the highest number of vulnerabilities that enabled code execution. Understanding the dynamics of remote code execution is what gives our team the knowledge to create the most accurate and up-to-date filters for our IPS Platform – and our customers the confidence that their networks are safe.

Again, the real story here is not Google or Microsoft, or even Chinese hackers. The real take away from the Google/IE story is the serious risk posed by these client-side vulnerabilities and what organizations can do to protect themselves.

Rohit Dhamankar, Director of DVLabs, TippingPoint


Intrusion Prevention Systems and Next Generation Firewalls

January 6, 2010

Firewalls are continuously evolving and transitioning into more intelligent network devices. Originally, traditional firewalls could only apply access control restrictions based on source and destination IP addresses and ports. As their feature sets matured, firewalls grew to include basic application awareness for protocols that weren’t so strictly tied to ports, such as FTP control and data channels. Also, basic security inspection was added mostly for layer 2-4 attacks. Several firewall companies touted and marketed these capabilities as intrusion prevention (IPS), even though their products fell far short of what any decent dedicated IPS would provide for security inspection. Thus, IPS is still required alongside traditional firewalls to achieve security inspection and protection for applications up to layer 7.

Next generation firewalls (NGFW) take this concept further by primarily applying the access control to traffic based on knowledge of the application, its content and the structure of the traffic. These controls can also be tied to users more often than before. This provides for very granular control of the applications in one’s network and defends against applications riding over well known ports. Identifying and permitting an application is not the same as inspecting it for attacks, however: this does not provide layer 7 threat inspection comparable to an IPS, so it is not able to replace one.
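To make the three stages above concrete, here is an added example (not TippingPoint’s code or any product’s logic) that runs the same constructed flows through a port-only ACL, an FTP PASV parser of the kind a stateful firewall uses to open just the negotiated data port, a content-based application identifier that catches applications riding well-known ports, and a separate IPS-style filter that flags an exploit attempt inside a request the application-aware layer would happily allow. The addresses, payloads, signature set and policy tables are all constructed for illustration.

```python
# Added example (not TippingPoint's code): how a port-based firewall, an
# application-aware firewall and an IPS filter each judge the same flows.
# All flows, hosts, signatures and policy tables are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes        # first bytes sent by the client


# --- Generation 1: access control on destination port only -----------------
PORT_ACL = {21: "ftp", 80: "http", 443: "https"}   # hypothetical allow list


def port_based_decision(flow: Flow) -> str:
    return "allow" if flow.dport in PORT_ACL else "deny"


# --- Protocol awareness for FTP's separate data channel --------------------
# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# A stateful firewall parses it and opens a pinhole for exactly that data
# connection instead of leaving every high port open.
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def ftp_pasv_endpoint(server_reply: bytes) -> Optional[Tuple[str, int]]:
    m = PASV_RE.search(server_reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None                          # malformed reply: open no pinhole
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# --- Generation 2: NGFW-style identification of the application ------------
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),      # TLS handshake record
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "deny",
              "bittorrent": "deny", "unknown": "deny"}


def identify_application(payload: bytes) -> str:
    for name, rx in SIGNATURES:
        if rx.match(payload):
            return name
    return "unknown"


def app_aware_decision(flow: Flow) -> Tuple[str, str]:
    app = identify_application(flow.payload)
    return APP_POLICY[app], app


# --- IPS layer: is this *allowed* HTTP actually an attack? ------------------
def ips_filters_hit(app: str, payload: bytes) -> List[str]:
    hits = []
    if app == "http":
        request_line = payload.split(b"\r\n", 1)[0]
        if re.search(rb"(\.\./|\.\.%2[fF]|\.\.%5[cC])", request_line):
            hits.append("http-directory-traversal")
        if len(request_line) > 2048:
            hits.append("http-oversized-request-line")
    return hits


def evaluate(flow: Flow) -> dict:
    """Return the verdict of each layer for one flow."""
    app_verdict, app = app_aware_decision(flow)
    return {
        "port_acl": port_based_decision(flow),
        "app": app,
        "ngfw": app_verdict,
        "ips": ips_filters_hit(app, flow.payload),
    }


SAMPLE_FLOWS = [  # constructed traffic samples
    Flow("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),            # SSH hiding on 443
    Flow("10.0.0.6", "203.0.113.11", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P on 80
    Flow("10.0.0.7", "203.0.113.12", 8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.8", "203.0.113.13", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dport, evaluate(f))
    print(ftp_pasv_endpoint(b"227 Entering Passive Mode (192,168,1,10,195,80).\r\n"))
```

The first two flows are what the port-only ACL gets wrong (it allows SSH and BitTorrent because of the port they chose) and the third is what it gets wrong in the other direction (legitimate HTTP on 8080 is dropped). The application-aware layer fixes all three, but the fourth flow is the point of the post: it is genuinely HTTP on port 80, so the NGFW policy allows it, and only the IPS-style filter notices that the request line is a directory traversal attempt.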

A research note dated October 12, 2009 from Gartner titled “Defining the Next Generation Firewall” [1] indicates that “NGFWs will be most effective when working in conjunction with other layers of security controls.” We see some security companies working to advance the security coverage in their NGFW products but today, none exist that can replace your firewall and IPS while providing the same level of comprehensive security. We see the next generation firewall eventually becoming a feature of IPS, which will ultimately help organizations save administrative resources and costs through robust and integrated policy management.

Jason Lancaster, Technology Director, TippingPoint

[1] Pescatore, John and Greg Young, “Defining the Next Generation Firewall,” Gartner, Inc. (October 12, 2009), http://www.gartner.com/DisplayDocument?doc_cd=171540.


Update on TippingPoint Third Party Product Testing

December 4, 2009

In the next several days, a report will be published by a small third-party test house that evaluated various intrusion prevention solutions. TippingPoint is a firm supporter of third-party testing. We believe that the validation of our world-class security research and development teams with external resources is a critical component of our goal to deliver industry leading security products. TippingPoint has led the intrusion prevention industry for many years and will continue to do so in the future. Our more than 7,000 satisfied customers depend on us every day to keep their networks secure.

As much as we would like to endorse the report and interspersed commentary, we are unable to do so. There are more than a few discrepancies between the report findings and what our customers have experienced, what we have found in our own testing and other third-party test results. In fact, the results are significantly different from the results we found during paid private testing with this test house a few weeks ago. We made every effort to engage with this test house and understand the gap between the report findings and the various other test findings. We even asked the test house to briefly delay the report until we could work together to reconcile the differences. The test house refused to do so. It’s unfortunate this type of information has been published but we will nonetheless continue to work on behalf of our customers and engage with third-party test houses to validate and help us improve our industry leading solutions.

In the meantime, if you have any questions or comments about the report, you can e-mail me directly at akessler@tippingpoint.com or work with your local sales contact.

Sincerely,

Alan Kessler

President, TippingPoint


Microsoft Tuesday and Security Wrapup for November 2009

November 15, 2009

Microsoft Tuesday for November was lighter than previous months on average, especially compared to October 2009, which ended up with 13 bulletins and 34 vulnerabilities disclosed. Several bulletins were disclosed for both client and server side vulnerabilities. There were three critical bulletins with five vulnerabilities and another three important bulletins with 10 vulnerabilities, bringing the total to six bulletins and 15 vulnerabilities.

Our DVLabs security research team released coverage for all of the bulletins on November 11th moments after the bulletins were disclosed by Microsoft. Our own Cody Pierce is credited with disclosing a critical flaw in the License Logging service.  In addition, our Zero Day Initiative program is credited for responsibly disclosing two important vulnerabilities to Microsoft this month.

Overall, this month in the security world saw an average number of critical vulnerabilities disclosed by various vendors:

  • Oracle disclosed 38 vulnerabilities this month ranging from remote command execution vulnerabilities, denial of service issues, information disclosure vulnerabilities, SQL injection vulnerabilities, security restrictions bypass issues, and certain data manipulation errors.
  • Adobe disclosed five vulnerabilities for memory corruption errors, improper usage of invalid pointers and invalid index.
  • Sun disclosed 21 vulnerabilities in the Java Runtime Environment for arbitrary code execution issues, as well as denial-of-service and security restriction bypass flaws.
  • Mozilla disclosed 10 vulnerabilities in Firefox and SeaMonkey for flaws resulting in a security restriction bypass, sensitive information access and arbitrary code execution.
  • Opera disclosed two vulnerabilities in their popular Web browser for flaws resulting in a security restriction bypass, sensitive information access and arbitrary code execution.

Stay tuned for an update next month on Microsoft Tuesday and the state of vulnerability disclosures.


Securing the Next Generation Data Center

November 2, 2009

Last week, we announced our next generation security platform designed for data center and core network deployments. The new TippingPoint N-Platform represents our efforts to provide the most comprehensive security for our customers using intrusion prevention (IPS) as the foundation. Our development team successfully created powerful technology to extend network security beyond intrusion prevention with additional security services without impacting network performance. The N-Platform is also a key component of 3Com’s (our parent company) Secure Network Fabric, which integrates security platforms and LAN infrastructure equipment from TippingPoint and H3C, 3Com’s line of enterprise networking products.

As we discussed our approach to securing the next generation data center with press, analysts, partners and customers, there was one question that consistently came up in conversation. What is the data center? There is the traditional definition we all know that describes the data center as a large room with rows and rows of server racks. There are even organizations that have documented guidelines for typical data center deployments. Although we have many customers who have very large data centers in the traditional sense, we classify the networks of all of our customers as “data centers.”

Whether it’s a large room that takes up an entire floor of a building or a small closet down the hall, you have a data center and it’s the center of your business. All data centers have to contend with compliance with multiple government regulations; the convergence of security and networking products and managing them effectively; and the consolidation of infrastructure as cloud computing and virtualization tools become more mainstream. It is our mission to ensure our current and future customers can tackle the security demands they face today and the ones they’ll face in the future.

I invite you to visit us here on this blog often. I, along with several of my colleagues, will keep you informed on security trends we’re seeing on a daily, sometimes hourly, basis as well as what we’re doing on the front lines of network security to solve the issues organizations face every day. Stay tuned.

Elisa Lippincott, Director of Marketing Communications, TippingPoint

