Case Studies
Exploiting SOHO Routers
ISE researchers discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. These vulnerabilities allow a remote attacker to take full control of the router’s configuration settings; some allow a local attacker to bypass authentication directly and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.
Whitepapers
The Not-So-Same-Origin Policy: Bypassing Web Security through Server Misconfiguration
The same-origin policy remains one of the most important security mechanisms of the web, protecting servers against malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy are easily overlooked, so we aim to show how limitations in how the same-origin policy is applied can undermine security. We explain in depth how the same-origin policy works and how some web technologies introduce loopholes that expose applications to cross-site attacks. Such misconfigurations may exist in the cross-domain policy files used by Java, Flash, and Silverlight applications, and in the Cross-Origin Resource Sharing (CORS) headers used by web applications.
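The CORS loophole the abstract alludes to, worked through as an added example (this is not code from the ISE whitepaper): a handler that reflects whatever Origin header arrives while also allowing credentials, a handler that checks only the domain suffix, and an exact-match allowlist, each evaluated against the rule a browser applies before exposing a credentialed cross-origin response to the calling page. The API's allowed origins and the attacker origins are assumptions.

```python
"""
CORS misconfigurations that defeat the same-origin policy, beside a fix.

Added example, not from the ISE paper. ALLOWED_ORIGINS and the attacker
origins below are assumptions constructed for the demonstration.
"""
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def reflecting_cors(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration 1: echo any Origin and allow credentials.
    Every site the victim visits can now read authenticated API responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def suffix_cors(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration 2: accept any origin that ends with the company domain.
    'https://evil-example.com' ends with 'example.com' and passes."""
    if origin is None or not origin.endswith("example.com"):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlist_cors(origin: Optional[str]) -> Dict[str, str]:
    """Fix: exact match against a fixed allowlist; Vary so caches keep
    per-origin responses apart."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_can_read(cors: Dict[str, str], page_origin: str) -> bool:
    """The browser's check for a credentialed cross-origin request: the body
    is exposed to the page only if Access-Control-Allow-Origin equals the
    page's origin exactly (a literal '*' is rejected when credentials are
    sent) and Access-Control-Allow-Credentials is 'true'."""
    return (cors.get("Access-Control-Allow-Origin") == page_origin
            and cors.get("Access-Control-Allow-Credentials") == "true")


def evaluate(attacker_origin: str) -> Dict[str, bool]:
    """For each handler: can a page on attacker_origin read the API response?"""
    return {
        "reflecting": browser_can_read(reflecting_cors(attacker_origin), attacker_origin),
        "suffix": browser_can_read(suffix_cors(attacker_origin), attacker_origin),
        "allowlist": browser_can_read(allowlist_cors(attacker_origin), attacker_origin),
    }


if __name__ == "__main__":
    for attacker in ("https://evil.example", "https://evil-example.com"):
        print(attacker, evaluate(attacker))
```

The suffix check is the one that survives casual review: it looks like a domain restriction, but `endswith` accepts any registrable domain that merely ends in the same characters. A safe comparison is equality against a full origin (scheme, host and port), never a substring or suffix test on the host.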
From FAR and NEAR: Exploiting Overflows on Windows 3.x
In a way, Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization—security measures far beyond the expectations of any early-1990s enterprise. The segmented memory model that made 16-bit x86 code difficult to program also complicates building an exploit. This paper demonstrates what may be the first public writeup of a buffer overflow exploit targeting a Windows 3.x application, complete with ROP chain and shellcode.
Demystifying Full-Disk Encryption
Transparent full-disk encryption uses techniques found almost nowhere else in cryptography, such as ESSIV and XTS-AES. Why must designers resort to building a custom cryptosystem rather than relying on standard techniques with typical security guarantees? This paper explores the constraints under which a full-disk encryption system must operate, questioning the performance reasons given for avoiding more standard cryptography yet finding them to hold. I introduce the reader familiar with cryptography but not with the operation of disks to this problem, explain the high-level workings of ESSIV and XTS-AES, and review the attacks and limitations that these approaches face.
Reverse Engineering iOS Apps
Mobile applications are a part of nearly everyone’s life, and most people use several of them on a day-to-day basis. Mobile applications are widespread and have a plethora of purposes—including, but not limited to, banking and budgeting, social media, sending money, and playing games. With all of these capabilities, one must ask whether these applications are securing sensitive user information at rest as well as in transit. While Apple provides an API for developers to secure data, developers may not be using these controls in a secure manner. This paper describes common security mistakes developers make, methods to test for those mistakes, and problems encountered when testing for them. We will also explore reverse engineering techniques to analyze iPhone operating system (iOS) applications.
The Enemy You Know
Many organizations are already cognizant of the fact that security threats originate from the inside, beginning with their own trusted employees and partners. However, many organizations do not differentiate between the various types of internal adversaries, and may also be unaware that a uniform defense posture is not effective, since different defense strategies are required to thwart each type of adversary. This article will analyze the different types of internal threat actors, and discuss how each is defended against. It will consider both technological and psychological solutions, and aim to do so in a way that is immediately actionable for organizations of all types.
Our Link-Clicking CSRF Victim Robot
Over the past year, ISE has brought our SOHOpelessly Broken router hacking contest to DEF CON, DerbyCon, Toorcon, and BSides DC. ISE started the contest to shine light on the need for manufacturers to better secure small office/home office (SOHO) devices; our thought was that by demonstrating the vulnerabilities first-hand, we could help manufacturers recognize that SOHO devices are highly vulnerable to malicious compromise, thus inspiring action and change. Among the contest’s tracks is a live capture-the-flag competition, in which contestants research known vulnerabilities and use them to attack real routers running on a test network. Cross-site request forgery (CSRF) is a common attack against the web interfaces of embedded devices. CSRF occurs when an adversary tricks the victim into clicking a link that leads to an attack page while the victim is logged in to the vulnerable device. The attack page generates and sends malicious HTTP requests to the device, and the victim’s browser attaches the device’s session cookie to them, so the device is reconfigured without the victim’s knowledge or authorization. For the contest to be successful, we needed to automate the process of tricking a user into becoming a victim of a CSRF attack; the result is our link-clicking CSRF victim robot. This white paper describes the design and implementation of the resulting software.
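The CSRF mechanism described above, as an added example rather than the robot's or the paper's own code: the attack page a victim would be lured to, a device handler that accepts any request carrying a session cookie, and a hardened handler that also requires the request to originate from the device's own origin and to carry a per-session token the attack page cannot know. The router address, the `/apply.cgi` endpoint, the `dns1` and `csrf_token` parameter names, and the two sample requests are all assumptions constructed for the demonstration.

```python
"""
CSRF against an embedded device's web UI: attack page, a handler that falls
for it, and a hardened handler that does not.

Added example, not ISE's victim-robot code. DEVICE_ORIGIN, SECRET, the
/apply.cgi endpoint and the form field names are assumptions.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"                     # assumed router address
SECRET = b"per-device secret generated at first boot"    # assumed


def attack_page(target_origin: str, dns_server: str) -> str:
    """HTML the attacker hosts. The hidden form auto-submits to the router;
    the victim's browser adds the router session cookie by itself."""
    return (
        "<html><body onload=\"document.forms[0].submit()\">"
        f"<form method=\"POST\" action=\"{target_origin}/apply.cgi\">"
        f"<input type=\"hidden\" name=\"dns1\" value=\"{dns_server}\">"
        "</form></body></html>"
    )


def issue_token(session_id: str) -> str:
    """Anti-CSRF token bound to the session: HMAC-SHA256(secret, session id).
    Embedded in the device's own settings page, never readable cross-site."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_apply(request: dict) -> bool:
    """Applies the change whenever a session cookie is present. A forged
    cross-site POST carries that cookie, so it is accepted."""
    return "session" in request["cookies"]


def hardened_apply(request: dict) -> bool:
    """Requires (1) a session, (2) an Origin or Referer on the device's own
    origin, and (3) a valid per-session token in the form body."""
    session = request["cookies"].get("session")
    if session is None:
        return False
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None:
        return False    # modern browsers send Origin on cross-site POSTs; refuse if absent
    src, dev = urlsplit(source), urlsplit(DEVICE_ORIGIN)
    if (src.scheme, src.netloc) != (dev.scheme, dev.netloc):
        return False
    token = request["form"].get("csrf_token", "")
    return hmac.compare_digest(token, issue_token(session))


# Constructed requests as the device would receive them.
FORGED = {                  # generated by attack_page(), served from evil.example
    "cookies": {"session": "abc123"},
    "headers": {"Origin": "http://evil.example"},
    "form": {"dns1": "203.0.113.53"},
}
LEGITIMATE = {              # submitted from the router's own settings page
    "cookies": {"session": "abc123"},
    "headers": {"Origin": DEVICE_ORIGIN},
    "form": {"dns1": "9.9.9.9", "csrf_token": issue_token("abc123")},
}

if __name__ == "__main__":
    print(attack_page(DEVICE_ORIGIN, "203.0.113.53"))
    print("vulnerable accepts forged request:", vulnerable_apply(FORGED))
    print("hardened accepts forged request:  ", hardened_apply(FORGED))
    print("hardened accepts genuine request: ", hardened_apply(LEGITIMATE))
```

The origin check and the token are independent defences; the token alone suffices for the device, while the origin check is cheap and also rejects a forged request from an attacker who has somehow obtained a stale token. Note that the attack page needs no JavaScript beyond the auto-submit, so a victim who merely loads the page is enough.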
Scanning IPS-Protected Networks with Nessus
A Nessus vulnerability scan is one component of an overall network-level security assessment. Frequently, networks are protected by an intrusion prevention system (IPS). IPS rules may block traffic when throughput, packet counts, or connection counts cross a predefined threshold, or when packets are sent to blacklisted ports. Nessus provides neither a facility to restrict the scan rate, nor any reliable method to restrict the TCP and UDP ports to which it sends traffic. This paper describes the difficulties encountered in controlling these aspects of Nessus scans and a workaround ISE developed using virtualization, packet filters, and traffic control.
Industry-wide Misunderstandings of HTTPS
Most web browsers, historically, were cautious about caching content delivered over an HTTPS connection to disk, to a greater degree than the HTTP standard requires. In recent years, in response to the increased use of HTTPS for non-sensitive data and the proliferation of bandwidth-hungry AJAX and Web 2.0 sites, some browsers have been changed to follow the standard strictly, and now cache HTTPS content far more aggressively than before. HTTPS web servers must explicitly include a response header (Cache-Control: no-store) to block standards-compliant browsers from writing the response to disk, and not all web developers have caught up to the new browser behavior. ISE identified 21 (70% of sites tested) financial, healthcare, insurance and utility account sites that failed to forbid browsers from storing cached content on disk; as a result, after visiting these sites, unencrypted sensitive content is left behind on end-users’ machines.
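A check for the failure described above, added here as an example and not taken from the ISE paper: it parses a raw HTTP response and reports whether anything in it forbids a standards-compliant browser from storing the body on disk. The two responses are constructed; the directive semantics are those of HTTP/1.1 caching (RFC 7234), under which only `no-store` prohibits storage.

```python
"""
Does an HTTPS response let a standards-compliant browser write it to disk?

Added example, not from the ISE paper. The two responses below are
constructed to resemble an account page before and after the fix.
"""
from typing import Dict, List, Set


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Header block of a raw HTTP response -> {lowercase name: [values]}.
    Repeated headers are kept as separate entries."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """All Cache-Control directive names, lowercased, with values dropped."""
    directives: Set[str] = set()
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            name = part.strip().split("=", 1)[0].strip().lower()
            if name:
                directives.add(name)
    return directives


def may_store_on_disk(raw_response: str) -> bool:
    """True if nothing in the response forbids the browser from storing it.

    Only `no-store` does. `no-cache` allows storage but forces revalidation
    before reuse; `private` only excludes shared caches; `max-age=0` and an
    `Expires` date in the past merely make the stored copy stale; and
    `Pragma: no-cache` is a request directive that HTTP/1.1 does not define
    for responses. All of those leave the body on disk.
    """
    return "no-store" not in cache_directives(parse_headers(raw_response))


# Constructed responses from a hypothetical account page.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private, no-cache, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html>Balance: 1,234.56</html>"
)
FIXED = LEAKY.replace(
    "Cache-Control: private, no-cache, max-age=0, must-revalidate",
    "Cache-Control: no-store",
)

if __name__ == "__main__":
    for label, response in (("leaky", LEAKY), ("fixed", FIXED)):
        print(f"{label}: browser may write body to disk = {may_store_on_disk(response)}")
```

The leaky response is the one that fools reviewers: it carries five cache-related headers and still permits storage, because every one of them is about freshness or shared caches rather than about storage. When auditing, grep for `no-store` specifically, not for the presence of a Cache-Control header.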
Exploiting SOHO Routers
Small office/home office (SOHO) routers are a staple networking appliance for millions of consumers. They are often the single point of ingress and egress for a SOHO network, and they manage domain name resolution, firewall protections, dynamic addressing, wireless connectivity, and of course, routing. Their heavy use in the consumer market and their target demographic of non-computer-savvy users have, not surprisingly, led to very easy-to-use, nearly turnkey solutions. As they have developed over the past decade, more and more features have been added to these devices, placing each router one step above its previous iteration and the competition – or so one would believe. Through our research, we discovered 55 previously unpublished security vulnerabilities in SOHO devices that demonstrate how the rich service and feature sets (e.g., SMB, NetBIOS, HTTP(S), FTP, UPnP, Telnet, etc.) implemented in these routers come at a significant cost to security. Each additional service within a SOHO router exposes attack surface that a malicious adversary can leverage to compromise the router core and gain a foothold in the victim network.
Perspective Matters
To improve the security posture of digital systems, progressive organizations engage third-party security experts to assess risk and provide hardening guidance. The most suitable approach for most industries is white box vulnerability assessment. However, confusion about the different security approaches has led IT executives to commonly request the notably ineffective approach of black box penetration testing. Many executives may be surprised to discover that this approach actually undermines the very risk assessment objectives they seek to achieve. This article will analyze trends, contrast different tests and methodologies, and outline best practices; it has been presented at multiple security conferences by Ted Harrington.
The Apple Sandbox
Despite the never ending proclamations of the end of memory corruption vulnerabilities, modern software continues to fall to exploits taking advantage of these bugs. Current operating systems incorporate a battery of exploit mitigations making life significantly more complex for attackers turning these bugs into attacks. Additionally, developers are becoming increasingly aware of the security implications of previously idiomatic code. Leading software publishers are teaching defensive coding techniques and have adopted an offensive mindset for product testing. And yet, a single vulnerability can still provide the attacker the leverage needed to gain entry. Security researchers have disclosed multiple ways to render the mitigations ineffective – imagine what techniques are not public. Oftentimes, one bug can still “ruin your day”.
Reducing the Attack Surface in MMORPGs
As online games become increasingly complex and popular, malware authors could start targeting these virtual worlds to launch attacks. Two case studies show how an attacker can leverage various features of online games to take over players’ computers.
Additional Publications
- The Implicit Costs of Improper Security
- Mechanical vs. Electronic Locks
- Engineering Heap Overflow Exploits with JavaScript
- Security Evaluation of Apple's iPhone
- Content Protection for Optical Media: A Comparison of Self-Protecting Digital Content and AACS
- Security Through Legality
- Interpreter Exploitation
- Crash Analysis with BitBlaze
- Design and Implementation of Views: Isolated Perspectives of a File System
- Reducing the Attack Surface in Massively Multiplayer Online Role-Playing Games
- Injecting SMS Messages into Smart Phones for Security Analysis
- Fun and Games with Mac OS X and iPhone Payloads
- Virtual Worlds, Real Exploits
- Design and Implementation of Views: Isolated Perspectives of a File System for Regulatory Compliance
- Practical Short Signature Batch Verification
- The Design and Implementation of Audit Trails for a Versioning File System
- Verifiable Audit Trails for Versioning File System
- Security Analysis of a Cryptographically-Enabled RFID Device
- The Legitimate Vulnerability Market: The Secretive World of 0-day Exploit Sales
- Analysis of Mutation and Generation-Based Fuzzing
- Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X
- Detecting Memory Issues in Win32 Drivers
- Experiences with the FIPS
- Problems with the FIPS 140 Certification Process