Friday, 14 August 2009
DEFCON 2009
As usual, security researchers at Fortify kept up with the latest in hacking by attending the DEFCON conference in Las Vegas. In a lot of ways this year's 17th annual DEFCON felt like a confirmation of our work at Fortify: topics included advanced SQL injection attacks and other seemingly exotic vulnerabilities, for which the Security Research Group has already built support into one or more of our products. So what was exciting?
In my opinion, the inventive misuses of Firefox plug-ins and the novel Wi-Fishing technique were two of the most interesting talks. On average, users today install Firefox plug-ins as if they were recommended by Mozilla and certified to be secure. Guess what? The plug-ins that were abused had been recommended by Mozilla, but apparently not proven to be secure.
The handful of misuses all exploit design flaws in the add-ons and range from password discovery to automatically dialing numbers from Skype. For example, under normal conditions the Skype plug-in recognizes a phone number in a page and shows you a button to dial the number. But what if you could eliminate the user interaction (autodialing) and trick a victim into visiting a malicious page that automatically dials hundreds of charge-for-use phone numbers?
The Wi-Fishing technique is again a simple but clever misuse of the design. Even if you’re a thousand miles away from home, your wifi client may be continuously scanning for network names it has connected to in the past and attempting to connect to them again. The proof-of-concept tool attempts to phish wifi clients that are searching for common networks they have connected to in the past, such as “wireless” or “linksys”. Once the configuration settings of the network that the device is trying to connect to are known, a ‘clone’ of the network can be set up. Connecting to the clone makes the clone a man in the middle, which is a perfect setup to sniff passwords, redirect to malicious websites, or phish other personal information from users.
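On the defensive side, the exposure described above comes from saved profiles for open networks that the client rejoins automatically. The following added example (not from the talk or from Fortify) audits saved Wi-Fi profiles for that combination; it assumes profiles in NetworkManager keyfile format, and the profile names and contents are constructed samples.

```python
import configparser

# SSIDs the post names as commonly probed for; extend the set for your fleet.
COMMON_SSIDS = {"wireless", "linksys"}

# Constructed sample profiles in NetworkManager keyfile format (not real data).
SAMPLE_PROFILES = {
    "home": "[connection]\ntype=wifi\n[wifi]\nssid=HomeNet-5G\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "hotel": "[connection]\ntype=wifi\n[wifi]\nssid=linksys\n",
    "cafe": "[connection]\ntype=wifi\nautoconnect=false\n[wifi]\nssid=wireless\n",
    "kiosk": "[connection]\ntype=wifi\n[wifi]\nssid=Kiosk-Guest\n",
}


def audit_profile(text):
    """Return 'ok', 'review' or 'high' for one saved connection profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return "ok"
    # NetworkManager auto-connects unless the profile sets autoconnect=false.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    # Assumption: an open network has no [wifi-security] section, so nothing
    # authenticates the access point and any device using the SSID is accepted.
    is_open = not cp.has_section("wifi-security")
    if not (auto and is_open):
        return "ok"
    ssid = cp.get("wifi", "ssid", fallback="")
    return "high" if ssid.lower() in COMMON_SSIDS else "review"


def audit_all(profiles):
    """Map profile name -> rating, omitting profiles rated 'ok'."""
    ratings = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: r for name, r in ratings.items() if r != "ok"}


if __name__ == "__main__":
    for name, rating in audit_all(SAMPLE_PROFILES).items():
        print(f"{name}: {rating}")
```

Profiles rated "high" or "review" are candidates for deletion or for setting `autoconnect=false`.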
Both of these exploits come down to a question of trust. Wireless networks have always been dangerous to connect to, but as we come to depend on Internet connectivity more and more, our propensity for connecting to potentially untrusted networks is increasing. Be careful! With respect to malicious software from trusted third parties, my personal conclusion is that more and more attackers will take advantage of newly popular trusted but unverified sources of software, such as Firefox plugins and Apple App Store applications. Here at Fortify we're keeping an especially keen eye on this threat because we think software analysis may play a role in preventing some types of malicious software from making it into third-party distribution sites.
Posted by at 4:15 PM in Fortify







