Next month, Security BSides will be hosting an event in the nation’s capital, and the great lineup of speakers guarantees this will be a conference to remember.
The goal of BSidesDC is to provide a venue for local security professionals to engage with one another in an open, interactive, and community-oriented environment.
The organizers stress that the success of the conference depends a great deal on enthusiastic participation from the community, and it should be spectacular.
One of BSidesDC’s featured speakers this year is Jacob Holcomb, OSCP, CEH (@rootHak42), a Security Analyst at Independent Security Evaluators who works on projects that involve penetration testing, application security, network security, and exploit research.
In addition to his work-related projects, Python coding, and his favorite pastime of EIP hunting, Holcomb loves to hack his way through the interwebz, and he has responsibly disclosed multiple 0-day vulnerabilities in commercial products.
Holcomb has also presented at Defcon 21’s Wireless Village and Wall of Sheep, at DerbyCon, and will be making an appearance at OWASP Minnesota later this year.
His BSidesDC presentation will provide an overview of the current state of SOHO security, including an outline of steps to mitigate the risk of exploitation by way of third-party firmware or by jailbreak/rooting techniques.
Attendees will learn how to discover vulnerabilities and then exploit them using ROP techniques, custom MIPS shellcode, and web attacks such as those covered in the OWASP Top 10; the talk will also provide guidance on how to determine whether a vulnerability can lead to root access.
SOHO networking equipment is a staple component in most home and office networks, and it may also be used to supplement existing infrastructure in large enterprise networks.
“When connecting to a wireless network offered by a restaurant, airport, or store, you’re most likely connecting to and using one or more pieces of SOHO networking equipment,” Holcomb said.
The topic of SOHO vulnerabilities is important predominantly due to the application security issues that plague perimeter networking devices in millions of homes and small businesses around the world.
“Through research, press releases, and conference presentations, ISE felt we could raise awareness of the application security issues plaguing SOHO networking equipment,” Holcomb said.
“We’re hoping through continued discussions, SOHO vendors will develop a more rigorous quality assurance program, and consumers will take the necessary precautions to better secure their networks and digital assets.”
The information presented in Holcomb’s talk is relevant to anyone who owns, operates, or uses a SOHO network, and nearly everyone reading this post uses SOHO networking equipment at some point in time. Holcomb and his team were able to exploit 100% of the SOHO hardware they tested.
“Research I conducted earlier this year showed that several types of vulnerabilities discovered in SOHO equipment are also found in enterprise level networking equipment, and they allowed us to assume full root/administrative control over the affected devices,” Holcomb said.
“I’m expecting the audience to leave this presentation with a better understanding of application security, how to find and exploit various vulnerabilities in applications – specifically those running on SOHO routers – and how to mitigate the discussed vulnerabilities at the software engineering and hardware/software implementation level,” he explained.
Aside from the risk of exploitation, problems are compounded by the fact that there is no effective patch management solution for SOHO equipment like there are for desktop/laptop and server operating systems.
“Most consumers (Home users and businesses) are under the assumption that SOHO networking equipment is secure and free of vulnerabilities,” Holcomb continued.
“Vendors assume that the wireless/LAN are free of malicious threats and that attackers can only target SOHO networking equipment from the WAN, and device administrators assume that if they disable (or don’t enable) services offered by the router, they aren’t susceptible to exploitation, but that’s not so.”
The attacks Holcomb and his team developed demonstrate varying levels of criticality, from unauthenticated router takeover to authenticated takeover that requires minimal participation from users.
“Through our research, we demonstrated that an attacker can exploit the router through various services running on the router. Attacks include Buffer Overflows, Cross-Site Request Forgery, Command Injection, Directory Traversal, Authentication Bypass, Backdoors and more,” Holcomb said.
“Our attacks required us to write custom shellcode, utilize exploitation techniques such as Return Oriented Programming (ROP), leverage multiple services, and perform multistage attacks in order to receive the glorious # shell.”
Holcomb expects that as new technology is developed, hardware evolves, and our internet dependence grows, attacks against network infrastructure will continue, and he believes his and others’ research into these network vulnerabilities will pave the way for a better understanding of attack vectors, network-based malware, and other potential exploits.
“Twenty years from now, people aren’t going to necessarily care how we exploited networking equipment in today’s world, but they will care how it can be exploited in their world. Research from today contributes to innovative thinking that brings security tomorrow,” Holcomb said.
Related: BSidesLV 2013 Featured Sessions
- BSidesLV Preview: The Object Monitor for Enhanced Network Security (OMENS)
- BSidesLV Preview: Fun with WebSockets Using Socket Puppet
- BSidesLV Preview: Open Source Pentesting and Forensic Distribution
- BSidesLV Preview: Vulnerabilities in Application Whitelisting
- BSidesLV Preview: Effective Communication in IT Security
- BSidesLV Preview: Baking Assurance into Software
- BSidesLV Preview: Wireless Pen Testing and Assessments
- BSidesLV Preview: Using Machine Learning for Security Analytics
- BSidesLV Preview: No Magic Bullets
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock