The Security BSides London event is just around the corner – 29th April, 2014 at Kensington and Chelsea Town Hall, Hornton Street, London – and Tripwire is pleased to have one of our best and brightest scheduled to deliver a session examining techniques for identifying vulnerabilities in target applications.
Craig Young (@CraigTweets), a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (@TripwireVERT), will deliver a talk titled A Day In the Life (Of A Security Researcher).
Young is well known in the world of vulnerability research, as he has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, and others.
His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame.
Young recently turned his attention to the security of embedded devices, including NAS products (video demo here), IP cameras, and SOHO routers, where he has found several critical flaws affecting millions of users.
While many people assume that various systems are vulnerable, far fewer people know where to begin looking for security flaws. Young’s session, scheduled for 2:45pm, will present real-world vulnerabilities discovered and details on how they were found.
The tools and methodology outlined provide an excellent foundation for exposing security flaws by combining free software with security intuition. Vulnerabilities affecting both open source and proprietary products will be presented with commentary regarding how the discovery was made, how the issue may have been introduced, and what remediation steps resolved the issues.
The talk will range from common and generally well understood web vulnerabilities to less obvious application logic errors including a heap memory disclosure with some similarity to the OpenSSL Heartbleed vulnerability which has turned the Internet on its head.
“As we have seen in the wake of the Heartbleed bug, a single vulnerability in production code can have devastating consequences for millions,” Young said. “Releasing products with critical vulnerabilities leaves customers exposed and can inflict lasting reputation damage on a brand.”
Unfortunately many organizations do not perform iterative security testing either due to time constraints or a simple lack of skills while others rely solely on commercial vulnerability assessment products, Young noted.
“There is also a growing problem in the industry of companies building products by stitching together dozens of open source products with little consideration that these components could have security issues.”
Computer security is an uphill battle in which the attackers typically have a significant advantage over the defenders. Training developers and testers how to recognize and fix flaws during the development cycle is a fundamental step in decreasing the attacker advantage.
“The information I will present is important to just about everyone, since we are all affected by poorly designed software,” Young said. “However, it is most pertinent to those involved with the development and testing of software products.”
Young says those in the software industry will walk away from the talk with all the tools needed to dive right into security-focused quality assurance. For security researchers and pen testers, the tools examined will be extremely helpful for their next research project or professional engagement.
“As some people will always be tempted to use security knowledge to attack others, this presentation will not describe any vulnerabilities where vendors/customers have not had ample time to respond with fixes,” Young emphasized.
While few things are certain about the future of computer security, it is a safe bet that the arms race between defenders and attackers will continue indefinitely, so education and sharing of information will be crucial if the defenders are ever going to gain the upper-hand.
“Currently it seems that universities and enterprises do not generally recognize the importance of security-focused training and education,” Young pointed out. “As of now, security education almost exclusively teaches defensive behavior while the offensive techniques necessary to recognize and appreciate risks are kept out of the classroom.”
Young says that today’s developers are fairly good about avoiding the traditional overflow vulnerabilities exposed by unsafe string functions like strcpy(), strcat() and sprint(), but simply replacing these functions with strncpy(), strncat() and snprintf() does not guarantee security.
“For example, the following C code snippet might not raise any flags during code review but it in fact introduces a vulnerability. Can you spot the vulnerability below?”
l = snprintf(buf, sizeof(buf), “HTTP/1.1 200 OK\r\nLocation: %.*s\r\n\r\n”, strLocation);
n = sendto(s, buf, l, 0, (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
“We must continue to strive towards comprehensive security education for the engineers designing tomorrow’s products and services while simultaneously planning for the eventual breach. By doing this, we can raise the cost for adversaries associated with finding vulnerabilities, while also staying prepared for breaches from determined groups or individuals,” Young said.
“For individuals who have always wanted to find vulnerabilities but don’t know where to start, this presentation will build the foundations of that starting point.”
Note: Planning to attend Infosecurity Europe 2014? Be sure to drop by Tripwire’s booth (G108) to get yourself immortalized in the fashion of a true conference zombie, join us for our Happy Hour with plenty of libations to go around, get your own customized t-shirt printed on the spot, enter to win an Xbox Kinect and much much more – click here for more info.
- Chromejacking – Or How I Learned to Stop Worrying and Love Chromium Sync
- OpenX Ad Server and Remote Code Execution Vulnerability
- Distributed Nmap Port Scanning with a DNmap Megacluster
- Vulnerabilities: It’s Time to Review Your ReviewBoard
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock