Today, attacks have clearly moved to the Web, and enterprises must now deal with threats ranging from buffer overflows to cross-site scripting. Security researchers at Information Security Decisions 2008 explain why the shift to Web attacks is happening and what that means for the average enterprise (and its firewalls and intrusion detection systems).
Panelists include Alexander Sotirov from VMware, Dave Aitel of Immunity Security Inc, Billy Hoffman of HP and Matasano Security's Tom Ptacek.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Defending against Internet security threats and attacks
Presenter: Okay. Let's talk about the web security stuff for a
while, a little bit here. Five years ago if we were having this
panel we would have been talking strictly about application attacks,
network attacks, that kind of stuff, now everything, all the attacks
and stuff that you do Billy. Why is that shift happening and what
does it mean for the average enterprise that has to defend against
this stuff and has a million firewalls and IDSs and that doesn't seem
to work very well any more?
Billy Hoffman: I mean, the economic benefits for corporations
moving systems to be web-based, there are just, you're not
going to put that genie back in the bottle. Way back in the day I
worked at an insurance firm, a huge one, and I remember the
day that Oracle 7 came out and I had to walk around with a CD
and install and set up all these clients for people to connect and
talk to it, and this was in the call center where they were entering
insurance claims for car accidents. It took me and two other interns,
like, two weeks to go through this entire building and do it. They weren't
ghosting. God, I wish I would have known about ghosts back then.
So, it makes a lot of sense. I worked for a company that got acquired
by HP and so, you know, when I used to do travel expenses I filled
out an Excel spreadsheet and walked it down to Abby who was our
HR/VP of Finance. Now there's like, a web-based system because
that doesn't scale to companies that are 100,000 people.
So I think people are just, it's the costs of being able to exchange
data, to publish applications, to upgrade and maintain applications,
it's a lot easier to do things through the web.
I think the attacks that we were talking about five years ago are still
applicable to the web, it's just mutated slightly. We were talking before,
David's still doing buffer overflows against web apps. He's just
exploiting all sorts of components that maybe aren't, it's not the
operating system, it's the actual apps. I think the shift here is that
we're exploiting, instead of exploiting either the operating system or
big apps like Office and IIS we're exploiting the long tail of, like, the
hundreds of different little gallery and wiki and bulletin board
systems and blogging systems and expense reporting systems
that everybody is writing and you can do that at the application
a lot easier.
Presenter: Right and at that point you've got, like I said, the
traditional perimeter of defense is really not going to do much
good against this.
Billy Hoffman: I still encounter people who tell me they have a
firewall, they don't have to worry about web security. I'm like
"Unless port 80 is closed that's not really helping you at all."
Alexander Sotirov: I think the downside from, I mean, I do agree that
the web is great and it does lead to some cost savings, but the
downside is that the web is built on a foundation that is thoroughly
broken as far as security's concerned, and the security model, our
web infrastructure was never designed with all these web applications
in mind and I think the situation there is actually much worse than what
we have with your typical desktop or server applications, your C or C++ or .NET.
I think it will actually be a lot more, a lot costlier to fix all these issues
than it was with the buffer overflow-type problems, so-
Tom Ptacek: With the caveat that Alex is much, much smarter than I am,
I'm going to strongly disagree about that one, right? Billy just a minute
ago said there's been a progression from the kind of security work that, like,
I've been in the industry since '94, so, right, same with you and some of us,
right, and back when it was all binary applications and all that and there's
this notion that security has developed and the web people have taken those
ideas and applied them to the web. The reverse is also true, right? You take,
there's a list of vulnerabilities called the OWASP Top 10 which is the first thing
anyone's going to spit out at you if they're trying to prove they know anything
about web security, right? If you take a lot of things in the OWASP Top 10 like
session management, for instance, right, and you apply them back to
software that was written in binary, C++, custom protocols and all that,
you find them there, right? The idea that it's because the web has a
broken architecture I'm going to push back on because if you take the
ideas that have broken on the web and apply them to software that
pre-dates the web that was designed custom for the security problems
they have the same problems.
Alexander Sotirov: Well, the difference is a lot of these custom applications
are a lot less accessible, whereas web and web-based applications take
all this and expose it out to the world. For example, with cross-site
request forgery attacks, you can attack an enterprise by owning a
website that is external to the company. You can insert an ad on a
popular website that employees visit and as long as that passes
through the proxy that the enterprise has you'll be able to attack internal
machines which is, and you can take advantage of those session management
problems, which is certainly not the case with some kind of proprietary-binary
protocol that is sitting on a box inside, unless the attacker has access to that
network. They want to be able to exploit it. With the web, there is almost no
distinction between the internal network and the external network, so the
concept of the perimeter-
Tom Ptacek: I did pen tests in 1995 and that was all about trust relationships,
right? That was all about external dependencies. It was all about if you
get the right exports listed in your enterprise-
Alexander Sotirov: Yeah, but don't you think it would salt those trust relationships
to some extent since then?
Tom Ptacek: I don't know. One guy made a mistake with the Debian random
number generator and broke every single SSH deployment on the internet,
so no, I think the answer's no.
Billy Hoffman: I think what happens is that, at least from a web point of view,
you're right, the OWASP Top 10, insecure encryption, right? Poor encryption,
some of these things, of course you can apply them to applications that
are desktop based as you can apply them to web app based. I think-
Dave Aitel: Because they're really vague.
Billy Hoffman: Yeah, exactly. Yeah, of course. I think there's one that says,
it's their tag line "Here so you can sell your consulting service". Sounds like
someone uses that one a lot. I think what happens here is that the web
browsers, browsers were not designed, I mean, look at Chrome. Google
just came out with their own browser. It has a task manager. Browsers
were never meant to be mini operating systems for applications. They were
meant to render documents and maybe, the hamster that dances, and so a
lot of the security models and things that are built into the browser, you look
at how they handle same origin. It was not designed with security in mind. I think you
can argue that modern operating systems-
Tom Ptacek: Operating systems weren't designed to be secure operating-
Billy Hoffman: What I'm saying though is that there's, you look at XP
Service Pack 2 and you look at IE6, you can't compare the security
design inside IE6 to the security. Let me put it this way, the maturity
and the security design of the browser is far more immature than our
modern operating systems.
Alexander Sotirov: I agree with Billy. I mean, just based on my personal
experience and I guess this is all I have to go by, my experience with
finding vulnerabilities in major websites versus finding and exploiting
vulnerabilities in desktop or server software has been that websites are
much, much easier to break. So, I can extrapolate from that that they are
a lot less secure or perhaps a lot harder to secure than server software.
Dave Aitel: Well, do you think that's just because they're more complex?
Alexander Sotirov: I'm not sure. I think it's because the model for building
web apps is very new so the ideas for how to do it securely are not as
mature as they are in the desktop software world.
Dave Aitel: It sounds earlier like you were saying that it's almost impossible
to secure a mock, sort of a web architecture that we build everything on.
Alexander Sotirov: Well, I think we would have to redesign a good chunk of that.
Dave Aitel: Like HTTP.
Alexander Sotirov: Yeah.
Tom Ptacek: You know, if there had never been hypertext, right, if to submit
my expenses instead of using a web browser I'd use a custom client-server
application to do it.
Dave Aitel: CORBA.
Tom Ptacek: Or CORBA, right.
Dave Aitel: COBRA, that's totally secure, right.
Tom Ptacek: If I'd have to do that there would be as many buffer
overflows as there are cross-site scripting vulnerabilities now, right? Every
custom client-server application ever developed has had a memory-
Alexander Sotirov: Well, there would be no cross-site scripting. There
would be no interaction between, right now if you have multiple applications
that you would open in your browser, one application might be able to
attack another one or if you break into one application you'll be able to-
Billy Hoffman: But you've got that now, you've got that with the classic
buffer overflow, right? If you take, like a Win 95, Win 98, one processor
to rule them all, there's a buffer overflow here-
Alexander Sotirov: Oh yeah, yeah, yeah, but we were talking about session-
Billy Hoffman: Okay.
Alexander Sotirov: Buffer overflows, certainly, if you can own the
operating system then you control everything and all the applications
that are running on it, but if we're talking about bad encryption, session
management, these types of attacks don't allow you to do as much
on the desktop as they do for web based systems.
Tom Ptacek: See, there's a fantastic example, right? You said, session
management, you said bad crypto, let's just fixate on the bad crypto
for a second, right? So, yes, it's scary that the web puts a whole bunch
of crappy, bad software that was developed internally on the Internet, right?
But also it gets rid of a lot of custom encryption, so instead of having
people trying to hand implement their own Diffie–Hellman key exchange,
which happens, right? Like, there are vulnerabilities where if you don't
know what happens when you have a number that comes out to 0 mod P
which is a vulnerability that's hard to even explain, right, then you can
bypass authentication. You never have that vulnerability with a web app
because everything goes through encryption, well almost.
Alexander Sotirov: I agree with that.
Billy Hoffman: Well, that almost gets back to the whole idea, if you're
building on top of ASP.NET it's taken care of a lot of the things so you
don't have to worry about it. I mean, it's got, it's taken care of session
management issues, predictable session IDs, things like that. To some
extent, I mean, if you're using Rails you get the advantage of, "Okay,
you're going to try to wrap this database call for me." So I think it's just,
and I think that's ultimately the solution, taking this all the way back to
the SDLC. I think if you had to take it out of the developers' hands, I
think it's the libraries and the code they're using that kind of either
hides or abstracts or prevents them from shooting themselves in the foot.
Tom Ptacek: Which is why the one size fits all SDLC thing is kind
of freaky to me, right? Because the reality is everybody has a
different software security challenge. They don't, a lot of people don't
need the threat model. A lot of people need to look at all the different
components of their application, pinpoint the ones that need to be
brought up to ASP.NET 2.0 and needs to be brought up to whatever the
database model du jour is for Microsoft and instead of threat modeling-
Alexander Sotirov: I thought that's exactly what threat modeling is, you identify
the different components, which ones would be attacked first.
Tom Ptacek: You've got me with your legal mumbo jumbo.