MIAMI BEACH–It’s the accepted wisdom these days that many of the traditional security defenses organizations depend on just aren’t effective at deterring attackers. But this glosses over the fact that the last few years have included some major advances in defensive technologies, including the widespread adoption of exploit mitigations such as ASLR and DEP and the use of sandboxes in many applications. However, as these advances have made their way into the mainstream, the folks on the offensive side of the game have not been sitting idly by, either, as was made abundantly clear during the talks at the Infiltrate conference here.
Infiltrate was billed as being “exclusively offense”, and that’s exactly what it delivered. The only time defensive technologies were mentioned by the speakers was in the context of how to get around or defeat them. And defeat them, they did. Whether it was a browser-based exploit mitigation, a tablet’s operating system safeguard, hardware-based protections for smartcard systems or kernel defenses, the message that came through in the two days of talks was that with enough time, the attacker is going to win.
This has been proven time after time in the last few years, whether it’s through the attack on RSA, the compromises of various government agencies and contractors or the long-term infiltrations of some financial services companies. These things happen constantly now, and when a new large-scale compromise or attack on a high-profile company occurs, it is no longer even mildly surprising. It’s simply more of the same. Only the names and faces change.
The organizations that fall victim to such attacks often find themselves being blamed for a lack of attention to security, poor defensive practices and all manner of other sins. And software vendors routinely take it on the chin when one of their products is found to have a serious vulnerability or is the vector that’s used in a major attack. However, as with most things, it’s not always that simple.
As the saying goes, the guys on the other side of the ball are getting paid too.
“The ability to make a difference in the real world against dedicated offensive teams is a rare thing,” Dave Aitel, CEO of Immunity, which put on Infiltrate, said during the conference. “This stuff can change quickly.”
What’s happened in recent years is that changes in development practices and defensive strategies have removed some of the easy vectors for attackers, and so researchers and attackers alike have gone looking for more interesting or obscure ways to break systems. They’ve been quite successful in some cases (see: Android) and less successful in others, but we don’t often hear about the failures. Direct evidence of their progress was plain to see at Infiltrate, including the talk by researchers Zach Lanier and Ben Nell describing serious issues with the BlackBerry PlayBook tablet and how it communicates with handsets. The bug allowed them to snoop on a user’s corporate email, which is a problem.
Then there’s the work done by Dan Rosenberg on the SLOB Linux heap allocator, which he found to virtually non-existent exploit mitgations, making any vulnerabilities found in the heap easily exploitable. That specific allocator is used in embedded systems and is found in a lot or switches and routers. That’s also a problem.
And that’s not to mention the research presented by Brad Antoniewicz of Foundstone, who systematically took apart much of the security offered by some proximity-based smart card systems, or the research from Alexander Klink and Julian Waelde on efficiently taking down remote Web servers with a simple POST request.
There’s no denying that the state of the art in defense has advanced markedly in recent years and it hopefully will continue to do so in the years to come. But the folks on the offensive end of things aren’t there just to watch, either. And regardless of whether those people are researchers or attackers, attention must be paid to what it is they’re doing.