
Why Current Security Solutions Fail? Bikash Barai, Co-Founder & CEO, iViZ Security Inc, May 2013


2. Introduction
About iViZ
– Cloud based Application Penetration Testing
– Zero False Positive Guarantee
– Business Logic Testing with 100% WASC coverage
– 400+ customers. IDG Ventures funded.
– Gartner Hype Cycle mention
About myself
– Co-founder and CEO of iViZ
– Worked in areas of AI, anti-spam filters, multi-stage attack simulation etc.
– Love AI, Security, Entrepreneurship, Magic / Mind Reading

3. Vulnerabilities in Security Products

4. Symantec Email Appliance (9.5.x)
Description | Rating
Out-of-band stored XSS, delivered by email | Critical
XSS (both reflected and stored) with session hijacking | High
Easy CSRF to add a backdoor administrator (for example) | High
SSH with backdoor user account + privilege escalation to root | High
Ability for an authenticated attacker to modify the web application | High
Arbitrary file download was possible with a crafted URL | Medium
Unauthenticated detailed version disclosure | Low
Credits: Brian Smith

5. Trend Email Appliance (8.2.0.X)
Description | Rating
Out-of-band stored XSS in user portal, delivered via email | Critical
XSS (both reflected and stored) with session hijacking | High
Easy CSRF to add a backdoor administrator (for example) | High
Root shell via patch-upload feature (authenticated) | High
Blind LDAP injection in user-portal login screen | High
Directory traversal (authenticated) | Medium
Unauthenticated access to AdminUI logs | Low
Unauthenticated version disclosure | Low
Credits: Brian Smith

6. Microsoft Auto-update Hijacking
An MD5 collision attack was used to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate. The counterfeit certificate was then used to sign code, so that malware appeared to be genuine Microsoft code and therefore remained undetected.

7. Preboot Authentication Attacks
iViZ identified flaws in numerous BIOSes and in pre-boot authentication and disk encryption software.
– BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS and Intel/Lenovo BIOS were found to be vulnerable.
– The flaws resulted in disclosure of plaintext pre-boot authentication passwords.
– In some cases, an attacker could bypass pre-boot authentication.

8. Vulnerabilities in Anti-Virus Discovered by iViZ Security
Antivirus products process many types of files with different file formats. We found flaws in the handling of malformed compressed, packed and binary files in AVG, Sophos, Avast etc.
Some of the file formats for which we found flaws in AV products are:
– ISO, RPM, ELF, PE, UPX, LZH

9. More Vulnerabilities in AV Products
Detection Bypass
– CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file.
Denial of Service (DoS)
– CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.

10. Vulnerabilities in VPN Products
Remote Code Execution
– CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
– CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

11. Report Findings

12. About the Report/Study
iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis.

13. Key Findings
– Vulnerabilities increasing at a CAGR of 37.29% over the last 3 years.
– Anti-Virus accounts for 49% of the vulnerabilities, followed by Firewall (24%).
– Top 3 security vendors with the most vulnerabilities: McAfee, Cisco, followed by Symantec.
– Top 3 security products with the most vulnerabilities: Rising-Global's Antivirus, Cisco's Adaptive Security Appliance and Ikarus Virus Utilities.
– Access Control is the most prominent weakness in security products, followed by Input Validation.
– SQL Injection is the least found vulnerability among security products.

14. Vulnerability Trends (charts: In All Products; In Security Products)

15. Vulnerability by Product Types in 2012 (chart)

16. Vulnerabilities by Vendors (chart)

18. Comparative Analysis (chart)

19. 5 Predictions
– We predict an increase in attacks on security products, companies or solutions.
– APT and cyber-warfare make "security products" the next choice of target.
– The majority of vulnerabilities discovered will not become public and shall remain in the hands of APT actors.
– Security products are "high pay-off" targets since they are present in most systems.
– More vulnerabilities would be sold on the zero-day black market.

20. What should we do to protect ourselves?
– Test and don't trust (blindly): conduct proper due diligence of the security product.
– Ask for audit reports.
– Patch security products like any other product.
– Treat security tools in the same manner as other tools during threat modeling.
– Have proper detection and monitoring solutions and multi-layer defense.

21. Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1

DISCLAIMER
We have used well-known vulnerability standards and databases like the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords like 'virus', 'firewall', 'IPS', 'scan' etc. Hence there are chances of some data being missed, and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.
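The keyword heuristic the disclaimer describes, worked through as an added example (not iViZ's own analysis code): it parses CPE 2.2 URIs, flags a product as a "security product" when its name carries one of the listed keywords, and counts CVEs per vendor. The records, vendor and product names are constructed, the token rule for 'ips' and the CVE-per-vendor counting are my assumptions, and the two products left unclassified illustrate the data the disclaimer says may be missed.

```python
import re
from collections import Counter

# Keywords quoted in the report's disclaimer ('virus', 'firewall', 'IPS', 'scan').
# 'ips' is matched as a whole token only, so it does not fire on 'clips' or 'chipset';
# the others are substring matches so 'antivirus' and 'scanner' still count (assumption).
SUBSTRING_KEYWORDS = ("virus", "firewall", "scan")
TOKEN_KEYWORDS = ("ips",)

def parse_cpe22(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version...) into its first four fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))          # pad missing version etc.
    part, vendor, product, version = fields[:4]
    return {"part": part, "vendor": vendor, "product": product, "version": version}

def is_security_product(product):
    """Keyword classification of a CPE product name, tokenised on '_', '-' and spaces."""
    for tok in re.split(r"[_\-\s]+", product.lower()):
        if tok in TOKEN_KEYWORDS or any(k in tok for k in SUBSTRING_KEYWORDS):
            return True
    return False

def summarise(cve_records):
    """Count CVEs per vendor for security products (one count per CVE/vendor pair),
    and collect the product names the heuristic did not classify as security products."""
    per_vendor = Counter()
    unclassified = set()
    for _cve_id, cpes in cve_records:
        vendors_hit = set()
        for uri in cpes:
            cpe = parse_cpe22(uri)
            if is_security_product(cpe["product"]):
                vendors_hit.add(cpe["vendor"])
            else:
                unclassified.add(cpe["product"])
        for vendor in vendors_hit:
            per_vendor[vendor] += 1
    return per_vendor, unclassified

# Constructed sample records (CVE ids and CPE names are placeholders, not NVD data).
SAMPLE = [
    ("CVE-0000-0001", ["cpe:/a:examplevendor:antivirus:9.0", "cpe:/a:examplevendor:antivirus:9.1"]),
    ("CVE-0000-0002", ["cpe:/a:examplevendor:email_encryption_gateway:2.0"]),  # missed by keywords
    ("CVE-0000-0003", ["cpe:/a:othervendor:email_firewall:2.0"]),
    ("CVE-0000-0004", ["cpe:/a:othervendor:video_clips_player:1.0"]),          # 'clips' != 'ips'
    ("CVE-0000-0005", ["cpe:/a:thirdvendor:network_ips:3.2", "cpe:/a:othervendor:port_scanner:1.1"]),
]

if __name__ == "__main__":
    counts, missed = summarise(SAMPLE)
    print("CVEs per vendor (security products only):", dict(counts))
    print("products not classified as security products:", sorted(missed))
```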

