Web Application Security

201x: The Year of the Security Industry Breach

jeremiahWhat if right now, people and companies are spending billions of dollars, each and every year, to be less secure? What if security products, those things indoctrinated by best-practices and mandated by compliance obligations, are actually the weakest link in the security chain? What if defense-in-depth is really nothing more than a nice idea. I’m confident this reality is coming, soon even. An inescapable and ironic situation where the security industry is going to be publicly embarrassed and must eat its own dog food for a change. That yucky, yucky stuff we’ve been trying to force down the throats of everyone else for decades. Wait. Stop. Let me back up. Back in the day, malicious hackers commonly targeted unpatched FTP, mail, and DNS servers — others brute-forced telnet ports. From a defense perspective, patch and configuration management in an enterprise environment is often difficult and expensive, particularly when there’s a lot of hosts to protect. This was is a leading reason why network firewalls are pervasively deployed across basically all Internet-connected organizations, to hide away insecure software from the hostile wilds of the Internet. This was the classic network response to an inherent software security problem, a problem no one from that industry ever bothered to address. What did happen was 65,536 ports became just two, 80 and 443 (Web), and developers largely just recreated the software that already existed to run on those ports, and within a Web browser. In response, the bad guys SHIFTED. The bad guys began focusing their attacks at the Web-layer, which is where today we see the majority of the breaches taking place and almost all of the data being lost. During the same period of time, other digital miscreants preferred hacking operating systems, such Windows, which for a long while was fairly trivial. The recommendation from the Information Security (InfoSec) industry, from their RSA keynote stages, was to spend more on firewalls and anti-virus software. Oh yeah, and patch, patch, patch… if you can. Microsoft grew tired of being the security industry’s laughing stock and hacking’s path of least resistance, so they kicked off an initiative called Trustworthy Computing and invested heavily in their Software Development Lifecycle (SDL). It took some time, but their efforts in software security paid off. How do we know? Well, the bad guys SHIFTED. We saw that instead of predominantly targeting Windows, our cyber adversaries began exploiting the applications installed on top of the desktop. Applications like Web browsers, Microsoft Office, PDF processors, and email clients — but mostly the Web browsers. Of course the InfoSec industry said, buy more firewalls! Buy more [email and browser] AV! And sadly, a lot of people listened. Patching, yeah, that‘s good idea. Do that too! Some listened. Then, as we saw starting around 2007, to exploit thousands, nay, millions of PCs, all one had to do was SQL Inject a vulnerable website, take your pick of millions because remember that pesky 80/443 software security problem was never solved by firewalls or AV, and lace those websites with browser-based exploits. Well-known exploits, zero-days, it didn’t matter which, few people ever kept up on browser patches anyway. Yet, more money spent on firewalls and AV just the same. Browsers and browser vendors, Google, Microsoft, and Mozilla, then took their turn in the exploitation crosshairs, feeling the pain of a lack of adequate software security in their respective products. Browser exploitation became a leading cause of malware propagation. As we could expect, they didn’t much like that position, that reputation, even when offering a $0 application. Users expected the software to be secure. Browser vendors had to get serious about software security, and you know what, they did! How do we know? Wait for it… the bad guys SHIFTED! If you notice, the bad guys next began targeting browser plug-ins, namely Flash and Java. Yep, that software already installed in just about everyones browser. That software riddled with vulnerabilities. That software rarely patched by the end-user. Adobe (Flash) and Oracle (Java) are working through their own software security nightmare right now. The browser vendors, not content to wait for Adobe and Oracle, are taking their own steps to protect their platforms, like Microsoft did by offering up ASLR and DEP. They are alerting, disabling or unbundling outdated plugins, if not actively uninstalling them altogether, and making sure technology exists so as not to need them at all. See HTML5. Give the situation 6 months. Give it a year. It’s difficult to say when exactly, but eventually browser hacking, including the plugins, will get sufficiently difficult to warrant another SHIFT. So where will the bad guys focus next? That’s the billion dollar question. My bet is not “mobile,” while that day may come too, I think it’ll be “security products” targeted first. Think about it. Think about all the security products out there, such as IPS, DLP, WAFs, various deployment forms of AV software, and so on are pervasive across enterprise networks and end-user PCs. These products are designed to parse and analyze data from unknown origins, making them ripe for haxoring. Products whose makers, the InfoSec Industry, never really had an emphasis on “software security,” if they even know what that concept is, and notoriously bad at handling vulnerability disclosure — a sure sign of immaturity. Their only training being how to sell more firewalls and AV. Imagine an email specifically designed to exploit a system, but only one protected by an anti-virus email gateway. A piece of Web page code that exploits a browser, but only those protected by anti-virus software. Incoming Web traffic whose goal is to compromise an IPS or WAF itself, not necessarily the website behind it. None of this is far fetched. In fact, the writing is already on the wall. Just look at what Tavis Ormandy did recently to Sophos’s products in his spare time. No one should be naive enough to believe this is an anomaly. How many zero-days do you think are yet to be found in that software? What about other AV products? What about all the other security products out there? Juicy untouched zero-day heaven, that’s what it is. Oh right right, we know the answer we’ll be given. Buy more firewalls and AV! And of course people will listen, but what for? To protect insecure firewalls, insecure AV, and the other insecure security products? Please. I’m sure the industry apologists will also predictably say, “there is no silver bullet,” as if that somehow absolves responsibility for shipping risk increasing products. Hacktivists, cyber-criminals, nation-state sponsored APT, however we label them, we’ve witnessed how our adversaries select their targets, and especially the method of attack, typically by the path of least resistance. One vulnerability is all a bad guy really needs, and the first and easiest one to identify and exploit will do just fine. So when one path of attack doesn’t work or becomes too difficult, the bad guys will shift. Reporters and PR agencies, get your digital ink ready, we’re in for a bumpy ride.