This is my last post for this class. Has it really been 10 weeks already??? When did THAT happen!?
I think I will continue on with the DEFCON theme. One of the speakers during DEFCON 101 said something that has stuck in my head. They stated that geeks are typically anti-social and that there is high demand for a geek who can speak to both management and the techies, but they are rare. A person in cybersecurity must be able to communicate. This class has reminded me of that a lot. It is hard to do when you are assuming your audience knows what you are talking about (in this case they did), but you have to take it from the perspective that your audience doesn't.
TOPIC CHANGE (sorry Coach!):
I have also taken XML this semester. While this isn't part of my degree, it was interesting that it did apply. While at DEFCON, I talked to a fellow attendee about XML. He was a pen-tester and told me that when a client tells him they want him to pen-test their XML, he begins to salivate. How funny.
I found out later why. I took in a talk called "We've Got You By The Gadgets." The talk was about Microsoft Gadgets, but it was mentioned that it could apply to the apps we all use on our smart phones and tablets because they are similar concepts. Here is what I wrote for my XML class:
Gadgets and apps are very simple programs. They are not complicated at all. Any web application language can be used to write them, and any web application language can be used to alter existing ones or create malicious ones. Software like Silverlight makes it all the easier to create gadgets and apps, particularly malicious ones.
The first problem with gadgets and apps is the lack of code signing. Code signing confirms who the software publisher is and guarantees that the code has not been altered or corrupted. The lack of a signature causes a Microsoft prompt to come up and display the security warning, "Are you sure you want to install this...?" The problem is, people will say yes because they do not see apps or gadgets as software or code, inviting the attacker into their technology through something that looks deceptively innocent.
Here was an interesting statement regarding gadgets:
"Some of the things you are actually able to do from a gadget. I can do anything I want with a gadget. I can execute a code. You can execute URLs. If you didn't want to carry something with you in the HTML that you're downloading with the gadget, you can get more. If you want to change what you downloaded, you can do that too. If you want to update, no problem. You want to create files with arbitrary content, binary or otherwise, on the system, we can do that. You want to be able to read files, anything the user has permission to you're good for. If you want to get past that permission, obviously you can just raise the UAC prompt and do so. You can make your computer speak."
A demo was done using a Nyan Cat gadget turned into a proof of concept (POC) attack. It accessed the Gmail account of the user and created a list of contacts for the attacker to spam. This malicious code was only 16 lines. The key is that it has all of the access it needs to all of your cookies and all the information in your browser. This means it also has all your proxy configurations, and it can manipulate anything else it wants on the system.
Gadgets can also remap network drives, delete mapped network drives, handle mapped network drives, and add mapped network drives. Everything that Windows supports, a gadget can do.
Gadgets are just code, and they are typically written by people who do not have much experience writing code.
Also discussed was the ASN.1 bug. ASN.1 is an underlying parsing protocol that the US government defined and offered a reference implementation of, which nobody bothered to use as a reference. It was used in satellites and ISDN. There was a flaw that showed up everywhere because of the shared-code problem.
Because gadgets and apps do not use SSL, it is hard to reference the original code of the original app/gadget. Anyone can "update" the gadget and turn it malicious without the user being aware of it. Once the update is complete, the gadget is forever altered. You think you are getting a cool gadget that does one thing, when in reality, you are getting something completely different.
The next demo they did was a man-in-the-middle attack. A piano gadget was used, taken from the Microsoft gallery with no modifications to it. When they put the piano on the Desktop it said this: "Hello, this is your computer. I am tired of the way you have been treating me. I am going to self-destruct in 5 seconds! Good-bye." That was three lines of code for the gadget to yell at you and do a man-in-the-middle attack.
In the end they offered these tips:
1. Don't take candy from strangers, and
2. Write your applications properly! Your parser may approve of your code, but you could inadvertently be writing damaging code that can create problems later.
Applications are similar to gadgets. Keep that in mind when you see the next popular app headed your way.