No Shortage of Security Vulnerabilities at RSA

The RSA Conference is much more vendor-driven than shows like Black Hat or ShmooCon, but there is always room for talk about security vulnerabilities and threats in the wild.

This year, discussion of the threat landscape touched on everything from browser hijacking to wireless security to attacks on Voice-over-Internet Protocol (VoIP). More than one presenter during the conference spoke of the idea of assuming computers in your network have been compromised. In their presentation, Ed Skoudis, senior consultant for InGuardians, and Johannes Ullrich, chief research officer of the SANS Internet Storm Centre, outlined a number of attacks targeting enterprise networks.

Among the attacks the two highlighted was the well-known “pass-the-hash” technique, a method used to compromise machines by checking a user’s cryptographic hash instead of their password. The duo also highlighted attacks on VoIP, as well as how hackers can turn infect Windows machines through drive-by downloads, turn on their wireless interfaces and use them in attacks from long distance without using radio frequency.

While the latter is difficult to execute in Windows XP, Skoudis said the API in Vista and Windows 7 makes it “relatively easy” to write code that talks to the wireless interface. Organisations can defend against these attacks by using two-factor authentication on their WLAN and separating the wireless and wired network through virtual local area networks (VLANs) or separate physical networks, he added.

“There are bots installed in most enterprises,” Skoudis declared. “My point here is instead of spending 90 per cent of your security budget on prevention take some of that, not a large amount of it but take five or 10 per cent of it, and re-dedicate it to identification and eradication. Find the bad guys in your midst and root them out. The fact of the matter is, if you do, that that should help you with your prevention in the first place, because you are limiting the bad guys’ ability to stay hidden and act in your network.”

The concept of browser hijacking also received attention at RSA. David Barruso, e-crime director at S21sec, noted that browser hijacking is being done by three main malware families. Typically, users are affected by drive-by downloads, he said.

“There are many banks affected by (this),” he explained after his presentation.

To mitigate this, users should make sure their browsers and programmes are fully patched, as well as utilise anti-virus, he advised.