This presentation introduces Micro-Segmentation and includes industry adoption statistics, strategies, and implementation examples. This presentation came from my personal experience implementing Micro-Segmentation in a fully virtualized hosted infrastructure environment for many large hospital systems. This talk will cover why we need segmentation, what the benefits are, how it evolved, and what it enables before explaining a flaw of Micro- Segmentation and how it is addressed using the recently defined term Nano-Segmentation. I also briefly touch on the famous Zero Trust Model and how Micro-Segmentation makes security more effective by following the principles of the Zero Trust Framework. Last, I will briefly cover how any organization can implement Micro and Nano-Segmentation using Tanium in a physical and/or virtual environment that scales up to millions of endpoints.
Presentations for Red Team
Fully comprising an embedded device isn’t always as easy as sending a GET request with admin=true. Sometimes, owning an embedded device takes multiple different vulnerabilities, creativity, and a little finesse. In this live demo, we show how we were able to chain multiple vulnerabilities in the Lenovo ix4-300d network attached storage (NAS) device into a remote exploit that can be executed with little user interaction. As a result, an adversary can provide the victim with a link to a malicious page that grants the attacker the ability to extract all information stored on the victim’s NAS, and the ability to execute arbitrary operating system (OS) commands on the compromised NAS. In the talk we cover how we first identified command injection, then used cross-site scripting (XSS) and cross-site request forgery (CSRF) to build an exploit that would hijack values stored in the victim’s browser storage, issue a malicious request on the user’s behalf, and issue an OS command to open a remotely accessible operating system shell.
Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python Requests to Selenium, Puppet and beyond.
Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015 effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that no longer make them safe for use in the negotiation of secure connections between end points.
With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits including Heartbleed, POODLE, BEAST, CRIME and others attempt to disrupt the availability of services or stealing data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.
Many server-side instances still utilize older versions that support deprecated SSL/TLS versions leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues with many of those built into IOT devices which are rarely upgraded.
We needed to find a means to understand what types of conversations were happening on our publicfacing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.
We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.
This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.
Wireless pentesting typically requires physical proximity to a target which requires time, limited resources, and constant traveling. Eric & Matt have pioneered an inexpensive device to covertly perform wireless pentests anywhere on earth. Their unique solution to the problem centers around the ability to perform a wireless pentest remotely. To achieve this lofty goal they did what any hackers would do; scrounge up pieces and parts until they had a workable prototype that could phone home via multiple LTE connections and give remote access to the wireless environment surrounding their device. Much improved since it’s tangle of wires and packing peanuts, a year later their device has compromised dozens of enterprise networks spanning 3 continents. In this talk we’ll discuss why we built it, how it works, and why we think it will revolutionize wireless pentesting.
Dustin Heywood (EvilMog)
Subtitle: The Ultimate Insider in the Cloud