Black

In the U.S., the post-Thanksgiving shopping blitz of Black Friday often serves as a make-or-break event for many retailers. Indeed, Black Friday is the day when retailers start to make a profit for the year.

No further explanation is needed to understand why retail cybersecurity is so important. Since the arrival of the browser, online shopping has evolved. In 2005, the National Retail Foundation (NRF) coined the term Cyber Monday to describe the Monday after Thanksgiving and Black Friday, and over the years it has evolved into a major concern for security-conscious businesses.

Retail Cybersecurity Is a Big Deal

According to Practical Ecommerce, the 2015 shopping weekend saw billions of dollars in sales, of which more than $10.4 billion was attributed to in-store sales and $5.77 billion to online sales. Meanwhile, comScore reported nearly $70 billion in desktop and mobile online sales between Nov. 1 and Dec. 31, 2015.

Everyone knows that criminals follow the money. Before the internet, we read about robberies of brick-and-mortar establishments. Now, with an anticipated $70-plus billion in online sales in just a 60-day period, we find that criminals have adjusted and moved online. In 2014, the number of daily attacks decreased during the timeframe surrounding Black Friday and Cyber Monday. Similarly, 2015 saw no major upticks in cybercrime, though small and medium-sized businesses found themselves in the bull’s-eye.

Verizon’s “2016 Data Breach Investigations Report” noted that “around 90 percent of all security incidents in the retail sector involved denial-of-service (DoS), point-of-sale (POS) or web app attacks.” The report explained that it took 79 percent of the organizations weeks or more to recognize that a crime occurred. In contrast, the holiday shopping period lasts for only eight weeks.

Passing on Passwords

Retailers should update their technologies. Security experts have been imploring retailers to move away from password-only environments. A 2012 Institute of Electrical and Electronics Engineers (IEEE) paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” describes the ongoing, decades-old struggle to replace passwords with other authentication tools.

We asked John Haggard, chief executive officer (CEO) of Nymi and a global authority on authentication, for his thoughts on how retailers might protect themselves and, by extension, their customers. Here’s what he had to say:

“The single biggest corrective step an organization can make to secure its environment is to ensure all identities, including employees, partners, customers and especially machines, are correctly authenticated. This sounds simple, but it is incredibly difficult to break the addiction to passwords that is the current champion of authentication.

“What’s worse, the industry is getting organizations hooked on the multifactor alternative, which is arguably worse in today’s environment. With passwords, everyone knows the problem. With one-time codes, organizations believe they have plugged the hole when in fact they haven’t. Despite this warning, organizations should set a key objective that simply states, ‘Authenticate correctly and effortlessly.’

“This likely will never be solved 100 percent for any given period of time, therefore a constant evaluation of the authentication position can be captured by reviewing the data on incorrect authentications. A full 63 percent of breaches can be traced back to this issue, according to the Verizon study. The name of the game is to reduce the attack profile while preserving productivity.

“Passwords are in the red (as in your blood red), one-time passwords (OTPs) are yellow/red and Fast ID Online (FIDO) authenticators are green. Start by setting the objective and developing discipline to understand issues and then support vendors that are trying to help you get there. You get to give feedback and request/demand improvements — staying stuck isn’t a good strategy.”

POS systems are a primary area of concern. Every retailer should separate its POS infrastructure from its corporate infrastructure. Tripwire recommended including monitoring and two-factor authentication for all users accessing the POS environment in addition to segregating the infrastructure.

This raises the question: would retailers know if their POS infrastructure was compromised? Do they have a plan to respond to indicators of compromise? Does your response plan affect your ability to conduct commerce?
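As an added illustration of the monitoring that the Tripwire recommendation above calls for (example code written for this page, not Tripwire's or any retailer's tooling), the following Python audits constructed authentication log lines for the two conditions a segregated POS environment should never show: a POS host reached from anywhere other than the POS segment or the designated admin jump host, and a successful login to a POS host without a second factor. The subnet, the jump-host address, the log format and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed network layout (constructed for this example): the POS segment and
# the single corporate jump host permitted to reach it.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOSTS = {ipaddress.ip_address("10.10.1.5")}

# Constructed authentication log lines in an assumed format:
# <timestamp> <src ip> <dst ip> <user> mfa=<yes|no> result=<ok|fail>
SAMPLE_LOG = """\
2016-11-25T06:01:02Z 10.50.3.14 10.50.7.2 registeruser mfa=yes result=ok
2016-11-25T06:03:45Z 10.10.1.5 10.50.7.2 admin mfa=yes result=ok
2016-11-25T06:05:10Z 192.168.40.22 10.50.7.2 admin mfa=yes result=ok
2016-11-25T06:07:33Z 10.10.1.5 10.50.9.9 svc_backup mfa=no result=ok
2016-11-25T06:09:00Z 10.10.1.5 10.50.9.9 admin mfa=no result=fail
2016-11-25T06:11:12Z 10.20.8.8 10.20.8.9 alice mfa=no result=ok
"""


@dataclass
class AuthEvent:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    user: str
    mfa: bool   # a second factor was presented
    ok: bool    # the login succeeded


def parse_event(line: str) -> AuthEvent:
    """Parse one line of the assumed log format into an AuthEvent."""
    ts, src, dst, user, mfa, result = line.split()
    return AuthEvent(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     user, mfa == "mfa=yes", result == "result=ok")


def audit_pos_access(lines) -> List[str]:
    """Return one alert string per policy violation that touches the POS segment.

    SEGMENTATION: a POS host was reached from outside the POS segment and not
                  via the jump host, i.e. the network separation is leaking.
    NO-MFA:       a successful POS login carried no second factor.
    Corporate-to-corporate traffic is out of scope for this audit.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.dst not in POS_SEGMENT:
            continue
        if ev.src not in POS_SEGMENT and ev.src not in JUMP_HOSTS:
            alerts.append(f"{ev.ts} SEGMENTATION {ev.src} -> {ev.dst} user={ev.user}")
        if ev.ok and not ev.mfa:
            alerts.append(f"{ev.ts} NO-MFA {ev.src} -> {ev.dst} user={ev.user}")
    return alerts


if __name__ == "__main__":
    for alert in audit_pos_access(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the audit raises two alerts: the corporate workstation 192.168.40.22 reaching a POS host directly, and the service account logging into a POS host with a password alone. The failed no-MFA attempt on the last POS line is deliberately not alerted here; in practice you would count failures per source and alert on bursts separately.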

Customer Trust and Engagement

The NRF created a comprehensive playbook for its members that highlighted three key areas in which retailers need to focus: trust, community and anticipation. Customers will quickly lose trust in retailers that don’t focus on securing their environments and technologies.

How retailers engage their customers speaks volumes about how seriously they take security. Are you asking the customer to provide data that you are not able to protect? Do you send emails containing hotlinks to get your customer to click and buy? Do your privacy and terms of service statements clearly articulate how you protect customers’ data? Can customers quickly engage with your support teams if they report cybercrime? Are your support teams trained to handle social engineering attempts to access customer accounts?

Improve Online Habits for the Holidays

First and foremost, only deal with retail organizations you trust. Understand how they operate. More importantly, understand that every entity can be spoofed in email or online.

Practice good online hygiene as part of the overall retail cybersecurity solution. Resist the urge to click on Cyber Monday coupons in emails — type the URLs into your browser window instead. Ensure your devices are up to date with both your security suite and your operating system. Download apps only from trusted environments.

We asked Rebecca Herold, The Privacy Professor and industry thought leader on privacy, what consumers can do to protect their online engagements. Not surprisingly, her advice addressed the need for authenticating yourself with the vendor.

“Use two-factor authentication wherever it is offered,” Herold advised. “This way, if a password is one of the factors and the password file gets hacked, that second factor will help to prevent unauthorized access into your accounts.”

Speaking of passwords, remember to use a unique password for every online account. It sounds cumbersome, but give it some thought. If you reuse passwords and the password file of the company with the least secure infrastructure is compromised, then your user ID and password combination are the keys to all your other accounts, especially for those that lack two-factor authentication.

The holiday season is upon us. Make it a joyous occasion by keeping your company, customers and yourself safe online.


Security Intelligence

At Black Hat 2016 in Las Vegas, security researchers presented new vulnerabilities in key web protocols, including a set of four flaws in the next-generation HTTP/2 protocol and a new twist on compression-based attacks that makes it easier to decrypt HTTPS data.

Tom Van Goethem and Mathy Vanhoef, Ph.D. researchers at the University of Leuven in Belgium, described a vulnerability they call HEIST -- "HTTP Encrypted Information can be Stolen through TCP-windows" -- which builds on a method for determining the exact size of TCP responses and makes old attacks easier because the SSL/TLS protocols do nothing to obscure packet lengths. The HEIST vulnerability can allow attackers to easily infer the length of plaintexts being transmitted.

"Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites," the researchers wrote.

The researchers were able to "increase the damaging effects of our attacks by abusing new features of HTTP/2," in particular the ability to open parallel requests over a single TCP connection. Mitigations will be difficult: "One of the few, if not the only, adequate countermeasure is to disable third-party cookies," Van Goethem and Vanhoef wrote.
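To make the length side channel that HEIST exposes concrete, here is an added example (not the researchers' code; the page body, the tokens and the masking scheme are constructed for illustration). A response that embeds a secret token beside a user-controlled, reflected string is DEFLATE-compressed the way a server would compress it before encryption. TLS hides the bytes but not their count, so the compressed size reveals how much of the reflected string matches the secret: a matching guess is replaced by a short back-reference, a non-matching one costs literal bytes. The second half shows one of the mitigations the BREACH researchers proposed, masking the token with a fresh random pad on every response, so the literal secret never appears in the compressed data and no reflected guess can match it.

```python
import base64
import os
import zlib

# Two constructed candidate secrets (not real tokens). They share an
# 8-character prefix and differ in the remaining 8 characters.
TOKEN_A = "Zq8v3LpR2kTxW9mD"
TOKEN_B = "Zq8v3LpR~!^#+*|?"


def render(reflected: str, token_field: str) -> bytes:
    """A tiny HTML response that echoes user input and embeds a secret token:
    the shape that compression-based attacks such as CRIME and BREACH rely on."""
    return (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"
        f'<form><input type="hidden" name="tok" value="{token_field}"></form>'
        "</body></html>"
    ).encode()


def wire_len(reflected: str, token_field: str) -> int:
    """Size after DEFLATE: TLS encrypts these bytes but does not hide their count."""
    return len(zlib.compress(render(reflected, token_field), 9))


def shorter_guess(token_field: str, guess_a: str, guess_b: str) -> str:
    """Which reflected string yields the smaller response? With an unmasked
    token the answer tracks the secret, because the guess that matches the
    token compresses to a back-reference instead of literal bytes."""
    if wire_len(guess_a, token_field) < wire_len(guess_b, token_field):
        return guess_a
    return guess_b


def mask(token: str, pad=None) -> str:
    """Per-response masking: base64(pad || pad XOR token) with a fresh pad.
    The unmasked token never appears in any response, so the compressed size
    no longer depends on whether a reflected guess equals the secret."""
    raw = token.encode()
    if pad is None:
        pad = os.urandom(len(raw))
    mixed = bytes(p ^ t for p, t in zip(pad, raw))
    return base64.b64encode(pad + mixed).decode()


def unmask(field: str) -> str:
    """Server side: recover the token from a masked form field."""
    blob = base64.b64decode(field)
    half = len(blob) // 2
    return bytes(p ^ m for p, m in zip(blob[:half], blob[half:])).decode()


if __name__ == "__main__":
    print("unmasked, secret A:", shorter_guess(TOKEN_A, TOKEN_A, TOKEN_B))
    print("unmasked, secret B:", shorter_guess(TOKEN_B, TOKEN_A, TOKEN_B))
    print("masked field      :", mask(TOKEN_A))
```

With the unmasked token, `shorter_guess` names whichever candidate is the real secret in both runs: that is the oracle, and HEIST's contribution is obtaining the size without a network vantage point. With `mask()` in place the comparison still returns an answer, but it is a property of the two guess strings alone and carries no information about the token; the server recovers the real value with `unmask()` and the pad changes on every render.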

Meanwhile, Imperva presented a report at Black Hat describing four attack vectors in the HTTP/2 web protocol that enabled vulnerabilities in five HTTP/2 server implementations, including Microsoft IIS, Apache, Nginx, Jetty and nghttpd.

"In this study, we found an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol," the report read. "The four different attack vectors we discovered are Slow Read, HPACK (Compression), Dependency DoS and Stream abuse. The five popular servers under test from various vendors were found to be vulnerable to at least one attack vector, with Slow Read being the most prevalent."

While only five servers were tested, Imperva concluded that the vulnerabilities could probably also be found in other HTTP/2 servers. The Imperva Defense Center research team worked with the vendors of the servers they tested so that the vulnerabilities they found were patched before the report was published.
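Slow Read, the most prevalent of the four vectors, works by accepting the response a few bytes at a time so the server keeps the stream and its buffers alive; the usual server-side defense is a minimum-throughput timeout. The following Python guard is an added example (not Imperva's or any server's code): it tracks how much of the response each connection has actually drained over a sliding window and, after a grace period, flags connections that stay below a floor rate. The thresholds and the simulated connections are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from typing import Dict


class SlowReadGuard:
    """Flag connections whose peer drains response data slower than a floor rate.

    record() is fed the bytes the peer has actually consumed: for HTTP/2 the
    flow-control credit returned in WINDOW_UPDATE frames, for plain TCP the
    bytes acknowledged. Thresholds are assumptions chosen for illustration.
    """

    def __init__(self, min_bytes_per_sec: int = 1024,
                 window_sec: int = 10, grace_sec: int = 5):
        self.min_rate = min_bytes_per_sec
        self.window = window_sec
        self.grace = grace_sec
        self.first_seen: Dict[str, float] = {}
        self.drained = defaultdict(deque)  # conn_id -> deque of (timestamp, bytes)

    def record(self, conn_id: str, nbytes: int, now: float) -> None:
        """Note that the peer consumed nbytes of response data at time now."""
        self.first_seen.setdefault(conn_id, now)
        self.drained[conn_id].append((now, nbytes))

    def rate(self, conn_id: str, now: float) -> float:
        """Bytes per second drained over the trailing window."""
        q = self.drained[conn_id]
        while q and q[0][0] < now - self.window:
            q.popleft()
        return sum(n for _, n in q) / self.window

    def should_close(self, conn_id: str, now: float) -> bool:
        """True once a connection has outlived the grace period and still
        drains below the floor rate. A peer that never returns any credit
        is caught the same way, since its rate is zero."""
        first = self.first_seen.get(conn_id)
        if first is None or now - first < self.grace:
            return False
        return self.rate(conn_id, now) < self.min_rate


def simulate() -> Dict[str, bool]:
    """Constructed traffic: a normal client draining 20 KB/s, one returning
    64 bytes of credit per second, and one that opened a stream and went idle."""
    guard = SlowReadGuard()
    guard.record("idle", 0, 0)
    for t in range(16):
        guard.record("normal", 20_000, t)
        guard.record("slow", 64, t)
    return {c: guard.should_close(c, 15) for c in ("normal", "slow", "idle")}


if __name__ == "__main__":
    print(simulate())
```

Production servers expose the same idea as configuration rather than code (nginx's `send_timeout`, for instance, bounds the gap between successive writes to the client); the guard above makes the policy explicit so the window, floor rate and grace period can be reasoned about per deployment.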

In other news

  • Banner Health, the non-profit hospital system headquartered in Phoenix, Ariz., is notifying approximately 3.7 million people -- including patients, health plan members and beneficiaries, food and beverage customers, and physicians and healthcare providers -- that their personal data was exposed after they "discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations." Banner Health responded by hiring Kroll, the New York-based security and risk management firm, to investigate the attack, and put up a dedicated website to provide information about the attack to the people affected.
  • In another blow to a key web protocol, a feature in HTML5 meant to allow web servers to check the charge remaining on mobile device batteries, and serve less processing-intensive content to users who are running low on charge, turns out to enable a different feature: battery fingerprinting. In a paper on online tracking, Ph.D. student Steven Englehardt and Arvind Narayanan, assistant professor of computer science, both at Princeton University, described a technique for using the Battery Status API to extract enough battery status information to describe devices sufficiently to track users across different websites. Security researcher Lukasz Olejnik wrote: "Frequency of changes in the reported readouts from Battery Status API potentially allowed the monitoring of users' computer use habits; for example, potentially enabled analyzing of how frequently the user's device is under heavy use. This could lead to behavioral analysis." Battery status readouts for a particular device, which include the current battery level and the time, in seconds, to discharge and recharge the battery, provide sufficient precision -- and change slowly enough -- to allow the fingerprinting of devices and tracking them across websites.
  • At Black Hat, Kaspersky Lab announced its own bug bounty program, in association with bug bounty platform provider HackerOne. For the initial phase of the program, Kaspersky is offering up to $50,000 in bounty rewards to researchers who report vulnerabilities in Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1, or a more recent Microsoft desktop OS. Payouts for flaws that enable local privilege escalation will be $1,000, while flaws that compromise user data or enable remote code execution will average $2,000. "Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products," said Nikita Shvetsov, CTO at Kaspersky Lab, in a press statement. "We think it's time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected."

Next Steps

Find out more about how to protect against the BREACH attack on HTTPS traffic exploits.

Read about how HTTP/2 may be the answer to improving app performance.

Learn more about how HTTP Strict Transport Security (HSTS) addresses web security.



SearchSecurity: Security Wire Daily News

A few more photos from the Black Hat USA 2016 Business Hall.

Featured companies: NSFOCUS, Qualys, FireEye, Synack, Forcepoint, LogRhythm. Also featured is the US Department of Homeland Security.



Help Net Security

Export-Grade Crypto Patching Improves (August 3, 2016, 10:00 am)
Kaspersky Lab Launches Bug Bounty Program (August 2, 2016, 9:00 am)
Threatpost News Wrap, July 29, 2016 (July 29, 2016, 10:45 am)
KeySniffer Vulnerability Opens Wireless Keyboards to Snooping (July 26, 2016, 9:30 am)
Upcoming Tor Design Battles Hidden Services Snooping (July 25, 2016, 3:51 pm)
EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers (July 21, 2016, 1:18 pm)
Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update (July 20, 2016, 9:21 am)
Threatpost News Wrap, July 15, 2016 (July 15, 2016, 11:00 am)
Academics Build Early-Warning Ransomware Detection System (July 14, 2016, 1:05 pm)
xDedic Hacked Server Market Resurfaces on Tor Domain (July 12, 2016, 11:40 am)
Conficker Used in New Wave of Hospital IoT Device Attacks (June 30, 2016, 11:48 am)
655,000 Healthcare Records Being Sold on Dark Web (June 28, 2016, 10:00 am)
Windows Zero Day Selling for $90,000 (May 31, 2016, 5:44 pm)
Millions of Stolen MySpace, Tumblr Credentials Being Sold Online (May 31, 2016, 1:37 pm)
OTR Protocol Patched Against Remote Code Execution Flaw (March 10, 2016, 10:23 am)
Inside the xDedic Hacked Server Marketplace (June 16, 2016, 10:00 am)
uTorrent Forums User List Stolen (June 9, 2016, 2:30 pm)
Patched BadTunnel Windows Bug Has ‘Extensive’ Impact (June 15, 2016, 3:23 pm)
The Illusion Of An Encrypted Internet (June 7, 2016, 12:56 pm)
Oracle EBusiness Suite ‘Massive’ Attack Surface Assessed (August 3, 2016, 10:14 pm)
Meet the 18-Year-Old Who Hacked the Pentagon (June 21, 2016, 3:15 pm)
IoT Medical Devices: A Prescription for Disaster (July 11, 2016, 11:31 am)
Android KeyStore Encryption Scheme Broken, Researchers Say (July 7, 2016, 11:52 am)


Threatpost | The first stop for security news

Las Vegas -- The Black Hat 2016 conference keynote was a call to action in both the public and private sectors to focus on ways to make dealing with cyberthreats faster and more efficient.

Dan Kaminsky, security researcher, co-founder and chief scientist of White Ops, began by saying it is important not to underestimate speed when it comes to making security decisions.

"Speed has totally changed, what was once months has become minutes. Everything has changed," Kaminsky said. "What you can build, what gets broken and how long we have to learn and adapt from our experiences, those cycles have gotten so fast. And our need to make things secure and functional and effective has just exploded."

Kaminsky described a number of different things, from large projects to small moments in development, that can impact security.

"People think that it's a zero sum game, that if you're going to get security everyone else has to suffer. Well, if we want to get security, let's make life better for everybody else. Let's go ahead and give people environments that are easy to work with," Kaminsky said. "Think in terms of milliseconds. Think in terms of the lines that you're impacting, the time that you're taking, the difficulty in making something scale out not just for your own use but for the use of the world. This is the game to play."

Kaminsky dug deep into the history of the internet and the gritty details of code to identify ways to improve speed, but two themes came back time and again in his talk.

First, Kaminsky said information sharing is a critical way to improve security in the short-term. He said managers have all had the experience of assigning engineers to fix a security issue "that has probably been fixed a thousand times, so maybe we should start actually releasing the code that we're doing … If you actually want your coworkers to solve a problem not repeatedly, it might be cheaper and [more] cost effective for you to just give it to the world."

"Bugs are not random. Fixes are not random either. We're not taking all of the lessons we have to deal with and actually dealing with them," Kaminsky said. He noted talking to a group of bankers who shared code and fixes with each other. "He said, 'Yeah, we don't compete on security. If one of us gets hit, we're all going down so we should probably share our information.'"

For longer term projects, Kaminsky said we needed to see more work from the public sector.

"I believe in all projects in terms of timelines," Kaminsky said in a press conference following his keynote. "How long is it going to take to do this? Some things are just going to take three years of effort and the longer the timeline, the less it's something that private sector is good at and the more it's something the public sector is good at. How do I get a hundred nerds working on a project for ten years and not getting interrupted and not getting harassed and not getting told to do different things? The way you don't make it happen is how we're doing it in infosec today, which is the spare time of a small number of highly paid consultants. We can do better than that."

Kaminsky said he wants something like the National Institutes of Health (NIH) for cyber -- a public works organization to take on long-term research projects with stable funding.

"I want an organization dedicated to the extended study of infosec, that can fund and implement the hard and sometimes really boring work that fixing all these problems is going to take," Kaminsky said.

One example of such an effort was the work done by the Software Assurance Metrics And Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST), which Kaminsky described as "the greatest scut work" he's ever seen.

"They went ahead and they collected variants of every single vulnerability in C and Java, and there's like thousands, and they went ahead and made it so you can compile them into one program," Kaminsky said, and he described the value of such a body of work for all of the companies working on static analysis tools. "That stuff may exist in the bowels of Microsoft or Oracle or many other companies, but it was NIST that got it out the door."

No matter the aim, short-term or long, Kaminsky stressed the value in sharing information and being open with knowledge.

"Experts and users have different things in mind for their technology. I don't mind if you just want to work on your own stuff," Kaminsky said. "But the real magic comes when you take the expertise that you've got in security and you translate it and you rebuild it and you reform it. Don't be afraid to take the knowledge you have and make it accessible to vastly more people."

Next Steps

Learn more how to shift IT security budgets to focus on attack detection and response.

Find out how to use security tools to automate incident response.

Get more information on the differences between dynamic code analysis and static analysis for source code testing.


SearchSecurity: Security Wire Daily News


Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.

The two friends, veterans among a team of two dozen, are at the time of writing knee-deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes.

The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way.

Wyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says.

Bart (@stumper55) shares the job.

Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 13 years and DEF CON for 16 years, while Stump has chalked up nine years with both hacker meets.

Together with an army of capable network engineers and hackers they operate one of the few hacker conference networks that delegates and journalists are officially advised to avoid.

Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year. The diverse talents – and ethics – of the attending masses render everything from local ATMs to medical implants potentially hostile and not-to-be-trusted.

Some 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create. Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.

“We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."

The Black Hat NoC. Image: supplied.

The crew operates in rotating shifts with the conference din as a backdrop, sometimes punctuated by cheers as speakers pull off showy hacks or offer impressive technical demos. In the NoC, some laugh, some sleep, and all work in a darkness broken only by the glow of LEDs and computer screens. Their soundtrack is a mix of crunching cheese nachos, old hacker movies and electronic music.

"Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence; "it'll be quite a sight, you'll be missing something".

Delegates need not. The NoC will again be housed in The Fish Bowl, a glass den housing the crew and mascots Lyle the stuffed ape and Helga the inflatable sheep. Delegates are welcome to gawk.

Risky click

The NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware.

"When you see traffic like that, you immediately go into mitigation mode to respond to that threat," Wyler says. "Black Hat is a very interesting network because you can't do that - we have to ask if we are about to ruin some guy's demonstration on stage in front of 4000 people."

Stump recalls intruding on a training session in a bid to claim the scalp of a Black Hat found slinging the infamous Zeus banking trojan. "The presenter says 'it's all good, we are just sending it up to AWS for our labs' and we had a laugh; I couldn't take the normal security approach and simply block crazy shit like this."

Flipping malware will get you noticed and monitored by one of the NoC's eager operators who will watch to see if things escalate beyond what's expected of a normal demonstration.

If legitimate attacks are seeping out of a training room, the sight of Wyler, Stump, or any other NoC cop wordlessly entering with a walkie-talkie clipped to hip and a laptop under arm is enough for the Black Hat activity to cease. "It is part of the fun for us," Wyler says. "Being able to track attacks to a location and have a chat."

Targeting the Black Hat network itself will immediately anger the NoC, however.

The team has found all manner of malware pinging command and control servers over its network, some intentional, and some from unwittingly infected delegates. "We'll burst in and say anyone whose MAC address ends with this, clean up your machine," Stump says.

$4000 smut-fest

Training is by far the most expensive part of a hacker conference. Of the 71 training sessions that ran over the past weekend ahead of the Black Hat main conference, each cost between US$2500 (£1887, A$3287) and US$5300 (£4000, A$6966), with many students having the charge covered by generous bosses.

Stump on CNN.

Bart and the blow up doll cameo on CNN Money.

So it was to this writer's initial incredulity that most of the sea of "weird porn" flowing through the Black Hat pipes stems from randy training students. "It is more than it should ever be," Wyler says of the Vegas con's porn obsession. "While you are at a training class - I mean it's not even during lunch."

The titillating tidbit was noticed when one NoC cop hacked together a script to pull and project random images from the network traffic on Fish Bowl monitors. A barrage of flesh sent the shocked operators into laughing fits of ALT-TAB. Another moment was captured when Stump was filmed for CNN Money and a shopper's blow-up doll appeared with perfect timing.

Balancing act

Black Hat's NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference. Think Security Onion, intrusion detection running on Kali, and OpenBSD boxes.

Now they have brought on security and network muscle, some recruited during a cruise of the expo floor, including two one-gigabit pipes from CenturyLink, each running at about 600Mbps. "We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we've brought in outsiders," Stump says.

Ruckus Wireless, Fortinet, and CenturyLink are now some of the vendors that help cater to Black Hat's more than 70 independent networks. "It's shenanigans," Wyler says. "But we love it."

The pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless, leading and helping out with events, parties, and demo labs. "I feel a responsibility to give back to the community which feeds me," Wyler says. "That's why we put in the late nights."



The Register - Security

Media Archives

Barnaby Jack: Jackpotting Automated Teller Machines Redux

Nathan Hamiel, Marcin Wielgoszewski: Constricting the Web, Offensive Python for Web Hackers

Shawn Moyer, Nathan Keltner: Wardriving the Smart Grid, Practical Approaches to Attacking Utility Packet Radios


Black Hat Announcements

Black Hat: 9 free security tools for defense and attacking

A Black Hat conference audience, 2015

Credit: Steve Marcus, Reuters

When Black Hat convenes next week in Las Vegas, it will be a rich environment for gathering tools that can be used to tighten security but also -- in the wrong hands -- to carry out exploits.

Researchers presenting generally point out the value these releases hold for researchers like themselves who operate in experimental environments as well as for enterprise security pros who want to build better defenses against such attack tools.


Presenters will detail a broad range of exploits they've carried out against devices, protocols and technologies from HTTP to internet of things gear to the techniques penetration testers use to test the networks of their clients.

Here is a sampling of some of the scheduled educational briefings coming up next week along with a description of the free tools that will accompany them. 

HTTP/2 & QUIC -- Teaching Good Protocols To Do Bad Things

Presenters: Carl Vincent, Sr. Security Consultant, Cisco, and Catherine (Kate) Pearce, Sr. Security Consultant, Cisco

These two researchers took a look at HTTP/2 and QUIC, two Web protocols used to multiplex connections. The researchers say they are experiencing déjà vu because they have found security weaknesses in these protocols that are reminiscent of weaknesses they found two years ago in multipath TCP (MPTCP). Back then they discovered that because MPTCP changed paths and endpoints during sessions, it was difficult to secure the traffic and possible to compromise it. "This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network," according to the description of their talk. They say they will release tools with these techniques incorporated.

Applied Machine Learning for Data Exfil and Other Fun Topics

Brian Wallace, Senior Security Researcher, Cylance, Matt Wolff, Chief Data Scientist, Cylance, and Xuan Zhao, Data Scientist, Cylance

This team applied machine learning to security data to help analysts make decisions about whether their networks are facing actual incidents. They say lacking an understanding of machine learning can leave you at a disadvantage when analyzing problems. "We will walk the entire pipeline from idea to functioning tool on several diverse security-related problems, including offensive and defensive use cases for machine learning," they write in describing their briefing. They plan to release all the tools, source code and data sets they used in their research. They'll also include an obfuscation tool for data exfiltration, a network mapper and a command and control panel identification module.

GATTacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool

Slawomir Jasek, IT Security Consultant, SecuRing

The internet of things is rife with devices that make use of Bluetooth Low Energy, but they don't always take advantage of all the security features of the technology. "A

InfoWorld Security

Craig Williams, Mike Caudill & Kevin Timm, Cisco Systems


USA 2010 Weekend Training Session // July 24-25

USA 2010 Weekday Training Session // July 26-27


Overview:

When testing an intrusion prevention system (IPS), security engineers tend to evaluate speed, accuracy, and ease of use. Although speed and ease of use are important for a security device, customers are paying for protection; thus, the accuracy of the signature base is critical. Evasion techniques are constantly evolving, so it is imperative that IPS devices have the ability to detect both ordinary exploits and their obfuscated cousins.

This hands-on course will cover everything from older, well-understood evasion techniques to newer, cutting-edge ones. We will apply these techniques using penetration testing tools and public proof-of-concept exploit code. The purpose of this course is to learn to test any IPS, not to expose a flaw in a specific vendor's product. To that end, the actual IPS devices being tested will not be identified.

Students will learn how to modify attacks to accurately evaluate the detection capability of a device. Emphasis will be placed on determining whether a signature is specific to the vulnerability or merely to a particular exploit, as well as on its resistance to additional layers of evasion. The course will also cover the intricacies of performance testing and the impact that heavy load can have on an IPS. Newer technologies such as reputation-based filtering will be discussed as they apply to detection.

By the end of the course, students will have detailed knowledge of evasion techniques and be able to properly gauge the performance of a device and avoid IPS testing pitfalls. The key factor in successful IPS testing is having properly trained, knowledgeable staff conducting the test. With the ever-present threat to network security, it is imperative to fully understand the level of protection that an IPS device provides and the level of insight required to maximize its capabilities.
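The distinction the course draws between a signature that matches one public proof-of-concept and a signature that matches the underlying vulnerability, and the practice of stacking evasion layers on top of a PoC, can be shown with a small harness. The Python below is an added example written for this page, not course material or Cisco code: the target CGI (`/cgi-bin/lookup.cgi`, assumed to overflow when its URL-decoded `name` parameter exceeds 256 bytes), the PoC request, the three evasion layers and both signatures are constructed for illustration and do not come from any vendor signature set.

```python
"""Exploit-specific versus vulnerability-specific IPS signatures under stacked evasions.

Added example for this page; the target CGI, the PoC request, the evasion layers
and both signatures are constructed for illustration and are not taken from any
product or vendor signature set.
"""
import random
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed vulnerability: /cgi-bin/lookup.cgi is assumed to overflow a fixed
# buffer when the URL-decoded `name` parameter is longer than this.
MAX_NAME_LEN = 256


def build_exploit(filler: bytes = b"A", length: int = 512) -> bytes:
    """Raw HTTP request the way a public PoC would send it: plain, unencoded filler."""
    return (b"GET /cgi-bin/lookup.cgi?name=" + filler * length + b" HTTP/1.1\r\n"
            b"Host: target.example\r\n\r\n")


def _split_request(req: bytes):
    """Break a raw request into (method, path, query, version, headers+body)."""
    line, rest = req.split(b"\r\n", 1)
    method, target, version = line.split(b" ")
    path, _, query = target.partition(b"?")
    return method, path, query, version, rest


def _join_request(method, path, query, version, rest) -> bytes:
    return b" ".join([method, path + b"?" + query, version]) + b"\r\n" + rest


# --- evasion layers: each maps raw request bytes to raw request bytes -------------
def evade_percent_encode(req: bytes) -> bytes:
    """Percent-encode every key and value byte (but not the & and = separators),
    so a decoding target sees the identical parameter while the wire bytes differ."""
    method, path, query, version, rest = _split_request(req)
    enc = lambda s: "".join("%%%02X" % b for b in s).encode()
    pairs = [enc(k) + b"=" + enc(v)
             for k, _, v in (p.partition(b"=") for p in query.split(b"&"))]
    return _join_request(method, path, b"&".join(pairs), version, rest)


def evade_random_filler(req: bytes, seed: int = 1) -> bytes:
    """Swap the PoC's run of 'A's for random lower-case alphanumerics of equal
    length; the overflow condition (decoded length) is untouched."""
    rng = random.Random(seed)
    alphabet = b"abcdefghijklmnopqrstuvwxyz0123456789"
    return re.sub(rb"A{8,}",
                  lambda m: bytes(rng.choice(alphabet) for _ in range(len(m.group(0)))),
                  req)


def evade_dummy_param(req: bytes) -> bytes:
    """Prepend a harmless parameter so the exploit no longer sits right after the '?'."""
    method, path, query, version, rest = _split_request(req)
    return _join_request(method, path, b"id=7&" + query, version, rest)


# --- two candidate signatures for the same vulnerability --------------------------
def sig_exploit(req: bytes) -> bool:
    """Exploit-specific: a literal match on the PoC's shape, '?name=' plus a run of 'A's."""
    return re.search(rb"\?name=A{256,}", req) is not None


def sig_vulnerability(req: bytes) -> bool:
    """Vulnerability-specific: normalise the way the target's CGI parser would
    (split on & and =, then URL-decode) and test the actual trigger condition."""
    _, path, query, _, _ = _split_request(req)
    if not path.lower().endswith(b"/lookup.cgi"):
        return False
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if unquote_to_bytes(key) == b"name":
            return len(unquote_to_bytes(value)) > MAX_NAME_LEN
    return False


EVASIONS = {
    "none": [],
    "percent-encode": [evade_percent_encode],
    "random-filler": [evade_random_filler],
    "dummy-param": [evade_dummy_param],
    "all three stacked": [evade_random_filler, evade_percent_encode, evade_dummy_param],
}


def evaluate(base: Optional[bytes] = None) -> dict:
    """Return {evasion name: (exploit signature fired, vulnerability signature fired)}."""
    base = build_exploit() if base is None else base
    results = {}
    for name, layers in EVASIONS.items():
        req = base
        for layer in layers:          # layers are applied in the listed order
            req = layer(req)
        results[name] = (sig_exploit(req), sig_vulnerability(req))
    return results


if __name__ == "__main__":
    for name, (exploit_hit, vuln_hit) in evaluate().items():
        print(f"{name:18} exploit-sig={exploit_hit!s:5} vuln-sig={vuln_hit}")
```

Running it prints a matrix in which the literal-match signature stops firing under every single evasion while the condition-based one keeps firing, and a benign request (`build_exploit(length=10)`) triggers neither. Against a real device the same stacked requests are replayed through the inline IPS and the alert (or its absence) is recorded per layer, then the run is repeated while the traffic generator loads the sensor.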

Teaching methods:

Lecture, group exercises, and demos.

Student requirements (experience/expertise):

  • Basic IPS experience required with a major IPS platform (Cisco, TippingPoint, ISS, Sourcefire, Enterasys, etc.)
  • Basic shell scripting experience is recommended.
  • Basic familiarity with VMware products.
  • Basic regular expression familiarity.
  • Optional: While Ruby/Python/Perl experience is not a prerequisite, students with this background will probably be more comfortable with the material.

What to bring:

A laptop capable of running the VMware Infrastructure Client (i.e., Windows or a Windows VM) or an RDP client

What we provide:

  • Copy of slides
  • Remote access to 2 VMware Infrastructure servers (hosting attacker and victim VMs) set up on a network with an inline IPS
  • 3 switches (assuming 3 rows of tables, 1 switch per row)
  • Cisco IPS
  • 30 Ethernet cables
  • Traffic generator capable of saturating an IPS for load and DoS testing

Trainers:

Craig Williams is a senior research engineer for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Craig specializes in exploit and malware analysis, reverse engineering, IPS signature design, vulnerability research, attack obfuscation and evasion, and network programming. Since joining Cisco in 2004, Craig has made significant contributions to the IPS signature team including a pending patent involving obfuscated traffic inspection. His current research involves malware, specifically improving the detection and mitigation of botnets.


Mike Caudill is a Program Manager and Incident Manager for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Since joining Cisco in 1998, Mike has worked as an Incident Manager for the Cisco PSIRT, where he responded to, resolved, and disclosed security vulnerabilities in affected Cisco products. Mike has held leadership roles in both FIRST and ICASI, international organizations whose missions focus on vulnerability and security incident response in order to improve the state of security on the Internet. Mike has a relentless passion to protect customers and Internet users from vulnerabilities and attacks and today is helping to find new ways to detect, identify, mitigate, and respond to those attacks.


Kevin Timm is a security researcher at Cisco Systems where he is part of the Cisco Security Research & Operations organization. Kevin's current work focuses on the automation of malware analysis using virtualization. Over the past decade, Kevin has authored several security-related white papers and articles and has presented at Cisco Networkers. Prior to joining Cisco in 2004, Kevin held senior roles in the Managed Security and Managed Hosting industries.


Late:
Ends Jul 23

Onsite:

$ 2000

$ 2200

$ 2400

$ 2600

$ 2900



Black Hat Announcements