Security Vulnerabilities on Display at RSA

The RSA Conference is much more vendor-driven than shows such as Black Hat and ShmooCon, but there is always room for talk about security vulnerabilities and threats in the wild.

This year, discussion of the threat landscape touched on everything from browser hijacking to wireless security to attacks on VOIP (voice over IP). More than one presenter during the conference spoke of the idea of assuming that computers in your network have been compromised.

In fact, in one presentation, Ed Skoudis, senior consultant for InGuardians, and Johannes Ullrich, chief research officer of the SANS Internet Storm Center, outlined a number of attacks targeting enterprise networks.

Among the attacks the two highlighted was the well-known “pass-the-hash” technique, a method used to compromise machines by checking a user's cryptographic hash instead of their password. The duo also highlighted attacks on VOIP as well as how hackers can infect Windows machines through drive-by downloads, turn on their wireless interfaces and use them in attacks from long distance without using radio frequency.

While the latter is difficult to execute in Windows XP, Skoudis said the API in Vista and Windows 7 makes it “relatively easy” to write code that talks to the wireless interface. Organizations can defend against these attacks by using two-factor authentication on their WLAN (wireless LAN) and separating the wireless and wired networks through VLANs (virtual LANs) or separate physical networks, he added.

“There are bots installed in most enterprises,” Skoudis declared. “My point here is instead of spending 90 percent of your security budget on prevention, take some of that—not a large amount of it, but take 5 or 10 percent of it—and rededicate it to identification and eradication. Find the bad guys in your midst and root them out. The fact of the matter is, if you do that, that should help you with your prevention in the first place because you are limiting the bad guys’ ability to stay hidden and act in your network.”

The concept of browser hijacking also received attention at RSA. David Barruso, e-crime director at S21sec, noted that browser hijacking is being done by three main malware families. Typically, users are affected by drive-by downloads, he said.

“There are many banks affected by [this],” he explained after his presentation.

To mitigate this, users should make sure their browsers and programs are fully patched, as well as utilize anti-virus, he advised.