Comments on: One Exploit Should Not Ruin Your Day

By: maxprawn

maxprawn — Tue, 23 Feb 2010 06:09:45 +0000

“How many of these large security product vendors employ even one full-time person to play the role of a dedicated attacker attempting to bypass or defeat their defensive systems?”

… and how many companies even listen to that one full-time person after they hire them?

By: Dino Dai Zovi

Dino Dai Zovi — Wed, 10 Feb 2010 15:52:42 +0000

The exploit for IE7/IE8 is very similar, it just required a few tricks to deterministically trigger the vulnerability, properly craft the replacement heap block, and reliably replace the freed object. I will be releasing more details on it but not for another month or so while I am keeping it under my self-imposed embargo.

By: sheeple

sheeple — Wed, 10 Feb 2010 08:13:32 +0000

Anton is great

I wish you would have discussed the details of the ie 7 or 8 flaw in more detail, since i already looked over the code for 6(blah)…. I am just curious what the flaw was there. Maybe you can post it anonymously on milw0rm for me

Good article, and i like the idea for wireless

By: Dino Dai Zovi

Dino Dai Zovi — Thu, 28 Jan 2010 04:58:15 +0000

Hi Jaime,

I focused on the technical tactics because those were the aspects of the attack that have been widely publicized. Until other aspects of the attack are made public (hopefully some more light is shed on this eventually), it is difficult to infer what steps firms can reasonably take to protect themselves from similar attacks. A holistic view of security including technological as well as operational measures is surely key to success.

-Dino

By: Jaime Gago

Jaime Gago — Thu, 28 Jan 2010 01:14:09 +0000

Hi Dino,
Thanks for sharing your knowledge. I have a question about the whole Aurora affair. In your post you focus on the *purely* technical tactics while only mentioning once “targeted social engineering”, from what I’ve read it seems that Google China HQ was physically infiltrated and my modest understanding is that attacker gaining physical access means game over for the defense.
After the Twitter crack due to bad user policy it seems to me that all the secure designs of the world won’t solve the apparent and general lack of security awareness.
I understand that (if not in practice at least in theory) we can code applications, design networks that can minimize social engineering casualties but I’m curious about your analysis on the Google China part of the Aurora Attack.

By: Andre Fucs

Andre Fucs — Wed, 27 Jan 2010 01:50:14 +0000

Hey Dino,

Great article.

Indeed, working with Israeli banks I’ve noticed that their approach to infosec is quite different than what we see on most places. Over there, instead of having users browsing from their business desktops, those allowed to browse the Internet had a secondary CPU, connected to an separate internal network that is connected to the Internet. by doing that, the banks limit the consequences of client side exploits.

While this approach can be too costly to be widely used by larger organisations, virtualisation and other technologies can present an alternative approach.

ironically, all of this remind me of an old article about moving to a compartmentalised network, where instead of firewalls, segregation would be conducted by dual home application servers dedicated to certain functions.

By: Dominique Brezinski

Dominique Brezinski — Tue, 26 Jan 2010 19:21:11 +0000

Great post Dino, and right on with your suggestions. Having actually been on the security engineering team of a large corporation that contemplated these exact targeted, persistent threats back in 2003, many of our remediation techniques are very similar to what you mention. Though we worked to improve the timeliness of our patch cycle, patching was never the primary remediation. We focused on things that would work to reduce the scope of compromise assuming that user’s workstations, and their common authentication credentials, were getting compromised. If you don’t operate under that assumption, your entire security program is an utter failure and wasted money. The only thing Aurora has done is shown that you and I (and our like-minded security brethren) no longer need to really argue that point with everyone else.

By: Dino Dai Zovi

Dino Dai Zovi — Tue, 26 Jan 2010 18:17:08 +0000

The idea is that you should create a wireless network that is completely separate from the corporate network, even so far as making its outbound link a residential cable modem or DSL connection. This external-Internet only network is good for vendors and sales people who need Internet access to demo products, etc. Employees may be given access to it as well for their smart phones, tablets, and so on. The idea is to keep all mobile (and especially devices not managed by IT) devices off the internal network with no exceptions. Giving more freedom on this network allows IT to apply more stringent controls on the corporate network.

By: Rohan

Rohan — Tue, 26 Jan 2010 17:34:15 +0000

Hey,

Lovely article. Though I didn’t understand “Give everyone access to an external Wi-Fi network to use with their personal Internet-enabled devices.”

Won’t this lead to breach of policy violations on the corporate network??

By: daniel palacio

daniel palacio — Mon, 25 Jan 2010 19:05:33 +0000

Nice to see someone who does not recommend patching as a solution. Truth is patching in this case is useless, the bug is no longer a 0day which means this kind of attacker won’t use it again, they will just use another 0day. So even if you don’t patch, upgrading to IE 8 will actually improve your security, patching won’t.
One issue though, what to do with Adobe Reader ? With browser’s you’ve got pretty good options as far as defense in depth goes, but is there a PDF reader out there that has a sandbox ?