This presentation was by Robert “RSnake” Hansen and was designed to be a fun conversation to have over drinks with security people. I feel privileged to have been one of those security people with whom he talked about this beforehand. It was a very interesting topic about the non-obvious threats that may or may not exist. My notes are below:

Why?

  • Because I use the Internet
  • Because I’m a target
  • Because most people don’t know
  • Because it’s a fun conversation to have over drinks with security guys
  • Maybe/hopefully you’ll continue this conversation instead of just arguing!

Ground Rules

  • Must be non-obvious and must be directly related to the Internet.  Not:
    • …the President or any other government official
    • …or someone involved with SCADA Systems/Brick and mortar
  • Must be in control of some infrastructure or software, etc
  • Must have the largest or widest negative impact possible for the least amount of work and least likelihood of being stopped
  • No magic – must be real and dangerous
  • They can’t be “bad” people
  • You can’t take this list too seriously

How I Got Started

  • Started thinking about core technologies that everything relies on
  • Made a big list
  • Shopped it around to dozens of security experts
  • Assigned an arbitrary, unscientific, hand-wavy, risk-rating system of my own design
  • Ranked them in order of how scared I am of them personally

#10

  • John Doe at C|Net
  • Job: Network Engineer
  • Why: Controls com.com
  • Impact: Largest collection point of typo traffic for both web and email.
    • Doesn’t require anything overt or even indefensible

#9

  • Giorgio Maone of NoScript
  • Job: Consultant
  • Why: Controls NoScript
  • Impact: Nearly every security researcher on the planet – complete compromise.  In general the most paranoid people on earth would be compromised.
    • Builds arbitrary whitelists (ebay.com)
    • Has changed functionality to subvert Adblock Plus

#8

  • Eddy Nigg at StartCom Ltd…
    • or John Doe at SSL Cert Reseller
  • Job: Developer/QA
  • Why: Has access to create wildcard SSL certs for any domain
  • Impact: Would allow an attacker to steal any information they were able to man in the middle.
    • Previously demonstrated bad security
    • Much smaller and therefore less controlled than Verisign or Thawte

#7

  • John Doe at Authorize.net
  • Job: Network admin/Server admin
  • Why: Has the ability to see the vast majority of online transactions.
  • Impact: Would allow an attacker to get PII and credit card information for the bulk of the US online shopping population and many international shoppers as well

#6 (RSnake recants this one after dinner last night)

  • John Doe at Mozilla
  • Job: Has check-in access
  • Why: Has the ability to change functionality within the browser, including installing new SSL certs.
  • Impact: Would allow the attacker to man in the middle and read all SSL traffic.
    • Almost no documentation
    • The verification process is very open and subject to tampering – meaning the update mechanism probably isn’t much better

#5

  • Chirag and Floyd at Adwords
  • Job: Whoever checks in code
  • Why: Has access to millions of websites because it is XSS
  • Impact: Can be leveraged for stealing cookies and hijacking web functionality
    • Is embedded in millions of web pages
    • Is already obfuscated heavily
    • Is seen daily by the bulk of the Internet population
    • Raises the question about CDNs in particular

#4

  • John Doe at Google’s Postini
  • Job: Programmer/Server admin
  • Why: Controls and can view the bulk of the world’s email – including Gmail
  • Impact: Would enable attacker to steal credentials, spoof conversations, tamper with data, introduce malware, etc
    • More dangerous than Adwords because it’s passive

#3

  • John Doe at 1 Wilshire
  • Job: NOC Monkey
  • Why: One of the largest peering centers on the west coast
  • Impact: Can tamper with machines, install malware, inject malicious traffic, intercept communications, etc…
    • Most amount of data links in one physical location
    • CIA has already demonstrated interest in choke points in San Francisco as outed by Mark Klein

#2

  • John Doe at gtei.net
  • Job: Network Admin/Server Admin
  • Why: Controls 4.2.2.2 and 4.2.2.3
  • Impact: Can be used to subvert a huge chunk of Internet traffic by giving erroneous DNS answers
    • Used by default in many devices
    • Used by tons of individuals and companies who are lazy
    • Can be used in very targeted attacks for a very short period of time

#1

  • John Doe at iDefense
  • Job: Security Engineer/Consultant
  • Why: Consults for and is owned by Verisign, who owns Network Solutions, who controls authoritative DNS for “.com”
  • Impact: Would allow the bulk of the Internet traffic to be modified
    • Heavily monitored and protected but still could lead to temporary and targeted compromise
    • More dangerous than 4.2.2.2 because it controls all of .com and not just a subset of users

Disappointed?  Upset?

The room is full of people who care that your feelings are hurt.

The List

  1. John Doe at iDefense
  2. John Doe at gtei.net
  3. John Doe at 1 Wilshire
  4. John Doe at Google’s Postini
  5. Chirag and Floyd at Adwords
  6. John Doe at Mozilla
  7. John Doe at Authorize.net
  8. Eddy Nigg at StartCom Ltd.
  9. Giorgio Maone of NoScript
  10. John Doe at C|Net

Questions/Comments?

  • Robert Hansen
    • Robert_at_sectheory d0t c0m
    • http://www.sectheory.com
    • http://ha.ckers.org/
    • Detecting Malice
      • http://www.detectmalice.com/
    • XSS Book: XSS Exploits and Defense
      • ISBN: 1597491543