NetWars: My Experience at the Minnesota Cyber Aces State Championship

Adobe has always been very supportive of professional development for its employees. It is a great way to work on projects that might not be directly related to one’s main responsibilities. While I am currently responsible for managing engineering and quality engineering on the Adobe Photoshop architecture team, I have been using my professional development time to research cybersecurity.

I recently learned about Cyber Aces, founded by Alan Paller, co-chair of the Secretary of Homeland Security Task Force on Cyberskills and founder and research director of the SANS (SysAdmin, Audit, Networking, and Security) Institute. The goal of Cyber Aces is to “fill a critical shortage of skilled cybersecurity professionals by growing the talent pool, discovering those with high potential, and offering a fast track to cybersecurity jobs.”

In order to qualify for the Cyber Aces Minnesota State Championship, I had to take a series of online quizzes in Networking, Operating Systems, and Systems Administration. Luckily, I scored high enough to be invited to participate for the championship title on a simulation called NetWars – a real-time capture-the-flag competition on March 15, 2014. NetWars was created by the folks at SANS as a way for participants to test their skills with hands-on exercises and penetration tests.

Before the competition, there was an ethics panel hosted by Dr. Kevin Gyolai, dean of STEM (science, engineering, and mathematics) at Inver Hills Community College where the competition took place. The panelists represented a range of disciplines from industry (UNISYS), to education (Inver Hills Community College), and government (FBI). They talked about the “insider threats” facing many organizations, how the US Cyber Command has hundreds of job openings that they cannot fill and how BYOD (bring your own device) is challenging university campus networks and corporations.

After the panel, we got down to business. Level 1 had a series of questions asking us to find flags by looking at the file system, and an interesting question about PDF. On a personal level, it was awesome to see a question about a PDF. I am not allowed to talk about the question as the other states haven’t completed the competition yet, but it was an excellent question.

I have earned the ASSET (Adobe Secure Software Engineering Team) brown belt certification and programs like Cyber Aces and NetWars will help me on my way to earning a black belt. Thank you to everyone at Cyber Aces for hosting a fantastic event.  I encourage anyone interested in developing their security skills to take a look at Cyber Aces and participate.

Jeff Sass
Engineering Manager, Photoshop

Top 10 Hacking Techniques of 2013: A Few Things to Consider in 2014

For the last few years, I’ve been a part of the annual ranking of top 10 web hacking techniques organized by WhiteHat Security. Each year, it’s an honor to be asked to participate, and this year is no different. Not only does judging the Top 10 Web Hacking Techniques allow me to research these potential threats more closely, it also informs my day-to-day work.

WhiteHat’s Matt Johansen and Johnathan Kuskos have provided a detailed overview of the top 10 with some highlights available via this webinar.  This blog post will further describe some of the lessons learned from the community’s research.

1. XML-based Attacks Will Receive More Attention

This year, two of the top 15 focused on XML-based attacks. XML is the foundation of a large portion of the information we exchange over the Internet, making it an important area of study.

Specifically, both researchers focused on XML External Entities. In terms of practical applications of their research, last month Facebook gave out their largest bug bounty yet for an XML external entity attack. The Facebook attack demonstrated an arbitrary file read that they later re-classified as a potential RCE bug.

Advanced XML features such as XML external entities, XSLT and similar options are very powerful. If you are using an XML parser, be sure to check which features can be disabled to reduce your attack surface. For instance, the Facebook patch for the exploit was to set libxml_disable_entity_loader(true).

In addition, JSON is becoming an extensively used alternative to XML. As such, the JSON community is adding similar features to the JSON format. Developers will need to understand all the features that their JSON parsers support to ensure that their parsers are not providing more functionality than their APIs are intended to support.

2. SSL Takes Three of the Top 10 Spots

In both the 2011 and 2012 Top 10 lists, SSL attacks made it into the top spot.  For the 2013 list, three attacks on SSL made it into the top 10: Lucky 13, BREACH and Weaknesses in RC4. Advances in research always lead to more advances in research. In fact, the industry has already seen our first new report against SSL in 2014.  It will be hard to predict how much farther and faster research will advance, but it is safe to assume that it will.

Last year at BlackHat USA, Alex Stamos, Thomas Ptacek, Tom Ritter and Javed Samuel presented a session titled “The Factoring Dead: Preparing for the Cryptopocalypse.” In the presentation, they highlighted some of the challenges that the industry is facing in preparing for a significant breach of a cryptographic algorithm or protocol. Most systems are not designed for cryptographic agility and updating cryptography requires a community effort.

These three Top 10 entries further highlight the need for our industry to improve our crypto agility within our critical infrastructure. Developers and administrators, you should start examining your environments for TLS v1.2 support. All major browsers currently support this protocol. Also, review your infrastructure to determine if you could easily adopt future versions of TLS and/or different cryptographic ciphers for your TLS communication. The OWASP Transport Layer Protection Cheat Sheet provides more information on steps to hard your TLS implementation.

3. XSS Continues to Be a Common Concern for Security Professionals

We’ve known about cross-side scripting (XSS) in the community for over a decade, but it’s interesting that people still find innovative ways to both produce and detect it. At the most abstract level, solving the problem is complex because JavaScript is a Turing-complete language that is under active development. HTML5 and CSS3 are on the theoretical edge of Turing-Completeness in that you can implement Rule 110 so long as you have human interaction. Therefore, in theory, you could not make an absolute statement about the security of a web page without solving the halting problem.

The No. 1 entry in the Top 10 this year demonstrated that this problem is further complicated due to the fact that browsers will try to automatically correct bad code. What you see in the written code is not necessarily what the browser will interpret at execution. To solve this, any static analysis approach would not only need to know the language but also know how the browser will rewrite any flaws.

This is why HTML5 security advances such as Content Security Policies (CSP) and iframe sandboxes are so important (or even non-standards-based protections such as X-XSS-Protection).  Static analysis will be able to help you find many of your flaws. However, due to all the variables at play, they cannot guarantee a flawless site. Additional mitigations like CSP will lessen the real world exploitability of any remaining flaws in the code.

These were just a few of the things I noticed as a part of the panel this year. Thanks to Jeremiah Grossman, Matt Johansen, Johnathan Kuskos and the entire WhiteHat Security team for putting this together. It’s a valuable resource for the community – and I’m excited to see what makes the list next year.

Peleus Uhley

Lead Security Strategist

 

Mass Customization of Attacks Talk at RSA

Business consultant Stanley Davis defined mass customization as the “customization and personalization of products and services for individual customers at a mass production price.” Anyone who has ever ordered a custom PC is no stranger to mass customization: that particular combination of components wasn’t assembled into a PC until the customer initiated an order.

As we responded to zero-day exploits in the past couple of years, we took stock of some of the properties that separated them from mass malware, which affect older, patched vulnerabilities. For example, we noticed zero-day attacks starting to target more than one version of a platform on one or more operating systems. In addition, we observed that zero-day attacks contain more than one exploit possibly affecting multiple vendors’ products. Our thesis can be stated as follows: The exploit creation industry is maturing; by combining the features of mass malware with multiple zero-day exploits, they can create mass-customized attacks.

 masscustomizedattacks

 

We expand on this thesis in our upcoming talk at the RSA 2014 conference and use several case studies to prove it.

If you’re going to be attending RSA on Tuesday, Feb. 25, please swing by our talk at 2:40 p.m. in the West Room 3006. We look forward to sharing our research and the conversations with our friends and partners in the industry!

Peleus Uhley, Platform Security Strategist
Karthik Raman, Security Researcher

Adobe Sponsors Nullcon 2014

NullCon, held annually in Goa, is one of the premier security conferences in India. This conference has emerged out of a not-for-profit society, null, which is the largest active security community in India. I will be attending the conference along with two Security Researchers from my team, Kriti and Vaibhav. We are looking forward to an interesting lineup of talks, especially the keynote session by Jeff Moss, founder of Black Hat and DEF CON.

I’m most excited about the hallway conversations, which for me has always been the most interesting part of this conference and a time to catch up with some of the brightest minds in Security. This year, Adobe will have a booth at the conference and we are recruiting for the role of Security Researcher. So in case you are interested please drop by our booth with your resume or just come by to say hello.

If you haven’t registered yet for the conference, I encourage you to go ahead. The details are on the NullCon website.

See you there.

Priyank Choudhury
Manager, Secure Software Engineering

The Power of Interdisciplinary Research

I was privileged to give the keynote presentation at Norwich University’s Undergraduate Research Symposium recently, entitled “Keeping an Open Mind.” I still remember being a summer research fellow in math at Norwich, my alma mater, in 2004 and then pursuing independent studies in computer security my junior and senior years. Gaining the experience of research while still an undergrad eased my transition into a professional career in security research.

© 2013 Norwich University

© 2013 Norwich University

My message to the audience was that interdisciplinary research is possible, important, and fun. I used EO Wilson’s philosophy of consilience to reason why knowledge from diverse disciplines ought to mix: “The goal of consilience is to achieve progressive unification of all strands of knowledge in service to the indefinite betterment of the human condition.” This notion applies to our own industry of software security:  a leading practitioner would arguably be well-versed in computer science, discrete math, software engineering, systems engineering, and psychology, among other disciplines.

To demonstrate that interdisciplinary research is important I used two examples. First, the research of Prof. Kevin Warwick of the University of Reading in the UK and its potential for treating people with damaged nervous systems. Second, that of Alan Turing’s interdisciplinary work during World War II. Turing’s contributions are said to have shortened the length of the war by two years. Finally, I used the example of the winners of the 2013 Ig Nobel awards to say that research is fun and it can make us laugh and think.

I followed with practical advice about approaching research with an open mind, tracking your ideas, working with a collaborative spirit, and finding your passion in research:  when you become intrinsically motivated to learn something then there’s no stopping you – something we can all keep in mind throughout our careers.

Karthik Raman
Security Researcher

BSIMM Community Conference 2013

In mid-November, I attended the BSIMM Community Conference 2013 in Chantilly, VA.  The community represents 67 firms, and there were about 100 people in attendance.

The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives.  The BSIMM helps to measure, compare and contrast software security data.  The model also describes how mature software security initiatives evolve, change and improve over time.  Adobe was one of the nine original participants in the first version of BSIMM and has participated in subsequent BSIMM surveys.

This year the conference provided two tracks, thereby providing a smaller ratio of presenters to attendees per presentation.  Topics included Static Analysis, Software Security Meets Agile, Mobile Security, Software Security Metrics for Efficiency and Effectiveness, Architecture Analysis, Insider Threats, and Third Party Software and Security.

To sum it up, I appreciated the opportunity to connect, network and discuss comparative security initiatives, current events, and best practices with those in attendance.  Thanks to BSIMM organizers for putting on a great event.

Wendy Poland
Product Security Group Program Manager

 

Flash Player Sandbox Now Available for Safari on Mac OS X

Over the last few years, Adobe has protected our Flash Player customers through a technique known as sandboxing. Thus far, we have worked with Google, Microsoft and Mozilla on deploying sandboxes for their respective browsers. Most recently, we have worked with Apple to protect Safari users on OS X. With this week’s release of Safari in OS X Mavericks, Flash Player will now be protected by an OS X App Sandbox.

For the technically minded, this means that there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process. As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly. The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels. Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.

Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections. We’d like to thank the Apple security team for working with us to deliver this solution.

Peleus Uhley
Platform Security Strategist

Illegal Access to Adobe Source Code

Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.  Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

Adobe thanks Brian Krebs, of KrebsOnSecurity.com, and Alex Holden, chief information security officer, Hold Security LLC. holdsecurity.com  for their help in our response to this incident.

We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

For more information on Acrobat security, please visit the Acrobat Developer Center.

For more information on ColdFusion 10 security, please visit the ColdFusion Developer Center.

 

Brad Arkin

Chief Security Officer

My Summer Internship With the ASSET Team

Timber2I have spent the last three months working hard to release two coding projects for ASSET! In this blog, I am going to share my experiences working at Adobe from an intern’s perspective.

One of my projects was to develop a specialized tool written in Python for forensics experts in corporate environments. The finished tool incorporates user input on file features, in order to specify behavior and filter files by interest. For example, malicious actors might rename a RAR-compressed executable ‘X.rar’ to ‘X.jpg’ and exfiltrate it. This tool helps forensics experts locate the renamed file. In another example, when an actor encrypts compressed files to bypass AV signature scans, this tool can help detect these malicious files. The tool supports several filtering features and users can easily tweak the configuration to find whatever they are suspicious of.

The biggest part of this project is that we built our own signature library to recognize file types–this is different from most existing ones (WinHex, Scalpel, file UNIX command) which are doing rigid static-header and -footer searching. My project provides an open architecture to add more signature-searching methods. On the backend, we are implementing modules to provide searching-behavior functionality; on the frontend, signatures in the library are simply JSON objects that calls methods on corresponding tags. The objective behind the tool is that we want to explicitly know how the signatures are matched and make further extending signatures work as easily as we could.

This is a diagram of the architecture of the tool:

untangle

Currently the signature library supports several signature-searching methods, including dynamic signatures. This is really useful when handling executables (PE or ELF structured) which have file-specific computed offsets. As the needs from forensics experts increase, we will continue to develop more powerful features.

Here is a signature snippet for the DLL file type:

Dll-signature

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

ASSET Senior Manager Mohit Kalra, ASSET Security Researcher Karthik Raman  and I have been cooperating with experts from other Adobe teams and justifying a few concepts behind the project. After the tool passed several phases of testing, I showcased the tool to other interns and team members at the Adobe Intern Expo, and separately to various forensic experts at Adobe. The project was difficult, and I couldn’t have completed it without the help of my co-workers. This is one of the things I appreciated the most about my internship: teamwork that proved to be productive, solid, and congenial!

Through the internship, I’ve gained hands-on experience on industry-level projects. It has given me insight into project development cycles and let me use many coding skills that I never had the chance to use previously. Apart from the technical side, there are many aspects of life you can learn in such a big corporate environment, and I’ve enjoyed the process of adapting to it.

Timber Deng
Security Intern

Flash Player Security with Windows 8 and Internet Explorer 10

With the launch of Internet Explorer 10 on Windows 8 last year, customers have experienced improved Flash Player capabilities. Adobe worked closely with Microsoft to integrate Flash Player into Internet Explorer 10 for the Windows 8 platform, but some of our customers are still unaware of the full benefit of the security enhancements. We’d like to take the opportunity to discuss how this integration introduced several new changes that have increased end-user security.

The first significant change is that Flash Player updates for IE 10 on Windows 8 are now distributed through Windows Update. End-users are no longer prompted by the Flash Player auto-updater to update Internet Explorer. This also means that enterprises can now distribute Flash Player updates for Windows 8 through their existing Windows OS patch management workflows. For IE 10 users on Windows 7, you will continue to be updated through Flash Player’s existing update mechanisms.

Windows 8 and IE 10 bring a new level of security known as Enhanced Protected Mode (EPM). In immersive mode, EPM is enabled by default. End users can enable Enhanced Protected Mode on the desktop by selecting Tools > Internet Options > Advanced and checking “Enable Enhanced Protected Mode.”

EPM on IE 10 provides several new protections. One is that all content processes will run as 64-bit processes. This means that Flash Player will also be run as a 64-bit process which will make heap sprays more difficult. The larger address space makes it more difficult to predict the memory location of the spray with a decent statistical likelihood.

The Windows 8 OS security model also utilizes AppContainers for Windows Store. The AppContainer for Internet Explorer 10 is an improvement on the existing idea of Integrity levels. The IE 10 AppContainer brokers both read and write access to most of the operating system. This is an improvement over traditional Protected Mode where only write access was limited. Since Flash Player will be executing as a low privileged process, it will not be able to read user-owned data without user interaction. In addition, the IE 10 AppContainer enforces certain network restrictions which are described here. Since Flash Player is integrated into IE 10, Flash Player is sandboxed by the same AppContainer broker as Internet Explorer.

One aspect of the new AppContainer brokers is that Internet Explorer 10 has an unique cookie store for each mode. Browser cookies for immersive surfing will be placed in the IE 10 AppContainer storage location. Cookies created while surfing Internet-zone content in IE 10 on the desktop will be placed in the Low Integrity Level (LowIL) cookie location. Flash Player acknowledges this paradigm for Local Shared Objects (LSOs), as well. This means that any data stored from your Flash Player gaming in immersive mode will not be available to Flash Player when you are surfing with IE on the desktop. More information on how IE 10 handles cookies on Windows 8 can be found in this blog.

Overall, these new protections serve to further improve security for our Windows 8 customers while also delivering a more streamlined update workflow. Adobe will continue to work with Microsoft to better improve security for our mutual customers going forward.

Peleus Uhley
Platform Security Strategist