Using McAfee Secure/TrustGuard as Attack Tools Derbycon 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)

McAfee Secure (née ScanAlert) and other “trust mark” vendors are site
security “certification” tools designed to assist e-commerce websites in
creating a sense of consumer confidence in the security of the website they are
visiting. To accomplish this, they run a daily scan of the site, and if the scan
turns up no serious issues, a symbol is displayed on the website, letting the
site visitor know the site has been scanned and is “compliant”.

Unfortunately, McAfee Secure (and every other security seal vendor) suffers from
the same critical issues that allow attackers to use their tools as a one-stop
shop for network reconnaissance and turn the tools from a defensive tool into
the ultimate attack tool.

In this presentation we will illustrate the ease with which an attacker can
enumerate all the sites protected by the various services, using simple SEO
crawls and OCR to defeat graphic-based providers, and use the collected
information to reveal vulnerable sites without sending a single packet to the
sites themselves.

We then analyze the McAfee Secure and TrustGuard scans to determine which
vulnerabilities are, and are not, being enumerated, and by using this data
determine what new vulnerabilities are being scanned for since the prior scan(s).
This delta in turn is used to attack newly failed sites first in order to both
reduce the attack footprint, and maximize attack efficiency.

Finally, we will demonstrate Oizys, a seal harvesting tool, which automates the
process and essentially turns HackerSafe and Trust Guard into a near-real-time
alerting tool for hackers.

Jay James / Shane MacDougall

Jay James is a principal partner at Tactical Intelligence Inc, and is a
recovering system administrator and an outspoken critic of the IT audit and
compliance procedure. His presentations last year at BSidesLV and ToorCon
resulted in an unceremonious firing from LPL Financial because of the subversive
subject matter (how IT audit sucks). He was barred by his new employer from
presenting this talk at BSidesLV – so he is looking forward to a chance to
actually speak on this topic in Kentucky.

Shane MacDougall is a principal partner at Tactical Intelligence Inc, and has
been active in the computer security industry since 1989. He has been an
associate editor of PenTest Magazine, and has presented at BlackHat EU, BSidesLV,
ToorCon, and LASCON. He holds two Defcon Black Badges for winning the Defcon 19
and 20 Social Engineering CTF competitions.