Black Hat Attendees Scrutinize Adobe Flash, Website Flaws
At the Black Hat Security Conference beginning this weekend in Washington, D.C., security specialists plan to show how fragile the construct of software and hardware can be as they poke holes in the sometimes delicate weave of the Web.
Foreground Security's senior security researcher Michael Bailey, for instance, intends to perform live attacks against some of the top Web sites to show they can be compromised by exploiting what he says are design flaws in Adobe Flash.
"The point I will try to make is Flash is just as exploitable as any point on the Web," says Bailey, adding the two dozen or so Web sites he may target have been notified in advance of the weaknesses he's detected. While declining to name the specific sites that may be subject to his probes, he says they will include social-networking sites, major news outlets as well as technology companies.
The issues around Adobe Flash to be highlighted in his live demonstration are not something subject to simple patching by Adobe, according to Bailey.
Adobe is generally aware of the planned presentation though not the specifics of it, and Adobe's director of product security and privacy Brad Arkin says it sounds as though Bailey might be pointing out "common Web programming errors that developers would commonly make." Adobe's Web site makes available information, including training and materials, for helping developers with secure coding, he notes.
Potential points of vulnerability in other areas are also expected to be highlighted at the Black Hat DC security event.
David Byrne, senior security consultant at Trustwave, says he and colleague Rohini Sulatycki will show how the failure to apply known cryptographic controls to the ViewState in three Web application programming frameworks -- Microsoft ASP.Net, Sun Mojarra and Apache MyFaces -- can allow attackers to read data stored on a server. ViewState is described as a technique that allows Web application frameworks to create persistence in visual elements to maintain a constant look and feel across multiple Web pages.
"It's possible for an attacker to read data stored on a server that shouldn't be available to any user, authorized or otherwise," says Byrne, who says there will be a live demonstration of the attack (Trustwave will also make a tool available to help security professionals identify vulnerable applications). Bryne says the type of structural weakness Trustwave will reveal has been hypothesized about but never demonstrated as a proven flaw.
The remedy is using cryptographic controls based on encryption keys that are included in all three frameworks. "Our demonstration will show that under no situations should an application be put [forward on the Web] without this security," Byrne says. He adds that sometimes developers avoid using them because of performance reasons or simply ignore best security practices.
Several other presentations are expected, including those who will discuss new techniques for hacking hardware, video-surveillance systems, the Internet Explorer browser, Oracle 11g and the iPhone. Security researcher Matthieu Suiche will tackle the Mac OS X in regards to physical-memory analysis with new research that shows a snapshot of machine state at a specific time.
This story, "Black Hat: security researchers to target Adobe Flash, Web design flaws," was originally published at NetworkWorld.com. Follow the latest developments in security at Network World.