What motivates you to find security vulnerabilities?
I’m actually the CEO, so I don’t find security vulnerabilities anymore, but instead I spend many enlightening hours making spreadsheets. However, the Immunity team spends a lot of time examining vulnerabilities, both for our consulting clients and for CANVAS and SILICA.
I think while for some people this is a job — for Immunity’s team we look for people who find each and every vulnerability beautiful in its own way. Likewise, we look for people who like to work as part of a team — no matter how good you are at it, you simply can’t do vulnerability analysis on your own anymore.
What are the primary tools you use, and how do you use them?
One of the great things about having a big team looking at vulnerabilities is that we spend a lot of time working on our own toolset, and then we can give it to the public. Either in terms of what I like to think of as the best penetration testing framework available, CANVAS — which is also featured in InfoSec Institute’s classes — or the wireless testing product SILICA, or our free tools. We’ve released the first usable debugger that includes an SMT solver as part of the standard API. This makes things like automatically finding return-to-libc addresses quick and easy. It lets you model code in a way you really couldn’t do before without being an expert. You can say things like “What code will add one to EAX and then return”. And Immunity Debugger will search the entire codespace for you for things that do that. Even I can use it. And it’s completely free.
One of the things we announced at INFILTRATE 2011, which is our industry conference focused on offensive information technology, was a Thunderbird trojan. We literally inject ourselves into any Thunderbird plugin and take over your email client. I’m writing this email on Thunderbird, and I have no way of knowing if it’s being surreptitiously sent to someone else, my GPG keys stolen, or if someone is sending me emails to be executed on my machine as commands!
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
Immunity does a lot of consulting, mostly for large financial and manufacturing clients. What we like to tell clients is that a security consulting company’s goal is both to cover the bases, but also to surprise them. A consulting engagement should be a learning experience. So while we look for the standard user-input-validation bugs, as Citibank learned, it’s also important to look for the things you least expect!
What are you working on currently?
CANVAS and SILICA are growing by leaps and bounds, and they absorb most of my focus. If you look at penetration testing frameworks — none of them other than CANVAS have good exploits! It’s hilarious! For example, Immunity released MS11_032 as a local SYSTEM privilege escalation for all Windows versions a day after the vulnerability was patched by Microsoft. This is the kind of capability that makes penetration testing extra fun. And having a reliable kernel trojan for Windows just makes things more interesting. We have some big announcements in that direction coming out shortly.
Right now, I’m also doing QA on SILICA’s next release. It’s amazing just how much there is to wireless penetration testing that is not really publicly talked about. For example, most mobile phones send everything in cleartext. There’s protocols running over most wireless networks nobody has ever really talked about — and they’re all fun to play with. Ever messed with GSM over IP? Well, now you can! :>
Of course, personally I also try to think as big-picture as possible. It’s hard to do that and not be pompous, but we all ride the ragged edge of disaster when it comes to that. Lately I’ve been working on a talk on cyber-war that I hope will at the least be a bit interesting.
What do you think is the biggest challenge facing infosec as an industry?
Signal versus noise is a continual challenge. Anti-Virus, IDS, IPS — all these solutions are attempts at taking a high noise channel and finding signal. This is very very hard. But if you have a high signal channel, security gets very doable. El Jefe, a GPL’ed project from Immunity, does something very simple, and very effective. It hooks CreateProcess on Windows, and it sends all the data it can learn from process creation to a centralized server. Then you can simply ask your centralized server: What new processes started today. You’d be surprised how easy it is to catch hackers that way. Real hackers — not just worms and things you already know about.
So I’d say “Finding signal channels that aren’t full of noise” is the real challenge. Everyone does this in different ways. Immunity does this largely by writing exploits.
Why did you start the Daily Dave mailing list? Why have you kept it running?
DailyDave was started when Immunity started, in 2002. And now it’s an important part of the security community, in my opinion. It used to be all messages about lobster farms, Buffy the Vampire Slayer, and exploitation. Now the list is more about information security, but we try to make it a high-signal, interesting list. Occasionally I check out the membership list — it’s basically everybody who is active in the security community, which is cool to see, and certainly not something I expected when we started it.
Although it’s called “DailyDave” it’s neither daily, nor all about me. It’s really more of a watering hole for hackers. It can occasionally be political, or very technical, or both at the same time.