I Know Your Filtering Policy Better than You Do: External Enumeration and Exploitation of Email and Web Security Solutions

Presented at Black Hat USA 2014, Aug. 7, 2014, 9 a.m. (60 minutes)

Email and web filtering products and services are core components for protecting company employees from malware, phishing and client-side attacks. However, it can be trivial for an attacker to bypass these security controls if they know exactly what products and services are in use, how they are configured, and have a clear picture of the solutions' weaknesses in advance of an attack. The Speaker has previously demonstrated that email and web filtering security appliances often have vulnerabilities which can be exploited to enable an attacker to gain control of these systems (and the data they process). More recently, he has been researching what information an external attacker can discover about the filtering solutions that a target organization has, and how to bypass controls to deliver effective client-side attacks to target employees, without detection. In this presentation, the Speaker will demonstrate new tools and techniques for the automated enumeration of email and web filtering services, products and policies, and will show how flaws can be discovered and exploited. This presentation will include statistical analysis of the filtering products, services and policies used by some of the world's top companies. He will show examples of easy-to-create client-side attacks which evade most filtering solutions, and work on fully patched systems to give attackers remote control. These tools and techniques are very useful from a defensive perspective, to quickly enable the identification of filtering weaknesses and misconfiguration, or to assess the capabilities of filtering products and services.

Presenters:

• Ben Williams - NCC Group
  Ben Williams is a Senior Security Consultant for NCC Group in the UK where his time is split between penetration testing and research. He has escalated vulnerabilities in software products and appliances to a wide range of vendors, including exploitable flaws in security products from various well-known companies including: Websense, Citrix, Cisco, McAfee, Symantec, Sophos, Trend Micro, Barracuda Networks among others. Ben has presented his research previously at several major security conferences (especially on the subject of "Hacking Security Appliances").

Links:

• https://www.blackhat.com/us-14/archives.html#i-know-your-filtering-policy-better-than-you-do-external-enumeration-and-exploitation-of-email-and-web-security-solutions
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/I Know Your Filtering Policy Better than You Do.mp4
• https://www.youtube.com/watch?v=MY0TdEVChho
• https://www.blackhat.com/docs/us-14/materials/us-14-Williams-I-Know-Your-Filtering-Policy-Better-Than-You-Do.pdf
• https://www.blackhat.com/docs/us-14/materials/us-14-Williams-I-Know-Your-Filtering-Policy-Better-Than-You-Do-wp1.pdf

Similar Presentations:

• DEF CON 31 (2023) / #NoFilter: Abusing Windows Filtering Platform for privilege escalation
• SAINTCON 2019 / The Culture of Filtering: Filtering for Fear vs Filtering for the Student
• SAINTCON 2019 / Legislative Concerns and Direction for Student Data Privacy, Security and Filtering Development and How Data Security Professionals Can Help