Today at the Black Hat security conference in Las Vegas, a researcher demonstrated how weaknesses in email and Web filtering solutions can be leveraged by attackers to gather valuable information which they can use in their operations.
In his presentation, Ben Williams, a senior security consultant at global information assurance specialist NCC Group, showed that while email and Web filtering products and services play an important role in protecting an organization against cyber threats, their flaws can be leveraged in the reconnaissance phase of an attack.
Last year, at Black Hat Europe, Williams revealed that email and Web gateways, firewalls, remote access servers, UTM systems and other security appliances from leading vendors are riddled with vulnerabilities that could be easily exploited by a malicious actor. Now, the expert has demonstrated that if attackers can find out how an organization’s filtering solutions are configured, they can bypass security controls and efficiently target employees without being detected.
“These are vital security controls for the majority of companies, but it can be trivial for an attacker to bypass them if they know exactly what products and services are in use and how they are configured,” Williams said. “The techniques researched and developed by NCC Group provide a clear picture of the solutions’ weaknesses in advance of an attack. Organizations should reduce information disclosure and improve both policy and configuration in order to reduce potential threats from client-side attacks.”
The researcher published two whitepapers in which he presents the tools and techniques needed for the automated enumeration of email and web filtering services, products and policies.
For example, an external attacker can determine version information, hostnames, internal IP addresses and proxy ports associated with the email/Web filtering services, software and appliances that are in use. An attacker can also access information on filtering policies, which can enable him to identify policy or configuration loopholes. An attacker can also determine how well products and services identify hidden threats in more “challenging” formats, Williams noted in his papers.
In the case of Web filtering solutions, an attacker can also find out whether any inspection or blocking is being done for HTTPS, and he can detect installed desktop antivirus products through their browser plugins.
Williams believes that the enumeration techniques he has identified can be very useful to IT security teams for spotting weaknesses and misconfiguration, and to help them assess the capabilities of filtering products and services. Detailed recommendations are included in both whitepapers.
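A security team can check its own outbound mail for the kind of disclosure described above. The following is an added example, not code from the whitepapers or from NCC Group; it assumes the details leak through `Received` and `X-*` headers, which the article does not specify, and the sample message, hostnames and product banner are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers of an outbound message as an outside recipient
# sees them. Hostnames, addresses and the product banner are invented.
SAMPLE = """\
Received: from mailgw01.corp.example.internal (mailgw01.corp.example.internal [10.20.30.40])
\tby mx.example.com (ExampleFilter 7.2.1) with ESMTP id ABC123;
\tWed, 1 Jan 2020 10:00:00 +0000
Received: from [192.168.1.57] by mailgw01.corp.example.internal with ESMTP;
\tWed, 1 Jan 2020 09:59:58 +0000
X-Scanned-By: ExampleFilter 7.2.1 on 10.20.30.40
From: alice@example.com
To: bob@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|lan|corp)\b", re.I)
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[ /]v?(\d+(?:\.\d+)+)\b")

def audit_headers(raw):
    """Return sorted (kind, header, value) findings for Received and X-* headers."""
    findings = set()
    for name, value in message_from_string(raw).items():
        if name.lower() != "received" and not name.lower().startswith("x-"):
            continue
        value = " ".join(value.split())          # undo header folding
        for ip in IP_RE.findall(value):
            try:
                if ipaddress.ip_address(ip).is_private:
                    findings.add(("internal-ip", name, ip))
            except ValueError:                   # e.g. 999.1.1.1
                pass
        for host in HOST_RE.findall(value):
            findings.add(("internal-host", name, host.lower()))
        # Strip addresses first so "on 10.20.30.40" is not read as a version.
        for product, version in VERSION_RE.findall(IP_RE.sub(" ", value)):
            findings.add(("version-banner", name, f"{product} {version}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, header, value in audit_headers(SAMPLE):
        print(f"{kind:15} {header:13} {value}")
```

Each finding is a candidate for header stripping or rewriting at the outbound gateway.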
The whitepapers on email filtering solutions and web filtering solutions are available for download.