Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
May 4-7, 2021
Virtual Event
Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
Black Hat Europe
November 8-11, 2021
Virtual Event

Understanding Firewalls: Build Them Up, Tear Them Down

A presentation at Black Hat USA will walk attendees through developing a firewall for MacOS, and then poking holes in it.

Firewalls traditionally focus on traffic coming into a network (or endpoint) from the outside. Advanced threats use a number of techniques to get around that focus – and those techniques aimed at MacOS are at the heart of research being presented at Black Hat this week.

Patrick Wardle, chief research officer at Digita Security and founder of Objective-See, decided that the best way to understand the limitations and possibilities of a firewall was to build his own. The first part of his presentation at Black Hat (and a subsequent talk at DEF CON) will be about how one goes about building a firewall that looks at traffic flowing in both directions and precisely what such a firewall can be expected to stop.

(See Wardle's session, "Fire & Ice: Making and Breaking macOS Firewalls," on Thursday, August 9, at Black Hat USA)

The second part of the presentation will look at how an attacker would go about breaking through the firewall to reach the target within. Wardle says existing third-party firewalls for MacOS protect traffic in both directions and can be quite effective.

"There are some Mac malware samples that, the first thing they do when run, is enumerate the installed software and look for one of these firewall products," Wardle says. "And if they see one of these firewall products, they will actually not infect the system because they know that the firewall will basically detect them and then give away their presence to the user."

But even good firewalls are at a disadvantage to attackers because, in the Internet era, certain communications simply must be allowed. "I run through a variety of hacks where we can basically abuse trusted protocols, trusted processes. And even though the firewalls will see these connections, they will allow them because they have no way of telling that they're actually malicious," Wardle says.

Many Mac users are more trusting than they should be because of the Mac's reputation for security. It's a reputation that Wardle says is based on history and aggressive marketing – and is less deserved than was once the case.

"In my expert professional opinion, if you look at the latest version of Windows – Windows 10 – and compare it to the latest version of OS X, there's really no comparison in terms of security. The Windows operating system is just so much more secure," Wardle says. "Any attacker who wants to infect your Mac computer, if they're advanced and sophisticated enough, they are going to have no problem hacking in."

The firewall that Wardle developed for his presentation will be available on Github at the end of his session. The software will be free and open source.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...