Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 3-6, 2019
London UK

Understanding Firewalls: Build Them Up, Tear Them Down

A presentation at Black Hat USA will walk attendees through developing a firewall for MacOS, and then poking holes in it.

Firewalls traditionally focus on traffic coming into a network (or endpoint) from the outside. Advanced threats use a number of techniques to get around that focus – and those techniques aimed at MacOS are at the heart of research being presented at Black Hat this week.

Patrick Wardle, chief research officer at Digita Security and founder of Objective-See, decided that the best way to understand the limitations and possibilities of a firewall was to build his own. The first part of his presentation at Black Hat (and a subsequent talk at DEF CON) will be about how one goes about building a firewall that looks at traffic flowing in both directions and precisely what such a firewall can be expected to stop.

(See Wardle's session, "Fire & Ice: Making and Breaking macOS Firewalls," on Thursday, August 9, at Black Hat USA)

The second part of the presentation will look at how an attacker would go about breaking through the firewall to reach the target within. Wardle says existing third-party firewalls for MacOS protect traffic in both directions and can be quite effective.

"There are some Mac malware samples that, the first thing they do when run, is enumerate the installed software and look for one of these firewall products," Wardle says. "And if they see one of these firewall products, they will actually not infect the system because they know that the firewall will basically detect them and then give away their presence to the user."

But even good firewalls are at a disadvantage to attackers because, in the Internet era, certain communications simply must be allowed. "I run through a variety of hacks where we can basically abuse trusted protocols, trusted processes. And even though the firewalls will see these connections, they will allow them because they have no way of telling that they're actually malicious," Wardle says.

Many Mac users are more trusting than they should be because of the Mac's reputation for security. It's a reputation that Wardle says is based on history and aggressive marketing – and is less deserved than was once the case.

"In my expert professional opinion, if you look at the latest version of Windows – Windows 10 – and compare it to the latest version of OS X, there's really no comparison in terms of security. The Windows operating system is just so much more secure," Wardle says. "Any attacker who wants to infect your Mac computer, if they're advanced and sophisticated enough, they are going to have no problem hacking in."

The firewall that Wardle developed for his presentation will be available on Github at the end of his session. The software will be free and open source.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVE-2019-8424
PUBLISHED: 2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVE-2019-8425
PUBLISHED: 2019-02-18
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVE-2019-8426
PUBLISHED: 2019-02-18
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
CVE-2019-8427
PUBLISHED: 2019-02-18
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.