Luiz Eduardo (Director, Trustwave Spiderlabs) & Joaquim Espinhara (Security Consultant, Trustwave)
PRESENTATION TITLE: Lost in Translation
PRESENTATION ABSTRACT:
As we all know, English has been the universal language of our industry for several years now. Companies have been offering their security products and assessment tools in many countries. Most of these products have a GUI, configuration wizards and reporting capabilities in different languages to support their global customer base. But at the end of the day, what is under the hood ends up being the same, no matter which language a given product has been configured for.
With this in mind, we started performing tests with both attack and defense tools that are used and sold globally, and problems were found. The great majority of these tools, internally, only "speak" English. And when a target system protected or analyzed by these products is not configured to work in English, answering queries or providing error messages in a foreign language, these security products actually end up falling short in their basic functionality, from detecting attacks to identifying failures in applications, for example.
As a proof of concept, we created two testing environments, one in English and another in our native language, Portuguese, and ran known open source and commercial scanning tools against both. The end results were somewhat scary: the detection rate for the environment in Portuguese was up to 75% lower than for the one in English. The same happened with some defense/protection tools in the same environments.
This issue could lead to many problems. On the offensive side, it allows attackers not only to infiltrate a system but also to use a possible language change on a target system to improve their post-exploitation capabilities; on the defensive side, it can "hide" certain vulnerabilities from detection, among other implications.
Lastly, this talk will not demonstrate any new bypass techniques, but will show attack examples in real environments protected by products that have the problem described above.
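To make the failure mode in the abstract concrete, here is an added example that is not part of the talk and not code from the speakers or from Trustwave. It contrasts a scanner rule that recognises a database error only by its English wording with one that keys on the error number and SQLSTATE, which MySQL prints in front of the message and does not translate. The response bodies are constructed for the example; the Portuguese wording is an approximation of MySQL's pt_BR message catalogue and the English signature list is modelled on the style of common scanner rules, both of which are assumptions rather than anything taken from the talk.

```python
"""Toy model of English-only error signatures missing a localized target.

Added example: it does not reproduce the talk's measurements, it only shows
the mechanism the abstract describes.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed HTTP response bodies (not captured from any real system).
# The "ERROR 1064 (42000):" prefix is how the mysql client prints
# ER_PARSE_ERROR regardless of lc_messages; the Portuguese wording is an
# approximation of MySQL's pt_BR message catalogue (assumption).
ERROR_CORPUS: Dict[str, List[str]] = {
    "en": [
        "ERROR 1064 (42000): You have an error in your SQL syntax; check the "
        "manual that corresponds to your MySQL server version for the right "
        "syntax to use near ''' at line 1",
        "ERROR 1054 (42S22): Unknown column 'x' in 'where clause'",
    ],
    "pt": [
        "ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a "
        "''' na linha 1",
        "ERROR 1054 (42S22): Coluna 'x' desconhecida em 'where clause'",
    ],
}

# Benign pages in both languages, to check that neither detector false-positives.
BENIGN_PAGES: List[str] = [
    "<html><body>Welcome back, user!</body></html>",
    "<html><body>Bem-vindo de volta, usuário!</body></html>",
]

# Signatures in the style of English-only scanner rules (assumption).
ENGLISH_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Unknown column '[^']*' in '[^']*'", re.I),
    re.compile(r"supplied argument is not a valid MySQL", re.I),
]

# Locale-independent MySQL error numbers that indicate attacker input reached
# the SQL parser (1064) or schema resolution (1054).
INJECTION_HINT_CODES = {1064: "ER_PARSE_ERROR", 1054: "ER_BAD_FIELD_ERROR"}

# Two untranslated encodings of the same information: the mysql client's
# "ERROR 1064 (42000):" and PHP PDO's "SQLSTATE[42000]: ... 1064" form.
CODE_PATTERNS = [
    re.compile(r"\bERROR\s+(?P<num>\d{4})\s+\((?P<state>[0-9A-Z]{5})\)"),
    re.compile(r"SQLSTATE\[(?P<state>[0-9A-Z]{5})\][^0-9]*(?P<num>\d{4})"),
]


def english_only_detect(body: str) -> bool:
    """Scanner rule that only knows the English message text."""
    return any(sig.search(body) for sig in ENGLISH_SIGNATURES)


def locale_independent_detect(body: str) -> Optional[str]:
    """Key on the error number, which the server emits in every locale.

    Returns the symbolic error name for a known code, else None.
    """
    for pat in CODE_PATTERNS:
        m = pat.search(body)
        if m and int(m.group("num")) in INJECTION_HINT_CODES:
            return INJECTION_HINT_CODES[int(m.group("num"))]
    return None


def detection_rate(detector: Callable[[str], bool], bodies: List[str]) -> float:
    """Fraction of error bodies the detector flags."""
    return sum(1 for b in bodies if detector(b)) / len(bodies)


def compare_locales(corpus: Dict[str, List[str]]) -> Dict[str, Dict[str, float]]:
    """Per-locale detection rate of both approaches on the same error pages."""
    return {
        locale: {
            "english_only": detection_rate(english_only_detect, bodies),
            "locale_independent": detection_rate(
                lambda b: locale_independent_detect(b) is not None, bodies
            ),
        }
        for locale, bodies in corpus.items()
    }


if __name__ == "__main__":
    for locale, rates in compare_locales(ERROR_CORPUS).items():
        print(locale, rates)
    print("false positives on benign pages:",
          [b for b in BENIGN_PAGES
           if english_only_detect(b) or locale_independent_detect(b)])
```

On this constructed corpus the English-only rule detects every English error page and none of the Portuguese ones, while the code-based rule detects both at the same rate without flagging the benign pages. The caveat is that the numeric prefix is only present when the application echoes the driver's error string; where it strips the code and shows only the translated text, a scanner has no alternative to shipping localized signature sets or to blind/time-based techniques that do not depend on message text at all.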
ABOUT LUIZ EDUARDO
Luiz Eduardo is the Director of Trustwave’s SpiderLabs for Latin America and Caribbean Countries.
With 20 years of experience in the IT industry, throughout his career he has worked with possibly all types of networking technologies in the enterprise and service provider sectors, and with the security involved in these technologies, especially 802.11 WiFi. He has also developed the Incident Response practices at two networking hardware vendors. Luiz is the creator and co-founder of the y0u Sh0t the Sheriff and Silver Bullet security conferences held in Brazil and has worked on the wireless infrastructure of Blackhat, DefCon, Computer Chaos Congress and Shmoocon. As a public speaker, he has addressed numerous top-level conferences including DEF CON, FIRST, HitB, ShmooCon, BlueHat, THOTCON, ToorCon, SecTor, BayThreat, SOURCE, CONFidence and others.
ABOUT JOAQUIM ESPINHARA
He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response and application security. He has 7 years of experience and has done security research and presented talks at security conferences (H2HC, YSTS, Silver Bullet) on diverse topics such as Wireless/Network Penetration Testing, SAP Security and Database Security. Joaquim is interested in reverse engineering and vulnerability research and is also an enthusiast in cyberwar matters.