Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 3-6, 2019
London UK

Understanding Firewalls: Build Them Up, Tear Them Down

A presentation at Black Hat USA will walk attendees through developing a firewall for MacOS, and then poking holes in it.

Firewalls traditionally focus on traffic coming into a network (or endpoint) from the outside. Advanced threats use a number of techniques to get around that focus – and those techniques aimed at MacOS are at the heart of research being presented at Black Hat this week.

Patrick Wardle, chief research officer at Digita Security and founder of Objective-See, decided that the best way to understand the limitations and possibilities of a firewall was to build his own. The first part of his presentation at Black Hat (and a subsequent talk at DEF CON) will be about how one goes about building a firewall that looks at traffic flowing in both directions and precisely what such a firewall can be expected to stop.

(See Wardle's session, "Fire & Ice: Making and Breaking macOS Firewalls," on Thursday, August 9, at Black Hat USA)

The second part of the presentation will look at how an attacker would go about breaking through the firewall to reach the target within. Wardle says existing third-party firewalls for MacOS protect traffic in both directions and can be quite effective.

"There are some Mac malware samples that, the first thing they do when run, is enumerate the installed software and look for one of these firewall products," Wardle says. "And if they see one of these firewall products, they will actually not infect the system because they know that the firewall will basically detect them and then give away their presence to the user."

But even good firewalls are at a disadvantage to attackers because, in the Internet era, certain communications simply must be allowed. "I run through a variety of hacks where we can basically abuse trusted protocols, trusted processes. And even though the firewalls will see these connections, they will allow them because they have no way of telling that they're actually malicious," Wardle says.

Many Mac users are more trusting than they should be because of the Mac's reputation for security. It's a reputation that Wardle says is based on history and aggressive marketing – and is less deserved than was once the case.

"In my expert professional opinion, if you look at the latest version of Windows – Windows 10 – and compare it to the latest version of OS X, there's really no comparison in terms of security. The Windows operating system is just so much more secure," Wardle says. "Any attacker who wants to infect your Mac computer, if they're advanced and sophisticated enough, they are going to have no problem hacking in."

The firewall that Wardle developed for his presentation will be available on Github at the end of his session. The software will be free and open source.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Sensitive Data Lingers on Used Storage Drives Sold Online
Ericka Chickowski, Contributing Writer, Dark Reading,  4/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11538
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.
CVE-2019-11539
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web...
CVE-2019-11540
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
CVE-2019-11541
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.
CVE-2019-11542
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authentica...