DeepSec 2015 Talk: Deactivating Endpoint Protection Software in an Unauthorized Manner
Your infrastructure is full of endpoints. Did you know that? You even have endpoints if you use your employees’ devices (BYOD!) or the “Cloud” (YMMV!). Can’t escape them. Since the bad girls and guys know this, they will attack these weak points first. How are your endpoints (a.k.a. clients in the old days) protected? If you use software to protect these vulnerable systems, you should attend Matthias Deeg’s talk. He will show you the art of Deactivating Endpoint Protection Software in an Unauthorized Manner:
Endpoint protection software such as anti-virus or firewall software often has a password protection in order to restrict access to a management console for changing settings or deactivating protection features to authorized users only.
Sometimes the protection can only be deactivated temporarily for a few minutes, sometimes it can be deactivated until the protection is manually enabled again or the system is restarted.
In some situations, this feature can be useful for IT support. But if the password-based authentication is not implemented properly, low-privileged attackers or malware are able to change the protection settings or to deactivate the protection entirely in an unauthorized manner without having to know the correct password, rendering the endpoint protection software useless.
In this talk, it will be shown how the violation of secure design principles can cause authentication bypass vulnerabilities that are still found in current endpoint protection software products of different manufacturers in 2015.
The chances are high that you will be affected. It’s not about passwords, it’s about secure design principles and the lack of them. Your endpoints have a problem. Make sure you know about this before the attackers do. Therefore, we recommend this presentation for everyone using or relying on any kind of endpoints. 😉