imperva - hacking encounters of the 3rd kind

Post on 13-Jul-2015


Category: Presentations & Public Speaking


TRANSCRIPT

© 2014 Imperva, Inc. All rights reserved.

Hacking Encounters of the 3rd Kind

Looking Into the Security Impact of 3rd Party Software


Barry Shteiman, Director of Security Strategy, Imperva


Agenda


Introduction

What is 3rd party software

Latest examples

Hacking of a known component

Addressing the problem

Wrap up


Barry Shteiman, Director of Security Strategy


Security Researcher working with the CTO office

Author of several application security tools, including HULK

Open source security projects code contributor

Twitter @bshteiman


What Is 3rd Party Software


3rd Party Software Defined


A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.

Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component


Identified by Type


• Software created by a 3rd party supplier

• Software components created by a 3rd party

• Infrastructure/Software as a service


Adoption

According to Veracode:

• “Up to 70% of internally developed code originates outside of the development team”

• 28% of assessed applications are identified as created by a 3rd party

[Chart: Application by supplier type. Values as extracted: 72%, 18%, 9%, 1%; legend: Internally Developed, Commercial, Open Source, Outsourced. The 72% internally developed share is consistent with the 28% third-party figure above.]


Pros vs. Cons


Pros:

• Reduced development time and cost

• Smaller R&D team is required

• Mature solution used by many

Cons:

• Delayed/No SLA on patches

• SDLC gap

• Patches may introduce new bugs


OWASP Top 10, “Using Known Vulnerable Components”


Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Source: OWASP Top 10 2013 Whitepaper


What’s Vulnerable?


Source: Aspect Security’s study “Understanding Security Risks in OSS Components”

Aspect Security study:

“A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”


Landscape Impact


Source: Secunia Vulnerability Review 2014, http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389

Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs


Into the Wild


Looking Into Recent Incidents


A Social Experiment


Source: Topsy social analytics


Ever Seen a Bleeding Server?


Heartbleed (CVE-2014-0160)

• A bug in OpenSSL, allowing data leakage directly from server memory

• OpenSSL is used for Web servers, network appliances, and client software packages

• OpenSSL runs on 66% of SSL protected websites

Sources:

- Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html

- Heartbleed.com


But I Can Patch It! Can’t I?


ChangeCipherSpec (CVE-2014-0224)


3rd Party Code Driven Incidents


Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/

WordPress plugin vulnerabilities… A Petri dish.


From Our Own Threat Advisories


Show Me More


Hacking of a Known Component


Zero-Days vs. Known Vulnerabilities


Zero-days get all the glory

• Technically interesting

• Give rise to some interesting theoretical questions: how to defend against the “unknown unknowns?”

But known vulnerabilities are doing a lot of the damage

• Provide hackers with a very cost-effective method to exploit applications

http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif


Hacking a Known Component

Apache Tomcat, running the Apache Struts2 library. The target server is running a couple of applications that use the Struts library.


Hacking a Known Component

Struts2 showcase application, running with the Struts2 library.


Hacking a Known Component


Source: www.exploit-db.com

Let’s find ourselves a nice exploit for Struts.

Apache has many extension libraries; Struts is among the most popular.


Let’s Attack Apache Struts


CVE of the day: CVE-2013-2251. Now we need an exploit!


Remote Code Execution


[Screenshot annotations, in sequence: “Attempting Remote Code Injection” → “Injection Complete” → “PWN3D! Hacker now owns the server.”]


Botnets Are Targeting Known Components


Recently observed:

• Botnets scan public servers for vulnerabilities

• Inject hijack/drive-by code into vulnerable systems

• Onboard hijacked systems into the botnet


From a Botnet Communication


Botnet operator uses zombies to scan sites for vulnerabilities*

* As observed by Imperva’s ADC Research Team


From a Botnet Communication


Botnet exploits vulnerabilities and absorbs victim servers*

* As observed by Imperva’s ADC Research Team


Addressing the Problem


Explore the Options


1. Don’t use 3rd party components?

2. Use 3rd party components, responsibly:

• Identify 3rd party components; track versions and dependencies

• Monitor the security state of components

• Continuously pentest the application that includes third party components

• Create an acceptance process for new components which includes security validation

• Disable unused functionality

• Introduce compensating controls, such as Web Application Firewalls, to reduce risk
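The first two steps above (identify components, track versions, monitor their security state) are the ones most easily automated, and the following Python script is an added example of doing so; it is not code from the Imperva deck. It assumes a constructed `name==version` manifest and a hand-written advisory list: the two CVEs cited in the deck carry the affected ranges published in the OpenSSL and Apache Struts advisories, and the third entry is a constructed placeholder that deliberately does not match the manifest, so the upper bound of a range is exercised. In practice the advisory data would be pulled from a vulnerability feed such as the NVD, and the manifest from a lockfile or SBOM.

```python
"""Third-party component inventory check (added example, not Imperva's code).

Parses a ``name==version`` manifest, compares each pinned version against
advisories with an inclusive "introduced" and exclusive "fixed" bound, and
reports every component sitting inside a known-vulnerable range.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest; a real run would read a lockfile or SBOM.
SAMPLE_MANIFEST = """
# component==version
struts2-core==2.3.15
openssl==1.0.1f
commons-fileupload==1.3.1
jquery==1.11.1
"""


@dataclass(frozen=True)
class Advisory:
    cve: str          # advisory identifier
    component: str    # component name exactly as used in the manifest
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


# The two CVEs from the deck, with ranges from the public vendor advisories.
# EXAMPLE-0001 is a constructed placeholder whose range ends below the
# manifest's 1.3.1, so it must not produce a finding.
ADVISORIES = [
    Advisory("CVE-2013-2251", "struts2-core", "2.0.0", "2.3.15.1"),
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),
    Advisory("EXAMPLE-0001", "commons-fileupload", "1.0", "1.3"),
]

_PIECE = re.compile(r"(\d+)([a-z]?)")  # one dotted piece: digits + optional letter


def parse_version(text):
    """Turn '1.0.1f' into ((1,0),(0,0),(1,6)) so plain tuple ordering is right.

    A bare number ranks letter 0, so 1.0.1 < 1.0.1a < 1.0.1f < 1.0.1g, and
    2.3.15 < 2.3.15.1 because a shorter tuple sorts before a longer one
    sharing its prefix. Multi-letter suffixes (e.g. "za") are rejected.
    """
    parts = []
    for piece in text.strip().split("."):
        m = _PIECE.fullmatch(piece)
        if m is None:
            raise ValueError(f"unsupported version string: {text!r}")
        num, letter = m.groups()
        parts.append((int(num), ord(letter) - ord("a") + 1 if letter else 0))
    return tuple(parts)


def parse_manifest(text):
    """Return [(component, version), ...] from 'name==version' lines."""
    inventory = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        inventory.append((name.strip(), version.strip()))
    return inventory


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Return [(component, version, cve, fixed_in), ...] for every match."""
    findings = []
    for name, version in inventory:
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append((name, version, adv.cve, adv.fixed))
    return findings


def report(manifest_text=SAMPLE_MANIFEST):
    """Print one line per finding and return the findings for further use."""
    findings = find_vulnerable(parse_manifest(manifest_text))
    for name, version, cve, fixed in findings:
        print(f"{name} {version}: affected by {cve}, upgrade to >= {fixed}")
    return findings


if __name__ == "__main__":
    report()
```

Run on the sample manifest, the script flags `struts2-core 2.3.15` and `openssl 1.0.1f` and stays silent on the other two components. Keeping the comparison as "introduced <= v < fixed" rather than matching exact version strings is what makes the check survive a partial upgrade: bumping Struts to 2.3.15.1 clears the finding, while a move to any 2.3.x below that does not.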


Recommendations

When a company builds its security model it usually does not take into account elements that are not in its control, which creates the security hole.

Companies should:

• Implement policies on both the legal and technical aspects to control data access and data usage

• Have processes and controls in place to effectively manage and secure code involving 3rd party components

• Continuously monitor


Wrap Up


Webinar Materials


Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link

Join Group: Join Imperva LinkedIn Group, Imperva Data Security Direct, for…


Questions?


www.imperva.com


Thank You
