developer as a malware distribution vehiclethe ken thompson hack • modify c compiler to...
TRANSCRIPT
@guypod
Developer as a Malware Distribution Vehicle
Guy Podjarny (@guypod)
@guypod
About Me
• CEO & Co-Founder at Snyk • Find & Fix vulnerabilities in open source dependencies!
• Founder @Blaze, CTO @Akamai • Security work since 1997 • DevOps & Performance since 2010 • A Developer
@guypod
Developers are more powerful
than ever
@guypod
That can be Dangerous
@guypod
I’m here to tell youa few stories…
@guypod
XCodeGhost
@guypod
The time: September, 2015
@guypod
XCode: iOS Dev Platform
@guypod
Xcode is BIG…
Was 3GB in 2015
@guypod
Xcode downloads inChina come from the US
and are SLOW
@guypod
• Hosted inside the great firewall
• Must faster to download
• Found via forums etc
Devs use local mirrors
• And… some contain malware !(dubbed XcodeGhost)
@guypod
XcodeGhost Malware
• Includes a malicious CoreServices component
• Component is compiled into the iOS app
• Submitted to app store, evades detection!
• Malware spies on users installing the apps
@guypod
XcodeGhost wentundetected
for4 months
@guypod
Up to 300 affected apps
WeChat(China’s WhatsApp)
Didi(China’s Uber)
Railway 12306 (Train Tickets)
+ Dozens of US apps
@guypod
Some apps compromised Via a Library
https://possiblemobile.com/2015/11/a-lesson-in-xcode-ghost-third-party-frameworks/
@guypod
Up to 1.4M active victims/day!
http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/
@guypod
Not just in China (DNS queries to evil sites by geo)
http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/
@guypod
Apple cleans up App Store immediately, Users take months to update.
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
@guypod
@guypod
Local Xcode downloads
@guypod
“[CoreServices] is a Mach-O object file that is used by LLVM linker and can’t directly execute in any way”
https://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
@guypod
Developers were adistribution vehicle.
@guypod
XcodeGhost Was not the first
@guypod
The year: 2009
@guypod
@guypod
Developers still used Delphi
@guypod
Induc Malware
• Detects if Delphi is installed
• Compiles sysconst.pas to a malicious sysconst.dcu
• Malware added to every program compiled on machine
• Every execution of Induc compromises local sysconst.dcu
@guypod
Induc ~> XcodeGhost• Took longer to find
• 10 months!
• Spread faster • Kaspersky:“millions of copies”
• More viral and hard to remove • no unofficial downloads, no app store
• Replicates via compilers, not executables
@guypod
Developers were adistribution vehicle.
@guypod
Induc was not that original
either!
@guypod
The year: 1984
@guypod
“Reflections on Trusting Trust” Ken Thompson, 1984
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
@guypod
“I would like to present to you the cutest program I ever wrote…”
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
@guypod
The Ken Thompson Hack
• Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1)
• C compiler to replicate the trojans (Trojan 2)
• Disassembler to hide the trojans (Trojan 3)
• Remove these trojans code from the source code
Originally described by Karger and Schell in 1974, dubbed Multics vulnerability
@guypod
If this happened How would you find out?
“Solution” by David Wheeler, 2005: two independent compilers producing bit-identical output
@guypod
“I picked on the C compiler. I could have picked on any program-handling program
…As the level of program gets lower, these bugs will be harder and harder to detect”
@guypod
“The moral is obvious. You can't trust code that you
did not totally create yourself. (Especially code from companies that employ people like me.)”
@guypod
Who heretotally created their code?
@guypod https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
@guypod
Back to today…
@guypod https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
@guypod https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
@guypod
Malicious PyPi packages (2017)
@guypod
Malicious npm packages (2017, 2018)
20172018
@guypod
RubyGems Hacked (2013,2016)
2013 2016
@guypod https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers
Malicious Docker Images (June 2018) - THIS MONTH
@guypod
These are the oneswe know about
@guypod
• Mario Heidrich fixed a bug in Angular… and introduced a vulnerability!
• Angular accepted the “fix”
• Google security team blocked release
Injecting Vulnerability into Angular.js (2015)
https://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs/54
@guypod
How often are vulnerabilities intentional?
https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/
@guypod
Developers were adistribution vehicle.
@guypod
The pace of shipping code
is skyrocketing
@guypod
Our usersTrust
the code we ship
@guypod
From Code
toSystems & Data
@guypod
Developers access production systems
daily
@guypod
Developers access user data
daily
@guypod
That can be Dangerous
@guypod
TheSyrian Electronic Army
and theFinancial Times
@guypod
1. Phishing email to employees whohad publicly shared their email
Masked link to an attacker controlledcompromised site
@guypod
2. Link redirects to spoofed FT Single Sign-on
page (for Google Apps)
Some users entered their passwords…
@guypod
3. Attackers use compromised accounts to Email more FT users
this time from an FT email address
More users are compromised…
@guypod
4. IT finds out, sends warning email to all. Attackers send identical email - with evil links
@guypod
5. Attackers gain access to severalofficial Twitter accounts blog
https://www.telegraph.co.uk/technology/twitter/10064184/Financial-Times-hacked-by-Syrian-Electronic-Army.html
@guypod
“A sobering day” by Andrew Betts,
a compromised FT developer
https://labs.ft.com/2013/05/a-sobering-day/
@guypod
“Developers might well think they’d be wise to all this – and I thought I was.”
https://labs.ft.com/2013/05/a-sobering-day/
@guypod
Developers were the 2nd most likely to click a link in a phishing email
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
Internal Salesforce Phishing Testrun by Masha Sedova (@modMasha)
@guypod
Compromising ahigh privileged developer
is hitting the jackpot
@guypod
The Uber Hack
of 2016
@guypod
Attackers accessed details of 600,000 Uber drivers
and “some personal info” of57M Uber users
@guypod
Uber paid $100,000 ransom
disguised as a bug bounty
@guypod
Uber didn’t report the breachfor a FULL YEAR
(until Nov, 2017)
@guypod
Uber Hack Details
• Dev pushed S3 tokens to private github.com repo • Attackers gained access to repo, stole tokens
• Uber was not using 2FA
• Attackers used token to steal info from S3
@guypod
“we immediately instituted multifactor authentication on Github.
We then subsequently ceased using
GitHub except for items like open source code”
@guypod
Uber Hack of 2014
• Dev stored sensitive URL in public github.com gists • Attacker accessed data in May, 2014
• “Only” 50,000 drivers exposed that time
• Uber discovered breach in September, 2014 • Uber notified drivers in February, 2015
@guypod
Developers can access Extremely Sensitive Data
and expose it too often
Chalker, 2015Dan Godin, 2013
@guypod
These stores are just a few examples
of MANY
@guypod
Developers are more powerful
than ever
@guypod
WithGreat Power
comesGreat Responsibility
@guypod
Why are developersfalling for these?
@guypod https://www.youtube.com/watch?v=fDryj_9I5eM
Rachel Ilan Simpson@rilan
Guy Podjarny@guypod
@guypod
Why do people make insecure decisions?
• Different motivations • Cognitive Limitations • Lack of Expertise
@guypod
Why do developers make insecure decisions?
• Different motivations • Our goal is improved functionality, security is just a constraint
• Cognitive Limitations • We move fast, and sometimes break things - including security
• Lack of Expertise • We often don’t understand the security implications of our decisions
@guypod
Developers are alsoOver Confident
@guypod
“I find training developers, actually to be much harder than regular employees”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
@guypod
“there's a certain amount of arrogance associated with, "I already know this,"or "I'm
smarter than this." ”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
@guypod
“Most developers that I talk to, specifically, don't actually believe security is an
issue that happens at their company”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
@guypod
Security breaches Can happen to You
@guypod
You areTrustworthy
but Not Infallible
@guypod
How can we Mitigate
this risk?
@guypod
Learn lessons fromPast Incidents
@guypod
Automate Security Controls
• Apple: Malware detection in app store • npm: Malicious package detection in registry • FT: 2FA on SSO Page • Uber: 2FA on GitHub.com, then move to self hosted git
@guypod
Make it Easy to be Secure
• Apple: Stand up fast local Xcode download mirrors • FT: “Reducing and removing privileges more aggressively” • Uber: Auto-expire AWS tokens • npm/PyPi/Docker: Flag/block malicious packages
@guypod
Developer Education
• Apple: Encourage dev to validate Xcode Download • npm: Blog about malicious packages & typosquatting • FT: “set clearer expectations of security standards” • Angular: Require 2 expert reviewers for sensitive code
@guypod
Caringabout security
Ease of being secure
@guypod
ManageAccess
Like a Tech Giant
@guypod
Google BeyondCorp
https://cloud.google.com/beyondcorp/
@guypod
BeyondCorp in a nutshell
• All access done via a corporate proxy • Eliminates trusted network
• Proxy grants access per user & device • No more static credentials
• Access is logged and monitored • Anomalies can be detected during or after actions
https://www.slideshare.net/fortyfivan/beyondcorp-sf-meetup-closing-the-adherence-gap
@guypod
Microsoft Privileged Access Workstations (PAW)
@guypod
PAWs in a nutshell
• Access to production requires a secure machine • With strict controls and no further internet access
• Your “Desktop” runs as a VM on the machine • Running a secure VM in an insecure host isn’t enough
• Optionally a “Guarded Host” can host both VMs • Allows more flexibility and routine updates to the PAW
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
@guypod
Detailed PAW Guidance (windows centric)
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
• PAW deployment guide• Why use shielded VM for PAW? • How to deploy VM template for PAW• Building VM template for PAW• Connect to VMs on PAW• Shielded VM local mode vs HGS mode• How to build the PAW host
@guypod
Netflix - BLESS
@guypod
QCon NYC 2017 Talk!
https://www.infoq.com/presentations/bless-security-ops-ssh
@guypod
BLESS in a nutshell• Central SSH Certificate Authority (Lambda based)
• Centrally manage keys & track SSH permissions per user/system
• Instances trust CA instead of managing keys
• Dev SSH via a Bastion (jump host) server • Lyft uses BLESS server to manage SSH access to Bastion too
• Bastion manages access per BLESS Server instructions • Logs access & can enforce custom rules (e.g. allowed source IP)
https://www.infoq.com/presentations/bless-security-ops-ssh
@guypod
More on Netflix BLESS
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
• GitHub repo https://github.com/Netflix/bless
• Lyft on using BLESS for Bastion access https://eng.lyft.com/blessing-your-ssh-at-lyft-a1b38f81629d
• Bryan Payne's QCon NYC talk https://www.infoq.com/presentations/bless-security-ops-ssh
@guypod
Controlling access makes
Security easier
@guypod
Beyond learning from others,Ask Questions!
@guypod
When someone asks for accessChallenge It
@guypod
What happens if you don’t allow access?
or only grant partial access?
@guypod
How Urgently is access needed?
@guypod
How long is access needed for?
@guypod
How bad would it be if this access was Compromised?
@guypod
If access was compromised, How would you find out?
and how quickly?
@guypod
If access was compromised, What would you do?
@guypod
Agility vs
Safety
@guypod
Developers are alucrative target
and attackers know it
@guypod
UsersTrust You
@guypod
Care about user safetyeven if it’s hard
@guypod
Don’t be aMalware distribution vehicle
@guypod
Developer as a Malware Distribution Vehicle
Guy Podjarny (@guypod)
Thank You!