developer is an attack vector
DEVELOPER IS AN ATTACKVECTOR
Disobey, 13.1.2018. @Anakondantti / [email protected]
The film Raid – Raid asks emphatically.
I WISH TO CONFESS…
I GOT
THIS HAPPENED TO ME
1. IT’S A TREND
2. YOU ARE NOT SAFE
3. IN 2018 IT GETS WORSE
IS IT REALLY HAPPENING?
Yes. Supply Chain Attacks are a thing now.
”A subsequent investigation revealed miscreants had got into the developer's servers, implanted the malware into the download files, and then let the company infect its users as they fetched the software.”
http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/
”The rogue installer was digitally signed with the developer's legitimate certificate, which means the malicious code was added to it before it was signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.”
https://motherboard.vice.com/en_us/article/a3kgpa/ccleaner-backdoor-malware-hack
“millions of people likely downloaded it.”
”it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization,” the Cisco Talos researchers said.
WHY NOW?
KAISER
IDS & SIEM
WAF
DEP
ASLR
#1
#2
#3
PLAY PARANOID?
IN TRUST WE TRUST?
› Trust developer’s machine?
› Trust hotel WLAN (or VR’s train Wi-Fi, “VR-junaverkko”)?
› Trust USB stick from customer?
› Trust the developer as a person?
› Trust 3rd party deps?
› Trust the toolchain (javac and g++ and the like)?
› Trust CI with Jenkins?
› Trust Jenkins 3rd party plugins?
› Trust tutorials on the internet?
› ..
IT BEGINS WITH THE TOOLS
INSTALLING RUBY VERSION MANAGER
NODE VERSION MANAGER
CLOJURE BUILD TOOL, LEININGEN
INSTALL HOMEBREW ON MAC..
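The installers on the slides above are usually fetched with curl and piped straight into a shell, so whatever the download host serves is what runs. As an added example, not from the talk, here is the defensive pattern of downloading first and refusing to stage the file unless it matches a SHA-256 digest pinned out of band. The installer bytes and the pinned digest are constructed for the example, and `stage_installer` is an assumed helper name.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an installer script fetched from the network.
INSTALLER_BYTES = b"#!/bin/sh\necho 'installing toolchain'\n"

# Constructed pin. In practice this digest is copied from the project's
# release notes or signed checksum file when the release is vetted and is
# committed next to the build scripts, so a changed download is caught.
PINNED_SHA256 = hashlib.sha256(INSTALLER_BYTES).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """True only if the download matches the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.strip().lower())


def stage_installer(data: bytes, pinned_hex: str, dest_dir: str) -> str:
    """Write the verified installer to dest_dir with owner-only permissions and
    return its path. Raises ValueError on a digest mismatch, so an altered
    download never reaches the filesystem, let alone a shell."""
    if not verify_pinned(data, pinned_hex):
        raise ValueError(
            "installer digest mismatch: expected %s, got %s"
            % (pinned_hex, sha256_hex(data))
        )
    path = os.path.join(dest_dir, "installer.sh")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o700)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("staged", stage_installer(INSTALLER_BYTES, PINNED_SHA256, tmp))
        # A download that differs by a single appended line is refused.
        tampered = INSTALLER_BYTES + b"echo tampered\n"
        try:
            stage_installer(tampered, PINNED_SHA256, tmp)
        except ValueError as err:
            print("rejected:", err)
```

The pin only helps if it was recorded from a source the attacker cannot edit at the same time as the download, which is why it belongs in version control rather than on the page the installer is fetched from.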
https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/
1 DEV -> 1M DEV -> 50M USERS....
“that's because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.”
NEED MOAR VECTORS?
Vectrex from Wikimedia Commons
CLOUD! AWESOME! AGILE!
SCARED? SURPRISED?
WTF TIME!
WHAT A HANDY TOOL!
VPN KEEPS YOU SAFE! HMM.
http://dev.solita.fi/2015/05/08/inside-enterprise-vpn.html
WAT ?
VIRUS SCAN.. SO DIFFICULT TO BYPASS
FAKE GIT COMMITS (https://github.com/jayphelps/git-blame-someone-else)
› Works because Git.
› Works on GitHub too.
WAT THE ****
COPY-PASTE WITH CONFIDENCE!
http://thejh.net/misc/website-terminal-copy-paste
STOP ALREADY
PHISHING THE DEVELOPERS WITH DNS REBINDING (https://bouk.co/blog/hacking-developers/)
1. Setup DNS with minimal TTL
2. Got victim browser?
3. DNS bind haxor.do to 127.0.0.1
4. Call localhost (same-origin)
5. Profit?
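In the rebinding flow above the browser ends up talking to 127.0.0.1, but the request still carries the attacker's name in the Host header (haxor.do on the slide). A local development server that answers only to loopback host names therefore breaks step 4. As an added example, not from the talk or the linked post, here is a minimal Python dev server that applies that check; the port, the handler name and the allowlist are assumptions.

```python
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional

# Assumption: the dev server binds to loopback only, so these are the only
# names a legitimate browser tab can have used to reach it.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header: Optional[str],
                    allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Strip an optional :port and compare the host name against the allowlist.
    A rebound request arrives with the attacker's domain here, not a loopback
    name, so it is rejected even though it reached 127.0.0.1."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal such as "[::1]:8000": keep the brackets, drop the port.
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:
        host = host.split(":", 1)[0]
    return host in set(allowed)


class DevHandler(BaseHTTPRequestHandler):
    """Hypothetical dev-server handler: refuses any request whose Host header
    is not a loopback name before doing anything else."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(HTTPStatus.FORBIDDEN, "Host header not allowed")
            return
        body = b"hello from the dev server\n"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed port; bind to loopback so the service is never reachable from the LAN.
    HTTPServer(("127.0.0.1", 8000), DevHandler).serve_forever()
```

The same check belongs in any tool that listens on localhost for a developer's convenience (debuggers, build-tool status pages, desktop apps with a local API), and it has to run before authentication is skipped on the grounds that "it is only localhost".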
IS THIS REALLY NEW?
PARTY LIKE IT’S 1984?
Bogart Company
”You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.”
Ken Thompson, 1984 Turing Award Lecture, Reflections on Trusting Trust
http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf
1. WE ARE NOT SAFE
2. MITIGATION COSTS MONEY
3. IN 2018 IT GETS WORSE
QUESTIONS?
FEEDBACK: [email protected]
TRUSTWORTHY REFERENCES
› Dependencies we trust:
• https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
• http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
• https://drive.google.com/file/d/0ByL_eDzFMdXzWHh3eFJuM0xTWjg/view
• Fictional, but almost true: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
› Tools we trust:
• https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/
• http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf
› Tutorials we trust: http://thejh.net/misc/website-terminal-copy-paste
› Supply chain we trust: https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack
› Developers we trust:
• https://github.com/jayphelps/git-blame-someone-else
• https://github.com/aguerrero/Faking-Git-Commits
REFERENCES YOU CAN TRUST
› Spotify we trust: https://www.pcworld.com/article/3128289/security/spotify-ads-slipped-malware-onto-pcs-and-macs.html
› Ccleaner we trust:
• https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/
• http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/
› Wifi we trust: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
› VPN we trust: http://dev.solita.fi/2015/05/08/inside-enterprise-vpn.html
› DNS we trust: https://bouk.co/blog/hacking-developers/