DEVELOPER IS AN ATTACKVECTOR

Disobey 13.1. 2018@Anakondantti --/-- Antti.Virtanen@solita.fi

Elokuva Raid – Raid kysyy pontevasti.

I WISH TO CONFESS…

I GOT

THIS HAPPENED TO ME

1. IT’S A TREND2. YOU ARE NOT SAFE

3. IN 2018 IT GETS WORSE

IS IT REALLY HAPPENING?Yes. Supply Chain Attacks are a thing now.

”A subsequent investigation revealed miscreants had got into the developer's servers, implanted the malware into the download

files, and then let the company infect its users as they fetched the software.

http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/

”The rogue installer was digitally signed

with the developer's legitimate certificate, which means the malicious code was added to it before it was

signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.

https://motherboard.vice.com/en_us/article/a3kgpa/ccleaner-backdoor-malware-hack

“millions of people likely downloaded it.”

”it is likely that an external attacker

compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted

by the organization," the Cisco Talos researchers said

WHYNOW?

KAISER

IDS & SIEMWAF

DEP

ASLR

#1

#2

#3

SOITTAKAAPARANOID?

IN TRUST WE TRUST?› Trust developer’s machine?

› Trust hotel WLAN (or “VR-junaverkko”) ?

› Trust USB stick from customer?

› Trust the developer as a person?

› Trust 3rd party deps?

› Trust the toolchain (javac and g++ and the like)

› Trust CI with Jenkins?

› Trust Jenkins 3rd party plugins?

› Trust tutorials at internet?

› ..

IT BEGINS WITH THE TOOLS

INSTALLING RUBY VERSION MANAGER

NODE VERSION MANAGER

CLOJURE BUILD TOOL, LEININGEN

INSTALL HOMEBREW ON MAC..

https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

1 DEV -> 1M DEV -> 50M USERS....“that's because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.”

NEEDMOARVECTORS?

Vectrex from Wikimedia Commons

CLOUD! AWESOME! AGILE!

SCARED? SURPRISED?

WTF TIME!

WHAT A HANDY TOOL!

VPN KEEPS YOU SAFE! HMM.HTTP://DEV.SOLITA.FI/2015/05/08/INSIDE-ENTERPRISE-VPN.HTML

WAT ?

VIRUS SCAN.. SO DIFFICULT TO BYPASS

FAKE GIT COMMITS(HTTPS://GITHUB.COM/JAYPHELPS/GIT-BLAME-SOMEONE-ELSE)

› Works because Git.

› Works on GitHub too.

WAT THE ****

COPY-PASTE WITH CONFIDENCE!HTTP://THEJH.NET/MISC/WEBSITE-TERMINAL-COPY-PASTE

STOP ALREADY

PHISHING THE DEVELOPERS WITH DNS REBINDING (HTTPS://BOUK.CO/BLOG/HACKING-DEVELOPERS/)

1. Setup DNS with minimal TTL

2. Got victim browser?

3. DNS bind haxor.do to 127.0.0.1

4. Call localhost (same-origin)

5. Profit?

IS THIS REALLY NEW?

PARTY LIKE IT’S 1984?Bogart Company

”You can't trust code that you did not totally create yourself. (Especially code from companies that employ

people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.

Ken Thompson 1984 Turing Award Lecture,Reflections on Trusting Trust

http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf

1. WE ARE NOT SAFE2. MITIGATION COSTS MONEY

3. IN 2018 IT GETS WORSE

QUESTIONS?

FEEDBACK: ANTTI.VIRTANEN@SOLITA.FI

TRUSTWORTHY REFERENCES› Dependencies we trust:

• https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

• http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html

• https://drive.google.com/file/d/0ByL_eDzFMdXzWHh3eFJuM0xTWjg/view

• Fictional, but almost true: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

› Tools we trust:• https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

• http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf

› Tutorials we trust: http://thejh.net/misc/website-terminal-copy-paste

› Supply chain we trust: https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack

› Developers we trust:• https://github.com/jayphelps/git-blame-someone-else

• https://github.com/aguerrero/Faking-Git-Commits

REFERENCES YOU CAN TRUST

› Spotify we trust: https://www.pcworld.com/article/3128289/security/spotify-ads-slipped-malware-onto-pcs-and-macs.html

› Ccleaner we trust:• https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

› http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/

› Wifi we trust: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html

› VPN we trust: http://dev.solita.fi/2015/05/08/inside-enterprise-vpn.html

› DNS we trust: https://bouk.co/blog/hacking-developers/