hacking encounters of the 3rd kind
TRANSCRIPT
© 2014 Imperva, Inc. All rights reserved.
Hacking Encounters of the 3rd Kind
Looking Into the Security Impact of 3rd Party Software
Confidential 1
Barry Shteiman, Director of Security Strategy, Imperva
Agenda
§ Introduction
§ What is 3rd party software
§ Latest examples
§ Hacking of a known component
§ Addressing the problem
§ Wrap up
Barry Shteiman, Director of Security Strategy
§ Security Researcher working with the CTO office
§ Author of several application security tools, including HULK
§ Open source security projects code contributor
§ Twitter @bshteiman
What Is 3rd Party Software
3rd Party Software Defined
A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.
Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
Identified by Type
• Software created by a 3rd party supplier
• Software components created by a 3rd party
• Infrastructure/Software as a service
Adoption
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
[Pie chart: Application by supplier type. Segments: Internally Developed, Commercial, Open Source, Outsourced (72%, 18%, 9%, 1%).]
Pros vs. Cons
Pros:
• Reduced development time and cost
• Smaller R&D team is required
• Mature solution used by many
Cons:
• Delayed/no SLA on patches
• SDLC gap
• Patches may introduce new bugs
OWASP Top 10, “Using Known Vulnerable Components”
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Source: OWASP Top 10 2013 Whitepaper
What’s Vulnerable?
Source: Aspect Security’s study “Understanding Security Risks in OSS Components”
Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
Landscape Impact
Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389
Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
Into the Wild
Looking Into Recent Incidents
A Social Experiment
Source: Topsy social analytics
Ever Seen a Bleeding Server?
Heartbleed (CVE-2014-0160)
• A bug in OpenSSL, allowing data leakage directly from server memory
• OpenSSL is used for Web servers, network appliances, and client software packages
• OpenSSL runs on 66% of SSL protected websites
Sources: Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html; Heartbleed.com
But I Can Patch It! Can’t I?
ChangeCipherSpec (CVE-2014-0224)
3rd Party Code Driven Incidents
Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/
WordPress plugin vulnerabilities… A Petri Dish.
From Our Own Threat Advisories
Show Me More
Hacking of a Known Component
Zero-Days vs. Known Vulnerabilities
§ Zero-days get all the glory
• Technically interesting
• Give rise to some interesting theoretical questions: how to defend against the “unknown unknowns”?
§ But known vulnerabilities are doing a lot of the damage
• Provide hackers with a very cost-effective method to exploit applications
http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
Hacking a Known Component
Apache Tomcat, running the Apache Struts2 library.
The target server is running a couple of applications that use the Struts library.
Hacking a Known Component
Struts2 showcase application, running with the Struts2 library.
Hacking a Known Component
Source: www.exploit-db.com
Let's find ourselves a nice exploit for Struts.
Apache has many extension libraries; Struts is among the most popular.
Let's Attack Apache Struts
CVE of the day: CVE-2013-2251. Now we need an exploit!
Remote Code Execution
Remote Code Execution
Attempting Remote Code Injection
Injection Complete
Hacker now owns the server. PWN3D!
Botnets Are Targeting Known Components
Recently observed:
• Botnets scan public servers for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
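The Struts slides and the botnet slide above describe the same defender-side problem: requests that probe a server for a known vulnerable component show up in ordinary access logs long before the server is "absorbed". The following is an added example written for this deck, not Imperva's or the speaker's code. It scans constructed Apache/nginx combined-format log lines for the request shape named in the public advisory for CVE-2013-2251 (a parameter carrying an `action:`, `redirect:` or `redirectAction:` prefix together with an OGNL expression marker `${` or `%{`). The log lines, client addresses and paths are constructed sample data; the `scan_log` and `is_struts_prefix_injection` helpers are this example's own names.

```python
"""Flag access-log requests that match the CVE-2013-2251 request shape.

Added example for this slide deck; not Imperva's or the speaker's code.
Detection only: it reads existing log lines and reports suspicious ones.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). The 203.0.113.0/24
# and 198.51.100.0/24 ranges are documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2014:12:01:03 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2014:12:01:05 +0000] "GET /struts2-showcase/index.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2014:12:02:10 +0000] "GET /app/login.action?redirectAction:%25%7B1%2B1%7D HTTP/1.1" 404 221 "-" "python-requests/2.2"
198.51.100.7 - - [10/Jun/2014:12:02:11 +0000] "GET /app/search.action?q=struts HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2014:12:03:00 +0000] "GET /app/view.action?redirect:/app/home.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Parameter-name prefixes named in the CVE-2013-2251 advisory (compared lower-cased)
# and the markers that open an OGNL expression.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectaction:")
OGNL_MARKERS = ("${", "%{")


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target: str):
    """Return (name, value) pairs of the request target, URL-decoded twice.

    The second decode catches double-encoded probes (%2524 -> %24 -> $). Note that
    with this flaw the payload usually sits in the parameter *name*, not the value.
    """
    pairs = []
    for piece in urlsplit(target).query.split("&"):
        if not piece:
            continue
        name, _, value = piece.partition("=")
        pairs.append((unquote(unquote(name)), unquote(unquote(value))))
    return pairs


def is_struts_prefix_injection(target: str) -> bool:
    """True when a prefixed parameter also carries an OGNL expression marker.

    A plain 'redirect:/some/path' (a legitimate use of the feature) is not flagged.
    """
    for name, value in query_params(target):
        if name.lower().startswith(STRUTS_PREFIXES):
            if any(marker in name + value for marker in OGNL_MARKERS):
                return True
    return False


def scan_log(text: str):
    """Return (client, target, status) for every matching request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_struts_prefix_injection(rec["target"]):
            hits.append((rec["client"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for client, target, status in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} status={status} target={target}")
```

Two of the five constructed lines are reported; the legitimate `redirect:/app/home.action` request is not, because it carries no expression marker. In practice the same check belongs in the WAF or log pipeline that the "compensating controls" slide refers to, keyed on the component inventory so that it only fires for hosts actually running Struts 2.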
From a Botnet Communication
Botnet operator uses zombies to scan sites for vulnerabilities
* As observed by Imperva’s ADC Research Team
From a Botnet Communication
Botnet exploits vulnerabilities and absorbs victim servers
* As observed by Imperva’s ADC Research Team
Addressing the Problem
Explore the Options
1. Don’t use 3rd party components?
2. Use 3rd party components, responsibly
• Identify 3rd party components; track versions and dependencies
• Monitor the security state of components
• Continuously pentest the application that includes third-party components
• Create an acceptance process for new components which includes security validation
• Disable unused functionality
• Introduce compensating controls, such as Web Application Firewalls, to reduce risk
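The first two items of option 2 (identify components, track versions, monitor their security state) are a mechanical task once the inventory exists. The following is an added example written for this deck, not Imperva's or the speaker's code: it reads a constructed `name==version` manifest, compares each component against a constructed advisory list, and reports anything below the first fixed version. The two advisories reuse the CVEs cited in the deck (Heartbleed was fixed in OpenSSL 1.0.1g, CVE-2013-2251 in Struts 2.3.15.1); the manifest contents, the `log-helper` component and the function names are this example's own assumptions, and a real deployment would read a lock file or SBOM and pull advisories from a vulnerability feed instead of a literal list.

```python
"""Inventory third-party components and flag versions with known advisories.

Added example for this slide deck; not Imperva's or the speaker's code.
"""
import re

# Constructed manifest, one component per line in "name==version" form.
SAMPLE_MANIFEST = """\
# constructed sample inventory
openssl==1.0.1f
struts2-core==2.3.15
jquery==1.11.1
log-helper==0.9.2
"""

# Constructed advisory list: component, CVE, first fixed version.
SAMPLE_ADVISORIES = [
    {"component": "openssl", "cve": "CVE-2014-0160", "fixed_in": "1.0.1g"},
    {"component": "struts2-core", "cve": "CVE-2013-2251", "fixed_in": "2.3.15.1"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so tuples compare in release order.

    Handles OpenSSL-style letter suffixes and differing segment counts
    ('2.3.15' sorts before '2.3.15.1'). Anything else raises, rather than
    silently comparing wrong.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version segment: {piece!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def parse_manifest(text: str) -> dict:
    """Return {component_name: version} from the manifest text (comments skipped)."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"malformed manifest line: {line!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return (component, installed, cve, fixed_in) for every installed version below the fix."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((adv["component"], installed, adv["cve"], adv["fixed_in"]))
    return findings


def components_without_advisories(inventory: dict, advisories: list) -> list:
    """Components the advisory feed says nothing about: still tracked, not yet reviewed."""
    covered = {adv["component"] for adv in advisories}
    return sorted(name for name in inventory if name not in covered)


if __name__ == "__main__":
    inv = parse_manifest(SAMPLE_MANIFEST)
    for component, installed, cve, fixed_in in find_vulnerable(inv, SAMPLE_ADVISORIES):
        print(f"{component} {installed}: {cve} (fixed in {fixed_in})")
    print("no advisory data:", components_without_advisories(inv, SAMPLE_ADVISORIES))
```

Running it on the constructed manifest reports both components, and lists `jquery` and `log-helper` as tracked-but-unreviewed. The "continuously monitor" recommendation on the next slide amounts to re-running this check whenever either the manifest or the advisory feed changes, rather than only at acceptance time.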
Recommendations
When a company builds its security model it usually does not take into account elements that are not in its control, which creates the security hole. Companies should:
§ Implement policies on both the legal and technical aspects to control data access and data usage
§ Have processes and controls in place to effectively manage and secure code involving 3rd party components
§ Continuously monitor
Webinar Materials
Post-Webinar Discussions: Answers to Attendee Questions
Webinar Recording
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
Questions?
www.imperva.com
Thank You