Hacking Encounters of the 3rd Kind

As the software world evolves, more and more companies rely on 3rd party applications and software components as part of their infrastructure. However, this approach does not come without risks.

Adopting 3rd party applications has its advantages, chief among them shorter development time frames and greater software maturity. Despite these obvious benefits, organizations must remain aware of the security implications. This presentation will:

- Explain how 3rd party software vulnerabilities might lead to a data breach
- Deliver examples of incidents and how they occur
- Discuss the effectiveness of patching

Transcript

  • 1. © 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind: Looking Into the Security Impact of 3rd Party Software. Barry Shteiman, Director of Security Strategy, Imperva
  • 2. Agenda
    - Introduction
    - What is 3rd party software
    - Latest examples
    - Hacking of a known component
    - Addressing the problem
    - Wrap up
  • 3. Barry Shteiman, Director of Security Strategy
    - Security researcher working with the CTO office
    - Author of several application security tools, including HULK
    - Code contributor to open source security projects
    - Twitter: @bshteiman
  • 4. What Is 3rd Party Software
  • 5. 3rd Party Software Defined: "A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform." Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
  • 6. Identified by Type
    - Software created by a 3rd party supplier
    - Software components created by a 3rd party
    - Infrastructure/Software as a service
  • 7. Adoption. According to Veracode:
    - "Up to 70% of internally developed code originates outside of the development team"
    - 28% of assessed applications are identified as created by a 3rd party
    Applications by supplier type (chart): Internally Developed 72%, Commercial 18%, Open Source 9%, Outsourced 1%
  • 8. Pros vs. Cons
    Pros:
    - Reduced development time and cost
    - Smaller R&D team is required
    - Mature solution used by many
    Cons:
    - Delayed or no SLA on patches
    - SDLC gap
    - Patches may introduce new bugs
  • 9. OWASP Top 10 A9, "Using Components with Known Vulnerabilities": "Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts." Source: OWASP Top 10 2013
  • 10. What's Vulnerable? Aspect Security study, "Understanding Security Risks in OSS Components": "A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities."
  • 11. Landscape Impact. Secunia Vulnerability Review 2014: 1,208 vulnerabilities in the 50 most popular programs, 76% of them from third-party programs. Source: http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389
  • 12. Into the Wild: Looking Into Recent Incidents
  • 13-14. A Social Experiment (two chart slides). Source: Topsy social analytics
  • 15. Ever Seen a Bleeding Server? Heartbleed (CVE-2014-0160)
    - A bug in OpenSSL's TLS heartbeat handling: a client can read data directly from server memory, up to 64 KB per request, with no authentication and no trace in the logs
    - OpenSSL is used in web servers, network appliances, and client software packages
    - OpenSSL runs on 66% of SSL protected websites
    Sources: Netcraft, http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html; Heartbleed.com
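The mechanics behind that slide, as an added example that is not part of the deck and not OpenSSL's code: a heartbeat message is a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding. The pre-1.0.1g handler copied as many bytes as the attacker's length field claimed; the fix bounds that claim by the size of the record actually received. The process "memory" and the secret placed next to the record are constructed for the demonstration.

```python
"""Heartbleed (CVE-2014-0160) mechanics, simulated in Python.

Added example, not code from the deck or from OpenSSL. It models the TLS
heartbeat message (1-byte type, 2-byte payload length, payload, padding)
sitting in a process buffer next to other data, then contrasts the
pre-1.0.1g handler, which trusts the attacker-supplied length, with the
fixed handler, which bounds it by the length of the record actually
received. The "memory" and the secret next to it are constructed.
"""
import struct

TLS1_HB_REQUEST = 1
MIN_PADDING = 16          # OpenSSL requires at least 16 bytes of padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload length


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request; claimed_len may overstate len(payload)."""
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """Pre-fix logic: read the length field and copy that many bytes.

    rec_len is ignored, exactly as s->s3->rrec.length was ignored; the
    copy runs past the record into whatever lies beyond it.
    """
    _hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    pl = rec_off + HEADER_LEN
    return bytes(memory[pl:pl + payload_len])   # memcpy(bp, pl, payload)


def hardened_handler(memory: bytearray, rec_off: int, rec_len: int):
    """Fixed logic (OpenSSL 1.0.1g): silently discard the message if the
    record is too short to hold header + claimed payload + minimum padding."""
    if rec_len < HEADER_LEN + MIN_PADDING:
        return None
    _hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if HEADER_LEN + payload_len + MIN_PADDING > rec_len:
        return None                      # 1 + 2 + payload + 16 > rrec.length
    pl = rec_off + HEADER_LEN
    return bytes(memory[pl:pl + payload_len])


def simulate(claimed_len: int):
    """Return (what the vulnerable handler echoes, what the fixed one echoes)."""
    payload = b"hello"
    record = build_heartbeat(payload, claimed_len)
    # Constructed neighbour in memory: a session cookie from another connection.
    secret = b"Cookie: session=CONSTRUCTED-SECRET-9f3a1c"
    memory = bytearray(record + secret + b"\x00" * 65536)
    return (vulnerable_handler(memory, 0, len(record)),
            hardened_handler(memory, 0, len(record)))


if __name__ == "__main__":
    print("honest request :", simulate(len(b"hello")))
    leaked, fixed = simulate(0xFFFF)
    print("lying request  : vulnerable handler echoes %d bytes, secret present: %s; "
          "fixed handler returns %r" % (len(leaked), b"CONSTRUCTED-SECRET" in leaked, fixed))
```

An honest request with `claimed_len == 5` is answered identically by both handlers; a request claiming 0xFFFF bytes gets 64 KB of adjacent memory, cookie included, from the vulnerable handler and nothing from the fixed one. Note that the fix is a single bounds check: the vulnerability was never in the protocol, only in trusting a length the peer supplied.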
  • 16. But I Can Patch It! Can't I? ChangeCipherSpec injection (CVE-2014-0224): a second OpenSSL bug, disclosed in June 2014, two months after the Heartbleed fix shipped, that required another round of patching (OpenSSL 0.9.8za, 1.0.0m and 1.0.1h).
  • 17. 3rd Party Code Driven Incidents. WordPress plugin vulnerabilities: a petri dish. Source: ZDNet, http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/
  • 18. From Our Own Threat Advisories
  • 19. Show Me More: Hacking of a Known Component
  • 20. Zero-Days vs. Known Vulnerabilities
    - Zero-days get all the glory: they are technically interesting and raise interesting theoretical questions, such as how to defend against the "unknown unknowns"
    - But known vulnerabilities are doing a lot of the damage: they give attackers a very cost-effective way to exploit applications
  • 21. Hacking a Known Component: Apache Tomcat running the Apache Struts2 library. The target server is running a couple of applications that use the Struts library.
  • 22. Hacking a Known Component: the Struts2 showcase application, running with the Struts2 library.
  • 23. Hacking a Known Component: let's find ourselves a nice exploit for Struts. Apache ships many libraries and frameworks; Struts is among the most popular. Source: www.exploit-db.com
  • 24. Let's Attack Apache Struts. CVE of the day: CVE-2013-2251 (Struts advisory S2-016: the DefaultActionMapper evaluates the text after an "action:", "redirect:" or "redirectAction:" parameter prefix as an OGNL expression; fixed in Struts 2.3.15.1). Now we need an exploit!
  • 25. Remote Code Execution (screenshot)
  • 26. Remote Code Execution (screenshot): "Attempting Remote Code Injection" ... "Injection Complete". The hacker now owns the server. PWN3D!
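The deck shows the attack from the attacker's side; the defender's side of the same vulnerability, as an added example that is not part of the deck and not Imperva's or Apache's code, is spotting S2-016 probes in ordinary access logs. The request shape is public: the OGNL expression rides in a parameter *name* that starts with one of the three prefixes, so the detector decodes parameter names and flags a prefix followed by an expression marker (`${` or `%{`). The log lines are constructed; the payload in the second line has the shape of the public PoC but is not a working exploit.

```python
"""Detecting CVE-2013-2251 (Struts S2-016) probes in web server access logs.

Added example, not code from the deck, from Imperva or from Apache Struts.
Struts 2 before 2.3.15.1 evaluated the text after an "action:", "redirect:"
or "redirectAction:" parameter-name prefix as OGNL, so a request such as
/index.action?redirect:${...} executes attacker-controlled code. The
detector extracts the request target from each log line, decodes the
query-string parameter names and reports prefixed names that carry an OGNL
expression marker. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PREFIXES = ("redirectAction:", "redirect:", "action:")
EXPR_MARKERS = ("${", "%{")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed access-log lines (common log format). Line 2 is shaped like the
# public S2-016 PoC, line 3 is a legitimate use of the redirect: prefix,
# line 4 probes the action: prefix with the %{...} expression syntax.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2014:10:01:22 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5123',
    '10.0.0.9 - - [12/Jun/2014:10:01:30 +0000] "GET /struts2-showcase/index.action?redirect%3A%24%7B%23a%3D'
    '(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%27id%27%7D)).start()%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Jun/2014:10:02:01 +0000] "GET /app/login.action?redirect:/home.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Jun/2014:10:02:44 +0000] "POST /app/save.action?action%3A%25%7B1%2B1%7D HTTP/1.1" 200 88',
]


def suspicious_params(target: str):
    """Return [(decoded_name, prefix, marker)] for parameter names that carry
    a short-circuit prefix followed by an OGNL expression marker."""
    hits = []
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(name)        # second decode catches double-encoded probes
        for prefix in PREFIXES:
            if decoded.startswith(prefix):
                tail = decoded[len(prefix):]
                marker = next((m for m in EXPR_MARKERS if m in tail), None)
                if marker:
                    hits.append((decoded, prefix, marker))
                break
    return hits


def scan_log(lines):
    """Run suspicious_params over each request line; return one alert per hit."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, prefix, marker in suspicious_params(m.group("target")):
            alerts.append({"client": line.split(" ", 1)[0], "method": m.group("method"),
                           "prefix": prefix, "marker": marker, "param": name})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['client']} {alert['method']} prefix={alert['prefix']!r} "
              f"marker={alert['marker']!r} param={alert['param'][:60]!r}")
```

Only the two requests from 10.0.0.9 are reported; the plain `redirect:/home.action` on line 3 uses the prefix without an expression and stays quiet, which is the distinction a WAF rule for this CVE needs to make. Because `parse_qsl` already percent-decodes once, the extra `unquote` is what catches `%2524%257B` style double encoding; matching on the raw, still-encoded line would miss it.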
  • 27. Botnets Are Targeting Known Components. Recently observed:
    - Botnets scan public servers for vulnerabilities
    - Inject hijack/drive-by code into vulnerable systems
    - Onboard hijacked systems into the botnet
  • 28. From a Botnet Communication: the botnet operator uses zombies to scan sites for vulnerabilities (as observed by Imperva's ADC Research Team)
  • 29. From a Botnet Communication: the botnet exploits vulnerabilities and absorbs victim servers (as observed by Imperva's ADC Research Team)
  • 30. Addressing the Problem
  • 31. Explore the Options
    1. Don't use 3rd party components?
    2. Use 3rd party components, responsibly:
    - Identify 3rd party components; track versions and dependencies
    - Monitor the security state of components
    - Continuously pentest the application that includes third party components
    - Create an acceptance process for new components which includes security validation
    - Disable unused functionality
    - Introduce compensating controls, such as Web Application Firewalls, to reduce risk
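The first two items on that slide, identifying components and tracking their versions against known advisories, are where most programs fail in practice, usually because the version is not where grep expects it. As an added example that is not part of the deck and not any Imperva or Apache tool: a Maven pom.xml inventory check that resolves `${property}` version indirection and compares versions numerically. The pom.xml is constructed, and the advisory table contains only the CVE the deck itself cites (CVE-2013-2251, first fixed in struts2-core 2.3.15.1); a real check would load that table from an advisory feed.

```python
"""Inventory check for known-vulnerable 3rd party components.

Added example, not code from the deck or from any Imperva or Apache
project. It reads a constructed Maven pom.xml, resolves ${property}
version indirection (a common reason grep-based inventories miss a
component), and compares each dependency against a small advisory table
using numeric version comparison. The table holds the one advisory the
deck names (CVE-2013-2251, fixed in struts2-core 2.3.15.1); a real
inventory would pull it from an advisory feed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: a Struts 2 app that pins the framework through a property.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.15</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# (groupId, artifactId, first fixed version, advisory id) -- only what the deck cites.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.3.15.1", "CVE-2013-2251"),
]


def parse_version(version: str) -> tuple:
    """'2.3.15.1' -> (2, 3, 15, 1): compare numerically, never as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve(text: str, props: dict) -> str:
    """Expand ${name} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)


def dependencies(pom_xml: str):
    """Return [(groupId, artifactId, version)] with properties resolved."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    deps = []
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        fields = [dep.findtext("m:" + tag, default="", namespaces=NS).strip()
                  for tag in ("groupId", "artifactId", "version")]
        deps.append(tuple(resolve(f, props) for f in fields))
    return deps


def vulnerable_dependencies(pom_xml: str):
    """Return [(artifactId, version in use, first fixed version, advisory)]."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        for adv_group, adv_artifact, fixed, advisory in ADVISORIES:
            if (group, artifact) == (adv_group, adv_artifact) and \
                    parse_version(version) < parse_version(fixed):
                findings.append((artifact, version, fixed, advisory))
    return findings


if __name__ == "__main__":
    for artifact, version, fixed, advisory in vulnerable_dependencies(POM):
        print(f"{artifact} {version} is affected by {advisory}; first fixed in {fixed}")
```

Two details carry the lesson. The `<version>` element holds `${struts.version}`, so a scanner that greps for a literal version string sees nothing; and the comparison must be numeric, because as strings `"2.3.9" > "2.3.15.1"` and a naive check would wave 2.3.9 through as already patched. Running this in the acceptance process the slide describes, and again on every dependency change, is what turns "track versions" from a spreadsheet into a control.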
  • 32. Recommendations. When a company builds its security model it usually leaves out the elements it does not control, and that omission is the security hole. Companies should:
    - Implement policies, both legal and technical, to control data access and data usage
    - Have processes and controls in place to effectively manage and secure code involving 3rd party components
    - Continuously monitor
  • 33. Webinar Materials: post-webinar discussions, answers to attendee questions, webinar recording link. Join the Imperva LinkedIn group, Imperva Data Security Direct, for…
  • 34. Questions? www.imperva.com
  • 35. Thank You