Hacking Encounters of the 3rd Kind

861 views
751 views

Published on

As the software world evolves, more and more companies rely on 3rd party applications and software components as part of their infrastructure. However, this approach does not come without risks.

The implementation of 3rd party applications has its advantages, chief among them shortened development time frames and increased software maturity. Despite these obvious benefits, organizations must remain aware of potential security implications. This presentation will:

- Explain how 3rd party software vulnerabilities might lead to a data breach
- Deliver examples of incidents and how they occur
- Discuss the effectiveness of patching

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
861
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
36
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Hacking Encounters of the 3rd Kind

  1. 1. © 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind Looking Into the Security Impact of 3rd Party Software Confidential1 Barry Shteiman, Director of Security Strategy, Imperva
  2. 2. © 2014 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction §  What is 3rd party software §  Latest examples §  Hacking of a known component §  Addressing the problem §  Wrap up
  3. 3. © 2014 Imperva, Inc. All rights reserved. Barry Shteiman, Director of Security Strategy Confidential3 §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  Twitter @bshteiman
  4. 4. © 2014 Imperva, Inc. All rights reserved. What Is 3rd Party Software Confidential4
  5. 5. © 2014 Imperva, Inc. All rights reserved. 3rd Party Software Defined Confidential5 A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
  6. 6. © 2014 Imperva, Inc. All rights reserved. Identified by Type Confidential6 •  Software created by a 3rd party supplier •  Software components created by a 3rd party •  Infrastructure/Software as a service
  7. 7. © 2014 Imperva, Inc. All rights reserved.7 Adoption According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential 72% 18% 9% 1% Application by supplier type Internally Developed Commercial Open Source Outsourced
  8. 8. © 2014 Imperva, Inc. All rights reserved. Pros vs. Cons Confidential8 •  Reduced development time and cost •  Smaller R&D team is required •  Mature solution used by many •  Delayed/No SLA on Patches •  SDLC Gap •  Patches may introduce new bugs
  9. 9. © 2014 Imperva, Inc. All rights reserved. OWASP Top 10, “Using Known Vulnerable Components” Confidential9 Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Source: OWASP Top 10 2013 Whitepaper
  10. 10. © 2014 Imperva, Inc. All rights reserved. What’s Vulnerable? Confidential10 Source: Aspect Security’s study “Understanding Security Risks in OSS Components” Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
  11. 11. © 2014 Imperva, Inc. All rights reserved. Landscape Impact Confidential11 Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389 Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
  12. 12. © 2014 Imperva, Inc. All rights reserved. Into the Wild Confidential12 Looking Into Recent Incidents
  13. 13. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential13 Source: Topsy social analytics
  14. 14. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential14 Source: Topsy social analytics
  15. 15. © 2014 Imperva, Inc. All rights reserved. Ever Seen a Bleeding Server? Confidential15 Heartbleed (CVE-2014-0160) •  A bug in OpenSSL, allowing data leakage directly from server memory •  OpenSSL is used for Web servers, network appliances, and client software packages •  OpenSSL runs on 66% of SSL protected websites Sources: - Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html - Heartbleed.com
  16. 16. © 2014 Imperva, Inc. All rights reserved. But I Can Patch It! Can’t I? Confidential16 ChangeCipherSpec (CVE-2014-0224)
  17. 17. © 2014 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/ Wordpress Plugin vulnerabilities… A Petri Dish.
  18. 18. © 2014 Imperva, Inc. All rights reserved. From Our Own Threat Advisories Confidential18
  19. 19. © 2014 Imperva, Inc. All rights reserved. Show Me More Confidential19 Hacking of a Known Component
  20. 20. © 2014 Imperva, Inc. All rights reserved. Zero-Days vs. Known Vulnerabilities Confidential20 §  Zero-Days gets all the glory •  Technically interesting •  Give rise to some interesting theoretical questions: How to defend the “unknown unknowns?” §  But known vulnerabilities are doing a lot of the damage •  Provide hackers with a very cost- effective method to exploit applications http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
  21. 21. © 2014 Imperva, Inc. All rights reserved. Confidential21 Hacking a Known Component Apache Tomcat, running Apache Struts2 library. Target server is running a couple of applications that use the Struts library
  22. 22. © 2014 Imperva, Inc. All rights reserved. Confidential22 Hacking a Known Component Struts2 showcase application, running with the Struts2 library.
  23. 23. © 2014 Imperva, Inc. All rights reserved. Hacking a Known Component Confidential23 Source: www.exploit-db.com Lets find ourselves a nice exploit for Struts Apache has many extension libraries, Struts is amongst the most popular library.
  24. 24. © 2014 Imperva, Inc. All rights reserved. Lets Attack Apache Struts Confidential24 CVE of the day: CVE-2013-2251, Now we need an exploit!
  25. 25. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential25
  26. 26. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential26 Hacker now owns the server. PWN3D! Injection Complete Attempting Remote Code Injection
  27. 27. © 2014 Imperva, Inc. All rights reserved. Botnets Are Targeting Known Components Confidential27 Recently Observed: •  Botnets scan public servers for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the botnet
  28. 28. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential28 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team
  29. 29. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential29 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
  30. 30. © 2014 Imperva, Inc. All rights reserved. Addressing the Problem Confidential30
  31. 31. © 2014 Imperva, Inc. All rights reserved. Explore the Options Confidential31 1.  Don’t use 3rd Party Components? 2.  Use 3rd Party Components, Responsibly •  Identify 3rd party components, Track versions and dependencies •  Monitor security state of components •  Continuously pentest the application that includes third party components •  Create an acceptance process for new components which includes security validation •  Disable unused functionality •  Introduce compensating controls, such as Web Application Firewalls to reduce risk
  32. 32. © 2014 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage §  Have processes and controls in place to effectively manage and secure code involving 3rd party components §  Continuously monitor Recommendations 32 Confidential32
  33. 33. © 2014 Imperva, Inc. All rights reserved. Webinar Materials 33 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
  34. 34. © 2014 Imperva, Inc. All rights reserved. Questions? Confidential34 www.imperva.com
  35. 35. © 2014 Imperva, Inc. All rights reserved. Thank You 35 Confidential

×