Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
November 15, 2016
Where Bits & Bytes Meet Flesh & Blood: DevOps, Cybersecurity, and the IoT
Joshua Corman, Director | Cyber Statecraft Initiative
@joshcorman
Timeline slide: The Before Times → Transition (5 years +/-) → Better Times (2019 +/-)
2014: Pre-Market 1.0
2015: Hospira precedent
2016: Post-Market 1.0; manufacturer disclosure
CC: From: http://www.flickr.com/photos/maiabee/2760312781/
Chart: COMMERCIAL RESPONSES TO OPENSSL
X axis: time (days) following initial Heartbleed disclosure and patch availability
Y axis: number of products included in the vendor vulnerability disclosure
Z axis (circle size): exposure as measured by the CVE CVSS score
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
• Elegant Procurement Trio
1) Ingredients: anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd-party and open source components (along with their versions)
2) Hygiene & avoidable risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 times… into XXX,XXX applications… SEVEN YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721 Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
PROCUREMENT TRIO + BOUNCY CASTLE
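The first two legs of the trio (a bill of materials, and no known-vulnerable component where a fixed one exists) can be enforced mechanically once a vendor hands over the ingredient list. The script below is an added example written for this page, not code from the bill, the deck, or the Bouncy Castle project. It parses a constructed CycloneDX-style bill of materials, matches each component against a small advisory list, and reports every component for which an upgrade exists, highest CVSS first. CVE-2007-6721 and its 10.0 score come from the slide; CVE-2014-0160 (Heartbleed) and CVE-2014-0224 are the 2014 OpenSSL disclosures the deck charts. The version ranges and the two OpenSSL scores are entered as illustrative data and must be confirmed against NVD and the vendor advisories before the list is used for anything real; the component names, group ids and the name-pattern matching are assumptions for the example (production tools match on purl or CPE, not on a regex).

```python
import json
import re

# Constructed CycloneDX-style bill of materials for a hypothetical product.
# Illustrative data only; not any vendor's real BOM.
SBOM_JSON = """
{
  "components": [
    {"group": "org.bouncycastle", "name": "bcprov-jdk15",   "version": "1.37"},
    {"group": "org.bouncycastle", "name": "bcprov-jdk15on", "version": "1.46"},
    {"group": "",                 "name": "openssl",        "version": "1.0.1f"},
    {"group": "",                 "name": "openssl",        "version": "0.9.8"},
    {"group": "org.example",      "name": "widget-lib",     "version": "2.3.0"}
  ]
}
"""

# Constructed advisory list. CVE-2007-6721 / CVSS 10.0 is on the slide; the
# OpenSSL entries are the 2014 disclosures. Ranges and the two OpenSSL scores
# are illustrative data entered from the public advisories: confirm them
# against NVD before relying on them. Each range is
# (first affected version or None for "from the beginning", first fixed version).
ADVISORIES = [
    {"name_pattern": r"^bcprov", "cve": "CVE-2007-6721", "cvss": 10.0,
     "ranges": [(None, "1.38")]},
    {"name_pattern": r"^openssl$", "cve": "CVE-2014-0160", "cvss": 5.0,
     "ranges": [("1.0.1", "1.0.1g")]},
    {"name_pattern": r"^openssl$", "cve": "CVE-2014-0224", "cvss": 6.8,
     "ranges": [("0.9.8", "0.9.8za"), ("1.0.0", "1.0.0m"), ("1.0.1", "1.0.1h")]},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(version):
    """Split a version string into a comparable tuple.

    Numeric runs become (0, int) and alphabetic runs become (1, str), so
    '1.0.1' < '1.0.1f' < '1.0.1g' and '0.9.8' < '0.9.8y' < '0.9.8za', which is
    the ordering OpenSSL's letter-suffixed releases need. Plain dotted
    versions such as Bouncy Castle's '1.37' compare numerically.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def in_affected_range(version, introduced, fixed_in):
    """True when introduced <= version < fixed_in (introduced=None means 'always')."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    return v < parse_version(fixed_in)


def audit(sbom_json, advisories):
    """Criterion 2 of the trio: list every component that sits inside a known
    affected range for which a fixed version exists, highest CVSS first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        coordinate = f'{comp["group"]}:{comp["name"]}:{comp["version"]}'.lstrip(":")
        for adv in advisories:
            if not re.search(adv["name_pattern"], comp["name"]):
                continue
            for introduced, fixed_in in adv["ranges"]:
                if in_affected_range(comp["version"], introduced, fixed_in):
                    findings.append({"component": coordinate, "cve": adv["cve"],
                                     "cvss": adv["cvss"], "upgrade_to": fixed_in})
                    break  # one finding per advisory per component
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in audit(SBOM_JSON, ADVISORIES):
        print(f'{f["cvss"]:>4}  {f["cve"]:<14}  {f["component"]:<40}  upgrade to {f["upgrade_to"]}')
```

Two points worth noticing when the report is read back against the deck. The 1.37 Bouncy Castle artifact is flagged with a fixed version available, which is exactly the case criterion 2 says a buyer should refuse without written justification. And OpenSSL 0.9.8 is clean against Heartbleed but not against the later CCS-injection disclosure, which is the effect the chart notes describe: advisories that cover every branch pull in products that were still shipping libraries from 2005. Per-branch fixed versions are therefore required in the advisory data; a single "fixed in 1.0.1h" entry would silently pass the 0.9.8 build.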
Policy activity slide:
HHS Task Force
FDA Guidance
DOJ Work Group
DOD Policy
EU Guidance
DOC/NTIA Guidance
Presidential Commission Report
FTC Guidelines
Congressional Letters
DOT Principles
NHTSA Guidance
DHS Guidance
IMG SRC: http://circa71.files.wordpress.com/2010/08/cuy-river-fire1.jpg
In 1969, the Cuyahoga River in Ohio caught on fire and stayed on fire….
….it took this to finally get serious discussion about pollution.
We believe a similar trigger will likely be required before software liability changes and/or security research is significantly criminalized.
Artist: MAR Williams – artwork commissioned by Joshua Corman and Brian Martin
"Building a Better Anonymous" Series by Joshua Corman and Brian Martin:
http://blog.cognitivedissidents.com/2011/12/20/building-a-better-anonymous-series-part-0/
http://bit.ly/vhaaAP
Hyperconnected, software-defined everything
See also: http://media.vanityfair.com/photos/566f300dc70e5cef14686b91/master/pass/junaid-hussain-isis-anonymous-hacker-a.jpg
http://www.sfexaminer.com/imager/deepwater-horizon-oil-spill/b/big/2593933/f8a3/Gulf_Oil_Spill_Trial_Cong.jpg
BP Oil Spill – weeks of oil flow – nightly news – brand damage - cost
From: http://www.flickr.com/photos/maiabee/2760312781/
CC status: share with attribution
Credit: Maia Valenzuela
http://www.k9tec.com/wp-content/uploads/2011/10/beware-of-dog-shepherd.jpg
Vs
https://img1.etsystatic.com/046/0/8940891/il_214x170.676543507_88cr.jpg
https://www.iamthecavalry.org/oath/
★ Third Party Collaboration
Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming.
Key Elements:
Standards based: Use of vetted ISO standards for vendor-side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerates an organization’s maturity and ensures predictable, normalized interfaces to researchers and facilitators.
Positive incentives: Positive “Recognition & Reward” systems can further encourage and stimulate participation in bug reporting. Several prominent “Hackathon,” “Hall of Fame,” and “Bug Bounty” programs have proven successful and continue to drive iterative improvements. Exemplars can be provided.
Known interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profit organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.
Qualitative takeaways:
Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors).
The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products).
New discoveries are getting more serious over time.
New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious.
Vendors are responding to new discoveries at a somewhat slower pace.
The significant increase in product disclosures after the later 2014 OpenSSL disclosures, which affect all versions of OpenSSL and not just 1.0.1 or later, implies that many vendors and products were still shipping old libraries (version 0.9.8 was first released in July 2005).
Total disclosures: 227
Total product instances affected by disclosures: 2,513
Mean time to repair: 35.8 days
Median time to repair: 22.0 days
Here are just a few examples so you can see that this risk is real…
Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times.
And that was five years after a better, safer replacement was issued.
This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.