developer is an attack vector
TRANSCRIPT
![Page 1: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/1.jpg)
DEVELOPER IS AN ATTACK VECTOR
Disobey 13.1.2018 @Anakondantti --/-- [email protected]
The film Raid – Raid asks firmly.
![Page 2: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/2.jpg)
I WISH TO CONFESS…
![Page 3: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/3.jpg)
I GOT
![Page 4: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/4.jpg)
THIS HAPPENED TO ME
![Page 5: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/5.jpg)
1. IT’S A TREND
2. YOU ARE NOT SAFE
3. IN 2018 IT GETS WORSE
![Page 6: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/6.jpg)
IS IT REALLY HAPPENING?
Yes. Supply chain attacks are a thing now.
![Page 7: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/7.jpg)
“A subsequent investigation revealed miscreants had got into the developer's servers, implanted the malware into the download files, and then let the company infect its users as they fetched the software.”
http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/
![Page 8: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/8.jpg)
“The rogue installer was digitally signed with the developer's legitimate certificate, which means the malicious code was added to it before it was signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.”
https://motherboard.vice.com/en_us/article/a3kgpa/ccleaner-backdoor-malware-hack
“millions of people likely downloaded it.”
![Page 9: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/9.jpg)
“It is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization,” the Cisco Talos researchers said.
![Page 10: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/10.jpg)
WHY NOW?
![Page 11: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/11.jpg)
KAISER
IDS & SIEM
WAF
DEP
ASLR
#1
![Page 12: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/12.jpg)
#2
![Page 13: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/13.jpg)
#3
![Page 14: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/14.jpg)
PLAY PARANOID?
![Page 15: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/15.jpg)
IN TRUST WE TRUST?
› Trust the developer’s machine?
› Trust hotel WLAN (or the VR train network)?
› Trust a USB stick from the customer?
› Trust the developer as a person?
› Trust 3rd party deps?
› Trust the toolchain (javac, g++ and the like)?
› Trust CI with Jenkins?
› Trust Jenkins 3rd party plugins?
› Trust tutorials on the internet?
› …
![Page 16: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/16.jpg)
IT BEGINS WITH THE TOOLS
![Page 17: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/17.jpg)
INSTALLING RUBY VERSION MANAGER
![Page 18: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/18.jpg)
NODE VERSION MANAGER
![Page 19: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/19.jpg)
CLOJURE BUILD TOOL, LEININGEN
![Page 20: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/20.jpg)
INSTALL HOMEBREW ON MAC…
![Page 21: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/21.jpg)
https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/
1 DEV -> 1M DEV -> 50M USERS…
“that's because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.”
![Page 22: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/22.jpg)
NEED MOAR VECTORS?
Vectrex from Wikimedia Commons
![Page 23: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/23.jpg)
CLOUD! AWESOME! AGILE!
![Page 24: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/24.jpg)
SCARED? SURPRISED?
WTF TIME!
![Page 25: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/25.jpg)
WHAT A HANDY TOOL!
![Page 26: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/26.jpg)
VPN KEEPS YOU SAFE! HMM.
http://dev.solita.fi/2015/05/08/inside-enterprise-vpn.html
![Page 27: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/27.jpg)
WAT ?
![Page 28: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/28.jpg)
VIRUS SCAN… SO DIFFICULT TO BYPASS
![Page 29: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/29.jpg)
FAKE GIT COMMITS (https://github.com/jayphelps/git-blame-someone-else)
› Works because Git.
› Works on GitHub too.
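The slide's point is that Git's author and committer fields are free text chosen by whoever runs `git commit`, so they prove nothing about who wrote a change; the only field a reviewer can actually check is the signature status. The script below is an added example (it is not code from the talk, from GitHub, or from the git-blame-someone-else repository) that reads `git log --format=%H %G? %an <%ae>`, interprets the one-letter `%G?` status Git prints, and lists every commit whose authorship is not backed by a good signature from a trusted key. The sample log lines and the author names in them are constructed for the example.

```python
"""Flag commits whose claimed author is not backed by a verified signature.

Added example. Git sets no limits on the author/committer strings, so the
review question is not "who does the commit say it is from" but "does a
trusted key vouch for it". `git log --format=%G?` answers that per commit.
"""
import subprocess

# Meaning of the single-letter codes that %G? prints (from git-log(1)).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}

# Statuses that count as "trusted" for the purpose of attributing a commit.
TRUSTED_STATUSES = frozenset({"G"})

# Constructed sample in the exact shape `--format=%H %G? %an <%ae>` produces;
# hashes and people are made up for the example.
SAMPLE_LOG = [
    "0000000000000000000000000000000000000001 G Alice Example <[email protected]>",
    "0000000000000000000000000000000000000002 N Alice Example <[email protected]>",
    "0000000000000000000000000000000000000003 B Alice Example <[email protected]>",
    "0000000000000000000000000000000000000004 U Bob Example <[email protected]>",
]


def parse_log_line(line):
    """Split one '<hash> <status> <author>' line into a dict."""
    commit, status, author = line.strip().split(" ", 2)
    return {"commit": commit, "status": status, "author": author,
            "meaning": SIGNATURE_STATUS.get(status, "unknown status")}


def untrusted_commits(lines, trusted=TRUSTED_STATUSES):
    """Return parsed records for every commit whose %G? status is not trusted.

    Line 2 of the sample claims to be Alice's but carries no signature at all,
    exactly what a forged author field looks like; it is reported, as are the
    bad-signature and untrusted-key cases.
    """
    return [rec for rec in map(parse_log_line, lines) if rec["status"] not in trusted]


def git_log_with_signatures(repo=".", rev_range="HEAD"):
    """Fetch real log lines from a repository (needs git and gpg installed)."""
    result = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %G? %an <%ae>", rev_range],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def report(lines):
    """Human-readable summary of the untrusted commits, one per line."""
    return "\n".join(
        f"{rec['commit'][:12]}  {rec['status']}  {rec['author']}  ({rec['meaning']})"
        for rec in untrusted_commits(lines)
    )


if __name__ == "__main__":
    # Run against the constructed sample; swap in git_log_with_signatures() for a real repo.
    print(report(SAMPLE_LOG))
```

In practice the check belongs in CI or a branch-protection rule rather than on a laptop, and the `%G?` letters depend on which keys are in the verifier's keyring: a `U` from a key nobody imported is not evidence of anything, which is why only `G` is in `TRUSTED_STATUSES` here.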
![Page 30: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/30.jpg)
WAT THE ****
![Page 31: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/31.jpg)
COPY-PASTE WITH CONFIDENCE! http://thejh.net/misc/website-terminal-copy-paste
![Page 32: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/32.jpg)
STOP ALREADY
![Page 33: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/33.jpg)
PHISHING THE DEVELOPERS WITH DNS REBINDING (https://bouk.co/blog/hacking-developers/)
1. Set up DNS with a minimal TTL
2. Got a victim browser?
3. DNS rebind haxor.do to 127.0.0.1
4. Call localhost (same-origin)
5. Profit?
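The steps above work because, after the record is rebound, the browser still treats the page as the attacker's origin while the TCP connection lands on the developer's own loopback service, which is never expecting outside visitors. The server, however, still receives the attacker's hostname in the `Host` header, so a local development server can close the hole by answering only to loopback names. The code below is an added example (not from the talk or the linked post) of such a check on top of Python's standard `http.server`; the allow-list, the port and the `haxor.do` sample name from the slide are assumptions for the example.

```python
"""Host-header allow-list for a local development HTTP server.

Added example. DNS rebinding lets a page on the attacker's origin reach
127.0.0.1, but the request still carries the attacker's name in Host.
Refusing any Host that is not a loopback name therefore blocks it before
any application code runs.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names a local dev server legitimately answers to (assumed for the example).
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def host_without_port(host_header):
    """Return the host part of a Host header, lower-cased, port stripped.

    Handles 'localhost:8080', '127.0.0.1', '[::1]:8080' and bare '[::1]'.
    Returns None for a missing, empty or malformed header.
    """
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):            # IPv6 literal such as [::1]:8080
        end = value.find("]")
        return value[:end + 1] if end != -1 else None
    return value.split(":", 1)[0]


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the Host header names a loopback host we expect."""
    host = host_without_port(host_header)
    return host is not None and host in allowed


class DevHandler(BaseHTTPRequestHandler):
    """Minimal dev endpoint that rejects rebound requests up front."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # A rebound name (haxor.do in the slide) arrives on loopback but
            # still says "haxor.do" here, so it gets a 403 and nothing else.
            self.send_error(403, "Host header not allowed")
            return
        body = b"hello from the dev server\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):   # keep the example quiet
        pass


def serve(port=8080):
    """Bind to loopback only (never 0.0.0.0) and serve until interrupted."""
    HTTPServer(("127.0.0.1", port), DevHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Frameworks usually expose the same idea as a setting (Django's `ALLOWED_HOSTS`, Rails' `config.hosts`); the point is that "it only listens on localhost" is not a defence against a browser that is already running on localhost, whereas a strict `Host` check is.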
![Page 34: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/34.jpg)
IS THIS REALLY NEW?
![Page 35: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/35.jpg)
PARTY LIKE IT’S 1984?
Bogart Company
![Page 36: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/36.jpg)
“You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.”
Ken Thompson, 1984 Turing Award Lecture, Reflections on Trusting Trust
http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf
![Page 37: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/37.jpg)
1. WE ARE NOT SAFE
2. MITIGATION COSTS MONEY
3. IN 2018 IT GETS WORSE
![Page 39: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/39.jpg)
TRUSTWORTHY REFERENCES
› Dependencies we trust:
• https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
• http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
• https://drive.google.com/file/d/0ByL_eDzFMdXzWHh3eFJuM0xTWjg/view
• Fictional, but almost true: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
› Tools we trust:
• https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/
• http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust.pdf
› Tutorials we trust: http://thejh.net/misc/website-terminal-copy-paste
› Supply chain we trust: https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack
› Developers we trust:
• https://github.com/jayphelps/git-blame-someone-else
• https://github.com/aguerrero/Faking-Git-Commits
![Page 40: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/40.jpg)
REFERENCES YOU CAN TRUST
› Spotify we trust: https://www.pcworld.com/article/3128289/security/spotify-ads-slipped-malware-onto-pcs-and-macs.html
› CCleaner we trust:
• https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/
› http://www.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/
› Wifi we trust: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
› VPN we trust: http://dev.solita.fi/2015/05/08/inside-enterprise-vpn.html
› DNS we trust: https://bouk.co/blog/hacking-developers/
![Page 41: Developer is an attack vector](https://reader031.vdocument.in/reader031/viewer/2022030318/5a647bf17f8b9a27568b4e03/html5/thumbnails/41.jpg)