![Page 1: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/1.jpg)
© 2014 Imperva, Inc. All rights reserved.
Hacking Encounters of the 3rd Kind
Looking Into the Security Impact of 3rd Party Software
Confidential1
Barry Shteiman, Director of Security Strategy, Imperva
![Page 2: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/2.jpg)
Agenda
Introduction
What is 3rd party software
Latest examples
Hacking of a known component
Addressing the problem
Wrap up
![Page 3: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/3.jpg)
Barry Shteiman, Director of Security Strategy
• Security researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• Twitter: @bshteiman
Twitter @bshteiman
![Page 4: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/4.jpg)
What Is 3rd Party Software
![Page 5: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/5.jpg)
3rd Party Software Defined
A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.
Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
![Page 6: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/6.jpg)
Identified by Type
• Software created by a 3rd party supplier
• Software components created by a 3rd party
• Infrastructure/Software as a service
![Page 7: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/7.jpg)
Adoption
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
Application by supplier type (chart):
• Internally Developed: 72%
• Commercial: 18%
• Open Source: 9%
• Outsourced: 1%
![Page 8: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/8.jpg)
Pros vs. Cons
Pros:
• Reduced development time and cost
• Smaller R&D team is required
• Mature solution used by many
Cons:
• Delayed/no SLA on patches
• SDLC gap
• Patches may introduce new bugs
![Page 9: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/9.jpg)
OWASP Top 10, “Using Known Vulnerable Components”
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Source: OWASP Top 10 2013 Whitepaper
![Page 10: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/10.jpg)
What’s Vulnerable?
Source: Aspect Security’s study “Understanding Security Risks in OSS Components”
“A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
![Page 11: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/11.jpg)
Landscape Impact
Source: Secunia Vulnerability Review 2014
http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389
Secunia: 1,208 vulnerabilities in the 50 most popular programs, 76% from third-party programs
![Page 12: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/12.jpg)
Into the Wild
Looking Into Recent Incidents
![Page 13: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/13.jpg)
A Social Experiment
Source: Topsy social analytics
![Page 14: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/14.jpg)
Ever Seen a Bleeding Server?
Heartbleed (CVE-2014-0160)
• A bug in OpenSSL, allowing data leakage directly from server memory
• OpenSSL is used for web servers, network appliances, and client software packages
• OpenSSL runs on 66% of SSL-protected websites
Sources:
- Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html
- Heartbleed.com
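The slide describes Heartbleed as a leak of server memory; the mechanism is a heartbeat handler that trusts the length field inside the request instead of the length of the record it actually received. The following toy simulator, added here as an illustration and not part of the deck or of OpenSSL, contrasts the two behaviours on a heartbeat record built in memory. The message layout follows RFC 6520; the "heap" and its contents (`NEIGHBOURING_MEMORY`) are constructed stand-ins, and the function names are my own.

```python
import struct
from typing import Optional

# TLS Heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16

# Constructed stand-in for whatever happened to sit in the process heap right after
# the received record (session cookies, key material, other users' requests).
NEIGHBOURING_MEMORY = b"<other-heap-data>" * 4


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. declared_len lets a caller misstate the payload size."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, heap_after_record: bytes) -> bytes:
    """Pre-fix logic: trust payload_length and copy that many bytes from the payload start.
    The heap is modelled as the received record followed by neighbouring memory, so an
    oversized length walks straight past the record into unrelated data."""
    _, length = struct.unpack("!BH", record[:HEADER_LEN])
    heap = record + heap_after_record
    echoed = heap[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(record: bytes) -> Optional[bytes]:
    """Fixed logic: the declared payload plus minimum padding must fit inside the record
    that was actually received; otherwise the message is silently discarded (RFC 6520)."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    _, length = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + length + MIN_PADDING > len(record):
        return None
    echoed = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Return the echoed payload of a heartbeat response."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


def demo() -> dict:
    honest = build_heartbeat(b"ping")                   # 4-byte payload, declares 4
    lying = build_heartbeat(b"ping", declared_len=60)   # 4-byte payload, declares 60
    return {
        "honest_checked": response_payload(respond_checked(honest)),
        "lying_unchecked": response_payload(respond_unchecked(lying, NEIGHBOURING_MEMORY)),
        "lying_checked": respond_checked(lying),
    }


if __name__ == "__main__":
    result = demo()
    print("honest request, checked server echoes:", result["honest_checked"])
    print("oversized request, unchecked server echoes", len(result["lying_unchecked"]),
          "bytes, the tail being:", result["lying_unchecked"][20:])
    print("oversized request, checked server returns:", result["lying_checked"])
```

The point for the defender is the single comparison in `respond_checked`: the only trustworthy length is the one the transport layer delivered, and a field inside the message may never be used to size a copy out of it. The patched OpenSSL release added exactly that check.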
![Page 15: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/15.jpg)
But I Can Patch It! Can’t I?
ChangeCipherSpec (CVE-2014-0224)
![Page 16: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/16.jpg)
3rd Party Code Driven Incidents
Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/
WordPress plugin vulnerabilities… a Petri dish.
![Page 17: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/17.jpg)
From Our Own Threat Advisories
![Page 18: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/18.jpg)
Show Me More
Hacking of a Known Component
![Page 19: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/19.jpg)
Zero-Days vs. Known Vulnerabilities
Zero-days get all the glory:
• Technically interesting
• Give rise to some interesting theoretical questions: how do you defend against the “unknown unknowns”?
But known vulnerabilities are doing a lot of the damage:
• They provide hackers with a very cost-effective method to exploit applications
http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
![Page 20: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/20.jpg)
Hacking a Known Component
Apache Tomcat, running the Apache Struts2 library. The target server is running a couple of applications that use the Struts library.
![Page 21: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/21.jpg)
Hacking a Known Component
Struts2 showcase application, running with the Struts2 library.
![Page 22: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/22.jpg)
Hacking a Known Component
Source: www.exploit-db.com
Let’s find ourselves a nice exploit for Struts. Apache has many extension libraries, and Struts is among the most popular.
![Page 23: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/23.jpg)
Let’s Attack Apache Struts
CVE of the day: CVE-2013-2251. Now we need an exploit!
![Page 24: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/24.jpg)
Remote Code Execution
Screenshot captions, in order:
• Attempting Remote Code Injection
• Injection Complete
• Hacker now owns the server. PWN3D!
![Page 25: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/25.jpg)
Botnets Are Targeting Known Components
Recently observed:
• Botnets scan public servers for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
![Page 26: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/26.jpg)
From a Botnet Communication
Botnet operator uses zombies to scan sites for vulnerabilities*
* As observed by Imperva’s ADC Research Team
![Page 27: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/27.jpg)
From a Botnet Communication
Botnet exploits vulnerabilities and absorbs victim servers*
* As observed by Imperva’s ADC Research Team
![Page 28: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/28.jpg)
Addressing the Problem
![Page 29: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/29.jpg)
Explore the Options
1. Don’t use 3rd party components?
2. Use 3rd party components, responsibly:
• Identify 3rd party components; track versions and dependencies
• Monitor the security state of components
• Continuously pentest the application that includes third party components
• Create an acceptance process for new components which includes security validation
• Disable unused functionality
• Introduce compensating controls, such as Web Application Firewalls, to reduce risk
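The first two items of the "responsibly" list (know which components and versions you ship, then watch their security state) are the part most teams never automate. The following is an added example of what that automation reduces to, not code from the deck or from Imperva: an inventory of components per application is crossed with an advisory feed of affected version ranges, and every match is reported with the version that fixes it. The inventory is constructed; the advisory feed uses the three CVEs named on these slides with the version ranges from their public advisories (Struts 2.0.0 up to and excluding 2.3.15.1 for CVE-2013-2251; OpenSSL 1.0.1 up to and excluding 1.0.1g for CVE-2014-0160; and the three fixed releases 0.9.8za, 1.0.0m and 1.0.1h for CVE-2014-0224). The version comparison handles both dotted numeric versions and OpenSSL's letter suffixes, which most ad hoc string comparisons get wrong.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory of the components the two applications on the server ship.
# In practice this comes from build manifests (pom.xml, package-lock.json) or a package scan.
INVENTORY = [
    {"app": "orders-portal", "component": "struts2-core", "version": "2.3.15"},
    {"app": "orders-portal", "component": "openssl",      "version": "1.0.1f"},
    {"app": "hr-intranet",   "component": "struts2-core", "version": "2.3.16.3"},
    {"app": "hr-intranet",   "component": "openssl",      "version": "1.0.1h"},
]

# Constructed advisory feed. Each range is (first affected version inclusive,
# first fixed version exclusive); a None lower bound means every earlier release.
ADVISORIES = [
    {"component": "struts2-core", "cve": "CVE-2013-2251", "ranges": [("2.0.0", "2.3.15.1")]},
    {"component": "openssl", "cve": "CVE-2014-0160", "ranges": [("1.0.1", "1.0.1g")]},
    {"component": "openssl", "cve": "CVE-2014-0224",
     "ranges": [(None, "0.9.8za"), ("1.0.0", "1.0.0m"), ("1.0.1", "1.0.1h")]},
]

_PIECE = re.compile(r"^(\d+)([a-z]*)$")
Version = Tuple[Tuple[int, str], ...]


def parse_version(text: str) -> Version:
    """'1.0.1f' -> ((1, ''), (0, ''), (1, 'f')). A letter suffix sorts after the bare
    number and a longer tuple after its own prefix, so 1.0.1 < 1.0.1f < 1.0.1g and
    2.3.15 < 2.3.15.1, which plain string comparison does not guarantee."""
    pieces = []
    for piece in text.split("."):
        match = _PIECE.match(piece)
        if match is None:
            raise ValueError(f"unsupported version syntax: {text!r}")
        pieces.append((int(match.group(1)), match.group(2)))
    return tuple(pieces)


def is_affected(version: str, lower: Optional[str], fixed: str) -> bool:
    """True when lower <= version < fixed; lower may be None (no lower bound)."""
    current = parse_version(version)
    if lower is not None and current < parse_version(lower):
        return False
    return current < parse_version(fixed)


def find_vulnerable(inventory: List[Dict[str, str]],
                    advisories: List[dict]) -> List[Dict[str, str]]:
    """Cross the inventory with the feed: one finding per (app, component, CVE) match,
    carrying the first fixed version of the branch the shipped version sits on."""
    findings = []
    for item in inventory:
        for advisory in advisories:
            if advisory["component"] != item["component"]:
                continue
            for lower, fixed in advisory["ranges"]:
                if is_affected(item["version"], lower, fixed):
                    findings.append({**item, "cve": advisory["cve"], "fixed_in": fixed})
                    break
    return sorted(findings, key=lambda f: (f["app"], f["component"], f["cve"]))


def report(inventory: List[Dict[str, str]], findings: List[Dict[str, str]]) -> str:
    """Plain-text summary, one line per finding and an explicit line for clean apps."""
    lines = []
    flagged = {f["app"] for f in findings}
    for finding in findings:
        lines.append("{app}: {component} {version} is affected by {cve}, "
                     "upgrade to {fixed_in}".format(**finding))
    for app in sorted({i["app"] for i in inventory} - flagged):
        lines.append(f"{app}: no known vulnerable components")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, find_vulnerable(INVENTORY, ADVISORIES)))
```

Run on the constructed data, the orders-portal application is flagged three times (the Struts library from the demo slides and both OpenSSL issues), while hr-intranet, which ships the fixed releases, comes back clean. The same loop, fed from a real manifest and a real advisory source, is the "monitor security state of components" control in its simplest form; the acceptance process for new components is the same check run before the component is admitted rather than after.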
![Page 30: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/30.jpg)
Recommendations
When a company builds its security model, it usually does not take into account elements that are not under its control, which creates the security hole.
Companies should:
• Implement policies, covering both the legal and technical aspects, to control data access and data usage
• Have processes and controls in place to effectively manage and secure code involving 3rd party components
• Continuously monitor
![Page 31: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/31.jpg)
Wrap Up
![Page 32: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/32.jpg)
Webinar Materials
• Post-Webinar Discussions
• Answers to Attendee Questions
• Webinar Recording Link
Join Group: join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
![Page 33: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/33.jpg)
Questions?
www.imperva.com
![Page 34: Imperva - Hacking encounters of the 3rd kind](https://reader031.vdocument.in/reader031/viewer/2022032214/55a2deaf1a28aba6558b4749/html5/thumbnails/34.jpg)
Thank You