About Me CEO & Co-Founder at Snyk Find & Fix - - PowerPoint PPT Presentation



SLIDE 1

@guypod

Developer as a Malware Distribution Vehicle

Guy Podjarny (@guypod)

SLIDE 2

About Me

  • CEO & Co-Founder at Snyk
  • Find & Fix vulnerabilities in open source dependencies!
  • Founder @Blaze, CTO @Akamai
  • Security work since 1997
  • DevOps & Performance since 2010
  • A Developer
SLIDE 3

Developers are more powerful than ever

SLIDE 4

That can be Dangerous

SLIDE 5

I’m here to tell you a few stories…

SLIDE 6

XcodeGhost

SLIDE 7

The time: September, 2015

SLIDE 8

Xcode: iOS Dev Platform

SLIDE 9

Xcode is BIG… Was 3GB in 2015

SLIDE 10

Xcode downloads in China come from the US and are SLOW

SLIDE 11

Devs use local mirrors

  • Hosted inside the great firewall
  • Much faster to download
  • Found via forums etc
  • And… some contain malware! (dubbed XcodeGhost)

SLIDE 12

XcodeGhost Malware

  • Includes a malicious CoreServices component
  • Component is compiled into the iOS app
  • Submitted to app store, evades detection!
  • Malware spies on users installing the apps

SLIDE 13

XcodeGhost went undetected for 4 months

SLIDE 14

Up to 300 affected apps

  • WeChat (China’s WhatsApp)
  • Didi (China’s Uber)
  • Railway 12306 (Train Tickets)
  • + Dozens of US apps

SLIDE 15

Some apps compromised via a Library

https://possiblemobile.com/2015/11/a-lesson-in-xcode-ghost-third-party-frameworks/

SLIDE 16

Up to 1.4M active victims/day!

http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/

SLIDE 17

Not just in China (DNS queries to evil sites by geo)

http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/

SLIDE 18

Apple cleans up App Store immediately, users take months to update.

https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

SLIDE 19

SLIDE 20

Local Xcode downloads

SLIDE 21

“[CoreServices] is a Mach-O object file that is used by LLVM linker and can’t directly execute in any way”

https://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

SLIDE 22

Developers were a distribution vehicle.

SLIDE 23

XcodeGhost was not the first

SLIDE 24

The year: 2009

SLIDE 25

SLIDE 26

Developers still used Delphi

SLIDE 27

Induc Malware

  • Detects if Delphi is installed
  • Compiles sysconst.pas to a malicious sysconst.dcu
  • Malware added to every program compiled on machine
  • Every execution of Induc compromises local sysconst.dcu

SLIDE 28

Induc ~> XcodeGhost

  • Took longer to find
    • 10 months!
  • Spread faster
    • Kaspersky: “millions of copies”
  • More viral and hard to remove
    • no unofficial downloads, no app store
    • Replicates via compilers, not executables

SLIDE 29

Developers were a distribution vehicle.

SLIDE 30

Induc was not that original either!

SLIDE 31

The year: 1984

SLIDE 32

“Reflections on Trusting Trust”

Ken Thompson, 1984

https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

SLIDE 33

“I would like to present to you the cutest program I ever wrote…”

https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

SLIDE 34

The Ken Thompson Hack

  • Modify C compiler to “miscompile”:
    • Unix login to accept a hard coded password (Trojan 1)
    • C compiler to replicate the trojans (Trojan 2)
    • Disassembler to hide the trojans (Trojan 3)
  • Remove the trojans’ code from the source code

Originally described by Karger and Schell in 1974 (dubbed the Multics vulnerability)

SLIDE 35

If this happened, how would you find out?

“Solution” by David Wheeler, 2005: two independent compilers producing bit-identical output
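Wheeler's check, as an added worked model that is not part of the talk and not Thompson's or Wheeler's code: a compiler binary is represented by a constructed data value (the source it was built from plus a trojan flag) and equality of two values stands in for bit-identical output, so the self-reproducing trojan can be shown to survive a clean source yet fail diverse double-compilation.

```python
from dataclasses import dataclass

# Constructed model, not Thompson's or Wheeler's code: a "binary" is described by
# the source it was built from plus whether it carries the trojan, and equality of
# two Binary values stands in for "bit-identical output".
@dataclass(frozen=True)
class Binary:
    built_from: str
    trojaned: bool = False

COMPILER_SRC = "cc source (clean, trojan already removed)"   # assumed stand-in
LOGIN_SRC = "login source"                                   # assumed stand-in

def run(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source`. A clean compiler translates faithfully. A trojaned
    one recognises login (Trojan 1) and its own source (Trojan 2) and re-inserts the
    payload, so the payload survives rebuilds although the source no longer has it."""
    if compiler.trojaned and source in (LOGIN_SRC, COMPILER_SRC):
        return Binary(source, trojaned=True)
    return Binary(source)

def diverse_double_compile(suspect: Binary, trusted: Binary, compiler_src: str) -> bool:
    """Wheeler's DDC check. Rebuild the compiler from compiler_src with an independent
    trusted compiler (stage 1), then rebuild it again with stage 1 (stage 2). If the
    suspect binary really corresponds to compiler_src, its own rebuild of that source
    must be bit-identical to stage 2; a hidden self-reproducing payload breaks that."""
    stage1 = run(trusted, compiler_src)
    stage2 = run(stage1, compiler_src)
    return run(suspect, compiler_src) == stage2

CLEAN_CC = Binary(COMPILER_SRC)
TROJANED_CC = Binary(COMPILER_SRC, trojaned=True)
TRUSTED_CC = Binary("independent compiler source")   # e.g. a second vendor's compiler

if __name__ == "__main__":
    print("clean cc passes DDC:   ", diverse_double_compile(CLEAN_CC, TRUSTED_CC, COMPILER_SRC))
    print("trojaned cc passes DDC:", diverse_double_compile(TROJANED_CC, TRUSTED_CC, COMPILER_SRC))
    print("login built by trojaned cc is backdoored:", run(TROJANED_CC, LOGIN_SRC).trojaned)
```

Note that both compilers are rebuilt from the same, clean COMPILER_SRC: source review alone finds nothing, and only the comparison against the independently built stage 2 exposes the difference.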

SLIDE 36

“I picked on the C compiler. I could have picked on any program-handling program … As the level of program gets lower, these bugs will be harder and harder to detect”

SLIDE 37

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”

SLIDE 38

Who here totally created their code?

SLIDE 39

https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

SLIDE 40

Back to today…

SLIDE 41

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

SLIDE 42

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

SLIDE 43

Malicious PyPi packages (2017)

SLIDE 44

Malicious npm packages (2017, 2018)

SLIDE 45

RubyGems Hacked (2013, 2016)

SLIDE 46

Malicious Docker Images (June 2018) - THIS MONTH

https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

SLIDE 47

These are the ones we know about

SLIDE 48

Injecting Vulnerability into Angular.js (2015)

  • Mario Heiderich fixed a bug in Angular… and introduced a vulnerability!
  • Angular accepted the “fix”
  • Google security team blocked release

https://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs/54

SLIDE 49

How often are vulnerabilities intentional?

https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/

SLIDE 50

Developers were a distribution vehicle.

SLIDE 51

The pace of shipping code is skyrocketing

SLIDE 52

Our users Trust the code we ship

SLIDE 53

From Code to Systems & Data

SLIDE 54

Developers access production systems daily

SLIDE 55

Developers access user data daily

SLIDE 56

That can be Dangerous

SLIDE 57

The Syrian Electronic Army and the Financial Times

SLIDE 58

1. Phishing email to employees who had publicly shared their email

Masked link to an attacker controlled compromised site

SLIDE 59

2. Link redirects to spoofed FT Single Sign-on page (for Google Apps)

Some users entered their passwords…

SLIDE 60

3. Attackers use compromised accounts to email more FT users, this time from an FT email address

More users are compromised…

SLIDE 61

4. IT finds out, sends warning email to all.

Attackers send identical email - with evil links

SLIDE 62

5. Attackers gain access to several official Twitter accounts and the blog

https://www.telegraph.co.uk/technology/twitter/10064184/Financial-Times-hacked-by-Syrian-Electronic-Army.html

SLIDE 63

“A sobering day” by Andrew Betts, a compromised FT developer

https://labs.ft.com/2013/05/a-sobering-day/

SLIDE 64

“Developers might well think they’d be wise to all this – and I thought I was.”

https://labs.ft.com/2013/05/a-sobering-day/

SLIDE 65

Developers were the 2nd most likely to click a link in a phishing email

Internal Salesforce Phishing Test run by Masha Sedova (@modMasha)

https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

SLIDE 66

Compromising a high privileged developer is hitting the jackpot

SLIDE 67

The Uber Hack of 2016

SLIDE 68

Attackers accessed details of 600,000 Uber drivers and “some personal info” of 57M Uber users

SLIDE 69

Uber paid $100,000 ransom disguised as a bug bounty

SLIDE 70

Uber didn’t report the breach for a FULL YEAR (until Nov, 2017)

SLIDE 71

Uber Hack Details

  • Dev pushed S3 tokens to private github.com repo
  • Attackers gained access to repo, stole tokens
  • Uber was not using 2FA
  • Attackers used token to steal info from S3
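A pre-commit style check for the mistake behind slide 71, as an added example that is not from the talk, from Uber or from any real hook: it scans staged "path:content" lines for AWS access key IDs and keyword-anchored 40-character secrets, using AWS's documented example key values as constructed sample input (the file paths, the line format and the 3.5-bit entropy cut-off are assumptions).

```python
import math
import re
from collections import Counter

# Constructed sample of "path:content" lines as a pre-commit hook would see them.
# The key values are AWS's documented example credentials, not live ones.
STAGED_LINES = [
    "config/prod.yml:aws_access_key_id: AKIAIOSFODNN7EXAMPLE",
    "config/prod.yml:aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "src/storage.py:BUCKET = 'driver-documents'",
    "README.md:export AWS_SECRET_ACCESS_KEY=<paste your secret here>",
]
# Long-lived IAM user keys start with AKIA; auto-expiring STS keys start with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-style characters; anchoring on a "secret"
# keyword plus an entropy check keeps ordinary strings from tripping the hook.
SECRET_KEY_RE = re.compile(
    r"secret[_a-z]*\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])", re.I)

def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]   # enough to locate it, never the whole key

def scan_line(content: str) -> list:
    """Return (kind, redacted_value) findings for one line of staged content."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(content):
        kind = "temporary-access-key-id" if m.group(1) == "ASIA" else "long-lived-access-key-id"
        findings.append((kind, redact(m.group(0))))
    for m in SECRET_KEY_RE.finditer(content):
        if shannon_entropy(m.group(1)) >= 3.5:   # assumed cut-off, in bits per character
            findings.append(("secret-access-key", redact(m.group(1))))
    return findings

def scan_staged(lines) -> list:
    """Scan every staged 'path:content' line; any finding should fail the commit."""
    results = []
    for line in lines:
        path, _, content = line.partition(":")
        for kind, value in scan_line(content):
            results.append((path, kind, value))
    return results

if __name__ == "__main__":
    for path, kind, value in scan_staged(STAGED_LINES):
        print(f"BLOCKED {path}: {kind} {value}")
```

The ASIA/AKIA distinction matters for the "auto-expire AWS tokens" lesson: a leaked long-lived AKIA key stays valid until someone rotates it, while a leaked STS key expires on its own.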
SLIDE 72

“we immediately instituted multifactor authentication on Github. We then subsequently ceased using GitHub except for items like open source code”

SLIDE 73

Uber Hack of 2014

  • Dev stored sensitive URL in public github.com gists
  • Attacker accessed data in May, 2014
  • “Only” 50,000 drivers exposed that time
  • Uber discovered breach in September, 2014
  • Uber notified drivers in February, 2015

SLIDE 74

Developers can access Extremely Sensitive Data and expose it too often

(Sources: Chalker, 2015; Dan Godin, 2013)

SLIDE 75

These stories are just a few examples of MANY

SLIDE 76

Developers are more powerful than ever

SLIDE 77

With Great Power comes Great Responsibility

SLIDE 78

Why are developers falling for these?

SLIDE 79

https://www.youtube.com/watch?v=fDryj_9I5eM

Rachel Ilan Simpson (@rilan), Guy Podjarny (@guypod)

SLIDE 80

Why do people make insecure decisions?

  • Different motivations
  • Cognitive Limitations
  • Lack of Expertise

SLIDE 81

Why do developers make insecure decisions?

  • Different motivations
    • Our goal is improved functionality, security is just a constraint
  • Cognitive Limitations
    • We move fast, and sometimes break things - including security
  • Lack of Expertise
    • We often don’t understand the security implications of our decisions

SLIDE 82

Developers are also Over Confident

SLIDE 83

“I find training developers, actually to be much harder than regular employees”

Masha Sedova (@modMasha)

https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

SLIDE 84

“there's a certain amount of arrogance associated with, "I already know this," or "I'm smarter than this."”

Masha Sedova (@modMasha)

https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

SLIDE 85

“Most developers that I talk to, specifically, don't actually believe security is an issue that happens at their company”

Masha Sedova (@modMasha)

https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

SLIDE 86

Security breaches can happen to You

SLIDE 87

You are Trustworthy but Not Infallible

SLIDE 88

How can we Mitigate this risk?

SLIDE 89

Learn lessons from Past Incidents

SLIDE 90

Automate Security Controls

  • Apple: Malware detection in app store
  • npm: Malicious package detection in registry
  • FT: 2FA on SSO Page
  • Uber: 2FA on GitHub.com, then move to self hosted git

SLIDE 91

Make it Easy to be Secure

  • Apple: Stand up fast local Xcode download mirrors
  • FT: “Reducing and removing privileges more aggressively”
  • Uber: Auto-expire AWS tokens
  • npm/PyPi/Docker: Flag/block malicious packages

SLIDE 92

Developer Education

  • Apple: Encourage dev to validate Xcode Download
  • npm: Blog about malicious packages & typosquatting
  • FT: “set clearer expectations of security standards”
  • Angular: Require 2 expert reviewers for sensitive code

SLIDE 93

Caring about security
Ease of being secure

SLIDE 94

Manage Access Like a Tech Giant

SLIDE 95

Google BeyondCorp

https://cloud.google.com/beyondcorp/

SLIDE 96

BeyondCorp in a nutshell

  • All access done via a corporate proxy
    • Eliminates trusted network
  • Proxy grants access per user & device
    • No more static credentials
  • Access is logged and monitored
    • Anomalies can be detected during or after actions

https://www.slideshare.net/fortyfivan/beyondcorp-sf-meetup-closing-the-adherence-gap

SLIDE 97

https://cloud.google.com/beyondcorp/

SLIDE 98

Microsoft Privileged Access Workstations (PAW)

SLIDE 99

PAWs in a nutshell

  • Access to production requires a secure machine
    • With strict controls and no further internet access
  • Your “Desktop” runs as a VM on the machine
    • Running a secure VM in an insecure host isn’t enough
  • Optionally a “Guarded Host” can host both VMs
    • Allows more flexibility and routine updates to the PAW

https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

SLIDE 100

Detailed PAW Guidance (windows centric)

https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

  • PAW deployment guide
  • Why use shielded VM for PAW?
  • How to deploy VM template for PAW
  • Building VM template for PAW
  • Connect to VMs on PAW
  • Shielded VM local mode vs HGS mode
  • How to build the PAW host

SLIDE 101

Netflix - BLESS

SLIDE 102

QCon NYC 2017 Talk!

https://www.infoq.com/presentations/bless-security-ops-ssh

SLIDE 103

BLESS in a nutshell

  • Central SSH Certificate Authority (Lambda based)
    • Centrally manage keys & track SSH permissions per user/system
    • Instances trust CA instead of managing keys
  • Dev SSH via a Bastion (jump host) server
    • Lyft uses BLESS server to manage SSH access to Bastion too
    • Bastion manages access per BLESS Server instructions
    • Logs access & can enforce custom rules (e.g. allowed source IP)

https://www.infoq.com/presentations/bless-security-ops-ssh

SLIDE 104

More on Netflix BLESS

https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

  • GitHub repo: https://github.com/Netflix/bless
  • Lyft on using BLESS for Bastion access: https://eng.lyft.com/blessing-your-ssh-at-lyft-a1b38f81629d
  • Bryan Payne's QCon NYC talk: https://www.infoq.com/presentations/bless-security-ops-ssh

SLIDE 105

Controlling access makes Security easier

SLIDE 106

Beyond learning from others, Ask Questions!

SLIDE 107

When someone asks for access, Challenge It

SLIDE 108

What happens if you don’t allow access? Or only grant partial access?

SLIDE 109

How Urgently is access needed?

SLIDE 110

How long is access needed for?

SLIDE 111

How bad would it be if this access was Compromised?

SLIDE 112

If access was compromised, How would you find out? And how quickly?

SLIDE 113

If access was compromised, What would you do?

SLIDE 114

Agility vs Safety

SLIDE 115

Developers are a lucrative target and attackers know it

SLIDE 116

Users Trust You

SLIDE 117

Care about user safety even if it’s hard

SLIDE 118

Don’t be a Malware distribution vehicle

SLIDE 119

Developer as a Malware Distribution Vehicle

Guy Podjarny (@guypod)

Thank You!