Page 1

© 2014 Imperva, Inc. All rights reserved.

Hacking Encounters of the 3rd Kind

Looking Into the Security Impact of 3rd Party Software


Barry Shteiman, Director of Security Strategy, Imperva

Page 2

Agenda

Introduction

What is 3rd party software

Latest examples

Hacking of a known component

Addressing the problem

Wrap up

Page 3

Barry Shteiman, Director of Security Strategy

• Security Researcher working with the CTO office

• Author of several application security tools, including HULK

• Open source security projects code contributor

• Twitter: @bshteiman

Page 4

What Is 3rd Party Software

Page 5

3rd Party Software Defined

A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.

Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component

Page 6

Identified by Type

• Software created by a 3rd party supplier

• Software components created by a 3rd party

• Infrastructure/Software as a service

Page 7

Adoption

According to Veracode:

• “Up to 70% of internally developed code originates outside of the development team”

• 28% of assessed applications are identified as created by a 3rd party

Chart: Applications by supplier type

Internally Developed  72%
Commercial            18%
Open Source            9%
Outsourced             1%

Page 8

Pros vs. Cons

Pros:

• Reduced development time and cost

• Smaller R&D team is required

• Mature solution used by many

Cons:

• Delayed/no SLA on patches

• SDLC gap: the component is not built under your own secure development process

• Patches may introduce new bugs

Page 9

OWASP Top 10 2013, A9: “Using Components with Known Vulnerabilities”

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Source: OWASP Top 10 2013 Whitepaper

Page 10

What’s Vulnerable?

Aspect Security study:

“A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”

Source: Aspect Security’s study “Understanding Security Risks in OSS Components”

Page 11

Landscape Impact

Secunia: 1,208 vulnerabilities in the 50 most popular programs, 76% of them from third-party programs.

Source: Secunia Vulnerability Review 2014, http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389

Page 12

Into the Wild

Looking Into Recent Incidents

Page 13

A Social Experiment

Source: Topsy social analytics

Page 14

Ever Seen a Bleeding Server?

Heartbleed (CVE-2014-0160)

• A bug in OpenSSL’s TLS heartbeat extension that lets a remote client read up to 64 KB of server memory per request, directly and without leaving a trace in the application logs

• OpenSSL is used by web servers, network appliances, and client software packages

• Apache and nginx, both of which typically link against OpenSSL, together served over 66% of active sites (Netcraft, April 2014)

Sources:

- Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html

- Heartbleed.com
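The length check behind Heartbleed, shown here as an added Python example that is not code from the deck or from OpenSSL. A TLS heartbeat message (RFC 6520) is a type byte, a two-byte payload length, the payload, then at least 16 bytes of padding. Unpatched OpenSSL copied as many payload bytes as the length field claimed, so a request that claims more than it sent gets back whatever followed the record in memory; 1.0.1g added the check against the actual record length. The adjacent memory contents and the requests below are constructed for the demonstration.

```python
"""Heartbleed (CVE-2014-0160) reduced to its missing length check.

Added example, not code from the deck or from OpenSSL. The "adjacent memory"
and the heartbeat requests are constructed for the demonstration.
Heartbeat message (RFC 6520): type (1) | payload_length (2, big-endian) |
payload | padding (at least 16 bytes).
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may lie about the payload size."""
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack("!H", claimed_len)
            + payload
            + b"\x00" * MIN_PADDING)


def vulnerable_response(record: bytes, adjacent_memory: bytes) -> bytes:
    """OpenSSL 1.0.1 through 1.0.1f: trust the 2-byte length field and copy that
    many bytes starting at the payload, with no check against the record length.
    `adjacent_memory` stands in for whatever followed the record in the heap."""
    payload_len = struct.unpack("!H", record[1:3])[0]
    heap = record + adjacent_memory             # the record sits at the start of a heap buffer
    echoed = heap[3:3 + payload_len]            # may run past the record into other data
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_response(record: bytes, adjacent_memory: bytes):
    """OpenSSL 1.0.1g: silently discard (RFC 6520 section 4) when header plus the
    claimed payload plus minimum padding exceeds the record actually received."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    payload_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    echoed = record[3:3 + payload_len]          # bounded by the record, never by the claim
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * MIN_PADDING


# Constructed stand-in for data that happened to sit next to the record in server memory.
ADJACENT_MEMORY = b"...Cookie: session=abc123; Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==..."


def demo() -> dict:
    honest = build_heartbeat(b"ping", 4)
    lying = build_heartbeat(b"ping", 4 + 60)    # claims 60 bytes it never sent
    return {
        "vulnerable_honest": vulnerable_response(honest, ADJACENT_MEMORY),
        "vulnerable_lying": vulnerable_response(lying, ADJACENT_MEMORY),
        "fixed_honest": fixed_response(honest, ADJACENT_MEMORY),
        "fixed_lying": fixed_response(lying, ADJACENT_MEMORY),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name:18} -> {resp!r}")
```

The honest request gets the same four-byte echo from both versions; the lying request gets the session cookie back from the vulnerable handler and nothing at all from the fixed one, which is exactly what the one added comparison buys.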

Page 15

But I Can Patch It! Can’t I?

ChangeCipherSpec injection (CVE-2014-0224): two months after Heartbleed, OpenSSL needed another round of emergency patching. The handshake did not check when a ChangeCipherSpec message was acceptable, so a man-in-the-middle could inject one early and force both sides onto weak keying material. Patching a component once does not end the exposure; the patch cycle repeats for as long as the component is in use.

Page 16

3rd Party Code Driven Incidents

Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/

WordPress plugin vulnerabilities… a petri dish.

Page 17

From Our Own Threat Advisories

Page 18

Show Me More

Hacking of a Known Component

Page 19

Zero-Days vs. Known Vulnerabilities

Zero-days get all the glory

• Technically interesting

• Give rise to some interesting theoretical questions: how do you defend against the “unknown unknowns”?

But known vulnerabilities are doing a lot of the damage

• They give attackers a very cost-effective way to exploit applications: the vulnerability, the affected versions and often a working exploit are all public, and unpatched installations are easy to find

Page 20

Hacking a Known Component

Apache Tomcat, running the Apache Struts 2 library. The target server is running a couple of applications that use the Struts library.

Page 21

Hacking a Known Component

Struts2 showcase application, running with the Struts2 library.

Page 22

Hacking a Known Component

Let’s find ourselves a nice exploit for Struts.

Source: www.exploit-db.com

The Apache Software Foundation hosts many Java web projects; Struts is among the most widely deployed web frameworks, which is why public exploits for it are easy to come by.

Page 23

Let’s Attack Apache Struts

CVE of the day: CVE-2013-2251 (Struts S2-016), an OGNL injection reachable through the action:, redirect: and redirectAction: parameter prefixes handled by DefaultActionMapper in Struts 2.0.0 through 2.3.15 (fixed in 2.3.15.1). Now we need an exploit!

Page 24

Remote Code Execution

[Screenshot callouts, in order: Attempting Remote Code Injection; Injection Complete; Hacker now owns the server. PWN3D!]
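A detection check for the CVE-2013-2251 pattern over web server access logs, as an added example that is not from the deck and not an Imperva product rule. S2-016 is reached through the `action:`, `redirect:` and `redirectAction:` parameter prefixes with an OGNL expression in the value, so the signature below is a prefixed parameter name plus `${` or `%{` after one round of URL decoding. The log lines are constructed and carry harmless expressions where a real payload would be.

```python
"""Detecting CVE-2013-2251 (Struts 2, S2-016) attempts in access logs.

Added example; not code from the deck and not an Imperva product rule.
The log lines are constructed. S2-016 is OGNL injection through the
action:, redirect: and redirectAction: parameter prefixes that Struts'
DefaultActionMapper evaluated before 2.3.15.1, so the signature is a
prefixed parameter carrying an OGNL expression (`${...}` or `%{...}`).
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined log format, parsed up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[$%]\{")


def is_s2_016_attempt(target: str) -> bool:
    """True when a query parameter name starts with a Struts mapper prefix and the
    decoded parameter contains an OGNL expression. Decodes one layer of URL
    encoding; a double-encoded payload needs the decode repeated."""
    query = urlsplit(target).query
    for raw_param in query.split("&"):          # split before decoding so an encoded '&' stays inside its parameter
        param = unquote_plus(raw_param)
        name = param.split("=", 1)[0]
        if name.startswith(STRUTS_PREFIXES) and OGNL_MARKER.search(param):
            return True
    return False


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, request target) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # unparsable line; count these separately in production
        if is_s2_016_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample: a normal request, a plain redirect: use without OGNL, and
# two injection attempts with harmless expressions standing in for a real payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:10:01:13 +0000] "GET /struts2-showcase/showcase.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2014:10:02:01 +0000] "GET /index.action?redirect:/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:02:15 +0000] "GET /struts2-showcase/showcase.action?redirect:%24%7B%23context%5B%27x%27%5D%3D1%7D HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2014:10:03:44 +0000] "GET /orders.action?action:%25%7B3*4%7D HTTP/1.1" 200 3901 "-" "python-requests/2.2.1"
"""

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts}  {ip}  {target}")
```

Legitimate use of these prefixes is rare after the fix, so a stricter rule could alert on any prefixed parameter at all; the check here deliberately keeps the plain `redirect:/login.jsp` form quiet to show where the line is drawn. It also only sees what the access log records: the same parameters in a POST body need a WAF or full request logging in front of the application, which is the compensating-control point made later in the deck.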

Page 25

Botnets Are Targeting Known Components

Recently observed:

• Botnets scan public servers for vulnerabilities

• Inject hijack/drive-by code into vulnerable systems

• Onboard hijacked systems into the botnet

Page 26

From a Botnet Communication

Botnet operator uses zombies to scan sites for vulnerabilities.

* As observed by Imperva’s ADC Research Team

Page 27

From a Botnet Communication

Botnet exploits vulnerabilities and absorbs victim servers.

* As observed by Imperva’s ADC Research Team

Page 28

Addressing the Problem

Page 29

Explore the Options

1. Don’t use 3rd party components?

2. Use 3rd party components, responsibly

• Identify 3rd party components; track versions and dependencies

• Monitor the security state of components

• Continuously pentest the application that includes third party components

• Create an acceptance process for new components which includes security validation

• Disable unused functionality

• Introduce compensating controls, such as Web Application Firewalls, to reduce risk
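The first two bullets (identify components and track their versions, then monitor their security state) in code, as an added example that is not from the deck or from an Imperva product: a jar inventory for a Java web application’s WEB-INF/lib, matched against a known-vulnerable version range. The jar listing is constructed; the one advisory entry is CVE-2013-2251 from the deck, which affects Struts 2.0.0 up to but not including 2.3.15.1. A real inventory would read versions from MANIFEST.MF or pom.properties when the file name carries none, and would load advisories from NVD or a similar feed instead of a hard-coded list.

```python
"""Component inventory for a Java web application.

Parse jar names under WEB-INF/lib into (artifact, version) and flag versions
inside a known-vulnerable range. Added example, not code from the deck or an
Imperva product. The jar list is constructed; the single advisory is
CVE-2013-2251 from the deck (Struts 2.0.0 up to, not including, 2.3.15.1).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Advisory(NamedTuple):
    artifact: str
    cve: str
    first_affected: Version
    fixed_in: Version  # exclusive upper bound


# One real entry; a production inventory pulls this from NVD or a similar feed.
ADVISORIES: List[Advisory] = [
    Advisory("struts2-core", "CVE-2013-2251", (2, 0, 0), (2, 3, 15, 1)),
]

# artifact-1.2.3[.GA|-SNAPSHOT ...].jar ; the artifact itself may contain hyphens.
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)*\.jar$"
)


def parse_version(text: str) -> Version:
    """'2.3.15' -> (2, 3, 15); tuples compare element-wise, so (2,3,15) < (2,3,15,1)."""
    return tuple(int(part) for part in text.split("."))


def parse_jar_name(filename: str) -> Optional[Tuple[str, Version]]:
    """'struts2-core-2.3.15.jar' -> ('struts2-core', (2, 3, 15)); None when no version is present."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def inventory(filenames: List[str]) -> Tuple[Dict[str, Version], List[str]]:
    """Split jar names into versioned components and an 'unknown' list that still
    needs manual identification; an unidentified jar is a gap, not a pass."""
    known: Dict[str, Version] = {}
    unknown: List[str] = []
    for name in filenames:
        parsed = parse_jar_name(name)
        if parsed is None:
            unknown.append(name)
        else:
            known[parsed[0]] = parsed[1]
    return known, unknown


def find_vulnerable(components: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """(artifact, version, cve) for every component whose version falls in an advisory range."""
    findings = []
    for adv in ADVISORIES:
        version = components.get(adv.artifact)
        if version is not None and adv.first_affected <= version < adv.fixed_in:
            findings.append((adv.artifact, ".".join(map(str, version)), adv.cve))
    return findings


# Constructed WEB-INF/lib listing resembling a Struts 2 showcase deployment; not a real server.
SAMPLE_LIB = [
    "struts2-core-2.3.15.jar",
    "xwork-core-2.3.15.jar",
    "ognl-3.0.6.jar",
    "freemarker-2.3.19.jar",
    "javassist-3.11.0.GA.jar",
    "commons-lang3-3.1.jar",
    "legacy-utils.jar",          # no version in the name: must be identified by hand
]

if __name__ == "__main__":
    comps, unknown = inventory(SAMPLE_LIB)
    for artifact, version, cve in find_vulnerable(comps):
        print(f"VULNERABLE   {artifact} {version}: {cve}")
    for name in unknown:
        print(f"UNIDENTIFIED {name}")
```

The unidentified list matters as much as the findings: a jar the inventory cannot put a version on is not clean, it is an untracked component, and that is where the SDLC gap from the pros-and-cons slide lives in practice.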

Page 30

Recommendations

When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole.

Companies should:

• Implement policies, both legal and technical, to control data access and data usage

• Have processes and controls in place to effectively manage and secure code involving 3rd party components

• Continuously monitor

Page 31

Wrap Up

Page 32

Webinar Materials

• Post-Webinar Discussions

• Answers to Attendee Questions

• Webinar Recording Link

• Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 33

Questions?

www.imperva.com

Page 34

Thank You