Does Heartbleed & Shellshock mean that Free Software security is broken? Paul Harper GCIH MA Student Kings College London Department of War Studies [email protected] http://about.me/pauljamesharper

Does Heartbleed & Shellshock mean that Free Software security is broken?

Paul Harper GCIH

MA Student

Kings College London

Department of War Studies

[email protected]

http://about.me/pauljamesharper

Is Free Software security broken?

● Some advocates of proprietary software argue that the existence of Heartbleed and Shellshock proves that Free Software security is broken.

● They say it disproves Linus's Law.

Linus's Law

● Coined by Eric S. Raymond

● "Given enough eyeballs, all bugs are shallow."

● "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone."

Heartbleed

● CVE-2014-0160

● Affects the cryptography of OpenSSL's Transport Layer Security (TLS) implementation

● OpenSSL is widely used on the Internet

● OpenSSL only has two [full-time] people to write, maintain, test, and review 500,000 lines of business-critical code

● More Info: http://heartbleed.com/

ShellShock

● Affects Bash (Bourne Again Shell)

● Initial report was CVE-2014-6271

● Five more CVEs found.

● Allows remote code execution

● Default on most Unix/Linux systems including OS X.

● Bug is 20 years old.

● “Internet of Things” embedded devices tend to use BusyBox but many developers prefer Bash.

ShellShock and Heartbleed are being exploited now.

● Nmap NSE scripts are available.

● Metasploit modules are available.

● In August 2014 Community Health Systems was breached by exploiting Heartbleed, compromising the confidentiality of millions of patient records.

● On 6 October Yahoo! servers had been compromised in an attack related to Shellshock.

Were ShellShock and Heartbleed exploited before the CVE announcements?

● The NSA says no!

● Security researchers have not found any indications in logs of Heartbleed or Shellshock being exploited prior to the announcements.

● If they were exploited by governments it was probably not on a mass scale.

Does this mean Free Software security is broken?

● Your software freedom does not guarantee bug-free code, and neither does proprietary software.

● But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem.

● In the case of ShellShock, security researchers were able to find five more CVEs after the first vulnerability.

Proprietary Software

● “Once we found this one bug we now find five more. The only reason we were able to do that was because the code was open source... If it would have been closed source we would have found only one because we couldn't look.”

- Chris Thomas, Strategist at Tenable Network Security

National Sovereignty

● Microsoft has been proven to be providing “Zero Days” to the US Government?

● NSA has been proven to be tampering with Cisco routers

● Have you checked to see if your routers phone home?

What can I do?

● A good starting point is the Australian Signals Directorate Top 4 Mitigations in a Linux environment

● At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in the Strategies to Mitigate Targeted Cyber Intrusion

● Available on ASD website.

Top 4 Mitigations

1. Application whitelisting (Difficult – no mechanism to perform application whitelisting has been implemented in either the core Linux kernel or popular Linux distributions)

● Commercial solutions

● SELinux or AppArmor policies

● Custom Linux security modules

2. Application and operating system patching

3. Minimising the number of users with administrative privileges

4. General system hardening for Linux

● If you are using Suricata or Snort IDS there are signatures.
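One way to put the same idea to use on the web-server side, as an added example that is not part of the slides: a small Python scanner that reads Apache/nginx combined-format access logs and flags requests whose attacker-controlled header fields carry the Bash exported-function prefix that every Shellshock variant begins with, which is what the Snort/Suricata signatures look for. The log format, field names and the three sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" access log format. The request line, Referer and
# User-Agent are the fields a CGI handler exports into the child's environment,
# so these are where a Shellshock probe lands. (Format is an assumption.)
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Every Shellshock payload starts with Bash's exported-function prefix "() {";
# whitespace varies between variants, hence \s*. Like the IDS signatures this
# flags probes as well as successful exploitation, so treat hits as leads.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; {} if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else {}


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit (ip, time, offending field) per log line carrying the prefix."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if not rec:
            continue  # unparsable line; a production scanner would count these
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "time": rec["time"], "field": field})
                break
    return hits


# Constructed sample: one ordinary request, one probe in the User-Agent and one
# in the Referer. The text after the prefix is a harmless marker, not a payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:14:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe-marker"',
    '198.51.100.9 - - [25/Sep/2014:10:14:09 +0000] "GET /index.html HTTP/1.1" 404 0 "() {:;}; echo probe-marker" "curl/7.30"',
]

if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} shellshock prefix in {h['field']}")
```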

Don't believe anything I have told you!

● “Never delegate responsibility for your own personal safety.” - Rory Miller, SWAT trainer.

● Use the Scientific Method like Clifford Stoll did to catch The Cuckoo's Egg hacker.

Demo

Demonstration

Questions and Discussion?

References

● Shellshock proves open source's 'many eyes' can't see straight: http://www.infoworld.com/article/2689233/security/shellshock-proves-open-source-many-eyes-wrong.html

● Linus's Law: http://en.wikipedia.org/wiki/Linus's_Law

● The Heartbleed Bug: http://heartbleed.com/

● Free Software Foundation statement on the GNU Bash "shellshock" vulnerability: https://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

● What Heartbleed means for Free Software: http://blogs.fsfe.org/samtuke/?p=718

● Security Weekly: Shellshock Overview / Stories of the Week: https://www.youtube.com/watch?v=SuqdqaTmiIw&list=UUtzOhHovEkcX3MKUbC9_zBQ

● Everything you need to know about the Shellshock Bash bug: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

● The anatomy of a Shellshock attack in the wild: http://www.troyhunt.com/2014/10/the-anatomy-of-shellshock-attack-in-wild.html

● How Can Any Company Ever Trust Microsoft Again?: http://www.computerworlduk.com/blogs/open-enterprise/how-can-any-company-ever-trust-microsoft-again-3569376/

● Photos of an NSA “upgrade” factory show Cisco router getting implant: http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

● Jacob Appelbaum: NSA aims for absolute surveillance - ITWEB SECURITY SUMMIT 2014 (interesting discussion regarding Free Software and Hardware in developing countries): https://www.youtube.com/watch?v=FScSpFZjFf0

● The Top 4 in a Linux Environment: http://www.asd.gov.au/publications/csocprotect/top_4_mitigations_linux.htm

● Security hardening on Ubuntu Server 14.04: http://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/

● Hardening CentOS 6.*: http://wiki.centos.org/Events/Dojo/Madrid2013?action=AttachFile&do=get&target=Hardening_CentOS.pdf

● Everything you need to know about the Shellshock bug: http://blog.pluralsight.com/about-the-shellshock-bug

● ‘Bash Bug’ giving you Shellshock? CVE-2014-6271 update (has the Suricata/Snort signatures): http://www.percona.com/blog/2014/09/26/bash-bug-giving-you-shellshock-cve-2014-6271-update/

● The KGB, the Computer, and Me (how Clifford Stoll used the scientific method to solve computer crime): https://www.youtube.com/watch?v=EcKxaq1FTac

● Cooking the Cuckoo's Egg (why this 1980s case is still relevant): http://taosecurity.blogspot.com/2011/04/cooking-cuckoos-egg.html