Internet security: a landscape of unintended consequences
0 likes447 views
The document discusses various cybersecurity vulnerabilities and attack methods, specifically focusing on issues related to memory safety and exploitation techniques in software. It highlights the importance of being prepared for breaches with incident response plans and critiques common security practices. Additionally, it addresses evolving security landscapes, emphasizing the need for secure programming practices and proactive monitoring.
Internet security: a landscape of unintended consequences
- 2. Perimeter Security Motte and Bailey Castles www.primaryhomeworkhelp.co.uk/castles/motteandbailey.htm
- 6. + “ActionScript” + RTMP (two way audio-video)
- 10. Common Vulnerabilities and Exposures 2001-2019 1172
- 11. 2001-2019 CVE reports 1172 Flash Player 1999 Internet Explorer 2033 Chrome 2442 Firefox
- 12. 2001-2019 CVE reports 1172 Flash Player 1999 Internet Explorer 2033 Chrome 2442 Firefox number is not significant indicator
- 14. Memory Safety CVEs 337 memory corruption 262 use after free 116 buffer overflow 35 integer overflow 17 out-of-bounds read 9 heap.overflow 8 null pointer dereference 5 double free 4 bounds checking 3 out of bounds memory read 3 improper memory access 2 out-of-bounds write 1 invalid pointer dereference
- 15. Memory Safety CVEs 337 memory corruption 262 use after free 116 buffer overflow 35 integer overflow 17 out-of-bounds read 9 heap.overflow 8 null pointer dereference 5 double free 4 bounds checking 3 out of bounds memory read 3 improper memory access 2 out-of-bounds write 1 invalid pointer dereference “allows remote attackers to execute arbitrary code via a crafted font” “allows remote attackers to execute arbitrary code via crafted streaming media” “allows remote attackers to execute arbitrary code via a crafted SWF file”
- 16. long a = (long)b;
- 17. Unexpected Context ...spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet. ...allows remote attackers to cause victims to unknowingly click on a link or dialog via access control dialogs disguised as normal graphical elements, as demonstrated by hijacking the camera or microphone
- 18. Unexpected Context ⇒ Parsing / Validation not properly validate malformed header overflow type confusion object confusion does not verify a member element's size wide characters untrusted input xml script interpret jar: URLs CRLF injection modify HTTP headers
- 19. https://github.com/envoyproxy/envoy/issues/7728 Recent vulnerabilities in URL parsing...
- 20. https://go-review.googlesource.com/c/go/+/189258/ Recent vulnerabilities in URL parsing...
- 21. Your implementation is your API.
- 22. Your implementation is your API. (not your docs)
- 23. The dark ages Web is for content Physical networks Perimeter security HTTPS is expensive
- 36. The dark ages Web is for content Physical networks Perimeter security HTTPS is expensive The modern era PII + finance + real-world Bot armies Supply chain attacks Cloud native Ubiquitous crypto
- 40. The world is changing. Fundamentals are the same.
- 43. 1. Install malware that steals credentials 2. Exploit a web application vulnerability 3. Steal access token from domain admins 4. Run code to find computers on the network 5.SQL database ⇒ 70M PII 6.PoS, custom malware ⇒ 40M credit cards 7. Create network share for stolen data 8. Exfiltrate data via FTP ⇒ success 8 vulnerabilities https://www.cio.com/article/2600345/11-steps-attackers-took-to-crack-target.html
- 44. The initial penetration point is not the story, because eventually you have to assume you're going to get breached... You cannot assume otherwise. You have to be prepared and have an incident response plan for what to do when you are breached. The real problem arises when malware is able to enable an attacker to penetrate deeper into the network." — Tal Be'ery, Aorato Lead Researcher https://www.cio.com/article/2600345/11-steps-attackers-took-to-crack-target.html
- 45. Plot to steal cryptocurrency foiled by npm security Popular pattern 1. publish a “useful” package 2. waiting until in use by the target, 3. update to include malicious code.. It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions...before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using. — komodoplatform.com/update-agama-vulnerability https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
- 46. What’s new today? Scale Everything is connected Real-world targets
- 47. Lessons learned Secure is a verb, not an adjective. Anything that can happen, will. Don’t create new parser or new crypto, unless you need to. Invent new things!
- 48. Lessons learned (practical tips) Tools for testing, monitoring. Memory safe languages / features Contribute to open source dependencies
- 49. Checklists are an anti-pattern. github.com/cncf/sig-security before-you-ship.18f.gov/security bestpractices.coreinfrastructure.org @ultrasaurus