Zombies in your Pipeline

Presenter:

Andy Lewis

Transcript:

Track presentation of the evening. This is Andy Lewis. He is going to be presenting Zombies in your Pipeline. And I have forgotten my clipboard, so I forget. Well, with ReversingLabs, because I could see the logos that was.


Or I can figure out how this thing works and talk into it. How about that? All right. All right, gang, so, we are hiring. This is Zombies in your Pipeline. Hope that's what you thought you were here to see. There will be a couple times where I stop and ask you if you want to leave and encourage you to do so if you want to leave.


But this isn't one of them. This is where we want to be. This is what we're going to be talking about. We are hiring. We're over at table 120. So stop by. If you think one of these applies to you, why would you want to work for us? We are frickin' badass at malware, right? Anti-malware.


That's why you want to work for us. Or because Wally is a personal friend of mine. So the. If you. If that's not good enough for you, we will be having a happy hour after this. I'm pretty sure we could squeeze in all of you. So, you know, if you want to come, come on down. But you get to stop by the table first to get, like, a wristband or something.


All right. All right. Who's going to be at the happy hour? Is there anybody anybody familiar with Jason Haddix? Anybody know who that guy is? So if you think you want to be a pen tester, you. And you're in Houston, Texas, you probably want to know that guy. And you probably want to learn something about his company.


All right. So that's Jason Haddix. He'll be there. There. I've been told that he'll be raffling off free passes for training. And so if you're a pen tester or somebody who wants to be a pen tester, that is the right place to be. You will get a good start. All right. Okay. Who am I? A guess who am I?


Never mind. I'm Andy Lewis. I'm a born-again former United States Marine. So if you feel like you are where somebody dropped a revival tent into Marine boot camp, you're probably in the right place. That's where we are. Try and keep energy in this. I'm sensitive that we're at the end of the day. I've done a whole bunch of stuff, and now I'm a solutions architect with these guys.


ReversingLabs. Those are my bees to the right. Anybody else a beekeeper in here? Yeah. They make honey. It's good. So that's who's talking to you. But it's all me, right? I'm not speaking on behalf of ReversingLabs or Yukon or West or anybody else. This is all me. Right. So works for me. Who are we talking to today?


You know, when I was a little kid, we go to the beach, and until you learn how to time it, you can absolutely get kicked on your butt by waves. There's a wave coming. We're going to. We're going to use a zombie metaphor to talk about it. But. But there's a wave coming, and the ripples have already started.


So, whether or not you believe in zombies will be talking to you. So, how many of you in here have anything to do with developing software? Okay. You write all your own libraries, right? You never pull anything down from the internet, right? Nobody pulls anything down from the internet that only happens on TV, I think, right in the movies.


All right, well, look, when you're working with your security team, what are they concerned about? Primarily for those libraries you're pulling down? Usually it's vulnerabilities, right? Well, what's going on out there? Well, what's worse than vulnerabilities? Hey, how about it's totally backdoored?


That's worse. Right? How about it's something that actively attacks you or your customers? That sounds worse too. So this is kind of a harbinger of the wave that's coming. But let's go ahead and take it back and let's talk about xz. Is there anybody that doesn't know what xz is? Okay, good. All right. Let's start with what is the internet?


Have you all seen anybody who's never seen this diagram before? Okay. What is this thing showing? So here's all of your modern digital infrastructure. And here's some guy named Bob that writes a library that everything else depends on. Is there anybody that didn't know that? What's going on right now? Today? Every day of the week. That's what's going on, right?


They might not be Bob, but where were you in 2009? There's a lot of stuff going on, right? You know, the other thing that was there was, I think the Miracle on the Hudson was 2009. Also, if you remember that. But some guy named Lasse Collin got a new hobby in 2009. I bet you guys that are, you know, tuned into foreshadowing stuff like that know what's coming.


Who's Lasse Collin? Remember this? This is Lasse Collin. He got a new hobby in 2009. What did he make? He made a thing called xz-utils. And what's important about that? Well, xz-utils is Lasse Collin's hobby. What rides on it? All of the security built into Linux for SSH and several other functions. So if you're a smart guy, what would be a better thing to trojan, SSH binaries or something upstream?


Maybe something upstream. So this is Lasse Collin's hobby, and everything's great. But if you want, just think about it like this. What's going to happen in February? In February? It's party time. And xz is the piñata. That's what's going to happen. All right. So who knows this guy's name? Chen Zhaojun. Does that ring a bell with anybody?


Who is that guy? Okay, look, in the modern internet and whatever, here in this century, there are some heroes. This is a guy you probably haven't heard of, but he's a Chinese guy that discovered that there is a frickin' problem with Log4j. And put everything he had on the line to announce it. That's who this guy is.


So, you know, there are a lot of us that had very bad days in conjunction with Log4j. But as far as I know, there's only one guy who knew going in that his life was going to get worse if he made other people's lives better. That's who this guy is for Log4j. So what happened with xz?


Remember, everything that depends on xz.


Hey, there's some guy named Andres. What's going on with Andres? Hey. Hey, guys. I did an update, and it seems like there's malware in this thing. So if you're running on this new code, you should probably get off of it. So, once again, the internet is saved by how many guys? One. Why? Because his computer was acting up.


All right, well, that's funny. All right, well, remember, everybody today started out normal. Andres, right. But Lasse Collin, remember, he's had this hobby since 2009. And remember that xz underpins every Linux distribution.


Might be some pressure there. So he's having some weird days. And what does weird look like?


He ain't handling the pressure. That's what weird looks like. Now I don't want to see anybody's hand, but I know that I have taken advantage of open source libraries for decades, and I have never once thought about who might be getting their butt kicked every day by the stuff I'm using and the pressure that's on them. But here's Lasse Collin.


Hey, you know, I'm having this mental health issue, but it might be okay because there's this guy named Jia Tan who says he wants to help. So let's talk about how he helps. So here's Lasse, right? This guy Jia Tan, he starts to just throw stuff onto the mailing list like, hey, here's something you might want to go ahead and put into your next release.


It'll fix this problem. Which developer doesn't want that? That's what I want, right? That's what I want. If somebody is going to help me when the rest of the world is telling me about the bugs in the thing that I'm writing for free since 2009 and somebody wants to help me, what's going to happen? Hey, thanks.


But, you know, let's kind of be careful. Oh, wait. You know, I kind of wanted to be careful, but then these two zombies showed up and started to email and say, hey, you guys need to start doing releases faster, and you need to let this guy Jia Tan do more stuff. So here's Lasse Collin, guy's already under pressure.


He's already having issues dealing with it. Here's Jia Tan, whoever the guy is. And here are these two phantom dudes. Never been seen on the internet before. Never seen again. Saying, hey, speed it up. So what are you going to do if you're Lasse Collin? Yeah. You know this Jia Tan guy? Let's go ahead and start committing some of your stuff.


Y'all see this diagram? So you see. Okay, so there's a mailing list where I'm going to maybe put code snippets. And then there's the repo. And what's to the right of the repo? Some non-trivial Linux distros. Right. So okay. So here I am. I'm a nice guy. You need help. I'm here to help. Sort of.


Sorta. Now, before you were a developer, most of the people in this room were probably creative people. Some of y'all are actually probably pretty patient. Is there anybody in this room that is going to go ahead and work two years to get into a project that underpins the entire internet, to get a backdoor anywhere they want? I'm not that guy.


I'm not that patient. But this guy is. So how close did we get? So let's talk about what the impact is. What's a normal day? Normal day is a user with their SSH client logs into a system via SSH. Everything's great. Everything's secure. Everything's encrypted. What happens if you get that wrong? xz package. Let's head back to our city, man.


Right. Log in. What? Well, so this is. This is the impact. Think about this being all over the internet. Now think about this.


He made a commit. The commit went into the build distro process. Fortunately, it got into the beta code. And no farther. Imagine. Remember that whole thing about the internet rides on this one project? Now think about the security implications of that. But this is how close we came. Right. One guy. One guy saved the internet again. Volunteers.


Anybody want to save the internet next time? All right. So let's talk about how do we know. This is really hard. This is really hard. So when we start talking about detecting it or killing it, I just like that image. Guys, that was fun. So that's why that's in there. But you know, one of the smartest guys on the planet is our chief software architect.


And we were talking about this when it was breaking and he's like, look, we've talked about this before. Insider jobs are very subtle and very difficult to detect. Can anybody say why? Anybody say why?


Well, how do you know it wasn't intentional, right? It's an insider that did that commit. Okay. Well, let's talk about finding it. All right. So in all the zombie movies, I want you to have a picture in your mind when the outbreak is starting. How do you know? Because you see, this dead body started to twitch, right?


Right. Or there's a breath that's wrong. There's something that's wrong. What does that twitch look like here?


One thing that Jia Tan had to do to actually get the malware distributed: he had to reduce the security posture of the package. That's the subtle signal. That's the twitch. That's how you know the zombie is coming alive. All right. So what does that look like? Well, you know.


It looks like something that's too subtle for you to detect. So if you're our chief software architect, what do you do? You build a rule around it that says, hey, if I understand this and this and this and this, when I'm assessing a package, I bet you I can find an attack just like that, by the way, because copycats exist.


I bet you there's going to be one. So we built a rule, right? And how does it work? So remember the difference is what was detectable, right? So by itself, what's it look like? This is again a reason why inside jobs are so hard to detect. Because by itself, it looks like. What? Just another code commit. And you can bet there's language, you know, comments around it saying, oh yeah, I'm doing this because they're great.


So then we go from this thing which is very subtle to something that is in your face to detect it, right. Because we're observing trends. What do you need when you're going to fight zombies?


What happens to zombies? Zombies. They exponentially grow, right? There are more zombies today than there were yesterday. Twice as much. Four times as much. Times as much. 16 times as much. What do you need to fight? Zombies. You need an army. How do you build an army? The problem is not going away. The zombie army is being built.


It is out there today, right? 1,300% increase in malicious open source packages. So it's malicious. Remember that initial graphic: malicious is worse than vulnerable, right? Yeah. Yeah. So big increase. Who's starting the army? Is anybody a member of these guys? Yeah. This is where your army starts again. Think about all the open source that you've consumed or added over the years without caring about who's behind it.


I can tell you that having worked with developers, the majority of people that are developing packages, is security their number one concern? Or somewhere back? Further back. Yeah. So for these guys, this is their mission. Open source security. So let's talk about giving them the tools they need. So, is there anybody who's not familiar with the Enduring Security Framework?


Anyone? ESF. Okay. So Google for it. Take a look there. Actually, it's kind of good. It's good. It's good guidance. So they lay out, hey, how does this thing work? Usually. Well, if you've ever written code, you know how it works. You fetch a library, you don't really care much about it, and you're there. And by the way, you need to fetch that updated library, and Log4j kind of proved that, right?


So, okay, if you're going to secure it, what are you going to do if you're going to make sure that there's not zombies in it? There's an update available. You see that intermediate repo. Is anybody doing that in here? Is anybody downloading and staging libraries before they get pulled by developers? That would be the thing to do, right?


Why would you do that? The reason you would do that is because you can do those tests looking for the zombies before you put it someplace where you want your developers to use it, which is that secure repo, because then we're good. Right. So that's how to get through this. Any questions about that? You guys are like, overwhelmed by the obvious, right?


Okay. All right. So what's happened since then?


Remember, last year, Lasse Collin was having mental health issues, and he knows the whole internet almost burned to the ground because of his project. How many people are helping him now? Two dozen. You think that's better or worse for his mental health? Hey, you be the judge. The only question is, which one of them is a zombie? There's this guy in Austin, Texas.


That's it. All right, well, I hope that was kind of a fun story for you. Doesn't matter, because I'm done. Any questions?


Okay. If there are any questions. Thanks. And don't forget. Swing by the table and get your ticket. Or get your, bracelet for coming to the happy hour. So anything else? Anything I missed. All right. Yes, sir. You know, you're right.


I don't necessarily want you to engage in speculation, although that might be fun. What was. Did anybody find out who. What was the guy? Ted. And did anybody. I mean, there's an obvious implication as to who's behind it, but was there any ground truth? I agree with you that there are obvious implications, and there are a lot of assumptions that can be made.


I'm not aware of anybody that did positive attribution. Yes. So sorry. That. Which is why this. Now we've got two dozen contributors. That's part of what makes that fun. Which one of those came from where Jia Tan came from? Right. So good question. I have a question regarding your components slide. In the middle of that, you mentioned the SBOM.


Yeah. So, I think still many companies are trying to adapt to one form or another format of SBOM. But then do you really think from your perspective that SBOM would be the silver bullet for such issues to be identified and remediated? So the question is, do I think the SBOM would be a silver bullet for such issues as your question right now?


Yeah. Zombies. Silver bullets. What is the SBOM? So swing by the table. I've got a sticker for you that will show you what it is. It's a list of ingredients. Which list of ingredients? When you think about it, when you buy a box of cereal that has cyanide in it on purpose, that's in the ingredients list too.


There isn't really a warning that says, oh, by the way, this one could kill you. Government says it's got to be in the ingredients list. So it's in the ingredients list, right? The way the SBOM is important, right, because right now, if you remember, Log4j could tell you where it was, including people releasing software.


Is it in your stuff? I'm pretty sure it is. Is it the vulnerable version? I'll get back to you. That is the answer the SBOM gets you, right. So, SBOM by itself, it's not the silver bullet at all. Does that help? Okay. Thank you. Here we go. Thanks for the presentation.


I think that was awesome. Awesome insight. So you talked a lot about, you know, the dangers in things like executable and other open source software. If there is, is there anything out there to help us? If is there a place where people can go to find secure, open source or any anything that this is, is asking the question, right?


It doesn't matter who's asking. Is there anything to help for people out there consuming open source? Right. Because a lot of that is in stuff in software. Is there a place they could go to get vetted or analyzed, secure open source? So, guys, you know, I can't sell you anything during this talk. So I'm going to tell you about our community site.


Right. So if you go to secure.software, you can drop in and you can say, okay, I'm an npm developer and I want to know if this library is safe. So you can just drop in, write your library name that you want to search on, and you're good. So, Sasha, does that answer your question? Yeah. Got some security outside for it, not security.


Safaricom's security software. So it doesn't cost anything. And does it cost anything? Nope. $0. Now if you want to know more, obviously we want to talk to you about knowing more. But if you want to know right now, today, is this npm module going to attack me? And you don't have budget for anything else other than to browse, go to secure.software.


Put in the npm module that you're concerned about. You'll see a couple of things that are kind of important, like a demo it for you. The things that matter. You'll see all the versions and the histories. You'll see a verdict about how often it's downloaded. So for example, in npm there's a library called cookie.


Do I need to just talk louder? I guess I do. Switch. Okay. Thanks, Bob. Yeah. So, look, the number one library is cookie, and it's one of the top ten libraries on npm. So if your developers are using J cookie to do what cookie could do for you, why? What does J cookie bring to the table? A cookie does.


And also if you look on secure.software, what you'll see are histories of libraries that, hey, you know what? This thing has been trojaned since it was released. So if it's anywhere in your environment, you are trojaned. Your release is trojaned. So good question. Thank you. Any other questions? Okay. Well, gang, thank you very much. It's been a lot of fun, Bob.


Thank you. Appreciate the help. And, hopefully swing by the table. Hopefully we'll see you tonight.
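The staging-repo flow the talk recommends (fetch the library into an intermediate repo, test it there, and only then put it where developers pull from), together with the two checks the talk motivates, a new version that lowers the package's own security posture and an SBOM that records what went in without saying whether it is safe, written out as an added example. This is not code from the talk or from ReversingLabs; the package names, the bytes standing in for archives, the lockfile layout and the substring "scan" are all constructed stand-ins for whatever real scanner sits in that intermediate repo.

```python
"""Quarantine-then-promote gate for third-party libraries (added example).

Models the ESF-style flow from the talk: a library update lands in an
intermediate (staging) repository, is checked there, and only then is
copied into the internal repository developers resolve against.
Everything here is constructed: names, archive bytes, and the scan heuristic.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed markers standing in for the "twitch" the talk describes: a new
# version that lowers the package's own security posture. A real scanner does
# far more than substring matching; this only shows the shape of the check.
SUSPICIOUS_BUILD_MARKERS = (b"-fno-stack-protector", b"DISABLE_SANDBOX")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_artifact(data: bytes) -> list:
    """Stand-in scan: return a list of findings, empty when nothing was found."""
    return [
        "build hardening reduced: " + marker.decode()
        for marker in SUSPICIOUS_BUILD_MARKERS
        if marker in data
    ]


def gate(name: str, version: str, data: bytes, lockfile: dict) -> dict:
    """Decide whether a staged artifact may enter the secure repository.

    lockfile maps name -> version -> pinned sha256. A version seen before must
    match its pin (re-published bytes are a red flag); a new version is allowed
    only when the scan is clean, and it is pinned on promotion.
    """
    digest = sha256_bytes(data)
    pinned = lockfile.get(name, {}).get(version)
    if pinned is not None and pinned != digest:
        return {"promote": False, "reason": "digest mismatch with pinned value", "sha256": digest}
    findings = scan_artifact(data)
    if findings:
        return {"promote": False, "reason": "; ".join(findings), "sha256": digest}
    return {"promote": True, "reason": "clean", "sha256": digest}


def promote(staging_dir: str, secure_dir: str, name: str, version: str, lockfile: dict) -> dict:
    """Run the gate on staging/<name>-<version>.tgz and copy it across if it passes."""
    filename = f"{name}-{version}.tgz"
    with open(os.path.join(staging_dir, filename), "rb") as fh:
        data = fh.read()
    decision = gate(name, version, data, lockfile)
    if decision["promote"]:
        os.makedirs(secure_dir, exist_ok=True)
        shutil.copy2(os.path.join(staging_dir, filename), os.path.join(secure_dir, filename))
        lockfile.setdefault(name, {})[version] = decision["sha256"]
        # SBOM-style ingredient record: it says what went in, not whether it is
        # safe, which is exactly the limit the talk puts on SBOMs.
        decision["sbom_component"] = {
            "name": name,
            "version": version,
            "hashes": [{"alg": "SHA-256", "content": decision["sha256"]}],
        }
    return decision


def demo() -> dict:
    """Stage three constructed artifacts and run them through the gate."""
    root = tempfile.mkdtemp()
    staging, secure = os.path.join(root, "staging"), os.path.join(root, "secure")
    os.makedirs(staging)
    lockfile = {}

    def stage(version: str, body: bytes) -> None:
        with open(os.path.join(staging, f"fake-lib-{version}.tgz"), "wb") as fh:
            fh.write(body)

    stage("1.0.0", b"fake-lib 1.0.0\nconfigure: -fstack-protector-strong\n")
    first = promote(staging, secure, "fake-lib", "1.0.0", lockfile)

    # "Update available": the new version quietly drops a hardening flag.
    stage("1.0.1", b"fake-lib 1.0.1\nconfigure: -fno-stack-protector\n")
    update = promote(staging, secure, "fake-lib", "1.0.1", lockfile)

    # Same version number re-published with different bytes: the pin no longer matches.
    stage("1.0.0", b"fake-lib 1.0.0\nconfigure: -fstack-protector-strong\n# rebuilt\n")
    republished = promote(staging, secure, "fake-lib", "1.0.0", lockfile)

    return {
        "first": first,
        "update": update,
        "republished": republished,
        "secure_repo": sorted(os.listdir(secure)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` promotes only the clean 1.0.0 into the secure repo: the 1.0.1 update is held in staging because it reduces the build's hardening, and the re-published 1.0.0 is held because its digest no longer matches the pin recorded at first promotion. The SBOM entry is written only for what was promoted, and it records a hash and a version, not a verdict.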
