THE YEAR IN WEB SECURITY

Billy Conn

Sr Architect, EdgeTheory

HEARTBLEED

April 2014

A bug in OpenSSL's implementation of the TLS heartbeat extension

Who it affected

  • Gmail
  • Akamai
  • AWS
  • GitHub
  • Stripe
  • Wikipedia
  • Reddit
  • Yahoo

1% of sites still vulnerable as of Nov 1

What it affected

Both servers and clients were vulnerable

  • McAfee
  • Cisco
  • Steam
  • LastPass

TLS Heartbeat

1) Send 5 bytes: "ABCDE"

2) Server responds with "ABCDE"

The Heartbleed Bug

1) If you're still there, send me these 65535 bytes back: "ABCDE"

The server never checks that you're not requesting more back than you sent!

2) Server responds with "ABCDE ... Hunter2" - 64k of potentially decrypted bytes

hbtype = *p++;            /* 1 byte: heartbeat message type */
n2s(p, payload);          /* 2 bytes: payload length, taken from the peer as-is */
pl = p;                   /* payload starts here */

…

*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);         /* echo back the claimed length */
memcpy(bp, pl, payload);  /* copies 'payload' bytes: never checked against the record's real length */
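The exchange and the snippet above hinge on one missing comparison: the 16-bit length the peer claims is never compared with the number of bytes that actually arrived in the record. The handler below is an added example, constructed for this page and not OpenSSL's code. It models the same record layout (type, 2-byte length, payload, padding) and adds the two length checks, modelled on the shape of the fix OpenSSL shipped in April 2014, that bound the memcpy. The names `handle_heartbeat` and `make_request` and the 16-byte minimum padding (the RFC 6520 requirement) are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a TLS heartbeat record (not OpenSSL's structures):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding (RFC 6520)
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Equivalents of OpenSSL's n2s/s2n: read or write a 16-bit big-endian length. */
static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}
static void write_u16(unsigned char *p, uint16_t v) {
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)(v & 0xff);
}

/* Build the heartbeat response for the request record rec[0..rec_len).
 * Returns the number of bytes written to out, or -1 if the record must be
 * silently dropped. The two length checks are what the original code lacked:
 * the claimed payload length is validated against the bytes actually
 * received before anything is copied. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    /* Check 1: type, length field and minimum padding must all be present. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;

    unsigned char hbtype = rec[0];
    uint16_t payload = read_u16(rec + 1);   /* peer-controlled claim */
    const unsigned char *pl = rec + 3;

    /* Check 2: the claimed payload plus padding must fit inside the record.
     * Without this, the memcpy below would read 'payload' bytes past the
     * request and echo whatever process memory follows it. */
    if ((size_t)1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return -1;   /* only requests get a reply */

    size_t resp_len = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    write_u16(bp, payload);
    bp += 2;
    memcpy(bp, pl, payload);          /* now bounded by rec_len */
    bp += payload;
    memset(bp, 0, HB_MIN_PADDING);    /* padding (random bytes in real TLS) */
    return (int)resp_len;
}

/* Test helper: build a request whose length field claims 'claimed' bytes
 * but which actually carries only strlen(payload) bytes plus padding. */
size_t make_request(unsigned char *buf, uint16_t claimed,
                    const char *payload, size_t padding)
{
    buf[0] = HB_REQUEST;
    write_u16(buf + 1, claimed);
    size_t n = strlen(payload);
    memcpy(buf + 3, payload, n);
    memset(buf + 3 + n, 0, padding);
    return 3 + n + padding;
}

int main(void) {
    unsigned char req[128], resp[128];

    /* Honest request: claims 5 bytes, sends 5 bytes. */
    size_t len = make_request(req, 5, "ABCDE", 16);
    int r = handle_heartbeat(req, len, resp, sizeof resp);
    printf("honest request   -> %d bytes, payload %.5s\n", r, resp + 3);

    /* Over-claiming request: claims 65535 bytes, sends 5. Dropped. */
    len = make_request(req, 65535, "ABCDE", 16);
    r = handle_heartbeat(req, len, resp, sizeof resp);
    printf("65535-byte claim -> %d (dropped)\n", r);
    return 0;
}
```

The second check is the whole fix: everything else in the handler is the same echo the original performed. The unit test that would have caught the bug is the second case in `main`, a record whose length field disagrees with its actual size, which is exactly the kind of test the "Lack of testing" slide refers to.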

Causes

  1. Hard-to-maintain code
  2. Lack of testing

Takeaways

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

SHELLSHOCK

Introduced Sep 1989

Disclosed Sep 2014

different vulnerabilities

Who it affected

Tools

  1. CGI/FastCGI-based web applications

  2. OpenSSH

  3. DHCP

  4. CUPS

  5. Oracle products

  6. Cisco products

"I don't use bash"

  1. /bin/sh emulation
  2. busybox
  3. "system"

Unknown number of machines still affected
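Why "I don't use bash" is not a defence: `system(3)` runs the command through `/bin/sh -c` and hands that shell the caller's entire environment, so wherever `/bin/sh` is bash, or a shell emulating it, every variable the process inherited reaches the shell, including the `HTTP_*` variables a CGI front end builds from request headers. Patching bash is the fix; a secondary control is to spawn children with an allow-listed environment instead of calling `system()`. The code below is an added example and is not from the talk; `build_clean_env`, `run_with_clean_env`, `free_env` and the sample environment are constructed here.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <spawn.h>
#include <sys/wait.h>

extern char **environ;

/* Return 1 if entry ("NAME=value") names a variable on the allow-list.
 * The comparison is on the full name, so "PATHX" does not match "PATH". */
static int allowed(const char *entry, const char *const *allow, size_t n_allow) {
    const char *eq = strchr(entry, '=');
    size_t name_len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < n_allow; i++) {
        if (strlen(allow[i]) == name_len && memcmp(allow[i], entry, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Copy only allow-listed variables out of env into a new NULL-terminated
 * array. Everything else, e.g. HTTP_USER_AGENT set from a request header,
 * is dropped regardless of its value. Caller frees with free_env(). */
char **build_clean_env(char *const *env, const char *const *allow,
                       size_t n_allow, size_t *kept)
{
    size_t n = 0;
    while (env[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (allowed(env[i], allow, n_allow))
            out[k++] = strdup(env[i]);
    out[k] = NULL;
    if (kept) *kept = k;
    return out;
}

void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* Run argv[0] with only the allow-listed part of this process's environment.
 * Unlike system(), no shell is involved and nothing untrusted is inherited.
 * Returns the child's exit status, or -1 on spawn failure. */
int run_with_clean_env(char *const argv[], const char *const *allow, size_t n_allow) {
    char **env = build_clean_env(environ, allow, n_allow, NULL);
    if (!env) return -1;
    pid_t pid;
    int rc = posix_spawnp(&pid, argv[0], NULL, NULL, argv, env);
    free_env(env);
    if (rc != 0) return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed allow-list: the child gets PATH and LANG, nothing else. */
    const char *const allow[] = { "PATH", "LANG" };
    /* 'env' prints the environment the child actually receives. */
    char *const argv[] = { "env", NULL };
    int rc = run_with_clean_env(argv, allow, 2);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The allow-list is the point: a deny-list of known-bad variable names or values would have to anticipate every vector on the "Who it affected" slide, whereas a child that only ever sees the handful of variables it needs has nothing to be poisoned with.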

Causes

  1. Rarely used feature
  2. Poorly thought-out implementation
  3. Ignored "best practices"
  4. Lack of documentation

Takeaways

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

Heartbleed vs. Shellshock

DETECTION

Heartbleed

  • Impossible to detect initial usage
  • Once vulnerability is closed no further technical consequences.

Shellshock

  • Hard to detect initial usage
  • Very hard to ensure no ongoing consequences
  • Machine can be compromised indefinitely without symptoms.

RESOLUTION

Heartbleed

  • Easy to resolve:

    1. Upgrade OpenSSL
    2. Reissue
    3. Restart

Shellshock

  • Hard to resolve:
    1. Upgrade Bash
    2. Hope your server hasn't been compromised
  • OR
    1. Wipe Server

ATTACK VECTORS

Heartbleed

  • Small number of individual attack vectors
  • Widely deployed and easy to attack

Shellshock

  • Large number of attack vectors
  • Varying degrees of difficulty to attack and varying levels of deployment

TAKEAWAYS

Heartbleed / Shellshock

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

SECURITY:

When you do it right, everyone feels like you're just wasting time.


When you do it wrong, every problem is your fault.

The Year in Web Security

Billy Conn's 11-25-2014 presentation to the Jackson Area Web Developer's Group (JAWAD) on Web Security. Discussion of Heartbleed, ShellShock and Poodle.