THE YEAR IN
WEB SECURITY
Billy Conn
Sr Architect, EdgeTheory
HEARTBLEED
April 2014
A bug in OpenSSL's implementation of the TLS heartbeat extension
Who it affected
- Gmail
- Akamai
- AWS
- GitHub
- Stripe
- Wikipedia
- Yahoo
1% of sites still vulnerable as of Nov 1
What it affected
Both servers and clients were vulnerable
- McAfee
- Cisco
- Steam
- LastPass
TLS Heartbeat
1) Send 5 bytes: "ABCDE"
2) Server responds with "ABCDE"
The Heartbleed Bug
1) If you're still there, send me these 65535 bytes back: "ABCDE"
The server never checks that you're not requesting more back than you sent!
2) Server responds with "ABCDE ... Hunter2" - 64k of potentially decrypted bytes
hbtype = *p++;              /* 1-byte heartbeat message type */
n2s(p, payload);            /* 16-bit payload length, as declared by the peer */
pl = p;                     /* pointer to the peer's payload bytes */
…
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);           /* echo the declared length */
memcpy(bp, pl, payload);    /* copy 'payload' bytes: the declared length is never compared to the record actually received */
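The exchange on the slides, worked through in code. This is an added example written for this page, not OpenSSL's code and not part of the talk: a miniature heartbeat handler with the same shape as the snippet above (1-byte type, 16-bit length, payload, 16 bytes of padding), once without the record-length check and once with the check that the OpenSSL fix introduced. Constant names, function names and the "neighbouring data" arena are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Constants and names are assumptions. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* 16-bit big-endian length helpers, in the role of OpenSSL's n2s()/s2n(). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* The slide's logic: trust the peer's declared payload length and copy that
 * many bytes back. rec_len is received but never compared against it, so the
 * memcpy reads whatever follows the real record in memory.
 * Returns bytes written to out, or -1 if the response would not fit. */
int heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = rd16(p);
    const uint8_t *pl = p + 2;
    (void)rec_len;                               /* the defect: never consulted */
    if (hbtype != HB_REQUEST) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    uint8_t *bp = out;
    *bp++ = HB_RESPONSE;
    wr16(bp, payload); bp += 2;
    memcpy(bp, pl, payload); bp += payload;      /* the over-read happens here */
    memset(bp, 0, HB_PADDING);
    return (int)need;
}

/* The hardened form: the bounds check the fix added, in the same shape
 * (1 + 2 + payload + 16 must not exceed the received record length). */
int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;                   /* no room for a header */
    uint16_t payload = rd16(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the missing check */
    return heartbeat_unchecked(rec, rec_len, out, out_cap);
}

/* Returns 1 if the NUL-terminated needle occurs within hay. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a 5-byte "ABCDE" request that declares 'claimed'
 * bytes, followed in the same arena by other data, standing in for whatever
 * sat next to the record in a process that reuses its buffers.
 * Returns -1 if the handler rejects the request, 1 if its response carries
 * the neighbouring data, 0 if it echoes only the genuine payload. Claims that
 * would read past the arena are refused (-2) to keep the demo in bounds. */
int demo(uint16_t claimed, int use_check)
{
    static uint8_t arena[64];
    static const char neighbour[] = "password: hunter2";   /* constructed sample */
    uint8_t out[128];
    if ((size_t)3 + claimed > sizeof arena) return -2;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    wr16(arena + 1, claimed);
    memcpy(arena + 3, "ABCDE", 5);
    size_t rec_len = 1 + 2 + 5 + HB_PADDING;              /* the record actually sent */
    memcpy(arena + rec_len, neighbour, sizeof neighbour);
    int n = use_check ? heartbeat_checked(arena, rec_len, out, sizeof out)
                      : heartbeat_unchecked(arena, rec_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out + 3, (size_t)n - 3, neighbour);
}

int main(void)
{
    printf("honest 5-byte request, no check : %d\n", demo(5, 0));   /* 0 */
    printf("claims 40 bytes, no check       : %d\n", demo(40, 0));  /* 1: neighbouring data echoed */
    printf("claims 40 bytes, with check     : %d\n", demo(40, 1));  /* -1: rejected */
    return 0;
}
```

The only difference between the two handlers is the single comparison in heartbeat_checked, which is exactly what the slide's "never checks that you're not requesting more back than you sent" refers to: the declared length is data from the peer and has to be validated against the record that actually arrived before it is used as a copy size.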
Causes
- Hard-to-maintain code
- Lack of testing
Takeaways
- Readability matters
- Testing matters
- Every feature has a cost
- Patch
- NEVER TRUST USER INPUT
SHELLSHOCK
Introduced Sep, 1989
Disclosed Sep, 2014
6 different vulnerabilities
Who it affected
Tools
- CGI/FastCGI-based web applications
- OpenSSH
- DHCP
- CUPS
- Oracle products
- Cisco products
"I don't use bash"
- /bin/sh emulation
- busybox
- "system"
Unknown number of machines still affected
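A small inventory check for the "I don't use bash" point above. This is an added example, not from the talk: a POSIX sh script that reports what /bin/sh really is (which is what system(3) and popen(3) run), whether a given interpreter is bash or something emulating it closely enough to set BASH_VERSION, and whether busybox is on the PATH. The paths and the use of readlink -f and env -i are conventional assumptions about a Linux-like host.

```sh
#!/bin/sh
# Added example (not from the talk). Assumes a Linux-like host with
# readlink, env and command available; /bin/sh is a conventional path.

# classify_sh PATH: prints "missing" if PATH is not executable, "bash" if
# running it sets BASH_VERSION (bash, or an emulation that mimics it),
# otherwise "not-bash".
classify_sh() {
    path="$1"
    if [ ! -x "$path" ]; then
        echo missing
        return 0
    fi
    # Run with an empty environment so a BASH_VERSION inherited from the
    # calling shell cannot produce a false positive.
    ver=$(env -i "$path" -c 'printf %s "$BASH_VERSION"' 2>/dev/null || true)
    if [ -n "$ver" ]; then
        echo bash
    else
        echo not-bash
    fi
}

# resolve_sh: show where /bin/sh points after following symlinks and what
# that interpreter is. Code calling system() gets this shell, whatever the
# application itself was written in.
resolve_sh() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    echo "/bin/sh -> $target ($(classify_sh /bin/sh))"
}

# busybox_present: prints "busybox" if a busybox binary is on the PATH
# (its ash applet is not bash, but many images point /bin/sh at it, so it
# belongs in the same inventory), else "no".
busybox_present() {
    if command -v busybox >/dev/null 2>&1; then echo busybox; else echo no; fi
}

report() {
    resolve_sh
    echo "bash on PATH: $(classify_sh "$(command -v bash 2>/dev/null || echo /nonexistent)")"
    echo "busybox on PATH: $(busybox_present)"
}

report
```

The point of the check is the one the slide makes: the question is not "do I type bash" but "does anything on this machine end up executing bash", and that includes every program that shells out through /bin/sh.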
Causes
- Rarely used feature
- Poorly thought-out implementation
- Ignored "best practices"
- Lack of documentation
Takeaways
- Readability matters
- Testing matters
- Every feature has a cost
- Patch
- NEVER TRUST USER INPUT
Heartbleed vs. Shellshock
DETECTION
Heartbleed
- Impossible to detect initial usage
- Once the vulnerability is closed, there are no further technical consequences.
Shellshock
- Hard to detect initial usage
- Very hard to ensure no ongoing consequences
- Machine can be compromised indefinitely without symptoms.
RESOLUTION
Heartbleed
- Easy to resolve:
  - Upgrade OpenSSL
  - Reissue
  - Restart
Shellshock
- Hard to resolve:
  - Upgrade Bash
  - Hope your server hasn't been compromised
  OR
  - Wipe Server
ATTACK VECTORS
Heartbleed
- Small number of individual attack vectors
- Widely deployed and easy to attack
Shellshock
- Large number of attack vectors
- Varying degrees of difficulty to attack and varying levels of deployment
TAKEAWAYS
Heartbleed / Shellshock
- Readability matters
- Testing matters
- Every feature has a cost
- Patch
- NEVER TRUST USER INPUT
SECURITY:
When you do it right, everyone feels like you're just wasting time.
When you do it wrong, every problem is your fault.
The Year in Web Security
Billy Conn's 11-25-2014 presentation to the Jackson Area Web Developer's Group (JAWAD) on Web Security. Discussion of Heartbleed, ShellShock and Poodle