[devnexus 2024] More tales from the Dark Side: How AI is the bad guys' new friend

Speaker: Steve Poole

@spoole167

For more, see the 2024 DevNexus Blog Table of Contents


General

  • Supply chain
  • Now we are all attack vectors

Wifi

  • We also use wifi
  • How many use VPN?
  • Easy to spoof wifi
  • Only need battery, raspberry pi and a few more things
  • Would you notice a box on the wall?

Charger

  • Plug in Mac laptop charger at conference
  • If leave unattended, someone could add hardware
  • Any USB port has this problem
  • USB data cables and power-only cables look the same

Hotel rooms

  • Hidden camera
  • In some countries during the Cold War, human choreography was used to influence where people sat
  • Becoming more common
  • More people are now a pass-through into the company

Phishing

  • Getting better
  • More targeting. Attackers can know how the company does things, or know the boss's name
  • Phishing -> Spear Phishing -> Personalized Attacks
  • Moving towards more organized and long term attacks

Adding AI

Bad things can do

  • Deepfake nude generator
  • Deepfake phishing grew by three thousand percent in 2023

Why now

  • Not hard to do a reasonable fake. A USB accelerator is sixty bucks
  • Huggingface.co has lots of models
  • Models and data are available to you and to the bad guys

Other problems

How to protect

  • Paper on identifying mouth inconsistencies for lip syncing
  • Text/numbers wrong
  • Find anomalies from lack of training data – this is going to be an arms race. Once the AI knows what it got wrong, it can do better next time.
  • Be more suspicious
  • Secure supply chain – all the pieces involved in creating and delivering software
  • Control AI tools in process
  • Look at where models came from and decide if safe. You will have to prove where you got them from
  • Consider how you train AI and when you retrain it
  • Government wants an SBOM, automated supply chain, evidence of software integrity and regular audits
  • SBOMs (software bills of materials) don't find malicious code but ensure you know what you have

My take

Demos were great. Security has changed a lot. Good emphasis on depending on how much money you spend on it. It's scary, but supposed to be. Need to think about what else I can do in my own life.

Someone challenged saying the grandparent scam sounds fake and nothing like the person. Steve didn't get to reply, but it's not a fair analogy. The grandparent scam isn't targeting (at least not much). Someone targeting you specifically will have audio/video of you to base it off of. And then we are back to the 7 seconds is enough.

[2023 kcdc] cve 101: the unfolding of a zero day attack

Speaker: Theresa Mammarella

Twitter: @t_mammarella

For more, see the table of contents.


Notes

  • Annual cost of cyber crime predicted to top 8 trillion. Only the US and China have more than that as GDP

Terminology

  • Vulnerability – weakness/flaw in system
  • Threat – attack vector, potential action
  • Risk – probable frequency of that loss
  • Goal of cybersecurity is to minimize risk. Can't control intent to do harm, so focus on vulnerability

CVEs

  • CVE – Common Vulnerabilities and Exposures
  • Format CVE-xxxx-yyyyy. xxxx = year it came out. yyyyy = identifier
  • CVSS scoring – how bad is it on a scale of 0-10. Ten is worst
  • CVSS score has three parts – basic (exploitability, impact), temporal, environmental. Good description here
  • Basic is the one we see on the CVE
  • CVE can be rejected. The number is used and cannot be reused. Example: someone thought they found a vulnerability. The investigation was flawed and it was not an actual issue. Story about it here.

How to talk about

  • Private disclosure – organization can choose when/whether to fix/share
  • Coordinated/responsible disclosure – best practice – agreed upon time frame
  • Full/public disclosure – share everything
  • Best to report via company website, security.md file, security files on server, github private vulnerability reporting

Zero day vulnerability

Examples

  • Log4Shell – remote code loading. Was reported responsibly, but the fix was incomplete, so there were zero days on those CVEs
  • Could be as simple as a bounds check (the OpenSSL example). Announced something big was coming and to get ready. When announced, learned it only affected OpenSSL 3 (not 2) and was high, not critical, so a boy-who-cried-wolf situation.

Security Practices for Developers

  • Insider threat includes poor training
  • A lot more developers than info security. Increasingly harder for security teams to keep up.
  • Cost of finding and fixing bugs increases over time
  • Does this touch the internet? take untrusted input/ handle sensitive data?
  • OWASP Top 10. Updated in 2021 to add insecure design, software/data integrity failures and server side request forgery (SSRF). Some merged such as injection.
  • Starting OWASP Top 10 for Large Language Model Applications. A draft version is available
  • mitre/hipcheck – scorecard for supply chain risk. Similarly, Sonatype security rating and OpenSSF Scorecard
  • Open source dependency management. Embedded in many projects. 90% of an app is open source on average. North Korea attacked many apps including PuTTY

Attack types

  • Typosquatting – look alike domain with one or two wrong characters
  • Open source repo attacks – attempt to get malware/weakness added into dependency source
  • Build tool attacks
  • Dependency confusion – different version that shows up as latest
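The talk describes typosquatting as a look-alike name with one or two wrong characters. As an added example (not from the talk or the author's post), here is a small Java check that generalizes the same idea from domains to dependency names: it computes the edit distance between each name in a manifest and a trusted list, and flags near misses for review. The trusted list and the manifest are constructed sample data; the helper names are my own.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class TyposquatCheck {

    // Constructed allow-list: dependencies the project already trusts.
    static final List<String> KNOWN = List.of("lodash", "requests", "commons-io", "jackson-databind");

    // Levenshtein edit distance: insert, delete and substitute each cost 1.
    static int editDistance(String a, String b) {
        int[] prev = new int[b.length() + 1];
        int[] cur = new int[b.length() + 1];
        for (int j = 0; j <= b.length(); j++) prev[j] = j;
        for (int i = 1; i <= a.length(); i++) {
            cur[0] = i;
            for (int j = 1; j <= b.length(); j++) {
                int cost = a.charAt(i - 1) == b.charAt(j - 1) ? 0 : 1;
                cur[j] = Math.min(Math.min(cur[j - 1] + 1, prev[j] + 1), prev[j - 1] + cost);
            }
            int[] t = prev; prev = cur; cur = t;
        }
        return prev[b.length()];
    }

    // Returns the trusted name a candidate is suspiciously close to (1 or 2 edits away,
    // but not identical), or null when the candidate is either exact or unrelated.
    static String nearMiss(String candidate) {
        String best = null;
        int bestDist = Integer.MAX_VALUE;
        for (String known : KNOWN) {
            int d = editDistance(candidate.toLowerCase(), known);
            if (d > 0 && d <= 2 && d < bestDist) {
                best = known;
                bestDist = d;
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // Constructed manifest: three real names and two look-alikes.
        List<String> manifest = List.of("lodash", "lodahs", "requests", "requets", "commons-io");
        Map<String, String> flagged = new LinkedHashMap<>();
        for (String dep : manifest) {
            String near = nearMiss(dep);
            if (near != null) flagged.put(dep, near);
        }
        // Expected: lodahs -> lodash (2 edits), requets -> requests (1 edit)
        flagged.forEach((dep, near) ->
                System.out.println("review: '" + dep + "' is within 2 edits of trusted '" + near + "'"));
    }
}
```

A flag here is a prompt for a human to look at the package's publisher and history, not proof of malice; exact matches pass because they are the trusted names themselves.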

Trust?

  • Sometimes third party projects. ex: OpenSSF Scorecard
  • NPM and PyPI often have supply chain attacks. Maven Central more so
  • Scanning tools to find issues can be helpful
  • You are responsible when things go wrong

My take

Good talk. Covered concepts and good real life examples. I learned a few things like the OWASP Top 10 for LLMs. Appreciated the shout out to “the Java people in the front row” when talking about log4j. I added a few links in my blog that weren’t in the original presentation for things I wanted to learn more about.

[2022 javaone] deserialization exploits – why should i care?

Speaker: Brian Vermeer

For more see the table of contents

Star Trek

  • Everything in Star Trek could be real. And some tech surpassed
  • Teleportation would be awesome
  • Already have, but for data

Serialization

  • Turn object into data stream.
  • Send to another system or save on disk

Deserialization

  • Basic serialization is easy. Just implement Serializable
  • On deserialization, skips constructor and sets fields directly
  • No hash/checksum. Can change in a hex editor.
  • Man in the middle attack can change data
  • If error reading, get a class cast exception

Libraries

  • Anything in classpath could be in memory. Such as library code that will run code for you
  • HashMap provides a custom readObject implementation
  • ysoserial – gadgets for unsafe deserialization.
  • Libraries with frequent issues: Jackson, Ehcache
  • patching to latest helps fix known things

log4j

  • 17K packages affected
  • 800K attacks in first 72 hours
  • 57% had it as a transitive dependency
  • JNDI looks up and retrieves object
  • If own LDAP server can return any object
  • Then logger calls
  • So passing in the JNDI lookup string can make the app do anything
  • Showed getting an interactive shell to docker container (which is root)

records

  • Does call the constructor on deserialization
  • Opt in – need to implement Serializable
  • Still calls readObject

How to improve when writing custom serialization code

  • ValidatingObjectInputStream – call accept() with expected type before reading
  • ObjectInputFilter.Config.createFilter – allow specific type and deny everything else
  • Setting filter on streams overrides global one.
  • JEP 415 – ObjectInputFilter.Config.setSerialFilterFactory – lets you merge the global and local ones
  • See blog post

JSON and Jackson

  • ObjectMapper has default typing off unless you explicitly enable it
  • With enabled can inject a malicious gadget

YAML

  • Deserialization product, but can read
  • Can create variables (same problem as XML's billion laughs attack). Reference them as *myVarName. Keeps expanding until you run out of heap

XML

  • DOCTYPE entity declarations can read other files; the document references them as &var;
  • On by default on XML Parsers
  • Need to explicitly turn it off

Lessons

  • Do not deserialize data from unknown sources
  • Prevent custom serialization
  • Use filters if still need to do so
  • Understand settings for JSON/XML/YAML
  • Check for insecure defaults
  • Update insecure libraries

Other notes

  • Gadget chain – string of side effects

My take

Good intro to serialization. Sad there is no try-with-resources in the initial write and read examples. The examples were great. Good mix of slides and demos. I'm surprised I've gotten this far without seeing a live log4j demo.