My key takeaways
- The first trojan was probably implemented in 1983 by Ken Thompson, who invented Unix, C, ...
- He also warned back then: "You can’t trust code that you did not totally create yourself"
- Brand new hardware from the factory can be infected by malicious code as well
- Open source software is also constantly compromised
- Example: a free website counter that enforced a backlink, first to a harmless picture, later switched unnoticed to a malicious JS file
- The WordPress plugin "SEOPressor" also implemented a backdoor
- The creator of PHP is named Rasmus Lerdorf
- A security scan of well-known programming languages revealed:
- Beware of package typosquatting:
- naming a malicious package like a well-known and widely used one, so it gets used if
- the developer makes a typo like "atlas-client" instead of "atlas_client"
- a developer searching a repository like PyPI misspells the name of the package he is looking for
- Roger Grimes was involved in the forensics of the 2011 RSA attack
- He believes the seed for the RSA SecurID token was stolen (Others say nay)
- and used to break into e.g. Lockheed Martin
- Great image of the timeline for the SolarWinds supply chain attack
- 425 of the US Fortune 500 companies have been affected
- described as a teardrop attack, as the malware created a lot of different malicious files over time
- they had some 0-days for Microsoft and VMware products and bypassed MFA as well
- Why are these attacks so hard to detect?
- often implanted in sources you could trust, and have trusted, for a long time before
- malware uses encryption to call home
- Prevention is preferred over detection
- Social engineering (SE) is responsible for 70-90% of breaches
- second is unpatched software
- Best defenses to keep them out:
- mitigate SE
- Patch Internet-accessible software
- Use non-guessable passwords/multifactor authentication (MFA)
- Use least-permissive permissions
- Aggressive monitoring, anomaly detection, and alerting
- Developers should not reuse code they cannot inspect and approve as "backdoor free" <- IMPOV: unrealistic
- Most developers (cough, cough) have accidentally leaked some credentials, e.g. on GitHub
- Run e.g. Process Explorer to inspect what is running on your machine
- Look for anomalies!
- in network traffic
- in processes
- in login attempts
- …
- Do a "heartbeat" test: send a potentially malicious file to a system and watch whether the alert goes off
- if not, inspect why
- Honeypots are probably one of the most underrated and underused deception techniques, according to Roger Grimes
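An added check for the package typosquatting point in the notes above (example code written here, not from the webinar or KnowBe4): it compares each requirement line against an allowlist of trusted package names using PEP 503 name normalisation plus a small edit-distance bound, so spelling variants like the atlas-client/atlas_client case and near-misses such as a transposed letter both get flagged for review before installation. The allowlist and the requirements lines are constructed for this example.

```python
import re

# Constructed allowlist of packages the team has actually reviewed.
KNOWN_PACKAGES = ["requests", "atlas_client", "numpy"]

# Constructed requirements.txt content with two typosquat-style entries.
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "atlas-client            # same letters, different separator",
    "reqeusts",              # transposed letters, edit distance 2
    "numpi>=1.0",            # one substituted letter
    "totally-unrelated",
]

def normalize(name: str) -> str:
    # PEP 503: runs of '-', '_' and '.' collapse to '-', lower-cased.
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    # Classic dynamic-programming edit distance (insert/delete/substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_requirements(requirements, known, max_distance=2):
    """Return {requested_name: (verdict, closest_known_name)} per requirement."""
    known_norm = {normalize(k): k for k in known}
    findings = {}
    for line in requirements:
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        name = re.split(r"[\[<>=!~; ]", line, 1)[0]  # drop extras / version spec
        norm = normalize(name)
        if norm in known_norm:
            verdict = "ok" if name == known_norm[norm] else "spelling-variant"
            findings[name] = (verdict, known_norm[norm])
            continue
        closest = min(known_norm, key=lambda k: levenshtein(norm, k))
        if levenshtein(norm, closest) <= max_distance:
            findings[name] = ("near-miss", known_norm[closest])
        else:
            findings[name] = ("unknown", None)
    return findings

if __name__ == "__main__":
    for pkg, (verdict, hint) in check_requirements(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES).items():
        print(f"{pkg:20} {verdict:17} {hint or ''}")
```

Anything reported as spelling-variant, near-miss or unknown is a candidate for a manual look at the project page before the dependency is installed.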
Env
- Provided by KnowBe4
- Presenter: