OWASP Chicago June 2015
This evening I was at Braintree's office in Chicago for the new edition of the Owasp meeting. The offices were amazing and huge!
They had beer pong tables, ping pong tables, a mini-arcade and a bar! (all that right next to the workspace)
Plenty of nice conference rooms
Some had whiteboard tables!
And in the largest building of Chicago!
1 Trojaned Gems - You can’t tell you’re using one!
Brandon Myers, a security researcher at Trustwave, was the first one to talk. He found out that when you executed
gem fetch or
gem install, the ruby package manager, it would allow a Man In The Middle to do a DNS poisoning attack to redirect you to his servers. Even though everything happens over TLS! This is because
gem doesn't check for the domain in the certificate of
rubygems.org: it just checks that the server has a valid certificate and that's all. You would then download the gem on his server and... game over.
He said that the same thing was happening when developers were pushing their gems to rubygems.org ...
That's a shame, and way worse than the downgrade https attack of go.
One way of mitigating the first MITM would be to just use curl or wget directly with https://www.rubygems.org and do whatever the
gem fetch does to get the gems. Because curl or wget should have a correct implementation of TLS that dodge fake DNS responses (that's why DNSSEC is useless if you query a https webpage with a correctly signed certificate).
To mitigate the second attack Brandon talked about signed gems, and that it was far from being efficient since none of the top gems are signed.
Two other problem were that if a fix comes around,
gem update --system is vulnerable to the attack (since gem is itself a gem) and not using the fully secure gem signing allows some dependencies of not being signed (and thus a MITM would be able to modify those).
2 Attacking and Defending DevOps
Patrick Thomas and Alec Gleason followed by explaining how much they pwned their client with heartbleed, passwords in clear and github hooks. They then explained how you could get more information out of a pwned machine if there was git, vagrant, chef, docker and other non-crypto stuff installed on the machine.
All of this was facilitated by Devops,
a software development method that emphasizes communication, collaboration (information sharing and web service usage), integration, automation, and measurement of cooperation between software developers and other IT professionals.
They said it was still a good thing but if done correctly.
After that I went to Chisec meet some people of the security community!