Abstract
Chapter 3 sets the scene by exploring some challenges from both a technical and societal viewpoint and contrasts situations against an undertow of cyber-attacks. This chapter investigates various cases of how vulnerabilities originating from the software supply chain can have catastrophic outcomes when weaknesses slip through the net such as unpatched software or software misconfigurations during an organization's software maintenance regime. Examples are provided of high-profile hacks, security breaches, and cyber-attacks undertaken by hackers suspected of being affiliated to foreign states. These case studies provide various salient contexts as well as examples of threats, vulnerabilities, and their resultant impacts; ultimately, the consequence of flaws that create vulnerabilities occur through misconfigurations or from unpatched software weaknesses.
TopBackground
A colleague, who has worked in the cyber security profession for a considerable number of years, provided a view regarding the existing status quo and the ongoing defensive battle to protect oneself against ensuing cyber-attacks. He called this ‘peak cyber.’ ‘Peak cyber’ refers to the legacy vulnerabilities found in code that could top-out in the near future and potentially regress; this is because past weaknesses in code could be phased out due to rigor instilled by agile practices and regimes used as part of Development Operations (DevOps). This view has some credence on the basis that in 2015, 70% of vulnerabilities could be predated to at least 2013, and 44% of security breaches caused by vulnerabilities were at least two to four years old (Dignan, 2015). This was true of the infamous Heartbleed vulnerability (Synopsys Inc, 2019) that had been introduced as far back as 2011. It had the effect of discrediting Open SSL version 3 to the point that bodies such as the Payment Card Industry dropped legacy SSL as an adequate means of encrypting E2E communications in favor of TLS (Man, 2015).
Another offender was the Shellshock bug that, at the time that FireEye identified it in 2014, had been around for two decades. Shellshock was related to the Bourne Again Shell that is used extensively in a multitude of Linux servers connected to the Internet. The wider online adoption of such operating systems made this remotely exploitable vulnerability a serious problem (Lin & Seltzer, 2014). A more recent vulnerability reinforced the point that there are still problems. Dubbed the Mutagen Astronomy Integer Overflow Vulnerability, it resided within the Linux kernel and could enable an unprivileged user to gain superuser privileges. This weakness affected kernels 2.6.x, 3.10.x, and 4.14.x released between 2007 and 2017 and affected Red Hat Enterprise Linux, CentOS, and Debian distributions (Mitre, 2015; Kumar, 2018).
In addition, researchers have found that VxWorks, which is a Unix-like closed Real-Time Operating System (RTOS), has at least eleven vulnerabilities reaching back thirteen years. Industry deploys this RTOS across a variety of equipment ranging from commodity devices to aerospace assets (Khandelwal, 2019a). This has been surmounted by the panic caused by the Bluekeep vulnerability in May 2019. This flaw is associated with the Remote Desktop Services of legacy Microsoft Windows systems going back to Windows XP. Within two months, a weaponized exploit was available to attack unpatched systems (Cimpanu, 2019a). Subsequently, Microsoft found two Bluekeep-like bugs that affected older systems from the Windows 7 generation upwards (Cimpanu, 2019b). Microsoft feared that if this was exploited, it could provide a wormable vulnerability on a par with WannaCry, and with the correct hard-coded credentials exploit Samba, which was also ripe for a ransomware attack using methods dubbed SambaCry. In 2017, both vulnerabilities were over five years old, but unlike, WannaCry, which was a Windows vulnerability, the Samba 3.5 vulnerability was linked to Linux. Thus, this potentially enabled remote attackers write access that could be used to execute Samba permissions (Goldberg & Greitser, 2017).
From a 2016 survey, Veracode found that 52.5% of web developers were worried about sensitive data exposure. Yet by 2018, researchers found 67% of applications to be prone to data leakage. The 2016, survey also identified that 39% of software had cryptographic issues in their implementation, and by 2018, this had increased to 64% (Veracode, 2016a; Veracode, 2016b; Veracode, 2018). These statistics occurred even though there is best practice to assist in the reduction of weaknesses, such as the Software Assurance Maturity Model (Open Web Application Security Project, 2016), and various tools to assist developers in the generation of acceptable code, like Sonotype (Lemos, n.d.).
Key Terms in this Chapter
Island Hopping: This involves the subversion of web sites from one organization to redirect them to a malicious site hosting exploit kits used to find vulnerabilities in a bid to launch attacks against users of other organizations who visited the site; effectively, this acts as Watering Holes.
Two-Factor Authentication: An example is an SMS message to a user’s registered cellular phone that forms part of a two-stage verification process.
Watering Hole: The use of compromised web sites to infect computer hosts with malware or directly interact with them using subversion in order to springboard another phase of a cyber-attack to achieve an aim like acquire banking details.
WannaCry: A ransomware worm that used the Eternal Blue exploit to abuse the unpatched Server Message Block protocol and propagate between Windows computers.
Virtual Private Network: A security function that uses cryptographic key exchanges and encryption suites to encapsulate and tunnel traffic securely across insecure IP-based networks using TCP (SSL/TLS) or UDP (Internet Protocol Security) methods.
Man-in-the-middle Attack: A method used to interact with the user and/or the intended recipient of a communication, transaction or session in order to capture credentials, intercept traffic, and collect data to undertake further nefarious activities.
Bourne Again Shell: A command line interface that administrators of Unix and Linux operating system distributions use heavily.
Development Operations (DevOps): DevOps is a sprint-based approach that can catch coding flaws during the development of code due to security reviews, rework on previous sprint cycles, and testing.
Linux: An open source operating system originally developed by Linus Torvalds that is based on a monolithic kernel which contains a number of different open source applications and different forms of graphic user interfaces.