Professional Information Security Association
SEP-2017
PISA Journal
Supply Chain Attacks Blockchain and DLT Revolutionize Digital Trust .
www.pisa.org.hk
Issue
26
Special Topics 05 Supply Chain Attack 12 Blockchain and DLT revolutionize Digital Trust
Page 2 of 30
An Organization for Information Security Professionals
Editor: editor@pisa.org.hk
Copyright
ďƒ“ 2017
Professional Information Security Association
Intranet 04 20 21 30
Page 3 of 30
Message from the Chair The Editorial Board Event Snapshot Joining PISA
A Publication of Professional Information Security Association
Professional Information Security Association
Message from the
Chairman knowledge to help bring prosperity to the society in the Information Age.
I
Time is running fast. PISA is now one of the most recognized Info-sec professional bodies, not only locally in Hong Kong, but also in the region. However, I would urge all members to continue to facilitate our knowledge and sharing, to achieve the highest quality of technical and ethical standards to our profession, and enforce our best control practices.
t’s my pleasure and honor to be re-elected as the Chairperson of PISA again in 2017. I recall when I took the same role in 10+ year ago, PISA was still a young professional association in Hong Kong. With the passion of our ExCo colleagues, we grew up in a rapid but healthy way, upholding our original mission as the prominent body of professional information security practitioners, and utilize our expertise and
Page 4 of 30
Most importantly, we need to consistently upload our integrity standard, independence and governance to make PISA a better platform for all of us. Thank you and I look forward to meeting all of you in our regular events.
An Organization for Information Security Professionals
Ando Ho Chairman
SEP-2017
Supply Chain Attacks
I
n 2017 we have seen cyber attacks making its way through the upstream of the supply chain to bypass the defense of enterprises. We have to understand more about it in order to better protect our information
S. C. Leung CISSP CCSP CISA CBCP S.C. has been working in the CERT for 16 years. Before that he had worked in banking, telecommunication, ISP and consulting industries. He was the Founding Chairperson of PISA in 2001. He is also the Editor of the PISA Journal since its publication.
Page 5 of 30
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
What is Supply Chain Attack? The term “supply chain� is used to connect the flow of business activities of certain products or services through the participating parties involved. The activities involved are material supply, manufacturing, assembly, distribution (wholesales and retail) to end consumer. Supply chain exists in any industry, from the financial sector, manufacturing industry, software industry or even government sector. The complex interconnection of parties in-
volved in a supply chain can be represented in a simplified flowchart as that in Figure 1.
Supply chain attack is about the attackers leveraging on our trust on our supply chain partners to bypass traditional defenses and compromise a large number of computers. Attackers target weak points in the supply chain to launch their initial attacks. The compromised software spread to other parties downstream. For example, the attacker might target a less secure distributor to spread malware to customers and consumers.
Figure 1 - The simplified supply chain in manufacturing industry (Source: Wikipedia)
Forms of Supply Chain Attacks Supply chain attack can take many forms. In this article, I discuss the following common ones with recent attack cases. 1. Software Update Contamination 2. Software Library Contamination
3. Firmware Contamination 4. Waterhole Attack
Page 6 of 30
An Organization for Information Security Professionals
SEP-2017
Issue
Supply Chain Attacks
Software Update Contamination Software update contamination of commercial software is the most popular form of supply chain attacks today. Enterprises has legitimate software installed on the enterprise network after serious testing process. They usually trust their software providers to provide them continual update for the software to introduce new features or bug fixes. These software has built-in software update functionality. Software vendors with good security practice will digitally sign the software updates to ensure integrity. At the endpoint, client system verifies the authenticity of the software update before applying it. Enterprise IT teams might whitelist the IP addresses of the update servers provided by the software providers on the firewall. Some enterprise might allow automatic update of software, especially malware definitions for anti-malware solutions. There are a few ways that attackers compromise the software update mechanism. Attacker can simply hack into the web servers that is used to distribute software and replace the legitimate software with a
Page 7 of 30
26
poisoned one. However, this might be detectable because the malware were not authenticated by the supplier. If the attackers can compromise the internal of the software distribution mechanism, the code could have a higher chance to to be signed by legitimate digital certificate of the software provider. A signed software update is usually trusted by the systems. NotPetya Ransomware
In June 2017, the “NotPetya� ransomware hit Ukraine and some Eastern European countries. Investigation showed that the initial infection was from the software update of M.E.Doc software, an accounting system having 80% market share in Ukraine. Attacker infiltrated into the software company and created backdoors inside M.E.Doc disguised as legitimate software update. Besides Ukraine, global shipping company Maersk and FedEx subsidiary TNT were hit by NotPetya, each with estimating financial loss in millions of US dollars.
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
ShadowPad backdoor
In July 2017, it was found that a backdoor named ShadowPad was injected into the Xmanager Suite, a popular server management software produced by NetSarang. The contaminated software was pushed software update . The attack was spotted when a company using the software observed suspicious domain name lookup requests. The backdoor allowed the attacker to load malware on the victim systems and exfiltrate data.
CCleaner backdoor
CCleaner is a popular free software used for PC maintenance produced by Avastowned Piriform. In August 2017, it was found that the official download of the free version of CCleaner contained a malicious code and had command and control func-
Page 8 of 30
tionality. It was estimated that 2.3 million copies of poisoned CCleaner software were downloaded. Infected computers would potentially be connected by attacker to steal sensitive personal information. Furthermore the attacker targeted 20+ companies with additional malware.
Chrome browser extensions compromised Image credit: https://wccftech.com/attackers-chrome-extension-hijacking-spree/
In August 2017 attacker compromised a series of Chrome browser extensions to hijack traffic from legitimate ad network. Attacker used phishing email to obtain the password of chrome extension developers to obtain their Google account credentials. These compromised extensions attempted to substitute ads on a victim’s browser and hijack traffic from legitimate ad networks. The malicious extensions also attempted to stealing CloudFlare credentials from the victim machines.
An Organization for Information Security Professionals
SEP-2017
Issue
Supply Chain Attacks
Software Library Contamination Software Library Contamination is another software supply chain attack. The attack happens through the third-party code that software developers use in their projects. Most applications contains frameworks, libraries or software development kits (SDK). If these components are compromised, the malicious code will spread to many applications developed with these components. The attacker might hack into the hosting website of the framework, library or SDK and replace them with a contaminated version. The developers trusting these components would not be aware that they are using a contaminated third-party code.
XcodeGhost
In 2015, thousands of of iOS apps (e.g. 微 信、天天動聽、滴滴打車、同花順、憤怒
After investigation it was found that the developers in China used a trojaned Xcode (iOS development tool) on an unofficial website. In China, developers are used to use local copies of Apple Xcode development environment hosted on unofficial websites due to network performance issues in accessing the Apple Xcode website. The XcodeGhost had a large impact. Apple removed the infected apps off the shelf. Affected users could just update the apps to get disinfected. However, even as today, some enterprises are still using the infected apps and the threat still exists.
Youmi Ad SDK spyware
In 2015, SourceDNA researchers found that Youmi’s new advertising SDK was illegally collecting information on users. Developers who created apps with Youmi Ad SDK were unaware that the SDK was collecting user information and sending back to Youmi’s server in China. Apple later took down all affected apps. The number if downloads of affected apps amounted to 1 million.
的小鳥 2) were found to have backdoor.
Page 9 of 30
26
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
Firmware Contamination
Waterhole Attack
Supply chain attack can occur in firmware. Firmware contamination is difficult to detect because pre-loaded firmware coming with devices is at a lower level than the operating system. It cannot be detected or removed by anti-malware software.
In Waterhole Attack, attacker poisons a website frequently visited by victims. Victims trusting the website were prompted to download.
Bad Rabbit ransomware Zombie Zero poisoned handheld scanners
In 2014, security consulting company TrapX discovered malware breaking into ERP system to steal financial, logistics and customer information. After investigation, the source of attack was found to be handheld scanners with Embedded WinXP. The devices had a malware installed when they were shipped from the Chinese manufacturer. TrapX did not confirm if the scanner manufacturer knowingly shipped devices with pre-loaded malware.
Page 10 of 30
In October 2017, the Bad Rabbit ransomware spread wildly in Russia, Ukraine, Bulgaria, Turkey and Germany. It was found to be spread by drive-by-download via waterhole attack. The compromised legitimate websites were popular ones in their countries, such as Radio Station in the US, Tourist Office and Hercegnovi Municipality in Montenegro, Defense association in Bulgaria, Bahmut Municipality of Ukraine, German booking website and Turkish twitter trend, booking website, SEO web services. Attacker sets a trap and wait for the victim to come. Victims visiting the website would be either attacked by exploits on the browser and plugin vulnerability, or download a contaminated version of legitimate version of document or software and install by themselves.
An Organization for Information Security Professionals
PISA
Journal
Professional Information Security Association
Supply Chain Attacks
Tackling Supply Chain Attacks Supply chain attack is complex and there is no simple defense. For example, it is hard to detect and remove malicious firmware because they sit below the operating system.
References [1]
ENISA, “Supply chain attacks”, 29 August, 2017 (https:// www.enisa.europa.eu/publications/info -notes/supply-chain-attacks/)
[2]
“What is a Supply Chain Attack”, Motherboard, September 2017. (https://motherboard.vice.com/en_us/ article/d3y48v/what-is-a-supply-chainattack)
[3]
Proofpoint, ”Threat Actor goes Chrome extension hacking”, 14 August 2017 (https:// www.proofpoint.com/us/threat-insight/ post/threat-actor-goes-chromeextension-hijacking-spree)
Tackling the threat of supply chain attacks should start with partner management. We have to control the supply chain partners:
Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
Page 11 of 30
Purchase only from authorized suppliers; check supplier reputation
Require suppliers to practice security in their process, including,
Provide integrity check to hardware and software to detect unauthorized modification
Perform annual security audit
Perform security awareness education to staff
Restrict access of supplier to enterprise network
Test software before deployment
SC Leung ■
An Organization for Information Security Professionals
Professional Information Security Association
Blockchain and DLT Revolutionize Digital Trust
This article was published at TechInAsia on 5 Jan 2018 with title “Banks don’t trust anyone, and it’s expensive. Blockchain and DLT can change that” https://www.techinasia.com/talk/blockchain-dlt-trusted-system
Antony Ma CISSP Antony Ma is a software developer, turned IT Auditor, turned Security Architect, turned Entrepreneur. He was Chairman of PISA back in 2009-2010. Now he is founder and CTO of a travel technology company.
Page 12 of 30
An Organization for Information Security Professionals
SEP-2017 Blockchain and DLT revolutionize Digital Trust
While most people think banks are stable and trusted, they actually operate based on a zerotrust assumption (or simply trust no one). Every employee is constantly under checking and controls (there have been too many stories of insider hacks, misuse of customer money, and money laundering). Regulators like MAS (Monetary Authority of Singapore) or HKMA (Hong Kong Monetary Authority) enforce multi-layer risk control mechanisms, generally known as the three lines of defence. The fir st line is the process owner or the depar tment manager who executes each transaction and follows bank policies. The second is a centralized or independent risk management depar tment. Risk managers do not execute daily operations but oversee the overall operating environment and set risk parameters, operating procedures, and advise first-line
Page 13 of 30
managers on risk mitigation strategies. The third line is what I was doing — risk assurance. Auditor s ver ify highrisk transactions and give their independent opinion to the board. All three parties and numerous checks and controls build a strong risk management mechanism internal to the bank. There are two other layers external to the bank that ensure critical risk controls are not circumvented: thirdparty independent auditors (PWC, EY, etc.) and financial regulators. So, one customer transaction at a bank branch could have five different teams reviewing it (line managers, risk managers, internal auditors, external auditors, and regulators). This explains why there are so many transaction records, signatures, approvals, and a huge paper trail when you simply deposit US$100 in your personal account.
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
Transaction log
A Public / Shared Ledger is a distributed trust system in which all transaction logs are validated by members connected to the network.
Running a zero-trust organization is costly and inefficient, and Inter net banking doesn’t solve this crucial and fundamental problem (in some cases, it even amplifies distrust). But blockchain, when taken together with distributed ledger technology (DLT), can. This sets the backdrop for this article on why blockchain matters.
Page 14 of 30
Trusted system The problem blockchain is trying to solve is how to run a trusted system with trustless people. (Note: I’m not implying that people are trustless or that we live in a trustless world, but a rotten apple spoils the bunch.) To be more precise, a trusted system refers to a transactional system that produces results according to a rule book. It’s not always legal (i.e. in
An Organization for Information Security Professionals
SEP-2017 Blockchain and DLT revolutionize Digital Trust
compliance with the law), but it has to be resilient and stable/predictable. A trusted system gives a consistent truth that can be verified without relying on another system. Transactions in a trusted system can’t be repudiated—which depends on record immutability —and are irrevocable. However, immutability in software before DLT was vulnerable because of the human factor (e.g. system administrator misconduct). System administrators had all access rights and were able to alter system parameters. But a system can only be as good as the people running it in terms of its trustworthiness, diligence, and capabilities. A few malicious or careless human actors can circumvent all advanced security controls. They are the Achilles heel of a secure system. Immutability alone does not produce a trusted system; it has to decouple from the operating team. Humans, with souls and feelings, are just too erratic to produce consistent and pre-
Page 15 of 30
Issue
26
dictable results.
Blockchain and DLT Blockchain and DLT together eliminate the vulnerability of human interference, as a system built with both technologies can operate without having to trust system administrators. DLT solves this administrator problem with a decentralized and consensus approach. A DLT network or infrastructure is still run by people but not by one person or a team (like employees receiving paychecks from the same boss). “Distributed” means the software is running on multiple independent operating systems by total strangers without any filtering or selection. Anyone with a computer and a network connection can join and contribute to the DLT—no registration, financial deposit, or ID verification is needed.
There is also no hierarchy of users in a DLT system, no super-
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
administrators or privileged accounts that can delete transactions in the system. Each transaction must be endorsed by other users. The system follows self-governance according to the rules defined by the software developers. But how can hundreds of trustless people achieve self-governance and build a trusted system together?
Game theory Let us simplify the above question by using a story.
A group of students were on a weekend camping trip. They returned late and missed a midterm exam. The students told the professor that they couldn’t come back on time because they had a flat tire. So, the professor said she would give them an extension if they could give the same answer (without consultation) to one question: Which tire? In this situation, the students have a
Page 16 of 30
common goal to answer the question correctly and share the same benefit. Each of them plays the same role— there are no leaders or people with a privilege to answer twice. If all students cooperate and give the same answer, everyone gets a second chance to take the midterm exam (the reward). Without a central body and coordination, the students do not need any external enforcement, as it is in their self-interest to work together. In game theory, this is a self-enforcing agreement. In his talk at the Taipei Ethereum Meetup, Ethereum co-founder Vitalik Buterin said that economic incentives “encourage desired properties to hold into the future.” This means that economic incentives entice each user to behave in a predictable way. Users in a DLT network share the same economic incentive if the DLT is secure and trusted, making each of them act independently and rationally to protect their own benefits.
An Organization for Information Security Professionals
SEP-2017 Blockchain and DLT revolutionize Digital Trust
This economic incentive can exist in many forms: monetary, reputation, etc. In bitcoin, for example, the incentive is generating new coins. Users of the bitcoin DLT are rewarded with a new coin when they fulfill their duty by validating that bitcoin transactions are executed following the bitcoin protocol. The reason new bitcoins are rewarded to users is to encourage them to follow this protocol. (Note: More on this at the bottom of the article.) Mathematical formulas and cryptography ensure that what happens cannot be altered (immutability), and rewards via the “proof of work� protocol (in bitcoin) ensures the same behaviour will be followed by users in the future. Once the system starts, there is no need for central administration.
Drawbacks and Risks Now, we have a system that is traceable and predictable, governed by
Page 17 of 30
Issue
26
each user in the system with equal responsibility. Since it is not dependent on human intervention, employing a third party to do independent reviews does not provide additional assurance. When bank transactions run a blockchain and DLT system, the three lines of defence described at the beginning of this article are no longer necessary. Users trust that the transactions are executed securely, and not because of bank employees, auditors, or even regulators like HKMA or MAS. But there are also risks in using blockchain and DLT. Consider the flat tire example again. What happens if there were only two students riding on a motorcycle? There are only four possible permutations and a 50 percent chance that both students will guess the same answer and get another chance to take the exam. The four possible answers are:
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
1. Student A answers front wheel, student B answers front wheel. (Pass) 2. Student A answers front wheel, student B answers rear wheel. (Fail) 3. Student A answers rear wheel, student B answers front wheel. (Fail)
4. Student A answers rear wheel, student B answers rear wheel. (Pass) It’s not wise for the professor to use the same test. In the case of Bitcoin, what happens if only two computers are running the bitcoin protocol? Even though they are independent, it is possible that they make the same error. One crucial property of DLT is decentralization, which becomes vulnerable if there are only a few independent participants. The risks associated with blockchain and DLT are totally different from the traditional risks of confidentiality, integrity, and availability. ***
Page 18 of 30
Blockchain creates record immutability (past records are safe) and DLT protects immutability from human interference. Game theory enforces the DLT rules by appealing to the self -interest of each individual user (future records are highly likely to be safe). With these together, we can build a trusted system with decentralized cryptography without relying on third -party auditing. Trust is moved from the auditors to the software infrastructures (one reason why I’m not an auditor anymore). Note: When multiple users are competing to earn new Bitcoin, there is an objective rule to find the first winner. In Bitcoin or other DLT systems, the transactions can have trillions of possibilities, so they need a mechanism to determine which transaction should be included in the system. This mechanism currently involves solving a mathematical puzzle using computing power. To find the answer to this puzzle, a user must consider all answers
An Organization for Information Security Professionals
SEP-2017 Blockchain and DLT revolutionize Digital Trust
of previous answers. Like playing chess, the new move needs to consider all pervious moves. Whoever solves it is given the right to create new transactions in the system. But, this right expires as soon as the next user finds a new answer for the same puzzle. This mechanism is called “proof of work.”
Antony Ma
Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
Page 19 of 30
A Publication of Professional Information Security Association
Issue
26
SEP-2017
PISA Journal The Editorial Board
SC Leung CISSP CCSP CISA CBCP
Joyce Fan CISSP CRISC CISA
Ian Christofis CISSP
Alan Ho CISSP CISA CISM CGEIT
You can contribute to PISA Journal by: ●
●
Joining the Editorial Board Submitting articles to the Journal
SC Leung, Chief Editor editor@pisa.org.hk
Next Issue: Issue 27 (Mar-2018)
Page 20 of 30
A Publication of Professional Information Security Association
Professional Information Security Association
Event Snapshot We Share. We Progress.
(ISC)2 Member Reception (7-Apr-2017) The (ISC)2 Board of Directors and Executive Management visited Hong Kong and met with our members in Sheraton Hotel. They have answered questions regarding certification, membership and career development.
Page 21 of 30
An Organization for Information Security Professionals
SEP-2017
Event Snapshot We Contribute. We Achieve.
PISA Security Jam (27-May-2017) PISA organized the second PISA Jam, a 1-day conference to gather security buddies to share their research. There were presentations on Teensy, Cyber Security Intelligence, SIEM and Machine Learning on Security Analytics. In the afternoon we had workshops on Locks, CTF, SIEM and Elastic Search.
Page 22 of 30
A Publication of Professional Information Security Association
Professional Information Security Association
Event Snapshot We Share. We Progress.
(ISC)2 APAC Security Congress and ISLA 2017 @ Hong Kong (Jul-2017) The (ISC)2 APAC Security Congress 2017 was held in Hong Kong, together with the ISLA 2017 Award Presentation Ceremony in the Sheraton Hotel.
The Hong Kong ISLA 2017 honourees. (from left) Alan Ho, Dr. Ricci Ieong, Kin Ip, Mike Lo and Martin Chan. (Note: Dr. Xiapu Luo was not able to attend)
Page 23 of 30
An Organization for Information Security Professionals
SEP-2017
Event Snapshot We Contribute. We Achieve.
Information Security Summit (15-16 August 2017) PISA was a co-organizer of the 2-day Information Security Summit 2017 in HKCEC. This is the photo of all organizers and invited speakers. (ISC)2 speaker Jill Slay (first from the right in the front row) talked about ICS security.
Seminar: Malware Command and Control Centre using Social Media Platform (4 August 2017) Harris Ramli talked about how attacker leverage on social media platform to hide the communication traffic of C&C.
Page 24 of 30
A Publication of Professional Information Security Association
Professional Information Security Association
Event Snapshot We Share. We Progress.
PISA AGM 2017 cum Feature Talk: DevOps Security Journey (19-Aug-2017) PISA had the AGM at PolyU staff canteen with many members actively participated.
Vincent Ip delivered a talk on DevOps Security Journey
Page 25 of 30
An Organization for Information Security Professionals
SEP-2017
Event Snapshot We Contribute. We Achieve.
Seminar: False sense of security - "How easy to hack the physical security nowadays (21-Sep-2017) Andy Kong talked about the real difference of a good physical security system and demonstrated how to hack into a vulnerable system in 10 seconds.
Seminar: How does Blockchain enhance Cybersecurty (26-Sep-2017) Antony Ma shared his view on contribution of Blockchain to Cybersecurity.
Page 26 of 30
A Publication of Professional Information Security Association
Professional Information Security Association
Event Snapshot We Share. We Progress.
PISA Speakers in the local community. PISA professionals were invited to share their views on cyber security in seminars. Joyce Fan spoke at WTIA’s SafeWifi Seminar
Frankie Leung spoke in Hong Kong IT Industry Council
Eric Moy spoke at Inland Revenue Department’s IT security seminar
Frank Chow spoke in the Office of Communication Authority
Otto Lee spoke on Ransomware at the Hong Kong Baptist University
Page 27 of 30
An Organization for Information Security Professionals
Professional Information Security Association
Event Snapshot We Share. We Progress.
Various talks to schools under (ISC)2 Safe and Secure Online Program
Page 28 of 30
An Organization for Information Security Professionals
SEP-2017
Event Snapshot We Contribute. We Achieve.
Various talks to schools under (ISC)2 Safe and Secure Online Program
Page 29 of 30
A Publication of Professional Information Security Association
Professional Information Security Association
Professional Information Security Association Vision to be the prominent body of professional information security practitioners, and utilize expertise and
Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.
Many Ways
Networking
Continued Education
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date
Check out job listings information provided by members. Get information on continuing education and professional certification
Sharing of Information Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.
Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.
You Can Benefit Membership Information
Enquiry email:
Realize Your Potential
Professional Recognition
Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials
Benefit from the immediate access to professional recognition by using post-nominal designation
Membership Requirements Membership Annual Type Fee (HK$)
membership@pisa.org.hk
Full
500
Associate
300
Affiliate
300
Student
Free
Membership Application Form: http://www.pisa.org.hk/ membership/member.htm
Qualifications
Relevant Experience
Recognized Degree in Computing discipline, OR other appropriate educational / professional qual. Tertiary Education
3 years Info-Sec working experience Info-Sec related experience
Interested in furthering any of the objects of the society Full-time student over 18 years old
Nil Nil
Code of Ethics: http://www.pisa.org.hk/ ethics/ethics.htm
Page 30 of 30
• •
Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee. All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association An Organization for Information Security Professionals