Software Dependency Failures: jQuery, a Canary in the Coal Mine

Keeping dependencies up to date is challenging for any software development project, and even more so from a systems administration point of view. Too often you see packaged web projects that were put together and then forgotten. They contain dependencies on third-party libraries that never get updated, even if the application itself is maintained, at least to some extent. In my daily work I research the impact of vulnerabilities at the scale of the Internet. Most of the time, vulnerabilities in protocols, services and platforms keep me and other security professionals busy, whereas the upper layers, and especially the web layer, are often something of an afterthought. To find out whether there is a pink elephant in the room, I wanted to analyze a web application library which is ubiquitous and has had persistent issues with vulnerabilities, which led me to jQuery. My hypothesis was that software dependencies cause hidden vulnerabilities in applications considered secure, even when those applications are otherwise developed and maintained as they should be.


Integrity Checking - an Integral Part of Cyber Security

During the last twenty years there have been endless talks and discussions about the importance of Transport Layer Security (TLS) and the threats that emerge from failing to implement TLS correctly. Even with all the talk, real-life examples of impactful man-in-the-middle (MitM) exploitation are rare. This post aims to shed some light on one of these cases.

A Prelude to a 0-Day

It was a dark and stormy night, or rather a normal workday, for us working in an internal red team. A large part of our job is to map potential attack surfaces, and while large companies often have a huge external attack surface, there is a lot going on under the surface as well. One such area is the employees' devices and the enterprise software installed on them, typically provisioned by the company. Looking through the devices used daily by thousands of our colleagues, we saw what we expected: reputable EDR solutions, inventory management software and so on.


Further Examination into External Attack Surface

Reducing Attack Surface Decreases Security Risk

In my previous write-up I explained why tracking digital assets is important, and listed some methods to get started with it. I trust that once you read it, you immediately set off to gather a list of your IP and domain assets. Since then, Tuomas Haarala has further elaborated on discovery methods from a systems administrator perspective in a write-up of his own. Armed with these tools, we can now venture further into the realm of attack surface reduction. This write-up concentrates on the process of moving from cataloguing assets to having an idea of the attack surface involved. As laid out in my previous post, the steps in this process are:

1. Research the attack surface, i.e. the open services, related to these assets.
2. Determine whether there is something that needs fixing within these services.

This write-up focuses on the first step; the second will be covered in a follow-up.
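As an added example (not code from the original post or its author), the following Python script carries out the first step above on a scan of the asset list: it parses nmap's grepable (-oG) output into a per-host inventory, keeps only hosts that are up and ports whose state is open, and builds an inverse index of which hosts expose each service, which is the "idea of the attack surface" the post is after. The scan text, the IPs (from the 192.0.2.0/24 documentation range) and the hostnames are constructed for this example; the -oG line format itself is nmap's real one.

```python
"""Turn an nmap -oG scan of catalogued assets into an open-service inventory.

Added example, not code from the original post. NMAP_GREPABLE below is a
constructed sample (made-up hosts and services), not a real scan result.
"""
import re
from collections import defaultdict

# Constructed sample in nmap grepable format. Each host produces a "Status:"
# line and, if it is up, a "Ports:" line whose entries are
# port/state/protocol/owner/service/rpc info/version/
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.0.2.11 (db.example.com)\tStatus: Up
Host: 192.0.2.11 (db.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 5.7.40/\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "services": [...]}} for every host in the scan."""
    assets = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") carry no asset data
        ip, hostname = m.group(1), m.group(2)
        entry = assets.setdefault(ip, {"hostname": hostname, "status": None, "services": []})
        # Fields after the host are tab-separated: "Status: ...", "Ports: ...", "Ignored State: ..."
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for port_spec in value.split(", "):
                    parts = port_spec.split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than guess
                    entry["services"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return assets


def open_services(assets):
    """Reduce the inventory to the attack surface: hosts that are up, ports that are open."""
    surface = {}
    for ip, entry in assets.items():
        if entry["status"] != "Up":
            continue
        opened = [s for s in entry["services"] if s["state"] == "open"]
        if opened:  # filtered/closed ports are not reachable services
            surface[ip] = {"hostname": entry["hostname"], "open": opened}
    return surface


def hosts_by_service(surface):
    """Inverse index service name -> sorted 'ip:port', to see how widely each service is exposed."""
    index = defaultdict(list)
    for ip, entry in surface.items():
        for s in entry["open"]:
            index[s["service"]].append(f"{ip}:{s['port']}")
    return {name: sorted(where) for name, where in index.items()}


def summary_lines(surface):
    """One human-readable line per host with its open ports and detected versions."""
    lines = []
    for ip in sorted(surface):
        e = surface[ip]
        label = f"{ip} ({e['hostname']})" if e["hostname"] else ip
        ports = ", ".join(
            f"{s['port']}/{s['proto']} {s['service']} {s['version']}".rstrip() for s in e["open"]
        )
        lines.append(f"{label}: {len(e['open'])} open - {ports}")
    return lines


if __name__ == "__main__":
    surface = open_services(parse_grepable(NMAP_GREPABLE))
    for line in summary_lines(surface):
        print(line)
    for name, where in hosts_by_service(surface).items():
        print(f"{name}: {', '.join(where)}")
```

Feed it a real scan with `nmap -sV -oG scan.txt -iL assets.txt` and replace NMAP_GREPABLE with the file contents; the inverse index is the quick way to spot a service (SSH, a database port) exposed on more hosts than the asset list suggested it should be.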
