@guypod
Developer as a Malware Distribution Vehicle
Guy Podjarny (@guypod)
About Me
• CEO & Co-Founder at Snyk
  • Find & Fix vulnerabilities in open source dependencies!
• Founder @Blaze, CTO @Akamai
• Security work since 1997
• DevOps & Performance since 2010
• A Developer
Developers are more powerful
than ever
That can be Dangerous
I’m here to tell you a few stories…
XCodeGhost
The time: September, 2015
XCode: iOS Dev Platform
Xcode is BIG…
Was 3GB in 2015
Xcode downloads in China come from the US
and are SLOW
Devs use local mirrors
• Hosted inside the great firewall
• Much faster to download
• Found via forums etc
• And… some contain malware! (dubbed XcodeGhost)
XcodeGhost Malware
• Includes a malicious CoreServices component
• Component is compiled into the iOS app
• Submitted to app store, evades detection!
• Malware spies on users installing the apps
XcodeGhost went undetected
for 4 months
Up to 300 affected apps
WeChat (China’s WhatsApp)
Didi (China’s Uber)
Railway 12306 (Train Tickets)
+ Dozens of US apps
Some apps compromised Via a Library
https://possiblemobile.com/2015/11/a-lesson-in-xcode-ghost-third-party-frameworks/
Up to 1.4M active victims/day!
http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/
Not just in China (DNS queries to evil sites by geo)
http://www.circleid.com/posts/20151001_verisign_idefense_analysis_of_xcodeghost/
Apple cleans up App Store immediately, Users take months to update.
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
Local Xcode downloads
“[CoreServices] is a Mach-O object file that is used by LLVM linker and can’t directly execute in any way”
https://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
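The quoted point matters for defenders: a tampered toolchain can carry its payload as a linkable object rather than as something that runs on its own. As an added example (not from the talk or the cited research), this Python script compares a toolchain tree against a manifest built from a copy obtained from the vendor and flags added or changed files that are Mach-O relocatable objects; the file paths and both sample trees are constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Mach-O header constants from <mach-o/loader.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_OBJECT, MH_EXECUTE = 0x1, 0x2  # relocatable object / executable


def macho_filetype(header: bytes):
    """Return the filetype field of a thin Mach-O header, else None.

    Fat (multi-architecture) containers are not unpacked here.
    """
    if len(header) < 16:
        return None
    # Layout: magic, cputype, cpusubtype, filetype (4 bytes each).
    for endian in ("<", ">"):
        magic, _cpu, _sub, filetype = struct.unpack(endian + "IiiI", header[:16])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return filetype
    return None


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root: Path, known_good: dict) -> dict:
    """Diff a toolchain tree against a known-good manifest."""
    current = build_manifest(root)
    added = sorted(current.keys() - known_good.keys())
    missing = sorted(known_good.keys() - current.keys())
    modified = sorted(
        p for p in current.keys() & known_good.keys() if current[p] != known_good[p]
    )
    # Added or changed files that a linker would pull into every build.
    linkable = [
        p for p in sorted(added + modified)
        if macho_filetype((root / p).read_bytes()[:16]) == MH_OBJECT
    ]
    return {"added": added, "modified": modified, "missing": missing,
            "linkable_objects": linkable}


def _fake_macho(filetype: int) -> bytes:
    # Constructed 64-bit little-endian header (arm64 cputype), zero-padded.
    return struct.pack("<IiiI", MH_MAGIC_64, 0x0100000C, 0, filetype) + b"\0" * 16


def demo() -> dict:
    """Build a constructed reference tree and suspect tree, then audit."""
    base = {
        "bin/clang": _fake_macho(MH_EXECUTE),
        "sdk/usr/lib/libSystem.tbd": b"--- !tapi-tbd\n",
    }
    # Constructed path; only the component name comes from the slides.
    extra = {"sdk/Frameworks/CoreServices.framework/CoreServices": _fake_macho(MH_OBJECT)}
    with tempfile.TemporaryDirectory() as tmp:
        reference, suspect = Path(tmp, "reference"), Path(tmp, "suspect")
        for root, files in ((reference, base), (suspect, {**base, **extra})):
            for rel, data in files.items():
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return audit(suspect, build_manifest(reference))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest is only as trustworthy as the copy it was built from, so build it from a download taken directly from the vendor.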
Developers were a distribution vehicle.
XcodeGhost Was not the first
The year: 2009
Developers still used Delphi
Induc Malware
• Detects if Delphi is installed
• Compiles sysconst.pas to a malicious sysconst.dcu
• Malware added to every program compiled on machine
• Every execution of Induc compromises local sysconst.dcu
Induc ~> XcodeGhost
• Took longer to find
  • 10 months!
• Spread faster
  • Kaspersky: “millions of copies”
• More viral and hard to remove
  • no unofficial downloads, no app store
• Replicates via compilers, not executables
Developers were a distribution vehicle.
Induc was not that original
either!
The year: 1984
“Reflections on Trusting Trust” Ken Thompson, 1984
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
“I would like to present to you the cutest program I ever wrote…”
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
The Ken Thompson Hack
• Modify C compiler to “miscompile”:
  • Unix login to accept a hard-coded password (Trojan 1)
  • C compiler to replicate the trojans (Trojan 2)
  • Disassembler to hide the trojans (Trojan 3)
• Remove the trojans' code from the source code
Originally described by Karger and Schell in 1974, dubbed Multics vulnerability
If this happened, how would you find out?
“Solution” by David Wheeler, 2005: two independent compilers producing bit-identical output
“I picked on the C compiler. I could have picked on any program-handling program
…As the level of program gets lower, these bugs will be harder and harder to detect”
“The moral is obvious. You can't trust code that you
did not totally create yourself. (Especially code from companies that employ people like me.)”
Who here totally created their code?
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Back to today…
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
Malicious PyPi packages (2017)
Malicious npm packages (2017, 2018)
RubyGems Hacked (2013,2016)
https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers
Malicious Docker Images (June 2018) - THIS MONTH
These are the ones we know about
Injecting Vulnerability into Angular.js (2015)
• Mario Heiderich fixed a bug in Angular… and introduced a vulnerability!
• Angular accepted the “fix”
• Google security team blocked release
https://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs/54
How often are vulnerabilities intentional?
https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/
Developers were a distribution vehicle.
The pace of shipping code
is skyrocketing
Our users Trust
the code we ship
From Code
to Systems & Data
Developers access production systems
daily
Developers access user data
daily
That can be Dangerous
The Syrian Electronic Army
and the Financial Times
1. Phishing email to employees who had publicly shared their email
Masked link to an attacker-controlled compromised site
2. Link redirects to spoofed FT Single Sign-on
page (for Google Apps)
Some users entered their passwords…
3. Attackers use compromised accounts to Email more FT users
this time from an FT email address
More users are compromised…
4. IT finds out, sends warning email to all. Attackers send identical email - with evil links
5. Attackers gain access to several official Twitter accounts blog
https://www.telegraph.co.uk/technology/twitter/10064184/Financial-Times-hacked-by-Syrian-Electronic-Army.html
“A sobering day” by Andrew Betts,
a compromised FT developer
https://labs.ft.com/2013/05/a-sobering-day/
“Developers might well think they’d be wise to all this – and I thought I was.”
https://labs.ft.com/2013/05/a-sobering-day/
Developers were the 2nd most likely to click a link in a phishing email
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
Internal Salesforce Phishing Test run by Masha Sedova (@modMasha)
Compromising a high-privileged developer
is hitting the jackpot
The Uber Hack
of 2016
Attackers accessed details of 600,000 Uber drivers
and “some personal info” of 57M Uber users
Uber paid $100,000 ransom
disguised as a bug bounty
Uber didn’t report the breach for a FULL YEAR
(until Nov, 2017)
Uber Hack Details
• Dev pushed S3 tokens to private github.com repo
• Attackers gained access to repo, stole tokens
• Uber was not using 2FA
• Attackers used token to steal info from S3
“we immediately instituted multifactor authentication on Github.
We then subsequently ceased using
GitHub except for items like open source code”
Uber Hack of 2014
• Dev stored sensitive URL in public github.com gists
• Attacker accessed data in May, 2014
• “Only” 50,000 drivers exposed that time
• Uber discovered breach in September, 2014
• Uber notified drivers in February, 2015
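Both Uber incidents above began with a secret placed in a repository or gist. As an added example (not from the talk), this Python check scans a git-format unified diff for AWS key material and URLs with embedded credentials; the rule names, the sample diff, and the reading of “sensitive URL” as a URL carrying credentials are assumptions, and the key values are AWS's published documentation placeholders.

```python
import re

# Detection rules. Each pattern captures the secret itself in group 1.
RULES = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-character secret assigned to the conventional variable name.
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # scheme://user:password@host
    "url-embedded-credentials": re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@"
    ),
}
HUNK = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage; never echo the full secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_diff(diff_text: str) -> list:
    """Return findings for added and removed lines of a git diff."""
    findings = []
    path, old_no, new_no, in_hunk = None, 0, 0, False
    for line in diff_text.splitlines():
        hunk = HUNK.match(line)
        if hunk:
            old_no, new_no, in_hunk = int(hunk.group(1)), int(hunk.group(2)), True
            continue
        if line.startswith("diff --git "):
            in_hunk = False
            continue
        if not in_hunk:
            if line.startswith("+++ "):
                path = line[6:] if line.startswith("+++ b/") else line[4:]
            continue
        tag, body = line[:1], line[1:]
        if tag == "+":
            side, lineno = "added", new_no
            new_no += 1
        elif tag == "-":
            side, lineno = "removed", old_no
            old_no += 1
        else:
            if tag in (" ", ""):  # context line advances both counters
                old_no += 1
                new_no += 1
            continue
        for rule, pattern in RULES.items():
            for match in pattern.finditer(body):
                findings.append({"file": path, "line": lineno, "side": side,
                                 "rule": rule, "match": redact(match.group(1))})
    return findings


def triage(findings: list) -> dict:
    """Added secrets block the commit; removed ones are already in
    history, so deleting the line is not enough and they need rotating."""
    return {
        "block_commit": [f for f in findings if f["side"] == "added"],
        "rotate_already_committed": [f for f in findings if f["side"] == "removed"],
    }


# Constructed sample diff (AWS documentation placeholder keys).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 DEBUG = False
-OLD_KEY = "AKIAIOSFODNN7REMOVED"
+BACKUP_URL = "https://backup:s3cr3t-pass@storage.example.com/drivers.db"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

A private repository does not change the outcome: anyone who gains access to it can read every secret in its history.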
Developers can access Extremely Sensitive Data
and expose it too often
Chalker, 2015
Dan Godin, 2013
These stories are just a few examples
of MANY
Developers are more powerful
than ever
With Great Power
comes Great Responsibility
Why are developers falling for these?
https://www.youtube.com/watch?v=fDryj_9I5eM
Rachel Ilan Simpson (@rilan)
Guy Podjarny (@guypod)
Why do people make insecure decisions?
• Different motivations
• Cognitive Limitations
• Lack of Expertise
Why do developers make insecure decisions?
• Different motivations
  • Our goal is improved functionality, security is just a constraint
• Cognitive Limitations
  • We move fast, and sometimes break things - including security
• Lack of Expertise
  • We often don’t understand the security implications of our decisions
![Page 82: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/82.jpg)
Developers are also Over Confident
![Page 83: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/83.jpg)
“I find training developers, actually to be much harder than regular employees”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
![Page 84: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/84.jpg)
“there's a certain amount of arrogance associated with, "I already know this," or "I'm smarter than this."”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
![Page 85: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/85.jpg)
“Most developers that I talk to, specifically, don't actually believe security is an issue that happens at their company”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/
![Page 86: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/86.jpg)
Security breaches Can happen to You
![Page 87: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/87.jpg)
You are Trustworthy
but Not Infallible
![Page 88: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/88.jpg)
How can we Mitigate this risk?
![Page 89: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/89.jpg)
Learn lessons from Past Incidents
![Page 90: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/90.jpg)
Automate Security Controls
• Apple: Malware detection in app store
• npm: Malicious package detection in registry
• FT: 2FA on SSO Page
• Uber: 2FA on GitHub.com, then move to self hosted git
![Page 91: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/91.jpg)
Make it Easy to be Secure
• Apple: Stand up fast local Xcode download mirrors
• FT: “Reducing and removing privileges more aggressively”
• Uber: Auto-expire AWS tokens
• npm/PyPI/Docker: Flag/block malicious packages
![Page 92: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/92.jpg)
Developer Education
• Apple: Encourage dev to validate Xcode Download
• npm: Blog about malicious packages & typosquatting
• FT: “set clearer expectations of security standards”
• Angular: Require 2 expert reviewers for sensitive code
![Page 93: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/93.jpg)
Caring about security
Ease of being secure
![Page 94: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/94.jpg)
Manage Access
Like a Tech Giant
![Page 95: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/95.jpg)
Google BeyondCorp
https://cloud.google.com/beyondcorp/
![Page 96: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/96.jpg)
BeyondCorp in a nutshell
• All access done via a corporate proxy
  • Eliminates trusted network
• Proxy grants access per user & device
  • No more static credentials
• Access is logged and monitored
  • Anomalies can be detected during or after actions
https://www.slideshare.net/fortyfivan/beyondcorp-sf-meetup-closing-the-adherence-gap
![Page 98: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/98.jpg)
Microsoft Privileged Access Workstations (PAW)
![Page 99: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/99.jpg)
PAWs in a nutshell
• Access to production requires a secure machine
  • With strict controls and no further internet access
• Your “Desktop” runs as a VM on the machine
  • Running a secure VM in an insecure host isn’t enough
• Optionally a “Guarded Host” can host both VMs
  • Allows more flexibility and routine updates to the PAW
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
![Page 100: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/100.jpg)
Detailed PAW Guidance (Windows-centric)
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
• PAW deployment guide
• Why use shielded VM for PAW?
• How to deploy VM template for PAW
• Building VM template for PAW
• Connect to VMs on PAW
• Shielded VM local mode vs HGS mode
• How to build the PAW host
![Page 101: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/101.jpg)
Netflix - BLESS
![Page 102: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/102.jpg)
QCon NYC 2017 Talk!
https://www.infoq.com/presentations/bless-security-ops-ssh
![Page 103: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/103.jpg)
BLESS in a nutshell
• Central SSH Certificate Authority (Lambda based)
• Centrally manage keys & track SSH permissions per user/system
• Instances trust CA instead of managing keys
• Dev SSH via a Bastion (jump host) server
  • Lyft uses BLESS server to manage SSH access to Bastion too
• Bastion manages access per BLESS Server instructions
  • Logs access & can enforce custom rules (e.g. allowed source IP)
https://www.infoq.com/presentations/bless-security-ops-ssh
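The certificate model this slide summarises, as an added example that is not from the talk or from the BLESS code base: it uses plain OpenSSH `ssh-keygen` with a throwaway local CA in place of the Lambda-based signer, and shows a short-lived certificate bound to an allowed source address. The user `alice`, the principal `bastion-users`, the network `203.0.113.0/24` and the five-minute validity are constructed sample values.

```shell
#!/bin/sh
# Constructed demo of the SSH-certificate model behind a central SSH CA.
# alice, bastion-users and 203.0.113.0/24 are made-up sample values.

# issue_cert DIR USER PRINCIPAL VALIDITY SOURCE_CIDR
# Writes DIR/ca (CA key), DIR/USER (user key) and DIR/USER-cert.pub.
issue_cert() {
  # CA key pair: in a central-CA design only the signing service holds it.
  ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$1/ca" || return 1
  # The developer's key pair; the private half stays on their machine.
  ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2" || return 1
  # Sign the public key with: a key ID (recorded in sshd's auth log), one
  # principal, a short validity window, and a critical option that makes
  # sshd reject the certificate from any other source address.
  ssh-keygen -q -s "$1/ca" -I "$2@demo" -n "$3" -V "$4" \
    -O "source-address=$5" "$1/$2.pub"
}

# Fields of a certificate, read from `ssh-keygen -L` output.
cert_key_id()         { ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'; }
cert_valid_window()   { ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: //p'; }
cert_source_address() { ssh-keygen -L -f "$1" | sed -n 's/^ *source-address //p'; }

# signed_by CERT CA_PUB: does the certificate name this CA as its signer?
# This compares fingerprints only; sshd verifies the signature itself.
signed_by() {
  ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
  cert_fp=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
  [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ]
}

# On each instance, one sshd_config line makes sshd trust the CA instead of
# per-user keys (the path is a sample value):
#   TrustedUserCAKeys /etc/ssh/demo_ca.pub
# Usage: d=$(mktemp -d); issue_cert "$d" alice bastion-users +5m 203.0.113.0/24
#        ssh-keygen -L -f "$d/alice-cert.pub"
```

Once the validity window passes, the certificate stops working without anyone having to remove a key from an instance.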
![Page 104: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/104.jpg)
More on Netflix BLESS
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
• GitHub repo https://github.com/Netflix/bless
• Lyft on using BLESS for Bastion access https://eng.lyft.com/blessing-your-ssh-at-lyft-a1b38f81629d
• Bryan Payne's QCon NYC talk https://www.infoq.com/presentations/bless-security-ops-ssh
![Page 105: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/105.jpg)
Controlling access makes
Security easier
![Page 106: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/106.jpg)
Beyond learning from others, Ask Questions!
![Page 107: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/107.jpg)
When someone asks for access
Challenge It
![Page 108: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/108.jpg)
What happens if you don’t allow access?
or only grant partial access?
![Page 109: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/109.jpg)
How Urgently is access needed?
![Page 110: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/110.jpg)
How long is access needed for?
![Page 111: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/111.jpg)
How bad would it be if this access was Compromised?
![Page 112: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/112.jpg)
If access was compromised, How would you find out?
and how quickly?
![Page 113: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/113.jpg)
If access was compromised, What would you do?
![Page 114: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/114.jpg)
Agility vs Safety
![Page 115: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/115.jpg)
Developers are a lucrative target
and attackers know it
![Page 116: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/116.jpg)
Users Trust You
![Page 117: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/117.jpg)
Care about user safety
even if it’s hard
![Page 118: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/118.jpg)
Don’t be a Malware distribution vehicle
![Page 119: Developer as a Malware Distribution VehicleThe Ken Thompson Hack • Modify C compiler to “miscompile”: • Unix login to accept a hard coded password (Trojan 1) • C compiler](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a5834d87fcd19294ea627/html5/thumbnails/119.jpg)
Developer as a Malware Distribution Vehicle
Guy Podjarny (@guypod)
Thank You!