[devnexus 2022] java and ransomware

Speaker: Steve Poole

Twitter: @spoole167

Link to table of contents

———————

Ransomware crimes

  • robbery
  • blackmail
  • extortion
  • revege
  • murder – ex: hospital attacks

Symptoms

  • files gone
  • files corrupt
  • unexpected files on system – obvious so believe it is real
  • prevent logging on
  • threats to delete or publish data
  • link to cryptocurrency wallet and amount – hard to trace

How get into system

  • Phishing – Impersonate boss, etc. Significant targetted social engineering. Understand business/context. Attachment with malware
  • Malware – mostly Windows
  • Government #1 target. Then education/services/health care/tech/manufacturing/retail/utilities/finance
  • Target single company or org. Look for poor security hygene
  • Vulnerabiliteis/CVEs
  • Suply chain attacks
  • Remote code execution

Once have access

  • Pull encrypton keys
  • Encrypt files not used often first
  • Then encrypt files used in memory so works until restart
  • Gigabytes/terrabytes of data – takes time
  • Would notice if network got slow so sneaky
  • Copy critical data out disguised as normal traffic. Hide in other payloads
  • Sometimes responses to ”legit” request
  • Almost always via botnets
  • Paying helps fund more
  • Rare to shut down. Instance of giving up decryption keys when one group folded

Motive

  • Data kidnapping – pay or release data
  • Blackmail – dirty payments, porn
  • Revenge – disgruntled employee, cripple systems
  • Competitor – wipe you out/steal secrets
  • Worse – weaponsized attacks from nation states
  • Some of these cases do not intend to give data back
  • Cybercrime beat drugs in value
  • Ransomware is worth 6 trillion

War

  • Can be test case to see if can get in
  • Goal is to infiltrate infrastructure and essential serices quietly so can manipulate/terminate when need
  • Break supply chain

Attacks

  • Used to wait for vulnerability to be announced and build attack. Now create own.
  • Open source repo attacks – attempts to get malware into source
  • Typosquatting – lookalike domain/dependency with minor typo
  • Build tool attacks – attempts to get malware into tools tat produce dependency
  • Dependency confusion – later version ex ”latest”
  • Designed to stay hidden until needed

General

  • Dependency confusion, typosquatting and malicious code injection increased 650% in 2021
  • New world – state funded, professionally developed, regularly exercised very sophisticated and exeremely lucrative
  • Could even be someone at conference – have to gain the skills

Costs

  • Being out of action
  • Recovery
  • Data loss – data recovery never 100%
  • Human cost – finger pointing, guilty feelings, feeling of being invaded/not trusting security systems
  • Data integrity – can modify/inject data when return

Java

Log4j

  • Still lots of log4j downloads (thru 4/11/22)
  • 36% on a day in April were vulnerable
  • Need right tools – check dependencies, not just your pom or in fat jar
  • Try dependabot
  • Write test cases and see if your tool can find

My take

Good collection of info and supporting data. Wrapped in a compelling story. Security talks are often scary and first conference in a while provided more time for bad things to happen!

[devnexus 2022] typescript for the busy java developer

Speaker: Orlando Valdez

@orlandovaldez_

Link to table of contents

———————

Typescript

  • All JavaScript is legal Typescript
  • Developed/maintained by Microsoft. Other contributors like Google
  • tsc – like javac – transplies to Javascript
  • tsserver – for IDE and editor support language services. Standalone server
  • .ts extension
  • Type analysis system

Installing

  • Install from VS Studio or npm
  • npm install -g typescript

Commands

  • Version: tsc –version
  • Create project: tsc –init (creates tsconfig.json file)

tsconfig.json

  • target – JS language version
  • module – module name
  • rootDir
  • outDir
  • sourceMap – whether to create a source map for emitted JS
  • strict – whether to enable strict type checking. Recommended for new projects. If migrating from JS, can use more fine grained flags as make more typescript like

Notes

  • Can define same class twice.
  • Can create “any” type – discouraged for new projects. Used for migration. Prefer “unknown” type instead. Can’t use until type is known. Ex, casting: x as {a : boolean}
  • null is different than undefined
  • never determines a value is unreachable so can’t use
  • can use linter to follow team standard on semicolons (inconsistent in the talk and notes below)
  • Some unexpected things because valid JavaScript still works
  • If can return null show return type as X | null
  • flow analysis for determining if a type is known
  • Tag/discriminating property – constant literal with same name and unique value across types. Use tag if own object/API

Sample code

class Foo {
  x: String; 
  y: number = 12; // type is optional (can infer based on value)
}

let bar = new Foo()
const a - 40

const arr = ["hi", "hello"]
const tuple = { x: "y"}

function error(message: string | number): never { // never returns
}

if (typeof stringOrNumber === "string") {}

enum Foo {
 Up = "UP";
}

type ID = number // alias - lets use domain language. can use for more complex entities like  a tuple. can be alternative to create a class

type Bird = Animal & { flights: boolean } // intersection

interface Foo {
 name: string
 hi: () -> void /// function that takes nothing and returns void
}

interface Sub extends Foo {} 

interface Foo {  // can add properties to an interface that already exists by redefining it (even if don't have access. can also extend an enum
  color? : String // optional property
  readonly id: number
  status : "new" | "done"
}

type K - string | number | null //union type. can only use if shared properties. otherwise we need type guards (typeof check)

if ('id' in result) // checks if property is defined. also narrows down type so might be able to determine real time and not just that has id

obj.prop
obj['prop'] // don't know type or even if exists

function genericGetProperty<T, K extends keyof T>(obj:T, propName: K) { //keyof returns keys of all props in object. the generic function won't allow you to pass invalid property name. return type is known so variable assigned to is also correct type
  return obj[propName]
}

let str = `Template: ${language} // multiline and interpolations
more``

type messages = // can use to generate all combinations of a parmeterized message
 | "learn X"
 | "learn Y"

My take

This was cool. A lot of info, but easy to follow. It built up in a way that I was able to read the code as more things got added. This was a great session!

[devnexus 2022] hacking the OSS supply changes

Speaker: Stephen Chin

@steveonjava

Link to table of contents

———————

Theme is security with sci fi references

Examples

  • Equifax data breah – from not patching Struts for at least two months
  • Solarwinds – hacked TeamCity instance injected
  • log4shell – zero day in log4j core. Affected almost all systems. Could send class file and having it excecute on the serer
  • spring4shell

Binary repos

  • Which do you trust?
  • npm, pypi, rubygems, maven central
  • Like picking up thumb drive off sidewalk and plugging into your production server

Dependency confusion attack

  • Sci fi – Matrix – agents disguised theselves as other people
  • package mining
  • npm has no security on namespaces
  • Can use same name as a company internal package and give it higher version number
  • If grabing latest version, pull mallicious package
  • When pull from npm, announcing what package you have
  • Artifactory resolves against internal repo first. Protects even if using virtual repo which mixes public and private content

Supply Chain Attacks

  • Sci fi: millinium falcon
  • Assume depedencies built on a clean system
  • Anyone can upoad to pipi
  • About 400 zero day volunerabiities in open source/cloed source/OS, embedded systems, etc
  • Sveder uploaded library to go to his website
  • JFrog scans looking for suspicious Python code behavior
  • noblesse – “optimizes your PC for python” – steals credit card/passwords and sends via dicord
  • pythatoras – supposed to help with calculations but does remote code executio

Namespaces

  • Sci fi: War games
  • Moscow – Russia and Idaho
  • St Petersburg – Russian and Florida
  • azure-core-tracing is proper name. Created core-tracing.
  • NPM took down once repored. At least 218 packages affected.
  • Stole personal data
  • Think bug bounty of test because minimal and not steaing credit cards

Pyrisa

  • Scitfi: Avengers
  • Need automated (IronMan), trustworthy (Black Widow) and dependable (Captain America)
  • trusted binary network – secure by defaut, reliable inimal outages), open
  • peer to peer
  • multi-node verification
  • reproducabe build trust model

Websites

  • research.jfrog.com

My take

I hadn’t heard of all those attacks so learned about the Python ones. The sci fi element was a nice touch. As was the community picture with a ton of people on stage.