2020-028-Shlomi Oberman, RIPPLE20, supply chain security discussion, software bill of materials

Whitepaper: https://www.jsof-tech.com/ripple20/ [blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/ Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing  Agenda: Part 1: Background on the report Why is it called RIPPLE20? What's the RIPPLE about?  Communications with Treck (and it's Japanese counterpart) Were you surprised about the reaction? Positive or negative? Types of systems affected? IoT Embedded systems SCADA What precipitated the research? What difficulties did you face in finding these vulns? Deadlines?  What tools were used for analysis? (I think you mentioned Forescout --brbr) What kind of extensibility are we talking about? TCP sizes?  What did JSOF gain by doing this?  What were the initial benefits of using the TCP/IP stack? Speed? Size? Do these vulns affect other TCP/IP stacks?  Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?  Updates since the report was released? Are your vulns such that they can be detected online? Part 2: Supply chain issues What should companies do when they don't know what's in their own tech stack? https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf   Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible "Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at [email protected]." BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver Vendor Contact How many organizations are affected by these vulnerabilities?  Are some devices and systems more vulnerable than others?  How many are you still investigating to see if they are affected?   What's the initial email look like when you tell a company "you're vulnerable to X"? Who are you dealing with initially? What is your delivery when you're routed to non-technical people? How did you tailor your initial response when you learned of the position of the person? Lessons Learned: What would you have done differently next time? Any additional tooling that you'd have used? BlackHat talk: 05 August What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org? https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/   https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/   http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3 #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec