Trust is an implicit requirement of doing business. At some point, we must trust employees, peers, and technology to a degree. The lack of proper management or understanding of these various trust relationships is a leading cause of security exposure. This talk will cover the analysis and exploitation of the trust relationships between code, platforms, developers, and their parent organization. We will look at the software development life cycle and how it can be actively exploited to attack, evade defenses, and ultimately own a target organization.
To support our discussion of attacking trust relationships, we will also be presenting GitPwnd, a tool to aid network penetration testers in compromising machines and spreading control within development-heavy environments. These environments tend to have heavily segmented networks and extensive logging and monitoring. Defensive tools often look for process activity and timing that differs from normal user behavior. GitPwnd evades these defenses by inserting itself into common development workflows. We’ll describe GitPwnd’s architecture, implementation choices to evade detection, and we’ll conclude with a demo of GitPwnd spreading across trust zones in a segmented network.