DeepSec 2021 Talk: Web Cache Tunneling – Justin Ohneiser
By using cache poisoning to store arbitrary data, we can use public web caches as open ephemeral storage to facilitate anonymous and evasive communication between network clients.
We asked Justin a few more questions about his talk.
Please tell us the top facts about your talk.
Public web caches, when improperly configured, can be used as open ephemeral storage. Combined with a synchronization technique, this ephemeral storage can be used to tunnel arbitrary data between network clients. Tunneling data in this manner requires no listening service, as all endpoints behave as clients to the web cache server, allowing trivial use of anonymizing protocols. The conditions for this technique are present on several extremely popular websites, and the use of this technique by malware could make network detection nearly impossible.
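The primitive described above, as an added example that is not code from the talk or the speaker: an in-memory simulation of a shared cache whose origin reflects an unkeyed request header (X-Forwarded-Host) into the response body, the classic cache-poisoning precondition. A sender poisons one cache entry per chunk (`/drop?seq=N`), a receiver polls the same URLs as an ordinary client, and neither side ever listens on a port. The cache, origin, header, the `drop.example` suffix, the 30-second TTL and the per-sequence-number slot scheme are all assumptions of this example, not a description of any real site or of the synchronization technique from the talk. It also shows the failure mode a practitioner would hit first: if the receiver polls a slot before it is written, the benign response is cached and the sender's write is silently dropped until that entry expires. The two hardening options are keying the cache on the header, or not reflecting it at all.

```python
"""Simulated web-cache dead drop (added example; not code from the talk).

Assumptions, labelled as such (no real site or product is modelled):
- the origin reflects the unkeyed request header X-Forwarded-Host into its
  response body, the precondition for classic web cache poisoning;
- the shared cache keys entries on (method, host, path+query) only, so the
  reflected value is stored and served to every later client of that URL;
- one cache entry per chunk: the sender poisons /drop?seq=N with chunk N,
  the receiver polls /drop?seq=0,1,2,... until an "end" marker.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    host: str
    target: str       # path plus query string
    headers: dict


@dataclass
class Response:
    body: str
    max_age: int      # seconds the cache may serve this entry


class Origin:
    """Origin that builds an absolute URL from a header the cache does not key on."""

    def __init__(self, reflect_unkeyed_header: bool = True):
        self.reflect = reflect_unkeyed_header

    def handle(self, req: Request) -> Response:
        host = req.host
        if self.reflect:                                   # the vulnerable behaviour
            host = req.headers.get("X-Forwarded-Host", req.host)
        return Response(f'<script src="https://{host}/static/app.js"></script>', max_age=30)


class Cache:
    """Shared cache; `key_headers` lists request headers included in the cache key."""

    def __init__(self, origin: Origin, key_headers=()):
        self.origin, self.key_headers, self.store = origin, tuple(key_headers), {}

    def fetch(self, req: Request, now: float) -> Response:
        key = (req.method, req.host, req.target) + tuple(
            req.headers.get(h, "") for h in self.key_headers)
        entry = self.store.get(key)
        if entry is not None and entry[1] > now:          # fresh hit: origin never sees the request
            return entry[0]
        resp = self.origin.handle(req)                    # miss or expired: refill from origin
        self.store[key] = (resp, now + resp.max_age)
        return resp


CHUNK = 30                      # 30 bytes -> 48 base32 chars, a valid DNS label
DROP_DOMAIN = "drop.example"    # hypothetical suffix so the reflected value stays a hostname
HOST_RE = re.compile(r'src="https://([^/"]+)/')


def encode_chunk(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=").lower()


def decode_chunk(label: str) -> bytes:
    return base64.b32decode(label.upper() + "=" * (-len(label) % 8))


def send(cache: Cache, msg: bytes, now: float, host: str = "victim.example") -> int:
    """Poison one cache slot per chunk plus an end marker; return slots confirmed poisoned."""
    # "end" is never a base32 chunk (3-char outputs do not occur), so it is unambiguous.
    labels = [encode_chunk(msg[i:i + CHUNK]) for i in range(0, len(msg), CHUNK)] + ["end"]
    confirmed = 0
    for seq, label in enumerate(labels):
        req = Request("GET", host, f"/drop?seq={seq}",
                      {"X-Forwarded-Host": f"{label}.{DROP_DOMAIN}"})
        # What the cache hands back is what every later client gets, so the sender
        # can verify its write without any listener of its own. A fresh benign entry
        # (e.g. a receiver polled too early) means the write was silently dropped.
        if f"{label}.{DROP_DOMAIN}" in cache.fetch(req, now).body:
            confirmed += 1
    return confirmed


def receive(cache: Cache, now: float, host: str = "victim.example", max_seq: int = 64):
    """Read slots in order; None means a slot was not (or is no longer) poisoned."""
    out = bytearray()
    for seq in range(max_seq):
        req = Request("GET", host, f"/drop?seq={seq}", {})   # plain client request
        reflected = HOST_RE.search(cache.fetch(req, now).body).group(1)
        if not reflected.endswith("." + DROP_DOMAIN):
            return None            # benign content: unwritten, expired or clobbered slot
        label = reflected[: -len(DROP_DOMAIN) - 1]
        if label == "end":
            return bytes(out)
        out += decode_chunk(label)
    return None


if __name__ == "__main__":
    cache = Cache(Origin())
    send(cache, b"beacon: host=ws17 user=jdoe", now=0)
    print(receive(cache, now=1))   # the receiver gets the message through the cache alone
```

Two details worth noticing when running it. First, the sender gets write confirmation for free: because the cache returns the entry it just stored, the sender sees its own reflected value and needs no listening service at all. Second, ordering matters: a receiver that polls a slot before it is written caches the benign response and locks the sender out until `max_age` elapses, which is why a real channel needs a synchronization scheme on top of the storage primitive. With `Cache(Origin(), key_headers=("X-Forwarded-Host",))` the sender still sees its own reflection but plain clients hit a different key, and with `Origin(reflect_unkeyed_header=False)` nothing attacker-controlled reaches the cache at all.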
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I was trying to imagine a way to build malware that couldn’t possibly be traced back to the operator, without relying on creating an alternate persona. I came across James Kettle’s talk on Practical Web Cache Poisoning and realized this alternative potential immediately. It certainly isn’t a perfect solution, but it’s something websites should consider eliminating and defenders should be on the lookout for.
Why do you think this is an important topic?
I think cybersecurity should be about more than hardening defenses, since an attacker will always find a way in. Techniques like this make detecting and stopping a successful attacker significantly more difficult, so we need to illuminate and eliminate them early and often.
Is there something you want everybody to know – some expert advice for our readers, maybe?
Stealthy malware doesn’t need a steady data stream, it will do just fine on slow intermittent bursts, so there is a lot of room for creative tunneling. Anything on the internet that holds on to arbitrary data for even a short period, like web caches, might be used for command-and-control.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I predict that as detections grow more experienced, stealthy malware will increasingly hide in plain sight, and command-and-control will look more like an intelligence officer handling a human asset, as direct connections are replaced with obscure signals and dead drops.
Justin Ohneiser, following a Bachelor's Degree in Mechanical Engineering from the University of Maryland, worked in various roles in enterprise software development and computer forensics before spending the last 4 years at Booz Allen Hamilton bringing clients an offensive perspective on information security.