How you a actually get hacked!

Transcript

1. How You Actually Get Hacked 1 — @benjammingh for PuppetConf

   2016

2. AKA Do you want ants? Because that's how you get

   ants! 2 — @benjammingh for PuppetConf 2016

3. Who's this clown? 2 → Infrastructure security at Etsy. →

   Puppet Labs Operations alumni. → First used Puppet on the 0.26 branch. → Has only been in big trouble with the phone company once. 2 https://twitter.com/skullmandible/status/411281851131523072 3 — @benjammingh for PuppetConf 2016

4. What this talk is about? → Risk and threat modelling.

   → Reality, and infosec's aversion to it. → What to actually focus on, to be more secure, but less hipster. → Security myopia and the best being the enemy of the good. 4 — @benjammingh for PuppetConf 2016

5. What this talk is not about? → Mad 0day. Go

   to Infiltrate → Vendor Sponsorship. (Note however, it is Black Friday soon www.etsy.com) → Me reading out breach reports. → Nessus. 5 — @benjammingh for PuppetConf 2016

6. Mild audience participation warning! 6 — @benjammingh for PuppetConf 2016

7. Google Syndrome Disclaimer! If you are Google/Facebook/BAE Systems/Raytheon/ Any part

   of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you. Also stop listening to funny haired people who work at yarn websites for your security advice! Smash the 1%, eat the rich! 7 — @benjammingh for PuppetConf 2016

8. Threat modelling The who now? 8 — @benjammingh for PuppetConf

   2016

9. H1B fashion model visa. 9 — @benjammingh for PuppetConf 2016

10. Working out who might attack you and how 10 —

    @benjammingh for PuppetConf 2016

11. Evaluating risks and reality (and impact) 11 — @benjammingh for

    PuppetConf 2016

12. Are humans good at evaluating risk? 12 — @benjammingh for

    PuppetConf 2016

13. Have you ever said: "Have a safe flight!" 13 —

    @benjammingh for PuppetConf 2016

14. Has anyone ever said: "Have a safe drive to the

    airport!" 14 — @benjammingh for PuppetConf 2016

15. 15 — @benjammingh for PuppetConf 2016

16. Flying: → An entire spare pilot. → Computer controlled. →

    A spare engine! → 100s of hours training/qualifications. → regular safety checks. 16 — @benjammingh for PuppetConf 2016

17. Taxis → .... → have the strange smelling pine tree

    thing? 17 — @benjammingh for PuppetConf 2016

18. Every statistic says flying is 100x safer 18 — @benjammingh

    for PuppetConf 2016

19. 19 — @benjammingh for PuppetConf 2016

20. Security what is it? 20 — @benjammingh for PuppetConf 2016

21. "The state or condition of being or feeling secure." --

    The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees) 21 — @benjammingh for PuppetConf 2016

22. "Being or feeling secure" 22 — @benjammingh for PuppetConf 2016

23. Secure [from whom?] 23 — @benjammingh for PuppetConf 2016

24. Who are you defending against? → Scripts (mass own wordpress,

    nmap/zmap looking for mongodb/mssql/etc) → Script kiddies (the above, but with a tutorial) → Bug Bounties (hand wave 80% of attacks on your website?) → Red Teams/Pen tests (every... 6 months? maybe?) 24 — @benjammingh for PuppetConf 2016

25. Other attackers? → China!!!111 (though now Russia is in vogue)

    → Hackers in it for the lols (needs no explaination) → Hacktivists (I remain unconvinced these are real → Hacking for profit (not for fun. See China) 25 — @benjammingh for PuppetConf 2016

26. The main ones, ZOMG. → NSA. → now and then

    the FBI → everyone forgets about CSE (and all of Five Eyes) → GCHQ (who seem to have fewer morals..) 26 — @benjammingh for PuppetConf 2016

27. "How to NSA-Proof your Apple iCloud account. – Underground Network"

    "Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder" "NSA-proof your e-mail in 2 hours" "How NSA-Proof Are VPN Service Providers?" 27 — @benjammingh for PuppetConf 2016

28. "An NSA-proof operating system. Yes, for real." "NSA-proof passwords" "NSA-proof

    SSH" "Physicists are building an NSA-proof internet" 28 — @benjammingh for PuppetConf 2016

29. The NSA should probably not be in your threat model.

    29 — @benjammingh for PuppetConf 2016

30. Whaaa? But shouldn't we defend against everyone? 30 — @benjammingh

    for PuppetConf 2016

31. Once you can defend against everyone up to the NSA,

    then try to defend against the NSA. 31 — @benjammingh for PuppetConf 2016

32. *cough* (please infosec, stop this NSA fetishism & security nihilism)

    *cough* 32 — @benjammingh for PuppetConf 2016

33. Which is also again saying Learn to threat model in

    reality. 33 — @benjammingh for PuppetConf 2016

34. Impact! What is the business impact of this breach. 34

    — @benjammingh for PuppetConf 2016

35. Defacement vs. DDoS → If you're a real time trading

    house large DNS provider, DDoS is a really expensive thing, defacement is not as big. → A political party website, DDoS is just annoying, defacement could be huge. 35 — @benjammingh for PuppetConf 2016

36. Mail doxing/spooling → If you're a hacker in the 90s,

    having your mail shared with a 'zine is annoying. → If you're a presidential candidate, your mail being public could endanger an election. 36 — @benjammingh for PuppetConf 2016

37. In just your company → Credit card processing done by

    you or someone else (hi Stripe) → PII or other user data. → Laptop being stolen (please tell me they're encrypted and passworded...) → Annoying people from Lizard Squad on IRC, and suffering a large DDoS. 37 — @benjammingh for PuppetConf 2016

38. Breaches 38 — @benjammingh for PuppetConf 2016

39. 39 — @benjammingh for PuppetConf 2016

40. How do systems get (0wned|compromised| breached) 40 — @benjammingh for

    PuppetConf 2016

41. Well here's how it happened in the 90s. l33t$ cc

    -o humpdee humpdee.c l33t$ ./humpdee 203.0.113.76 Humpdee c0ded by Tekneeq Crew! Local address: 198.51.100.12 Return position: 678 Return address: 0x01423908 Got shell # id uid=0(root) gid=0(root) 41 — @benjammingh for PuppetConf 2016

42. Big thanks to our teal 90s sponsor . . .

    .s$ '$&ty . . .s$$$sss..yssss. $$$' ,&ft,ysp ,sss. ,saaas. ,saaas. .ssuiis ss $$$' d$$',`$$b $$$ .$$f",`$$$P"Y$$b d$V" `$$b d$$' "$$b d$$" `$$$" $$$ $$$sss$$$ $$$$$K. $$$ ;$$$ $$$sss$$& $$$sss$$$ $$$ ,$$$ $$$ .,$$$, .ss $$$ `$$bs. $$$, $$$ $$$' .ss $$$' ,ss.$$$ .,;$$$ "Y$$" `Y$$sd$P",$$$, Y$$B.$$$i. $$$L`Y$bsd$P' `T$bsd$$P `V$baod$$$ `"" `"""""' '"""' """"'"""" """' `""""" `""""' `"""""Y$$ .$$$. . . . . . . . .y$$$b. . 'Y$P' . Y" .' http://www.attrition.org/hosted/tekneeq/ 42 — @benjammingh for PuppetConf 2016

43. (I'm trying to be invited back next year) $shellcode =

    @("shellcodez"/L) \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\ \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\ \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\ \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\ \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\ \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh |-shellcodez madexploit { "humpdee": ensure => shell, targer => '203.0.113.76', shellcode => $shellcode, require => Date['90s'], } 43 — @benjammingh for PuppetConf 2016

44. Timewarp to now! → 99% of servers don't have real

    routable IPs. → TEH CLOUD, NAT, Load balancers, &c. → A few people bought firewalls. → DEP, SEP, Stack cookies, ASLR, GENTOO!!!11 → Hopefully you've patched this vuln from 1997? 44 — @benjammingh for PuppetConf 2016

45. iOS (not IOS, that is somewhat less secure) 45 —

    @benjammingh for PuppetConf 2016

46. Things we know → FBI bought an "exploit" for $1M.

    → Zerodium had a $1M bounty for full remote end to end compromise. → Apple's own bug bounty for certain things in in the $100,000s range. → Maybe someone in your company has one of these iPhone devices? 46 — @benjammingh for PuppetConf 2016

47. ZOMG! an attacker could get a foothold in your network

    for a cool $1m dollars! 47 — @benjammingh for PuppetConf 2016

48. Reality → So for the quick simple payment of $1m

    dollars you're totally getting owned. → if your attacker has $1m spare to spend on just an exploit. → and owning you is worth >$1m. → oh yeah, and there's no cheaper way to do it. 48 — @benjammingh for PuppetConf 2016

49. Reality 2 → Attackers have budgets. → Majority of attacks

    have financial motives. → Defense is about raising those costs. → (whilst still allowing your company to continue to make money) 49 — @benjammingh for PuppetConf 2016

50. Zero day is not your biggest worry. 50 — @benjammingh

    for PuppetConf 2016

51. So how do we fix this? with threat modelling 51

    — @benjammingh for PuppetConf 2016

52. Say you have N months allocated to a security project.

    Which of these will give a better return on your overall security? 52 — @benjammingh for PuppetConf 2016

53. Rolling out the awesome Grsecurity on all your linux servers.

    53 — @benjammingh for PuppetConf 2016

54. Rolling out a password manager to everyone in your organisation.

    54 — @benjammingh for PuppetConf 2016

55. One of these is awesome cool tech, which stops mad

    0day. (and I really love the work of GRSec) 55 — @benjammingh for PuppetConf 2016

56. The other involves talking to people in the company and

    helping them with a password manager. 56 — @benjammingh for PuppetConf 2016

57. Arbitrary pie chart 3D DOUGHNUT CHART! 57 — @benjammingh for

    PuppetConf 2016

58. "The use of stolen, weak or default credentials in breaches

    is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report 58 — @benjammingh for PuppetConf 2016

59. Passwords 59 — @benjammingh for PuppetConf 2016

60. Passwords == keys 60 — @benjammingh for PuppetConf 2016

61. More question time! If you care about lock security, do

    you: → buy cheap crappy keys but replace your locks in your whole house every month? or → buy decent (cough European) locks and not worry about it. 61 — @benjammingh for PuppetConf 2016

62. No one does the former right? (not that many people

    do the latter either, but anyway) 62 — @benjammingh for PuppetConf 2016

63. (also no ones house gets broken in to with lockpicks

    either, but stop poking holes in my analogy) 63 — @benjammingh for PuppetConf 2016

64. 64 — @benjammingh for PuppetConf 2016

65. Which of these is better? → "Password1234oct" or → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

    65 — @benjammingh for PuppetConf 2016

66. Which will be better next month? → "Password1234nov" or →

    "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby" 66 — @benjammingh for PuppetConf 2016

67. You're wrong Ben because reasons → Guessing the first one,

    you can guess the others. → It'll be written down as it changes all the time. → Has much less entropy so they can remember it. → Second one is hashcat proof, the first one is not. 67 — @benjammingh for PuppetConf 2016

68. If you want more than just passwords! Spend money on

    Duo and buy Yubikeys 68 — @benjammingh for PuppetConf 2016

69. Duo → gives you secure second factor over iPhone/ Android

    push notifications. → backup of SMS or phone call. → backup codes too. → more secure than TOTP 2FA. 69 — @benjammingh for PuppetConf 2016

70. Yubikeys == <3 → Tiny USB cryptographic tokens that can

    tie in to Duo to be a second factor. → no more having to find your phone (I know, life is hard...) → Can also generate & store SSH/GPG RSA keys. → Now have U2F/FIDO for, well, Dropbox, GitHub, and Google 70 — @benjammingh for PuppetConf 2016

71. But most importantly... 71 — @benjammingh for PuppetConf 2016

72. STOP MAKING YOUR COLLEAGUES HATE YOU! 72 — @benjammingh for

    PuppetConf 2016

73. Be nicer? Madness At Etsy, we try, really hard, to

    make the security team approachable and friendly! (In spite of hiring me) 73 — @benjammingh for PuppetConf 2016

74. Why do this? (Other than working for a hugging company)

    74 — @benjammingh for PuppetConf 2016

75. 75 — @benjammingh for PuppetConf 2016

76. Phishing This is pretty new, has anyone heard of it?

    76 — @benjammingh for PuppetConf 2016

77. Solving phishing! → Can't be done, despite what Barracuda may

    want to sell you. → 99% of people entering details vs. 9% of people entering details isn't all that helpful. → (But still try to reduce it) 77 — @benjammingh for PuppetConf 2016

78. Solving phishing IR Having people tell the security team when

    a phishy email comes in, even if they've clicked on everything and shared their passwords, is great. 78 — @benjammingh for PuppetConf 2016

79. Not solving phishing IR Having a holier than thou, mad

    leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you. 79 — @benjammingh for PuppetConf 2016

80. Love always finds a way. → If security block everything,

    people will just do it anyway. → "Shadow" teams spin up, and just avoid all your safeguards. → you block all outbound traffic bar the proxy, someone will run corkscrew. 80 — @benjammingh for PuppetConf 2016

81. Security people, be nicer ❤ 81 — @benjammingh for PuppetConf

    2016

82. And now the second half 82 — @benjammingh for PuppetConf

    2016

83. Conclusions → Start from securing from least skilled attacker up,

    not most skilled down. → Be realistic about your threat model. → Whilst its cool to defend against people with bigger budgets. Actually defending is better than trying and failing. 83 — @benjammingh for PuppetConf 2016

84. Conclusions deux → Pick the boring definite wins, not the

    exciting maybe wins. → Yes, you won't get a BlackHat talk out of them, but you will be more secure. → Attackers want to win, Defenders can definitely win if they pick the right fight. 84 — @benjammingh for PuppetConf 2016

85. Thank you → Twidder: @benjammingh → LinkedIn: lnkdin.me/p/benyeah → SpeakerDeck:

    speakerdeck.com/barnbarn → JitHub: github.com/barn → Etsy: Careers --- CodeAsCraft <--- our blog → Fax: pending. 85 — @benjammingh for PuppetConf 2016

86. Wham! 86 — @benjammingh for PuppetConf 2016