Infrastructure security at Etsy — Operations monkey at Puppet Labs — Was once retweeted by William Gibson! — basically, kind of a big deal https://twitter.com/skullmandible/status/411281851131523072

@benjammingh for DevSecCon 2017
history and sadness — Malware reversing and how — 5 minute break — Discovering problems in the first place — Hardening? — Fin
libc/gen/wordexp.c from the Apple FOSS mirror on github (the expansion is done by handing the words to /usr/bin/perl):

    fast */
    /* wordexp is also rife with security "challenges", unless you pass it
       WRDE_NOCMD it *must* support subshell expansion, and even if you don't
       beause it has to support so much of the standard shell (all the odd
       little variable expansion options for example) it is hard to do without
       a subshell).  It is probbably just plan a Bad Idea to call in anything
       setuid, or executing remotely. */
    int wordexp(const char *__restrict__ words, wordexp_t *__restrict__ pwe, int flags) {
        /* cbuf_l's inital value needs to be big enough for 'cmd' plus about 20 chars */
        size_t cbuf_l = 1024;
        char *cbuf = NULL;
        /* Put a NUL byte between each word, and at the end */
        char *cmd = "/usr/bin/perl -e 'print join(chr(0), @ARGV), chr(0)' -- ";
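To watch that subshell actually fire, here is an added example of my own (not code from the talk or from Apple's libc) that calls the C library's wordexp(3) through ctypes, with and without WRDE_NOCMD. It assumes the POSIX wordexp_t layout (three fields, identical in glibc, musl and Apple's libc) and that WRDE_NOCMD is 0x04 (true for all three); the `$(echo pwned)` string is a constructed stand-in for attacker-controlled input. The shlex.split call at the end is the contrast: what callers usually wanted was tokenisation, not shell evaluation.

```python
import ctypes
import ctypes.util
import shlex


# wordexp_t as laid out by glibc, musl and Apple's libc:
#   size_t we_wordc; char **we_wordv; size_t we_offs;
class WordExp(ctypes.Structure):
    _fields_ = [
        ("we_wordc", ctypes.c_size_t),
        ("we_wordv", ctypes.POINTER(ctypes.c_char_p)),
        ("we_offs", ctypes.c_size_t),
    ]


# WRDE_NOCMD is 0x04 in glibc, musl and Apple's wordexp.h (assumption noted above).
WRDE_NOCMD = 0x04


def _load_libc():
    # dlopen(NULL) exposes the process's libc symbols on Linux and macOS;
    # fall back to looking the library up by name if that does not work.
    try:
        lib = ctypes.CDLL(None)
        lib.wordexp
        return lib
    except (OSError, AttributeError):
        return ctypes.CDLL(ctypes.util.find_library("c"))


_libc = _load_libc()
_libc.wordexp.argtypes = [ctypes.c_char_p, ctypes.POINTER(WordExp), ctypes.c_int]
_libc.wordexp.restype = ctypes.c_int
_libc.wordfree.argtypes = [ctypes.POINTER(WordExp)]
_libc.wordfree.restype = None


def expand(words, flags=0):
    """Run libc wordexp() on `words`; return (status, [expanded words]).

    A non-zero status means the library refused the input, e.g. WRDE_CMDSUB
    when WRDE_NOCMD is set and the string contains $(...) or backticks. The
    numeric error codes differ between libcs, so only zero/non-zero is portable.
    """
    we = WordExp()
    rc = _libc.wordexp(words.encode(), ctypes.byref(we), flags)
    if rc != 0:
        return rc, []
    out = [we.we_wordv[i].decode() for i in range(we.we_wordc)]
    _libc.wordfree(ctypes.byref(we))
    return 0, out


def subshell_reachable(flags=0):
    """True if a command substitution in untrusted input gets executed under `flags`."""
    rc, words = expand("$(echo pwned)", flags)  # constructed attacker-style input
    return rc == 0 and words == ["pwned"]


def tokenise_without_evaluating(words):
    """The usual safe substitute: split like a shell would, but never evaluate."""
    return shlex.split(words)


if __name__ == "__main__":
    sample = "$(echo pwned) *.txt"
    print("flags=0          ->", expand(sample))
    print("flags=WRDE_NOCMD ->", expand(sample, WRDE_NOCMD))
    print("shlex.split      ->", tokenise_without_evaluating(sample))
```

With flags=0 the first call returns the word "pwned", proof that a child shell ran; with WRDE_NOCMD the same string is rejected outright. If you pass anything user-controlled to wordexp(3) without WRDE_NOCMD you have handed that user a shell, setuid or not.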
    /Volumes/MacKeeper Installer/MacKeeper.pkg: xar archive version 1, SHA-1 checksum
    [durazac:mc]% xar -x -f /Volumes/MacKeeper\ Installer/MacKeeper.pkg

xar - eXtensible ARchiver
    staff  6344 Oct  4 20:43 Distribution
    drwxr-xr-x   6 ben  staff   192 Oct  4 20:43 LaunchOffer.pkg
    drwxr-xr-x   7 ben  staff   224 Oct  4 20:43 MacKeeper.pkg
    drwxr-xr-x  23 ben  staff   736 Oct  4 20:43 Resources
    drwxr-xr-x   7 ben  staff   224 Oct  4 20:43 comzeobitmackeeper.pkg
    tar zxvf ../Payload
    x .
    [durazac:paidload]% ls -la ../Payload
    -rw-r--r--  1 ben  staff  82 Oct  5 04:43 ../Payload

Wait, there's no payload?
    80 0 May 12 02:42 .
    [durazac:comzeobitmackeeper.pkg]% lsbom Bom
    .	41775	0/80

Wait, so there is no payload, it just runs that super sketch script!?!?
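The walk-through above takes the package apart by hand with xar, tar and lsbom. As an added example of my own (not code from the talk or from Apple), here is a stand-alone Python parser for the two pieces of the xar format that matter for this triage: the 28-byte big-endian header that `file` is reading when it prints "xar archive version 1, SHA-1 checksum", and the zlib-compressed XML table of contents behind it that lists every entry in the archive. `scriptonly_packages` walks that TOC and flags component packages that carry a Scripts archive but no Payload, the shape found above. The sample archive is constructed in code (TOC only, entry names modelled on the listing on the slides; the real installer is not embedded), so the whole thing runs offline; point it at a real .pkg and it reads that instead.

```python
import struct
import sys
import zlib
import xml.etree.ElementTree as ET

# xar header, all fields big-endian: magic "xar!", header size (28), format
# version, compressed TOC length, uncompressed TOC length, checksum algorithm.
XAR_HEADER = struct.Struct(">4sHHQQI")
XAR_MAGIC = b"xar!"
CKSUM_NAMES = {0: "none", 1: "SHA-1", 2: "MD5"}


def parse_header(blob):
    """Decode the fixed header; this is the information `file` reports for a .pkg."""
    if len(blob) < XAR_HEADER.size:
        raise ValueError("too short to be a xar archive")
    magic, hsize, version, toc_c, toc_u, cksum = XAR_HEADER.unpack_from(blob, 0)
    if magic != XAR_MAGIC:
        raise ValueError("bad magic: not a xar archive")
    return {
        "header_size": hsize,
        "version": version,
        "toc_compressed": toc_c,
        "toc_uncompressed": toc_u,
        "checksum": CKSUM_NAMES.get(cksum, "unknown(%d)" % cksum),
    }


def read_toc(blob):
    """Inflate the XML table of contents that sits right after the header."""
    h = parse_header(blob)
    start = h["header_size"]
    xml_bytes = zlib.decompress(blob[start:start + h["toc_compressed"]])
    if len(xml_bytes) != h["toc_uncompressed"]:
        raise ValueError("TOC length does not match header")
    return ET.fromstring(xml_bytes)


def _walk(file_elem, prefix=""):
    # <file> elements nest: a directory's entries are its own <file> children.
    name = file_elem.findtext("name")
    path = prefix + "/" + name if prefix else name
    yield path, file_elem.findtext("type")
    for child in file_elem.findall("file"):
        yield from _walk(child, path)


def list_entries(blob):
    """Return [(path, type), ...] for every entry in the archive."""
    toc = read_toc(blob).find("toc")
    entries = []
    for f in toc.findall("file"):
        entries.extend(_walk(f))
    return entries


def scriptonly_packages(blob):
    """Top-level component packages that ship Scripts but no Payload.

    A component .pkg normally carries the files it installs in Payload; one
    that has only Scripts installs nothing and just runs them as root.
    """
    entries = dict(list_entries(blob))
    flagged = []
    for path, ftype in entries.items():
        if ftype == "directory" and path.endswith(".pkg") and "/" not in path:
            if path + "/Scripts" in entries and path + "/Payload" not in entries:
                flagged.append(path)
    return flagged


def build_sample_xar():
    """Constructed sample (TOC only, no heap data) with the layout of the
    listing above: one component package has a Payload, the other only has
    Scripts. This is not the real installer."""
    toc = (
        b'<?xml version="1.0" encoding="UTF-8"?><xar><toc>'
        b'<checksum style="sha1"><offset>0</offset><size>20</size></checksum>'
        b'<file id="1"><name>Distribution</name><type>file</type></file>'
        b'<file id="2"><name>MacKeeper.pkg</name><type>directory</type>'
        b'<file id="3"><name>Bom</name><type>file</type></file>'
        b'<file id="4"><name>PackageInfo</name><type>file</type></file>'
        b'<file id="5"><name>Payload</name><type>file</type></file>'
        b'</file>'
        b'<file id="6"><name>comzeobitmackeeper.pkg</name><type>directory</type>'
        b'<file id="7"><name>Bom</name><type>file</type></file>'
        b'<file id="8"><name>PackageInfo</name><type>file</type></file>'
        b'<file id="9"><name>Scripts</name><type>file</type></file>'
        b'</file></toc></xar>'
    )
    comp = zlib.compress(toc)
    header = XAR_HEADER.pack(XAR_MAGIC, XAR_HEADER.size, 1, len(comp), len(toc), 1)
    return header + comp + b"\x00" * 20  # 20 bytes where the TOC's SHA-1 would live


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xar()
    print(parse_header(blob))
    for path, ftype in list_entries(blob):
        print("%-9s %s" % (ftype, path))
    print("script-only packages:", scriptonly_packages(blob))
```

The header parse is exactly what `file` shows; the TOC walk replaces the xar/ls/lsbom round trip with one pass, and the Scripts-without-Payload check is the triage rule the slides arrive at by hand.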
my talk on sinkholing from 2014 — If you use OpenDNS (* and you should!) read here — on the cheap (* obviously doesn't scale):

    cat <<EOF | sudo tee -a /etc/hosts && pkill -HUP mDNSResponder
    127.0.0.1 cdn.mackeeper.com event.mackeeper.com mackeeperapp.mackeeper.com
    EOF
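A hosts-file sinkhole is cheap but literal: every name has to be listed exactly, there are no wildcards, and it is easy to get a line subtly wrong. As an added example of my own (not from the talk), here is the block above rendered from a list, plus a small resolver that reads hosts-file text the way the system does (a `#` starts a comment, the first field is the address, every further field is a hostname, first match wins) so you can check what is and is not covered. The three hostnames are the ones on the slide; the subdomain probe is constructed to show the gap.

```python
SINKHOLE = "127.0.0.1"

# Names from the slide above; anything not listed here is not sinkholed.
MACKEEPER_HOSTS = [
    "cdn.mackeeper.com",
    "event.mackeeper.com",
    "mackeeperapp.mackeeper.com",
]


def render_hosts_block(names, address=SINKHOLE, tag="sinkhole"):
    """One line per name, tagged with a comment so the block can be found and
    removed later; names are lower-cased and de-duplicated."""
    seen, lines = set(), []
    for name in names:
        n = name.strip().lower()
        if n and n not in seen:
            seen.add(n)
            lines.append("%s %s # %s" % (address, n, tag))
    return "\n".join(lines) + "\n"


def resolve_via_hosts(name, hosts_text):
    """Return the address the hosts file gives for `name`, or None.

    There is no wildcard matching: an entry for cdn.mackeeper.com says nothing
    about updates.cdn.mackeeper.com, which is why this does not scale to a
    domain with many subdomains (use a resolver-level sinkhole for that).
    """
    want = name.strip().lower().rstrip(".")
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, hostnames = fields[0], fields[1:]
        if want in (h.lower() for h in hostnames):
            return address
    return None


def coverage_report(names_to_check, hosts_text):
    """Map each name to the address it resolves to, or None for a coverage gap."""
    return {n: resolve_via_hosts(n, hosts_text) for n in names_to_check}


if __name__ == "__main__":
    block = render_hosts_block(MACKEEPER_HOSTS)
    print(block)
    # constructed probes: the listed names plus a subdomain the list misses
    print(coverage_report(MACKEEPER_HOSTS + ["updates.cdn.mackeeper.com"], block))
```

Running it prints the block and a report in which the three listed names resolve to 127.0.0.1 and the unlisted subdomain comes back as None. After appending the block to /etc/hosts the slide's `pkill -HUP mDNSResponder` is still needed, since the resolver caches.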
dead now) — OSSEC - Open Source HIDS SECurity

Threaty threats, paid things — Carbon Black Response — Clown Strike - Falcon — Red Canary
tool. A little more invasive, say; by default it dumps browser history.

    /usr/bin/python osxcollector.py

spits out a tarball; inside that are system logs and a JSON report.
(plan9, TOS, Xenix) — open source https://github.com/facebook/osquery/ — has a logo that makes you think of Gravatar
Doorman - OSS tool for doing the same. — Envdb - Looks pretty nice (but I've not used it yet).

These are for fleet deployments; on its own, osquery is just a SQL REPL for your system.
             path like "/Users/%/Library/LaunchAgents/com.%.MacKeeper.Helper.plist"
        ...> OR path like "/Users/%/Documents/MacKeeper Backups"
        ...> OR path = "/Applications/MacKeeper.app" ;
    osquery> select distinct( user ) from logged_in_users;

more fun on a server

    osquery> select * from kernel_extensions where name not like 'com.apple.%';

not amaze on the VM, but good on my laptop
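The queries above are typed at the osqueryi prompt; on a fleet you end up generating them from an indicator list instead. As an added example of my own (not osquery's code or the talk's), here is a small Python helper that turns a list of file-path indicators into the `file` table query shown above (paths containing `%` become `LIKE`, plain paths become `=`, and single quotes are doubled so a hostile indicator cannot break out of the string), runs a query through `osqueryi --json` when osquery is installed, and applies the `kernel_extensions` filter to result rows in Python so the same logic can be tested against constructed rows when osquery is absent. The indicator paths are the ones from the slide; the sample kext rows are constructed and not real output.

```python
import json
import shutil
import subprocess

# File-path indicators from the slide. '%' is the SQL LIKE wildcard; in the
# per-user LaunchAgents path it stands in for the user name.
MACKEEPER_PATH_IOCS = [
    "/Users/%/Library/LaunchAgents/com.%.MacKeeper.Helper.plist",
    "/Users/%/Documents/MacKeeper Backups",
    "/Applications/MacKeeper.app",
]


def sql_quote(value):
    """Quote a string for an osquery (SQLite) literal. Doubling the quote is the
    only escape SQLite understands, so a hostile indicator cannot end the string."""
    return "'" + value.replace("'", "''") + "'"


def file_ioc_query(paths, columns=("path", "uid", "gid", "mtime")):
    """Build the `file` table query: LIKE for wildcard paths, = for exact ones.

    osquery's `file` table needs a path constraint (it does not enumerate the
    disk), which is why every indicator lands in the WHERE clause.
    """
    if not paths:
        raise ValueError("no indicators given")
    clauses = []
    for p in paths:
        op = "LIKE" if "%" in p else "="
        clauses.append("path %s %s" % (op, sql_quote(p)))
    return "SELECT %s FROM file WHERE %s;" % (", ".join(columns), " OR ".join(clauses))


THIRD_PARTY_KEXT_QUERY = (
    "SELECT name, version, path FROM kernel_extensions WHERE name NOT LIKE 'com.apple.%';"
)


def third_party_kexts(rows):
    """The kernel_extensions filter from the slide, applied to result rows so it
    can be exercised without osquery present."""
    return [r for r in rows if not r["name"].lower().startswith("com.apple.")]


def run_osqueryi(sql):
    """Run a query through the local osqueryi binary and parse its JSON output.
    Returns [] when osquery is not installed."""
    exe = shutil.which("osqueryi")
    if exe is None:
        return []
    proc = subprocess.run([exe, "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


# Constructed sample rows shaped like kernel_extensions output (not real data).
SAMPLE_KEXT_ROWS = [
    {"name": "com.apple.driver.AppleHDA", "version": "1.0",
     "path": "/System/Library/Extensions/AppleHDA.kext"},
    {"name": "com.example.vpnclient", "version": "3.2",
     "path": "/Library/Extensions/vpn.kext"},
]


if __name__ == "__main__":
    print(file_ioc_query(MACKEEPER_PATH_IOCS))
    print(THIRD_PARTY_KEXT_QUERY)
    print("sample third-party kexts:", [r["name"] for r in third_party_kexts(SAMPLE_KEXT_ROWS)])
    for row in run_osqueryi(file_ioc_query(MACKEEPER_PATH_IOCS)):
        print("HIT", row)
    for row in third_party_kexts(run_osqueryi(THIRD_PARTY_KEXT_QUERY)):
        print("KEXT", row)
```

On a Mac with osquery installed the last two loops print any indicator hits and any non-Apple kexts; elsewhere they print nothing, and the query-building and filtering can still be checked.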
MaaS offering — Chef/Puppet - needs no introduction — Munki - manage software installs, rather than just have them — Simian - Simian is an enterprise-class Mac OS X software deployment solution, buuuut it's Google — JSS Jamf - Is another alternative, I guess
Malware - Sarah Edwards — When Macs Get Hacked - Sarah Edwards — Hipster DFIR on OSX - Scott J. Roberts — Syscall Auditing at scale - Ryan Huber — Tracking a stolen code-signing certificate with osquery - Mike Myers — Methods of Malware Persistence - Patrick Wardle