Handmade & knitted security at Etsy

Bea Hughes
November 22, 2014

Bsides Toronto November 2014.

If you've seen the Berlin one, this is pretty much the same, but with a few more slides and newer cat pictures.

Video at https://www.youtube.com/watch?v=2W4r7RpTw30

Transcript

  1. Click to Edith

  2. Ben Hughes, Etsy, @benjammingh. Pwning all the Internet of things for fun and profit

  3. @benjammingh Handmade & knitted security at Etsy • I work at Etsy, yes that Etsy. • Yes we have a seemingly large security team. • We do “some” web stuff. Have “some” servers.

  4. Intro (we’re here) • Users/laptops/the two people with “workstations”. • Servers/systems. • Data - that small topic. • Conclusions

  5. The landscape has changed. https://www.flickr.com/photos/andraspasztor

  6. The landscape has changed. https://www.flickr.com/photos/andraspasztor

  7. Securing laptops (and users)

  8. None

  9. What?! That’s an advert! A paid advert! For “TextWrangler”?!

  10. Sink holes!

  11. None

  12. IPv6 (trust me, this time it’s really gonna happen!)

  13. • http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/ • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html • http://resources.infosecinstitute.com/slaac-attack/ • https://github.com/Neohapsis/suddensix

  14. • Oprah says “And you get an IDS….” • On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS. • PF example: pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

  15. Servers! https://www.flickr.com/photos/stalker_cz/ (genuine Etsy data centre!)

  16. Patching…

  17. https://twitter.com/TimDenike/status/162973991034826752

  18. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

  19. None

  20. Uptime security solutions!

  21. Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/

  22. Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php

  23. Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php • Ksplice - https://www.ksplice.com/ scariest fix ever.

  24. None

  25. None

  26. REBOOTING

  27. Realities of the situation: • There will always be un-patched machines.

  28. Realities of the situation: • There will always be un-patched machines. • Breaches will occur.

  29. Realities of the situation: • There will always be un-patched machines. • Breaches will occur. • Knowing they happened is much better than not knowing.

  30. None

  31. • Linux kernel auditd events. • http://people.redhat.com/sgrubb/audit/ (driest page ever) • Mangled with some python because auditd is awful. • (will open source this, once the bugs are out. Pinkie swear) • Use Mozilla’s https://github.com/gdestuynder/audisp-cef • Pay https://www.threatstack.com/ if you “Cloud”. • Throw in ELK/syslog/giant file to grep through.

  32. More awesome auditd stuff purely for people downloading the slides: • http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ • http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown • http://www.slideshare.net/MarkEllzeyThomas/audit-34493671
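An added example, not the deck's own script (which slide 31 says was still unreleased), of the kind of Python "mangling" it describes: it folds the multi-line raw audit.log records that share a serial into one flat event, decodes the hex-encoded EXECVE arguments, and maps the unset auid sentinel to None. The two sample events are constructed.

```python
import re
# Added example, not the deck's (unreleased) script. Raw audit.log lines look like
#   type=<TYPE> msg=audit(<secs>.<ms>:<serial>): k=v k="quoted" ...  (same serial = one event)
_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # auid=-1 as u32: no login session (daemons, cron, boot)

def _value(raw):
    if raw.startswith('"'):
        return raw[1:-1]
    return None if raw == '(null)' else int(raw) if raw.isdigit() else raw

def parse_record(line):
    """One audit line -> (type, timestamp, serial, fields); None if it is not an audit record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    def conv(key, raw):  # EXECVE argv entries with spaces/odd bytes arrive hex-encoded, unquoted
        if rtype == 'EXECVE' and re.fullmatch(r'a\d+', key) and not raw.startswith('"'):
            return bytes.fromhex(raw).decode('utf-8', 'replace')
        return _value(raw)
    return rtype, float(ts), int(serial), {k: conv(k, v) for k, v in _FIELD.findall(body)}

def events_from_lines(lines):
    """Fold the SYSCALL/EXECVE records sharing a serial into one flat, grep-friendly event."""
    pending, done = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        ev = pending.setdefault(serial, {'serial': serial, 'ts': ts, 'argv': []})
        if rtype == 'SYSCALL':
            ev.update(key=f.get('key'), exe=f.get('exe'), comm=f.get('comm'), uid=f.get('uid'),
                      success=f.get('success') == 'yes', auid=None if f.get('auid') == AUID_UNSET else f.get('auid'))
        elif rtype == 'EXECVE':
            ev['argv'] = [f.get('a%d' % i, '') for i in range(f.get('argc', 0))]
        elif rtype == 'EOE':  # end of event: emit it
            done.append(pending.pop(serial))
    return done + list(pending.values())  # plus events still open at end of input

# Constructed sample: useradd from a login session (with EOE), then httpd denied on /etc/shadow.
SAMPLE = """\
type=SYSCALL msg=audit(1416700000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=1c2d a2=1e2f a3=0 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="user_mgmt"
type=EXECVE msg=audit(1416700000.123:4567): argc=4 a0="useradd" a1="-c" a2=6E6577206775792031 a3="bob"
type=EOE msg=audit(1416700000.123:4567):
type=SYSCALL msg=audit(1416700042.500:4570): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="shadow_read"
"""
```

USER_* records (whose body is a single quoted msg='...' block) are only parsed as far as the outer fields; the flat events are what you would ship to ELK/syslog or the giant file to grep through.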
  33. Data https://www.flickr.com/photos/jdhancock

  34. Backups

  35. Backups • Don’t ship your DB backups off unencrypted. • Don’t use symmetric encryption, because the key will live with the backup (probably).

  36. Canaries

  37. “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.

  38. “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic.

  39. “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic. • Load Balancer Canary
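An added example, not Etsy's code, of the “animal sentinel” idea from slides 37 to 39: plant obviously fake records that carry a per-store HMAC-derived token, generate the IDS content rules that fire when a token is seen leaving the network, and scan logs for the same tokens where the IDS cannot match (inside TLS). SECRET, the store names and the log lines are constructed for the example.

```python
import hmac, hashlib

# Added example, not Etsy's code. A canary is a fake record whose values carry a per-store
# token; that token showing up on the wire or in a log means the store's data went somewhere
# it should not. SECRET is a hypothetical key kept with the IDS, never inside the data store.
SECRET = b'rotate-me-and-keep-me-out-of-the-database'

def canary_token(store, secret=SECRET):
    """Reproducible per-store token: the IDS can regenerate the whole list without a lookup table."""
    return hmac.new(secret, store.encode(), hashlib.sha256).hexdigest()[:12]

def canary_record(store, secret=SECRET):
    """An obviously fake row to plant in <store>; every field embeds the same token."""
    t = canary_token(store, secret)
    return {'name': 'Canary %s' % t, 'email': 'canary-%s@example.invalid' % t, 'note': 'canary:%s' % t}

def ids_rules(stores, base_sid=9000000, secret=SECRET):
    """One Suricata/Snort content rule per store, alerting when its token leaves the network."""
    rules = []
    for n, store in enumerate(sorted(stores)):
        rules.append('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"canary from %s seen outbound"; '
                     'content:"%s"; nocase; sid:%d; rev:1;)' % (store, canary_token(store, secret), base_sid + n))
    return rules

def scan(lines, stores, secret=SECRET):
    """Log-side fallback (proxy/app logs, where the IDS cannot see into TLS): (store, line) per hit."""
    tokens = {canary_token(s, secret): s for s in stores}
    return [(store, line) for line in lines for t, store in tokens.items() if t in line.lower()]

# Constructed sample: a proxy log where one request body carries the users_db canary e-mail.
STORES = ['users_db', 'orders_db']
SAMPLE_LOG = [
    'proxy 10.1.2.3 -> 203.0.113.9 POST /upload 200 body=' + canary_record('users_db')['email'],
    'proxy 10.1.2.4 -> 198.51.100.7 GET /index.html 200',
    'smtp relay to=alice@example.com status=sent',
]
```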
  40. To Conclude

  41. Conclusions • Laptops/users trust the environment. This isn’t always good.

  42. Conclusions • Laptops/users trust the environment. This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel.

  43. Conclusions • Laptops/users trust the environment. This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel. • Be careful with data. Help it be careful with you.

  44. You’re all hiring, everyone is hiring.