
How you actually get hacked!

Bea Hughes
October 22, 2016


Talk on threat modelling and reality for PuppetConf 2016 in San Diego.

(An ever so slightly shorter version of this was presented at Bsides Toronto too)

Puppet Conf video https://www.youtube.com/watch?v=XlgHZIjz5eQ


Transcript

  1. How You Actually Get Hacked
    1 — @benjammingh for PuppetConf 2016


  2. AKA Do you want ants?
    Because that's how you get ants!

  3. Who's this clown? 2
    → Infrastructure security at Etsy.
    → Puppet Labs Operations alumni.
    → First used Puppet on the 0.26 branch.
    → Has only been in big trouble with the phone
    company once.
    2 https://twitter.com/skullmandible/status/411281851131523072

  4. What this talk is about?
    → Risk and threat modelling.
    → Reality, and infosec's aversion to it.
    → What to actually focus on, to be more secure, but
    less hipster.
    → Security myopia and the best being the enemy of
    the good.

  5. What this talk is not about?
    → Mad 0day. Go to Infiltrate
    → Vendor Sponsorship. (Note however, it is Black
    Friday soon www.etsy.com)
    → Me reading out breach reports.
    → Nessus.

  6. Mild audience
    participation
    warning!

  7. Google Syndrome Disclaimer!
    If you are Google/Facebook/BAE Systems/Raytheon/
    Any part of Five Eyes/OPM, this hopefully and
    somewhat obviously does not apply to you.
    Also stop listening to funny haired people who work
    at yarn websites for your security advice!
    Smash the 1%, eat the rich!

  8. Threat
    modelling
    The who now?

  9. H1B fashion
    model visa.

  10. Working out who might
    attack you and how

  11. Evaluating risks and
    reality
    (and impact)

  12. Are humans good at
    evaluating risk?

  13. Have you ever said:
    "Have a safe flight!"

  14. Has anyone ever said:
    "Have a safe drive to the
    airport!"

  15. 15 — @benjammingh for PuppetConf 2016


  16. Flying:
    → An entire spare pilot.
    → Computer controlled.
    → A spare engine!
    → 100s of hours training/qualifications.
    → regular safety checks.

  17. Taxis
    → ....
    → have the strange smelling pine tree thing?

  18. Every statistic says flying
    is 100x safer

  19. 19 — @benjammingh for PuppetConf 2016


  20. Security
    what is it?

  21. "The state or condition of being or feeling secure."
    -- The Oxford English Dictionary (as HRH Queen
    Elizabeth the Second decrees)

  22. "Being or feeling secure"

  23. Secure [from whom?]

  24. Who are you defending against?
    → Scripts (mass own wordpress, nmap/zmap looking
    for mongodb/mssql/etc)
    → Script kiddies (the above, but with a tutorial)
    → Bug Bounties (hand wave 80% of attacks on your
    website?)
    → Red Teams/Pen tests (every... 6 months? maybe?)

  25. Other attackers?
    → China!!!111 (though now Russia is in vogue)
    → Hackers in it for the lols (needs no explanation)
    → Hacktivists (I remain unconvinced these are real)
    → Hacking for profit (not for fun. See China)

  26. The main ones, ZOMG.
    → NSA.
    → now and then the FBI
    → everyone forgets about CSE (and all of Five Eyes)
    → GCHQ (who seem to have fewer morals..)

  27. "How to NSA-Proof your Apple iCloud account. –
    Underground Network"
    "Blackphone 2: 'NSA Proof' Android Phone For
    Privacy Seekers Now Available For Preorder"
    "NSA-proof your e-mail in 2 hours"
    "How NSA-Proof Are VPN Service Providers?"

  28. "An NSA-proof operating system. Yes, for real."
    "NSA-proof passwords"
    "NSA-proof SSH"
    "Physicists are building an NSA-proof internet"

  29. The NSA should probably
    not be in your threat model.

  30. Whaaa?
    But shouldn't we defend against everyone?

  31. Once you can defend
    against everyone up to
    the NSA,
    then try to defend
    against the NSA.

  32. *cough*
    (please infosec, stop this NSA fetishism &
    security nihilism)
    *cough*

  33. Which is also again saying
    Learn to threat model in reality.

  34. Impact!
    What is the business
    impact of this breach.

  35. Defacement vs. DDoS
    → If you're a real time trading house or a large DNS
    provider, DDoS is a really expensive thing,
    defacement is not as big.
    → A political party website, DDoS is just annoying,
    defacement could be huge.

  36. Mail doxing/spooling
    → If you're a hacker in the 90s, having your mail
    shared with a 'zine is annoying.
    → If you're a presidential candidate, your mail being
    public could endanger an election.

  37. In just your company
    → Credit card processing done by you or someone
    else (hi Stripe)
    → PII or other user data.
    → Laptop being stolen (please tell me they're
    encrypted and passworded...)
    → Annoying people from Lizard Squad on IRC, and
    suffering a large DDoS.

  38. Breaches

  39. 39 — @benjammingh for PuppetConf 2016


  40. How do systems get
    (0wned|compromised|
    breached)

  41. Well here's how it happened in the 90s.
    l33t$ cc -o humpdee humpdee.c
    l33t$ ./humpdee 203.0.113.76
    Humpdee c0ded by Tekneeq Crew!
    Local address: 198.51.100.12
    Return position: 678
    Return address: 0x01423908
    Got shell
    # id
    uid=0(root) gid=0(root)

  42. Big thanks to our teal 90s sponsor
    .
    . .
    .s$ '$&ty . .
    .s$$$sss..yssss. $$$' ,&ft,ysp ,sss. ,saaas. ,saaas. .ssuiis ss
    $$$' d$$',`$$b $$$ .$$f",`$$$P"Y$$b d$V" `$$b d$$' "$$b d$$" `$$$"
    $$$ $$$sss$$$ $$$$$K. $$$ ;$$$ $$$sss$$& $$$sss$$$ $$$ ,$$$
    $$$ .,$$$, .ss $$$ `$$bs. $$$, $$$ $$$' .ss $$$' ,ss.$$$ .,;$$$
    "Y$$" `Y$$sd$P",$$$, Y$$B.$$$i. $$$L`Y$bsd$P' `T$bsd$$P `V$baod$$$
    `"" `"""""' '"""' """"'"""" """' `""""" `""""' `"""""Y$$
    .$$$.
    . . . . . . . .y$$$b. .
    'Y$P'
    . Y"
    .'
    http://www.attrition.org/hosted/tekneeq/

  43. (I'm trying to be invited back next year)
    $shellcode = @("shellcodez"/L)
    \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\
    \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\
    \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\
    \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\
    \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\
    \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
    |-shellcodez
    madexploit { "humpdee":
    ensure => shell,
    targer => '203.0.113.76',
    shellcode => $shellcode,
    require => Date['90s'],
    }

  44. Timewarp to now!
    → 99% of servers don't have real routable IPs.
    → TEH CLOUD, NAT, Load balancers, &c.
    → A few people bought firewalls.
    → DEP, SEP, Stack cookies, ASLR, GENTOO!!!11
    → Hopefully you've patched this vuln from 1997?

  45. iOS
    (not IOS, that is somewhat less secure)

  46. Things we know
    → FBI bought an "exploit" for $1M.
    → Zerodium had a $1M bounty for full remote end to
    end compromise.
    → Apple's own bug bounty for certain things is in
    the $100,000s range.
    → Maybe someone in your company has one of
    these iPhone devices?

  47. ZOMG!
    an attacker could get a foothold in your
    network for a cool $1m dollars!

  48. Reality
    → So for the quick simple payment of $1m dollars
    you're totally getting owned.
    → if your attacker has $1m spare to spend on just an
    exploit.
    → and owning you is worth >$1m.
    → oh yeah, and there's no cheaper way to do it.

  49. Reality 2
    → Attackers have budgets.
    → Majority of attacks have financial motives.
    → Defense is about raising those costs.
    → (whilst still allowing your company to continue to
    make money)

  50. Zero day is not
    your biggest worry.

  51. So how do we
    fix this?
    with threat modelling

  52. Say you have N months allocated to a
    security project.
    Which of these will give a better return on
    your overall security?

  53. Rolling out the awesome
    Grsecurity on all your
    linux servers.

  54. Rolling out a password
    manager to everyone in
    your organisation.

  55. One of these is awesome
    cool tech, which stops
    mad 0day.
    (and I really love the work of GRSec)

  56. The other involves
    talking to people in the
    company and helping
    them with a password
    manager.

  57. Arbitrary pie chart 3D DOUGHNUT CHART!

  58. "The use of stolen, weak or default credentials in
    breaches is not new, is not bleeding edge, is not
    glamorous, but boy howdy it works"
    - Verizon 2016 Data Breach Investigations Report

  59. Passwords

  60. Passwords == keys

  61. More question time!
    If you care about lock security, do you:
    → buy cheap crappy keys but replace your locks in
    your whole house every month?
    or
    → buy decent (cough European) locks and not worry
    about it.

  62. No one does the former
    right?
    (not that many people do the latter either, but anyway)

  63. (also no one's house gets broken into with
    lockpicks either, but stop poking holes in
    my analogy)

  64. 64 — @benjammingh for PuppetConf 2016


  65. Which of these is better?
    → "Password1234oct"
    or
    → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

  66. Which will be better next month?
    → "Password1234nov"
    or
    → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

  67. You're wrong Ben because reasons
    → Guessing the first one, you can guess the others.
    → It'll be written down as it changes all the time.
    → Has much less entropy so they can remember it.
    → Second one is hashcat proof, the first one is not.
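Slides 65 to 67 are exactly what a password-policy check should encode: a character-class entropy count makes "Password1234oct" look respectable, while an attacker who knows the word + digits + month habit needs only a handful of guesses, and next month's "Password1234nov" is a free guess once the first one is known. The following is an added example, not code from the talk or from Etsy; it scores a candidate both ways and rejects a trivial rotation of the previous password. The word list, digit sequences and the 40-bit threshold are constructed placeholders (a real checker would load a cracking dictionary), and the rotation check is a general heuristic that also catches trailing years and punctuation, not just month names.

```python
import math
import re
from typing import Optional

# Constructed toy inputs standing in for real wordlists (assumption: a production
# checker would load a proper cracking dictionary instead of these few entries).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "puppet", "etsy"}
DIGIT_SEQUENCES = {"1", "12", "123", "1234", "12345", "123456", "2016", "0000", "1111"}
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec")
MIN_BITS = 40.0  # assumed policy threshold, not a value from the talk

# word + optional digit run + optional month abbreviation: the shape of "Password1234oct"
WORD_DIGITS_MONTH = re.compile(r"^([A-Za-z]+?)(\d*)(" + "|".join(MONTHS) + r")?$", re.IGNORECASE)
# trailing tokens people typically bump on each forced rotation
ROTATING_SUFFIX = re.compile(r"(?:\d+|" + "|".join(MONTHS) + r"|[^A-Za-z0-9]+)$", re.IGNORECASE)


def naive_entropy_bits(pw: str) -> float:
    """Character-class estimate: log2(pool) per character. Overstates structured passwords."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_entropy_bits(pw: str) -> float:
    """Estimate against an attacker who knows the word + digits + month habit.

    Each component is charged for the number of choices it really had, not for
    the characters it occupies. Falls back to the naive count when the password
    does not fit the pattern at all.
    """
    m = WORD_DIGITS_MONTH.match(pw)
    if not m:
        return naive_entropy_bits(pw)
    word, digits, month = m.groups()
    bits = 0.0
    if word.lower() in COMMON_WORDS:
        bits += math.log2(len(COMMON_WORDS))  # one pick from the list
        bits += 1.0 if word != word.lower() else 0.0  # capitalised variant or not
    else:
        bits += len(word) * math.log2(52 if word != word.lower() else 26)
    if digits:
        if digits in DIGIT_SEQUENCES:
            bits += math.log2(len(DIGIT_SEQUENCES))
        else:
            bits += len(digits) * math.log2(10)
    if month:
        bits += math.log2(len(MONTHS))
    return bits


def rotation_core(pw: str) -> str:
    """Strip the rotating tail (digits, month names, punctuation) repeatedly, then lowercase."""
    previous = None
    while previous != pw:
        previous = pw
        pw = ROTATING_SUFFIX.sub("", pw)
    return pw.lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` differs from `old` only in its rotating tail (e.g. oct -> nov)."""
    return old != new and rotation_core(old) == rotation_core(new)


def evaluate(new: str, previous: Optional[str] = None) -> dict:
    """Policy decision for a proposed password, returned together with its evidence."""
    naive = naive_entropy_bits(new)
    pattern = pattern_entropy_bits(new)
    rotation = previous is not None and is_trivial_rotation(previous, new)
    return {
        "naive_bits": round(naive, 1),
        "pattern_bits": round(pattern, 1),
        "rotation_of_previous": rotation,
        "accept": pattern >= MIN_BITS and not rotation,
    }


if __name__ == "__main__":
    # The two candidates from slides 65 and 66, with slide 66's rotation of the first.
    for candidate, old in (("Password1234nov", "Password1234oct"),
                           ("ainwobchiFatodFeb0WrorckyishroocsyacIsAfby", None)):
        print(candidate, evaluate(candidate, old))
```

The naive count gives the short password close to 90 bits and the long one about 250; the pattern-aware count drops the short one to roughly 11 bits, which is the number that matters against hashcat with a rule set, and the rotation check rejects "Password1234nov" outright when "Password1234oct" is on file. Storing a salted hash of the previous password's rotation core, rather than the password itself, is enough to run that check.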

  68. If you want more than
    just passwords!
    Spend money on Duo and buy Yubikeys

  69. Duo
    → gives you secure second factor over iPhone/
    Android push notifications.
    → backup of SMS or phone call.
    → backup codes too.
    → more secure than TOTP 2FA.

  70. Yubikeys == <3
    → Tiny USB cryptographic tokens that can tie in to
    Duo to be a second factor.
    → no more having to find your phone (I know, life is
    hard...)
    → Can also generate & store SSH/GPG RSA keys.
    → Now have U2F/FIDO for, well, Dropbox, GitHub, and
    Google

  71. But most
    importantly...

  72. STOP MAKING YOUR
    COLLEAGUES HATE YOU!

  73. Be nicer? Madness
    At Etsy, we try, really hard, to make the security team
    approachable and friendly!
    (In spite of hiring me)

  74. Why do this?
    (Other than working for a hugging
    company)

  75. 75 — @benjammingh for PuppetConf 2016


  76. Phishing
    This is pretty new, has anyone heard of it?

  77. Solving phishing!
    → Can't be done, despite what Barracuda may want
    to sell you.
    → 99% of people entering details vs. 9% of people
    entering details isn't all that helpful.
    → (But still try to reduce it)

  78. Solving phishing IR
    Having people tell the security team when a phishy
    email comes in, even if they've clicked on everything
    and shared their passwords, is great.

  79. Not solving phishing IR
    Having a holier than thou, mad leet security team
    who talk down to people when they report a
    phishing email.
    That will be the last time they bother to report
    anything to you.

  80. Love always finds a way.
    → If security block everything, people will just do it
    anyway.
    → "Shadow" teams spin up, and just avoid all your
    safeguards.
    → you block all outbound traffic bar the proxy,
    someone will run corkscrew.

  81. Security
    people, be
    nicer ❤

  82. And now the
    second half

  83. Conclusions
    → Start from securing from least skilled attacker up,
    not most skilled down.
    → Be realistic about your threat model.
    → Whilst it's cool to defend against people with
    bigger budgets, actually defending is better than
    trying and failing.

  84. Conclusions deux
    → Pick the boring definite wins, not the exciting
    maybe wins.
    → Yes, you won't get a BlackHat talk out of them, but
    you will be more secure.
    → Attackers want to win, Defenders can definitely
    win if they pick the right fight.

  85. Thank you
    → Twidder: @benjammingh
    → LinkedIn: lnkdin.me/p/benyeah
    → SpeakerDeck: speakerdeck.com/barnbarn
    → JitHub: github.com/barn
    → Etsy: Careers --- CodeAsCraft <--- our blog
    → Fax: pending.

  86. Wham!