How you actually get hacked!

Bea Hughes
October 22, 2016

Talk on threat modelling and reality for PuppetConf 2016 in San Diego.

(An ever so slightly shorter version of this was presented at Bsides Toronto too)

Puppet Conf video https://www.youtube.com/watch?v=XlgHZIjz5eQ

Transcript

  1. How You Actually Get Hacked — @benjammingh for PuppetConf 2016
  2. AKA Do you want ants? Because that's how you get ants!
  3. Who's this clown? → Infrastructure security at Etsy. → Puppet Labs Operations alumni. → First used Puppet on the 0.26 branch. → Has only been in big trouble with the phone company once. (https://twitter.com/skullmandible/status/411281851131523072)
  4. What is this talk about? → Risk and threat modelling. → Reality, and infosec's aversion to it. → What to actually focus on to be more secure, but less hipster. → Security myopia, and the best being the enemy of the good.
  5. What is this talk not about? → Mad 0day. Go to Infiltrate. → Vendor sponsorship. (Note however, it is Black Friday soon: www.etsy.com) → Me reading out breach reports. → Nessus.
  6. Mild audience participation warning!
  7. Google Syndrome Disclaimer! If you are Google/Facebook/BAE Systems/Raytheon/any part of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you. Also stop listening to funny haired people who work at yarn websites for your security advice! Smash the 1%, eat the rich!
  8. Threat modelling. The who now?
  9. H1B fashion model visa.
  10. Working out who might attack you, and how.
  11. Evaluating risks and reality (and impact).
  12. Are humans good at evaluating risk?
  13. Have you ever said: "Have a safe flight!"
  14. Has anyone ever said: "Have a safe drive to the airport!"
  15. (image-only slide)
  16. Flying: → An entire spare pilot. → Computer controlled. → A spare engine! → 100s of hours of training/qualifications. → Regular safety checks.
  17. Taxis → .... → have the strange smelling pine tree thing?
  18. Every statistic says flying is 100x safer.
  19. (image-only slide)
  20. Security: what is it?
  21. "The state or condition of being or feeling secure." -- The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees)
  22. "Being or feeling secure"
  23. Secure [from whom?]
  24. Who are you defending against? → Scripts (mass-own WordPress, nmap/zmap looking for MongoDB/MSSQL/etc.) → Script kiddies (the above, but with a tutorial) → Bug bounties (hand wave: 80% of attacks on your website?) → Red teams/pen tests (every... 6 months? maybe?)
  25. Other attackers? → China!!!111 (though now Russia is in vogue) → Hackers in it for the lols (needs no explanation) → Hacktivists (I remain unconvinced these are real) → Hacking for profit (not for fun. See China)
  26. The main ones, ZOMG. → NSA. → Now and then the FBI. → Everyone forgets about CSE (and all of Five Eyes). → GCHQ (who seem to have fewer morals..)
  27. "How to NSA-Proof your Apple iCloud account. – Underground Network" "Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder" "NSA-proof your e-mail in 2 hours" "How NSA-Proof Are VPN Service Providers?"
  28. "An NSA-proof operating system. Yes, for real." "NSA-proof passwords" "NSA-proof SSH" "Physicists are building an NSA-proof internet"
  29. The NSA should probably not be in your threat model.
  30. Whaaa? But shouldn't we defend against everyone?
  31. Once you can defend against everyone up to the NSA, then try to defend against the NSA.
  32. *cough* (please infosec, stop this NSA fetishism & security nihilism) *cough*
  33. Which is also again saying: learn to threat model in reality.
  34. Impact! What is the business impact of this breach?
  35. Defacement vs. DDoS → If you're a real-time trading house or a large DNS provider, DDoS is a really expensive thing; defacement is not as big. → For a political party website, DDoS is just annoying; defacement could be huge.
  36. Mail doxing/spooling → If you're a hacker in the 90s, having your mail shared with a 'zine is annoying. → If you're a presidential candidate, your mail being public could endanger an election.
  37. In just your company → Credit card processing done by you or someone else (hi Stripe). → PII or other user data. → Laptop being stolen (please tell me they're encrypted and passworded...). → Annoying people from Lizard Squad on IRC, and suffering a large DDoS.
  38. Breaches
  39. (image-only slide)
  40. How do systems get (0wned|compromised|breached)?
  41. Well, here's how it happened in the 90s:

    l33t$ cc -o humpdee humpdee.c
    l33t$ ./humpdee 203.0.113.76
    Humpdee c0ded by Tekneeq Crew!
    Local address: 198.51.100.12
    Return position: 678
    Return address: 0x01423908
    Got shell
    # id
    uid=0(root) gid=0(root)

  42. Big thanks to our teal 90s sponsor . . . [ASCII-art Tekneeq Crew banner] http://www.attrition.org/hosted/tekneeq/
  43. (I'm trying to be invited back next year)

    $shellcode = @("shellcodez"/L)
    \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\
    \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\
    \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\
    \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\
    \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\
    \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
    |-shellcodez

    madexploit { "humpdee":
      ensure    => shell,
      target    => '203.0.113.76',
      shellcode => $shellcode,
      require   => Date['90s'],
    }

  44. Timewarp to now! → 99% of servers don't have real routable IPs. → TEH CLOUD, NAT, load balancers, &c. → A few people bought firewalls. → DEP, SEP, stack cookies, ASLR, GENTOO!!!11 → Hopefully you've patched this vuln from 1997?
  45. iOS (not IOS, that is somewhat less secure)
  46. Things we know → FBI bought an "exploit" for $1M. → Zerodium had a $1M bounty for full remote end-to-end compromise. → Apple's own bug bounty for certain things is in the $100,000s range. → Maybe someone in your company has one of these iPhone devices?
  47. ZOMG! An attacker could get a foothold in your network for a cool $1m dollars!
  48. Reality → So for the quick simple payment of $1m dollars you're totally getting owned. → If your attacker has $1m spare to spend on just an exploit. → And owning you is worth >$1m. → Oh yeah, and there's no cheaper way to do it.
  49. Reality 2 → Attackers have budgets. → The majority of attacks have financial motives. → Defense is about raising those costs. → (Whilst still allowing your company to continue to make money.)
  50. Zero day is not your biggest worry.
  51. So how do we fix this? With threat modelling.
  52. Say you have N months allocated to a security project. Which of these will give a better return on your overall security?
  53. Rolling out the awesome grsecurity on all your Linux servers.
  54. Rolling out a password manager to everyone in your organisation.
  55. One of these is awesome cool tech, which stops mad 0day. (And I really love the work of grsec.)
  56. The other involves talking to people in the company and helping them with a password manager.
  57. Arbitrary pie chart: 3D DOUGHNUT CHART!
  58. "The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report
  59. Passwords
  60. Passwords == keys
  61. More question time! If you care about lock security, do you: → buy cheap crappy keys but replace your locks in your whole house every month? or → buy decent (cough, European) locks and not worry about it.
  62. No one does the former, right? (Not that many people do the latter either, but anyway.)
  63. (Also no one's house gets broken into with lockpicks either, but stop poking holes in my analogy.)
  64. (image-only slide)
  65. Which of these is better? → "Password1234oct" or → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
  66. Which will be better next month? → "Password1234nov" or → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
  67. You're wrong Ben, because reasons → Guessing the first one, you can guess the others. → It'll be written down, as it changes all the time. → It has much less entropy so they can remember it. → The second one is hashcat-proof; the first one is not.
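As an added example (not from the talk or its author), a small Python checker that makes slide 67's point measurable: a naive charset estimate rates "Password1234oct" highly, but once a guessing rule knows about wordlist stems and month suffixes its effective cost collapses, and the November rotation shares its base with the October one. The month list and the five-word wordlist are constructed stand-ins for a real cracker's rule set.

```python
import math
import re
import string

# Constructed inputs from the slides: a "base + month" password and a long random one.
ROTATED = ("Password1234oct", "Password1234nov")
RANDOM = "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec")
# Tiny constructed stand-in for a cracking wordlist; real ones hold millions of entries.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer")
MONTH_SUFFIX = re.compile("(" + "|".join(MONTHS) + ")$", re.IGNORECASE)

def charset_bits(s):
    """Naive brute-force upper bound: length * log2(size of the character classes used)."""
    size = 26 * any(c.islower() for c in s) + 26 * any(c.isupper() for c in s)
    size += 10 * any(c.isdigit() for c in s)
    size += len(string.punctuation) * any(c in string.punctuation for c in s)
    return len(s) * math.log2(size) if size else 0.0

def rotation_base(pw):
    """Return the text before a trailing month name, or None if there is no such suffix."""
    m = MONTH_SUFFIX.search(pw)
    return pw[:m.start()] if m and m.start() > 0 else None

def estimate_bits(pw):
    """Guess cost as a rule-based cracker would see it, not the charset bound:
    a month suffix is worth log2(12) bits; a wordlist stem is worth
    log2(len(wordlist)) + 1 (capitalised or not) plus charset bits for what follows."""
    bits = 0.0
    base = rotation_base(pw)
    if base is not None:
        bits += math.log2(len(MONTHS))
        pw = base
    for word in COMMON_WORDS:
        if pw.lower().startswith(word):
            return bits + math.log2(len(COMMON_WORDS)) + 1 + charset_bits(pw[len(word):])
    return bits + charset_bits(pw)

def same_base(old, new):
    """True when two rotated passwords differ only in the month suffix."""
    base = rotation_base(old)
    return base is not None and base == rotation_base(new)

if __name__ == "__main__":
    for pw in ROTATED + (RANDOM,):
        print(f"{pw[:20]:20} charset {charset_bits(pw):6.1f} bits  estimate {estimate_bits(pw):6.1f} bits")
    print("same base across the rotation:", same_base(*ROTATED))
```

The charset figure is what a naive password meter reports; the estimate is closer to what a rule-based cracker pays, which is why the rotated password loses roughly seventy bits of apparent strength while the random one loses nothing.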
  68. If you want more than just passwords! Spend money on Duo and buy Yubikeys.
  69. Duo → gives you a secure second factor over iPhone/Android push notifications. → Backup of SMS or phone call. → Backup codes too. → More secure than TOTP 2FA.
  70. Yubikeys == <3 → Tiny USB cryptographic tokens that can tie in to Duo to be a second factor. → No more having to find your phone (I know, life is hard...). → Can also generate & store SSH/GPG RSA keys. → Now have U2F/FIDO for, well, Dropbox, GitHub, and Google.
  71. But most importantly...
  72. STOP MAKING YOUR COLLEAGUES HATE YOU!
  73. Be nicer? Madness. At Etsy, we try, really hard, to make the security team approachable and friendly! (In spite of hiring me.)
  74. Why do this? (Other than working for a hugging company)
  75. (image-only slide)
  76. Phishing. This is pretty new, has anyone heard of it?
  77. Solving phishing! → Can't be done, despite what Barracuda may want to sell you. → 99% of people entering details vs. 9% of people entering details isn't all that helpful. → (But still try to reduce it.)
  78. Solving phishing: IR. Having people tell the security team when a phishy email comes in, even if they've clicked on everything and shared their passwords, is great.
  79. Not solving phishing: IR. Having a holier-than-thou, mad leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you.
  80. Love always finds a way. → If security blocks everything, people will just do it anyway. → "Shadow" teams spin up and just avoid all your safeguards. → You block all outbound traffic bar the proxy, someone will run corkscrew.
  81. Security people, be nicer ❤
  82. And now the second half
  83. Conclusions → Start from securing against the least skilled attacker up, not the most skilled down. → Be realistic about your threat model. → Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.
  84. Conclusions deux → Pick the boring definite wins, not the exciting maybe wins. → Yes, you won't get a BlackHat talk out of them, but you will be more secure. → Attackers want to win; defenders can definitely win if they pick the right fight.
  85. Thank you → Twidder: @benjammingh → LinkedIn: lnkdin.me/p/benyeah → SpeakerDeck: speakerdeck.com/barnbarn → JitHub: github.com/barn → Etsy: Careers --- CodeAsCraft <--- our blog → Fax: pending.
  86. Wham!