
How you a actually get hacked!

Bea Hughes
October 22, 2016


Talk on threat modelling and reality for PuppetConf 2016 in San Diego.

(An ever so slightly shorter version of this was presented at Bsides Toronto too)

Puppet Conf video https://www.youtube.com/watch?v=XlgHZIjz5eQ



  1. AKA Do you want ants? Because that's how you get ants! 2 — @benjammingh for PuppetConf 2016
  2. Who's this clown? → Infrastructure security at Etsy. → Puppet Labs Operations alumni. → First used Puppet on the 0.26 branch. → Has only been in big trouble with the phone company once. (https://twitter.com/skullmandible/status/411281851131523072)
  3. What is this talk about? → Risk and threat modelling. → Reality, and infosec's aversion to it. → What to actually focus on, to be more secure, but less hipster. → Security myopia and the best being the enemy of the good.
  4. What is this talk not about? → Mad 0day. Go to Infiltrate. → Vendor sponsorship. (Note however, it is Black Friday soon: www.etsy.com) → Me reading out breach reports. → Nessus.
  5. Google Syndrome Disclaimer! If you are Google/Facebook/BAE Systems/Raytheon/any part of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you. Also stop listening to funny-haired people who work at yarn websites for your security advice! Smash the 1%, eat the rich!
  6. Working out who might attack you and how
  7. Have you ever said: "Have a safe flight!"
  8. Has anyone ever said: "Have a safe drive to the airport!"
  9. Flying: → An entire spare pilot. → Computer controlled. → A spare engine! → 100s of hours of training/qualifications. → Regular safety checks.
  10. Taxis: → .... → have the strange-smelling pine tree thing?
  11. "The state or condition of being or feeling secure." -- The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees)
  12. Who are you defending against? → Scripts (mass-own WordPress, nmap/zmap looking for MongoDB/MSSQL/etc.) → Script kiddies (the above, but with a tutorial) → Bug bounties (hand-wave 80% of attacks on your website?) → Red teams/pen tests (every... 6 months? maybe?)
  13. Other attackers? → China!!!111 (though now Russia is in vogue) → Hackers in it for the lols (needs no explanation) → Hacktivists (I remain unconvinced these are real) → Hacking for profit (not for fun. See China)
  14. The main ones, ZOMG. → NSA. → Now and then the FBI. → Everyone forgets about CSE (and all of Five Eyes). → GCHQ (who seem to have fewer morals..)
  15. "How to NSA-Proof your Apple iCloud account. – Underground Network" "Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder" "NSA-proof your e-mail in 2 hours" "How NSA-Proof Are VPN Service Providers?"
  16. "An NSA-proof operating system. Yes, for real." "NSA-proof passwords" "NSA-proof SSH" "Physicists are building an NSA-proof internet"
  17. The NSA should probably not be in your threat model.
  18. Once you can defend against everyone up to the NSA, then try to defend against the NSA.
  19. *cough* (please infosec, stop this NSA fetishism & security nihilism) *cough*
  20. Which is also again saying: learn to threat model in reality.
  21. Impact! What is the business impact of this breach?
  22. Defacement vs. DDoS → If you're a real-time trading house or large DNS provider, DDoS is a really expensive thing; defacement is not as big. → For a political party website, DDoS is just annoying; defacement could be huge.
  23. Mail doxing/spooling → If you're a hacker in the 90s, having your mail shared with a 'zine is annoying. → If you're a presidential candidate, your mail being public could endanger an election.
  24. In just your company → Credit card processing done by you or someone else (hi Stripe). → PII or other user data. → Laptop being stolen (please tell me they're encrypted and passworded...). → Annoying people from Lizard Squad on IRC, and suffering a large DDoS.
  25. Well, here's how it happened in the 90s.
    l33t$ cc -o humpdee humpdee.c
    l33t$ ./humpdee
    Humpdee c0ded by Tekneeq Crew!
    Local address:
    Return position: 678
    Return address: 0x01423908
    Got shell
    # id
    uid=0(root) gid=0(root)
  26. Big thanks to our teal 90s sponsor . . . (Tekneeq Crew ASCII-art banner) http://www.attrition.org/hosted/tekneeq/
  27. (I'm trying to be invited back next year)
    $shellcode = @("shellcodez"/L)
    \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\
    \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\
    \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\
    \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\
    \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\
    \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
    |-shellcodez
    madexploit { "humpdee":
      ensure    => shell,
      target    => '',
      shellcode => $shellcode,
      require   => Date['90s'],
    }
  28. Timewarp to now! → 99% of servers don't have real routable IPs. → TEH CLOUD, NAT, load balancers, &c. → A few people bought firewalls. → DEP, SEP, stack cookies, ASLR, GENTOO!!!11 → Hopefully you've patched this vuln from 1997?
  29. iOS (not IOS, that is somewhat less secure)
  30. Things we know → FBI bought an "exploit" for $1M. → Zerodium had a $1M bounty for full remote end-to-end compromise. → Apple's own bug bounty for certain things is in the $100,000s range. → Maybe someone in your company has one of these iPhone devices?
  31. ZOMG! An attacker could get a foothold in your network for a cool $1m dollars!
  32. Reality → So for the quick, simple payment of $1m dollars you're totally getting owned. → If your attacker has $1m spare to spend on just an exploit. → And owning you is worth >$1m. → Oh yeah, and there's no cheaper way to do it.
  33. Reality 2 → Attackers have budgets. → The majority of attacks have financial motives. → Defence is about raising those costs. → (Whilst still allowing your company to continue to make money.)
  34. So how do we fix this? With threat modelling.
  35. Say you have N months allocated to a security project. Which of these will give a better return on your overall security?
  36. Rolling out the awesome Grsecurity on all your Linux servers.
  37. One of these is awesome cool tech, which stops mad 0day. (And I really love the work of GRSec.)
  38. The other involves talking to people in the company and helping them with a password manager.
  39. "The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report
  40. More question time! If you care about lock security, do you: → buy cheap crappy keys but replace your locks in your whole house every month? or → buy decent (cough, European) locks and not worry about it.
  41. No one does the former, right? (Not that many people do the latter either, but anyway.)
  42. (Also no one's house gets broken in to with lockpicks either, but stop poking holes in my analogy.)
  43. Which will be better next month? → "Password1234nov" or → "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
  44. You're wrong Ben because reasons → Guessing the first one, you can guess the others. → It'll be written down as it changes all the time. → It has much less entropy so they can remember it. → The second one is hashcat-proof; the first one is not.
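The entropy argument on slides 43 and 44, as an added example (not from the talk): a toy token-based guess estimator in the style of zxcvbn, using a constructed mini wordlist and an assumed 1e10 guesses/s rate against a fast hash, plus a policy check that catches month-suffix rotations of the previous password.

```python
import math
import os
import re

# Added example, not from the talk. A toy zxcvbn-style estimator: split the
# password into tokens and multiply the size of the cheapest guess pool for
# each, instead of the naive len*log2(charset) that overrates "Password1234nov".
# Constructed assumptions: a 10,000-entry attacker wordlist (stood in for by a
# handful of words) and a GPU rig doing 1e10 guesses/s against a fast hash.
WORDS = {"password", "welcome", "summer", "etsy", "puppet"}
WORDLIST_SIZE = 10_000
MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}
GUESSES_PER_SEC = 1e10
TOKEN = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")

def token_guesses(tok: str) -> float:
    """Guesses needed for one token under the cheapest matching rule."""
    low = tok.lower()
    if low in WORDS:
        return WORDLIST_SIZE * 2.0           # wordlist hit, maybe capitalised
    if low in MONTHS:
        return len(MONTHS) * 2.0             # month abbreviation, maybe capitalised
    if tok.isdigit():
        return 10.0 ** len(tok)              # every number of that length
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                      (r"\d", 10), (r"[^A-Za-z\d]", 33))
               if re.search(pat, tok))
    return float(pool) ** len(tok)           # no pattern: brute force the run

def estimate_guesses(pw: str) -> float:
    return math.prod(token_guesses(t) for t in TOKEN.findall(pw))

def bits(pw: str) -> float:
    return math.log2(estimate_guesses(pw))

def years_to_crack(pw: str, rate: float = GUESSES_PER_SEC) -> float:
    return estimate_guesses(pw) / rate / (365 * 24 * 3600)

def is_trivial_rotation(new: str, old: str, max_tail: int = 4) -> bool:
    """Policy check: flag 'Password1234nov' -> 'Password1234dec' style changes
    where only a short tail differs from the previous password."""
    common = len(os.path.commonprefix([new, old]))
    return len(old) - common <= max_tail and len(new) - common <= max_tail

if __name__ == "__main__":
    for pw in ("Password1234nov", "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"):
        print(f"{pw}: {bits(pw):.0f} bits, {years_to_crack(pw):.1e} years")
```

Under this model the first password is a wordlist entry, a four-digit number and a month (about 32 bits, gone in under a second), while the second is three runs the rules do not match and lands above 200 bits.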
  45. If you want more than just passwords! Spend money on Duo and buy Yubikeys.
  46. Duo → gives you a secure second factor over iPhone/Android push notifications. → backup of SMS or phone call. → backup codes too. → more secure than TOTP 2FA.
  47. Yubikeys == <3 → Tiny USB cryptographic tokens that can tie in to Duo to be a second factor. → No more having to find your phone (I know, life is hard...). → Can also generate & store SSH/GPG RSA keys. → Now have U2F/FIDO for, well, Dropbox, GitHub, and Google.
  48. Be nicer? Madness! At Etsy, we try, really hard, to make the security team approachable and friendly! (In spite of hiring me.)
  49. Why do this? (Other than working for a hugging company)
  50. Phishing. This is pretty new, has anyone heard of it?
  51. Solving phishing! → Can't be done, despite what Barracuda may want to sell you. → 99% of people entering details vs. 9% of people entering details isn't all that helpful. → (But still try to reduce it.)
  52. Solving phishing IR: Having people tell the security team when a phishy email comes in, even if they've clicked on everything and shared their passwords, is great.
  53. Not solving phishing IR: Having a holier-than-thou, mad leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you.
  54. Love always finds a way. → If security blocks everything, people will just do it anyway. → "Shadow" teams spin up, and just avoid all your safeguards. → You block all outbound traffic bar the proxy, someone will run corkscrew.
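For the corkscrew point on slide 54, an added detection example (not from the talk): corkscrew tunnels SSH through an HTTP proxy with CONNECT, so a proxy log that only expects CONNECT for HTTPS can surface tunnels to other ports. The Squid-style log lines, client addresses and hostnames below are constructed.

```python
import re
from collections import Counter

# Added example, not from the talk. Detection for the "someone will run corkscrew"
# case: corkscrew tunnels SSH through an HTTP proxy using CONNECT, so a proxy that
# only expects CONNECT for HTTPS can flag CONNECTs to any port other than 443.
# The log lines are constructed in Squid's native access.log layout
# (time elapsed-ms client result/status bytes method URL user hierarchy type).
SAMPLE_LOG = """\
1477094400.123   2310 10.1.2.3 TCP_TUNNEL/200 48211 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1477094401.456 183000 10.1.2.3 TCP_TUNNEL/200 901233 CONNECT 203.0.113.7:22 - HIER_DIRECT/203.0.113.7 -
1477094402.789    120 10.1.2.9 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1477094403.001  95000 10.1.2.3 TCP_TUNNEL/200 400100 CONNECT tunnel.example.net:8080 - HIER_DIRECT/198.51.100.5 -
1477094404.002    500 10.1.2.5 TCP_DENIED/403 0 CONNECT 203.0.113.7:22 - HIER_NONE/- text/html
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
                  r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
ALLOWED_CONNECT_PORTS = {443}

def parse(line: str):
    """Split one access.log line into fields; CONNECT URLs are host:port."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["port"] = None
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        if port.isdigit():
            rec["host"], rec["port"] = host, int(port)
    return rec

def suspicious_tunnels(log_text: str):
    """(client, host, port, result, seconds) for every CONNECT to a non-443 port,
    denied attempts included: a 403 still tells you who is trying to tunnel."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "CONNECT" and rec["port"] not in ALLOWED_CONNECT_PORTS:
            hits.append((rec["client"], rec["host"], rec["port"],
                         rec["result"], int(rec["ms"]) / 1000))
    return hits

def tunnels_per_client(log_text: str) -> Counter:
    """Who is doing it: count flagged tunnels by client address."""
    return Counter(hit[0] for hit in suspicious_tunnels(log_text))

if __name__ == "__main__":
    print(suspicious_tunnels(SAMPLE_LOG), tunnels_per_client(SAMPLE_LOG))
```

The elapsed time is kept in the output because a CONNECT that stays open for minutes looks like an interactive session, not a web request; the follow-up is a conversation with the client's owner, not a block.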
  55. Conclusions → Start from securing from the least skilled attacker up, not the most skilled down. → Be realistic about your threat model. → Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.
  56. Conclusions deux → Pick the boring definite wins, not the exciting maybe wins. → Yes, you won't get a Black Hat talk out of them, but you will be more secure. → Attackers want to win; defenders can definitely win if they pick the right fight.
  57. Thank you → Twidder: @benjammingh → LinkedIn: lnkdin.me/p/benyeah → SpeakerDeck: speakerdeck.com/barnbarn → JitHub: github.com/barn → Etsy: Careers --- CodeAsCraft <--- our blog → Fax: pending.