Slide 1

How You Actually Get Hacked

— @benjammingh for PuppetConf 2016

Slide 2

AKA Do you want ants? Because that's how you get ants!

Slide 3

Who's this clown?
→ Infrastructure security at Etsy.
→ Puppet Labs Operations alumni.
→ First used Puppet on the 0.26 branch.
→ Has only been in big trouble with the phone company once. (See https://twitter.com/skullmandible/status/411281851131523072)

Slide 4

What is this talk about?
→ Risk and threat modelling.
→ Reality, and infosec's aversion to it.
→ What to actually focus on, to be more secure, but less hipster.
→ Security myopia and the best being the enemy of the good.

Slide 5

What is this talk not about?
→ Mad 0day (go to Infiltrate for that).
→ Vendor sponsorship. (Note however, it is Black Friday soon: www.etsy.com)
→ Me reading out breach reports.
→ Nessus.

Slide 6

Mild audience participation warning!

Slide 7

Google Syndrome Disclaimer! If you are Google/Facebook/BAE Systems/Raytheon/any part of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you. Also, stop listening to funny-haired people who work at yarn websites for your security advice! Smash the 1%, eat the rich!

Slide 8

Threat modelling. The who now?

Slide 9

H1B fashion model visa.

Slide 10

Working out who might attack you, and how.

Slide 11

Evaluating risks and reality (and impact).

Slide 12

Are humans good at evaluating risk?

Slide 13

Have you ever said: "Have a safe flight!"

Slide 14

Has anyone ever said: "Have a safe drive to the airport!"

Slide 15

(image only)

Slide 16

Flying:
→ An entire spare pilot.
→ Computer controlled.
→ A spare engine!
→ 100s of hours of training/qualifications.
→ Regular safety checks.

Slide 17

Taxis:
→ ....
→ have the strange smelling pine tree thing?

Slide 18

Every statistic says flying is 100x safer.

Slide 19

(image only)

Slide 20

Security: what is it?

Slide 21

"The state or condition of being or feeling secure." -- The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees)

Slide 22

"Being or feeling secure"

Slide 23

Secure [from whom?]

Slide 24

Who are you defending against?
→ Scripts (mass-owning WordPress; nmap/zmap looking for MongoDB/MSSQL/etc.)
→ Script kiddies (the above, but with a tutorial)
→ Bug bounties (hand wave: 80% of attacks on your website?)
→ Red teams/pen tests (every... 6 months? maybe?)

Slide 25

Other attackers?
→ China!!!111 (though now Russia is in vogue)
→ Hackers in it for the lols (needs no explanation)
→ Hacktivists (I remain unconvinced these are real)
→ Hacking for profit (not for fun. See China)

Slide 26

The main ones, ZOMG.
→ NSA.
→ Now and then the FBI.
→ Everyone forgets about CSE (and all of Five Eyes).
→ GCHQ (who seem to have fewer morals..)

Slide 27

"How to NSA-Proof your Apple iCloud account. – Underground Network"
"Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder"
"NSA-proof your e-mail in 2 hours"
"How NSA-Proof Are VPN Service Providers?"

Slide 28

"An NSA-proof operating system. Yes, for real."
"NSA-proof passwords"
"NSA-proof SSH"
"Physicists are building an NSA-proof internet"

Slide 29

The NSA should probably not be in your threat model.

Slide 30

Whaaa? But shouldn't we defend against everyone?

Slide 31

Once you can defend against everyone up to the NSA, then try to defend against the NSA.

Slide 32

*cough* (please infosec, stop this NSA fetishism & security nihilism) *cough*

Slide 33

Which is, again, saying: learn to threat model in reality.

Slide 34

Impact! What is the business impact of this breach?

Slide 35

Defacement vs. DDoS
→ If you're a real-time trading house or a large DNS provider, DDoS is a really expensive thing; defacement is not as big.
→ For a political party website, DDoS is just annoying; defacement could be huge.

Slide 36

Mail doxing/spooling
→ If you're a hacker in the 90s, having your mail shared with a 'zine is annoying.
→ If you're a presidential candidate, your mail being public could endanger an election.

Slide 37

In just your company
→ Credit card processing done by you or someone else (hi Stripe).
→ PII or other user data.
→ Laptop being stolen (please tell me they're encrypted and passworded...).
→ Annoying people from Lizard Squad on IRC, and suffering a large DDoS.

Slide 38

Breaches

Slide 39

(image only)

Slide 40

How do systems get (0wned|compromised|breached)?

Slide 41

Well, here's how it happened in the 90s.

    l33t$ cc -o humpdee humpdee.c
    l33t$ ./humpdee 203.0.113.76
    Humpdee c0ded by Tekneeq Crew!
    Local address: 198.51.100.12
    Return position: 678
    Return address: 0x01423908
    Got shell
    # id
    uid=0(root) gid=0(root)

Slide 42

Big thanks to our teal 90s sponsor.

(Tekneeq Crew ASCII-art logo)

http://www.attrition.org/hosted/tekneeq/

Slide 43

(I'm trying to be invited back next year)

    $shellcode = @("shellcodez"/L)
    \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\
    \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\
    \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\
    \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\
    \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\
    \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
    |-shellcodez

    madexploit { "humpdee":
      ensure    => shell,
      target    => '203.0.113.76',
      shellcode => $shellcode,
      require   => Date['90s'],
    }

Slide 44

Timewarp to now!
→ 99% of servers don't have real routable IPs.
→ TEH CLOUD, NAT, load balancers, &c.
→ A few people bought firewalls.
→ DEP, SEP, stack cookies, ASLR, GENTOO!!!11
→ Hopefully you've patched this vuln from 1997?

Slide 45

iOS (not IOS, that is somewhat less secure)

Slide 46

Things we know
→ FBI bought an "exploit" for $1M.
→ Zerodium had a $1M bounty for full remote end-to-end compromise.
→ Apple's own bug bounty for certain things is in the $100,000s range.
→ Maybe someone in your company has one of these iPhone devices?

Slide 47

ZOMG! An attacker could get a foothold in your network for a cool $1m dollars!

Slide 48

Reality
→ So for the quick simple payment of $1m dollars you're totally getting owned...
→ if your attacker has $1m spare to spend on just an exploit,
→ and owning you is worth >$1m,
→ oh yeah, and there's no cheaper way to do it.

Slide 49

Reality 2
→ Attackers have budgets.
→ The majority of attacks have financial motives.
→ Defense is about raising those costs.
→ (Whilst still allowing your company to continue to make money.)

Slide 50

Zero day is not your biggest worry.

Slide 51

So how do we fix this? With threat modelling.

Slide 52

Say you have N months allocated to a security project. Which of these will give a better return on your overall security?

Slide 53

Rolling out the awesome Grsecurity on all your Linux servers.

Slide 54

Rolling out a password manager to everyone in your organisation.

Slide 55

One of these is awesome cool tech, which stops mad 0day. (And I really love the work of GRSec.)

Slide 56

The other involves talking to people in the company and helping them with a password manager.

Slide 57

Arbitrary pie chart. 3D DOUGHNUT CHART!

Slide 58

"The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report

Slide 59

Passwords

Slide 60

Passwords == keys

Slide 61

More question time! If you care about lock security, do you:
→ buy cheap crappy keys but replace your locks in your whole house every month? or
→ buy decent (cough, European) locks and not worry about it?

Slide 62

No one does the former, right? (Not that many people do the latter either, but anyway.)

Slide 63

(Also no one's house gets broken into with lockpicks either, but stop poking holes in my analogy.)

Slide 64

(image only)

Slide 65

Which of these is better?
→ "Password1234oct" or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

Slide 66

Which will be better next month?
→ "Password1234nov" or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

Slide 67

You're wrong, Ben, because reasons:
→ Guessing the first one, you can guess the others.
→ It'll be written down, as it changes all the time.
→ It has much less entropy so they can remember it.
→ The second one is hashcat-proof; the first one is not.
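As an added illustration of the rotation argument on these slides (my code, not the speaker's), a small Python check: a naive charset-entropy estimate for the two slide passwords, plus a detector that flags a new password that is just last month's with the month token swapped. The helper names, the month-suffix rule and the three-edit threshold are my own choices.

```python
"""Why 'Password1234oct' -> 'Password1234nov' is not a rotation. Added example,
not part of the talk; the thresholds below are assumptions, not a standard."""
import math
import string

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def charset_entropy_bits(password: str) -> float:
    """Upper bound: bits if every character were drawn uniformly from the
    classes actually present. Pattern-based guessing does far better than this."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_month_token(password: str) -> str:
    """Drop a trailing month abbreviation so 'Password1234oct' and
    'Password1234nov' compare as the same base string."""
    low = password.lower()
    for m in MONTHS:
        if low.endswith(m):
            return password[: -len(m)]
    return password


def derived_from_previous(old: str, new: str, max_edits: int = 3) -> bool:
    """True when the new password is a small edit of the old one: whoever
    guessed the old one gets the new one for free (slide 67, first bullet)."""
    if strip_month_token(old).lower() == strip_month_token(new).lower():
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits
```

For the slide's pair, `derived_from_previous("Password1234oct", "Password1234nov")` is true while the 42-character random string scores roughly 250 bits against about 89 for the "rotated" one.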

Slide 68

If you want more than just passwords: spend money on Duo and buy Yubikeys.

Slide 69

Duo
→ gives you a secure second factor over iPhone/Android push notifications.
→ backup of SMS or phone call.
→ backup codes too.
→ more secure than TOTP 2FA.

Slide 70

Yubikeys == <3
→ Tiny USB cryptographic tokens that can tie in to Duo to be a second factor.
→ No more having to find your phone (I know, life is hard...).
→ Can also generate & store SSH/GPG RSA keys.
→ Now have U2F/FIDO for, well, Dropbox, GitHub, and Google.

Slide 71

But most importantly...

Slide 72

STOP MAKING YOUR COLLEAGUES HATE YOU!

Slide 73

Be nicer? Madness! At Etsy, we try, really hard, to make the security team approachable and friendly! (In spite of hiring me.)

Slide 74

Why do this? (Other than working for a hugging company.)

Slide 75

(image only)

Slide 76

Phishing. This is pretty new, has anyone heard of it?

Slide 77

Solving phishing!
→ Can't be done, despite what Barracuda may want to sell you.
→ 99% of people entering details vs. 9% of people entering details isn't all that helpful.
→ (But still try to reduce it.)

Slide 78

Solving phishing IR: having people tell the security team when a phishy email comes in, even if they've clicked on everything and shared their passwords, is great.

Slide 79

Not solving phishing IR: having a holier-than-thou, mad leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you.

Slide 80

Love always finds a way.
→ If security blocks everything, people will just do it anyway.
→ "Shadow" teams spin up, and just avoid all your safeguards.
→ You block all outbound traffic bar the proxy, someone will run corkscrew.

Slide 81

Security people, be nicer ❤

Slide 82

And now the second half

Slide 83

Conclusions
→ Start by securing against the least skilled attacker and work up, not from the most skilled down.
→ Be realistic about your threat model.
→ Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.

Slide 84

Conclusions deux
→ Pick the boring definite wins, not the exciting maybe wins.
→ Yes, you won't get a BlackHat talk out of them, but you will be more secure.
→ Attackers want to win; defenders can definitely win if they pick the right fight.

Slide 85

Thank you
→ Twidder: @benjammingh
→ LinkedIn: lnkdin.me/p/benyeah
→ SpeakerDeck: speakerdeck.com/barnbarn
→ JitHub: github.com/barn
→ Etsy: Careers --- CodeAsCraft <--- our blog
→ Fax: pending.

Slide 86

Wham!