
Slide 2

Ben Hughes, Etsy, @benjammingh
Pwning all the Internet of things for fun and profit

Slide 3

@benjammingh Handmade & knitted security at Etsy
• I work at Etsy, yes that Etsy.
• Yes we have a seemingly large security team.
• We do “some” web stuff. Have “some” servers.

Slide 4

• Intro (we’re here)
• Users/laptops/the two people with “workstations”.
• Servers/systems.
• Data - that small topic.
• Conclusions

Slide 5

The landscape has changed.
https://www.flickr.com/photos/andraspasztor

Slide 7

Securing laptops (and users)

Slide 9

What?!
That’s an advert!
A paid advert!
For “TextWrangler”?!

Slide 10

Sink holes!

Slide 12

IPv6 (trust me, this time it’s really gonna happen!)

Slide 13

• http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/
• http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html
• http://resources.infosecinstitute.com/slaac-attack/
• https://github.com/Neohapsis/suddensix

Slide 14

• Oprah says “And you get an IDS….”
• On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS.
• PF example (pf.conf rule; $badport is a pf macro defined elsewhere in the file):

```
pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }
```

Slide 15

Servers!
https://www.flickr.com/photos/stalker_cz/ (genuine Etsy data centre!)

Slide 16

Patching…

Slide 17

https://twitter.com/TimDenike/status/162973991034826752

Slide 18

https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

Slide 23

Uptime security solutions!
• SELinux - ‘setenforce 0’ as it’s also known as.
  http://stopdisablingselinux.com/
• grsecurity - set of hardening patches to Linux.
  http://grsecurity.net/features.php
• Ksplice - https://www.ksplice.com/ scariest fix ever.

Slide 26

REBOOTING

Slide 29

Realities of the situation:
• There will always be un-patched machines.
• Breaches will occur.
• Knowing they happened is much better than not knowing.

Slide 31

• Linux kernel auditd events.
• http://people.redhat.com/sgrubb/audit/ (driest page ever)
• Mangled with some python because auditd is awful.
• (will open source this, once the bugs are out. Pinkie swear)
• Use Mozilla’s https://github.com/gdestuynder/audisp-cef
• Pay https://www.threatstack.com/ if you “Cloud”.
• Throw in ELK/syslog/giant file to grep through.
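An added illustration of the “mangled with some python” step, not the speaker's tool (which is not on these slides): auditd splits one event into several records sharing a msg=audit(TIMESTAMP:SERIAL) id, so the parser stitches them back together by serial and then flags execve() calls that ran as root on behalf of a logged-in user (sudo, su, setuid), which is the sort of thing a daemon's auid never shows. The log lines are constructed, and the syscall number assumes x86_64.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the talk). One event = several records
# that share the same msg=audit(TIMESTAMP:SERIAL) identifier.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1415000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 comm="sh" exe="/bin/dash" key="exec"
type=EXECVE msg=audit(1415000000.123:4567): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1415000001.456:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=2 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="exec"
type=EXECVE msg=audit(1415000001.456:4568): argc=1 a0="/usr/sbin/cron"
type=SYSCALL msg=audit(1415000002.789:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1415000002.789:4569): argc=1 a0="ls"
"""

AUID_UNSET = 4294967295        # auditd's "no login session" value (-1 unsigned)
SYSCALL_EXECVE_X86_64 = "59"   # syscall numbers are per-arch; c000003e is x86_64
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Merge the records of each serial into one event dict (argv taken from EXECVE)."""
    events = defaultdict(lambda: {"argv": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        ev["serial"], ev["time"] = int(m.group(2)), float(m.group(1))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "EXECVE":
            # Real auditd hex-encodes args containing spaces or quotes; not handled here.
            ev["argv"] = [fields.get("a%d" % i, "") for i in range(int(fields["argc"]))]
        else:
            for k, v in fields.items():
                if k not in ("type", "msg"):
                    ev.setdefault(k, v)   # SYSCALL's raw a0..a3 never touch argv
    return [events[s] for s in sorted(events)]

def root_execs_by_logged_in_users(events):
    """execve() as root on behalf of a real login session (sudo/su/setuid), not daemons."""
    hits = []
    for ev in events:
        if ev.get("syscall") != SYSCALL_EXECVE_X86_64 or ev.get("arch") != "c000003e":
            continue
        auid = int(ev.get("auid", AUID_UNSET))
        if auid not in (AUID_UNSET, 0) and ev.get("uid") == "0":
            hits.append({"serial": ev["serial"], "auid": auid,
                         "exe": ev.get("exe"), "argv": ev["argv"]})
    return hits
```

On the sample the cron exec (auid unset) and the plain user `ls` are ignored; only serial 4567, user 1000 running `sh -c id` as root, is reported.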

Slide 32

More awesome auditd stuff purely for people downloading the slides:
• http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
• http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown
• http://www.slideshare.net/MarkEllzeyThomas/audit-34493671

Slide 33

Data
https://www.flickr.com/photos/jdhancock

Slide 35

Backups
• Don’t ship your DB backups off unencrypted.
• Don’t use symmetric encryption, because the key will live with the backup (probably).

Slide 36

Canaries

Slide 39

“Animal sentinel”
• Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.
• Operational uses too. Spotting non-TLS LDAP traffic.
• Load Balancer Canary
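An added example of the detection side of the sentinel idea (not the speaker's code): each canary value is planted with the one store it legitimately lives in, and constructed flow records are normalised (case, %40 URL-encoding, spaces and dashes) before matching so a trivially reformatted copy still trips the alarm. The LDAP row reads the slide's non-TLS LDAP point as a planted bind password that must never be visible on the wire at all; hostnames and values are made up.

```python
import re

# Constructed canary records (made-up values): planted in data stores where
# no legitimate system should ever send them anywhere else.
CANARIES = {
    "email": "canary.sentinel@example.com",   # a fake row in the users table
    "card": "4111 1111 1111 1111",            # a fake PAN in the payments DB
    "ldap_pw": "canary-ldap-pw-1234",         # a bind password only ever sent inside TLS
}

# The one place each canary may legitimately be seen heading to. An empty set
# means "never in the clear on the wire", which is the non-TLS LDAP case.
HOME = {
    "email": {"db-users-01"},
    "card": {"db-payments-01"},
    "ldap_pw": set(),
}

# Constructed flow records in the shape an IDS or proxy log might give you:
# (source host, destination host, payload seen on the wire).
SAMPLE_FLOWS = [
    ("web-03", "db-users-01", "SELECT * FROM users WHERE email='canary.sentinel@example.com'"),
    ("web-03", "203.0.113.9", "POST /upload email=CANARY.SENTINEL%40example.com"),
    ("batch-01", "db-payments-01", "pan=4111111111111111"),
    ("batch-01", "198.51.100.7", '{"card": "4111-1111-1111-1111"}'),
    ("app-07", "ldap-01", "bindRequest cn=svc,dc=example,dc=com simple: canary-ldap-pw-1234"),
    ("app-07", "ldap-01", "bindRequest cn=svc,dc=example,dc=com simple: s3cret"),
]

def _normalize(text):
    """Fold case, undo %40 encoding and drop spaces/dashes so reformatted copies still match."""
    return re.sub(r"[\s\-]", "", text.lower().replace("%40", "@"))

_NEEDLES = {name: _normalize(value) for name, value in CANARIES.items()}

def find_leaks(flows):
    """Return (canary name, src, dst) for each sighting of a canary outside its home store."""
    leaks = []
    for src, dst, payload in flows:
        haystack = _normalize(payload)
        for name, needle in _NEEDLES.items():
            if needle in haystack and dst not in HOME[name]:
                leaks.append((name, src, dst))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS):
        print("CANARY TRIPPED: %s seen going from %s to %s" % leak)
```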

Slide 40

To Conclude

Slide 43

Conclusions
• Laptops/users trust the environment. This isn’t always good.
• Servers don’t have to run so blindly; there’s a wealth of information in the Linux kernel.
• Be careful with data. Help it be careful with you.

Slide 44

You’re all hiring, everyone is hiring.