
ConFoo 2019: First steps into security engineering


https://confoo.ca/en/yul2019/session/first-steps-into-security-engineering

Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills. Attendees of my talks regularly ask me how to get started. Let me introduce you to diverse areas of info sec and point you to books, online courses, talks, and other resources to get you started.

Christian Heimes

March 14, 2019


Transcript

  1. First steps into security engineering, ConFoo 2019, @ChristianHeimes
     Who am I? • from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of the ssl and hashlib modules • Python security team
  2. Professional life • Principal Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI
  3. Disclaimer: this talk is • opinionated • subjective • biased • incomplete • edutainment
  4. World laws pertaining to homosexual relationships and expression, 2017 (Wikipedia)
  5. World laws pertaining to homosexual relationships and expression, 2019 (Wikipedia)
  6. Attackers just need one vulnerability, defenders need to be perfect.
  7. Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.
  8. “Our cars are less likely to explode than competing products.”
  9. Alex Gaynor, The worst truism in information security: “Attackers just need one vulnerability, defenders need to be perfect” https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/
  10. Threat Model: biometrics. Photo: The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons
  11. Amazon Says One Engineer's Simple Mistake Brought the Internet Down (2017-02-28)
  12. Photo: Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons
  13. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Cormac Herley, Microsoft Research
  14. Human factor • Social engineering • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html • Password in exchange for chocolate (up to 47.9%), Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372, DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management
  15. London Gatwick, Christmas 2018: Police believe airport insider was behind Gatwick drone chaos
  16. User interface, training, documentation. Lion Air Flight 610: Pilots fought automatic safety system before plane plunged.
  17. Persecution mania • Cracking Passwords using Keyboard Acoustics and Language Modeling, Andrew Kelly, University of Edinburgh (2010) • Eavesdrop on Conversations Using a Bag of Chips with MIT’s ‘Visual Microphone’ https://singularityhub.com/2014/08/13/eavesdrop-on-conversations-using-a-bag-of-chips-with-mits-visual-microphone/ • Researcher Turns HDD Into Rudimentary Microphone
  18. Hardware security: RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  19. Physical security against intru-deers https://twitter.com/DCFurs/status/1087663240421593089
  20. IoT – Internet of Things (slide from Everyday security issues, PyGotham 2018). The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)
  21. Stop reading, start doing! Parisa Tabriz, So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23
  22. Available for free: https://www.cl.cam.ac.uk/~rja14/book.html
  23. “Soft” skills • team work / team diversity • locate and evaluate information • law / legal affairs • business • ethics & compliance • rhetoric • read and write documentation
  24. Social Engineering • The Social Engineering Framework https://www.social-engineer.org/framework/ • Social Engineering: The Art of Human Hacking, Christopher Hadnagy (2010) • The Art of Deception, Kevin D. Mitnick (2003)
  25. Digital self-defense • secure your hardware • disk encryption • privacy • ad-blocker • email provider • good passwords / 2FA • update, update, update! https://freedom.press/training/
  26. Operating Systems • man pages • Advanced Programming in the UNIX Environment, Stevens / Rago (2013)
  27. Computer networks and system tools • IPv4, IPv6, routing, TCP, UDP, DNS, firewall • auditing, logging • SELinux • analysis and pentesting tools • wireshark • nmap • metasploit • IDA (Interactive Disassembler)
  28. DevOps: Securing DevOps: Security in the Cloud, Julien Vehent (2018)
  29. General resources • OWASP: Open Web Application Security Project • CWE: Common Weakness Enumeration • CVE: Common Vulnerabilities and Exposures • IETF RFCs
  30. Top 10 bugs • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...) • broken authentication and access control • Cross-Site Scripting (XSS) • XML entities • Insecure Deserialization (images, docs, ASN.1)
  31. Unicode
      >>> import unicodedata
      # homograph / homoglyphic confusion attack: 'Руthοn' starts with a Cyrillic letter that looks like a Latin P
      >>> unicodedata.name('Руthοn'[0])
      'CYRILLIC CAPITAL LETTER ER'
      # persistent XSS with wide unicode normalization: the brackets are FULLWIDTH (U+FF1C / U+FF1E),
      # so escaping the ASCII '<' changes nothing, and a later NFKD normalization turns them into real '<' and '>'
      >>> wide = '＜script＞'
      >>> safe = wide.replace('<', '&lt;')  # quote
      >>> unicodedata.name(safe[0])
      'FULLWIDTH LESS-THAN SIGN'
      >>> unicodedata.normalize('NFKD', safe)
      '<script>'
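      The two slide snippets worked through as an added example (not code from the talk): the vulnerable escape-then-normalize order beside the safe normalize-then-escape order, using the stdlib html.escape() in place of the slide's manual replace(), plus a small homoglyph check built on unicodedata.name(). The payload strings and the foreign_script_chars() helper are constructed for this example.

```python
import html
import unicodedata

# Constructed sample inputs (not from the talk): fullwidth angle brackets
# U+FF1C / U+FF1E around a script tag, and "Python" spelled with a Cyrillic
# ER, a Cyrillic U and a Greek omicron.
WIDE_PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"
HOMOGLYPH_NAME = "\u0420\u0443th\u03bfn"


def escape_then_normalize(s: str) -> str:
    """The vulnerable order from the slide: html.escape() only knows the ASCII
    '<' and '>', so it leaves the fullwidth forms alone; a later NFKC
    normalization then folds them into a real tag."""
    quoted = html.escape(s)
    return unicodedata.normalize("NFKC", quoted)


def normalize_then_escape(s: str) -> str:
    """The safe order: canonicalize first, escape the canonical form last,
    and never normalize again after escaping."""
    return html.escape(unicodedata.normalize("NFKC", s))


def foreign_script_chars(s: str, expected_script: str = "LATIN") -> list:
    """Cheap homoglyph check (hypothetical helper): list every non-ASCII
    character whose Unicode name does not start with the expected script,
    e.g. to flag look-alike user or package names for review."""
    hits = []
    for ch in s:
        if ch.isascii():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        if not name.startswith(expected_script):
            hits.append((ch, name))
    return hits


if __name__ == "__main__":
    print(escape_then_normalize(WIDE_PAYLOAD))   # the tag survives the "escaping"
    print(normalize_then_escape(WIDE_PAYLOAD))   # &lt;script&gt;...: inert text
    for ch, name in foreign_script_chars(HOMOGLYPH_NAME):
        print(f"{ch!r}: {name}")
```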
  32. Programming languages • C • Assembly • eBPF, BPF • Go • Java • JavaScript • PHP • Python • Rust
  33. Cryptography • The Code Book, Simon Singh • Cryptography Engineering, Ferguson/Schneier/Tadayoshi Kohno • Serious Cryptography, JP Aumasson
  34. Cryptography, free online resources • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto • The cryptopals crypto challenges https://cryptopals.com/ • Crypto 101, LvH, https://www.crypto101.io/ • Mathematics of Public Key Cryptography, Steven Galbraith (2012)
  35. TLS/SSL, Certificates • Bulletproof SSL and TLS, Ivan Ristic • CA/Browser Forum Baseline Requirements https://cabforum.org/ • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS
  36. Passwords / Authentication • NIST 800-63-3: Digital Identity Guidelines • OAuth, OpenID Connect • 2FA (FIDO, WebAuthn) • Troy Hunt, https://haveibeenpwned.com/
  37. News, blogs • Linux Weekly News https://lwn.net/ • Troy Hunt https://www.troyhunt.com/ • Krebs on Security https://krebsonsecurity.com/ • Bruce Schneier https://www.schneier.com/ • Bulletproof TLS Newsletter https://www.feistyduck.com/bulletproof-tls-newsletter/
  38. Conference videos • Chaos Communication Congress (e.g. 35C3) • Black Hat • DEFCON • Real World Crypto
  39. Security people • Adam Langley • Alex Gaynor • Brian Krebs (Krebs On Security) • Bruce Schneier • Dan Bernstein (djb) • Frank Denis • Hanno Böck • JP Aumasson • Katie Moussouris • Matt Blaze • Matthew Green • Nick Sullivan • Parisa Tabriz • Ryan Sleevi • Tanja Lange • Tavis Ormandy • Thomas Ptacek • Tony Arcieri • Troy Hunt
  40. Summary • “I know that I know nothing” (expert specialist) • Keep learning • Mind the user • Get experience • Write your own crypto (do NOT use it in production). Please send me your suggestions.