DevConf.IN 2019: First steps into security engineering

First steps into security engineering DevConf.IN 2019 / Bengaluru 2019-08-03
Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes

First steps into security engineering, DevConf.IN 2019, @ChristianHeimes, CC BY-SA
4.0 Who am I? • from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team m Кристиан Хай ес ख्रिस्तियन ক্রিস্টিয়ান হেইন্স ક્રિશ્ચયન હેઇમ્સ ക്രിസ്ത്യൻ ख्रिश्चन ಕ್ರಿಸ್ಟಿಯಾನ್ نایٹسرک கிறிஸ்டின் ஹெய்ம்ஸ்

4.0 Professional life • Principal Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI

Agenda & Goals

4.0

4.0 This talk is • opinionated • subjective • biased • incomplete • edutainment Disclaimer

4.0 1. think 2. learn

Motivation Why should you care?

4.0 proud craftsman responsible engineer

4.0 $$$

4.0 https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

4.0 https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

4.0 https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/ https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

4.0

4.0 Life and Death

4.0 https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

Propositions & Statements

4.0 Security is a feature. Security is a selling point.

4.0 Attackers just need one vulnerability, defenders need to be perfect.

4.0 Users don't care about security. They are ignorant, disregardful, and responsible for security incidents.

4.0 ?

4.0 wrong dangerous arrogant (I used to think like that.)

4.0 We fight for the users! (Tron)

0. attitude 1. think 2. learn

Security is not an (optional) feature

4.0 “Our cars are less likely to explode than competing products.”

4.0

4.0 Alex Gaynor The worst truism in information security Attackers just need one vulnerability, defenders need to be perfect https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/

4.0 But what about the exploding cars?

4.0 “unbreakable” encryption absolute security

4.0 threat model cost–benefit analysis documentation

4.0 Threat Model: biometrics The Photographer [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

4.0 Cost - Benefit

4.0 Mitigation: Defense in depth

4.0

4.0 https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

4.0 Amazon Says One Engineer's Simple Mistake Brought the Internet Down 2017-02-28

Please mind the user between the chair and the keyboard

4.0 Arz [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons

4.0 So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley, Microsoft Research

4.0 Human factor • Social engineering • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management

4.0

4.0 Your grandmother has installed Flash.

4.0 User interface, training, documentation Lion Air Flight 610: Pilots fought automatic safety system before plane plunged.

4.0 Challenger / Chernobyl 1986

4.0 Professionally paranoid

4.0 Persecution mania Cracking Passwords using Keyboard Acoustics and Language Modeling Andrew Kelly, University of Edinburgh (2010) Eavesdrop on Conversations Using a Bag of Chips with MIT’s ‘Visual Microphone’ https://singularityhub.com/2014/08/13/eavesdrop-on-conversations-using-a-bag-of-chips-with-mits-visual-microphone/ Researcher Turns HDD Into Rudimentary Microphone

4.0 be creative & learn from the past

4.0 Consider leaky abstraction layers

4.0 Example: Memory safety

4.0 Hardware security RSA Key Extraction via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/

4.0 Physical security against intru-deers https://twitter.com/DCFurs/status/1087663240421593089

4.0 cybersquirrel1.com – attacks on power grid http://cybersquirrel1.com/

4.0 IoT – Internet of Things The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)

4.0 Ethics and responsibility

4.0 I know that I know nothing (Socratic paradox)

4.0 Skill #1 Communication

4.0 Stop reading, start doing! Parisa Tabriz So, you want to work in security? https://medium.freecodecamp.org/so-you-want-to-work-in-security-bc6c10157d23

4.0 Available for free: https://www.cl.cam.ac.uk/~rja14/book.html

Human Computer Interaction UI / UX

4.0 “Soft” skills • team work / team diversity • locate and evaluate information • law / legal affairs • business • ethics & compliance • rhetoric • read and write documentation

4.0 Social Engineering • The Social Engineering Framework https://www.social-engineer.org/framework/ • Social Engineering, The Art of Human Hacking Christopher Hadnagy (2010) • The Art Of Deception Kevin D. Mitnick (2003)

OpSec DevOps Admin

4.0 Digital self-defense • secure your hardware • disk encryption • privacy • ad-blocker • email provider • good passwords / 2FA • update, update, update! https://freedom.press/training/

4.0 Operating Systems • man pages • Advanced Programming in the UNIX Environment Stevens / Rago (2013)

4.0 Computer networks and system tools • IPv4, IPv6, routing, TCP, UDP, DNS, firewall • auditing, logging • SELinux • analysis and pentesting tools • wireshark • nmap • metasploit • IDA Interactive Disassembler

4.0 DevOps Securing DevOps: Security in the Cloud Julien Vehent (2018)

Software

4.0 General Resource • OWASP: Open Web Application Security Project • CWE: Common Weakness Enumeration • CVE: Common Vulnerabilities and Exposures • IETF RFCs

4.0 Top 10 bugs • injection attacks (SQL, LDAP, JSON, XQuery, XPath, ...) • broken authentication and access control • Cross-Site scripting (XSS) • XML entities • Insecure Deserialization (images, docs, ASN.1)

4.0 Unicode >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER >>> import unicodedata # homograph / homoglyphic confusion attack >>> unicodedata.name('Руthοn'[0]) CYRILLIC CAPITAL LETTER ER # persistent XSS with wide unicode normalization >>> wide = ' ＜ script ＞ ' >>> safe = wide.replace('<', '<') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>' # persistent XSS with wide unicode normalization >>> wide = ' ＜ script ＞ ' >>> safe = wide.replace('<', '<') # quote >>> unicodedata.name(safe[0]) 'FULLWIDTH LESS-THAN SIGN' >>> unicodedata.normalize('NFKD', safe) '<script>'

4.0 Programming languages • C • Assembly • eBPF, BPF • Go • Java • JavaScript • PHP • Python • Rust

Cryptography

4.0 Cryptography • The Code Book, Simon Singh • Cryptography Engineering, Ferguson/Schneier/Tadayashi • Serious Cryptography, JP Aumasson

4.0 Cryptography free online resources • Cryptography I, Dan Boneh https://www.coursera.org/learn/crypto • The cryptopals crypto challenges https://cryptopals.com/ • Crypto 101, LvH, https://www.crypto101.io/ • Mathematics of Public Key Cryptography, Steven Galbraith (2012)

4.0 TLS/SSL, Certificates • Bulletproof SSL and TLS, Ivan Ristic • CA/Browser Forum Baseline Requirements https://cabforum.org/ • Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS

4.0 Passwords / Authentication • NIST 800-63-3: Digital Identity Guidelines • OAuth, OpenID Connect • 2FA (FIDO, WebAuthn) • Troy Hunt, https://haveibeenpwned.com/

4.0 News, blogs • Linux Weekly News https://lwn.net/ • Troy Hunt https://www.troyhunt.com/ • Krebs on Security https://krebsonsecurity.com/ • Bruce Schneier https://www.schneier.com/ • https://www.feistyduck.com/bulletproof-tls-newsletter/

4.0 Conference videos • Chaos Communication Conference (e.g. 35C3) • Black Hat • DEFCON • Real World Crypto

4.0 Security people • Adam Langley • Alex Gaynor • Brian Krebs (Krebs On Security) • Bruce Schneier • Dan Bernstein (djb) • Frank Denis • Hanno Böck • JP Aumasson • Katie Moussouris • Matt Blaze • Matthew Green • Nick Sullivan • Parisa Tabriz • Ryan Sleevi • Tanja Lange • Tavis Ormandy • Thomas Ptacek • Tony Arcieri • Troy Hunt

Summary

4.0 Summary • “I know that I know nothing” (expert specialist) → • Keep learning • Mind the user • Get experience • Write your own crypto (do NOT use it in production) Please send me your suggestions

Questions? @ChristianHeimes [email protected] [email protected] https://speakerdeck.com/tiran/

THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat linkedin.com/company/red-hat

DevConf.IN 2019: First steps into security engineering

DevConf.IN 2019: First steps into security engineering

More Decks by Christian Heimes

Other Decks in Programming

Featured

Transcript