Help the hackers get your data

In May 2018 something happened to the internet: GDPR came into force,
and suddenly users in the EU had a lot more rights to their digital privacy,
which is awesome. But on the flip side, the implementation of the GDPR and
the procedures regarding it are very vague, and were meant to be written as
we go along, with whatever comes up as best practice.
Books and talks have been written and given about data encryption, problems
encountered with event sourcing systems, questionnaires about the purposes of
collecting user data... So many words, and hours of many lives spent...
Yet something has been overlooked, something so basic that we do not even notice it.
If you are working on an enterprise-class project, or on other large projects,
you might have an infra team that deals with this and tells you what you need
to do to be secure (at least the good ones will).
But... if you are working on smaller projects, and you have mom-and-pop shops
to support, you deserve the same level of security bigger projects have...
I am talking about secrets and credentials management for your application, the most
overlooked aspect of any application.
This talk gives you a look at secrets management and security from the business side of things,
and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

August 30, 2019

Transcript

  1. HELP THE HACKERS GET
    YOUR DATA
    1 — Srdjan Vranac, Code4Hire, @vranac

  2. WHOAMI

  3. SEATEC ASTRONOMY

  4. TOO MANY SECRETS

  5. SECURITY IS IMPORTANT
    M'KAY

  6. A good software engineer has
    technical skills,
    communication skills
    AND business skills
    — Antonio Peric-Mazar (Locastic CEO)

  7. Take off your developer's hat.
    Focus on the business goals,
    less on academics.
    — David Cramer (Sentry CEO)
    from "Mastering Duct Tape", PyCon Balkan 2018

  8. COST AND SECURITY ARE AN AFTERTHOUGHT

  9. BY THINKING IN TERMS OF BUSINESS
    AND COST AND EXPENSES
    SECURITY STARTS TO CLIMB MORE AND
    MORE ON THE PRIORITY LIST

  10. LOW HANGING FRUIT

  11. (image-only slide; no transcript text)

  12. DATA BREACHES EXPOSED
    4.1 BILLION RECORDS
    IN FIRST SIX MONTHS OF 2019

  13. COMMON WAYS OF REVEALING YOUR SECRETS?
    > making your information public,
    > malicious party gaining access to your infrastructure

  14. MALICIOUS PARTY GAINING ACCESS TO
    YOUR INFRASTRUCTURE

  15. # location: /etc/pam_scripts/login-email-notification.sh
    #!/bin/sh
    # pam_exec runs this for every SSH session; PAM_USER, PAM_RHOST and
    # PAM_TYPE arrive in the environment.
    EMAIL_TO="[email protected]"
    EMAIL_FROM="[email protected]"
    SUBJECT="SSH Login Notification"
    MESSAGE="
    A user signed into your server through SSH.
    -------------------------------------------
    Username: ${PAM_USER}
    IP Address: ${PAM_RHOST}"
    # PAM_TYPE is quoted: an unset or empty value would otherwise break the test
    if [ "${PAM_TYPE}" = "open_session" ]; then
        echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
    fi
    exit 0

    # location: /etc/pam.d/sshd
    # Login Email Notification
    session required pam_exec.so /etc/pam_scripts/login-email-notification.sh

  16. You don't store your users' passwords in your database,
    yet the access credentials to said database are written
    down in cleartext in a file on your server. Sound
    familiar?
    — Andreas Heigl

  17. STORY TIME!

  18. ENVIRONMENT VARIABLES

  19. (image-only slide; no transcript text)

  20. # every variable of a running process, readable by its own uid (or root)
    tr '\0' '\n' < /proc/<pid>/environ

  21. CONTAINERS!!!111
    docker inspect -f \
    '{{range $index, $value := .Config.Env}}{{println $value}}{{end}}' \
    container_name

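The tr and docker inspect commands above show the attacker's side of environment-carried secrets. The script below, added here as an example and not code from the deck, does the defender's side of the same thing: it walks a /proc tree, parses each process's NUL-separated environ file exactly as the tr command does, and reports variables whose names look like credentials, with the values redacted. The name pattern and the redaction rule are this example's own assumptions. The kernel only allows reading environ for processes you could ptrace (same uid, or root / CAP_SYS_PTRACE), which is precisely why a compromised shell running as the application user is enough to harvest them.

```python
import os
import re
from typing import Dict, List, Tuple

# Assumption for this example: variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|DSN|CREDENTIALS?)",
    re.IGNORECASE,
)


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse /proc/<pid>/environ: KEY=VALUE records separated by NUL bytes."""
    env: Dict[str, str] = {}
    for record in raw.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep:  # skips the empty trailing record and anything without '='
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def redact(value: str) -> str:
    """Keep two characters at each end so a finding can be matched to a known secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, variable, redacted value) for every readable process
    environment that carries a credential-looking variable.

    Processes we may not ptrace raise PermissionError and are skipped, as are
    processes that exit between listdir() and open()."""
    findings: List[Tuple[int, str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "environ"), "rb") as fh:
                raw = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        for key, value in parse_environ(raw).items():
            if value and SECRET_NAME_RE.search(key):
                findings.append((int(entry), key, redact(value)))
    return sorted(findings)


if __name__ == "__main__":
    for pid, key, shown in scan_proc():
        print(f"pid {pid}: {key}={shown}")
```

Run it as the application user on a box where the app was started from a .env file and the RMQ_PASSWORD and SENTRY_DSN from the compose file on the next slide come straight back; run it as root and you get every service on the host.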
  22. web_app:
      image: code4hire/dev-images:php-7.2-cli
      hostname: "web_app"
      working_dir: ${WEB_DESTINATION_PATH}
      volumes:
        - ${WEB_APP_PATH}:${WEB_DESTINATION_PATH}
        - ${WEB_REPORTS_PATH}:${WEB_REPORTS_DESTINATION_PATH}
        - ./auth.json:/root/.composer/auth.json
        - "${DATA_PATH}/datadog:/var/run/datadog:ro"
      environment:
        - APPLICATION_ENV=${APPLICATION_ENV}
        - WEB_LOGGER_NAME=${WEB_LOGGER_NAME}
        - WEB_LOG_PATH=${WEB_LOG_PATH}
        - WEB_LOG_LEVEL=${LOG_LEVEL}
        - WEB_LOG_TO_CONSOLE=${LOG_TO_CONSOLE}
        - SENTRY_DSN=${SENTRY_DSN}
        - RMQ_HOST=${RMQ_HOST}
        - RMQ_PORT=${RMQ_PORT}
        - RMQ_USERNAME=${RMQ_USERNAME}
        - RMQ_PASSWORD=${RMQ_PASSWORD}
        - RMQ_VHOST=${RMQ_VHOST}
        - RMQ_PREFETCH_COUNT=${RMQ_PREFETCH_COUNT}
        - RMQ_DEFAULT_EXCHANGE_NAME=${RMQ_DEFAULT_EXCHANGE_NAME}
        - RMQ_DEFAULT_EXCHANGE_TYPE=${RMQ_DEFAULT_EXCHANGE_TYPE}
      ...

  23. DOCKER SECRETS!!!
    /run/secrets/NAME

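Reading a file-mounted secret sounds trivial, but two things go wrong in practice: the code keeps a plain environment-variable fallback that silently wins, and a secret created with `echo "pw" | docker secret create ...` carries a trailing newline that ends up inside the password. The helper below is an added example, not code from the talk, showing a lookup order an application can use: a file under /run/secrets first, then a `<NAME>_FILE` pointer (the convention the official Docker library images use, so the path stays configurable), and a bare environment variable only when the caller explicitly opts in. The directory and variable names in the test data are constructed.

```python
import os
from typing import Mapping

SECRETS_DIR = "/run/secrets"  # Docker Swarm / Compose mount point (tmpfs, read-only)


class SecretNotFound(LookupError):
    pass


def _read_secret_file(path: str) -> str:
    with open(path, "rb") as fh:
        data = fh.read()
    # Strip exactly one trailing newline: a secret piped in from `echo` ends in "\n".
    if data.endswith(b"\n"):
        data = data[:-1]
    return data.decode("utf-8")


def load_secret(name: str, *, secrets_dir: str = SECRETS_DIR,
                environ: Mapping[str, str] = os.environ,
                allow_env: bool = False) -> str:
    """Resolve a secret by name, most-protected source first.

    1. <secrets_dir>/<name>               Docker secret mounted as a file
    2. file named by env var <NAME>_FILE  official-image convention
    3. env var <NAME>                     only if allow_env=True; this one shows
                                          up in `docker inspect` and /proc/<pid>/environ
    """
    path = os.path.join(secrets_dir, name)
    if os.path.isfile(path):
        return _read_secret_file(path)

    env_name = name.upper()
    file_pointer = environ.get(env_name + "_FILE")
    if file_pointer:
        return _read_secret_file(file_pointer)

    if allow_env and env_name in environ:
        return environ[env_name]

    looked = f"{path}, ${env_name}_FILE" + (f", ${env_name}" if allow_env else "")
    raise SecretNotFound(f"no secret {name!r}; looked in {looked}")
```

Keep `allow_env` off in production; its only purpose is local development where nobody has set up a secrets mount, and making the fallback explicit is what stops it from quietly becoming the production path.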
  24. IF OPS TEAM ALLOWS THIS!
    PLEASE HAVE A TALK WITH THEM!

  25. LIABILITY
    &
    CRIMINAL NEGLIGENCE

  26. INSURANCE

  27. CERTIFICATION

  28. SECURITY
    COST/DAMAGE CONTROL

  29. HOW CAN THIS SITUATION BE IMPROVED?
    SECRETS MANAGEMENT APPLICATIONS

  30. EASE OF SETUP AND OPERATION

  31. SECRET ROTATION

  32. DYNAMIC SECRETS
    {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

  33. ENCRYPTION IN TRANSPORT AND AT
    REST

  34. CHOICES OF BACKENDS

  35. COST

  36. Ansible Vault, Barbican, Chef Data Bags, Chef Vault,
    Citadel, Confidant, Configuration Storage Systems
    (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz,
    Knox, Red October, Trousseau, Vault (Hashicorp)

  37. AWS SECRETS MANAGER

  38. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
    Cost Dimensions
    - 2 SSH keys per server and 5 database credentials per database.
    - 2 API calls per SSH key per day. 24 API calls per database credential per day.
    - 7 API calls per database credential per week to rotate credentials safely.
    15 secrets (2 SSH keys * 1 load balancer
    + 2 SSH keys * 2 web servers
    + 2 SSH keys * 2 app servers
    + 5 database credentials * 1 database)
    @ $0.40 / secret / month
    4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
    + 5 database credentials * 1 database * 24 API calls/day * 30 days
    + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls
    $6.02 TOTAL (PER MONTH)

  39. EXAMPLE 2: USING EPHEMERAL SECRETS TO
    AUTHENTICATE MICRO SERVICES
    Cost Dimensions
    5M secrets (each valid for 1 hour).
    2 API calls per secret per month.
    Note: Since these secrets are stored in Secrets Manager for an hour,
    the price per secret is calculated as
    $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret/ hour
    $2,800.00 5M secrets @ $0.00056 / secret/ hour
    $50.00 10M API calls (5M secret * 2 API calls) @ $0.05/10,000 calls
    $2,850.00 TOTAL (PER MONTH)

  40. HASHICORP VAULT

  41. GOOD FIT?

  42. SHAMIR'S SECRET SHARING ALGORITHM

  43. VAULT STARTUP
    UNSEAL -> DECRYPT -> AUTHENTICATE -> LOAD POLICIES -> READY

  44. VAULT OPERATES EXCLUSIVELY IN A
    WHITELIST MODE

  45. PHP
    <?php
    require 'vendor/autoload.php';

    // $baseUrl and $accessToken come from the application config (see slide 47)
    $client = new \GuzzleHttp\Client([
        'base_uri' => $baseUrl,
        'timeout'  => 2.0,
        'headers'  => [
            'X-Vault-Token' => $accessToken,
            'Accept'        => 'application/json',
        ],
    ]);
    // KV read; the token's policy must grant "read" on secret/hello/excited
    $response = $client->request('GET', '/v1/secret/hello/excited');
    $output = json_decode((string) $response->getBody());
    print_r($output->data->excited);
    yes

  46. EVERYTHING IS AWESOME? RIGHT?
    > sealing/unsealing
    > http calls

  47. HOW DOES IT ALL FIT TOGETHER:
    > vault token goes into config (ironic, I know)
    > token gets sent to the vault server, and client token is
    returned
    > only retrieval of secrets granted by the ACL assigned is
    possible
    > when lease on client token expires, vault token is used
    to obtain new one

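The flow on slide 47 (one long-lived token in the config that is used only to mint short-lived client tokens, which then read secrets until their lease runs out) and the dynamic database credentials of slide 32 fit into one small client. The code below is an added example, not the talk's code and not HashiCorp's client library; it calls Vault's documented HTTP endpoints (POST /v1/auth/token/create, GET /v1/database/creds/<role>, GET /v1/secret/<path>) through an injectable transport so the renew-before-expiry logic can be exercised offline against a fake server. The 60-second renewal margin, the role name `app`, the Python format placeholders standing in for the slide's `{{ }}` template, and the base URL are assumptions of this example.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, json_body_or_None, headers) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], dict]


def urllib_transport(method: str, url: str, body: Optional[dict],
                     headers: Dict[str, str]) -> dict:
    """Real HTTP transport; the test swaps in a fake one."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=2.0) as resp:
        return json.load(resp)


class VaultClient:
    """Holds the config token and uses it for one thing only: creating child tokens."""

    RENEW_MARGIN = 60  # seconds before lease end at which a fresh child token is fetched

    def __init__(self, base_url: str, config_token: str, child_ttl: str = "1h",
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._base_url = base_url.rstrip("/")
        self._config_token = config_token
        self._child_ttl = child_ttl
        self._transport = transport
        self._clock = clock
        self._client_token: Optional[str] = None
        self._expires_at = 0.0

    def _call(self, method: str, path: str, token: str, body: Optional[dict] = None) -> dict:
        headers = {"X-Vault-Token": token, "Accept": "application/json"}
        return self._transport(method, self._base_url + path, body, headers)

    def _client_token_for_request(self) -> str:
        """Mint a child token on first use, and again once the current one is
        within RENEW_MARGIN of its lease end. Secrets are never read with the
        config token itself."""
        if self._client_token is None or self._clock() >= self._expires_at - self.RENEW_MARGIN:
            resp = self._call("POST", "/v1/auth/token/create", self._config_token,
                              {"ttl": self._child_ttl, "renewable": True})
            self._client_token = resp["auth"]["client_token"]
            self._expires_at = self._clock() + resp["auth"]["lease_duration"]
        return self._client_token

    def read(self, path: str) -> dict:
        """GET /v1/<path>; the policy attached to the child token decides what is allowed."""
        return self._call("GET", "/v1/" + path.lstrip("/"), self._client_token_for_request())

    def database_dsn(self, role: str, template: str) -> Tuple[str, str, int]:
        """Ask the database secrets engine for a fresh per-lease credential pair and
        render it into a DSN. Returns (dsn, lease_id, lease_duration); the caller
        must reconnect with new credentials before lease_duration elapses."""
        resp = self.read(f"database/creds/{role}")
        creds = resp["data"]
        dsn = template.format(username=creds["username"], password=creds["password"])
        return dsn, resp["lease_id"], resp["lease_duration"]
```

The breach procedure on the next slide now has a small surface: the only long-lived material on disk is the config token, revoking it invalidates every child token minted from it, and the database credentials attackers may have scraped from memory expire on their own at the end of the lease.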
  48. In case of breach:
    > your tripwire system is triggered
    > your files are downloaded, possibly the config ones as
    well
    > you remove server from public
    > you rotate the token generated
    > you update the config
    > you make server publicly available

  49. FINAL WORDS

  50. average cost of a large data breach (in which more than
    one million records are lost) in 2018 was
    $3.9 MILLION DOLLARS

  51. THE END