Help the hackers get your data

In May 2018 something happened to the internet: GDPR came online, and suddenly users in the EU had a lot more rights to their digital privacy, which is awesome. On the flip side, the implementation of the GDPR and the procedures regarding it are very vague, and were meant to be written as we go along, with whatever comes up as best practice.

Books and talks have been written and given about data encryption, problems encountered with event sourcing systems, questionnaires about the purposes of collecting user data... So many words, and hours of many lives spent...

Yet something has been overlooked, something so basic we do not even notice it. If you are working on an enterprise-class project, or on other large projects, you might have an infra team that deals with this and tells you what you need to do to be secure (at least the good ones will). But if you are working on smaller projects, and you have mom-and-pop shops to support, you deserve the same level of security the bigger projects have.

I am talking about secrets and credentials management for your application, the most overlooked aspect of any application.

This talk gives you a look at secrets management and security from the business side of things, and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

September 12, 2019
Transcript

  1. HELP THE HACKERS GET YOUR DATA — Srdjan Vranac, Code4Hire, @vranac

  2. WHOAMI

  3. SEATEC ASTRONOMY

  4. TOO MANY SECRETS

  5. SECURITY IS IMPORTANT M'KAY

  6. A good software engineer has technical skills, communication skills AND business skills — Antonio Peric-Mazar (Locastic CEO)

  7. Take off your developer's hat. Focus on the business goals, less on academics. — David Cramer (Sentry CEO), from "Mastering Duct Tape", PyCon Balkan 2018

  8. COST AND SECURITY ARE AN AFTERTHOUGHT

  9. BY THINKING IN TERMS OF BUSINESS AND COST AND EXPENSES, SECURITY STARTS TO CLIMB MORE AND MORE ON THE PRIORITY LIST

  10. LOW HANGING FRUIT

  11.

  12. DATA BREACHES EXPOSED 4.1 BILLION RECORDS IN FIRST SIX MONTHS OF 2019

  13. COMMON WAYS OF REVEALING YOUR SECRETS?
    > making your information public
    > malicious party gaining access to your infrastructure

  14. MALICIOUS PARTY GAINING ACCESS TO YOUR INFRASTRUCTURE
  15. PAM login notification (shebang first; the script's location is given in the comment; ${PAM_TYPE} quoted so the test does not break when the variable is empty):

    #!/bin/sh
    # location: /etc/pam_scripts/login-email-notification.sh
    EMAIL_TO="sysadmin@example.com"
    EMAIL_FROM="ssh-alert@server1.example.com"
    SUBJECT="SSH Login Notification"
    MESSAGE="
    A user signed into your server through SSH.
    -------------------------------------------
    Username: ${PAM_USER}
    IP Address: ${PAM_RHOST}"

    # pam_exec runs this for every session event; only report the session opening
    if [ "${PAM_TYPE}" = "open_session" ]; then
        echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
    fi
    exit 0

    # location: /etc/pam.d/sshd
    # Login Email Notification
    session required pam_exec.so /etc/pam_scripts/login-email-notification.sh
  16. You don't store your users' passwords in your database, yet the access credentials to said database are written down in cleartext in a file on your server. Sounds familiar? — Andreas Heigl

  17. STORY TIME!

  18. ENVIRONMENT VARIABLES

  19.
  20. tr '\0' '\n' < /proc/<pid>/environ

  21. CONTAINERS!!!111

    docker inspect -f \
      '{{range $index, $value := .Config.Env}}{{println $value}}{{end}}' \
      container_name

  22.
    web_app:
      image: code4hire/dev-images:php-7.2-cli
      hostname: "web_app"
      working_dir: ${WEB_DESTINATION_PATH}
      volumes:
        - ${WEB_APP_PATH}:${WEB_DESTINATION_PATH}
        - ${WEB_REPORTS_PATH}:${WEB_REPORTS_DESTINATION_PATH}
        - ./auth.json:/root/.composer/auth.json
        - "${DATA_PATH}/datadog:/var/run/datadog:ro"
      environment:
        - APPLICATION_ENV=${APPLICATION_ENV}
        - WEB_LOGGER_NAME=${WEB_LOGGER_NAME}
        - WEB_LOG_PATH=${WEB_LOG_PATH}
        - WEB_LOG_LEVEL=${LOG_LEVEL}
        - WEB_LOG_TO_CONSOLE=${LOG_TO_CONSOLE}
        - SENTRY_DSN=${SENTRY_DSN}
        - RMQ_HOST=${RMQ_HOST}
        - RMQ_PORT=${RMQ_PORT}
        - RMQ_USERNAME=${RMQ_USERNAME}
        - RMQ_PASSWORD=${RMQ_PASSWORD}
        - RMQ_VHOST=${RMQ_VHOST}
        - RMQ_PREFETCH_COUNT=${RMQ_PREFETCH_COUNT}
        - RMQ_DEFAULT_EXCHANGE_NAME=${RMQ_DEFAULT_EXCHANGE_NAME}
        - RMQ_DEFAULT_EXCHANGE_TYPE=${RMQ_DEFAULT_EXCHANGE_TYPE}
        ...

  23. DOCKER SECRETS!!! /run/secrets/NAME

  24. IF OPS TEAM ALLOWS THIS! PLEASE HAVE A TALK WITH THEM!

  25. LIABILITY & CRIMINAL NEGLIGENCE

  26. INSURANCE

  27. CERTIFICATION

  28. SECURITY COST/DAMAGE CONTROL

  29. HOW CAN THIS SITUATION BE IMPROVED? SECRETS MANAGEMENT APPLICATIONS

  30. EASE OF SETUP AND OPERATION

  31. SECRET ROTATION

  32. DYNAMIC SECRETS
    {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

  33. ENCRYPTION IN TRANSPORT AND AT REST

  34. CHOICES OF BACKENDS

  35. COST

  36. Ansible Vault, Barbican, Chef Data Bags, Chef Vault, Citadel, Confidant, Configuration Storage Systems (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz, Knox, Red October, Trousseau, Vault (Hashicorp)

  37. AWS SECRETS MANAGER

  38. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
    Cost dimensions:
    - 2 SSH keys per server and 5 database credentials per database.
    - 2 API calls per SSH key per day. 24 API calls per database credential per day.
    - 7 API calls per database credential per week to rotate credentials safely.
    15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month
    4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05 / 10,000 calls
    $6.02 TOTAL (PER MONTH)

  39. EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICRO SERVICES
    Cost dimensions: 5M secrets (each valid for 1 hour). 2 API calls per secret per month.
    Note: since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour
    $2,800.00  5M secrets @ $0.00056 / secret / hour
    $50.00     10M API calls (5M secrets * 2 API calls) @ $0.05 / 10,000 calls
    $2,850.00  TOTAL (PER MONTH)

  40. HASHICORP VAULT

  41. GOOD FIT?

  42. Shamir's Secret Sharing algorithm

  43. VAULT STARTUP: UNSEAL -> DECRYPT -> AUTHENTICATE -> LOAD POLICIES -> READY

  44. VAULT OPERATES EXCLUSIVELY IN A WHITELIST MODE
  45. PHP (the slide's snippet read the body from an undefined $responseBody; fixed here to use the response body it actually fetched):

    $client = new \GuzzleHttp\Client([
        'base_uri' => $baseUrl,
        'timeout'  => 2.0,
        'headers'  => [
            'X-Vault-Token' => $accessToken,
            'Accept'        => 'application/json',
        ],
    ]);
    $response = $client->request('GET', '/v1/secret/hello/excited');
    $body = $response->getBody();
    $body->seek(0);
    $output = json_decode(trim($body->getContents()));
    print_r($output->data->excited);   // prints: yes
  46. EVERYTHING IS AWESOME? RIGHT?
    > sealing/unsealing
    > http calls

  47. HOW DOES IT ALL FIT TOGETHER:
    > vault token goes into config (ironic, I know)
    > token gets sent to the vault server, and client token is returned
    > only retrieval of secrets granted by the ACL assigned is possible
    > when lease on client token expires, vault token is used to obtain new one

  48. IN CASE OF BREACH:
    > your tripwire system is triggered
    > your files are downloaded (possibly config as well)
    > you remove server from public
    > you rotate the token generated
    > you update the config
    > you make server publicly available

  49. BUT DO YOU GO FOR IT ON EVERY PROJECT?
    > user data, maybe PII, maybe not? yes
    > any kind of sensitive data? yes
    > any kind of payments on the system? definitely yes

  50. FINAL WORDS

  51. average cost of a large data breach (in which more than one million records are lost) in 2018 was $3.9 MILLION DOLLARS

  52. THE END
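The flow of slide 47 (the configured Vault token is only used to obtain a policy-bound client token, which does the reads and is replaced when its lease runs out), with the parent token read from a Docker secret file as on slide 23 rather than from an environment variable that slides 20 to 22 show leaking; this is an added example in the style of the deck's PHP slide, not code from the talk. It assumes Guzzle, Vault's token auth backend, a KV v1 engine mounted at secret/, and the made-up names vault_token (the Docker secret) and web-app (the Vault policy).

```php
<?php
// Added example, not the talk's code. Assumed: Guzzle, Vault token auth, KV v1
// mounted at secret/; the names vault_token and web-app are made up.
require 'vendor/autoload.php';

function loadSecret(string $name): string   // fail closed: no getenv() fallback
{
    $path = '/run/secrets/' . basename($name);
    if (!is_readable($path)) {
        throw new RuntimeException("secret '$name' is not mounted at $path");
    }
    return rtrim((string) file_get_contents($path), "\r\n");
}

final class VaultSecrets
{
    private \GuzzleHttp\Client $http;
    private ?string $clientToken = null;
    private int $clientTokenExpiresAt = 0;

    public function __construct(string $baseUrl, private string $parentToken, private string $policy)
    {
        $this->http = new \GuzzleHttp\Client(['base_uri' => $baseUrl, 'timeout' => 2.0]);
    }

    // Exchange the parent token for a client token limited to one policy; mint
    // a fresh one (again with the parent token) when the lease is nearly over.
    private function clientToken(): string
    {
        if ($this->clientToken !== null && time() < $this->clientTokenExpiresAt - 30) {
            return $this->clientToken;
        }
        $res = $this->http->request('POST', '/v1/auth/token/create', [
            'headers' => ['X-Vault-Token' => $this->parentToken],
            'json'    => ['policies' => [$this->policy], 'ttl' => '15m', 'renewable' => false],
        ]);
        $auth = json_decode((string) $res->getBody(), true)['auth'];
        $this->clientTokenExpiresAt = time() + (int) $auth['lease_duration'];
        return $this->clientToken = $auth['client_token'];
    }

    // Reads carry the client token, so only paths its policy grants succeed.
    public function read(string $path, string $key): string
    {
        $res  = $this->http->request('GET', '/v1/secret/' . ltrim($path, '/'),
            ['headers' => ['X-Vault-Token' => $this->clientToken()]]);
        $data = json_decode((string) $res->getBody(), true)['data'] ?? [];
        return (string) ($data[$key] ?? throw new RuntimeException("no key '$key' at secret/$path"));
    }
}

$vault = new VaultSecrets('http://127.0.0.1:8200', loadSecret('vault_token'), 'web-app');
echo $vault->read('hello', 'excited'), PHP_EOL; // the deck's example secret
```

For the breach procedure on slide 48, rotating the parent token is the only change needed: the client tokens it minted die with their short TTL, and the next read mints a new one from the rotated parent.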