operations security (opsec)
Post on 09-Jul-2015
OPSEC - operations security
Mikko Ohtamaa ThaiPy / Bangkok / Nov 2014
opensourcehacker.com
moo9000
Agenda
Team security
User security
Infrastructure security
Person-to-person Bitcoin exchange
Bitcoin users are high value targets
Team security
Physical access (display sleep + password)
Encrypt devices (computers AND phones)
Two-factor authentication on email inbox
Two-factor authentication on site admin
Two-factor SSH
Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
"Cyber hygiene": password management (KeePassX), SSH keys (automatically unlocked at computer login)
http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
User security
Passwords are dead
Password stealing attacks by keylogging and file-system reading malware
Strong password gives only limited additional protection
Throttle login attempts with CAPTCHA
Threshold logins per IP (leaked credentials from the black market)
Threshold per username (spearhead brute force)
Threshold all logins per minute (botnet attack)
recaptcha.net - https://github.com/praekelt/django-recaptcha
http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and-mitigating-botnet-driven-login-attacks/
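The three thresholds above as one in-memory throttle, written as an added example (not the talk's code and not the linked post's; that post keeps the same counters in Redis, this version uses Python deques plus an injectable clock so it runs offline). The limits and window are illustrative assumptions, not numbers from the talk:

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Injectable clock so the throttle can be exercised deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Three rolling-window counters over failed logins.

    per_ip     : credential stuffing from a leaked-password list (one source, many accounts)
    per_user   : targeted brute force on one account (many sources, one account)
    per_minute : distributed botnet that stays under both limits above
    Tripping a tier should raise a CAPTCHA, not reject the login outright.
    Default limits are assumptions for this example.
    """

    TIERS = ("ip", "user", "global")

    def __init__(self, per_ip=5, per_user=10, per_minute=100, window=60, clock=time.time):
        self.limits = {"ip": per_ip, "user": per_user, "global": per_minute}
        self.window = window
        self.clock = clock
        self.events = {tier: defaultdict(deque) for tier in self.TIERS}

    @staticmethod
    def _keys(ip, username):
        # Normalise the username so "Alice" and "alice" share one counter.
        return (("ip", ip), ("user", username.strip().lower()), ("global", "*"))

    def _prune(self, queue, now):
        # Drop timestamps that have fallen out of the rolling window.
        while queue and queue[0] <= now - self.window:
            queue.popleft()

    def record_failure(self, ip, username):
        """Call after a failed login attempt."""
        now = self.clock()
        for tier, key in self._keys(ip, username):
            self.events[tier][key].append(now)

    def captcha_required(self, ip, username):
        """Return the first tier whose limit is reached, or None if the attempt may proceed."""
        now = self.clock()
        for tier, key in self._keys(ip, username):
            queue = self.events[tier][key]
            self._prune(queue, now)
            if len(queue) >= self.limits[tier]:
                return tier
        return None
```

Call `captcha_required()` before checking the password and `record_failure()` after a failed check. The dictionaries here grow with every new IP and username seen; Redis keys with a TTL expire on their own, which is the practical reason the linked post implements the counters there.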
Two-factor authentication for your users
Lack of two-factor
scenario: US 0.90%
scenario: Great Britain 0.90%
scenario: Australia 7.58%
www.schneier.com/blog/archives/2006/11/fighting_fraudu.html
Time-Based One-Time Password Algorithm
TOTP a.k.a. Google Authenticator, RFC 6238. Google provides an app for Android and iOS; it does not require a Google account. Other open source implementations exist.
HMAC-Based One-Time Password Algorithm
HOTP, RFC 4226: counter-based, the scheme behind printed one-time code lists (not a true one-time pad)
Common in Nordic internet banking, unheard of in many countries
SMS
Yubikey
Calculators and other hardware tokens
As a service: authy.org
twofactorauth.org
For Django: https://github.com/miohtama/django-twofactor
Third factor
Users lose their credentials
Recycled passwords (black market)
Phishing (Google AdWords attack)
Stolen two-factor codes
Third factor parameters
Unknown web browser (identified by cookie)
The country of the IP address
The reputation of IP address (botnet, Tor, VPS)
IP address whitelist
Confirm by email or by SMS “is it really you”
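One way to implement the third-factor parameters listed above, as an added example (not the talk's code): the browser is recognised by an HMAC-signed cookie bound to the user id, and the remaining signals decide whether the "is it really you" confirmation is sent. The cookie format, the 90-day lifetime, the `user` / `ip_info` dictionaries and the reputation labels are assumptions of this example; the GeoIP and reputation lookups themselves are out of scope:

```python
import hashlib
import hmac
import secrets
import time

# Assumption: one server-side secret; a real deployment loads it from configuration.
DEVICE_COOKIE_KEY = secrets.token_bytes(32)
DEVICE_COOKIE_MAX_AGE = 90 * 86400  # remember a browser for 90 days (illustrative)


def issue_device_cookie(user_id: int, key: bytes = DEVICE_COOKIE_KEY, now: float = None) -> str:
    """Set this cookie (HttpOnly, Secure) after a login that passed both factors.
    Format: user_id:issued_at:nonce:hmac-sha256(payload)."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}:{issued}:{secrets.token_hex(8)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def is_known_browser(cookie, user_id: int, key: bytes = DEVICE_COOKIE_KEY,
                     max_age: int = DEVICE_COOKIE_MAX_AGE, now: float = None) -> bool:
    """True only if the cookie was issued by us, for this user, and has not expired."""
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 4:
        return False
    uid, issued, nonce, tag = parts
    payload = f"{uid}:{issued}:{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or tampered
    now = time.time() if now is None else now
    # Binding to user_id stops a cookie harvested from user A from vouching for user B.
    return uid == str(user_id) and 0 <= now - int(issued) <= max_age


def confirmation_required(user: dict, ip_info: dict, cookie, key: bytes = DEVICE_COOKIE_KEY,
                          now=None):
    """Decide whether the "is it really you" email/SMS step runs before login completes.

    user:    {"id": int, "home_country": "FI", "ip_whitelist": set()} (empty set = no whitelist)
    ip_info: {"ip": str, "country": str, "reputation": "clean" | "tor" | "vps" | "botnet"}
    Returns (required, reasons)."""
    reasons = []
    if user["ip_whitelist"] and ip_info["ip"] not in user["ip_whitelist"]:
        reasons.append("ip not in user's whitelist")
    if not is_known_browser(cookie, user["id"], key, now=now):
        reasons.append("unknown browser")
    if ip_info["country"] != user["home_country"]:
        reasons.append(f"login from {ip_info['country']}, usual country {user['home_country']}")
    if ip_info["reputation"] != "clean":
        reasons.append(f"ip reputation: {ip_info['reputation']}")
    return bool(reasons), reasons
```

The reasons list is worth logging and worth showing to the user in the confirmation message: a legitimate traveller understands "login from TH", and a victim of a stolen two-factor code learns where the attacker is.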
Mad general problem
“If your local computer is compromised by malware or anything else, it is just like a mad general”
http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
What I have seen
Malicious browser add-on modifying sites on the fly
Android and iOS malware
SMS capture attacks
Spearhead email phishing
Google AdWords phishing
Malicious Tor exit nodes
http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764
Infrastructure security
fail2ban: daemon automatically blocking IPs by log file analysis
(e.g. Apache, SSH, your application)
Attack mitigation as a reverse proxy service: cloudflare.net
Known bad IPs: projecthoneypot.org
IP information: http://myip.ms/
Flood attacks
Flood actions and anonymous forms: password reset email, invite email, user messaging
Mostly harmless / reputation hit
Have throttling and banning per IP
Throttle email actions with a custom log file and fail2ban
https://shubh.am/full-disclosure-coinbase-security/
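The "custom log file and fail2ban" approach, replayed in Python as an added example (not the talk's code): the application writes one line per email action, and `find_bans()` applies fail2ban's `maxretry` / `findtime` / `bantime` semantics to those lines. The log format, the sample lines and the thresholds are constructed for this example; the matching fail2ban `failregex` is given in a comment:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of the application's own "email actions" log; not a real log.
SAMPLE_LOG = """\
2014-11-20 10:00:01 password-reset ip=203.0.113.5 email=a@example.com
2014-11-20 10:00:02 password-reset ip=203.0.113.5 email=b@example.com
2014-11-20 10:00:03 password-reset ip=198.51.100.7 email=c@example.com
2014-11-20 10:00:04 password-reset ip=203.0.113.5 email=d@example.com
2014-11-20 10:00:05 invite-email ip=203.0.113.5 email=e@example.com
2014-11-20 10:00:06 password-reset ip=203.0.113.5 email=f@example.com
2014-11-20 10:00:07 password-reset ip=203.0.113.5 email=g@example.com
2014-11-20 10:15:00 password-reset ip=198.51.100.7 email=h@example.com
2014-11-20 10:15:01 password-reset ip=198.51.100.7 email=i@example.com
2014-11-20 10:15:02 password-reset ip=198.51.100.7 email=j@example.com
"""

# The same pattern as a fail2ban filter (filter.d/myapp-email.conf) would be:
#   failregex = ^\S+ \S+ (password-reset|invite-email|user-message) ip=<HOST>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>password-reset|invite-email|user-message) ip=(?P<ip>\S+)"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Replay the log with fail2ban's semantics: an IP with >= maxretry matching
    lines inside a findtime-second window is banned for bantime seconds.
    Returns [(ip, ban_time)] in the order the bans were issued."""
    hits = defaultdict(deque)   # ip -> timestamps of recent matches
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
        ip = match["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned; in production the firewall rule drops it
        window = hits[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans
```

Logging the action name rather than the whole request keeps the file free of user data while still giving fail2ban (or this replay) everything it needs; the `email=` field is only in the sample to show that one attacker can spray many addresses from one IP.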
Encrypt all the servers
Encrypt your server content - “mad hosting provider”
Encrypt backups: GPG, duplicity
Encrypt server-to-server connections: AutoSSH, VPN
Virtual machines are never fully under your control: the hosting provider can read their disks, snapshots and memory
http://blog.bitly.com/#85169217199
Server security monitoring
Untamperable logs (external log servers / systemd forward secure sealing)
Known processes and files list (Tripwire)
Firewalling
http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html
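Forward secure sealing in miniature, as an added example (not the talk's code and not systemd's construction, which is more elaborate): every entry is authenticated with the current key, the key is then ratcheted one-way and the old one discarded. The example shows both what the scheme buys (earlier entries cannot be rewritten after a takeover) and the limits the linked post is about (later entries can be forged with the stolen key, and verification needs the initial key kept off the host). Key sizes, the ratchet label and the entry layout are assumptions of this example:

```python
import hashlib
import hmac

_ZERO = b"\x00" * 32


def ratchet_key(key: bytes) -> bytes:
    """Derive the next sealing key; one-way, so k_i cannot be recovered from k_{i+1}."""
    return hmac.new(key, b"ratchet", hashlib.sha256).digest()


def seal_entry(key: bytes, seq: int, prev_tag: bytes, message: bytes) -> bytes:
    """Tag binds the entry to its position and to the previous tag (hash chain)."""
    return hmac.new(key, prev_tag + seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


class SealedLog:
    """Append-only log where entry i is sealed with k_i, after which k_i is
    discarded and replaced by k_{i+1}. A host compromised after entry t holds
    only k_{t+1}, so it can forge later entries but cannot rewrite earlier ones."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key          # on the host, only ever the *current* key
        self._prev_tag = _ZERO
        self.entries = []                # (seq, message, tag) triples

    def append(self, message: bytes) -> bytes:
        seq = len(self.entries)
        tag = seal_entry(self._key, seq, self._prev_tag, message)
        self.entries.append((seq, message, tag))
        self._prev_tag = tag
        self._key = ratchet_key(self._key)  # the key that sealed this entry is now gone
        return tag

    def current_key(self) -> bytes:
        """What an attacker finds in memory after taking over the host."""
        return self._key


def verify(entries, initial_key: bytes, expected_count: int = None):
    """Offline verifier holding k_0 (kept off the host, e.g. printed as a QR code).
    Returns the index of the first entry that fails, or None if everything checks out.
    Removal of the tail is only detectable when the verifier knows how many
    entries there should be (for instance from a remote log forwarder)."""
    key, prev = initial_key, _ZERO
    for expected_seq, (seq, message, tag) in enumerate(entries):
        if seq != expected_seq or not hmac.compare_digest(seal_entry(key, seq, prev, message), tag):
            return expected_seq
        prev, key = tag, ratchet_key(key)
    if expected_count is not None and len(entries) < expected_count:
        return len(entries)
    return None
```

This is why the scheme only pays off together with something external: either the initial key and an expected entry count held off the host, or simply shipping the log to a separate log server as the slide's first option suggests.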
THANK YOU
opensourcehacker.com Open Source Hacker
mikko@opensourcehacker.com
moo9000
https://www.youtube.com/watch?v=OSGv2VnC0go&feature=youtu.be
https://packaging.python.org/