puppetconf 2016: how you actually get hacked – ben hughes, etsy
TRANSCRIPT
How You Actually Get Hacked
1 — @benjammingh for PuppetConf 2016
AKA Do you want ants? Because that's how you get ants!
Who's this clown?
→ Infrastructure security at Etsy.
→ Puppet Labs Operations alumni.
→ First used Puppet on the 0.26 branch.
→ Has only been in big trouble with the phone company once. (https://twitter.com/skullmandible/status/411281851131523072)
What this talk is about?
→ Risk and threat modelling.
→ Reality, and infosec's aversion to it.
→ What to actually focus on, to be more secure, but less hipster.
→ Security myopia and the best being the enemy of the good.
What this talk is not about?
→ Mad 0day. Go to Infiltrate.
→ Vendor sponsorship. (Note however, it is Black Friday soon: www.etsy.com)
→ Me reading out breach reports.
→ Nessus.
Mild audience participation warning!
Google Syndrome Disclaimer!
If you are Google/Facebook/BAE Systems/Raytheon/any part of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you.
Also stop listening to funny haired people who work at yarn websites for your security advice!
Smash the 1%, eat the rich!
Threat modelling
The who now?
H1B fashion model visa.
Working out who might attack you and how
Evaluating risks and reality (and impact)
Are humans good at evaluating risk?
Have you ever said: "Have a safe flight!"
Has anyone ever said: "Have a safe drive to the airport!"
Flying:
→ An entire spare pilot.
→ Computer controlled.
→ A spare engine!
→ 100s of hours training/qualifications.
→ Regular safety checks.
Taxis:
→ ....
→ Have the strange smelling pine tree thing?
Every statistic says flying is 100x safer
Security: what is it?
"The state or condition of being or feeling secure." -- The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees)
"Being or feeling secure"
Secure [from whom?]
Who are you defending against?
→ Scripts (mass own WordPress, nmap/zmap looking for mongodb/mssql/etc)
→ Script kiddies (the above, but with a tutorial)
→ Bug bounties (hand wave: 80% of attacks on your website?)
→ Red teams/pen tests (every... 6 months? maybe?)
Other attackers?
→ China!!!111 (though now Russia is in vogue)
→ Hackers in it for the lols (needs no explanation)
→ Hacktivists (I remain unconvinced these are real)
→ Hacking for profit (not for fun. See China)
The main ones, ZOMG.
→ NSA.
→ Now and then the FBI.
→ Everyone forgets about CSE (and all of Five Eyes).
→ GCHQ (who seem to have fewer morals..)
"How to NSA-Proof your Apple iCloud account. – Underground Network"
"Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder"
"NSA-proof your e-mail in 2 hours"
"How NSA-Proof Are VPN Service Providers?"
"An NSA-proof operating system. Yes, for real."
"NSA-proof passwords"
"NSA-proof SSH"
"Physicists are building an NSA-proof internet"
The NSA should probably not be in your threat model.
Whaaa? But shouldn't we defend against everyone?
Once you can defend against everyone up to the NSA, then try to defend against the NSA.
*cough* (please infosec, stop this NSA fetishism & security nihilism) *cough*
Which is also again saying: learn to threat model in reality.
Impact! What is the business impact of this breach?
Defacement vs. DDoS
→ If you're a real-time trading house or a large DNS provider, DDoS is a really expensive thing; defacement is not as big.
→ For a political party website, DDoS is just annoying; defacement could be huge.
Mail doxing/spooling
→ If you're a hacker in the 90s, having your mail shared with a 'zine is annoying.
→ If you're a presidential candidate, your mail being public could endanger an election.
In just your company
→ Credit card processing done by you or someone else (hi Stripe).
→ PII or other user data.
→ Laptop being stolen (please tell me they're encrypted and passworded...).
→ Annoying people from Lizard Squad on IRC, and suffering a large DDoS.
Breaches
How do systems get (0wned|compromised|breached)?
Well here's how it happened in the 90s.
l33t$ cc -o humpdee humpdee.c
l33t$ ./humpdee 203.0.113.76
Humpdee c0ded by Tekneeq Crew!
Local address: 198.51.100.12
Return position: 678
Return address: 0x01423908
Got shell
# id
uid=0(root) gid=0(root)
Big thanks to our teal 90s sponsor: http://www.attrition.org/hosted/tekneeq/
(I'm trying to be invited back next year)
$shellcode = @("shellcodez"/L)
  \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0\
  \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80\
  \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\
  \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\
  \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\
  \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
  |-shellcodez
madexploit { "humpdee":
  ensure    => shell,
  target    => '203.0.113.76',
  shellcode => $shellcode,
  require   => Date['90s'],
}
Timewarp to now!
→ 99% of servers don't have real routable IPs.
→ TEH CLOUD, NAT, load balancers, &c.
→ A few people bought firewalls.
→ DEP, SEP, stack cookies, ASLR, GENTOO!!!11
→ Hopefully you've patched this vuln from 1997?
iOS (not IOS, that is somewhat less secure)
Things we know
→ FBI bought an "exploit" for $1M.
→ Zerodium had a $1M bounty for full remote end to end compromise.
→ Apple's own bug bounty for certain things is in the $100,000s range.
→ Maybe someone in your company has one of these iPhone devices?
ZOMG! An attacker could get a foothold in your network for a cool $1m dollars!
Reality
→ So for the quick simple payment of $1m dollars you're totally getting owned.
→ If your attacker has $1m spare to spend on just an exploit.
→ And owning you is worth >$1m.
→ Oh yeah, and there's no cheaper way to do it.
Reality 2
→ Attackers have budgets.
→ Majority of attacks have financial motives.
→ Defense is about raising those costs.
→ (Whilst still allowing your company to continue to make money.)
Zero day is not your biggest worry.
So how do we fix this? With threat modelling.
Say you have N months allocated to a security project.
Which of these will give a better return on your overall security?
Rolling out the awesome Grsecurity on all your Linux servers.
Rolling out a password manager to everyone in your organisation.
One of these is awesome cool tech, which stops mad 0day. (And I really love the work of GRSec.)
The other involves talking to people in the company and helping them with a password manager.
Arbitrary pie chart (3D DOUGHNUT CHART!)
"The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report
Passwords
Passwords == keys
More question time! If you care about lock security, do you:
→ buy cheap crappy keys but replace your locks in your whole house every month?
or
→ buy decent (cough European) locks and not worry about it.
No one does the former, right?
(Not that many people do the latter either, but anyway.)
(Also no one's house gets broken into with lockpicks either, but stop poking holes in my analogy.)
Which of these is better?
→ "Password1234oct"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
Which will be better next month?
→ "Password1234nov"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
You're wrong Ben because reasons
→ Guessing the first one, you can guess the others.
→ It'll be written down as it changes all the time.
→ Has much less entropy so they can remember it.
→ Second one is hashcat proof, the first one is not.
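As an added illustration of the reasons above (not code from the talk), a small Python estimator that prices a password the way a cracker would, token by token: the wordlist sizes, the 12-guess rotation token and the 1e10 guesses/s rate are assumptions, and the two passwords are the ones on the slides.

```python
import re

# Constructed stand-ins for an attacker's wordlist and rule set; a real hashcat run
# uses millions of words and thousands of rules, so these counts are assumptions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}
MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}
TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")

def guesses_for_token(tok: str) -> float:
    """Rough number of candidates an attacker must try for one token."""
    low = tok.lower()
    if low in COMMON_WORDS:
        return 1e4                 # assumed: in a top-10k list, plus a capitalisation rule
    if low in MONTHS:
        return 12.0                # assumed: attacker knows the monthly rotation scheme
    if tok.isdigit():
        return 10.0 ** len(tok)    # every digit string of that length
    if tok.isalpha():
        return 52.0 ** len(tok)    # no pattern matched: random mixed-case letters
    return 33.0 ** len(tok)        # run of printable punctuation

def estimate_guesses(password: str) -> float:
    """Product of the per-token candidate counts (tokens assumed independent)."""
    guesses = 1.0
    for tok in TOKEN_RE.findall(password):
        guesses *= guesses_for_token(tok)
    return guesses

def guesses_given_previous(previous: str, current: str) -> float:
    """Cost of the new password for an attacker who already cracked the old one."""
    old, new = TOKEN_RE.findall(previous), TOKEN_RE.findall(current)
    if len(old) != len(new):
        return estimate_guesses(current)
    guesses = 1.0
    for a, b in zip(old, new):
        if a != b:                 # only the tokens that changed cost anything
            guesses *= guesses_for_token(b)
    return guesses

def seconds_to_crack(guesses: float, rate: float = 1e10) -> float:
    """Worst-case time at an assumed 1e10 guesses/s (fast unsalted hash, GPU rig)."""
    return guesses / rate

if __name__ == "__main__":
    for pw in ("Password1234oct", "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"):
        print(f"{pw}: ~{estimate_guesses(pw):.1e} guesses, "
              f"~{seconds_to_crack(estimate_guesses(pw)):.1e} s")
    print("Nov password given Oct's:", guesses_given_previous("Password1234oct", "Password1234nov"))
```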
If you want more than just passwords!
Spend money on Duo and buy Yubikeys
Duo
→ Gives you secure second factor over iPhone/Android push notifications.
→ Backup of SMS or phone call.
→ Backup codes too.
→ More secure than TOTP 2FA.
Yubikeys == <3
→ Tiny USB cryptographic tokens that can tie in to Duo to be a second factor.
→ No more having to find your phone (I know, life is hard...).
→ Can also generate & store SSH/GPG RSA keys.
→ Now have U2F/FIDO for, well, Dropbox, GitHub, and Google.
But most importantly...
STOP MAKING YOUR COLLEAGUES HATE YOU!
Be nicer? Madness
At Etsy, we try, really hard, to make the security team approachable and friendly!
(In spite of hiring me)
Why do this? (Other than working for a hugging company)
Phishing
This is pretty new, has anyone heard of it?
Solving phishing!
→ Can't be done, despite what Barracuda may want to sell you.
→ 99% of people entering details vs. 9% of people entering details isn't all that helpful.
→ (But still try to reduce it.)
Solving phishing: IR
Having people tell the security team when a phishy email comes in, even if they've clicked on everything and shared their passwords, is great.
Not solving phishing: IR
Having a holier-than-thou, mad leet security team who talk down to people when they report a phishing email.
That will be the last time they bother to report anything to you.
Love always finds a way.
→ If security block everything, people will just do it anyway.
→ "Shadow" teams spin up, and just avoid all your safeguards.
→ You block all outbound traffic bar the proxy, someone will run corkscrew.
Security people, be nicer ❤
And now the second half
Conclusions
→ Start from securing from least skilled attacker up, not most skilled down.
→ Be realistic about your threat model.
→ Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.
Conclusions deux
→ Pick the boring definite wins, not the exciting maybe wins.
→ Yes, you won't get a BlackHat talk out of them, but you will be more secure.
→ Attackers want to win. Defenders can definitely win if they pick the right fight.
Thank you
→ Twidder: @benjammingh
→ LinkedIn: lnkdin.me/p/benyeah
→ SpeakerDeck: speakerdeck.com/barnbarn
→ JitHub: github.com/barn
→ Etsy: Careers --- CodeAsCraft <--- our blog
→ Fax: pending.
Wham!