A Choose Your Own Adventure for Devs, Ops, and other Humans
Given at ConFoo Vancouver 2016.
Write-up will be posted at https://www.netmeister.org/blog/opsec101.html
6. OPSEC (simplified): being aware of what information you make available, and how it may be used against you, eh?
@jschauma ConFoo Vancouver 2016
7. OPSEC (simplified): being aware of what type of information you make available, and how it may be used against you, eh?
9. A. Hey, they don't call it a laptop for nothing!
B. Leave the open laptop outside the bathroom, you're just gone for a minute.
C. Close the laptop, pack it up or leave it at your desk.
12. A. Hit ctrl+shift+l to lock your laptop.
B. Close your laptop, stash it in your lockable desk drawer and swallow the key.
C. Pfft, who cares? Your laptop is configured to auto-lock after some time.
14. A. Reimage the box because no single system should be irreplaceable.
B. Make up an excuse to wait until Bob is back from his vacation.
C. grep the password out of Bob's conveniently readable ~/.bash_history
16. ● Do clear your shell history once in a while!
  ○ attackers use it as info on how to admin the system
  ○ attackers use it to mine passwords
● Session
  ○ history -c                                  # good
  ○ echo /dev/null > ~/.bash_history            # better
● Persistent
  ○ echo 'set +o history' >> ~/.bashrc          # good
  ○ ln -sf /dev/null ~/.bash_history            # better
  ○ echo 'set +o history' >> /etc/profile       # best
https://v.gd/ConFooOpSec08
17. A. Take off your shoes, raise your arms for the porno cancer scanner and say 'yessir, may I have another'.
B. Take off your shoes, shut down your phone, and opt for the freedom grope.
C. Breeze through the pre-approved lane because you gave all your info to the gubment already.
18. A. Enter 1 2 3 4, the same combination as on your (TSA-approved) luggage lock.
B. Enter a 32 character complex passphrase, because fingerprint unlocking is unsafe.
C. Use your security hedgehog.
19. 10^4 = 10K possibilities. Time to brute force: <30min
20. 10^6 = 1M possibilities. Time to brute force: >2d
21. 6 alpha-numeric chars: 62^6 = 56,800,235,584 possibilities. Time to brute force: 196 years
28. A. Put on your privacy sweater.
B. Pretend not to notice that the people next to you are laughing at your slides as you work on them.
C. Perform AES256-CBC-SHA1 encryption in your head and only enter ciphertext.
31. A. Turn off the phone. (Yeah, right.)
B. Plug your phone into the convenient in-seat USB port to charge.
C. Practice safe OpSecs by using your USB condom.
33. A. Sweet! You're already connected to the 'linksys' access point! How convenient!
B. Choose the hotel wifi, then immediately connect to your VPN.
C. Close your laptop again. There are better things to do than stare at a computer screen. Oh, look, a beer appears in front of you! Life is good.
https://v.gd/ConFooOpSec13
35. A. Leave your laptop in your hotel room; it's turned off, and belongs to the company, so you don't care if somebody steals it.
B. Lock your laptop in the safe, using the same 4 digit code you use everywhere else.
C. Carry the laptop with you, because seriously, the hotel probably has a backdoor into the safe anyway.
39. A. Follow her and her senior engineers on Twitter, LinkedIn, Facebook and share that cool blog post about their great work culture everywhere.
B. Head to their campus the next day. (They have this cool sculpture in their lobby - pic, tweet, awesome!)
C. Pull the ssh key of one of their developers out of GitHub, break into their systems and leave a note how to best contact you.
41. Avoid leaking secrets into code repositories.
● separate code and config
● separate config and secrets
● tighten your .gitignore file
● use pre-commit hooks
● github.com != git.yourcompany.com
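One credential scanner can serve both the "clear your shell history" advice of slide 16 and the pre-commit hook advice of this slide. The script below is an added example, not from the talk; its regexes are illustrative assumptions, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: one credential scanner used two ways,
# auditing a shell history (slide 16) and as a git pre-commit hook (slide 41).
# The patterns are illustrative assumptions, not an exhaustive list.
# Print every stdin line that looks like it carries a credential.
scan_for_secrets() {
  grep -E -i \
    -e 'mysql .*-p[^ ]' \
    -e '(curl|wget) .*(-u |--user[= ]|--password[= ])' \
    -e 'export [A-Z_]*(PASS|SECRET|TOKEN|KEY)[A-Z_]*=' \
    -e "(PASS(WORD)?|SECRET|TOKEN|API_?KEY)[A-Z_]* *[=:] *[\"'][^\"']" \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    || true   # grep exits 1 when nothing matches; that is not an error here
}
# Number of suspicious lines in a file such as ~/.bash_history.
count_secrets_in_file() {
  scan_for_secrets < "$1" | wc -l | tr -d ' '
}
# Number of suspicious lines among the ADDED lines of a unified diff
# (feed it `git diff --cached -U0`); removed and context lines are ignored.
count_secrets_in_diff() {
  grep -E '^\+[^+]' | cut -c2- | scan_for_secrets | wc -l | tr -d ' '
}
# Constructed sample history, not taken from a real machine.
sample_history() {
  cat <<'EOF'
ls -la /var/log
mysql -u app -pS3cretPass -h db.example.internal
curl -u admin:hunter2 https://api.example.internal/status
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEYNOTREAL
sudo systemctl restart nginx
EOF
}
# Constructed staged diff: the old literal goes, the env lookup is fine,
# but a new literal token sneaks in and must be flagged.
sample_diff() {
  cat <<'EOF'
+++ b/config.py
@@ -1,1 +1,2 @@
-DB_PASSWORD = "oldpass"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+API_TOKEN = "tok_example_12345"
EOF
}
# Installed as .git/hooks/pre-commit, "--hook" refuses commits with a hit;
# given a file path instead, it prints that file's suspicious lines.
case "${1:-}" in
  --hook) [ "$(git diff --cached -U0 | count_secrets_in_diff)" = 0 ] || exit 1 ;;
  ?*)     scan_for_secrets < "$1" ;;
esac
```

Run it as `sh scan.sh ~/.bash_history` to audit your own history, or copy it to `.git/hooks/pre-commit` with a `--hook` argument to stop the literal token in the sample diff from ever being committed.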
42. A. You never log out. It's weird that their ads now seem to reflect what you do on other websites, but that's probably just a coincidence.
B. Hit a keyboard shortcut to let your password manager fill in the login.
C. Accidentally alt-tab and type your password into Slack.
https://v.gd/ConFooOpSec15
44. Use a Password Manager, eh?
https://v.gd/ConFooOpSec17
45. Chat like everybody's logging. (Somebody always is.)
https://v.gd/ConFooOpSec18
46. A. That dude's cray-cray. None of this applies to me. Lalalalala.
B. ERMAHGERD! I R TARGET! *burns laptop, buys new eyeballs*
C. 1st thing back at work: Compile New Hire OpSec kit.
47. New Hire OpSec Kit
• Privacy screen
• Laptop webcam cover
• FIDO U2F Security Key
• USB condom
• Password Manager License
• Little Snitch License
• RFID Wallet
https://v.gd/ConFooOpSec19
https://v.gd/ConFooOpSec20
48. Other Easy Wins
• enable screen locking (laptop & mobile)
• whole disk encryption
• passcode/fingerprint on mobile
• ask for wifi
• use 2FA
• umask 077 & shell history truncation