OpSec101

OPSEC 101- a Choose Your Own Adventure
for Devs, Ops and Other Humans
Jan Schaumann
@jschauma ConFoo Vancouver 2016


https://v.gd/ConFooOpSec01

OPSEC
(simpliﬁed):

being
aware
of
what
informa:on
you

make
available,
and

how
it
may
be
used
against
you,

eh?


OPSEC
(simpliﬁed):

being
aware
of
what
type
of
informa:on

you
make
available,
and

how
it
may
be
used
against
you,
eh?



Going
to
ConFoo!

A.  Hey,
they
don’t
call
it
a
laptop
for
nothing!

B.  Leave
the
open
laptop
outside
the
bathroom,

you're
just
gone
for
a
minute.

C.  Close
the
laptop,
pack
it
up
or
leave
it
at
your

desk.


https://v.gd/ConFooOpSec06https://v.gd/ConFooOpSec05

A.  Hit
ctrl+shiP+l
to
lock
your
laptop.

B.  Close
your
laptop,
stash
it
in
your
lockable

desk
drawer
and
swallow
the
key.

C.  PQ,
who
cares?
Your
laptop
is
conﬁgured
to

auto-‐lock
aPer
some
:me.


A.  Reimage
the
box
because
no
single
system

should
be
irreplacable.

B.  Make
up
an
excuse
to
wait
un:l
Bob
is
back

from
his
vaca:on.

C.  grep
the
password
out
of
Bob’s

conveniently
readable
~/.bash_history

●  Do
clear
your
shell
history
once
in
a
while!

○  aYackers
use
it
as
info
on
how
to
admin
the
system

○  aYackers
use
it
to
mine
passwords

●  Session

○  history -c

#
good

○  echo /dev/null > ~/.bash_history

#
beYer

●  Persistent

○  echo ‘set +o history’ >> ~/.bashrc

#
good

○  ln -sf /dev/null ~/.bash_history

#
beYer

○  echo ‘set +o history’ >> /etc/profile

#
best



A.  Take
oﬀ
your
shoes,
raise
your
arms
for
the

porno
cancer
scanner
and
say
'yessir,
may
I

have
another’.

B.  Take
oﬀ
your
shoes,
shut
down
your
phone,

and
opt
for
the
freedom
grope.

C.  Breeze
through
the
pre-‐approved
lane
because

you
gave
all
your
info
to
the
gubment
already.


A.  Enter
1
2
3
4,
the
same
combina:on
as

on
your
(TSA-‐approved)
luggage
lock.

B.  Enter
a
32
character
complex

passphrase,
because
ﬁngerprint

unlocking
is
unsafe.

C.  Use
your
security
hedgehog.


10^4
=
10K
possibili:es
Time
to
brute
force:
<30min


10^6
=
1M
possibili:es
Time
to
brute
force:
>2d


6
alpha-‐numeric
chars

62^6
=

56,800,235,584

possibili:es

Time
to
brute
force:

196
years


A.  Put
on
your
privacy
sweater.

B.  Pretend
not
to
no:ce
that
the
people
next
to
you

are
laughing
at
your
slides
as
you
work
on
them.

C.  Perform
AES256-‐CBC-‐SHA1
encryp:on
in
your

head
and
only
enter
ciphertext.


A.  Turn
oﬀ
the
phone.
(Yeah,
right.)

B.  Plug
your
phone
into
the
convenient
in-‐
seat
USB
port
to
charge.

C.  Prac:ce
safe
OpSecs
by
using
your
USB

condom.


A.  Sweet!

You're
already
connected
to
the

'linksys’
access
point!

How
convenient!

B.  Choose
the
hotel
wiﬁ,
then
immediately

connect
to
your
VPN.

C.  Close
your
laptop
again.
There
are
beYer
things

to
do
than
stare
at
a
computer
screen.

Oh,

look,
a
beer
appears
in
front
of
you!

Life
is

good.

BeYer
clean
up!

Right
on!


A.  Leave
your
laptop
in
your
hotel
room;
it’s
turned

oﬀ,
and
belongs
to
the
company,
so
you
don’t
care

if
somebody
steals
it.

B.  Lock
your
laptop
in
the
safe,
using
the
same
4
digit

code
you
use
everywhere
else.

C.  Carry
the
laptop
with
you,
because
seriously,
the

hotel
probably
has
a
backdoor
into
the
safe

anyway.


A.  Follow
her
and
her
senior
engineers
on
TwiYer,

LinkedIn,
Facebook
and
share
that
cool
blog
post

about
their
great
work
culture
everywhere.

B.  Head
to
their
campus
the
next
day.
(They
have
this

cool
sculpture
in
their
lobby
-‐
pic,
tweet,
awesome!)

C.  Pull
the
ssh
key
of
one
of
their
developers
out
of

GitHub,
break
into
their
systems
and
leave
a
note

how
to
best
contact
you.


Avoid
leaking
secrets

into
code
repositories.

●  separate
code
and
config

●  separate
config
and
secrets

●  :ghten
your
.gi)gnore
file

●  use
pre-‐commit
hooks

●  github.com
!=
git.yourcompany.com

A.  You
never
log
out.
It's
weird
that
their
ads
now

seem
to
reﬂect
what
you
do
on
other
websites,

but
that's
probably
just
a
coincidence.

B.  Hit
a
keyboard
shortcut
to
let
your
password

manager
ﬁll
in
the
login.

C.  Accidentally
alt-‐tab
and
type
your
password
into

Slack.


Compartmentaliza:on
FTW


Use
a
Password
Manager,
eh?



Chat
like
everybody’s
logging.

(Somebody
always
is.)



A.  That
dude’s
cray-‐cray.
None
of
this
applies
to

me.
Lalalalala.

B.  ERMAHGERD!
I
R
TARGET!
*burns
laptop,
buys

new
eyeballs*

C.  1st

thing
back
at
work:

Compile
New
Hire
OpSec
kit.

New
Hire
OpSec
Kit

•  Privacy
screen

•  Laptop
webcam
cover

•  FIDO
U2F
Security
Key

•  USB
condom

•  Password
Manager
License

•  LiYle
Snitch
License

•  RFID
Wallet



Other
Easy
Wins

•  enable
screen
locking
(laptop
&
mobile)

•  whole
disk
encryp:on

•  passcode/ﬁngerprint
on
mobile

•  ask
for
wiﬁ

•  use
2FA

•  umask 077
&
shell
history
trunca:on


OpSec101

Recommandé

Recommandé

Contenu connexe

Similaire à OpSec101

Similaire à OpSec101 (7)

Plus de Jan Schaumann

Plus de Jan Schaumann (11)

Dernier

Dernier (20)

OpSec101