SlideShare une entreprise Scribd logo

The road to hell v0.6

Télécharger en tant que PPTX, PDF
Security B-Sides
Security B-Sides
1  sur  44
The road to Hell… …is paved with best practices
Warning Image: Caution, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from zippy'sphotostream <RANT> 30 juli 2010
Why… Not all “best practices” seem to make us more secure. Often overlooked: “…when applied to a particular condition or circumstance.” 30 juli 2010
Who am I? Frank Breedijk Security Engineer at Schuberg Philis Author of Seccubus Blogging for CupFighter.net Email: fbreedijk@schubergphilis.com Twitter: @seccubus Blog: http://www.cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com
The burden of administration… “Adding more security” to a system often means more administration and bureaucracy. It often also means less time to do actual system administration. 30 juli 2010 Image: Bureaucracy illustration, a Creative Commons Attribution Share-Alike (2.0) image from kongharald'sphotostream
Firewalls from two different vendors… Reasoning: If one vendor has a serious flaw, there will not be a total compromise. Reality: Firewall bypass bugs are rare Two rule bases Two different technologies Most likely outside firewall will pass anything nat-ed behind inside firewall Most firewall brand use the same IP stack anyway 30 juli 2010 Image from: http://searchnetworking.techtarget.com.au/articles/16554-Choosing-the-right-firewall-topology?topic_id=891
Its like two locks on a bicycle Image: safe safer safest, a Creative Commons Attribution (2.0) image from 20918261@N00's photostream Most bicycle thieves in Amsterdam only know how to quickly open one type of lock 30 juli 2010
But just two locks isn’t enough… Image: history of missing circles, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from camil_t'sphotostream Like every technology you need to know how to apply it to benefit from it. 30 juli 2010
Is complexity bad? There are about 25,000 parts in a commercial jet engine. In order to make a working jet engine you need at a maximum 1,000 parts 30 juli 2010 Image: conjoined twin roundabouts, a Creative Commons Attribution Non-Commercial (2.0) image from duncan'sphotostream
Is complexity bad? Complexity can also aid security… It should never be the basis of your security Never underestimate the power of security by obscurity Obscurity can defeat plausible deniability Encryption is a classical example of security by obscurity 30 juli 2010 Image: Maze Lock Guarantees You'll Perish In A Fire, a Creative Commons Attribution Share-Alike (2.0) image from billypalooza'sphotostream
What about encryption… 30 juli 2010 Image: Security, cartoon #538 fromxkcd.com
Encryption is not a silver bullet… Image: silver bullet, a Creative Commons Attribution Share-Alike (2.0) image from eschipul'sphotostream Many attacks: Key theft Brute force Social engineering End point compromise Man in the browser attack Man in the Middle attack Downgrade attack Rubber hose cryptology Side channel attack Cache timing attack Replay attacks 30 juli 2010
If a “security measure” is too hard… it will more likely hurt Password requirements: Likely password: 30 juli 2010 7 characters welcome 1 capital Welcome 1 numeral W3lc0m3 W3lc0m3! 1 special 10 characters W3lc0m3!!! 30 days max – cannot use last 12 Welcome01! The predictability of human behavior can aid in password cracking attempts. See the work of Matt Weir: "Using Probabilistic Techniques to Aid in Password Cracking Attacks“ http://tinyurl.com/RTHpasswd
Security making life too hard… You cannot paste a password into an RDP login box Consequences: I set up a really hard adminstrator password I put it in the password vault I now have to type 15 random characters to gain access I may start to remember this password I may start to use weaker passwords Maybe I will write the password down 30 juli 2010
Don’t turn system administration into an obstacle race… Image: lubbock_track_regionals_2010147, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from jduty'sphotostream If your only users are system administrators why would you: Make home directory 600 Make roots home directory 100 Restrict access to /var/log Etc… 30 juli 2010
There is strength in numbers… Image by Frank Breedijk “Limit the number of system administrators” 30 juli 2010
Does this consider the level of the system administrators? Or are all animals equal… 30 juli 2010 Images by Frank Breedijk
What is the right number of administrators… 30 juli 2010 5 25 20 47 35 50 18 42 35 53 17 15 6 19 120 33 11 28
Please don’t force me to… It would be easy… The auditors would be happy… I could do my job… …it would be so wrong! 30 juli 2010 Image: Being John Malcovichmovie poster
What’s the solution? Know your administrators… Set clear rules Make it obvious when rules are about to be broken Monitor Use system logging Log Changes Log in multiple places Keep you admin happy Peer review 30 juli 2010 Image: Perita, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from ournew'sphotostream
Limit remote access… “Permission for remote access to **** must be strictly limited to those specific employees who have a strong business need for the access.” Why? Stop data leaving the premises? Reduce risk of duress? Keep an eye on your actions? That warm and fuzzy feeling? 30 juli 2010 Image: Threads 140.365, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from stephangeyer'sphotostream
Can you really stop data “leaks”? People will try to work from home anyway CD-R, USB, MicroSD, SmartPhone, PDA, Portable Harddisk, Printout or simply mail it home 30 juli 2010 Memories, PenDrives...., a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from kikiprinci'sphotostream
Duress Image: South Beach Sisters, a Creative Commons Attribution Non-Commercial (2.0) image from adwriter'sphotostream If you are working form home they can make you do stuff at gunpoint… 30 juli 2010
Keeping an eye on you… How would you make sure that the person watching me understands what I’m doing? Would it be impossible to backdoor a system while somebody is watching you? What is the chance an administrator backdoors a system just so he “can do his job” ? 30 juli 2010 Photo-A-Day #982f 12/16/07, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from abennett96's photostream
Teleworking has advantages Image: Old Modem Front, a Creative Commons Attribution (2.0) image from rexroof'sphotostream Remote system administration = Faster response time + More dedicated staff + Better uptime + Better maintained system = Better security 30 juli 2010
Remove all identifying banners O.K. disclosing exact versions is bad… But what about just displaying the products: Apache X-powered-by: ASP.NET OpenSSH Won’t they just try all? 30 juli 2010
What about warning banners? You must annoy user and administrators by displaying a large annoying legal banner prior to login. And it tells me its an interesting system, and who owns it even before I have logged in. 30 juli 2010
Ping A lot of systems on the internet cannot be pinged anymore… Great: I know the systems IP I know its not working I cannot ping it I can still do a tcptraceroute Why? 30 juli 2010 Image: pong undead!!!, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from astio'sphotostream
Firewall log monitoring You must monitor your firewall traffic logs… Why? If it is passed by firewall it was allowed in the first place… If it got rejected, it got rejected, why worry about it? There is no “evil bit” (except in RFC 3514) 30 juli 2010 Image: EVIL a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from krazydad'sphotostream
Idle session time out… Its just there to piss users off 30 juli 2010
Single sign on… It is bad because: One credential will give you access to everything… What is the alternative? Passwords.xls? 30 juli 2010 Title / Main topic / Sub-topic
Don’t take away my tools… Remove development tools Removing telnet (client) Taking SUID from ping Remove security tools Ping? Traceroute? OpenSSL? 30 juli 2010 Image: 105. 283, a Creative Commons Attribution Non-Commercial (2.0) image from pwn'sphotostream
No access to social media… URL filtering: Twitter, Facebook, Craigslist, Wordpress Webmail, Hotmail, GMail YouTube, Break.com, Failblog Google Cache I’m so glad I have UMTS 30 juli 2010 Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from _brilho-de-conta'sphotostream
Intrusion Detection System (IDS) Proving the Internet is evil™ Protecting the network by blacklisting all evil… IDS/IPS is not all bad: It is very good for detection anomalies 30 juli 2010
Using your cell phone in datacenters… Why? 30 juli 2010 Image: Thanks Dan, your gifts from Shanghai are always a treat, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from joepemberton'sphotostream
Interference has happened… 30 juli 2010 Image: Strowger, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from pritch'sphotostream Image taken fromwww.muscom.nl
Its because of the cameras… 30 juli 2010 Image: Don't Mind If I Do a Creative Commons Attribution Non-Commercial (2.0) image from jeremybrooks'sphotostream
Lets get serious… Image: Taken with Frank Breedijk’s BlackBerry at DefCon 17 </RANT> 30 juli 2010
Compliance… Compliance (e.g. PCI compliance) put a business driver into security If you implement these security measures you will get a discount Firewalls IDS Regular vulnerability scan Physical security Expect a business decision 30 juli 2010 The Lure Of Gold, a Creative Commons Attribution Share-Alike (2.0) image from bogenfreund'sphotostream
If all you got is a hammer… Everything looks like a nail… Consider what you need to secure, before you decide how to… 30 juli 2010 Image: Glass smash with liquid, a Creative Commons Attribution Non-Commercial (2.0) image from whisperwolf'sphotostream
Do not disengage your brain… 30 juli 2010 Image: homer's minibrain, a Creative Commons Attribution Share-Alike (2.0) image from mabi'sphotostream
What is the risk? 30 juli 2010
Questions? ? 30 juli 2010 Image: "1 more minute?" RichieHawtinasksRocco // Awakenings Festival 2007, a CreativeCommonsAttributionNon-CommercialNo-Derivative-Works (2.0) image frommerlijnhoek'sphotostream
Feedback... Please send/tell me your examples of non-security through stupidity Email: fbreedijk@schubergphilis.com Twitter: @seccubus Blog: http://cupfighter.net Project: http://seccubus.com Company: http://schubergphilis.com

Recommandé

Net303 policy primer
Net303 policy primerNet303 policy primer
Net303 policy primerKaleisma
 
Youtube Policy Primer
Youtube Policy PrimerYoutube Policy Primer
Youtube Policy PrimerESutton17
 
Case study: Road to Hell
Case study: Road to HellCase study: Road to Hell
Case study: Road to HellAdishri Gulati
 
Group 1 road to hell
Group 1 road to hellGroup 1 road to hell
Group 1 road to hellRika Galluetz
 
The Road to Hell
The Road to HellThe Road to Hell
The Road to HellNext2ndOpinion
 
Group 1 stanley oneal
Group 1 stanley onealGroup 1 stanley oneal
Group 1 stanley onealRika Galluetz
 
The biggest communication problem
The biggest communication problemThe biggest communication problem
The biggest communication problemMotivational Goldenwords
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldSecurity B-Sides
 

Recommandé

Net303 policy primer
Net303 policy primerNet303 policy primer
Net303 policy primerKaleisma
 
Youtube Policy Primer
Youtube Policy PrimerYoutube Policy Primer
Youtube Policy PrimerESutton17
 
Case study: Road to Hell
Case study: Road to HellCase study: Road to Hell
Case study: Road to HellAdishri Gulati
 
Group 1 road to hell
Group 1 road to hellGroup 1 road to hell
Group 1 road to hellRika Galluetz
 
The Road to Hell
The Road to HellThe Road to Hell
The Road to HellNext2ndOpinion
 
Group 1 stanley oneal
Group 1 stanley onealGroup 1 stanley oneal
Group 1 stanley onealRika Galluetz
 
The biggest communication problem
The biggest communication problemThe biggest communication problem
The biggest communication problemMotivational Goldenwords
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldSecurity B-Sides
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSecurity B-Sides
 
Security YMCA
Security YMCASecurity YMCA
Security YMCASecurity BSides London
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atlSecurity B-Sides
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?Security B-Sides
 
Black is beautiful
Black is beautifulBlack is beautiful
Black is beautifulYaaYaa Fraser
 
Black beauty powerpoint
Black beauty powerpointBlack beauty powerpoint
Black beauty powerpointFatiha Junaidi
 
How to make fashion mood board
How to make fashion mood boardHow to make fashion mood board
How to make fashion mood boardsuniltalekar1
 
Fashion Presentation
Fashion PresentationFashion Presentation
Fashion Presentationjessicachammas
 
The beauty of fashion.ppt
The beauty of fashion.pptThe beauty of fashion.ppt
The beauty of fashion.pptPyramid Connections
 
Fashion
FashionFashion
FashionUniversiti Sains Malaysia
 
Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryHitoshi Kokumai
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
The Nature of Security
The Nature of SecurityThe Nature of Security
The Nature of Securitygnat
 
Hacker tool talk: maltego
Hacker tool talk: maltegoHacker tool talk: maltego
Hacker tool talk: maltegoChris Hammond-Thrasher
 
Computer security
Computer securityComputer security
Computer securityKawsar Ahmed
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confooxsist10
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides
 

Contenu connexe

En vedette

Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSecurity B-Sides
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atlSecurity B-Sides
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?Security B-Sides
 
Black beauty powerpoint
Black beauty powerpointBlack beauty powerpoint
Black beauty powerpointFatiha Junaidi
 
How to make fashion mood board
How to make fashion mood boardHow to make fashion mood board
How to make fashion mood boardsuniltalekar1
 

En vedette (10)

Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
Security YMCA
Security YMCASecurity YMCA
Security YMCA
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Black is beautiful
Black is beautifulBlack is beautiful
Black is beautiful
 
Black beauty powerpoint
Black beauty powerpointBlack beauty powerpoint
Black beauty powerpoint
 
How to make fashion mood board
How to make fashion mood boardHow to make fashion mood board
How to make fashion mood board
 
Fashion Presentation
Fashion PresentationFashion Presentation
Fashion Presentation
 
The beauty of fashion.ppt
The beauty of fashion.pptThe beauty of fashion.ppt
The beauty of fashion.ppt
 
Fashion
FashionFashion
Fashion
 

Similaire à The road to hell v0.6

Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryHitoshi Kokumai
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
The Nature of Security
The Nature of SecurityThe Nature of Security
The Nature of Securitygnat
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confooxsist10
 

Similaire à The road to hell v0.6 (7)

Updated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and MemoryUpdated: Identity Assurance by Our Own Volition and Memory
Updated: Identity Assurance by Our Own Volition and Memory
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHP
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
The Nature of Security
The Nature of SecurityThe Nature of Security
The Nature of Security
 
Hacker tool talk: maltego
Hacker tool talk: maltegoHacker tool talk: maltego
Hacker tool talk: maltego
 
Computer security
Computer securityComputer security
Computer security
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confoo
 

Plus de Security B-Sides

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity B-Sides
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Security B-Sides
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineSecurity B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsSecurity B-Sides
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Security B-Sides
 
Efficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering informationEfficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering informationSecurity B-Sides
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Security B-Sides
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsSecurity B-Sides
 

Plus de Security B-Sides (20)

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon Haroon Meer2009 Zacon Haroon Meer
2009 Zacon Haroon Meer
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Exploitation
ExploitationExploitation
Exploitation
 
Layer 2 Hackery
Layer 2 HackeryLayer 2 Hackery
Layer 2 Hackery
 
Efficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering informationEfficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering information
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring Systems
 
TCP Sorcery
TCP SorceryTCP Sorcery
TCP Sorcery
 

The road to hell v0.6

  • 1. The road to Hell… …is paved with best practices
  • 2. Warning Image: Caution, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from zippy'sphotostream <RANT> 30 juli 2010
  • 3. Why… Not all “best practices” seem to make us more secure. Often overlooked: “…when applied to a particular condition or circumstance.” 30 juli 2010
  • 4. Who am I? Frank Breedijk Security Engineer at Schuberg Philis Author of Seccubus Blogging for CupFighter.net Email: fbreedijk@schubergphilis.com Twitter: @seccubus Blog: http://www.cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com
  • 5. The burden of administration… “Adding more security” to a system often means more administration and bureaucracy. It often also means less time to do actual system administration. 30 juli 2010 Image: Bureaucracy illustration, a Creative Commons Attribution Share-Alike (2.0) image from kongharald'sphotostream
  • 6. Firewalls from two different vendors… Reasoning: If one vendor has a serious flaw, there will not be a total compromise. Reality: Firewall bypass bugs are rare Two rule bases Two different technologies Most likely outside firewall will pass anything nat-ed behind inside firewall Most firewall brand use the same IP stack anyway 30 juli 2010 Image from: http://searchnetworking.techtarget.com.au/articles/16554-Choosing-the-right-firewall-topology?topic_id=891
  • 7. Its like two locks on a bicycle Image: safe safer safest, a Creative Commons Attribution (2.0) image from 20918261@N00's photostream Most bicycle thieves in Amsterdam only know how to quickly open one type of lock 30 juli 2010
  • 8. But just two locks isn’t enough… Image: history of missing circles, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from camil_t'sphotostream Like every technology you need to know how to apply it to benefit from it. 30 juli 2010
  • 9. Is complexity bad? There are about 25,000 parts in a commercial jet engine. In order to make a working jet engine you need at a maximum 1,000 parts 30 juli 2010 Image: conjoined twin roundabouts, a Creative Commons Attribution Non-Commercial (2.0) image from duncan'sphotostream
  • 10. Is complexity bad? Complexity can also aid security… It should never be the basis of your security Never underestimate the power of security by obscurity Obscurity can defeat plausible deniability Encryption is a classical example of security by obscurity 30 juli 2010 Image: Maze Lock Guarantees You'll Perish In A Fire, a Creative Commons Attribution Share-Alike (2.0) image from billypalooza'sphotostream
  • 11. What about encryption… 30 juli 2010 Image: Security, cartoon #538 fromxkcd.com
  • 12. Encryption is not a silver bullet… Image: silver bullet, a Creative Commons Attribution Share-Alike (2.0) image from eschipul'sphotostream Many attacks: Key theft Brute force Social engineering End point compromise Man in the browser attack Man in the Middle attack Downgrade attack Rubber hose cryptology Side channel attack Cache timing attack Replay attacks 30 juli 2010
  • 13. If a “security measure” is too hard… it will more likely hurt Password requirements: Likely password: 30 juli 2010 7 characters welcome 1 capital Welcome 1 numeral W3lc0m3 W3lc0m3! 1 special 10 characters W3lc0m3!!! 30 days max – cannot use last 12 Welcome01! The predictability of human behavior can aid in password cracking attempts. See the work of Matt Weir: "Using Probabilistic Techniques to Aid in Password Cracking Attacks“ http://tinyurl.com/RTHpasswd
  • 14. Security making life too hard… You cannot paste a password into an RDP login box Consequences: I set up a really hard adminstrator password I put it in the password vault I now have to type 15 random characters to gain access I may start to remember this password I may start to use weaker passwords Maybe I will write the password down 30 juli 2010
  • 15. Don’t turn system administration into an obstacle race… Image: lubbock_track_regionals_2010147, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from jduty'sphotostream If your only users are system administrators why would you: Make home directory 600 Make roots home directory 100 Restrict access to /var/log Etc… 30 juli 2010
  • 16. There is strength in numbers… Image by Frank Breedijk “Limit the number of system administrators” 30 juli 2010
  • 17. Does this consider the level of the system administrators? Or are all animals equal… 30 juli 2010 Images by Frank Breedijk
  • 18. What is the right number of administrators… 30 juli 2010 5 25 20 47 35 50 18 42 35 53 17 15 6 19 120 33 11 28
  • 19. Please don’t force me to… It would be easy… The auditors would be happy… I could do my job… …it would be so wrong! 30 juli 2010 Image: Being John Malcovichmovie poster
  • 20. What’s the solution? Know your administrators… Set clear rules Make it obvious when rules are about to be broken Monitor Use system logging Log Changes Log in multiple places Keep you admin happy Peer review 30 juli 2010 Image: Perita, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from ournew'sphotostream
  • 21. Limit remote access… “Permission for remote access to **** must be strictly limited to those specific employees who have a strong business need for the access.” Why? Stop data leaving the premises? Reduce risk of duress? Keep an eye on your actions? That warm and fuzzy feeling? 30 juli 2010 Image: Threads 140.365, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from stephangeyer'sphotostream
  • 22. Can you really stop data “leaks”? People will try to work from home anyway CD-R, USB, MicroSD, SmartPhone, PDA, Portable Harddisk, Printout or simply mail it home 30 juli 2010 Memories, PenDrives...., a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from kikiprinci'sphotostream
  • 23. Duress Image: South Beach Sisters, a Creative Commons Attribution Non-Commercial (2.0) image from adwriter'sphotostream If you are working form home they can make you do stuff at gunpoint… 30 juli 2010
  • 24. Keeping an eye on you… How would you make sure that the person watching me understands what I’m doing? Would it be impossible to backdoor a system while somebody is watching you? What is the chance an administrator backdoors a system just so he “can do his job” ? 30 juli 2010 Photo-A-Day #982f 12/16/07, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from abennett96's photostream
  • 25. Teleworking has advantages Image: Old Modem Front, a Creative Commons Attribution (2.0) image from rexroof'sphotostream Remote system administration = Faster response time + More dedicated staff + Better uptime + Better maintained system = Better security 30 juli 2010
  • 26. Remove all identifying banners O.K. disclosing exact versions is bad… But what about just displaying the products: Apache X-powered-by: ASP.NET OpenSSH Won’t they just try all? 30 juli 2010
  • 27. What about warning banners? You must annoy user and administrators by displaying a large annoying legal banner prior to login. And it tells me its an interesting system, and who owns it even before I have logged in. 30 juli 2010
  • 28. Ping A lot of systems on the internet cannot be pinged anymore… Great: I know the systems IP I know its not working I cannot ping it I can still do a tcptraceroute Why? 30 juli 2010 Image: pong undead!!!, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from astio'sphotostream
  • 29. Firewall log monitoring You must monitor your firewall traffic logs… Why? If it is passed by firewall it was allowed in the first place… If it got rejected, it got rejected, why worry about it? There is no “evil bit” (except in RFC 3514) 30 juli 2010 Image: EVIL a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from krazydad'sphotostream
  • 30. Idle session time out… Its just there to piss users off 30 juli 2010
  • 31. Single sign on… It is bad because: One credential will give you access to everything… What is the alternative? Passwords.xls? 30 juli 2010 Title / Main topic / Sub-topic
  • 32. Don’t take away my tools… Remove development tools Removing telnet (client) Taking SUID from ping Remove security tools Ping? Traceroute? OpenSSL? 30 juli 2010 Image: 105. 283, a Creative Commons Attribution Non-Commercial (2.0) image from pwn'sphotostream
  • 33. No access to social media… URL filtering: Twitter, Facebook, Craigslist, Wordpress Webmail, Hotmail, GMail YouTube, Break.com, Failblog Google Cache I’m so glad I have UMTS 30 juli 2010 Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from _brilho-de-conta'sphotostream
  • 34. Intrusion Detection System (IDS) Proving the Internet is evil™ Protecting the network by blacklisting all evil… IDS/IPS is not all bad: It is very good for detection anomalies 30 juli 2010
  • 35. Using your cell phone in datacenters… Why? 30 juli 2010 Image: Thanks Dan, your gifts from Shanghai are always a treat, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from joepemberton'sphotostream
  • 36. Interference has happened… 30 juli 2010 Image: Strowger, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from pritch'sphotostream Image taken fromwww.muscom.nl
  • 37. Its because of the cameras… 30 juli 2010 Image: Don't Mind If I Do a Creative Commons Attribution Non-Commercial (2.0) image from jeremybrooks'sphotostream
  • 38. Lets get serious… Image: Taken with Frank Breedijk’s BlackBerry at DefCon 17 </RANT> 30 juli 2010
  • 39. Compliance… Compliance (e.g. PCI compliance) put a business driver into security If you implement these security measures you will get a discount Firewalls IDS Regular vulnerability scan Physical security Expect a business decision 30 juli 2010 The Lure Of Gold, a Creative Commons Attribution Share-Alike (2.0) image from bogenfreund'sphotostream
  • 40. If all you got is a hammer… Everything looks like a nail… Consider what you need to secure, before you decide how to… 30 juli 2010 Image: Glass smash with liquid, a Creative Commons Attribution Non-Commercial (2.0) image from whisperwolf'sphotostream
  • 41. Do not disengage your brain… 30 juli 2010 Image: homer's minibrain, a Creative Commons Attribution Share-Alike (2.0) image from mabi'sphotostream
  • 42. What is the risk? 30 juli 2010
  • 43. Questions? ? 30 juli 2010 Image: "1 more minute?" RichieHawtinasksRocco // Awakenings Festival 2007, a CreativeCommonsAttributionNon-CommercialNo-Derivative-Works (2.0) image frommerlijnhoek'sphotostream
  • 44. Feedback... Please send/tell me your examples of non-security through stupidity Email: fbreedijk@schubergphilis.com Twitter: @seccubus Blog: http://cupfighter.net Project: http://seccubus.com Company: http://schubergphilis.com