PuppetConf 2016: How You Actually Get Hacked – Ben Hughes, Etsy

How You Actually Get Hacked
1 — @benjammingh for PuppetConf 2016

AKA Do you want ants?
Because that's how you get ants!

Who's this clown? 2
→ Infrastructure security at Etsy.
→ Puppet Labs Operations alumni.
→ First used Puppet on the 0.26 branch.
→ Has only been in big trouble with the phone
company once.
2
https://twitter.com/skullmandible/status/411281851131523072

What this talk is about?
→ Risk and threat modelling.
→ Reality, and infosec's aversion to it.
→ What to actually focus on, to be more secure, but
less hipster.
→ Security myopia and the best being the enemy of
the good.

What this talk is not about?
→ Mad 0day. Go to Inﬁltrate
→ Vendor Sponsorship. (Note however, it is Black
Friday soon www.etsy.com)
→ Me reading out breach reports.
→ Nessus.

Mild audience
participation
warning!

Google Syndrome Disclaimer!
If you are Google/Facebook/BAE Systems/Raytheon/
Any part of Five Eyes/OPM, this hopefully and
somewhat obviously does not apply to you.
Also stop listening to funny haired people who work
at yarn websites for your security advice!
Smash the 1%, eat the rich!

Threat
modelling
The who now?

H1B fashion
model visa.

Working out who might
attack you and how

Evaluating risks and
reality
(and impact)

Are humans good at
evaluating risk?

Have you ever said:
"Have a safe ﬂight!"

Has anyone ever said:
"Have a safe drive to the
airport!"

Flying:
→ An entire spare pilot.
→ Computer controlled.
→ A spare engine!
→ 100s of hours training/qualiﬁcations.
→ regular safety checks.

Taxis
→ ....
→ have the strange smelling pine tree thing?

Every statistic says ﬂying
is 100x safer

Security
what is it?

"The state or condition of being or feeling secure."
-- The Oxford English Dictionary (as HRH Queen
Elizabeth the Second decrees)

"Being or feeling secure"

Secure [from whom?]

Who are you defending against?
→ Scripts (mass own wordpress, nmap/zmap looking
for mongodb/mssql/etc)
→ Script kiddies (the above, but with a tutorial)
→ Bug Bounties (hand wave 80% of attacks on your
website?)
→ Red Teams/Pen tests (every... 6 months? maybe?)

Other attackers?
→ China!!!111 (though now Russia is in vogue)
→ Hackers in it for the lols (needs no explaination)
→ Hacktivists (I remain unconvinced these are real
→ Hacking for proﬁt (not for fun. See China)

The main ones, ZOMG.
→ NSA.
→ now and then the FBI
→ everyone forgets about CSE (and all of Five Eyes)
→ GCHQ (who seem to have fewer morals..)

"How to NSA-Proof your Apple iCloud account. –
Underground Network"
"Blackphone 2: 'NSA Proof' Android Phone For
Privacy Seekers Now Available For Preorder"
"NSA-proof your e-mail in 2 hours"
"How NSA-Proof Are VPN Service Providers?"

"An NSA-proof operating system. Yes, for real."
"NSA-proof passwords"
"NSA-proof SSH"
"Physicists are building an NSA-proof internet"

The NSA should probably
not be in your threat model.

Whaaa?
But shouldn't we defend against everyone?

Once you can defend
against everyone up to
the NSA,
then try to defend
against the NSA.

*cough*
(please infosec, stop this NSA fetishism &
security nihilism)
*cough*

Which is also again saying
Learn to threat model in reality.

Impact!
What is the business
impact of this breach.

Defacement vs. DDoS
→ If you're a real time trading house large DNS
provider, DDoS is a really expensive thing,
defacement is not as big.
→ A political party website, DDoS is just annoying,
defacement could be huge.

Mail doxing/spooling
→ If you're a hacker in the 90s, having your mail
shared with a 'zine is annoying.
→ If you're a presidential candidate, your mail being
public could endanger an election.

In just your company
→ Credit card processing done by you or someone
else (hi Stripe)
→ PII or other user data.
→ Laptop being stolen (please tell me they're
encrypted and passworded...)
→ Annoying people from Lizard Squad on IRC, and
suffering a large DDoS.

Breaches

How do systems get
(0wned|compromised|
breached)

Well here's how it happened in the 90s.
l33t$ cc -o humpdee humpdee.c
l33t$ ./humpdee 203.0.113.76
Humpdee c0ded by Tekneeq Crew!
Local address: 198.51.100.12
Return position: 678
Return address: 0x01423908
Got shell
# id
uid=0(root) gid=0(root)

Big thanks to our teal 90s sponsor
.
. .
.s$ '$&ty . .
.s$$$sss..yssss. $$$' ,&ft,ysp ,sss. ,saaas. ,saaas. .ssuiis ss
$$$' d$$',`$$b $$$ .$$f",`$$$P"Y$$b d$V" `$$b d$$' "$$b d$$" `$$$"
$$$ $$$sss$$$ $$$$$K. $$$ ;$$$ $$$sss$$& $$$sss$$$ $$$ ,$$$
$$$ .,$$$, .ss $$$ `$$bs. $$$, $$$ $$$' .ss $$$' ,ss.$$$ .,;$$$
"Y$$" `Y$$sd$P",$$$, Y$$B.$$$i. $$$L`Y$bsd$P' `T$bsd$$P `V$baod$$$
`"" `"""""' '"""' """"'"""" """' `""""" `""""' `"""""Y$$
.$$$.
. . . . . . . .y$$$b. .
'Y$P'
. Y"
.'
http://www.attrition.org/hosted/tekneeq/

(I'm trying to be invited back next year)
$shellcode = @("shellcodez"/L)
x31xdbxb0x1bxcdx80x31xc0xb0x02xcdx80x85xc0
x75x32x31xdbx89xd9xb1x01x31xc0xb0x3fxcdx80
x31xdbx89xd9xb1x02x31xc0xb0x3fxcdx80xebx1f
x5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b
x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8
x40xcdx80xe8xdcxffxffxff/bin/sh
|-shellcodez
madexploit { "humpdee":
ensure => shell,
targer => '203.0.113.76',
shellcode => $shellcode,
require => Date['90s'],
}

Timewarp to now!
→ 99% of servers don't have real routable IPs.
→ TEH CLOUD, NAT, Load balancers, &c.
→ A few people bought ﬁrewalls.
→ DEP, SEP, Stack cookies, ASLR, GENTOO!!!11
→ Hopefully you've patched this vuln from 1997?

iOS
(not IOS, that is somewhat less secure)

Things we know
→ FBI bought an "exploit" for $1M.
→ Zerodium had a $1M bounty for full remote end to
end compromise.
→ Apple's own bug bounty for certain things in in
the $100,000s range.
→ Maybe someone in your company has one of
these iPhone devices?

ZOMG!
an attacker could get a foothold in your
network for a cool $1m dollars!

Reality
→ So for the quick simple payment of $1m dollars
you're totally getting owned.
→ if your attacker has $1m spare to spend on just an
exploit.
→ and owning you is worth >$1m.
→ oh yeah, and there's no cheaper way to do it.

Reality 2
→ Attackers have budgets.
→ Majority of attacks have ﬁnancial motives.
→ Defense is about raising those costs.
→ (whilst still allowing your company to continue to
make money)

Zero day is not
your biggest worry.

So how do we
ﬁx this?
with threat modelling

Say you have N months allocated to a
security project.
Which of these will give a better return on
your overall security?

Rolling out the awesome
Grsecurity on all your
linux servers.

Rolling out a password
manager to everyone in
your organisation.

One of these is awesome
cool tech, which stops
mad 0day.
(and I really love the work of GRSec)

The other involves
talking to people in the
company and helping
them with a password
manager.

Arbitrary pie chart 3D DOUGHNUT CHART!

"The use of stolen, weak or default credentials in
breaches is not new, is not bleeding edge, is not
glamorous, but boy howdy it works"
- Verizon 2016 Data Breach Investigations Report

Passwords

Passwords == keys

More question time!
If you care about lock security, do you:
→ buy cheap crappy keys but replace your locks in
your whole house every month?
or
→ buy decent (cough European) locks and not worry
about it.

No one does the former
right?
(not that many people do the latter either, but anyway)

(also no ones house gets broken in to with
lockpicks either, but stop poking holes in
my analogy)

Which of these is better?
→ "Password1234oct"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

Which will be better next month?
→ "Password1234nov"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"

You're wrong Ben because reasons
→ Guessing the ﬁrst one, you can guess the others.
→ It'll be written down as it changes all the time.
→ Has much less entropy so they can remember it.
→ Second one is hashcat proof, the ﬁrst one is not.

If you want more than
just passwords!
Spend money on Duo and buy Yubikeys

Duo
→ gives you secure second factor over iPhone/
Android push notiﬁcations.
→ backup of SMS or phone call.
→ backup codes too.
→ more secure than TOTP 2FA.

Yubikeys == <3
→ Tiny USB cryptographic tokens that can tie in to
Duo to be a second factor.
→ no more having to ﬁnd your phone (I know, life is
hard...)
→ Can also generate & store SSH/GPG RSA keys.
→ Now have U2F/FIDO for, well, Dropbox, GitHub, and
Google

But most
importantly...

STOP MAKING YOUR
COLLEAGUES HATE YOU!

Be nicer? Madness
At Etsy, we try, really hard, to make the security team
approachable and friendly!
(In spite of hiring me)

Why do this?
(Other than working for a hugging
company)

Phishing
This is pretty new, has anyone heard of it?

Solving phishing!
→ Can't be done, despite what Barracuda may want
to sell you.
→ 99% of people entering details vs. 9% of people
entering details isn't all that helpful.
→ (But still try to reduce it)

Solving phishing IR
Having people tell the security team when a phishy
email comes in, even if they've clicked on everything
and shared their passwords, is great.

Not solving phishing IR
Having a holier than thou, mad leet security team
who talk down to people when they report a
phishing email.
That will be the last time they bother to report
anything to you.

Love always ﬁnds a way.
→ If security block everything, people will just do it
anyway.
→ "Shadow" teams spin up, and just avoid all your
safeguards.
→ you block all outbound trafﬁc bar the proxy,
someone will run corkscrew.

Security
people, be
nicer ❤

And now the
second half

Conclusions
→ Start from securing from least skilled attacker up,
not most skilled down.
→ Be realistic about your threat model.
→ Whilst its cool to defend against people with
bigger budgets. Actually defending is better than
trying and failing.

Conclusions deux
→ Pick the boring definite wins, not the exciting
maybe wins.
→ Yes, you won't get a BlackHat talk out of them, but
you will be more secure.
→ Attackers want to win, Defenders can definitely
win if they pick the right fight.

Thank you
→ Twidder: @benjammingh
→ LinkedIn: lnkdin.me/p/benyeah
→ SpeakerDeck: speakerdeck.com/barnbarn
→ JitHub: github.com/barn
→ Etsy: Careers --- CodeAsCraft <--- our blog
→ Fax: pending.

Wham!

PuppetConf 2016: How You Actually Get Hacked – Ben Hughes, Etsy

Recommandé

Recommandé

Contenu connexe

Similaire à PuppetConf 2016: How You Actually Get Hacked – Ben Hughes, Etsy

Similaire à PuppetConf 2016: How You Actually Get Hacked – Ben Hughes, Etsy (20)

Plus de Puppet

Plus de Puppet (20)

Dernier

Dernier (20)

PuppetConf 2016: How You Actually Get Hacked – Ben Hughes, Etsy