Here are the slides from Ben Hughes's PuppetConf 2016 presentation called How You Actually Get Hacked. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa
2. AKA Do you want ants?
Because that's how you get ants!
2 — @benjammingh for PuppetConf 2016
3. Who's this clown? [2]
→ Infrastructure security at Etsy.
→ Puppet Labs Operations alumni.
→ First used Puppet on the 0.26 branch.
→ Has only been in big trouble with the phone company once.
[2] https://twitter.com/skullmandible/status/411281851131523072
4. What this talk is about?
→ Risk and threat modelling.
→ Reality, and infosec's aversion to it.
→ What to actually focus on, to be more secure, but less hipster.
→ Security myopia and the best being the enemy of the good.
5. What this talk is not about?
→ Mad 0day. Go to Infiltrate.
→ Vendor Sponsorship. (Note however, it is Black Friday soon: www.etsy.com)
→ Me reading out breach reports.
→ Nessus.
7. Google Syndrome Disclaimer!
If you are Google/Facebook/BAE Systems/Raytheon/any part of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you.
Also stop listening to funny haired people who work at yarn websites for your security advice!
Smash the 1%, eat the rich!
21. "The state or condition of being or feeling secure."
-- The Oxford English Dictionary (as HRH Queen Elizabeth the Second decrees)
24. Who are you defending against?
→ Scripts (mass own WordPress, nmap/zmap looking for mongodb/mssql/etc.)
→ Script kiddies (the above, but with a tutorial)
→ Bug Bounties (hand wave: 80% of attacks on your website?)
→ Red Teams/Pen tests (every... 6 months? maybe?)
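As an added illustration of the first bullet (example code written for these notes, not the speaker's), here is a small Python detector that reads constructed connection-log lines and flags one source probing many hosts on database ports, which is what a zmap-style sweep for exposed MongoDB or MSSQL looks like from the defender's side. The log line format, every address, and the threshold of five targets are assumptions; the port numbers are the standard ones.

```python
"""Flag horizontal sweeps for database services in connection logs.

Added example for these notes, not from the talk. The log line format
(timestamp src dst dport action) and every address below are constructed.
"""
from collections import defaultdict

# Services mass scanners look for; port numbers are the standard IANA ones.
DB_PORTS = {27017: "mongodb", 1433: "mssql", 3306: "mysql", 6379: "redis"}

# Constructed sample: one external host sweeping a /24 for MongoDB (one
# target answers), an internal admin host talking to the same DB repeatedly,
# and ordinary HTTPS traffic that should not be flagged.
SAMPLE_LOG = """\
2016-10-20T03:14:01Z 203.0.113.76 198.51.100.10 27017 ACCEPT
2016-10-20T03:14:01Z 203.0.113.76 198.51.100.11 27017 DROP
2016-10-20T03:14:01Z 203.0.113.76 198.51.100.12 27017 DROP
2016-10-20T03:14:02Z 203.0.113.76 198.51.100.13 27017 DROP
2016-10-20T03:14:02Z 203.0.113.76 198.51.100.14 27017 DROP
2016-10-20T03:14:02Z 203.0.113.76 198.51.100.15 27017 DROP
2016-10-20T03:14:03Z 203.0.113.76 198.51.100.16 27017 DROP
2016-10-20T03:14:03Z 203.0.113.76 198.51.100.17 27017 DROP
2016-10-20T03:15:10Z 10.0.0.5 198.51.100.10 27017 ACCEPT
2016-10-20T03:15:11Z 10.0.0.5 198.51.100.10 27017 ACCEPT
2016-10-20T03:15:12Z 10.0.0.5 198.51.100.10 27017 ACCEPT
2016-10-20T03:16:00Z 192.0.2.44 198.51.100.10 443 ACCEPT
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_horizontal_scans(lines, min_targets=5):
    """Return sources that touched at least min_targets distinct hosts on one DB port.

    Each finding also lists the targets that ACCEPTed the probe: those are the
    hosts to look at first, because the scanner now knows they answer.
    """
    probed = defaultdict(set)    # (src, dport) -> distinct destinations
    answered = defaultdict(set)  # (src, dport) -> destinations that accepted
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] not in DB_PORTS:
            continue
        key = (rec["src"], rec["dport"])
        probed[key].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            answered[key].add(rec["dst"])

    findings = []
    for (src, port), dsts in probed.items():
        if len(dsts) >= min_targets:
            findings.append({
                "src": src,
                "service": DB_PORTS[port],
                "port": port,
                "targets": len(dsts),
                "exposed": sorted(answered[(src, port)]),
            })
    return sorted(findings, key=lambda f: -f["targets"])


if __name__ == "__main__":
    for f in find_horizontal_scans(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} swept {f['targets']} hosts on {f['service']}/{f['port']}; "
              f"answering hosts: {', '.join(f['exposed']) or 'none'}")
```

The admin host is not reported because it keeps talking to one destination; the sweep is reported because one source fans out across many. The `exposed` list is the actionable part: a database that accepted an unauthenticated probe from the internet is exactly the low-skill win the deck says to close first.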
25. Other attackers?
→ China!!!111 (though now Russia is in vogue)
→ Hackers in it for the lols (needs no explanation)
→ Hacktivists (I remain unconvinced these are real)
→ Hacking for profit (not for fun. See China)
26. The main ones, ZOMG.
→ NSA.
→ Now and then the FBI.
→ Everyone forgets about CSE (and all of Five Eyes).
→ GCHQ (who seem to have fewer morals...)
27. "How to NSA-Proof your Apple iCloud account. – Underground Network"
"Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder"
"NSA-proof your e-mail in 2 hours"
"How NSA-Proof Are VPN Service Providers?"
28. "An NSA-proof operating system. Yes, for real."
"NSA-proof passwords"
"NSA-proof SSH"
"Physicists are building an NSA-proof internet"
29. The NSA should probably not be in your threat model.
33. Which is also again saying: learn to threat model in reality.
34. Impact!
What is the business impact of this breach?
35. Defacement vs. DDoS
→ If you're a real-time trading house or a large DNS provider, DDoS is a really expensive thing; defacement is not as big.
→ For a political party website, DDoS is just annoying; defacement could be huge.
36. Mail doxing/spooling
→ If you're a hacker in the 90s, having your mail shared with a 'zine is annoying.
→ If you're a presidential candidate, your mail being public could endanger an election.
37. In just your company
→ Credit card processing done by you or someone else (hi Stripe).
→ PII or other user data.
→ Laptop being stolen (please tell me they're encrypted and passworded...).
→ Annoying people from Lizard Squad on IRC, and suffering a large DDoS.
40. How do systems get (0wned|compromised|breached)?
41. Well here's how it happened in the 90s.
l33t$ cc -o humpdee humpdee.c
l33t$ ./humpdee 203.0.113.76
Humpdee c0ded by Tekneeq Crew!
Local address: 198.51.100.12
Return position: 678
Return address: 0x01423908
Got shell
# id
uid=0(root) gid=0(root)
43. (I'm trying to be invited back next year)
$shellcode = @("shellcodez"/L)
  \x31\xdb\xb0\x1b\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x85\xc0
  \x75\x32\x31\xdb\x89\xd9\xb1\x01\x31\xc0\xb0\x3f\xcd\x80
  \x31\xdb\x89\xd9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f
  \x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b
  \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8
  \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
  |-shellcodez
madexploit { "humpdee":
  ensure    => shell,
  target    => '203.0.113.76',
  shellcode => $shellcode,
  require   => Date['90s'],
}
44. Timewarp to now!
→ 99% of servers don't have real routable IPs.
→ TEH CLOUD, NAT, load balancers, &c.
→ A few people bought firewalls.
→ DEP, SEP, stack cookies, ASLR, GENTOO!!!11
→ Hopefully you've patched this vuln from 1997?
45. iOS (not IOS, that is somewhat less secure)
46. Things we know
→ FBI bought an "exploit" for $1M.
→ Zerodium had a $1M bounty for full remote end-to-end compromise.
→ Apple's own bug bounty for certain things is in the $100,000s range.
→ Maybe someone in your company has one of these iPhone devices?
47. ZOMG! An attacker could get a foothold in your network for a cool $1m dollars!
48. Reality
→ So for the quick simple payment of $1m dollars you're totally getting owned...
→ if your attacker has $1m spare to spend on just an exploit,
→ and owning you is worth >$1m,
→ oh yeah, and there's no cheaper way to do it.
49. Reality 2
→ Attackers have budgets.
→ The majority of attacks have financial motives.
→ Defense is about raising those costs.
→ (Whilst still allowing your company to continue to make money.)
50. Zero day is not your biggest worry.
51. So how do we fix this? With threat modelling.
52. Say you have N months allocated to a security project. Which of these will give a better return on your overall security?
53. Rolling out the awesome Grsecurity on all your Linux servers.
54. Rolling out a password manager to everyone in your organisation.
55. One of these is awesome cool tech, which stops mad 0day. (And I really love the work of GRSec.)
56. The other involves talking to people in the company and helping them with a password manager.
57. Arbitrary pie chart (3D DOUGHNUT CHART!)
58. "The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works"
- Verizon 2016 Data Breach Investigations Report
61. More question time!
If you care about lock security, do you:
→ buy cheap crappy keys but replace your locks in your whole house every month?
or
→ buy decent (cough, European) locks and not worry about it?
62. No one does the former, right? (Not that many people do the latter either, but anyway.)
63. (Also no one's house gets broken into with lockpicks either, but stop poking holes in my analogy.)
65. Which of these is better?
→ "Password1234oct"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
66. Which will be better next month?
→ "Password1234nov"
or
→ "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
67. You're wrong Ben because reasons
→ Guessing the first one, you can guess the others.
→ It'll be written down, as it changes all the time.
→ It has much less entropy so they can remember it.
→ The second one is hashcat proof; the first one is not.
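The "guess the first one, you can guess the others" point is something a password-change handler can enforce. The following Python is an added example for these notes (not the speaker's code and not any product's): it strips the tokens people rotate (month names, years, counters, trailing punctuation) to see whether the "new" password is the old one with a fresh suffix, falls back to a similarity check, and gives a naive character-class entropy estimate for the two passwords on the slides. The rotation-token list and the 0.6 similarity threshold are assumptions chosen for illustration.

```python
"""Catch predictable password rotations and compare naive strength.

Added example for these notes, not from the talk. The rotation tokens and
the similarity threshold are assumptions chosen for illustration.
"""
import math
import re
from difflib import SequenceMatcher

# Things people bolt onto the end of a password when forced to rotate it:
# month names, years/counters, quarters, and trailing punctuation.
ROTATION_SUFFIX = re.compile(
    r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|q[1-4]|\d{1,4}|[!@#$%^&*.?_-]+)+$",
    re.IGNORECASE,
)


def stem(password):
    """Strip rotation tokens from the end, leaving the part people actually remember."""
    return ROTATION_SUFFIX.sub("", password)


def similarity(a, b):
    """0..1 ratio from difflib; case-insensitive so Oct/oct does not count as a change."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def is_trivial_rotation(old, new, threshold=0.6):
    """Return (rejected, reason). Reject when the new password is the old one
    with its rotation suffix changed, or is otherwise mostly the same string."""
    if old == new:
        return True, "unchanged"
    old_stem, new_stem = stem(old).lower(), stem(new).lower()
    if new_stem and old_stem == new_stem:
        return True, f"same stem {new_stem!r} with a rotated suffix"
    ratio = similarity(old, new)
    if ratio >= threshold:
        return True, f"too similar to previous password (ratio {ratio:.2f})"
    return False, "ok"


def naive_bits(password):
    """Character-class entropy estimate: length * log2(inferred alphabet size).

    This is the optimistic number: it credits 'Password1234oct' as if every
    character were random, which a dictionary-word-plus-suffix pattern is not."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    random_pw = "ainwobchiFatodFeb0WrorckyishroocsyacIsAfby"
    for old, new in [("Password1234oct", "Password1234nov"),
                     ("Password1234oct", random_pw)]:
        print(f"{old} -> {new}: {is_trivial_rotation(old, new)}")
    for pw in ("Password1234oct", random_pw):
        print(f"{pw}: ~{naive_bits(pw):.0f} bits (naive)")
```

Even the optimistic estimate puts the 42-character random string far ahead, and the real gap is larger: a cracker that models "word + digits + month" needs only the dictionary word and a handful of suffixes, which is the "hashcat proof" distinction the slide draws.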
68. If you want more than just passwords!
Spend money on Duo and buy Yubikeys.
69. Duo
→ Gives you a secure second factor over iPhone/Android push notifications.
→ Backup of SMS or phone call.
→ Backup codes too.
→ More secure than TOTP 2FA.
70. Yubikeys == <3
→ Tiny USB cryptographic tokens that can tie in to Duo to be a second factor.
→ No more having to find your phone (I know, life is hard...).
→ Can also generate & store SSH/GPG RSA keys.
→ Now have U2F/FIDO for, well, Dropbox, GitHub, and Google.
73. Be nicer? Madness
At Etsy, we try, really hard, to make the security team approachable and friendly! (In spite of hiring me.)
74. Why do this? (Other than working for a hugging company.)
77. Solving phishing!
→ Can't be done, despite what Barracuda may want to sell you.
→ 99% of people entering details vs. 9% of people entering details isn't all that helpful.
→ (But still try to reduce it.)
78. Solving phishing IR
Having people tell the security team when a phishy email comes in, even if they've clicked on everything and shared their passwords, is great.
79. Not solving phishing IR
Having a holier-than-thou, mad leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you.
80. Love always finds a way.
→ If security blocks everything, people will just do it anyway.
→ "Shadow" teams spin up, and just avoid all your safeguards.
→ You block all outbound traffic bar the proxy; someone will run corkscrew.
83. Conclusions
→ Start from securing from the least skilled attacker up, not the most skilled down.
→ Be realistic about your threat model.
→ Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.
84. Conclusions deux
→ Pick the boring definite wins, not the exciting maybe wins.
→ Yes, you won't get a BlackHat talk out of them, but you will be more secure.
→ Attackers want to win; defenders can definitely win if they pick the right fight.