Transcript
Page 1: Security its-more-than-just-your-database-you-should-worry-about

Security: It's more than just your database you should worry about

David Busby, Information Security Architect, 2014-11-02

Page 2: Security its-more-than-just-your-database-you-should-worry-about


• David Busby
  – Percona since January 2013
  – R.D.B.A
  – EMEA && Security Lead
  – I.S.A (current)
  – 14 years sysadmin / dev
  – Ju-Jitsu instructor for N.F.P club
  – Volunteer assist teaching computing at secondary school

Page 3: Security its-more-than-just-your-database-you-should-worry-about

Agenda

• Got F.U.D?
• What is an attack surface?
• D.A.C, M.A.C, I.P.S, I.D.S, WTF?
• Heartbleed / Shellshock / #gate / #bandwagon
• Detection or prevention: the boy who cried wolf
• Emerging tech to keep an eye on
• 2014 … it's been interesting

Page 4: Security its-more-than-just-your-database-you-should-worry-about

Here be dragons ...

• Previous talks focused on a select set of identification and prevention
● This talk is different …
● Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way
● There's F.U.D by the ton; and we each get a shovel.

Page 5: Security its-more-than-just-your-database-you-should-worry-about

Got F.U.D?

• Fear, Uncertainty, Doubt
• C.R.I.M.E (CVE-2012-4929)
• B.E.A.S.T (CVE-2011-3389)
• Heartbleed (CVE-2014-0160)
• Shellshock (CVE-2014-6271, 6277, 6278, 7169, 7186, 7187)
• P.O.O.D.L.E (CVE-2014-3566)

Page 6: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Potential areas for compromise
  – Application
  – Database
  – Network
  – Hardware
  – Software
  – Employees
  – Other

Page 7: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Application
  – Engine / Interpreter, e.g. Java, PHP, etc.
    ● e.g. PHP CVE-2011-4885 (hash collision)
  – Framework
    ● Or most likely a plugin
  – Developer errors: SQLi, XSS, CSRF etc ...
  – HTTP service: Apache, Nginx, Lighttpd, etc.
  – Sysadmin errors, e.g. misconfiguration of SSL ciphers / certs

Page 8: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Database
  – Weak passwords
  – Overpermissive grants
  – Overly broad host specifications, e.g. @%
    ● Vulnerabilities in service (often denoted by CVEs, e.g. CVE-2012-2122)
  – Poor isolation (network, users etc)
  – Malicious plugins, e.g. UDFs

Page 9: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Network
  – Overly open ACLs
  – Little or no isolation
  – Little or no monitoring
  – Little or no packet inspection
  – “An open playground”
  – Hardware embedded OS vulnerabilities
  – Other entry points
    ● It's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

Page 10: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Hardware
  – Lack of tamper evident seals
  – Lack of control of use
  – Malicious USB / Firewire / etc
    ● COTTONMOUTH-I
    ● Iron Geek's plug & prey
    ● USB Rubber Ducky
  – Embedded firmware vulnerabilities
  – “Freebie” / “Gift” / “Other”
  – Lack of physical access controls
    ● e.g. Barclays £1.3M theft
  – Lack of $vendor updates (e.g. Android)

Page 11: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Lock all the things!
  – Combination T.S.A locks
    ● Easily picked
  – Traditional tumbler locks
    ● Picking / bump keys
  – Biometrics
    ● Mythbusters
• Key pads
  – Check for wear / dirt marks / vendor codes
• Key switches (e.g. in lifts)
  – As per above
• Room card keys
  – Magstripe read and write
• RFID
  – Easily read tag contents and replay

Page 12: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• And then there's … I.o.T
  – T.V
  – Cameras
  – Light bulbs
  – Fridges
  – Home automation
  – Locks
  – Printer
    ● Cloud print …
  – Etc
  – Supervisory Control And Data Acquisition
    ● Let's put a hydroelectric dam control system on the internet!

Page 13: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• But wait … there's more!
• Your cars
• Medical devices (more famously RF-enabled pacemakers), wireless insulin pumps etc …
• https://www.iamthecavalry.org/

Page 14: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Software
  – Modified binaries
  – “Install for FREE STUFF!”
  – Unaudited source code … cough cough
    ● Truecrypt, openssl ...
  – Poor isolation (no M.A.C, only D.A.C)
  – Process injection, buffer overflows etc …
  – Unpatched software

Page 15: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Employees
  – “I put all my details on this pastebin, can you take a look?”
  – “Sure you can use my phone / workstation!”
  – “So all I have to do is click this link?”
  – “Oh you're from HR? Sure I can install that!”
  – “A magic trick? YEY!”
  – “FREE STUFF?!”

Page 16: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Employees
  – Phishing / Spear Phishing
  – Social engineering
  – D.L.P bypass is no longer just crafted devices
    ● Making commodity USB "evil"
    ● Derbycon presentation
    ● Adam Caudill && Brandon Wilson
  – Implied trust
    ● Uniform / Badge != Proof

Page 17: Security its-more-than-just-your-database-you-should-worry-about

What's an “attack surface”?

• Other
  – Side channel attacks
    ● Cache timing
    ● Co-residency (side channel against “cloud”)
  – Unintentional “emissions”
    ● Melissa Elliot “Noise Floor”
    ● S.D.R (Software Defined Radio)
    ● Monitor / Display, RAM, F.S.B, etc ...

Page 18: Security its-more-than-just-your-database-you-should-worry-about

F.U.D!

Page 19: Security its-more-than-just-your-database-you-should-worry-about

Well … not so much

Page 20: Security its-more-than-just-your-database-you-should-worry-about

D.A.C, M.A.C, I.P.S, I.D.S … WTF?

• Discretionary Access Control
  – POSIX permissions
    ● File mode
    ● UID
    ● GID
    ● Software runs with the same permissions as the user and group
    ● e.g. your browser could read ~/.ssh/id_rsa in this model

Page 21: Security its-more-than-just-your-database-you-should-worry-about

D.A.C, M.A.C, I.P.S, I.D.S … WTF?

• Mandatory Access Control
  – SELinux
    ● Process running with context x
    ● e.g. MySQL
    ● Access to resource y
    ● listen *:3306
    ● Denied access to resource z
    ● Connect *:80
  – AppArmor
  – Gazzang (has some M.A.C)
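The two slides above describe two separate access decisions. The following Python model is an added example, not code from the talk: it evaluates POSIX DAC (mode bits against the caller's uid/gids) and layers a constructed, SELinux-style default-deny type-enforcement table on top, so the same 0600 "private key" is readable by a process labelled shell_t but not by one labelled browser_t, even though both run as the same user. The context names (shell_t, browser_t, ssh_home_t, mysqld_t, port_3306_t) and the ALLOW table are assumptions for illustration, not taken from any real policy.

```python
"""DAC versus MAC as a runnable model (added example, not from the slides).

Discretionary Access Control (DAC) is the POSIX decision: mode bits, owner
uid and gid, compared against the uid/gids of the calling process.  Any
program a user runs (a browser included) inherits that user's identity, so
DAC alone lets it read ~/.ssh/id_rsa.  Mandatory Access Control (MAC) adds a
second, default-deny decision keyed on the process's security context.
"""
import os
import stat
import tempfile


def dac_can_read(st_mode, st_uid, st_gid, uid, gids):
    """POSIX DAC for read: owner class, else group class, else other class.

    Only one class applies, which is why a file with mode 0o007 that you own
    is unreadable to you.
    """
    if uid == 0:
        return True  # root bypasses file mode checks (CAP_DAC_OVERRIDE)
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


# Constructed type-enforcement policy: (subject context, object label, permission).
# Anything not listed is denied; MAC can only remove access that DAC would grant.
ALLOW = {
    ("shell_t", "ssh_home_t", "read"),
    ("shell_t", "user_home_t", "read"),
    ("browser_t", "user_home_t", "read"),
    ("mysqld_t", "port_3306_t", "listen"),
}


def mac_allows(context, label, perm):
    """MAC lookup: default deny."""
    return (context, label, perm) in ALLOW


def may_read(path, context, label, uid=None, gids=None):
    """Evaluate both layers for a file read; returns (dac_decision, mac_decision)."""
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    dac = dac_can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)
    mac = mac_allows(context, label, "read")
    return dac, mac


def demo():
    """Create a 0600 placeholder 'id_rsa' owned by the current user and test both layers."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_rsa")
        with open(key, "w") as f:
            f.write("-- constructed placeholder, not a real key --\n")
        os.chmod(key, 0o600)
        as_shell = may_read(key, "shell_t", "ssh_home_t")
        as_browser = may_read(key, "browser_t", "ssh_home_t")
    return {"shell": as_shell, "browser": as_browser}


if __name__ == "__main__":
    for proc, (dac, mac) in demo().items():
        verdict = "read" if dac and mac else "denied"
        print(f"{proc:8s} DAC={'allow' if dac else 'deny'} MAC={'allow' if mac else 'deny'} -> {verdict}")
```

Running it shows DAC granting the read in both cases (same uid as the owner) and MAC denying it for the browser context only, which is the isolation gap the "no M.A.C, only D.A.C" bullet on the Software slide refers to.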

Page 22: Security its-more-than-just-your-database-you-should-worry-about

Heartbleed/Shellshock/#bandwagon

• “Media”
  – Need to drive views / purchases aka revenue
  – F.U.D “slinging” is an effective method for this. (Everything is a Virus)
    ● e.g. The Register's “Critical SSL vulnerability out tomorrow”
    ● No detail
    ● No sources
    ● PURE F.U.D

Page 23: Security its-more-than-just-your-database-you-should-worry-about

Heartbleed/Shellshock/#bandwagon

• But naming vulnerabilities has its place
  ● C.R.I.M.E / CVE-2012-4929
  ● B.E.A.S.T / CVE-2011-3389
  ● Heartbleed CVE-2014-0160
  ● Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
  ● P.O.O.D.L.E CVE-2014-3566

Page 24: Security its-more-than-just-your-database-you-should-worry-about

Heartbleed/Shellshock/#bandwagon

• Even if it can go a bit far ...

Page 25: Security its-more-than-just-your-database-you-should-worry-about

Heartbleed/Shellshock/#bandwagon

• There is hope behind the hype.
  ● Elastica Inc @ Vimeo
    ● Heartbleed instructional video
    ● Shellshock instructional video
    ● Poodle instructional video

Page 26: Security its-more-than-just-your-database-you-should-worry-about

Detection or prevention

• Why not both?
  – Block known “bad”
    ● By writing your own rules
    ● Regularly syncing with emerging rules
  – Allow known “good”
    ● IPS / WAF blocking your app? Write an exception, carefully!
    ● Be selective!
    ● e.g. don't: if /cart(.*) then skip
  – Log everything else
    ● And check the logs!
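The slide's anti-pattern, `if /cart(.*) then skip`, is easiest to see in a small model. The following Python is an added example, not code from the talk or from any WAF product: a toy SQLi signature, a broad path-prefix exception and a scoped exception pinned to method, exact path, parameter name and value shape, run over four constructed requests. The rule, the /cart endpoints, the "gift note ending in --" false positive and all sample requests are assumptions for illustration.

```python
"""Why a path-prefix WAF exception is the wrong exception (added example).

Models an IPS/WAF inspection decision with a toy SQLi rule and two ways of
writing an exception for one known false positive (gift notes on /cart/note
legitimately end in '--').  The broad form exempts everything under /cart,
the scoped form exempts exactly the false positive.  All rules, endpoints and
requests are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Toy signature: quoted OR tautology, UNION SELECT, or a trailing SQL comment.
SQLI_RULE = re.compile(r"(?i)'\s*or\s*'|union\s+select|--\s*$")


def rule_matches(request):
    """Run the toy rule over every decoded query-string value."""
    qs = parse_qs(urlsplit(request["uri"]).query)
    return any(SQLI_RULE.search(v) for values in qs.values() for v in values)


def broad_exception(request):
    """The slide's anti-pattern: any URI starting with /cart skips inspection.

    No path normalisation happens either, so /cart/../admin matches too.
    """
    return re.match(r"/cart(.*)", request["uri"]) is not None


def scoped_exception(request):
    """One false positive, one exception: POST /cart/note whose only parameter
    is a quote-free `text`.  Everything else is still inspected."""
    if request["method"] != "POST":
        return False
    parts = urlsplit(request["uri"])
    if parts.path != "/cart/note":
        return False
    qs = parse_qs(parts.query)
    return set(qs) == {"text"} and all("'" not in v and '"' not in v for v in qs["text"])


def decide(request, exception):
    """'skip' if the exception applies, else 'block' on a rule hit, else 'allow'."""
    if exception(request):
        return "skip"
    return "block" if rule_matches(request) else "allow"


# Constructed traffic: a legitimate note, an injection attempt against the
# cart, a traversal-style path that still starts with /cart, unrelated traffic.
REQUESTS = [
    {"method": "POST", "uri": "/cart/note?text=Happy+birthday+--"},
    {"method": "GET", "uri": "/cart/items?id=1'+OR+'1'='1"},
    {"method": "GET", "uri": "/cart/../admin/users?id=1+UNION+SELECT+1"},
    {"method": "GET", "uri": "/checkout?step=2"},
]


def evaluate(exception):
    """Decision per request, in REQUESTS order."""
    return [decide(r, exception) for r in REQUESTS]


if __name__ == "__main__":
    for name, exc in (("broad", broad_exception), ("scoped", scoped_exception)):
        print(f"{name:7s}", evaluate(exc))
```

With the broad exception the second and third requests are never inspected; with the scoped one they are blocked while the gift note still passes. The design point is that an exception should name the smallest thing it has to exempt (method, exact path, parameter, value shape), never a prefix.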

Page 27: Security its-more-than-just-your-database-you-should-worry-about

Detection or prevention

• Why not both?
  – Generate alerts
    ● e.g. logstash can send alerts to nagios
  – Y.M.W.V
    ● You will know your application's behaviour
    ● Consider what's “out of context”
    ● e.g. 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)
    ● 10x increase in requests, could be a DoS
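The two "10x" signals on this slide can be implemented as a baseline comparison over per-minute counts. The following Python is an added example, not code from the talk or from logstash: it buckets constructed access-log lines per minute, tracks total requests and invalid cart additions (POST /cart/add answered with a 4xx), and raises an alert when a minute reaches 10x the mean of the preceding minutes. The log format, the paths, the traffic and the baseline floor of one event per minute (so a metric that is normally zero still alerts sensibly) are all assumptions for illustration.

```python
"""Out-of-context detection: alert on a 10x jump over the app's own baseline.

Added example, not from the slides.  Two metrics are tracked per minute:
total requests (a DoS indicator) and additions of invalid items to the cart
(a probing / SQLi indicator).  Format, paths and traffic are constructed.
"""
from collections import defaultdict
from datetime import datetime

METRICS = ("requests", "cart_invalid")


def parse_line(line):
    """Constructed format: '<iso timestamp> <method> <path> <status>'."""
    ts, method, path, status = line.split()
    return datetime.fromisoformat(ts), method, path, int(status)


def window_counts(lines):
    """Bucket events per minute; cart_invalid = POST /cart/add answered 4xx."""
    counts = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for line in lines:
        ts, method, path, status = parse_line(line)
        key = ts.strftime("%Y-%m-%dT%H:%M")
        counts[key]["requests"] += 1
        if method == "POST" and path.startswith("/cart/add") and 400 <= status < 500:
            counts[key]["cart_invalid"] += 1
    return dict(sorted(counts.items()))


def detect_spikes(counts, factor=10, floor=1.0):
    """Return (window, metric, ratio) wherever a metric is >= factor x its baseline.

    Baseline = mean of all preceding windows, floored at `floor` so that a
    metric that is normally zero does not divide by zero or alert on a single event.
    """
    alerts = []
    history = {m: [] for m in METRICS}
    for window, metrics in counts.items():
        for m in METRICS:
            if history[m]:
                baseline = max(sum(history[m]) / len(history[m]), floor)
                ratio = metrics[m] / baseline
                if ratio >= factor:
                    alerts.append((window, m, round(ratio, 1)))
            history[m].append(metrics[m])
    return alerts


def build_sample_log():
    """Constructed traffic: five quiet minutes (6 req/min, one valid cart add
    each), then one minute with 60 requests of which 50 are invalid cart adds."""
    lines = []
    for minute in range(5):
        for i in range(5):
            lines.append(f"2014-11-02T10:0{minute}:{i * 10:02d} GET /item/{i} 200")
        lines.append(f"2014-11-02T10:0{minute}:55 POST /cart/add?sku=SKU-1234 200")
    for s in range(10):
        lines.append(f"2014-11-02T10:05:{s:02d} GET /item/{s} 200")
    for s in range(10, 60):
        lines.append(f"2014-11-02T10:05:{s:02d} POST /cart/add?sku=nonexistent-{s} 400")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(window_counts(build_sample_log())):
        print("ALERT", *alert)
```

In a real deployment the baseline would come from a longer window (same hour on previous days, for instance) rather than the last few minutes, and the alert would be sent on to nagios or a similar system as the slide describes; the comparison logic is the same.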

Page 28: Security its-more-than-just-your-database-you-should-worry-about

Detection or prevention

• Detection
  ● Alert on set conditions
  ● SQLi, fuzzing, out of context requests.
  ● Write rules / exceptions to reduce “noise”
  ● Be specific in said rules!
• Prevention
  ● Block and alert
  ● Reduce “noise” through blacklists.
  ● e.g. an eve.json alert record:

{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
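The record on this slide is one line of Suricata's newline-delimited eve.json output (the format the Suricata slide later in the deck refers to). The following Python is an added example, not code from the talk or from Suricata: it parses such lines, keeps only alert events at or above a severity threshold, drops signature ids on a suppression list (the "be specific in said rules" side), collapses repeats of the same signature from the same source into one counted line, and maps the result to a Nagios-style exit code. The first sample line is the slide's record joined onto one line with its redacted dest_ip kept as-is; the other lines, the suppression list, the signature id 9000001 and the status mapping are constructed assumptions.

```python
"""Suricata eve.json alerts to a noise-reduced Nagios-style status (added example).

Parses newline-delimited eve.json, keeps alerts worth a human's attention,
collapses repeats and maps the outcome to 0/1/2.  Suricata severities run
1 (high) to 3 (low).  The suppression list and mapping are assumptions.
"""
import json
from collections import Counter

# Constructed sample input; the first line is the slide's record on one line.
EVE_LINES = [
    '{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2014-05-15T07:30:43.100000","event_type":"alert","src_ip":"101.227.170.42","src_port":58614,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2014-05-15T07:31:02.000000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"XXX.XXX.XXX.XXX","proto":"TCP"}',
    '{"timestamp":"2014-05-15T07:31:10.000000","event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED noisy rule that fires on the monitoring poller","category":"Not Suspicious Traffic","severity":3}}',
    "this line is not JSON and must not abort processing",
]

# Constructed: signature ids known to fire on our own monitoring poller.
SUPPRESS = {9000001}


def parse_alerts(lines):
    """Yield alert events; skip other event types and malformed lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") == "alert" and "alert" in ev:
            yield ev


def summarize(lines, min_severity=2, suppress=SUPPRESS):
    """Count (src_ip, signature_id, signature, severity) for alerts worth seeing.

    A lower severity number is more severe, so keep severity <= min_severity.
    """
    counts = Counter()
    for ev in parse_alerts(lines):
        a = ev["alert"]
        if a["signature_id"] in suppress or a["severity"] > min_severity:
            continue
        counts[(ev["src_ip"], a["signature_id"], a["signature"], a["severity"])] += 1
    return counts


def nagios_status(summary):
    """Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL (severity 1 present)."""
    if not summary:
        return 0, "OK - no alerts"
    worst = min(sev for (_, _, _, sev) in summary)
    code = 2 if worst == 1 else 1
    detail = "; ".join(
        f"{sig} from {src} x{n}" for (src, sid, sig, sev), n in sorted(summary.items())
    )
    return code, ("CRITICAL" if code == 2 else "WARNING") + " - " + detail


if __name__ == "__main__":
    code, text = nagios_status(summarize(EVE_LINES))
    print(code, text)
```

Two repeats of the slide's signature from the same source become one WARNING line with a count of 2, the flow record and the malformed line are ignored, and the constructed severity-3 poller noise is suppressed by signature id rather than by a broad source or path match.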

Page 29: Security its-more-than-just-your-database-you-should-worry-about

Detection or prevention

• Reduce NOISE!
  – Avoiding the “boy who cried wolf”
  – Aka staff becoming desensitized to the slew of alerts: “oh that's normal, just ignore”
  – “Familiarity breeds contempt”
• Why not just buy $product?
  – It's still an option, but be 100% sure you know what you're buying.
    ● Paying over the odds for rebranded Nessus is never good.
    ● Ongoing rule updates, custom rule support, $vendor support to “tune” the appliance to your needs.

Page 30: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• Fidoalliance.org
  – U2F (Universal 2nd Factor)
  – UAF (Universal Authentication Framework)
  – Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, Paypal, Qualcomm, RSA, Samsung, Visa …
    ● The list of members is extensive
  – TL;DR improve security by implementing a common two factor auth standard; and commoditizing it to improve adoption.

Page 31: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• Keybase.io
  – Nodejs
  – “socializes” GPG
    ● Tracking → sign a “snapshot” of their key and identity profile
    ● “On this date I <name> verify this is Joe Bloggs's gpg key, twitter account … etc”
  – TL;DR wrapper and service to help spread the use of GPG
  – https://keybase.io/oneiroi/

Page 32: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• Suricata
  – IDS / IPS
  – libjansson → eve.json
    ● Compatible with E.L.K stack: blog post
  – Multi threaded
    ● Claims 10Gbit support with no ruleset sacrifice
    ● Protocol identification
    ● File identification, extraction
  – Open Information Security Foundation

Page 33: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• E.L.K (Elasticsearch, Logstash, Kibana)
  – Easily store, index and visualize data
    ● e.g. Suricata data

Page 34: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• Docker
  – Wrapper for LXC
    ● “Linux containers”
  – Vagrant / git-esque CLI
  – Raw hardware access
    ● Not paravirtual
  – Suffers from “container breakout”
    ● Gains root on host system
  – REST API is very open
  – Docker Security page
  – Dan Walsh: SELinux and Docker

Page 35: Security its-more-than-just-your-database-you-should-worry-about

Emerging tech to keep an eye on

• Haka
  – “Software defined security”
  – $developer-centric security
  – Lua DSL
  – Another tool in the $devops chain
  – E.L.K support
• Why not IPTables / Netfilter / other?
  – Why not both?
  – Eases developer adoption

Page 36: Security its-more-than-just-your-database-you-should-worry-about

2014 … it's been interesting

• 2014
  – Isn't over yet ...
  – Heartbleed, Shellshock, POODLE
  – F.U.D
    ● Gmail “leak” (wasn't Gmail, just happened to have Gmail addresses)
    ● Dropbox “leak” (wasn't Dropbox, just happened that users were using the same credentials)
  – Home Depot
  – Target (Fall 2013, still “in the news”)

Page 37: Security its-more-than-just-your-database-you-should-worry-about

2014 … it's been interesting

• 2014
  – No more “head in the sand”
  – No more “features before security”
  – The cost of compromise is proven
  – Increasing ubiquity of I.o.T
    ● without proper security measures is not maintainable
  – Time to build security into the product, not as an afterthought.

Page 38: Security its-more-than-just-your-database-you-should-worry-about

2014 … it's been interesting

• 2014
  – You are not alone!
  – https://www.iamthecavalry.org/
  – http://www.openinfosecfoundation.org/
  – https://www.reddit.com/r/netsec
  – http://seclists.org/fulldisclosure/
  – https://bugcrowd.com
  – https://44con.com/
  – http://dc4420.org/
  – Deploy your own “Responsible disclosure program”

Page 39: Security its-more-than-just-your-database-you-should-worry-about

The End …

• Questions? (And thank you for attending!)
• I also have a tirade of equipment with me if anyone is interested in learning more; see me after this talk.

