Security: It's more than just your database you should worry about
David Busby, Information Security Architect
2015-08-05
David Busby
Percona since January 2013
R.D.B.A
EMEA && Security Lead
I.S.A (current)
15 years sysadmin / dev
Ju-Jitsu instructor for a N.F.P club.
Volunteer assistant teaching computing at a secondary school
Agenda
Got F.U.D?
What is an attack surface?
D.A.C, M.A.C, I.P.S, I.D.S, WTF?
Heartbleed / Shellshock / #gate / #bandwagon
Detection or prevention: the boy who cried wolf
Emerging tech to keep an eye on.
2014 / 2015: it's been interesting
Here be dragons ...
Previous talks focused on a select set of identification and prevention techniques. This talk is different.
The focus is on a mindset change: purely identifying potential attack vectors, with clarification of some points along the way.
There's F.U.D by the ton, and we each get a shovel.
Got F.U.D?
Fear Uncertainty Doubt
C.R.I.M.E (CVE-2012-4929)
B.E.A.S.T (CVE-2011-3389)
Heartbleed (CVE-2014-0160)
Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
P.O.O.D.L.E (CVE-2014-3566)
BEAST: Browser Exploit Against SSL/TLS
Targets CBC ciphers in TLS 1.0 and earlier; a chosen-plaintext attack that exploits the predictable (chained) IVs to recover plaintext such as cookies. Requires a MITM position plus the ability to inject chosen plaintext into the victim's connection (it is not a padding oracle attack; that is POODLE).
CRIME: Compression Ratio Info-leak Made Easy
Exploits TLS compression: the compressed size of a request leaks whether attacker-injected plaintext matches the encrypted secret, which recovers e.g. cookie data one byte at a time.
POODLE: Padding Oracle On Downgraded Legacy Encryption
Padding oracle attack on CBC ciphers in SSLv3, reached by forcing a protocol downgrade from TLS.
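As an added example (not from the talk or its author), the Python below simulates the CRIME compression oracle on a constructed HTTP request: the attacker controls the query string, the victim's cookie is compressed into the same record, and the attacker observes only the compressed length. The cookie value, header layout and character set are all made up for the demo. A real attack measures TLS record sizes from a MITM position; the alignment-pad trick used here (summing lengths over a few 9-bit literals) is one way of removing the ties that byte rounding otherwise causes.

```python
import zlib

# Constructed demo values: a 4-character session token drawn from CHARSET.
CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SECRET = b"7Q4Z"


def build_request(injected: bytes, secret: bytes = SECRET) -> bytes:
    """Victim's HTTP request: an attacker-controlled query string and the
    secret cookie end up in the same compressed TLS record (the CRIME setup)."""
    return (b"GET /?q=" + injected + b" HTTP/1.1\r\n"
            b"Host: bank.example\r\n"
            b"Cookie: session=" + secret + b"\r\n")


def oracle(injected: bytes) -> int:
    """All a network attacker gets to see: the length of the compressed record."""
    return len(zlib.compress(build_request(injected), 9))


# Bytes >= 0x90 cost 9 bits each as static-Huffman literals, so appending k of
# them shifts the bit alignment of the output; summing over k removes the ties
# that byte rounding can cause between a correct and an incorrect guess.
PADS = [bytes(range(0x90, 0x90 + k)) for k in range(8)]


def score(candidate: bytes) -> int:
    """Lower is better: a guess that extends the LZ77 match against the cookie
    saves one literal, so the compressed record shrinks."""
    return sum(oracle(candidate + pad) for pad in PADS)


def recover_secret(prefix: bytes, length: int) -> bytes:
    """Recover `length` bytes of the value that follows `prefix` elsewhere in
    the request, one byte at a time, using only compressed lengths."""
    known = b""
    for _ in range(length):
        best = min(CHARSET, key=lambda c: score(prefix + known + c.encode()))
        known += best.encode()
    return known


if __name__ == "__main__":
    print(recover_secret(b"session=", len(SECRET)))
```

The defence is the one the industry settled on: disable TLS-level compression (and be careful with HTTP-level compression of responses that mix secrets with attacker-controlled data, which is BREACH, the same idea one layer up).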
What's an attack surface?
Potential areas for compromise
Application
Database
Network
Hardware
Software
Employees
Other
What's an attack surface? Application
Engine / interpreter, e.g. Java, PHP, etc. (e.g. PHP CVE-2011-4885, hash-collision DoS)
Framework, or more likely a plugin for it
Developer errors: SQLi, XSS, CSRF etc ...
HTTP service: Apache, Nginx, lighttpd, etc.
Sysadmin errors, e.g. misconfiguration of SSL ciphers / certs
What's an attack surface? Database
Weak passwords
Overpermissive grants
Overly broad host specifications, e.g. 'user'@'%'
Vulnerabilities in the service (usually denoted by CVEs, e.g. MySQL CVE-2012-2122 auth bypass)
Poor isolation (network, users etc)
Malicious plugins, e.g. UDFs
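As an added example (not from the talk), the Python below audits lines in the format MySQL's SHOW GRANTS prints for the problems listed above: wildcard hosts, ALL PRIVILEGES on *.*, anonymous accounts, WITH GRANT OPTION, and the FILE / SUPER class of privileges that let an account reach the filesystem or load UDFs. The grant lines are constructed for the demo; in practice you feed it the real SHOW GRANTS output for every account in mysql.user.

```python
import re

# Shape of one SHOW GRANTS line; any IDENTIFIED BY / WITH ... tail lands in `rest`.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$"
)

# Privileges that are effectively server takeover: FILE reads/writes the
# filesystem (secure_file_priv permitting, and it is how UDFs get dropped in),
# SUPER/PROCESS/SHUTDOWN reach into other sessions or the server itself.
DANGEROUS_PRIVS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN"}


def audit_grant(line: str) -> list:
    """Return the findings for one SHOW GRANTS line (empty if it looks sane)."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return ["unparsed grant: %r" % line]
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    user, host, scope = m["user"], m["host"], m["scope"]
    rest = m["rest"].upper()
    findings = []
    if user == "":
        findings.append("anonymous account")
    if host == "%":
        findings.append("reachable from any host ('%')")
    elif "%" in host or "_" in host:
        # MySQL host patterns use LIKE semantics: % and _ are both wildcards.
        findings.append("wildcard host pattern %r" % host)
    if "ALL PRIVILEGES" in privs and scope == "*.*":
        findings.append("ALL PRIVILEGES on *.* (superuser)")
    elif scope == "*.*" and privs != {"USAGE"}:
        findings.append("global scope for %s" % sorted(privs))
    hit = privs & DANGEROUS_PRIVS
    if hit:
        findings.append("dangerous privileges %s" % sorted(hit))
    if "WITH GRANT OPTION" in rest:
        findings.append("can grant its privileges to others")
    return findings


# Constructed sample in the layout SHOW GRANTS uses (not taken from a real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_rw'@'10.0.1.%'",
    "GRANT FILE ON *.* TO 'report'@'%'",
    "GRANT USAGE ON *.* TO ''@'localhost'",
    "GRANT SELECT ON shop.orders TO 'ro'@'10.0.1.5'",
]


def audit_all(lines):
    """Map each grant line to its findings."""
    return {line: audit_grant(line) for line in lines}


if __name__ == "__main__":
    for line, findings in audit_all(SAMPLE_GRANTS).items():
        print(line)
        for f in findings:
            print("   !", f)
```

Only the last grant (one table, one privilege, one host) comes out clean; the first is the classic "application user that is really root from anywhere" that turns any SQL injection into a full server compromise.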
What's an attack surface? Network
Overly open ACLs
Little or no isolation
Little or no monitoring
Little or no packet inspection
An open playground
Embedded OS vulnerabilities in network hardware
Other entry points: it's not limited to Ethernet / 2.4 and 5 GHz WiFi (see the NSA ANT catalogue)
What's an attack surface? Hardware
Lack of control over use
Malicious USB / Firewire / etc.: COTTONMOUTH-I
Irongeek's Plug and Prey
USB Rubber Ducky
USB LAN Turtle
Thunderstrike 2
Embedded firmware vulnerabilities
Freebie / Gift / Other
Lack of physical access controls, e.g. the Barclays £1.3M theft (a KVM device fitted to a branch PC)
Lack of $vendor updates (e.g. Android)
Rowhammer
Lack of physical controls:
- installation of a tap / other device
What's an attack surface? Lock all the things!
Combination T.S.A locks: easily picked
Traditional pin-tumbler locks: picking / bump keys
Biometrics: see Mythbusters (fingerprint readers)
Key pads: check for wear / dirt marks / vendor default codes
Key switches (e.g. in lifts): as per above
Room card keys: magstripe read and write
RFID: tag contents are easily read and replayed
What's an attack surface? And then there's I.o.T
TV
Cameras
Light bulbs
Fridges
Home automation
Locks
Printers (cloud print)
Etc
S.C.A.D.A (Supervisory Control And Data Acquisition): let's put a hydroelectric dam control system on the internet!
What's an attack surface? But wait, there's more!
Your cars: a 2014 Jeep Cherokee (Chrysler) hacked via its internet connection
Medical devices: Hospira drug pump
Wireless insulin pump
RF Enabled pacemakers
https://www.iamthecavalry.org/
What's an attack surface? Software
Modified binaries
Install for FREE STUFF!
Unaudited source code (cough, cough: TrueCrypt, OpenSSL ...)
Poor isolation (no M.A.C, only D.A.C)
Process injection, buffer overflows etc
Unpatched software
Legacy software, e.g. Adobe Flash
What's an attack surface? Employees
I put all my details on this pastebin, can you take a look?
Sure you can use my phone / workstation!
So all I have to do is click this link?
Oh you're from HR? Sure I can install that!
A magic trick? YAY!
FREE STUFF?!
What's an attack surface? Employees
Phishing / spear phishing
Social engineering
D.L.P bypass is no longer just crafted devices: making commodity USB "evil" (BadUSB)
DerbyCon presentation by Adam Caudill and Brandon Wilson
Implied trust: uniform / badge != proof
What's an attack surface? Other
Side channel attacks: cache timing
Co-residency (side channel against a neighbour in the cloud)
Unintentional emissions: Melissa Elliott's "Noise Floor" talk; S.D.R (Software Defined Radio) picks up the monitor / display, RAM, F.S.B, etc.
Weaponized lunches?! P.I.T.A: Portable Instrument for Trace Acquisition (key extraction from a laptop's electromagnetic emissions)
F.U.D!
Well hold on
D.A.C, M.A.C, I.P.S, I.D.S WTF?
Discretionary Access Control
POSIX permissions: file mode, UID, GID
Software runs with the same permissions as its user and group, e.g. your browser could read ~/.ssh/id_rsa in this model
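As an added example (not from the talk), the Python below spells out the POSIX DAC decision the slide relies on and then checks it against the real kernel: a process is classed as owner, group or other, only that one class's bits are consulted, and nothing in the decision identifies which program is asking. The uids, the 0600 "key" file and the browser scenario are constructed for the demo.

```python
import os
import tempfile

R, W, X = 4, 2, 1  # permission bits, as in chmod


def dac_allows(mode: int, file_uid: int, file_gid: int,
               proc_uid: int, proc_gids, want: int) -> bool:
    """POSIX discretionary access check. Only the first matching class
    (owner, then group, then other) is consulted, and uid 0 bypasses
    the check entirely (CAP_DAC_OVERRIDE on Linux)."""
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in proc_gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def browser_can_read_key(key_mode=0o600, key_uid=1000, browser_uid=1000) -> bool:
    """The slide's point: a browser running as the key's owner passes DAC for
    ~/.ssh/id_rsa although it has no business reading it. DAC has no notion
    of *which program* asks; that is what a MAC policy (SELinux, AppArmor) adds."""
    return dac_allows(key_mode, key_uid, key_uid, browser_uid, [browser_uid], R)


def live_check() -> bool:
    """Same thing against the real kernel: create a 0600 'private key' and
    read it back from this process, which runs as the uid that owns it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_rsa")
        with open(path, "w") as f:
            # Constructed placeholder content, not a real key.
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(not a real key)\n")
        os.chmod(path, 0o600)
        with open(path) as f:  # succeeds: same uid, owner bits say rw-
            return f.read().startswith("-----BEGIN")


if __name__ == "__main__":
    print("browser (uid 1000) may read uid 1000's id_rsa:", browser_can_read_key())
    print("another user (uid 1001) may read it:",
          dac_allows(0o600, 1000, 1000, 1001, [1001], R))
    print("live kernel check:", live_check())
```

Note the last assertion in the test: a file with mode 0007 is unreadable by its own owner even though "other" is wide open, because the owner class is consulted first and never falls through. That is the same single-class rule that lets a compromised browser read the key.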
D.A.C, M.A.C, I.P.S, I.D.S WTF?
Mandatory Access Control
SELinux: a process running with context x (e.g. MySQL)
is allowed access to resource y (listen on *:3306)
and denied access to resource z (connect to *:80)
AppArmor
Gazzang (has some M.A.C)
Heartbleed/Shellshock/#bandwagon
Media
Need to drive views / purchases, aka revenue
F.U.D slinging is an effective method for this ("everything is a virus"), e.g. The Register's "Critical SSL vulnerability out tomorrow": no detail
No sources
PURE F.U.D
Heartbleed/Shellshock/#bandwagon
But naming vulnerabilities has its place
C.R.I.M.E / CVE-2012-4929
B.E.A.S.T / CVE-2011-3389
Heartbleed CVE-2014-0160
Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
P.O.O.D.L.E CVE-2014-3566
Heartbleed/Shellshock/#bandwagon
Even if it can go a bit far ...
Heartbleed/Shellshock/#bandwagon
There is hope behind the hype: Elastica Inc @ Vimeo
Heartbleed instructional video
Shellshock instructional video
Poodle instructional video
Detection or prevention? Why not both?
Block known bad: by writing your own rules
and regularly syncing with the Emerging Threats rules
Allow known good: IPS / WAF blocking your app? Write an exception, carefully! Be selective, e.g. don't: if /cart(.*) then skip
Log everything else, and check the logs!
Detection or prevention? Why not both?
Generate alerts, e.g. logstash can send alerts to Nagios
Y.M.M.V: you will know your application's behaviour
Consider what's out of context, e.g. a 10x increase in additions to the shopping cart for invalid items (could be someone attempting SQLi)
A 10x increase in requests could be a DoS
Detection or prevention
Detection: alert on set conditions (SQLi, fuzzing, out-of-context requests)
Write rules / exceptions to reduce noise; be specific in said rules!
Prevention: block and alert; reduce noise through blacklists.
{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
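As an added example (not from the talk), the Python below runs the triage the last few slides describe over Suricata eve.json output: keep only alert records, drop known-good traffic through exceptions that are keyed on rule, source and port rather than a blanket "skip this rule", then flag any source producing ten times the normal per-source alert rate. The sample log is constructed around the alert line shown above; the 9000001/9000002 signature ids and their names are placeholders in the local-rule range, not real Emerging Threats rules, and the other addresses are documentation ranges.

```python
import json
from collections import Counter

# The alert line shown on the slide (dest_ip masked as on the slide).
SLIDE_LINE = (
    '{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert",'
    '"src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known '
    'Compromised or Hostile Host Traffic group 2","category":"Misc Attack",'
    '"severity":2}}'
)


def make_alert(ts, src, dst, dport, sid, sig, cat, sev):
    """Build one constructed eve.json alert record in Suricata's layout."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": 40000,
        "dest_ip": dst, "dest_port": dport, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": cat, "severity": sev}})


# Constructed sample log: 203.0.113.9 hammers the cart with SQLi-looking
# requests, 198.51.100.7 trips the same rule once, 192.0.2.50 is an internal
# scanner we know about. One non-alert (flow) record is mixed in on purpose.
SQLI_SIG = "LOCAL WEB SQLi pattern in cart item parameter"
SAMPLE = [SLIDE_LINE,
          json.dumps({"timestamp": "2014-05-15T07:30:43.000000", "event_type": "flow",
                      "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "dest_port": 80})]
SAMPLE += [make_alert("2014-05-15T07:31:%02d.000000" % i, "203.0.113.9", "192.0.2.10",
                      80, 9000001, SQLI_SIG, "Web Application Attack", 1)
           for i in range(12)]
SAMPLE += [make_alert("2014-05-15T07:31:30.000000", "198.51.100.7", "192.0.2.10",
                      80, 9000001, SQLI_SIG, "Web Application Attack", 1)]
SAMPLE += [make_alert("2014-05-15T07:32:%02d.000000" % i, "192.0.2.50", "192.0.2.10",
                      80, 9000002, "LOCAL POLICY internal scanner user-agent",
                      "Attempted Information Leak", 3)
           for i in range(3)]

# Exceptions are keyed on (signature_id, src_ip, dest_port): the scanner's noise
# is dropped only for that rule, from that host, to that port. A blanket
# "skip sid 9000002" would also hide an outsider who spoofs the scanner's UA.
EXCEPTIONS = {(9000002, "192.0.2.50", 80)}


def parse_alerts(lines):
    """Keep only event_type == alert; eve.json also carries flow/http/dns records."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            out.append(rec)
    return out


def is_excepted(alert, exceptions):
    """Match on the full (rule, source, destination port) tuple, nothing looser."""
    key = (alert["alert"]["signature_id"], alert["src_ip"], alert["dest_port"])
    return key in exceptions


def triage(lines, exceptions, baseline_per_src=1, factor=10):
    """Apply exceptions, count alerts per source and per signature, and flag
    sources at or above `factor` times the normal per-source rate for the
    window (the slide's '10x' heuristic)."""
    kept = [a for a in parse_alerts(lines) if not is_excepted(a, exceptions)]
    per_src = Counter(a["src_ip"] for a in kept)
    per_sig = Counter(a["alert"]["signature"] for a in kept)
    bursts = {src for src, n in per_src.items() if n >= factor * baseline_per_src}
    return {"kept": len(kept), "per_src": per_src, "per_sig": per_sig, "bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE, EXCEPTIONS)
    print("alerts after exceptions:", result["kept"])
    for sig, n in result["per_sig"].most_common():
        print("%4d  %s" % (n, sig))
    for src in sorted(result["bursts"]):
        print("BURST", src, result["per_src"][src], "alerts: page someone")
```

The single SQLi hit from 198.51.100.7 stays in the log (it may be a false positive, it may be reconnaissance) but does not page anyone; the burst from 203.0.113.9 does. That split is what keeps the on-call from learning to ignore the feed.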
Detection or prevention
Reduce NOISE! Avoiding the boy who cried wolf
A.k.a. staff becoming desensitised to the slew of alerts: "oh, that's normal, just ignore it"
Familiarity breeds contempt
Why not just buy $product? It's still an option, but be 100% sure you know what you're buying. Paying over the odds for a rebranded Nessus is never good.
Ongoing rule updates, custom rule support, $vendor support to tune the appliance to your needs.
Emerging tech to keep an eye on
fidoalliance.org
U2F (Universal 2nd Factor)
UAF (Universal Authentication Framework)
Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, PayPal, Qualcomm, RSA, Samsung, Visa; the list of members is extensive
TL;DR: improve security by implementing a common two-factor auth standard, and commoditise it to improve adoption.
Emerging tech to keep an eye on
Keybase.io
Node.js client
Socialises GPG: "tracking" signs a snapshot of another user's key and identity profile ("on this date I verified this is Joe Bloggs's GPG key, Twitter account, etc.")
TL;DR: a wrapper and service to help spread the use of GPG
https://keybase.io/oneiroi/
Emerging tech to keep an eye on
Suricata
IDS / IPS
libjansson-based eve.json output, compatible with the E.L.K stack (see blog post)
Multi-threaded: claims 10 Gbit support with no ruleset sacrifice
Protocol identification
File identification, extraction
Maintained by the Open Information Security Foundation (OISF)
Emerging tech to keep an eye on
E.L.K (Elasticsearch, Logstash, Kibana)
Easily store, index and visualise data, e.g. Suricata data
Emerging tech to keep an eye on
Docker
No longer uses LXC by default; uses its own libcontainer
Vagrant / git-esque CLI
Raw hardware access (not paravirtualised)
Has suffered container breakouts: gaining root on the host system
The REST API is very open: access to it is effectively root on the host
Docker Security page
Dan Walsh SELinux and Docker
Docker Swarm on ARM
Emerging tech to keep an eye on
Haka
Software-defined security
$developer-centric security
Lua DSL
Another tool in the $devops chain
E.L.K support
Why not iptables / Netfilter / other? Why not both?
Eases developer adoption
Emerging tech to keep an eye on
vaultproject.io
AES-GCM 256-bit, nonce per object
Audit backends
HA capable
Potential for credential auto rotation
Emerging tech to keep an eye on
USB Armory
Freescale i.MX53 ARM Cortex-A8 @ 800 MHz
512MB DDR3