Security isn’t deploying some overbearing big brother of a hardware or software solution; it’s not running scanning software which tells you you’re safe; because in reality in these type of setups you’re not. Security is akin to high availability you deploying multiple redundancies to ensure you can still operate, the same can and should be applied to security; identify the potential areas of attack, reduces this attack surface and deploy multiple redundancies to secure your deployments. In this session we'll wade through F.U.D Discuss what an attack surface is, including some not so well known examples of exploitation of said surface, demo of malicious HID devices and lock picking; discuss IoT (internet of things) and how commodity internet connected devices are racing ahead of any measures of security Discretionary vs Mandatory access controls, IPS vs IDS. Cover the recent trend in vulnerability naming, and some of the more ridiculous examples. Discuss attack detection and prevention, question why there's still a view that there needs to be a separation of the two. Cover some emerging technologies of note to aid in hardening infrastructure. The focus here is to promote an attitude change to thinking about points of vulnerability, and promote better security as a whole

1. Security
It's more than just your database you should
worry about
David Busby
Information Security Architect
2015-08-05

2. Sample Text Page
• David Busby
–Percona since January 2013
–R.D.B.A
–EMEA && Security Lead
–I.S.A (current)
–15 years sysadmin / dev
–Ju-Jitsu instructor for N.F.P club.
–Volunteer assist teaching computing at Secondary
school
2

3. Agenda
• Got F.U.D?
• What is an attack surface?
• D.A.C, M.A.C, I.P.S, I.D.S, WTF?
• Heartbleed / Shellshock / #gate / #bandwagon
• Detection or prevention: the boy who cried
wolf
• Emerging tech to keep an eye on.
• 2014 → 2015 … it's been “interesting”
3

4. Here be dragons ...
• Previous talks focused on a select set of
identification and prevention
●
This talk is different …
●
Focus is on a mindset change for pure
identification of potential attack vectors.
Aswell as clarification of some points along
the way
●
There's F.U.D by the ton; and we each get a
shovel.
4

5. Got F.U.D?
• Fear Uncertainty Doubt
• C.R.I.M.E (CVE-2012-4929)
• B.E.A.S.T (CVE-2011-3389)
• Heartbleed (CVE-2014-0160)
• Shellshock CVE-2014-6271, 6277, 6278, 7169,
7186, 7187
• P.O.O.D.L.E (CVE-2014-3566)
5

6. What's an “attack surface”?
• Potential areas for compromise
– Application
– Database
– Network
– Hardware
– Software
– Employees
– Other
6

7. What's an “attack surface”?
• Application
– Engine / Interpreter, e.g. Java, PHP, etc.
●
e.g. PHP CVE-2011-4885 (hash collide)
– Framework
●
Or most likely a plugin
– Developer errors, SQLi, XSS, CSRF etc ...
– HTTP Service Apache, Nginx, Lighthttpd, etc.
– Sysadmin errors e.g. missconfiguration of SSL
cipers / certs
7

8. What's an “attack surface”?
• Database
– Weak passwords
– Overpermissive grants
– Overly broad host spefications e.g. @%
●
Vulnerabilities in service (often denoted by CVE's
e.g. MySQL CVE-2012-2122)
– Poor isolation (Network, users etc)
– Malicious plugins e.g. UDF's
8

9. What's an “attack surface”?
• Network
– Overly open ACL
– Little or no isolation
– Little or no monitoring
– Little or no packet inspection
– “An open playground”
– Hardware embedded OS vulnerabilities
– Other entry points
●
It's not limited to Ethernet / 2.4 && 5 GHz WiFi
(look at the NSA ANT catalogue)
9

10. What's an “attack surface”?
• Hardware
– Lack of control of use
– Malicious USB / Firewire / etc
●
COTTONMOUTH-I
●
Iron Geek's plug & prey
●
USB Rubber Ducky
●
USB LAN Turtle
●
Thunderstrike 2
– Embedded firmware vulnerabilites
– “Freebie” / “Gift” / “Other”
– Lack of physical access controls
●
e.g. Barclays £1.3M Theft
– Lack of $vendor updates (e.g. Android)
– ROWHAMMER
10

11. What's an “attack surface”?
• Lock all the things!
– Combination T.S.A locks
●
Easily picked
– Traditional tumbler locks
●
Picking / bump keys
– Biometrics
●
Mythbusters
• Key pads
– Check for wear / dirt marks / vendor codes
• Key switches (e.g. in lifts)
– As per above
• Room card keys
– Magstripe read and write
• RFID
– Easily read tags content and replay
11

12. What's an “attack surface”?
• And then there's … I.o.T
– T.V
– Cameras
– Light bulbs
– Fridges
– Home automation
– Locks
– Printer
●
Cloud print …
– Etc
– Supervisory Control And Data Acquisition
●
Let's put a hydro electric dam controll system on the internet!
12

13. What's an “attack surface”?
13

14. What's an “attack surface”?
• But wait … there's more!
• Your cars
–Hacking 2014 Jeep Cherokee & Chrysler via internet conn
• Medical devices
– Hospira drug pump
– Wireless insulin pump
– RF Enabled pacemakers
• https://www.iamthecavalry.org/
14

15. What's an “attack surface”?
• Software
– Modified binaries
– “Install for FREE STUFF!”
– Unaudited source code … cough cough
●
Truecrypt, openssl ...
– Poor isolation (no M.A.C, only D.A.C)
– Process injection, buffer overflows etc …
– Unpatched software
– Legacy software
●
e.g. Adobe Flash
15

16. What's an “attack surface”?
• Employees
– “I put all my details on this pastebin, can you take a
look?”
– “Sure you can use my phone / workstation!”
– “So all I have to do is click this link?”
– “Oh you're from HR? Sure I can install that!”
– “A magic trick? YEY!”
– “FREE STUFF?!”
16

17. What's an “attack surface”?
• Employees
– Phishing / Spear Phishing
– Social engineering
– D.L.P bypass is no longer just crafted devices
●
Making comodity USB "evil"
●
Derbycon presentation
●
Adam Caudil && Brandon Wilson
– Implied trust
●
Uniform / Badge != Proof
17

18. What's an “attack surface”?
18

19. What's an “attack surface”?
• Other
– Side channel attacks
●
Cache timing
●
Co-residency (side channel against “cloud”)
– Unintentional “emissions”
●
Melissa Elliot “Noise Floor”
●
S.D.R (Software Defined Radio)
●
Monitor / Display, RAM, F.S.B, etc …
19

20. “Weaponized” lunches?!
• Portable Instrument for Trace Acquisition
20

21. F.U.D!
21

22. Well … hold on
22

23. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
• Discretionary Access Control
– POSIX permissions
●
File mode
●
UID
●
GID
●
Software runs with same permissions as user
and group
●
e.g. your brower could read ~/.ssh/id_rsa in
this model
23

24. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
• Mandatory Access Control
– SELinux
●
Process running with context x
●
e.g. MySQL
●
Access to resource y
●
listen *:3306
●
Denied access to resource z
●
Connect *:80
– App armor
– Gazzang (Has some M.A.C)
24

25. Heartbleed/Shellshock/#bandwagon
• “Media”
– Need to drive views / purchases aka revenue
– F.U.D “slinging” is an effective method for this.
(Everything is a Virus)
●
e.g. The Registers “Critical SSL vulnerability out
tomorrow”
●
No detail
●
No sources
●
PURE F.U.D
25

26. Heartbleed/Shellshock/#bandwagon
• But naming vulnerabilites has its place
●
C.R.I.M.E / CVE-2012-4929
●
B.E.A.S.T / CVE-2011-3389
●
Heartbleed CVE-2014-0160
●
Shellshock CVE-2014-6271, 6277, 6278,
7169, 7186, 7187
●
P.O.O.D.L.E CVE-2014-3566
26

27. Heartbleed/Shellshock/#bandwagon
• Even if it can go a bit far ...
27

28. Heartbleed/Shellshock/#bandwagon
• There is hope behind the hype.
●
Elastica Inc @ Vimeo
●
Heartbleed instructional video
●
Shellshock instructional video
●
Poodle instructional video
28

29. Detection or prevention
• Why not both?
– Block known “bad”
●
By writing your own rules
●
Reguarly syncing with emerging rules
– Allow known “good”
●
IPS / WAF blocking your app? Write an exeception,
carefully!
●
Be selective!
●
e.g. don't: if /cart(.*) then skip
– Log everything else
●
And check the logs!
29

30. Detection or prevention
• Why not both?
– Generate alerts
●
e.g. logstash can send alerts to nagios
– Y.M.W.V
●
You will know your applications behaviour
●
Consider what's “out of context”
●
e.g. 10x increase in additions to shopping cart for
invalid items (could be someoneattempting SQLi)
●
10x increase in requests, could be a DoS
30

31. Detection or prevention
• Detection
●
Alert on set conditions
●
SQLi, Fuzzing, out of context requests.
●
Write Rules / exceptions to reduce “noise”
●
Be specific in said rules!
• Prevention
●
Block and alert
●
Reduce “noise” through blacklists.
●
{"timestamp":"2014-05-
15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX
","dest_port":22,"proto":"TCP","alert":
{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known
Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
31

32. Detection or prevention
• Reduce NOISE!
– Avoiding the “boy who cried wolf”
– Aka staff becoming desensitized to the slew of alerts that “oh
that's normal, just ignore”
– “Familiarity breeds comtempt”
• Why not just buy $product?
– It's still an option but be 100% sure you know what you're buying.
●
Paying over the odds for rebranded nessus is never good.
●
Ongoing rule updates, custom rule support, $vendor support to
“tune” the appliance to your needs.
32

33. Emerging tech to keep an eye on
• Fidoalliance.org
– U2F (Universal two factor)
– UAF (Universal authentication framework)
– Google, yubico, ARM, bank of america, Lenovo,
Mastercard, Discover, Microsoft, Paypal, Qualcomm,
RSA, Samsung, Visa …
●
The list of members is extensive
– TL;DR improve security by implementing a common
two factor auth standard; and comoditizing it to
improve addoption.
33

34. Emerging tech to keep an eye on
• Keybase.io
– Nodejs
– “socializes” GPG
●
Tracking → sign a “snapshot” of their key and
identity profile
●
“On this date I <name> verify this is Joe Blogs's
gpg key, twitter account … etc”
– TL;DR wrapper and service to help spread the use of
GPG
– https://keybase.io/oneiroi/
34

35. Emerging tech to keep an eye on
• Suricata
– IDS / IPS
– Libjannson → eve.json
●
Compatible with E.L.K stack: blog post
– Multi threaded
●
Claims 10Gbit support with no ruleset sacrifice
●
Protocol identification
●
File identification, extraction
– Open Information Security Foundation
35

36. Emerging tech to keep an eye on
• E.L.K (Elastic search, Logstash, Kibana)
– Easily store, index and visualize data
●
e.g. suricata data
36

37. Emerging tech to keep an eye on
• Docker
– No longer using LXC by default
●
Uses their own libcontainer
– Vagrant / git esq cli
– Raw hardware access
●
Not paravirtual
– Suffers from “container breakout”
●
Gains root on host system
– REST API is very open
– Docker Security page
– Dan Walsh SELinux and Docker
– Docker SWARM On ARM
37

38. Emerging tech to keep an eye on
• Haka
– “Software defined security”
– $developer sentric security
– LUA DSL
– Another tool in the $devops chain
– E.L.K support
• Why not IPTables / Netfilter / other
– Why not both?
– Eases developers adoption
38

39. Emerging tech to keep an eye on
• Vaultproject.io
– AES GCM 256bit
●
nonce per object
– Audit backends
– HA Capable
– Potential for credential auto rotation
39

40. Emerging tech to keep an eye on
• USB Armory
– Freescale i.MX53 ARM® Cortex™-A8 800Mhz
– 512MB DDR3
– <500 mA USB powered
– ARM® TrustZone®
●
Secure boot, storage, memory
40

41. 2014 … it's been interesting
• 2014
– Heartbleed, shellshock, poodle
– F.U.D
●
Gmail “leak” (wasn't gmail, just happened to have
gmail addresses)
●
Dropbox “leak” (wasn't dropbox, just happened that
users were using same credentials)
– Home Depot
– Target (Fall 2013, still “in the news”)
41

42. 2015 … it's been interesting
• 2015
– Hackingteam breach
– Many flash vulnerabilties
– BIND9 DoS CVE-2015-5477
– YubiKey NEO key extraction
– OpenSSL
●
FREAK
●
LOG JAM
– GHOST (CVE-2015-0235)
– ICANN Root DNS compromise
42

43. 2014 → 2015 … it's been interesting
• 2014 → 2015
– PLEASE!
●
No more “head in the sand”
●
No more “features before security”
– The cost of compromise is proven
– Increasing Ubiquity of I.o.T
●
without proper security measures is not maintainable
– It is beyond time to ensure security is in the product,
not as an afterthought.
43

44. 2014 → 2015 … it's been interesting
• 2014 → 2015
– You are not alone!
– https://www.iamthecavalry.org/
– http://www.openinfosecfoundation.org/
– https://www.reddit.com/r/netsec
– http://seclists.org/fulldisclosure/
– https://bugcrowd.com
– https://44con.com/
– http://dc4420.org/
– Deploy your own “Responsible disclosure program”, and
if you can Bug Bounty
44

45. The End …
• Questions? (And Thank you for attending!)
45