DevOpsTO meetup 2018-08
Kevin Nisbet
Gravitational
Access to distributed systems
LET’S SOLVE A PROBLEM
• Scenario
• Production…
• Elastic Infrastructure
• Separate Networks
• The database is slow…
WHAT JUST HAPPENED…
source: https://www.gagcartoons.com/cartoons/87/
TSH LOGIN
• Generates new cryptographic keys
• Connects to CA via Proxy
• Signs a certificate granting access to the cluster
SHORT LIVED CERTIFICATES
https://ssh-certificate-parser.gravitational.com
Certificate Type: ssh-rsa-cert-v01@openssh.com
Public Key: SHA256:DtwegGhmM6twU5IJYTj+Wc/zY7b1koIUC5B61qTpxyI
Signing CA: SHA256:WCifMyKoyD5+5MLZFBYJMBmS/d4LeBK3iSLWwU36PTA
Key ID: demo
Principals: root,knisbet
Valid After: effective immediatelly
Valid Before: Jul 30 16:48:16 UTC
Critical Options: none
Extensions:
permit-agent-forwarding
permit-port-forwarding
permit-pty
teleport-roles: {"version":"v1","roles":["admin"]}
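The two slides above describe the mechanics without showing them: tsh login generates a fresh key pair, the CA (reached through the proxy) signs a certificate that binds that key to principals and roles, and the certificate carries its own expiry. The Go program below is an added example, not Teleport's code or the parser behind ssh-certificate-parser.gravitational.com: it implements the OpenSSH ed25519 user-certificate wire format from PROTOCOL.certkeys with the standard library only, so one side can issue a certificate shaped like the one on the slide (Key ID demo, principals root and knisbet, the listed extensions, a 12-hour window) and the other side can verify the CA signature, reject it outside its validity window or for an unlisted principal, and read the teleport-roles extension. The names SignUserCert, ParseAndVerify, Authorize, DemoNow and DemoExtensions, the fixed clock, and the sample roles JSON are assumptions made for this example; a real deployment uses Teleport's own CA and the x/crypto/ssh package rather than a hand-rolled encoder.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire format per OpenSSH PROTOCOL.certkeys; only the ed25519 user-certificate flavour is handled here.
const CertType = "ssh-ed25519-cert-v01@openssh.com"

// The slide's extensions as flat name,value pairs; the teleport-roles JSON is a constructed sample.
var DemoExtensions = []string{"permit-agent-forwarding", "", "permit-port-forwarding", "", "permit-pty", "",
	"teleport-roles", `{"version":"v1","roles":["admin"]}`}
var DemoNow = time.Date(2018, time.July, 30, 4, 48, 16, 0, time.UTC) // fixed clock for a reproducible run; a real CA uses time.Now()

func putStr(b *bytes.Buffer, s []byte) { binary.Write(b, binary.BigEndian, uint32(len(s))); b.Write(s) } // SSH "string"
func putU64(b *bytes.Buffer, v uint64) { binary.Write(b, binary.BigEndian, v) }

// packList encodes a sequence of SSH strings (principals, extension name/value pairs, key and signature blobs).
func packList(items ...string) []byte {
	var b bytes.Buffer
	for _, s := range items { putStr(&b, []byte(s)) }
	return b.Bytes()
}

// SignUserCert is the CA step of "tsh login": it binds the user's fresh public key to the principals
// and extensions for a window of ttl starting at now, then signs the whole structure.
func SignUserCert(caPriv ed25519.PrivateKey, userPub ed25519.PublicKey, keyID string,
	principals, exts []string, now time.Time, ttl time.Duration) []byte {
	var b bytes.Buffer
	nonce := make([]byte, 32)
	rand.Read(nonce) // random nonce, so two certificates for the same key never sign identical bytes
	putStr(&b, []byte(CertType))
	putStr(&b, nonce)
	putStr(&b, []byte(userPub))
	putU64(&b, 1)                                 // serial
	binary.Write(&b, binary.BigEndian, uint32(1)) // type: 1 = user certificate, 2 = host
	putStr(&b, []byte(keyID))
	putStr(&b, packList(principals...))
	putU64(&b, uint64(now.Unix()))          // valid after
	putU64(&b, uint64(now.Add(ttl).Unix())) // valid before: the short lifetime lives here
	putStr(&b, nil)                         // critical options: none
	putStr(&b, packList(exts...))
	putStr(&b, nil) // reserved
	putStr(&b, packList("ssh-ed25519", string(caPriv.Public().(ed25519.PublicKey)))) // signature key
	sig := ed25519.Sign(caPriv, b.Bytes()) // the signature covers every field written so far
	putStr(&b, packList("ssh-ed25519", string(sig)))
	return b.Bytes()
}

// reader consumes the wire format; a short read poisons it so callers check the error once at the end.
type reader struct{ data []byte; err error }

func (r *reader) take(n int) []byte {
	if r.err == nil && (n < 0 || len(r.data) < n) { r.err = errors.New("truncated certificate") }
	if r.err != nil { return nil }
	v := r.data[:n]; r.data = r.data[n:]; return v
}
func (r *reader) num(n int) (v uint64) { for _, c := range r.take(n) { v = v<<8 | uint64(c) }; return v }
func (r *reader) str() []byte { return r.take(int(r.num(4))) }
func (r *reader) list(b []byte) (out []string) { // a packed sequence of SSH strings
	s := reader{data: b}
	for len(s.data) > 0 && s.err == nil { out = append(out, string(s.str())) }
	if s.err != nil { r.err = s.err }
	return out
}

type Cert struct{ KeyID string; Principals []string; ValidAfter, ValidBefore time.Time; Extensions map[string]string }

// ParseAndVerify is the node side: accept the blob only if it is a user certificate carrying a valid
// signature from trustedCA. Unknown critical options are rejected, as OpenSSH does.
func ParseAndVerify(blob []byte, trustedCA ed25519.PublicKey) (*Cert, error) {
	r := &reader{data: blob}
	if string(r.str()) != CertType { return nil, errors.New("not an " + CertType) }
	r.str(); r.str(); r.num(8) // nonce, user public key, serial
	if r.num(4) != 1 { return nil, errors.New("not a user certificate") }
	c := &Cert{KeyID: string(r.str()), Extensions: map[string]string{}}
	c.Principals = r.list(r.str())
	c.ValidAfter = time.Unix(int64(r.num(8)), 0).UTC()
	c.ValidBefore = time.Unix(int64(r.num(8)), 0).UTC()
	if len(r.str()) > 0 { return nil, errors.New("unsupported critical option") }
	exts := r.list(r.str())
	r.str() // reserved
	ca := r.list(r.str())
	tbs := blob[:len(blob)-len(r.data)] // what was signed: everything before the signature field
	sig := r.list(r.str())
	if r.err != nil { return nil, r.err }
	for i := 0; i+1 < len(exts); i += 2 { c.Extensions[exts[i]] = exts[i+1] }
	if len(ca) != 2 || ca[0] != "ssh-ed25519" || !bytes.Equal([]byte(ca[1]), trustedCA) {
		return nil, errors.New("not signed by the trusted CA")
	}
	if len(sig) != 2 || sig[0] != "ssh-ed25519" || !ed25519.Verify(trustedCA, tbs, []byte(sig[1])) {
		return nil, errors.New("bad signature")
	}
	return c, nil
}

// Authorize is the per-connection check: inside the validity window and login is a listed principal.
func Authorize(c *Cert, login string, now time.Time) error {
	if now.Before(c.ValidAfter) || !now.Before(c.ValidBefore) {
		return fmt.Errorf("certificate %q not valid at %s (window %s to %s)", c.KeyID, now.Format(time.RFC3339), c.ValidAfter.Format(time.RFC3339), c.ValidBefore.Format(time.RFC3339))
	}
	for _, p := range c.Principals { if p == login { return nil } }
	return fmt.Errorf("certificate %q does not list principal %q", c.KeyID, login)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	userPub, _, _ := ed25519.GenerateKey(nil) // the fresh key pair tsh login generates
	blob := SignUserCert(caPriv, userPub, "demo", []string{"root", "knisbet"}, DemoExtensions, DemoNow, 12*time.Hour)
	cert, err := ParseAndVerify(blob, caPub)
	if err != nil { panic(err) }
	fmt.Println(cert.Principals, cert.ValidBefore, cert.Extensions["teleport-roles"])
	fmt.Println("now:", Authorize(cert, "knisbet", DemoNow), "| 13h later:", Authorize(cert, "knisbet", DemoNow.Add(13*time.Hour)))
}
```

The point the slides make is visible in the last line of main: the same certificate that authorizes knisbet at DemoNow is refused 13 hours later, with no revocation list involved, because the node only trusts the CA and the window the CA signed. Anything an attacker changes after issuance (principals, roles, valid-before) breaks the signature over tbs, and a certificate from a different CA is refused before the signature is even checked.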
WHY CERTIFICATES?
• Ever?
• Lost a backup?
• Run untrusted Software?
• Rotated keys?
• Sent the private key instead of the public?
source: https://www.gagcartoons.com/cartoons/305/
• FreeBSD packaging servers hacked
• http://www.infosecisland.com/blogview/22766-FreeBSD-Servers-Hacked-Lessons-on-SSH-Public-Key-Authentication.html
• Malware & Hackers collect ssh keys
• https://www.ssh.com/malware/
• Active attacks using stolen SSH keys (2008)
• https://isc.sans.edu/forums/diary/Active+attacks+using+stolen+SSH+keys+UPDATED/4937/
• New Attacker Scanning for SSH Private Keys on Websites
• https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/
• CIA malware can steal SSH Credentials
• https://www.bleepingcomputer.com/news/security/cia-malware-can-steal-ssh-credentials-session-traffic/
• Large Database of Device Certificates, SSH keys published
• https://www.pindrop.com/blog/large-database-of-device-certificates-ssh-keys-published/
• Learning from the Expedia Heist
• https://medium.com/starting-up-security/learning-from-the-expedia-heist-6cf8a0069ce0
• New ‘MASK’ APT Campaign called most sophisticated yet
• https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148/
• Multi-billion dollar defence firm fails to protect private SSH keys
• https://www.appviewx.com/multi-billion-dollar-defense-firm-fails-protect-private-ssh-keys/
• The default OpenSSH key encryption is worse than plaintext
• https://latacora.singles/2018/08/03/the-default-openssh.html
TSH LS
• List all the servers in your infrastructure
• New servers join the cluster, old ones leave
• Labels
• Automatically update as infra changes
TSH SSH
• SSH to the Node
• Or the Label(s)
• Automatic Bastions
• Auditable
• and SCP
SESSION RECORDING
• Record what happens in production
• Proxy
• Endpoint
ARCHITECTURE
KUBERNETES INTEGRATION
• Short lived certificates
• Multi-factor authentication
• Audit all k8s actions
• Session recording
• Currently Alpha
QUESTIONS
More Information
https://gravitational.com/teleport
https://github.com/gravitational/teleport
We’re Hiring
https://github.com/gravitational/careers
jobs@gravitational.com
