Post on 06-Feb-2018
@jschauma Safely Drinking From The Fire Hose
Jan Schaumann Señor Network Security Engineer jschauma@etsy.com B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
@jschauma @jschauma
08/28/12 2
I <3 logs!
web logs, mail logs, system logs, vpn logs
Log Bongzilla, aka Splunk
Is this how Octocat came to be?
Logs go in…
security alerts come out
Splunk Alerts FTW!
YO DAWG, I HERD YOU LIKE LOGS
SO I PUT SOME LOGS IN YOUR LOGS SO YOU CAN SPLUNK WHILE YOU SPLUNK
sudo make me a sandwich
Know your patterns.
VPN Connections
July 4th was a Wednesday
People slacking off early on a Friday, eh?
People making up for last week?
That was unexpected…
XSS detection
Announcement of Bug Bounty program: http://is.gd/UTZ5wD
code push to address reported vulnerabilities
Geolocate all the things!
IP : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net
Geolocation : Even Yehuda, 02, IL
Whois : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND
Requests : 146
Method : GET
URL : /suggest_username.php?first-name=test&last-name= onerror%3Dalert(0)%3E&email=shai%40exploit.co.il
XSS detection
Method : POST
URL : /your/profile
Data : u'fb_avatar_url=&gender=female&city3=&new_city="><img src=x onerror=prompt(1);>&new_region=&new_countrycode=&new_latlon=,&city3_dup="><img src=x' […]
13 minutes after we announced our security bug bounty program: http://is.gd/UTZ5wD
SQLi detection
IP : 216.185.114.219 – unknown
Geolocation : Jurong East, 00, SG
Whois : ThePlanet.com Internet Services, Inc., ARIN, NET216
Requests : 20
Method : GET
URL : /listing/102946830/womens-shirt-beige-tunic-womens-blouse?ref=999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x

Method : GET
URL : /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20 […]
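The XSS and SQLi alerts above are produced by pattern-matching request URLs once they have been URL-decoded. As an added example (mine, not the talk's Splunk searches), here is that detection run over a handful of constructed access-log lines: decode the URL with a bounded loop so double-encoded payloads such as %2527 are seen too, match a small signature set, skip a whitelist of trusted internal scanners, and aggregate hits per source IP in the same shape as the alerts above. The signatures, the log lines and the TRUSTED_SOURCES set are illustrative assumptions, not a production ruleset.

```python
"""Flag XSS / SQLi probes in web access logs and summarise them per source IP.

Added example, not the talk's code. Log lines are constructed (RFC 5737
addresses); the signature set is deliberately small and illustrative."""
import re
from urllib.parse import unquote_plus

# Constructed combined-log-format lines; the probes mimic the ones in the talk.
SAMPLE_LOG = """\
203.0.113.1 - - [28/Aug/2012:10:01:02 +0000] "GET /suggest_username.php?first-name=test&last-name=%3Cimg+src%3Dx+onerror%3Dalert(0)%3E&email=a%40example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.1 - - [28/Aug/2012:10:01:03 +0000] "GET /suggest_username.php?first-name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Aug/2012:10:05:00 +0000] "GET /listing/102946830/womens-shirt?ref=999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 8190 "-" "sqlmap/1.0"
198.51.100.9 - - [28/Aug/2012:10:05:01 +0000] "GET /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20--%20 HTTP/1.1" 200 8190 "-" "sqlmap/1.0"
10.0.0.5 - - [28/Aug/2012:10:06:00 +0000] "GET /listing/1?ref=%2527+union+select+1 HTTP/1.1" 200 100 "-" "internal-scanner"
192.0.2.7 - - [28/Aug/2012:10:07:00 +0000] "GET /search?q=beige+tunic+blouse HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Assumed whitelist: our own scanner, so its probes never page anyone.
TRUSTED_SOURCES = frozenset({"10.0.0.5"})

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

SIGNATURES = {
    "XSS": re.compile(
        r"<\s*(script|img|svg|iframe|body)\b"          # tag injection
        r"|\bon(error|load|mouseover|focus)\s*="       # event-handler attributes
        r"|javascript\s*:", re.I),
    "SQLi": re.compile(
        r"\bunion\b[\s/*]+(all[\s/*]+)?select\b"       # UNION-based extraction
        r"|\bunhex\s*\(\s*hex\s*\("                    # the unhex(hex(version())) trick
        r"|\b(sleep|benchmark)\s*\("                   # time-based probes
        r"|\b(or|and)\s+'?\w+'?\s*=\s*'?\w+"           # tautologies like and 'x'='x
        r"|--\s", re.I),                               # trailing SQL comment
}


def decode_url(raw, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are visible."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(url):
    """Return the set of signature names that match the decoded URL."""
    decoded = decode_url(url)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def scan_log(text, trusted=frozenset()):
    """Aggregate flagged requests per client IP; trusted IPs are skipped."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; in production count these separately
        ip = m["ip"]
        if ip in trusted:
            continue
        cats = classify(m["url"])
        if not cats:
            continue
        rec = hits.setdefault(ip, {"requests": 0, "methods": set(),
                                   "categories": set(), "sample": None})
        rec["requests"] += 1
        rec["methods"].add(m["method"])
        rec["categories"] |= cats
        if rec["sample"] is None:
            rec["sample"] = m["url"]  # keep the first offending URL as evidence
    return hits


def format_alert(ip, rec):
    """Render one alert in the shape of the talk's alerts (geolocation/whois omitted)."""
    return (f"IP : {ip}\nDetection : {'/'.join(sorted(rec['categories']))}\n"
            f"Requests : {rec['requests']}\nMethod : {','.join(sorted(rec['methods']))}\n"
            f"URL : {rec['sample']}")


if __name__ == "__main__":
    for ip, rec in sorted(scan_log(SAMPLE_LOG, TRUSTED_SOURCES).items()):
        print(format_alert(ip, rec), end="\n\n")
```

The per-IP aggregation is what turns a noisy signature into a useful alert: one matching request is a curiosity, 146 from one address is a scan. Geolocation and whois enrichment would be added to the record at the point where the IP is first seen.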
Know when people can’t log in…
High number of failed logins
Admin : <username> (<internal login>, <site login>)
IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net
Geolocation : Brooklyn, NY, US
Whois : ETSY Inc, ARIN, NET64
# of failed logins : 13

Admin : jschauma (jschauma, jschauma)
IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr-avec.ny.cable.rcn.com
Geolocation : New York, United States
Whois : RCN Corporation, ARIN, NET207
# of failed logins : 16
doesn't know what he's doing; do not trust!
Geolocate all the things!
“Unexpected” login detection
Admin : <username> (<internal login>, <site login>)
IP : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl
Geolocation : Rotterdam, 11, NL
Whois : XS4ALL Internet BV, RIPE, DEMON-NL-DSL

Admin : <username> (<internal login>, <site login>)
IP : 217.192.56.102 – unknown
Geolocation : Zurich, 25, CH
Whois : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET

Admin : <username> (<internal login>, <site login>)
IP : 24.231.49.240 - unknown
Geolocation : Nassau, 23, BS
Whois : Cable Bahamas, ARIN, CABLEBAHAMAS-NET

Admin : <username> (<internal login>, <site login>)
IP : 200.49.191.120 - map120.network49.191.tigo.net.gt
Geolocation : Guatemala City, 07, GT
Whois : COMCEL GUATEMALA S.A., LACNIC

I said: “Please insert girder!”
Identify scrapers.
Admin : <username> (<internal login>, <site login>)
IP : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com
Geolocation : Ashburn, VA, US
Whois : Amazon.com, Inc., ARIN, NET50
Provider : Amazon AWS
Count : 7

Admin : <username> (<internal login>, <site login>)
IP : 207.228.237.110 – unknown
Geolocation : New York, NY, US
Whois : HopOne Internet Corporation, ARIN, NET207
Provider : HopOne
Count : 1
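The failed-login, "unexpected" login and scraper alerts above all have the same shape: enrich each admin login with geolocation and whois, compare it against a per-admin profile built from past logins, and whitelist what you already trust so the alert stays quiet. Below is an added Python example of that pipeline (mine, not the talk's Splunk searches). GEO is a constructed stand-in for a real GeoIP and whois lookup, the login events and the office range are made up, and HOSTING_ORGS is an assumed list of providers whose addresses should not be logging in as admins.

```python
"""Admin-login profiling: failed-login bursts, logins from a country the admin
has never used, and logins from hosting providers (scrapers / proxies).

Added example, not the talk's code. GEO is a constructed lookup table that
stands in for GeoIP + whois; all events below are made up (RFC 5737 addresses)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed GeoIP/whois table: ip -> (location, organisation).
GEO = {
    "192.0.2.10":    ("New York, NY, US", "Example Corp office"),
    "192.0.2.11":    ("New York, NY, US", "Example Corp office"),
    "198.51.100.5":  ("Brooklyn, NY, US", "Residential ISP A"),
    "198.51.100.77": ("Rotterdam, 11, NL", "Residential ISP B"),
    "203.0.113.9":   ("Nassau, 23, BS", "Cable ISP C"),
    "203.0.113.50":  ("Ashburn, VA, US", "Amazon.com, Inc."),
}
OFFICE_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed corporate ranges (whitelist)
HOSTING_ORGS = {"Amazon.com, Inc.", "HopOne Internet Corporation"}  # assumed providers to flag

# Constructed events: (admin, ip, outcome). BASELINE is history, TODAY is what we alert on.
BASELINE = [
    ("alice", "192.0.2.10", "ok"), ("alice", "198.51.100.5", "ok"), ("alice", "198.51.100.5", "ok"),
    ("bob", "192.0.2.11", "ok"), ("bob", "198.51.100.5", "ok"),
    ("carol", "198.51.100.5", "ok"),
]
TODAY = [
    ("alice", "198.51.100.77", "ok"),   # alice from NL: never seen before
    ("bob", "203.0.113.9", "ok"),       # bob from BS: never seen before
    ("bob", "203.0.113.50", "ok"),      # bob from EC2: US is in his profile, but it is a hosting provider
    ("alice", "192.0.2.10", "ok"),      # office network, whitelisted
] + [("carol", "198.51.100.5", "fail")] * 16 + [("carol", "198.51.100.5", "ok")]


def lookup(ip):
    return GEO.get(ip, ("unknown", "unknown"))


def country(ip):
    """Country code is the last comma-separated field of the location string."""
    return lookup(ip)[0].rsplit(",", 1)[-1].strip()


def in_office(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETS)


def failed_login_alerts(events, threshold=10):
    """(admin, ip) pairs with at least `threshold` failed logins."""
    counts = Counter((admin, ip) for admin, ip, outcome in events if outcome == "fail")
    return {key: n for key, n in counts.items() if n >= threshold}


def build_profile(events):
    """Per-admin set of countries seen in successful logins (the 'creepy' profile)."""
    profile = defaultdict(set)
    for admin, ip, outcome in events:
        if outcome == "ok":
            profile[admin].add(country(ip))
    return profile


def unexpected_logins(events, profile):
    """Successful logins from a country not in the admin's profile, ignoring office networks."""
    flagged = []
    for admin, ip, outcome in events:
        if outcome != "ok" or in_office(ip):
            continue
        if country(ip) not in profile.get(admin, set()):
            flagged.append((admin, ip, lookup(ip)[0]))
    return flagged


def hosting_logins(events):
    """Successful logins whose whois organisation is a hosting provider."""
    return [(admin, ip, lookup(ip)[1]) for admin, ip, outcome in events
            if outcome == "ok" and lookup(ip)[1] in HOSTING_ORGS]


def format_alert(title, admin, ip, extra=""):
    loc, org = lookup(ip)
    return f"{title}\nAdmin : {admin}\nIP : {ip}\nGeolocation : {loc}\nWhois : {org}{extra}"


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for (admin, ip), n in failed_login_alerts(TODAY).items():
        print(format_alert("High number of failed logins", admin, ip, f"\n# of failed logins : {n}"), "\n")
    for admin, ip, _ in unexpected_logins(TODAY, profile):
        print(format_alert('"Unexpected" login detection', admin, ip), "\n")
    for admin, ip, org in hosting_logins(TODAY):
        print(format_alert("Identify scrapers", admin, ip, f"\nProvider : {org}"), "\n")
```

Note that bob's EC2 login is not "unexpected" by country (he has US logins in his profile) and only surfaces through the hosting-provider check; the two detections cover different cases and both are worth running. An admin with no baseline at all would have every login flagged, which is the right default for a brand-new account but worth a whitelist entry once their pattern is known.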
Re-re-re-re-re-CAPTCHA
source="info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount
Groups failed reCAPTCHA checks by client IP and lists the IPs with more than 50 failures, highest count first.
Of Liars and Outliers (good book, btw)
wtf happened here?
Ooh, right… this: http://is.gd/fognju
http://is.gd/0hRDLY http://is.gd/WxcA0r
This talk was too long!
Log it now, log it all.
Geolocate all the things.
Build profiles. (Creepy, I know.)
Reduce false positives. (Whitelists!)
Have defined reactions to all alerts.
Notice the outliers. Explain them.
That’s all, folks! Thanks!