security its-more-than-just-your-database-you-should-worry-about


Upload: david-busby-cissp

Post on 15-Apr-2017


Security: It's more than just your database you should worry about

David Busby, Information Security Architect

2015-08-05

David Busby

Percona since January 2013

R.D.B.A

EMEA && Security Lead

I.S.A (current)

15 years sysadmin / dev

Ju-Jitsu instructor for N.F.P club.

Volunteer assist teaching computing at Secondary school

Agenda

Got F.U.D?

What is an attack surface?

D.A.C, M.A.C, I.P.S, I.D.S, WTF?

Heartbleed / Shellshock / #gate / #bandwagon

Detection or prevention: the boy who cried wolf

Emerging tech to keep an eye on.

2014 2015 it's been interesting

Here be dragons ...

Previous talks focused on a select set of identification and prevention. This talk is different.

Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way.

There's F.U.D by the ton; and we each get a shovel.

Got F.U.D?

Fear Uncertainty Doubt

C.R.I.M.E (CVE-2012-4929)

B.E.A.S.T (CVE-2011-3389)

Heartbleed (CVE-2014-0160)

Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187

P.O.O.D.L.E (CVE-2014-3566)

BEAST: Browser Exploit Against SSL/TLS

Targets CBC ciphers; padding oracle attack to obtain plaintext; requires MITM with strict control over the connection

CRIME: Compression Ratio Info-leak Made Easy

Exploited compression optimization to reveal encrypted plaintext such as cookie data.

POODLE: Padding Oracle On Downgraded Legacy Encryption

Padding oracle attack on CBC SSLv3 ciphers.

What's an attack surface? Potential areas for compromise

Application

Database

Network

Hardware

Software

Employees

Other

What's an attack surface? Application

Engine / Interpreter, e.g. Java, PHP, etc. (e.g. PHP CVE-2011-4885, hash collision)

Framework, or most likely a plugin

Developer errors: SQLi, XSS, CSRF etc ...

HTTP service: Apache, Nginx, Lighttpd, etc.

Sysadmin errors, e.g. misconfiguration of SSL ciphers / certs

What's an attack surface? Database

Weak passwords

Overpermissive grants

Overly broad host specifications, e.g. @%

Vulnerabilities in the service (often denoted by CVEs, e.g. MySQL CVE-2012-2122)

Poor isolation (network, users etc)

Malicious plugins, e.g. UDFs

What's an attack surface? Network

Overly open ACL

Little or no isolation

Little or no monitoring

Little or no packet inspection

An open playground

Hardware embedded OS vulnerabilities

Other entry points: it's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

What's an attack surface? Hardware

Lack of control of use

Malicious USB / Firewire / etc: COTTONMOUTH-I

Iron Geek's plug & prey

USB Rubber Ducky

USB LAN Turtle

Thunderstrike 2

Embedded firmware vulnerabilities

Freebie / Gift / Other

Lack of physical access controls, e.g. Barclays 1.3M theft

Lack of $vendor updates (e.g. Android)

ROWHAMMER

Lack of physical controls:

- installation of tap / other device

What's an attack surface? Lock all the things!

Combination T.S.A locks: easily picked

Traditional tumbler locks: picking / bump keys

Biometrics: Mythbusters

Key pads Check for wear / dirt marks / vendor codes

Key switches (e.g. in lifts) As per above

Room card keys Magstripe read and write

RFID: easily read tag contents and replay


What's an attack surface? And then there's I.o.T

T.V

Cameras

Light bulbs

Fridges

Home automation

Locks

Printer: Cloud print

Etc

Supervisory Control And Data Acquisition: let's put a hydro electric dam control system on the internet!


What's an attack surface? But wait there's more!

Your cars: hacking 2014 Jeep Cherokee & Chrysler via internet connection

Medical devices: Hospira drug pump

Wireless insulin pump

RF Enabled pacemakers

https://www.iamthecavalry.org/


What's an attack surface? Software

Modified binaries

Install for FREE STUFF!

Unaudited source code (cough cough: Truecrypt, openssl ...)

Poor isolation (no M.A.C, only D.A.C)

Process injection, buffer overflows etc

Unpatched software

Legacy software, e.g. Adobe Flash


What's an attack surface? Employees

I put all my details on this pastebin, can you take a look?

Sure you can use my phone / workstation!

So all I have to do is click this link?

Oh you're from HR? Sure I can install that!

A magic trick? YEY!

FREE STUFF?!


What's an attack surface? Employees

Phishing / Spear Phishing

Social engineering

D.L.P bypass is no longer just crafted devices: making commodity USB "evil"

Derbycon presentation: Adam Caudill && Brandon Wilson

Implied trust: Uniform / Badge != Proof


What's an attack surface? Other

Side channel attacks: cache timing

Co-residency (side channel against cloud)

Unintentional emissions: Melissa Elliott, Noise Floor; S.D.R (Software Defined Radio); Monitor / Display, RAM, F.S.B, etc

Weaponized lunches?! Portable Instrument for Trace Acquisition

F.U.D!


Well hold on


D.A.C, M.A.C, I.P.S, I.D.S WTF? Discretionary Access Control

POSIX permissions: File mode

UID

GID

Software runs with the same permissions as the user and group, e.g. your browser could read ~/.ssh/id_rsa in this model

D.A.C, M.A.C, I.P.S, I.D.S WTF? Mandatory Access Control

SELinux: process running with context x, e.g. MySQL

Access to resource y: listen *:3306

Denied access to resource z: connect *:80

AppArmor

Gazzang (Has some M.A.C)
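The two slides above in working code, as an added example that is not from the talk: a toy reference monitor in which POSIX mode bits (DAC) and an SELinux-style type-enforcement policy (MAC) are both consulted. It reproduces the browser-reads-id_rsa case and the mysqld bind-3306-but-not-connect-80 case; all uids, domain and type labels are constructed.

```python
from collections import namedtuple

# Process carries uid/gid (what DAC sees) and an SELinux-style domain (what MAC sees).
Process = namedtuple("Process", "uid gid context")
# File carries POSIX owner/group/mode bits (DAC) and a type label (MAC). All constructed.
File = namedtuple("File", "owner group mode label")

def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """POSIX DAC: pick the owner/group/other triplet, then test the r/w/x bit.
    Software inherits the caller's uid/gid, so DAC cannot tell a browser from ssh."""
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    if proc.uid == f.owner:
        triplet = (f.mode >> 6) & 0o7
    elif proc.gid == f.group:
        triplet = (f.mode >> 3) & 0o7
    else:
        triplet = f.mode & 0o7
    return bool(triplet & bit)

# Constructed type-enforcement policy keyed on (domain, object, permission);
# as in SELinux, anything not listed is denied.
MAC_POLICY = {
    ("mysqld_t", "tcp_socket:3306", "name_bind"),
    ("mysqld_t", "file:mysqld_db_t", "read"),
    ("browser_t", "file:user_home_t", "read"),
}

def mac_allows(proc: Process, obj: str, perm: str) -> bool:
    """MAC keys on the process domain, not on who launched the process."""
    return (proc.context, obj, perm) in MAC_POLICY

def file_access(proc: Process, f: File, perm: str, mac: bool = True) -> bool:
    """Reference monitor: DAC is checked first; with MAC on, both must allow."""
    if not dac_allows(proc, f, perm):
        return False
    return (not mac) or mac_allows(proc, "file:" + f.label, perm)

def demo() -> dict:
    """The talk's two scenarios, with constructed uids and labels."""
    browser = Process(uid=1000, gid=1000, context="browser_t")
    mysqld = Process(uid=27, gid=27, context="mysqld_t")
    id_rsa = File(owner=1000, group=1000, mode=0o600, label="ssh_home_t")
    return {
        "browser reads id_rsa (DAC only)": file_access(browser, id_rsa, "read", mac=False),
        "browser reads id_rsa (DAC+MAC)": file_access(browser, id_rsa, "read"),
        "mysqld listens *:3306": mac_allows(mysqld, "tcp_socket:3306", "name_bind"),
        "mysqld connects *:80": mac_allows(mysqld, "tcp_socket:80", "name_connect"),
    }
```

With DAC alone the browser, running as the key's owner, is allowed to read the key; adding a MAC domain that has no rule for that file type denies it regardless of the mode bits.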

Heartbleed/Shellshock/#bandwagon: Media

Need to drive views / purchases aka revenue

F.U.D slinging is an effective method for this (everything is a virus), e.g. The Register's "Critical SSL vulnerability out tomorrow"

No detail

No sources

PURE F.U.D

Heartbleed/Shellshock/#bandwagon: But naming vulnerabilities has its place

C.R.I.M.E / CVE-2012-4929

B.E.A.S.T / CVE-2011-3389

Heartbleed CVE-2014-0160

Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187

P.O.O.D.L.E CVE-2014-3566


Heartbleed/Shellshock/#bandwagon: Even if it can go a bit far ...


Heartbleed/Shellshock/#bandwagon: There is hope behind the hype.

Elastica Inc @ Vimeo: Heartbleed instructional video

Shellshock instructional video

Poodle instructional video


Detection or prevention: Why not both?

Block known bad, by writing your own rules

Regularly syncing with emerging rules

Allow known good: IPS / WAF blocking your app? Write an exception, carefully! Be selective! e.g. don't: if /cart(.*) then skip

Log everything else, and check the logs!

Detection or prevention: Why not both?

Generate alerts, e.g. logstash can send alerts to nagios

Y.M.W.V: you will know your application's behaviour

Consider what's out of context, e.g. 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)

10x increase in requests, could be a DoS

Detection or prevention: Detection

Alert on set conditions: SQLi, fuzzing, out of context requests.

Write rules / exceptions to reduce noise. Be specific in said rules!

Prevention: block and alert. Reduce noise through blacklists.

{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}

Detection or prevention: Reduce NOISE! Avoiding the boy who cried wolf

Aka staff becoming desensitized to the slew of alerts: "oh, that's normal, just ignore it"

Familiarity breeds contempt

Why not just buy $product? It's still an option, but be 100% sure you know what you're buying. Paying over the odds for rebranded Nessus is never good.

Ongoing rule updates, custom rule support, $vendor support to tune the appliance to your needs.
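The detection loop the last few slides describe, as an added example that is not from the talk: it parses Suricata eve.json alert lines in the shape of the sample above, applies a narrow suppression (one signature for one known host, not a blanket skip), counts what remains per signature, and flags any source whose alert count is 10x its baseline. The sample lines, the 9000001/9000002 signature ids, the hosts and the baselines are constructed; only 2500002 and its signature text come from the slide.

```python
import json
from collections import Counter

# Narrow exceptions keyed on (signature_id, src_ip): silence one noisy rule for
# one known host, never a blanket "if /cart(.*) then skip". Constructed values.
SUPPRESS = {(9000001, "10.0.0.5")}
SPIKE_FACTOR = 10  # the talk's "10x increase" out-of-context heuristic

def parse_eve(text: str) -> list:
    """Parse newline-delimited eve.json; keep alert events and skip unparsable
    lines rather than letting one bad line stop the whole pipeline."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            events.append(ev)
    return events

def triage(events: list, baseline: dict) -> dict:
    """Drop suppressed alerts, count the rest per signature, flag sources at >= 10x baseline."""
    kept = [e for e in events
            if (e["alert"]["signature_id"], e["src_ip"]) not in SUPPRESS]
    per_sig = Counter(e["alert"]["signature"] for e in kept)
    per_src = Counter(e["src_ip"] for e in kept)
    spikes = {ip: n for ip, n in per_src.items()
              if n >= SPIKE_FACTOR * baseline.get(ip, 1)}
    return {"suppressed": len(events) - len(kept),
            "per_signature": dict(per_sig), "spikes": spikes}

def _ev(src: str, sid: int, sig: str, port: int = 22) -> str:  # constructed eve.json alert line
    return json.dumps({"timestamp": "2015-08-05T10:00:00.000000", "event_type": "alert",
                       "src_ip": src, "src_port": 40000, "dest_ip": "192.0.2.10", "dest_port": port,
                       "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": sid,
                                                 "rev": 1, "signature": sig, "severity": 2}})

SAMPLE_EVE = "\n".join(
    [_ev("10.0.0.5", 9000001, "CONSTRUCTED internal scanner"),      # suppressed
     _ev("198.51.100.7", 9000001, "CONSTRUCTED internal scanner"),  # same sid, other host: kept
     _ev("198.51.100.7", 2500002,
         "ET COMPROMISED Known Compromised or Hostile Host Traffic group 2"),
     "not json at all"]
    + [_ev("203.0.113.9", 9000002, "CONSTRUCTED SQLi attempt", 80) for _ in range(12)])
BASELINE = {"203.0.113.9": 1, "198.51.100.7": 5}  # constructed per-source daily averages

def demo() -> dict:
    return triage(parse_eve(SAMPLE_EVE), BASELINE)
```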

Emerging tech to keep an eye on: Fidoalliance.org

U2F (Universal 2nd Factor)

UAF (Universal Authentication Framework)

Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, PayPal, Qualcomm, RSA, Samsung, Visa. The list of members is extensive.

TL;DR improve security by implementing a common two factor auth standard; and commoditizing it to improve adoption.

Emerging tech to keep an eye on: Keybase.io

Nodejs

Socializes GPG. Tracking: sign a snapshot of their key and identity profile. "On this date I verify this is Joe Bloggs's gpg key, twitter account etc"

TL;DR wrapper and service to help spread the use of GPG

https://keybase.io/oneiroi/

Emerging tech to keep an eye on: Suricata

IDS / IPS

libjansson eve.json: compatible with the E.L.K stack (blog post)

Multi threaded: claims 10Gbit support with no ruleset sacrifice

Protocol identification

File identification, extraction

Open Information Security Foundation

Emerging tech to keep an eye on: E.L.K (Elasticsearch, Logstash, Kibana)

Easily store, index and visualize data, e.g. suricata data

Emerging tech to keep an eye on: Docker

No longer using LXC by default: uses their own libcontainer

Vagrant / git-esque CLI

Raw hardware access, not paravirtual

Suffers from container breakout: gains root on host system

REST API is very open

Docker Security page

Dan Walsh SELinux and Docker

Docker SWARM On ARM

Emerging tech to keep an eye on: Haka

Software defined security

$developer centric security

Lua DSL

Another tool in the $devops chain

E.L.K support

Why not iptables / Netfilter / other? Why not both?

Eases developer adoption

Emerging tech to keep an eye on: Vaultproject.io

AES-GCM 256-bit, nonce per object

Audit backends

HA Capable

Potential for credential auto rotation

Emerging tech to keep an eye on: USB Armory

Freescale i.MX53 ARM Cortex-A8 800MHz

512MB DDR3