Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Maciej Lasyk OWASP Poland, 2013-10-17
Recruitment process @OWASP? ● Because this system is web application (partially) ● Because we based (100%) on FOSS (ope...
Recruitment ● Lot of recruitment agencies / services ● Huge number of potential candidates ● Whole team is involved i...
SysAdmin / Operations ● He is sysop, developer, QA and network specialist ● Also great for performance tuning ● Respo...
Let’s play then ● Any idea? Not Quake / Diablo / Warcraft ;) ● pythonchallenge.com, wechall.net – CTFs are great! ● t...
Let's start the ball rolling Application Stage 1 – simple task Problem: huge candidates number (>100) Target: reject not...
Stage 1 – telnet / SMTP RFC-821/1869: HELO/EHLO ??.....?? GPG us ur CV using http://..../gpg.asc Lack of GPG knowledge ...
Stage 1 – telnet / SMTP RFC-821/1869: HELO/EHLO my.hostname 1 trap – not server’s hostname but client’s (90% catched) G...
Stage 1 – node.js ● At the beginning – pure C server. After 3am.. Node.js (simplicity) ;) ● What’s wrong with node.js? ...
Node.js – how it works? - Event driven - Event loop - Callbacks - SPA, async, REST, Json http://magnetik.github.io/
Node.js - threats ............................................________ ....................................,.-'".............
Node.js – evil eval()
Node.js – evil eval() This way we added new functionality to the server during runtime! http://node.js/myurl
Node.js - npm https://blog.nodejitsu.com/npm-innovation-through-modularity Amount of npm modules in the time Amount of n...
Node.js – how can? ● Use frameworks: https://npmjs.org/ - carefully ● Npm modules are not validated! Check those: ● W...
Node.js – SELinux sandbox 'home_dir' and 'tmp_dir' ● ● App can r/w from std(in|out) + only defined FDs ● No network a...
Node.js – SELinux sandbox
Node.js – how can #2 ● Freeze node.js version per project? ● Let’s read & learn: ● https://media.blackhat.com/bh-us-11...
Stage 2 – social engineering ● Stage’s target is to verify & check candidate’s security awareness ● Christopher Hadnagy...
Stage 3 - virtualization ● Our needs? ● Boot process supervision ● Console access ● Resource management ● Redundan...
Stage 3 - virtualization boot console resources mgmt. redundant storage rescue VM security
Stage 3 - virtualization VS Performance XEN/HVM or KVM?
Stage 3 - virtualization VS Performance XEN/HVM or KVM? We had great performance issues with XEN/HVM The winner is „hat i...
Stage 3 – network security https://en.wikipedia.org DMZ (Demilitarized Zone) – logical or physical partition
Stage 3 – network security https://en.wikipedia.org DMZ (Demilitarized Zone) – logical or physical partition
Stage 3 – network security ● Separated, dedicated DMZ (VLAN?) for host ● No routing / communication from this DMZ with ...
Stage 3 – network security ● Network isolation on KVM host: ● Host/network bridge: L2 switch ● netfilter / nwfilter (I...
Stage 3 –boot process, VNC ● Accessing boot process – VNC ● VNC security? SSL? Complications.. ● Maybe VNC over SSH t...
Stage 3 – restricted shells ● SSH tunneling requires SSH access (thank You Captain Obvious!) ● SSH access is a threat p...
Stage 3 – restricted shells ● Restricted shells are threat by default – unless we know how to use those! ● Under some c...
Stage 3 – restricted shells ● Rbash: ● CentOSie / RHEL approved / friendly / legit ;) ● Protects from directory traver...
Stage 3 – SSH tunnel / VNC ● We must go deeper! VM host VM-Proxy rshell / ibsh rshell / rbash Candidate VNC server scre...
Stage 3 – restricted shells ● Other restricted shells: ● rssh – allows scp, sftp, rsync ● sudosh - http://sourceforge....
Stage 3 – control groups ● resource management in a simple way (ulimits, nice, limits.conf).. but.. ● Could you set 50 ...
Stage 3 – control groups https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Mana...
Stage 3 – web application ● OpenStack? „Couple” of compliations ;) “Out of the box” – yup – I’ve heard about that ;) Cou...
Stage 3 – web application Commodore OS ???
Stage 3 – web application Commodore OS Vision FTW!
Stage 3 – web application ● Apache + mod_security ● mod_security + OWASP rules ● PHP & Python :) ● Simplicity! ● ...
Stage 3 – recording SSH sessions ● We have to record all sessions – also those under „screen” ● Real time recording ● ...
Stage 3 – data security ● What if we loose any of the VMs...? Brrr.... ● Risk assesement – what would be enough for us?...
Podsumowanie
Maciej Lasyk http://maciek.lasyk.info maciek@lasyk.info Twitter: @docent_net OWASP Poland, 2013-10-17
Upcoming SlideShare
Loading in …5
×

Shall we play a game?

442,072 views

Published on

How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.

This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)

Published in: Technology
no profile picture user
  • HELLO I AM JECCY. I AM SEXY LADY. CAN YOU WILL BE IF YOU WANT, SO COME TO HERE IN MY SIDE. CLICK HERE........... www.jobsish.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hello Am Paul from the united state i am a medical Doctor and am always busy,But my love Kate could not cope and she decided to ask for a divorce i really loved and cherish Kate and was ready to do anything to make her happy when Kate told me that she need a divorce i was thinking may be she was joking then i got a mail from my lawyer saying that Kate has other for a divorce and we need to be in court Next Monday i was like no this will never happen i got home did not meet Kate at home she has packed all her belonging,i was so frustrated and down could not even concentrate on my work.As i was going through a magazine looking through the Picture at the back of it saw a testimony and the Heading was I WANT TO THANK Dr. OCUSODO FOR MAKING MY LOVER CANCEL THE DIVORCE.i sat upright and read the testimony and saw how Dr. OCUSODO helped a lady in bring back her relationship without wasting much of time i instantly contacted Dr. OCUSODO and shared my problem with him but he told me not to worry that he assures me that my love would cancel the divorce within 48hours really my lover did so.As i got home so Kate with all her belongings outside pleading that i should forgive her which i did am so happy now the Divorce has been cancelled and Kate is back home and she loves me more than anything in this world,All thanks to Dr. OCUSODO you don’t need to cry anymore Dr. OCUSODO has been sent by God to clean out tears you can contact Dr. OCUSODO for help now : drocusodospellcaster@gmail.com or drocusodospellcaster@yahoo.com whats-app Or call number::: +2349067457724
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • My name is Jenny Floreess, I never thought I will smile again, My husband left me with two kids for one year, All effort to bring him back failed I thought I'm not going to see him again not until I met a lady called Jesse who told me about a spell caster called Dr. ocusodo, She gave me his email address and mobile number and I contacted him and he assured me that within 48hours my husband will come back to me, In less than 48hours my husband came back started begging for forgiveness saying it is the devils work, so I'm still surprise till now about this miracle,i couldn't conceive but as soon as the spell was cast,i became pregnant and gave birth to my third child,if you need any assistance from him you can contact him via:email: drocusodospellcaster@gmail.com or drocusodospellcaster@yahoo.com WhatsApp or call him now: +2349067457724
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Save Your Relationship and Get Your Ex Boyfriend/Girlfriend Back!contact: Unityspelltemple@gmail.com is certainly the best spell caster online and his result is 100% guarantee. My Name Olivia Stephen form Tx,USA. After 12years of marriage, me and my husband has been into one quarrel or the other until he finally left me and moved to California to be with another woman. I felt my life was over and my kids thought they would never see their father again. i tried to be strong just for the kids but i could not control the pains that torments my heart, my heart was filled with sorrows and pains because i was really in love with my husband. Every day and night i think of him and always wish he would come back to me, I was really upset and i needed help, so i searched for help online and I came across a website that suggested that Dr Unity can help get ex back fast. So, I felt I should give him a try. I contacted him and he told me what to do and i did it then he did a Love spell for me. 28 hours later, my husband really called me and told me that he miss me and the kids so much, So Amazing!! So that was how he came back that same day,with lots of love and joy,and he apologized for his mistake,and for the pain he caused me and the kids. Then from that day,our Marriage was now stronger than how it were before, All thanks to Dr Unity. he is so powerful and i decided to share my story on the internet that Dr.Unity real and powerful spell caster who i will always pray to live long to help his children in the time of trouble, if you are here and you need Love-spell to Win your Man Back from Another Woman or Win your Boyfriend/girlfriend back forever. Do not cry anymore, contact this powerful spell caster now. Here’s his contact Call/WhatsApp: +2348071622464 , Email: Unityspelltemple@gmail.com , blogsite:https://unityspelltmple.blogspot.com . Website:https://unityspelltempleblog.wordpress.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Does the thought of being your own boss weigh on your mind often. Many of us want to be more challenged in life and to set our expectations higher than our peers. Why let the mediocrity of your peers at work distract you from having everything you deserve in life? Reach out for more and be all you can be. My goal is to develop as many leaders as I can. I want to invest my time in them and help them grow into great leaders. The reason is simple: When there are more leaders, my business grows and prospers with their business. You may not show great potential or leadership skills now, but if you are coachable and willing to challenge yourself, I can make you a great leader. I have a passion for watching and helping people to go beyond their expectations and dreams. I make investing my time in building leaders a priority and I will take intentional steps to help you grow. Are you that person that wants to own your own business and to consistently reap the the rewards of your efforts. I want to spend my time investing in you and making you a great leader that can build others too. PM me or email me for more details. Website: https://www.advocare.com/18079765/ Email: dondoolin.advocare@gmail.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
Show More
Show More

Shall we play a game?

  1. 1. Maciej Lasyk OWASP Poland, 2013-10-17
  2. 2. Recruitment process @OWASP? ● Because this system is web application (partially) ● Because we based (100%) on FOSS (open-source) ● Because security matters ● Because OWASP people cares about security and can affect recruitment processes (hopefully) ;)
  3. 3. Recruitment ● Lot of recruitment agencies / services ● Huge number of potential candidates ● Whole team is involved in recruitment ● Candidate evaluation takes really lot of time
  4. 4. SysAdmin / Operations ● He is sysop, developer, QA and network specialist ● Also great for performance tuning ● Responsible for critical data (all data) ● Easy handles moving UPSes between racks ;) ● Anytime day / night understands what you’re talking to him ● Everything he does respects high security standards ● Loves playing games (do you know sysop that doesn’t play)? ;)
  5. 5. Let’s play then ● Any idea? Not Quake / Diablo / Warcraft ;) ● pythonchallenge.com, wechall.net – CTFs are great! ● trueability.com – event for sysops ● So maybe CTF / challenge? ● Such system would have to fulfill some requirements: ● Optimization of recruitment process time ● Minimisation of the risk of rejecting good candidate ● Draw attention as very interesting (you like mindfscks?)
  6. 6. Let's start the ball rolling Application Stage 1 – simple task Problem: huge candidates number (>100) Target: reject not suitable cands (>80% rejections!) Stage 2 – call/social.eng. Target: recognition, manipulation Stage 3 – challenge Global Thermonuclear War ;)
  7. 7. Stage 1 – telnet / SMTP RFC-821/1869: HELO/EHLO ??.....?? GPG us ur CV using http://..../gpg.asc Lack of GPG knowledge :( RTFM!
  8. 8. Stage 1 – telnet / SMTP RFC-821/1869: HELO/EHLO my.hostname 1 trap – not server’s hostname but client’s (90% catched) GPG us ur CV using http://..../gpg.asc Lack of GPG knowledge :( RTFM!
  9. 9. Stage 1 – node.js ● At the beginning – pure C server. After 3am.. Node.js (simplicity) ;) ● What’s wrong with node.js? ● ● http://osvdb.org/ - 2 hits ● http://1337day.com/, http://www.exploit-db.com/ - 1 hit ● ● http://seclists.org/bugtraq/ - 0 hits https://nodesecurity.io/advisories - 4 hits Does it mean that node.js is safe & secure?
  10. 10. Node.js – how it works? - Event driven - Event loop - Callbacks - SPA, async, REST, Json http://magnetik.github.io/
  11. 11. Node.js - threats ............................................________ ....................................,.-'"...................``~., .............................,.-"..................................."-., .........................,/...............................................":, .....................,?......................................................, .................../...........................................................,} ................./......................................................,:`^`..} .............../...................................................,:"........./ ..............?.....__.........................................:`.........../ ............./__.(....."~-,_..............................,:`........../ .........../(_...."~,_........"~,_....................,:`........_/ ..........{.._$;_......"=,_......."-,_.......,.-~-,},.~";/....} ...........((.....*~_......."=-._......";,,./`..../"............../ ...,,,___.`~,......"~.,....................`.....}............../ ............(....`=-,,.......`........................(......;_,,-" ............/.`~,......`-...................................../ .............`~.*-,.....................................|,./.....,__ ,,_..........}.>-._...................................|..............`=~-, .....`=~-,__......`,................................. ...................`=~-,,.,............................... ................................`:,,...........................`..............__ .....................................`=-,...................,%`>--==`` ........................................_..........._,-%.......` ● no logging ● No error handling - DoS ● No configuration – “+” or “-”? ● No filters checking user-input ● JS: function as a variable ● Evil eval(code). Server-side XSS ● setInterval(code,2), setTimeout(code,2), str = new Function(code) ● Moduły npm – who creates those?
  12. 12. Node.js – evil eval()
  13. 13. Node.js – evil eval() This way we added new functionality to the server during runtime! http://node.js/myurl
  14. 14. Node.js - npm https://blog.nodejitsu.com/npm-innovation-through-modularity Amount of npm modules in the time Amount of npm-mods/day comparison to node.js and others
  15. 15. Node.js – how can? ● Use frameworks: https://npmjs.org/ - carefully ● Npm modules are not validated! Check those: ● Watch module dependencies! ● must have: your own error handling & logging ● This is server – we need proper server security solutions: ● Monitoring – think how to monitor your app ● Control-groups – set limits for resources ● SELinux sandbox https://nodesecurity.io
  16. 16. Node.js – SELinux sandbox 'home_dir' and 'tmp_dir' ● ● App can r/w from std(in|out) + only defined FDs ● No network access ● No access to foreign processes / files ● We can easily connect sandbox with cgroups :) ● Helpful: semodule -DB (no dontaudit) ● grep XXX /var/log/audit/audit.log | audit2allow -M node.sandbox ● semodule -i node.sandbox.pp
  17. 17. Node.js – SELinux sandbox
  18. 18. Node.js – how can #2 ● Freeze node.js version per project? ● Let’s read & learn: ● https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf ● http://lab.cs.ttu.ee/dl91 ● https://github.com/toolness/security-adventure ● Pseudo–configuration – set limits in your code (e.g. POST size) ● try...catch ftw ● use strict; - helps even with eval case (partially) ● Bunyan / dtrace: https://npmjs.org/package/bunyan ● node.js OS? Oh and use / build node.js packages (fpm or whatever)
  19. 19. Stage 2 – social engineering ● Stage’s target is to verify & check candidate’s security awareness ● Christopher Hadnagy – SE framework (2k10): ● http://www.social-engineer.org/framework/Social_Engineering_Framework ● Everyone can act as recruiter and call anyone ● Building network / connections on Linkedin is very easy ● Trust (lingo, easiness in some env: research) ● Sysop knows really much about env – he’s good target ● So one has to only get sysop’s trust and decrease his carefulness
  20. 20. Stage 3 - virtualization ● Our needs? ● Boot process supervision ● Console access ● Resource management ● Redundant storage ● Rescue mode for VMs ● Security by default > AWS > KVM/libvirt > XEN/libvirt > LXC
  21. 21. Stage 3 - virtualization boot console resources mgmt. redundant storage rescue VM security
  22. 22. Stage 3 - virtualization VS Performance XEN/HVM or KVM?
  23. 23. Stage 3 - virtualization VS Performance XEN/HVM or KVM? We had great performance issues with XEN/HVM The winner is „hat in the red” and its PV (but with the cgroups help – under heavy load KVM is not that stable)
  24. 24. Stage 3 – network security https://en.wikipedia.org DMZ (Demilitarized Zone) – logical or physical partition
  25. 25. Stage 3 – network security https://en.wikipedia.org DMZ (Demilitarized Zone) – logical or physical partition
  26. 26. Stage 3 – network security ● Separated, dedicated DMZ (VLAN?) for host ● No routing / communication from this DMZ with other segments ● Low – cost solutions? ● OpenWRT / DDWRT way || Pure Linux server ● 802.1Q – VLANs
  27. 27. Stage 3 – network security ● Network isolation on KVM host: ● Host/network bridge: L2 switch ● netfilter / nwfilter (IBM) ● By default there’s no packets isolation in the bridged network - ebtables null, no filtering ● ebtables – filtering l2– so we gain isolation ● Or virsh nwfilter-list ● allow-arp,dhcp,dhcp-server,clean-traffic, noarp-ip-spoofing, no-arp-mac-spoofing, noarp-spoofing, no-ip-multicast, no-ip-spoofing, no-mac-broadcast, no-mac-spoofing, no- other-l2-traffic ● L2 filtering? /proc/sys/net/bridge https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html http://pic.dhe.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatsecurity_pdf.pdf
  28. 28. Stage 3 –boot process, VNC ● Accessing boot process – VNC ● VNC security? SSL? Complications.. ● Maybe VNC over SSH tunnel? ● Encryption ● No certificates issues ● Every admin can easily use VNC
  29. 29. Stage 3 – restricted shells ● SSH tunneling requires SSH access (thank You Captain Obvious!) ● SSH access is a threat per se ● Let’s limit this SSH / shell access – use restricted shells Restricted shells by. Google ;) =>
  30. 30. Stage 3 – restricted shells ● Restricted shells are threat by default – unless we know how to use those! ● Under some circumstances one could escape the rshell: https://en.wikipedia.org/wiki/Rbash
  31. 31. Stage 3 – restricted shells ● Rbash: ● CentOSie / RHEL approved / friendly / legit ;) ● Protects from directory traversal ● Prohibits access to files via direct path ● Prohibits setting PATH or other shell env variables ● No commands output redirection ● PATH=$HOME/bin – and reconsider 2x what to put into this „bin” https://en.wikipedia.org/wiki/Rbash
  32. 32. Stage 3 – SSH tunnel / VNC ● We must go deeper! VM host VM-Proxy rshell / ibsh rshell / rbash Candidate VNC server screen / ssh tunnel
  33. 33. Stage 3 – restricted shells ● Other restricted shells: ● rssh – allows scp, sftp, rsync ● sudosh - http://sourceforge.net/projects/sudosh ● ● One can define allowed operations for user ● ● Allows saving whole user session and replay it Little outdated – better use sudosh3 Ibsh (small, fast, secure): http://sourceforge.net/projects/ibsh/
  34. 34. Stage 3 – control groups ● resource management in a simple way (ulimits, nice, limits.conf).. but.. ● Could you set 50 IOPS for defined process? ● What about 100Kbp/s limit for particular user? ● issues with memory–leaks in Java?
  35. 35. Stage 3 – control groups https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html ● ● ● Debian & RHEL friendly Running apps in cgroup context Setting cgroup context for process during runtime
  36. 36. Stage 3 – web application ● OpenStack? „Couple” of compliations ;) “Out of the box” – yup – I’ve heard about that ;) Could you deploy it in a few hours – securely?
  37. 37. Stage 3 – web application Commodore OS ???
  38. 38. Stage 3 – web application Commodore OS Vision FTW!
  39. 39. Stage 3 – web application ● Apache + mod_security ● mod_security + OWASP rules ● PHP & Python :) ● Simplicity! ● VM management with simple daemon + screen: ● ● while(1) do: manage_VMs(); And this just works!
  40. 40. Stage 3 – recording SSH sessions ● We have to record all sessions – also those under „screen” ● Real time recording ● sudosh3 (sudosh fork) – kinda proxy shell – great ;) ● auditd – lov-lewel tool for recording syscalls ● Asciinema (ascii.io, Marcin Kulik) – great one, but not for audit purposes ● Ttyrec – outdated: http://0xcc.net/ttyrec/index.html.en ● Ssh logging patch - outdated: http://www.kdvelectronics.eu/ssh-logging/ssh-logging.html
  41. 41. Stage 3 – data security ● What if we loose any of the VMs...? Brrr.... ● Risk assesement – what would be enough for us? ● RAID1 / Mirror – “usually” is enough for a 3 – month time ● Backups – useful ;) RAID / replication are not backups... ● GlusterFS / DRBD – if you have enough resources – try it :) KVM active host KVM passive host LVM LVM replication Gluster brick Gluster brick
  42. 42. Podsumowanie
  43. 43. Maciej Lasyk http://maciek.lasyk.info maciek@lasyk.info Twitter: @docent_net OWASP Poland, 2013-10-17

×