OpSec101

A Choose Your Own Adventure for Devs, Ops, and other Humans

Given at ConFoo Vancouver 2016.
Write-up will be posted at https://www.netmeister.org/blog/opsec101.html

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
148
On SlideShare
0
From Embeds
0
Number of Embeds
28
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

OpSec101

  1. OPSEC 101 - a Choose Your Own Adventure for Devs, Ops and Other Humans
     Jan Schaumann, @jschauma, ConFoo Vancouver 2016
  2. https://v.gd/ConFooOpSec01
  3. https://v.gd/ConFooOpSec02
  4. https://v.gd/ConFooOpSec03
  5. https://v.gd/ConFooOpSec04
  6. OPSEC (simplified): being aware of what information you make available, and how it may be used against you, eh?
  7. OPSEC (simplified): being aware of what type of information you make available, and how it may be used against you, eh?
  8. Going to ConFoo!
  9. A. Hey, they don't call it a laptop for nothing!
     B. Leave the open laptop outside the bathroom, you're just gone for a minute.
     C. Close the laptop, pack it up or leave it at your desk.
  10. (image-only slide)
  11. https://v.gd/ConFooOpSec05 https://v.gd/ConFooOpSec06
  12. A. Hit ctrl+shift+l to lock your laptop.
      B. Close your laptop, stash it in your lockable desk drawer and swallow the key.
      C. Pfft, who cares? Your laptop is configured to auto-lock after some time.
  13. (image-only slide)
  14. A. Reimage the box because no single system should be irreplaceable.
      B. Make up an excuse to wait until Bob is back from his vacation.
      C. grep the password out of Bob's conveniently readable ~/.bash_history
  15. https://v.gd/ConFooOpSec07
  16. Do clear your shell history once in a while!
      ○ attackers use it as info on how to admin the system
      ○ attackers use it to mine passwords
      ● Session
      ○ history -c                                  # good
      ○ echo /dev/null > ~/.bash_history            # better
      ● Persistent
      ○ echo 'set +o history' >> ~/.bashrc          # good
      ○ ln -sf /dev/null ~/.bash_history            # better
      ○ echo 'set +o history' >> /etc/profile       # best
      https://v.gd/ConFooOpSec08
  17. A. Take off your shoes, raise your arms for the porno cancer scanner and say 'yessir, may I have another'.
      B. Take off your shoes, shut down your phone, and opt for the freedom grope.
      C. Breeze through the pre-approved lane because you gave all your info to the gubment already.
  18. A. Enter 1 2 3 4, the same combination as on your (TSA-approved) luggage lock.
      B. Enter a 32 character complex passphrase, because fingerprint unlocking is unsafe.
      C. Use your security hedgehog.
  19. 10^4 = 10K possibilities
      Time to brute force: <30min
  20. 10^6 = 1M possibilities
      Time to brute force: >2d
  21. 6 alpha-numeric chars
      62^6 = 56,800,235,584 possibilities
      Time to brute force: 196 years
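The keyspace arithmetic behind slides 19 to 21, worked through in an added example that is not part of the deck. It generalizes the three slide cases to any alphabet size and code length and adds the entropy in bits. The guess rate (10 attempts per second) is a constructed assumption and not a figure from the slides, so the durations it prints will not match the slides' own estimates; the keyspace sizes do.

```python
"""Brute-force budget for a device unlock code (added example, not from the deck)."""
import math
import string

# Constructed assumption: guesses the attacker can make per second. A phone that
# throttles wrong PINs sits in the single digits; an offline attack on a leaked
# hash is many orders of magnitude faster, which is why the rate is a parameter.
DEFAULT_GUESS_RATE = 10.0


def keyspace(alphabet_size, length):
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: how many bits a uniformly chosen code is worth."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space, guess_rate=DEFAULT_GUESS_RATE):
    """Worst case: every code is tried. The average case is half of this."""
    return space / guess_rate


def humanize(seconds):
    """Render a duration in the largest unit that still gives a value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# The three policies compared on the slides, plus the alphabet each draws from.
POLICIES = [
    ("4 digits", len(string.digits), 4),
    ("6 digits", len(string.digits), 6),
    ("6 alphanumeric chars", len(string.ascii_letters + string.digits), 6),
]


def compare(guess_rate=DEFAULT_GUESS_RATE):
    """Return (label, keyspace, bits, worst-case time) for each policy."""
    rows = []
    for label, alphabet, length in POLICIES:
        space = keyspace(alphabet, length)
        rows.append((label, space, round(entropy_bits(alphabet, length), 1),
                     humanize(seconds_to_exhaust(space, guess_rate))))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("{:<22} {:>15,} codes  {:>5} bits  {}".format(*row))
```

Changing `DEFAULT_GUESS_RATE` is the whole point of the exercise: the same 6-digit PIN that holds for days against a rate-limited lock screen falls in seconds once the attacker has the hash offline, which is why slide 47 pairs the passcode with whole disk encryption.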
  22. (image-only slide)
  23. https://v.gd/ConFooOpSec09
  24. https://v.gd/ConFooOpSec10
  25. (image-only slide)
  26. (image-only slide)
  27. A. Put on your privacy sweater.
      B. Pretend not to notice that the people next to you are laughing at your slides as you work on them.
      C. Perform AES256-CBC-SHA1 encryption in your head and only enter ciphertext.
  28. https://v.gd/ConFooOpSec11
  29. https://v.gd/ConFooOpSec11
  30. A. Turn off the phone. (Yeah, right.)
      B. Plug your phone into the convenient in-seat USB port to charge.
      C. Practice safe OpSecs by using your USB condom.
  31. https://v.gd/ConFooOpSec12
  32. A. Sweet! You're already connected to the 'linksys' access point! How convenient!
      B. Choose the hotel wifi, then immediately connect to your VPN.
      C. Close your laptop again. There are better things to do than stare at a computer screen. Oh, look, a beer appears in front of you! Life is good.
      https://v.gd/ConFooOpSec13
  33. Better clean up!
      Right on!
  34. A. Leave your laptop in your hotel room; it's turned off, and belongs to the company, so you don't care if somebody steals it.
      B. Lock your laptop in the safe, using the same 4 digit code you use everywhere else.
      C. Carry the laptop with you, because seriously, the hotel probably has a backdoor into the safe anyway.
  35. (image-only slide)
  36. (image-only slide)
  37. https://v.gd/ConFooOpSec14
  38. A. Follow her and her senior engineers on Twitter, LinkedIn, Facebook and share that cool blog post about their great work culture everywhere.
      B. Head to their campus the next day. (They have this cool sculpture in their lobby - pic, tweet, awesome!)
      C. Pull the ssh key of one of their developers out of GitHub, break into their systems and leave a note how to best contact you.
  39. (image-only slide)
  40. Avoid leaking secrets into code repositories.
      ● separate code and config
      ● separate config and secrets
      ● tighten your .gitignore file
      ● use pre-commit hooks
      ● github.com != git.yourcompany.com
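One shape the "use pre-commit hooks" advice on slide 40 can take, as an added example that is neither the deck's code nor any existing project's: a hook that scans only the lines being added in the staged diff and aborts the commit when one looks like a credential. The regex patterns, the `# allow-secret` marker for test fixtures, and the sample diff are all constructed for this example; the AWS key in the sample is the placeholder value from AWS's own documentation, not a live credential.

```python
#!/usr/bin/env python3
"""Pre-commit hook that refuses commits whose added lines look like secrets.

Constructed example. Install into a repository you control with:
    cp hook.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
Run `python3 hook.py --demo` to scan the embedded sample diff instead of git.
"""
import re
import subprocess
import sys

# Constructed patterns for common secret shapes; extend them for your own stack.
SECRET_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password assignment", re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{6,}")),
    ("generic token/secret", re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}")),
]

# Constructed escape hatch so fixtures with fake credentials can still be committed.
ALLOW_MARKER = "# allow-secret"

# Constructed sample of `git diff --cached` output, used by --demo and the tests.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 DEBUG = False
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+TEST_TOKEN = "0123456789abcdef0123"  # allow-secret
 PORT = 8080
"""


def scan_diff(diff_text):
    """Return (file, line_no, label) for every added line matching a secret pattern.

    Only '+' lines are inspected, so lines already in the repository are not
    re-flagged on every commit; line numbers refer to the new version of the file.
    """
    findings = []
    current_file = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first line number in the new file.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith(("---", "diff ", "index ", "\\")):
            continue
        if raw.startswith("-"):
            continue  # removed line: it no longer exists in the new file
        line_no += 1  # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        if ALLOW_MARKER in content:
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(content):
                findings.append((current_file, line_no, label))
                break
    return findings


def main(argv):
    """Exit 1 (git aborts the commit) if any staged added line looks like a secret."""
    if "--demo" in argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, line_no, label in findings:
        print(f"{path}:{line_no}: added line looks like a {label}; move it to a "
              f"secrets store or mark the fixture with {ALLOW_MARKER!r}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Scanning the staged diff rather than the working tree keeps the hook fast and matches what is actually about to be recorded; the hook is a local safety net, not a substitute for keeping secrets out of the repository layout in the first place, which is what the "separate config and secrets" bullet is about.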
  41. A. You never log out. It's weird that their ads now seem to reflect what you do on other websites, but that's probably just a coincidence.
      B. Hit a keyboard shortcut to let your password manager fill in the login.
      C. Accidentally alt-tab and type your password into Slack.
      https://v.gd/ConFooOpSec15
  42. Compartmentalization FTW
      https://v.gd/ConFooOpSec16
  43. Use a Password Manager, eh?
      https://v.gd/ConFooOpSec17
  44. Chat like everybody's logging. (Somebody always is.)
      https://v.gd/ConFooOpSec18
  45. A. That dude's cray-cray. None of this applies to me. Lalalalala.
      B. ERMAHGERD! I R TARGET! *burns laptop, buys new eyeballs*
      C. 1st thing back at work: Compile New Hire OpSec kit.
  46. New Hire OpSec Kit
      • Privacy screen
      • Laptop webcam cover
      • FIDO U2F Security Key
      • USB condom
      • Password Manager License
      • Little Snitch License
      • RFID Wallet
      https://v.gd/ConFooOpSec19 https://v.gd/ConFooOpSec20
  47. Other Easy Wins
      • enable screen locking (laptop & mobile)
      • whole disk encryption
      • passcode/fingerprint on mobile
      • ask for wifi
      • use 2FA
      • umask 077 & shell history truncation
  48. (image-only slide)
