Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Operations security - SyPy Dec 2014 (Sydney Python users)

653 views

Published on

Operations security - opsec - with some Python related tips

Published in: Technology
  • Be the first to comment

Operations security - SyPy Dec 2014 (Sydney Python users)

  1. 1. OPSEC - operations security Mikko Ohtamaa SyPy / Sydney / Dec 2014 opensourcehacker.com moo9000
  2. 2. Agenda Background Team security User security Infrastructure security
  3. 3. Person-to-person Bitcoin exchange Bitcoin users are high value targets
  4. 4. Team security
  5. 5. Encrypt devices: computers AND phones ! Two-factor authentication on inbox and site admin ! Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
  6. 6. Password manager (KeePassX) SSH keys, tied to your computer login http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
  7. 7. User security
  8. 8. Passwords are dead Password stealing attacks by keylogging and cache reading malware Strong passwords give only limited additional protection
  9. 9. Login attempt throttling Threshold logins per IP: script kiddie Threshold per username: spearhead brute force Threshold all logins per minute: botnet attack recaptcha.net http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and- mitigating-botnet-driven-login-attacks/
  10. 10. Two-factor authentication for your users
  11. 11. Time-Based One-Time Password Algorithm Tic toc keycodes generated by a mobile app TOTP a.k.a Google Authenticator, RFC 6238 Does not require Google account.! OSS apps available
  12. 12. HMAC-Based One-Time Password Algorithm HOTP, RFC 4226 a.k.a. paper codes, one time pad Common in EU banking, unheard in some countries
  13. 13. SMS Yubikey As a service: authy.org For Django: https://github.com/miohtama/ django-twofactor
  14. 14. Third factor
  15. 15. Users accidentally give out their credentials Recycled passwords (blackmarket) Phishing (Google Adwords first link stealing) ! Phishers may get two-factor codes too
  16. 16. Third factor parameters Identify web browser (permacookie) Identify the country of IP address The reputation of IP address (botnet, Tor, VPS) IP address whitelist !
  17. 17. "Tinfoil never too tight" attacks Trojan kits with Bitcoin sites "autosteal" Browser add-ons modifying payment data in-fly Android and iOS malware SMS capture attacks Malicious Tor exit nodes ! http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed- 93764 http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
  18. 18. Infrastructure security
  19. 19. fail2ban Daemon blocking IPs by continuous log file analysis (e.g. Apache, SSH, custom application logs)
  20. 20. Attack mitigation as a service proxies: cloudflare.net Whitehat bounty programs: crowdcurity.com Known bad IPs: projecthoneypot.org !
  21. 21. Hosting provider and physical attacks Store databases and logs on encrypted partition (LUKS) Backups as encrypted only: duplicity, GPG Server-to-server connections: SSH, VPN Virtual machines are always unsafe http://blog.bitly.com/#85169217199
  22. 22. Server security monitoring Log server, FSS (forward secure sealed) logs Intrusion detection (OSSEC) Firewalling ! http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense. html
  23. 23. THANK YOU linkedin.com/in/ohtis opensourcehacker.com Open Source Hacker mikko@moo9000 opensourcehacker.com

×