SlideShare a Scribd company logo

Operations security (OPSEC)

Mikko Ohtamaa
Mikko Ohtamaa

Operations security (OPSEC) presentations given in Bangkok Python meetup. The presentation covers topics about device encryption, two factor-authentication, SSH, preventing brute force attacks and ensuring your infrastructure integrity.

Technology
1 of 28
Download to read offline
OPSEC - operations security Mikko Ohtamaa ThaiPy / Bangkok / Nov 2014 opensourcehacker.com moo9000
Agenda Team security User security Infrastructure security
Person-to-person Bitcoin exchange Bitcoin users are high value targets
Team security
Physical access (display sleep + password) Encrypt devices (computers AND phones) Two-factor authentication on email inbox Two-factor authentication on site admin Two-factor SSH Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
"Cyber hygiene" Password management (KeePassX) SSH keys (automatically unlock on your computer computer login) ! http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
User security
Passwords are dead Password stealing attacks by keylogging and file-system reading malware Strong password gives only limited additional protection
Throttle login attempts with CAPTCHA Threshold logins per IP (leaked credentials black market) Threshold per username (spearhead brute force) Threshold all logins per minute (botnet attack) recaptcha.net - https://github.com/praekelt/django-recaptcha http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and- mitigating-botnet-driven-login-attacks/
Two-factor authentication for your users
Lack of two-factor scenario: US 0.90% scenario: Great-Britain 0.90% scenario: Australia 7.58% www.schneier.com/blog/archives/2006/11/fighting_fraudu.html
Time-Based One-Time Password Algorithm TOTP a.k.a Google Authenticator, RFC 6238 Google provides app for Android, iOS. Does not require Google account. Other OSS implementations
HMAC-Based One-Time Password Algorithm HOTP, RFC 4226 a.k.a. paper codes, one time pad Common in Nordic internet banking, unheard in many countries
SMS Yubikey Calculators and other hardware tokens As a service: authy.org twofactorauth.org
For Django: https://github.com/ miohtama/django-twofactor
Third factor
Users lose their credentials Recycled passwords (blackmarket) Phishing (Google Adwords attack) Stolen two-factor codes
Third factor parameters Unknown web browser (identified by cookie) The of country of IP address The reputation of IP address (botnet, Tor, VPS) IP address whitelist Confirm by email or by SMS “is it really you”
Mad general problem “If your local computer is compromised by malware or anything else, it is just like a mad general” http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
What I have seen Malicious browser add-on modifying sites in fly Android and iOS malware SMS capture attacks Spearhead email phishing Google AdWords phishing Malicious Tor exit nodes http://thed! roidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed- 93764
Infrastructure security
fail2ban Daemon automatically blocking IPs by log file analysis (e.g. Apache, SSH, your pplication)
Attack mitigation as a reverse proxy service: cloudflare.net Known bad IPs: projecthoneypot.org IP information: http://myip.ms/
Flood attacks Flood actions and anonymous forms: password reset email, invite email, user messaging Mostly harmless / reputation hit Have throttling and banning per IP Throttle email actions with a custom log file and fail2ban https://shubh.am/full-disclosure-coinbase-security/
Encrypt all the servers Encrypt your server content - “mad hosting provider” Encrypt backups: GPG, duplicity Encrypt server-to-server connections: AutoSSH, VPN Virtual machines are always unsafe http://blog.bitly.com/#85169217199
Server security monitoring Untamperable logs (external log servers / systems forward secure sealing) Known processes and files list (Tripwire) Firewalling http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense. html
THANK YOU opensourcehacker.com Open Source Hacker mikko@moo9000 opensourcehacker.com
https://www.youtube.com/watch?v=OSGv2VnC0go&feature=youtu.be https://packaging.python.org/

Recommended

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
HackIT Ukraine
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
Patel Mit
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
JITENDRA KUMAR PATEL
 
Week12 final
Week12 finalWeek12 final
Week12 final
Irfan Ali Memon
 
Attack chaining for web exploitation
Attack chaining for web exploitationAttack chaining for web exploitation
Attack chaining for web exploitation
n|u - The Open Security Community
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionaryTabraiz Bukhari
 
Cyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ VikjavaCyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ Vikjava
Security Bootcamp
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 

Recommended

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
HackIT Ukraine
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
Patel Mit
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
JITENDRA KUMAR PATEL
 
Week12 final
Week12 finalWeek12 final
Week12 final
Irfan Ali Memon
 
Attack chaining for web exploitation
Attack chaining for web exploitationAttack chaining for web exploitation
Attack chaining for web exploitation
n|u - The Open Security Community
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionaryTabraiz Bukhari
 
Cyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ VikjavaCyber Attacks on Financial _ Vikjava
Cyber Attacks on Financial _ Vikjava
Security Bootcamp
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
Sumanth Damarla
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
n|u - The Open Security Community
 
Cryptolocker Ransomware Attack
Cryptolocker Ransomware AttackCryptolocker Ransomware Attack
Cryptolocker Ransomware Attack
Keval Bhogayata
 
Agnitum Outpost Pro product line
Agnitum Outpost Pro product lineAgnitum Outpost Pro product line
Agnitum Outpost Pro product line
Pavel Fyodorov
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it mean
MetaKave
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.
Nahidul Kibria
 
ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy
IpshitaNandy
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
securityxploded
 
News Bytes
News BytesNews Bytes
News Bytes
Megha Sahu
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay.org
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
NewsBytes - Nullhyd
NewsBytes - Nullhyd NewsBytes - Nullhyd
NewsBytes - Nullhyd
n|u - The Open Security Community
 
Cyber attacks 2015
Cyber attacks 2015Cyber attacks 2015
Cyber attacks 2015
Mukesh Chaudhari
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
Martins Chibuike Onuoha
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
phexcom1
 
Meeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developersMeeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developers
Peter Hilton
 
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
Brian Troutwine
 
Cqrs 101 all your base belong to us
Cqrs 101 all your base belong to usCqrs 101 all your base belong to us
Cqrs 101 all your base belong to us
Tom Janssens
 

More Related Content

What's hot

Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
Sumanth Damarla
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
n|u - The Open Security Community
 
Cryptolocker Ransomware Attack
Cryptolocker Ransomware AttackCryptolocker Ransomware Attack
Cryptolocker Ransomware Attack
Keval Bhogayata
 
Agnitum Outpost Pro product line
Agnitum Outpost Pro product lineAgnitum Outpost Pro product line
Agnitum Outpost Pro product line
Pavel Fyodorov
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it mean
MetaKave
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.
Nahidul Kibria
 
ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy
IpshitaNandy
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
securityxploded
 
News Bytes
News BytesNews Bytes
News Bytes
Megha Sahu
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay.org
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
NewsBytes - Nullhyd
NewsBytes - Nullhyd NewsBytes - Nullhyd
NewsBytes - Nullhyd
n|u - The Open Security Community
 
Cyber attacks 2015
Cyber attacks 2015Cyber attacks 2015
Cyber attacks 2015
Mukesh Chaudhari
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
Martins Chibuike Onuoha
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
phexcom1
 

What's hot (19)

Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelines
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
 
Cryptolocker Ransomware Attack
Cryptolocker Ransomware AttackCryptolocker Ransomware Attack
Cryptolocker Ransomware Attack
 
Agnitum Outpost Pro product line
Agnitum Outpost Pro product lineAgnitum Outpost Pro product line
Agnitum Outpost Pro product line
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it mean
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.
 
ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy ip spoofing by Ipshita Nandy
ip spoofing by Ipshita Nandy
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
News Bytes
News BytesNews Bytes
News Bytes
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
NewsBytes - Nullhyd
NewsBytes - Nullhyd NewsBytes - Nullhyd
NewsBytes - Nullhyd
 
Cyber attacks 2015
Cyber attacks 2015Cyber attacks 2015
Cyber attacks 2015
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
 

Viewers also liked

Meeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developersMeeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developers
Peter Hilton
 
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
Brian Troutwine
 
Cqrs 101 all your base belong to us
Cqrs 101 all your base belong to usCqrs 101 all your base belong to us
Cqrs 101 all your base belong to us
Tom Janssens
 
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
Brian Troutwine
 
Ur Domain Haz Monoids DDDx NYC 2014
Ur Domain Haz Monoids DDDx NYC 2014Ur Domain Haz Monoids DDDx NYC 2014
Ur Domain Haz Monoids DDDx NYC 2014
Cyrille Martraire
 
Writing the docs
Writing the docsWriting the docs
Writing the docs
Mikko Ohtamaa
 
HTTP demystified for web developers
HTTP demystified for web developersHTTP demystified for web developers
HTTP demystified for web developers
Peter Hilton
 
Documentation avoidance for developers
Documentation avoidance for developersDocumentation avoidance for developers
Documentation avoidance for developers
Peter Hilton
 
Common ddd pitfalls
Common ddd pitfallsCommon ddd pitfalls
Common ddd pitfalls
Tom Janssens
 
How to write maintainable code
How to write maintainable codeHow to write maintainable code
How to write maintainable code
Peter Hilton
 
Instrumentation as a Living Documentation: Teaching Humans About Complex Systems
Instrumentation as a Living Documentation: Teaching Humans About Complex SystemsInstrumentation as a Living Documentation: Teaching Humans About Complex Systems
Instrumentation as a Living Documentation: Teaching Humans About Complex Systems
Brian Troutwine
 
Selling ddd
Selling dddSelling ddd
Selling ddd
Tom Janssens
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web framework
Mikko Ohtamaa
 
Tom and jef’s awesome modellathon
Tom and jef’s awesome modellathonTom and jef’s awesome modellathon
Tom and jef’s awesome modellathon
Tom Janssens
 
Domain-Driven Design in legacy application
Domain-Driven Design in legacy applicationDomain-Driven Design in legacy application
Domain-Driven Design in legacy application
Cyrille Martraire
 
Play framework: lessons learned
Play framework: lessons learnedPlay framework: lessons learned
Play framework: lessons learnedPeter Hilton
 
Process-oriented reactive service architecture
Process-oriented reactive service architectureProcess-oriented reactive service architecture
Process-oriented reactive service architecture
Peter Hilton
 
Domain-driven design - tactical patterns
Domain-driven design - tactical patternsDomain-driven design - tactical patterns
Domain-driven design - tactical patterns
Tom Janssens
 
DDD session BrownBagLunch (FR)
DDD session BrownBagLunch (FR)DDD session BrownBagLunch (FR)
DDD session BrownBagLunch (FR)
Cyrille Martraire
 
I T.A.K.E. talk: "When DDD meets FP, good things happen"
I T.A.K.E. talk: "When DDD meets FP, good things happen"I T.A.K.E. talk: "When DDD meets FP, good things happen"
I T.A.K.E. talk: "When DDD meets FP, good things happen"
Cyrille Martraire
 

Viewers also liked (20)

Meeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developersMeeting-avoidance for self-managing developers
Meeting-avoidance for self-managing developers
 
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
(Moonconf 2016) Fetching Moths from the Works: Correctness Methods in Software
 
Cqrs 101 all your base belong to us
Cqrs 101 all your base belong to usCqrs 101 all your base belong to us
Cqrs 101 all your base belong to us
 
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
Automation With Humans in Mind: Making Complex Systems Predictable, Reliable ...
 
Ur Domain Haz Monoids DDDx NYC 2014
Ur Domain Haz Monoids DDDx NYC 2014Ur Domain Haz Monoids DDDx NYC 2014
Ur Domain Haz Monoids DDDx NYC 2014
 
Writing the docs
Writing the docsWriting the docs
Writing the docs
 
HTTP demystified for web developers
HTTP demystified for web developersHTTP demystified for web developers
HTTP demystified for web developers
 
Documentation avoidance for developers
Documentation avoidance for developersDocumentation avoidance for developers
Documentation avoidance for developers
 
Common ddd pitfalls
Common ddd pitfallsCommon ddd pitfalls
Common ddd pitfalls
 
How to write maintainable code
How to write maintainable codeHow to write maintainable code
How to write maintainable code
 
Instrumentation as a Living Documentation: Teaching Humans About Complex Systems
Instrumentation as a Living Documentation: Teaching Humans About Complex SystemsInstrumentation as a Living Documentation: Teaching Humans About Complex Systems
Instrumentation as a Living Documentation: Teaching Humans About Complex Systems
 
Selling ddd
Selling dddSelling ddd
Selling ddd
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web framework
 
Tom and jef’s awesome modellathon
Tom and jef’s awesome modellathonTom and jef’s awesome modellathon
Tom and jef’s awesome modellathon
 
Domain-Driven Design in legacy application
Domain-Driven Design in legacy applicationDomain-Driven Design in legacy application
Domain-Driven Design in legacy application
 
Play framework: lessons learned
Play framework: lessons learnedPlay framework: lessons learned
Play framework: lessons learned
 
Process-oriented reactive service architecture
Process-oriented reactive service architectureProcess-oriented reactive service architecture
Process-oriented reactive service architecture
 
Domain-driven design - tactical patterns
Domain-driven design - tactical patternsDomain-driven design - tactical patterns
Domain-driven design - tactical patterns
 
DDD session BrownBagLunch (FR)
DDD session BrownBagLunch (FR)DDD session BrownBagLunch (FR)
DDD session BrownBagLunch (FR)
 
I T.A.K.E. talk: "When DDD meets FP, good things happen"
I T.A.K.E. talk: "When DDD meets FP, good things happen"I T.A.K.E. talk: "When DDD meets FP, good things happen"
I T.A.K.E. talk: "When DDD meets FP, good things happen"
 

Similar to Operations security (OPSEC)

Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)
Mikko Ohtamaa
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Joann Davis
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
Ashwin Patil, GCIH, GCIA, GCFE
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
Ashwin Patil, GCIH, GCIA, GCFE
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
All Things Open
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptx
babepa2317
 
Bitrix Software Security
Bitrix Software SecurityBitrix Software Security
Bitrix Software Security
FTS Capital Group Sp. z o.o.
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Cenzic
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Hack the hack
Hack the hackHack the hack
Hack the hack
Shakti Ranjan
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
parag101
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
Narayanan
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hacking
Cmano Kar
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert TrendSC Leung
 

Similar to Operations security (OPSEC) (20)

Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptx
 
Bitrix Software Security
Bitrix Software SecurityBitrix Software Security
Bitrix Software Security
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hacking
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 

More from Mikko Ohtamaa

Plone, battle-scarred community with battle tanks
Plone, battle-scarred community with battle tanksPlone, battle-scarred community with battle tanks
Plone, battle-scarred community with battle tanksMikko Ohtamaa
 
World Plone Day 2013
World Plone Day 2013World Plone Day 2013
World Plone Day 2013
Mikko Ohtamaa
 
Test lol
Test lolTest lol
Test lol
Mikko Ohtamaa
 
Solving problems one Plone package at a time
Solving problems one Plone package at a timeSolving problems one Plone package at a time
Solving problems one Plone package at a time
Mikko Ohtamaa
 
Saving Plone from Plone agony
Saving Plone from Plone agonySaving Plone from Plone agony
Saving Plone from Plone agony
Mikko Ohtamaa
 
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ... Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
Mikko Ohtamaa
 
VVV validation and linting tool
VVV validation and linting toolVVV validation and linting tool
VVV validation and linting tool
Mikko Ohtamaa
 
Plone IDE - the future of Plone development
Plone IDE - the future of Plone developmentPlone IDE - the future of Plone development
Plone IDE - the future of Plone development
Mikko Ohtamaa
 
Javascript - How to avoid the bad parts
Javascript - How to avoid the bad partsJavascript - How to avoid the bad parts
Javascript - How to avoid the bad parts
Mikko Ohtamaa
 
The Easy Way - Plone Conference 2011
The Easy Way - Plone Conference 2011The Easy Way - Plone Conference 2011
The Easy Way - Plone Conference 2011Mikko Ohtamaa
 
Mobile Landscape 2011
Mobile Landscape 2011Mobile Landscape 2011
Mobile Landscape 2011
Mikko Ohtamaa
 
Mobiilimarkkinoinnin mahdollisuudet nyt
Mobiilimarkkinoinnin mahdollisuudet nytMobiilimarkkinoinnin mahdollisuudet nyt
Mobiilimarkkinoinnin mahdollisuudet nyt
Mikko Ohtamaa
 
The World Outside Plone
The World Outside PloneThe World Outside Plone
The World Outside Plone
Mikko Ohtamaa
 
mFabrik Case Studies
mFabrik Case StudiesmFabrik Case Studies
mFabrik Case Studies
Mikko Ohtamaa
 
Building HTML based mobile phone applications
Building HTML based mobile phone applicationsBuilding HTML based mobile phone applications
Building HTML based mobile phone applications
Mikko Ohtamaa
 

More from Mikko Ohtamaa (15)

Plone, battle-scarred community with battle tanks
Plone, battle-scarred community with battle tanksPlone, battle-scarred community with battle tanks
Plone, battle-scarred community with battle tanks
 
World Plone Day 2013
World Plone Day 2013World Plone Day 2013
World Plone Day 2013
 
Test lol
Test lolTest lol
Test lol
 
Solving problems one Plone package at a time
Solving problems one Plone package at a timeSolving problems one Plone package at a time
Solving problems one Plone package at a time
 
Saving Plone from Plone agony
Saving Plone from Plone agonySaving Plone from Plone agony
Saving Plone from Plone agony
 
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ... Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
Beautiful Maintainable ModularJavascript Codebase with RequireJS - HelsinkiJ...
 
VVV validation and linting tool
VVV validation and linting toolVVV validation and linting tool
VVV validation and linting tool
 
Plone IDE - the future of Plone development
Plone IDE - the future of Plone developmentPlone IDE - the future of Plone development
Plone IDE - the future of Plone development
 
Javascript - How to avoid the bad parts
Javascript - How to avoid the bad partsJavascript - How to avoid the bad parts
Javascript - How to avoid the bad parts
 
The Easy Way - Plone Conference 2011
The Easy Way - Plone Conference 2011The Easy Way - Plone Conference 2011
The Easy Way - Plone Conference 2011
 
Mobile Landscape 2011
Mobile Landscape 2011Mobile Landscape 2011
Mobile Landscape 2011
 
Mobiilimarkkinoinnin mahdollisuudet nyt
Mobiilimarkkinoinnin mahdollisuudet nytMobiilimarkkinoinnin mahdollisuudet nyt
Mobiilimarkkinoinnin mahdollisuudet nyt
 
The World Outside Plone
The World Outside PloneThe World Outside Plone
The World Outside Plone
 
mFabrik Case Studies
mFabrik Case StudiesmFabrik Case Studies
mFabrik Case Studies
 
Building HTML based mobile phone applications
Building HTML based mobile phone applicationsBuilding HTML based mobile phone applications
Building HTML based mobile phone applications
 

Recently uploaded

Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 

Recently uploaded (20)

Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Operations security (OPSEC)

  • 1. OPSEC - operations security Mikko Ohtamaa ThaiPy / Bangkok / Nov 2014 opensourcehacker.com moo9000
  • 2. Agenda Team security User security Infrastructure security
  • 3. Person-to-person Bitcoin exchange Bitcoin users are high value targets
  • 5. Physical access (display sleep + password) Encrypt devices (computers AND phones) Two-factor authentication on email inbox Two-factor authentication on site admin Two-factor SSH Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
  • 6. "Cyber hygiene" Password management (KeePassX) SSH keys (automatically unlock on your computer computer login) ! http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
  • 8. Passwords are dead Password stealing attacks by keylogging and file-system reading malware Strong password gives only limited additional protection
  • 9. Throttle login attempts with CAPTCHA Threshold logins per IP (leaked credentials black market) Threshold per username (spearhead brute force) Threshold all logins per minute (botnet attack) recaptcha.net - https://github.com/praekelt/django-recaptcha http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and- mitigating-botnet-driven-login-attacks/
  • 11. Lack of two-factor scenario: US 0.90% scenario: Great-Britain 0.90% scenario: Australia 7.58% www.schneier.com/blog/archives/2006/11/fighting_fraudu.html
  • 12. Time-Based One-Time Password Algorithm TOTP a.k.a Google Authenticator, RFC 6238 Google provides app for Android, iOS. Does not require Google account. Other OSS implementations
  • 13. HMAC-Based One-Time Password Algorithm HOTP, RFC 4226 a.k.a. paper codes, one time pad Common in Nordic internet banking, unheard in many countries
  • 14. SMS Yubikey Calculators and other hardware tokens As a service: authy.org twofactorauth.org
  • 15. For Django: https://github.com/ miohtama/django-twofactor
  • 17. Users lose their credentials Recycled passwords (blackmarket) Phishing (Google Adwords attack) Stolen two-factor codes
  • 18. Third factor parameters Unknown web browser (identified by cookie) The of country of IP address The reputation of IP address (botnet, Tor, VPS) IP address whitelist Confirm by email or by SMS “is it really you”
  • 19. Mad general problem “If your local computer is compromised by malware or anything else, it is just like a mad general” http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
  • 20. What I have seen Malicious browser add-on modifying sites in fly Android and iOS malware SMS capture attacks Spearhead email phishing Google AdWords phishing Malicious Tor exit nodes http://thed! roidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed- 93764
  • 22. fail2ban Daemon automatically blocking IPs by log file analysis (e.g. Apache, SSH, your pplication)
  • 23. Attack mitigation as a reverse proxy service: cloudflare.net Known bad IPs: projecthoneypot.org IP information: http://myip.ms/
  • 24. Flood attacks Flood actions and anonymous forms: password reset email, invite email, user messaging Mostly harmless / reputation hit Have throttling and banning per IP Throttle email actions with a custom log file and fail2ban https://shubh.am/full-disclosure-coinbase-security/
  • 25. Encrypt all the servers Encrypt your server content - “mad hosting provider” Encrypt backups: GPG, duplicity Encrypt server-to-server connections: AutoSSH, VPN Virtual machines are always unsafe http://blog.bitly.com/#85169217199
  • 26. Server security monitoring Untamperable logs (external log servers / systems forward secure sealing) Known processes and files list (Tripwire) Firewalling http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense. html
  • 27. THANK YOU opensourcehacker.com Open Source Hacker mikko@moo9000 opensourcehacker.com