Security isn’t deploying some overbearing big brother of a hardware or software solution; it’s not running scanning software which tells you you’re safe; because in reality in these type of setups you’re not. Security is akin to high availability you deploying multiple redundancies to ensure you can still operate, the same can and should be applied to security; identify the potential areas of attack, reduces this attack surface and deploy multiple redundancies to secure your deployments.

1. Security
It's more than just your database you should
worry about
David Busby
Information Security Architect
2014-11-02

2. Sample Text Page
• David Busby
–Percona since January 2013
–R.D.B.A
–EMEA && Security Lead
–I.S.A (current)
–14 years sysadmin / dev
–Ju-Jitsu instructor for N.F.P club.
–Volunteer assist teaching computing at Secondary
school
2

3. Agenda
• Got F.U.D?
•What is an attack surface?
• D.A.C, M.A.C, I.P.S, I.D.S, WTF?
• Heartbleed / Shellshock / #gate / #bandwagon
• Detection or prevention: the boy who cried
wolf
• Emerging tech to keep an eye on.
• 2014 … it's been interesting
3

4. Here be dragons ...
• Previous talks focused on a select set of
identification and prevention
● This talk is different …
● Focus is on a mindset change for pure
identification of potential attack vectors.
Aswell as clarification of some points along
the way
● There's F.U.D by the ton; and we each get a
shovel.
4

5. Got F.U.D?
• Fear Uncertainty Doubt
• C.R.I.M.E (CVE-2012-4929)
• B.E.A.S.T (CVE-2011-3389)
• Heartbleed (CVE-2014-0160)
• Shellshock CVE-2014-6271, 6277, 6278, 7169,
7186, 7187
• P.O.O.D.L.E (CVE-2014-3566)
5

6. What's an “attack surface”?
• Potential areas for compromise
– Application
– Database
– Network
– Hardware
– Software
– Employees
– Other
6

7. What's an “attack surface”?
• Application
– Engine / Interpreter, e.g. Java, PHP, etc.
● e.g. PHP CVE-2011-4885 (hash collide)
– Framework
● Or most likely a plugin
– Developer errors, SQLi, XSS, CSRF etc ...
– HTTP Service Apache, Nginx, Lighthttpd, etc.
– Sysadmin errors e.g. missconfiguration of SSL
cipers / certs
7

8. What's an “attack surface”?
• Database
– Weak passwords
– Overpermissive grants
– Overly broad host spefications e.g. @%
● Vulnerabilities in service (often denoted by CVE's
e.g. CVE-2012-2122)
– Poor isolation (Network, users etc)
– Malicious plugins e.g. UDF's
8

9. What's an “attack surface”?
• Network
– Overly open ACL
– Little or no isolation
– Little or no monitoring
– Little or no packet inspection
– “An open playground”
– Hardware embedded OS vulnerabilities
– Other entry points
● It's not limited to Ethernet / 2.4 && 5 GHz WiFi
(look at the NSA ANT catalogue)
9

10. What's an “attack surface”?
• Hardware
– Lack of tamper evident seals
– Lack of control of use
– Malicious USB / Firewire / etc
● COTTONMOUTH-I
● Iron Geek's plug & prey
● USB Rubber Ducky
– Embedded firmware vulnerabilites
– “Freebie” / “Gift” / “Other”
– Lack of physical access controls
● e.g. Barclays £1.3M Theft
– Lack of $vendor updates (e.g. Android)
10

11. What's an “attack surface”?
• Lock all the things!
– Combination T.S.A locks
● Easily picked
– Traditional tumbler locks
● Picking / bump keys
– Biometrics
● Mythbusters
• Key pads
– Check for wear / dirt marks / vedor codes
• Key switches (e.g. in lifts)
– As per above
• Room card keys
– Magstripe read and write
• RFID
– Easily read tags content and replay
11

12. What's an “attack surface”?
• And then there's … I.o.T
– T.V
– Cameras
– Light bulbs
– Fridges
– Home automation
– Locks
– Printer
● Cloud print …
– Etc
– Supervisory Control And Data Acquisition
● Let's put a hydro electric dam controll system on the internet!
12

13. What's an “attack surface”?
• But wait … there's more!
• Your cars
•Medical devices (more famously RF enabled
pacemakers), wireless insulin pumps etc …
• https://www.iamthecavalry.org/
13

14. What's an “attack surface”?
• Software
– Modified binaries
– “Install for FREE STUFF!”
– Unaudited source code … cough cough
● Truecrypt, openssl ...
– Poor isolation (no M.A.C, only D.A.C)
– Process injection, buffer overflows etc …
– Unpatched software
14

15. What's an “attack surface”?
• Employees
– “I put all my details on this pastebin, can you take a
look?”
– “Sure you can use my phone / workstation!”
– “So all I have to do is click this link?”
– “Oh you're from HR? Sure I can install that!”
– “A magic trick? YEY!”
– “FREE STUFF?!”
15

16. What's an “attack surface”?
• Employees
– Phishing / Spear Phishing
– Social engineering
– D.L.P bypass is no longer just crafted devices
● Making comodity USB "evil"
● Derbycon presentation
● Adam Caudil && Brandon Wilson
– Implied trust
● Uniform / Badge != Proof
16

17. What's an “attack surface”?
• Other
– Side channel attacks
● Cache timing
● Co-residency (side channel against “cloud”)
– Unintentional “emissions”
● Melissa Elliot “Noise Floor”
● S.D.R (Software Defined Radio)
● Monitor / Display, RAM, F.S.B, etc ...
17

18. F.U.D!
18

19. Well … not so much
19

20. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
• Discretionary Access Control
– POSIX permissions
● File mode
● UID
● GID
● Software runs with same permissions as user
and group
● e.g. your brower could read ~/.ssh/id_rsa in
this model
20

21. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
•Mandatory Access Control
– SELinux
● Process running with context x
● e.g. MySQL
● Access to resource y
● listen *:3306
● Denied access to resource z
● Connect *:80
– App armor
– Gazzang (Has some M.A.C)
21

22. Heartbleed/Shellshock/#bandwagon
• “Media”
– Need to drive views / purchases aka revenue
– F.U.D “slinging” is an effective method for this.
(Everything is a Virus)
● e.g. The Registers “Critical SSL vulnerability out
tomorrow”
● No detail
● No sources
● PURE F.U.D
22

23. Heartbleed/Shellshock/#bandwagon
• But naming vulnerabilites has its place
● C.R.I.M.E / CVE-2012-4929
● B.E.A.S.T / CVE-2011-3389
● Heartbleed CVE-2014-0160
● Shellshock CVE-2014-6271, 6277, 6278,
7169, 7186, 7187
● P.O.O.D.L.E CVE-2014-3566
23

24. Heartbleed/Shellshock/#bandwagon
• Even if it can go a bit far ...
24

25. Heartbleed/Shellshock/#bandwagon
• There is hope behind the hype.
● Elastica Inc @ Vimeo
● Heartbleed instructional video
● Shellshock instructional video
● Poodle instructional video
25

26. Detection or prevention
•Why not both?
– Block known “bad”
● By writing your own rules
● Reguarly syncing with emerging rules
– Allow known “good”
● IPS / WAF blocking your app? Write an exeception,
carefully!
● Be selective!
● e.g. don't: if /cart(.*) then skip
– Log everything else
● And check the logs!
26

27. Detection or prevention
•Why not both?
– Generate alerts
● e.g. logstash can send alerts to nagios
– Y.M.W.V
● You will know your applications behaviour
● Consider what's “out of context”
● e.g. 10x increase in additions to shopping cart for
invalid items (could be someoneattempting SQLi)
● 10x increase in requests, could be a DoS
27

28. Detection or prevention
• Detection
● Alert on set conditions
● SQLi, Fuzzing, out of context requests.
● Write Rules / exceptions to reduce “noise”
● Be specific in said rules!
• Prevention
● Block and alert
● Reduce “noise” through blacklists.
● {"timestamp":"2014-05-
15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX
","dest_port":22,"proto":"TCP","alert":
{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known
Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
28

29. Detection or prevention
• Reduce NOISE!
– Avoiding the “boy who cried wolf”
– Aka staff becoming desensitized to the slew of alerts that “oh
that's normal, just ignore”
– “Familiarity breeds comtempt”
• Why not just buy $product?
– It's still an option but be 100% sure you know what you're buying.
● Paying over the odds for rebranded nessus is never good.
● Ongoing rule updates, custom rule support, $vendor support to
“tune” the appliance to your needs.
29

30. Emerging tech to keep an eye on
• Fidoalliance.org
– U2F (Universal two factor)
– UAF (Universal authentication framework)
– Google, yubico, ARM, bank of america, Lenovo,
Mastercard, Discover, Microsoft, Paypal, Qualcomm,
RSA, Samsung, Visa …
● The list of members is extensive
– TL;DR improve security by implementing a common
two factor auth standard; and comoditizing it to
improve addoption.
30

31. Emerging tech to keep an eye on
• Keybase.io
– Nodejs
– “socializes” GPG
● Tracking → sign a “snapshot” of their key and
identity profile
● “On this date I <name> verify this is Joe Blogs's
gpg key, twitter account … etc”
– TL;DR wrapper and service to help spread the use of
GPG
– https://keybase.io/oneiroi/
31

32. Emerging tech to keep an eye on
• Suricata
– IDS / IPS
– Libjannson → eve.json
● Compatible with E.L.K stack: blog post
– Multi threaded
● Claims 10Gbit support with no ruleset sacrifice
● Protocol identification
● File identification, extraction
– Open Information Security Foundation
32

33. Emerging tech to keep an eye on
• E.L.K (Elastic search, Logstash, Kibana)
– Easily store, index and visualize data
● e.g. suricata data
33

34. Emerging tech to keep an eye on
• Docker
– Wrapper for LXC
● “Linux containers”
– Vagrant / git esq cli
– Raw hardware access
● Not paravirtual
– Suffers from “container breakout”
● Gains root on host system
– REST API is very open
– Docker Security page
– Dan Walsh SELinux and Docker
34

35. Emerging tech to keep an eye on
• Haka
– “Software defined security”
– $developer sentric security
– LUA DSL
– Another tool in the $devops chain
– E.L.K support
• Why not IPTables / Netfilter / other
– Why not both?
– Eases developers adoption
35

36. 2014 … it's been interesting
• 2014
– Isn't over yet ...
– Heartbleed, shellshock, poodle
– F.U.D
● Gmail “leak” (wasn't gmail, just happened to have
gmail addresses)
● Dropbox “leak” (wasn't dropbox, just happened that
users were using same credentials)
– Home Depot
– Target (Fall 2013, still “in the news”)
36

37. 2014 … it's been interesting
• 2014
– No more “head in the sand”
– No more “features before security”
– The cost of compromise is proven
– Increasing Ubiquity of I.o.T
● without proper security measures is not maintainable
– Time to build security into the product, not as an
afterthought.
37

38. 2014 … it's been interesting
• 2014
– You are not alone!
– https://www.iamthecavalry.org/
– http://www.openinfosecfoundation.org/
– https://www.reddit.com/r/netsec
– http://seclists.org/fulldisclosure/
– https://bugcrowd.com
– https://44con.com/
– http://dc4420.org/
– Deploy your own “Responsible disclosure program”
38

39. The End …
• Questions? (And Thank you for attending!)
• I also have a tirade of equipment with me if
anyone is interested in learning more; see me
after this talk.
39