This document discusses potential stages and tasks for a recruitment challenge system for the OWASP organization. It proposes 3 stages:
Stage 1 involves basic tasks using telnet/SMTP to test technical skills. Stage 2 involves a social engineering challenge to test security awareness. Stage 3 involves securing a virtualized network using techniques like restricted shells, SSH tunnels, control groups, and firewalls. The goal is to optimize the recruitment process while minimizing risk of rejecting qualified candidates.
Speaker: Макс Мороз (Max Moroz)
An overview of ClusterFuzz, a system that lets the Chrome browser be checked for vulnerabilities continuously and yields reproducible results for every individual crash. The advantages of using various sanitizers and LibFuzzer, a library for guided fuzzing, will be demonstrated. Detailed statistics on the kinds of vulnerabilities found in Chrome will be presented. Attendees will learn about the pitfalls of distributed fuzzing, and about how to run their own fuzzers in Google's infrastructure and receive rewards for the vulnerabilities found.
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ... (PROIDEA)
Users of modern Linux containerization technologies are frequently at a loss as to what kind of security guarantees are delivered by the tools they use. Typical questions range from "Can these be used to isolate software with known security shortcomings and a rich history of security vulnerabilities?" to even "Can I use such a technique to isolate user-generated and potentially hostile assembler payloads?"
Modern Linux OS code-base as well as independent authors provide a plethora of options for those who desire to make sure that their computational loads are solidly confined. Potential users can choose from solutions ranging from Docker-like confinement projects, through Xen hypervisors, seccomp-bpf and ptrace-based sandboxes, to isolation frameworks based on hardware virtualization (e.g. KVM).
The talk will discuss the techniques available today, with focus on the (frequently overstated) promises regarding their strength. In the end, as they say: “Many speed bumps don’t make a wall”.
ZeroMQ is a good tool to know, because it provides a huge variety of socket and messaging patterns that you can leverage in your infrastructure to solve specific problems without using heavyweight message queues to do the same job. This talk illustrates 4 basic sockets provided by zeromq and the many ways you can use them.
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo... (Yandex)
"Lightweight virtualization", also called "OS-level virtualization", is not new. On Linux it evolved from VServer to OpenVZ, and, more recently, to Linux Containers (LXC). It is not Linux-specific; on FreeBSD it's called "Jails", while on Solaris it’s "Zones". Some of those have been available for a decade and are widely used to provide VPS (Virtual Private Servers), cheaper alternatives to virtual machines or physical servers. But containers have other purposes and are increasingly popular as the core components of public and private Platform-as-a-Service (PAAS), among others.
Just like a virtual machine, a Linux Container can run (almost) anywhere. But containers have many advantages over VMs: they are lightweight and easier to manage. After operating a large-scale PAAS for a few years, dotCloud realized that with those advantages, containers could become the perfect format for software delivery, since that is how dotCloud delivers from their build system to their hosts. To make it happen everywhere, dotCloud open-sourced Docker, the next generation of the containers engine powering its PAAS. Docker has been extremely successful so far, being adopted by many projects in various fields: PAAS, of course, but also continuous integration, testing, and more.
Speaker: Артем Шишкин (Artem Shishkin)
The talk describes the development of a virtualization-based debugging tool: how to apply existing virtualization facilities to debugging, how to preserve the integrity of the debugged environment, how to make debugging interactive, and how to tame the low-level specifics of hardware virtualization. The speaker will cover the integration of the hardware with the operating system and how to embed a debugger directly into the firmware. Several real-life examples of dynamic analysis will be examined.
An Introduction to the Formalised Memory Model for Linux Kernel (SeongJae Park)
The Linux kernel provides an executable, formalized memory model. These slides describe the nature of parallel programming in the Linux kernel, what a memory model is, and why it is necessary and important for kernel programmers. The slides were used at KOSSCON 2018 (https://kosscon.kr/).
LAS16-211: Using LAVA V2 for advanced KVM testing (Linaro)
LAS16-211: Testing LAVA V2 for advanced KVM testing
Speakers: Riku Voipio
Date: September 27, 2016
★ Session Description ★
The new LAVA dispatcher allows explicit control of starting/controlling guest. Walk through how to use V2 dispatcher for KVM and other VM testing and explore usage of libvirt etc. Share experiences in using V2 dispatcher in general. Plan support for migration and other advanced multinode tests.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-211
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-211/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
Kernel Recipes 2015 - So you want to write a Linux driver framework (Anne Nicolas)
Writing a new driver framework in Linux is hard. There are many pitfalls along the way; this talk hopes to point out some of those pitfalls and hard lessons learned through examples, advice and humorous anecdotes, in the hope that it will aid those adventurous enough to take on the task of writing a new driver framework. The scope of the talk includes internal framework design as well as external API design exposed to drivers and consumers of the framework. This presentation pulls directly from Michael Turquette’s experience authoring the Common Clock Framework and maintaining that code for the last four years.
Additionally Mike has solicited tips and advice from other subsystem maintainers, for a well-rounded overview. Be prepared to learn some winning design patterns and hear some embarrassing stories of framework design gone wrong.
Mike Turquette, BayLibre
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale (Jérôme Petazzoni)
What's Docker, why does it matter, how does it use Linux Containers, why should you use it, and how? You'll find answers to those questions (and a bit more) in this presentation, given February 20th 2014 at the Large Scale Production Engineering Meet-Up at Yahoo, in Sunnyvale.
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000 (CTruncer)
This talk will initially cover Device Guard, and how it works. After discussing high level methods of attacking Device Guard, we will go into detail on WMImplant, a tool which can be used to operate on Device Guard protected systems.
Egress-Assess and Owning Data Exfiltration (CTruncer)
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
This talk goes over the host identification process we follow, the development of EyeWitness 1.0, the problems which led to 2.0, and talks about future work on EyeWitness.
OpenWrt is a Linux distribution for embedded systems that runs on many routers and networking devices today. In this session we'll talk about OpenWrt's origins, architecture and get down to building apps for the platform.
Along the way we will touch on some basic firmware concepts and at last present the final working OpenWrt router and its capabilities.
Anton Lerner, Architect at Sitaro, computer geek, developer and occasional maker.
Sitaro provides total cyber protection for small business and home networks. Sitaro prevents massive scale IoT cyber attacks.
Find out more information in the meetup event page - https://www.meetup.com/Tel-Aviv-Yafo-Linux-Kernel-Meetup/events/245319189/
How to run a system administrator recruitment process? By creating a platform based on open source parts in just 2 nights! I gave this talk at the Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create a recruitment process in a CTF / challenge way.
This story covers mostly the security details of this whole platform. There's a great chance that I will give another talk about this system, but this time focusing on technical details. Stay tuned ;)
A guest lecture at National University of Defense Technology (NUDT) in 2016 to postgraduate students in China about emerging technologies in the Linux operating system.
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core (Nagios)
Eric Mislivec's presentation on getting started with Nagios Core. The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference.
Linux containers (LXC) seem to be the preferred technology for deployment of Platform as a Service (PaaS) in the cloud. Partly because it's easy to install on top of existing virtualization platforms (KVM, VMware, VirtualBox), partly because it is a lightweight solution to provide separation and process allocation between separate containers running under a single kernel.
In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.
The current Linux kernel /proc/PID interface is a great, time-proven and reliable way to get info about processes running on a system. Right? Well, yes and no. We found out (and you, too, might have noticed it) this is what makes ps and top slow when there are thousands of processes running. Besides the speed, there are a number of other problems with the current /proc/PID interface.
The talk describes all those in great detail, then goes on to the alternative we are proposing for inclusion into the kernel, a new interface called task_diag. The new interface is slick, fast (5-10x speed improvement), and extendable.
Containing the Gear: Deep Dive on SELinux, Multi-tenancy, Containers & Security with Dan Walsh
Presenter: Dan Walsh
In this talk, Dan will do a deep dive into the Origin PaaS use of SELinux and containerization. He will discuss how SELinux is being utilized to ensure that Origin is the most secure PAAS available today. He will address some of his ideas for the future of Origin and SELinux.
From 2013-04-14 OpenShift Origin Community Day in Portland, Oregon
Developed for the Denver Art Museum by Ashley Blewer, this slide deck covers some of the basics of diagnosing issues with Archivematica. Ashley covers everything from the software components involved with Archivematica, to monitoring logs, system monitoring, and upgrading your system. The presentation concludes with some useful links for tech-savvy preservationists and Archivematica-unfamiliar system administrators!
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak (NETWAYS)
An uphill battle against large enterprise IT environments and IT corporate culture. How those difficulties turned out to be opportunities and clever implementations. Interesting modules, integrations and workflow pieces.
New Jersey Red Hat Users Group Presentation: Provisioning anywhere (Rodrique Heron)
This presentation is from the October 10, 2017, Red Hat Users Group meeting. Please check us out on meetup.com.
https://www.meetup.com/NorthernNJRHUG
Tools like Docker and Ansible enable new capabilities and speed, and this session will help you and your organization to put it all in context and be more successful and collaborative than ever before.
This session will provide both practical advice to improve your organization's provisioning process, as well as discuss best practices to achieve the much sought-after "push button infrastructure" across multi-cloud environments.
Provisioning means more than simply deploying VMs (or cloud instances) and participants will leave this session with a fresh understanding of the various aspects that go into providing a reliable, flexible and portable platform to their businesses' workloads.
Our Speaker: Andre Pitanga, Red Hat Solutions Architect
Andre is at heart just a chill and optimistic guy. He's delivered agile infrastructure projects with some of the world's biggest banks, financial analytics and media companies, but he swears he didn't break anything. When not reviewing or writing Ansible playbooks, he can be found working shoulder-to-shoulder with his awesome clients to build better platforms the open source way.
1. Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. Recruitment process @OWASP?
● Because this system is a web application (partially)
● Because we are based (100%) on FOSS (open-source)
● Because security matters
● Because OWASP people care about security and can affect recruitment processes (hopefully) ;)
3. Recruitment
● Lots of recruitment agencies / services
● Huge number of potential candidates
● The whole team is involved in recruitment
● Candidate evaluation takes a really long time
4. SysAdmin / Operations
● He is a sysop, developer, QA and network specialist
● Also great at performance tuning
● Responsible for critical data (all data)
● Easily handles moving UPSes between racks ;)
● Understands what you’re talking to him about, any time of day / night
● Everything he does respects high security standards
● Loves playing games (do you know a sysop that doesn’t play?) ;)
5. Let’s play then
● Any idea? Not Quake / Diablo / Warcraft ;)
● pythonchallenge.com, wechall.net – CTFs are great!
● trueability.com – an event for sysops
● So maybe a CTF / challenge?
● Such a system would have to fulfill some requirements:
● Optimization of the recruitment process time
● Minimisation of the risk of rejecting a good candidate
● Draws attention as something very interesting (you like mindfscks?)
6. Let's start the ball rolling
Stage 1 – simple task. Problem: huge number of applications / candidates (>100). Target: reject unsuitable candidates (>80% rejections!)
Stage 2 – call / social engineering. Target: recognition, manipulation
Stage 3 – challenge. Global Thermonuclear War ;)
7. Stage 1 – telnet / SMTP
RFC-821/1869:
HELO/EHLO ??.....??
GPG us ur CV using http://..../gpg.asc
Lack of GPG knowledge :(
RTFM!
8. Stage 1 – telnet / SMTP
RFC-821/1869:
HELO/EHLO my.hostname
1 trap – not the server’s hostname but the client’s (90% caught)
GPG us ur CV using http://..../gpg.asc
Lack of GPG knowledge :(
RTFM!
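The Stage 1 trap from the two slides above, as an added Node.js example (not the talk's own server code): RFC 821/1869 define the HELO/EHLO argument as the client's own hostname or address literal, so a candidate who echoes the server's name fails. SERVER_NAME and the sample sessions are constructed placeholders.

```javascript
'use strict';
// Added example, not code from the talk. Grades the greeting the way the
// Stage 1 server would and drives a minimal offline SMTP dialogue around it.

const SERVER_NAME = 'recruit.example.org'; // constructed; not the real challenge host

// RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// IPv4 address literal, e.g. [192.0.2.10], also legal in HELO/EHLO.
const LITERAL_RE = /^\[(?:\d{1,3}\.){3}\d{1,3}\]$/;

// Grade one greeting line. Returns the SMTP reply and whether the trap was passed.
function checkGreeting(line, serverName = SERVER_NAME) {
  const m = /^(HELO|EHLO)\s+(\S+)\s*$/i.exec(line.trim());
  if (!m) {
    return { ok: false, reply: '501 Syntax: HELO/EHLO <your-hostname>' };
  }
  const verb = m[1].toUpperCase();
  const arg = m[2];
  // The trap: naming the server you are talking to instead of yourself.
  if (arg.toLowerCase() === serverName.toLowerCase()) {
    return { ok: false, reply: `550 ${arg} is my name, not yours - RTFM (RFC 821, HELO)` };
  }
  if (!LITERAL_RE.test(arg) && !HOSTNAME_RE.test(arg)) {
    return { ok: false, reply: `501 ${arg} is neither a hostname nor an address literal` };
  }
  // EHLO (RFC 1869) gets the multi-line capability list, HELO the plain greeting.
  const reply = verb === 'EHLO'
    ? [`250-${serverName} Hello ${arg}`, '250-SIZE 1048576', '250 8BITMIME'].join('\r\n')
    : `250 ${serverName} Hello ${arg}`;
  return { ok: true, reply, verb, clientName: arg };
}

// Drive a whole Stage 1 dialogue offline: the candidate's command lines go in,
// the server replies and a pass/fail verdict come out. Only the greeting is
// graded; the rest is a minimal RFC 821 command sequence so the exchange is real.
function runSession(clientLines, serverName = SERVER_NAME) {
  const replies = [`220 ${serverName} ESMTP Stage 1`];
  let state = 'greeting';
  let passed = false;
  for (const line of clientLines) {
    if (state === 'data') {
      // Message body: lines get no reply until the lone "." terminator.
      if (line === '.') { replies.push('250 OK: queued'); state = 'mail'; }
      continue;
    }
    const verb = line.trim().split(/\s+/)[0].toUpperCase();
    if (verb === 'QUIT') { replies.push('221 Bye'); break; }
    if (state === 'greeting') {
      const r = checkGreeting(line, serverName);
      replies.push(r.reply);
      if (r.ok) { passed = true; state = 'mail'; }
      continue;
    }
    if (state === 'mail' && verb === 'MAIL') { replies.push('250 OK'); state = 'rcpt'; }
    else if (state === 'rcpt' && verb === 'RCPT') { replies.push('250 OK'); state = 'envelope'; }
    else if (state === 'envelope' && verb === 'RCPT') { replies.push('250 OK'); }
    else if (state === 'envelope' && verb === 'DATA') {
      replies.push('354 End data with <CR><LF>.<CR><LF>'); state = 'data';
    }
    else { replies.push('503 Bad sequence of commands'); }
  }
  return { passed, replies };
}
```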
9. Stage 1 – node.js
● At the beginning – pure C server. After 3am.. Node.js (simplicity) ;)
● What’s wrong with node.js?
● http://seclists.org/bugtraq/ - 0 hits
● http://osvdb.org/ - 2 hits
● http://1337day.com/, http://www.exploit-db.com/ - 1 hit
● https://nodesecurity.io/advisories - 4 hits
● Does it mean that node.js is safe & secure?
10. Node.js – how it works?
http://magnetik.github.io/
- Event driven
- Event loop
- Callbacks
- SPA, async, REST, Json
11. Node.js - threats
● no logging
● No error handling - DoS
● No configuration – “+” or “-”?
● No filters checking user-input
● JS: function as a variable
● Evil eval(code). Server-side XSS
● setInterval(code,2), setTimeout(code,2), str = new Function(code)
● npm modules – who creates those?
15. Node.js – how can?
● Use frameworks: https://npmjs.org/ - carefully
● Npm modules are not validated! Check those: https://nodesecurity.io
● Watch module dependencies!
● must have: your own error handling & logging
● This is server – we need proper server security solutions:
● Monitoring – think how to monitor your app
● Control-groups – set limits for resources
● SELinux sandbox
16. Node.js – SELinux sandbox
● 'home_dir' and 'tmp_dir'
● App can r/w from std(in|out) + only defined FDs
● No network access
● No access to foreign processes / files
● We can easily connect sandbox with cgroups :)
● Helpful: semodule -DB (no dontaudit)
● grep XXX /var/log/audit/audit.log | audit2allow -M node.sandbox
● semodule -i node.sandbox.pp
18. Node.js – how can #2
● Freeze node.js version per project?
● Let’s read & learn:
● https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf
● http://lab.cs.ttu.ee/dl91
● https://github.com/toolness/security-adventure
● Pseudo–configuration – set limits in your code (e.g. POST size)
● try...catch ftw
● 'use strict'; – helps even with the eval case (partially)
● Bunyan / dtrace: https://npmjs.org/package/bunyan
● node.js OS? Oh and use / build node.js packages (fpm or whatever)
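Slide 11's threats (eval / new Function over user input, no error handling, no input filters, no logging) next to slide 18's remedies (a POST size limit set in code, try...catch, 'use strict', structured logging), as an added example that is not the platform's code. The function names, MAX_BODY_BYTES and the "submission" field set are constructed for this example.

```javascript
'use strict';
// Added example, not code from the talk. One Node.js handler that turns a POST
// body into an object, in the unsafe form the slides warn about and a hardened form.

const MAX_BODY_BYTES = 4096;          // pseudo-configuration: a limit set in code

// THE THREAT (slide 11): eval over a request body executes whatever the client
// sends, on the server. Kept only so the comparison below is concrete.
function parseSubmissionUnsafe(body) {
  return eval('(' + body + ')');      // "server-side XSS": client text becomes server code
}

// Shape a submission must have; any other input is rejected (input filtering).
const SCHEMA = { name: 'string', email: 'string', stage: 'number' };

// Minimal structured logger in the spirit of Bunyan: one JSON object per event,
// collected in memory so the example runs offline.
const logLines = [];
function log(level, msg, fields) {
  logLines.push(JSON.stringify({ time: new Date().toISOString(), level, msg, ...fields }));
}

// THE REMEDY (slide 18): size check before parsing (DoS), JSON.parse instead of
// eval, try/catch so one bad body cannot take the process down, explicit type
// checks per field, and a log line for every rejection.
function parseSubmission(body, limit = MAX_BODY_BYTES) {
  const size = Buffer.byteLength(body, 'utf8');
  if (size > limit) {
    log('warn', 'body too large', { size, limit });
    return { ok: false, status: 413, error: 'payload too large' };
  }
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    log('warn', 'malformed json', { size, err: err.message });
    return { ok: false, status: 400, error: 'malformed JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    log('warn', 'not an object', { size });
    return { ok: false, status: 400, error: 'expected a JSON object' };
  }
  for (const [field, type] of Object.entries(SCHEMA)) {
    if (typeof data[field] !== type) {
      log('warn', 'schema violation', { field, got: typeof data[field] });
      return { ok: false, status: 400, error: `field ${field} must be ${type}` };
    }
  }
  // Copy only the known fields: anything extra the client sent is dropped.
  const clean = {};
  for (const field of Object.keys(SCHEMA)) clean[field] = data[field];
  return { ok: true, status: 200, value: clean };
}

// Wrap a handler so an unexpected exception becomes a 500 reply plus a log entry
// instead of an uncaught exception that kills the whole event loop (slide 11: DoS).
function safely(handler) {
  return (body) => {
    try {
      return handler(body);
    } catch (err) {
      log('error', 'unhandled handler error', { err: err.message });
      return { ok: false, status: 500, error: 'internal error' };
    }
  };
}
```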
19. Stage 2 – social engineering
● The stage’s target is to verify & check the candidate’s security awareness
● Christopher Hadnagy – SE framework (2k10):
● http://www.social-engineer.org/framework/Social_Engineering_Framework
● Everyone can act as a recruiter and call anyone
● Building a network / connections on LinkedIn is very easy
● Trust (lingo, ease in some environments: research)
● The sysop knows a lot about the env – he’s a good target
● So one only has to gain the sysop’s trust and lower his carefulness
22. Stage 3 - virtualization
XEN/HVM vs KVM – performance?
23. Stage 3 - virtualization
XEN/HVM vs KVM – performance?
We had great performance issues with XEN/HVM.
The winner is „hat in the red” and its PV (but with the cgroups’ help – under heavy load KVM is not that stable)
26. Stage 3 – network security
● Separated, dedicated DMZ (VLAN?) for host
● No routing / communication from this DMZ with other segments
● Low-cost solutions?
● OpenWRT / DDWRT way || Pure Linux server
● 802.1Q – VLANs
27. Stage 3 – network security
● Network isolation on KVM host:
● Host/network bridge: L2 switch
● netfilter / nwfilter (IBM)
● By default there’s no packet isolation in the bridged network – ebtables null, no filtering
● ebtables – L2 filtering – so we gain isolation
● Or virsh nwfilter-list
● allow-arp, dhcp, dhcp-server, clean-traffic, no-arp-ip-spoofing, no-arp-mac-spoofing, no-arp-spoofing, no-ip-multicast, no-ip-spoofing, no-mac-broadcast, no-mac-spoofing, no-other-l2-traffic
● L2 filtering? /proc/sys/net/bridge
https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
http://pic.dhe.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatsecurity_pdf.pdf
28. Stage 3 –boot process, VNC
● Accessing boot process – VNC
● VNC security? SSL? Complications..
● Maybe VNC over SSH tunnel?
● Encryption
● No certificates issues
● Every admin can easily use VNC
29. Stage 3 – restricted shells
● SSH tunneling requires SSH access (thank You Captain Obvious!)
● SSH access is a threat per se
● Let’s limit this SSH / shell access – use restricted shells
Restricted shells by Google ;) =>
30. Stage 3 – restricted shells
● Restricted shells are a threat by default – unless we know how to use them!
● Under some circumstances one could escape the rshell:
https://en.wikipedia.org/wiki/Rbash
31. Stage 3 – restricted shells
● Rbash:
● CentOSie / RHEL approved / friendly / legit ;)
● Protects from directory traversal
● Prohibits access to files via direct path
● Prohibits setting PATH or other shell env variables
● No commands output redirection
● PATH=$HOME/bin – and reconsider 2x what to put into this „bin”
https://en.wikipedia.org/wiki/Rbash
32. Stage 3 – SSH tunnel / VNC
● We must go deeper!
Diagram: Candidate → VM-Proxy → VM host. Labels: screen / ssh tunnel; rshell / ibsh; rshell / rbash; VNC server
33. Stage 3 – restricted shells
● Other restricted shells:
● rssh – allows scp, sftp, rsync
● sudosh - http://sourceforge.net/projects/sudosh
● Allows saving whole user session and replay it
● One can define allowed operations for user
● A little outdated – better use sudosh3
● Ibsh (small, fast, secure): http://sourceforge.net/projects/ibsh/
34. Stage 3 – control groups
● resource management in a simple way (ulimits, nice, limits.conf).. but..
● Could you set 50 IOPS for defined process?
● What about 100Kbp/s limit for particular user?
● Issues with memory leaks in Java?
35. Stage 3 – control groups
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html
● Debian & RHEL friendly
● Running apps in cgroup context
● Setting cgroup context for process during runtime
36. Stage 3 – web application
● OpenStack?
„Couple” of complications ;) “Out of the box” – yup – I’ve heard about that ;) Could you deploy it in a few hours – securely?
38. Stage 3 – web application
Commodore OS Vision FTW!
39. Stage 3 – web application
● Apache + mod_security
● mod_security + OWASP rules
● PHP & Python :)
● Simplicity!
● VM management with simple daemon + screen:
● while(1) do: manage_VMs();
● And this just works!
40. Stage 3 – recording SSH sessions
● We have to record all sessions – also those under „screen”
● Real time recording
● sudosh3 (sudosh fork) – kinda proxy shell – great ;)
● auditd – low-level tool for recording syscalls
● Asciinema (ascii.io, Marcin Kulik) – great one, but not for audit purposes
● Ttyrec – outdated: http://0xcc.net/ttyrec/index.html.en
● Ssh logging patch - outdated: http://www.kdvelectronics.eu/ssh-logging/ssh-logging.html
41. Stage 3 – data security
● What if we lose any of the VMs...? Brrr....
● Risk assessment – what would be enough for us?
● RAID1 / Mirror – “usually” is enough for a 3-month time
● Backups – useful ;) RAID / replication are not backups...
● GlusterFS / DRBD – if you have enough resources – try it :)
Diagram: KVM active host (LVM → Gluster brick) ⇄ replication ⇄ KVM passive host (LVM → Gluster brick)