Operations security (OPSEC) in IT

Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it says what to do to protect your servers, developers, information, and other resources. Targeting developers, a new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.

Published in: Internet
Operations security (OPSEC) in IT

  1. Michal Špaček, @spazef0rze, www.michalspacek.cz (with added speaker notes)
  2. Protecting information from unfriendly eyes. Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it says what to do to protect your servers, developers, information, and other resources. Targeting developers, a new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.
  3. Firefox had quite a critical security issue in summer 2015. Its internal PDF viewer allowed JavaScript coming from the Internet to be executed with local privileges, bypassing the same-origin policy.
  4. Slide: Subversion, FTP clients, .bash_history, .mysql_history, .pgsql_history, .ssh, *pass*, *access*. Notes: An exploit for this vulnerability was found in the wild before a patched version of Firefox was available. The exploit was distributed via an advertising platform and was targeting developers. It looked for Subversion credentials and config files for several popular FTP clients on Windows. Additionally, on Linux and OSX it looked for the usual suspects and some more, like files with names containing the strings pass and access. The exploit uploaded these files to a remote machine, basically stealing credentials and more. After patching the vulnerability, Mozilla recommended changing all your passwords and keys.
  5. Slide: Bugzilla: a security issue. Notes: The fix was available the very next day after the exploit was found. How come it was fixed so fast? Mozilla actually knew about this vulnerability and had a bug filed in their bug tracking system called Bugzilla. This issue was not public for obvious reasons. Firefox devs had access, of course. Mozilla believes that somebody stole the info from Bugzilla and used it to build the exploit.
  6. Slide: Bugzilla: a security issue; password; George, developer. Notes: Stealing such critical info, how? This Firefox developer, let's call him George, used one of his passwords to log in to Bugzilla to see this bug he had access to.
  7. Slide: Bugzilla: a security issue; password; Other website; password; George, developer. Notes: But George was stupid and re-used his Bugzilla password on some other website. This other website got hacked, somebody found George's password and used it to access Bugzilla and that secret security bug report regarding the PDF viewer vulnerability.
  8. Yes, George has failed miserably! Due to his mistake all the Firefox users have been fucked up. Don't be like George and don't reuse your passwords. Use strong unique passwords everywhere, and I mean it. You have access to interesting systems and servers and you don't want them hacked because it might affect a lot of your users.
  9. Meet Xcode, a suite of tools for developing software for iOS and OSX. In September 2015, somebody distributed modified copies of Xcode to Chinese developers, and these modified copies produced apps which were hacked. These hacked apps were then distributed to regular users from the app store. In China, it takes a while to download the real Xcode, so devs were happy to download it from another, faster location, but of course they didn't know it was a modified copy producing hacked apps.
  10. Slide: Password manager. Notes: Bad guys are targeting developers because they have access to juicy systems. Attacks similar to the Xcode "hack" and the Firefox issue will be more and more common. So here's the first step for you to be better at OPSEC: don't reuse passwords.
  11. Slide: Disable Flash and Java. Notes: Step 2: disable Flash Player and Java in your browsers, or even uninstall them completely. If you have Chrome, don't forget to disable the bundled Flash plugin, too. If you need Flash or Java in your browser, use a virtual machine and after watching your fav X-rated movie just reset it to the previous state, or drop it.
  12. Slide: Set click-to-play. Notes: Step 3: set (right-)click-to-play for plugins in your browser. Don't use any extensions for that as they are easy to bypass. Use a browser setting.
  13. Slide: Block ads. Notes: Step 4: use an ad-blocker. As Douglas Crockford once said, "The most reliable, cost effective method to inject evil code is to buy an ad."
  14. And remember, we're developers (developers, developers, developers, hi Steve!), we have access to interesting systems which might be somehow useful for attackers. Protect yourself, your users, and your company, too. @spazef0rze www.michalspacek.cz
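Slide 4 lists what the malicious PDF went after on a developer's machine, and slide 4 ends with Mozilla's advice to rotate every password and key. The following script is an added example, not code from the talk or from Mozilla: it audits a home directory for the kinds of files named on that slide (shell and database histories, ~/.ssh, the Subversion auth cache, FTP client configs, anything whose name contains "pass" or "access") and reports whether other local users can read them, so the owner knows what to rotate, delete or lock down. The name patterns are an assumption modelled on the slide's list, not the exploit's real target list; `build_demo_home()` creates a constructed sample tree with fake contents so the audit can be run offline.

```python
"""Credential-file hygiene audit: an added example, not code from the talk."""
import fnmatch
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Shell/database history files. psql's real file is .psql_history; the slide's
# spelling .pgsql_history is kept as well so both are flagged.
HISTORY_NAMES = {".bash_history", ".mysql_history", ".pgsql_history", ".psql_history"}
# Directories that hold private keys or cached credentials.
SECRET_DIRS = {".ssh", ".subversion"}
# FileZilla config file names; other clients' names would go here (assumption).
FTP_CONFIGS = {"sitemanager.xml", "recentservers.xml", "filezilla.xml"}
# The slide's "files with names containing pass and access".
NAME_GLOBS = ("*pass*", "*access*")


def classify(rel_path: str) -> Optional[str]:
    """Map a path relative to the home directory to a finding kind, or None."""
    parts = Path(rel_path).parts
    name = parts[-1].lower()
    if name in HISTORY_NAMES:
        return "history"
    if any(d in SECRET_DIRS for d in parts[:-1]):
        return "key-or-auth-cache"
    if name in FTP_CONFIGS:
        return "ftp-config"
    if any(fnmatch.fnmatch(name, g) for g in NAME_GLOBS):
        return "name-suggests-secret"
    return None


def audit_home(home: str) -> List[Dict]:
    """Return one finding per matching regular file under `home`, sorted by path.

    Only metadata is read; file contents are never opened.
    """
    root = Path(home)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        kind = classify(rel)
        if kind is None:
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": rel,
            "kind": kind,
            # group- or world-readable: a private key other users can read is
            # worse than one only its owner can read
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_home() -> str:
    """Create a constructed sample home directory (fake contents) for a dry run."""
    home = tempfile.mkdtemp(prefix="opsec-demo-")
    sample = {
        ".bash_history": "mysql -u root -pNotARealPassword\n",
        ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
        ".subversion/auth/svn.simple/0123abcd": "K 8\npassword\n",
        "AppData/FileZilla/sitemanager.xml": "<FileZilla3/>\n",
        "Documents/passwords.txt": "not a real list\n",
        "Documents/notes.txt": "nothing secret here\n",
    }
    for rel, body in sample.items():
        target = Path(home, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    os.chmod(Path(home, ".ssh/id_rsa"), 0o600)
    os.chmod(Path(home, "Documents/passwords.txt"), 0o644)
    return home


if __name__ == "__main__":
    for finding in audit_home(build_demo_home()):
        flag = "READABLE BY OTHERS" if finding["readable_by_others"] else "owner only"
        print(f"{finding['kind']:22} {flag:18} {finding['path']}")
```

Run it against a real home directory with `audit_home(os.path.expanduser("~"))`; every line it prints is a file that would have been worth stealing in the incident above, and therefore a credential or key to rotate if the machine was ever exposed.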

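Slides 6 to 10 turn on one mistake: George used the same password on Bugzilla and on an unrelated site. The check a password manager performs to catch that is small enough to show in full. The block below is an added example, not code from the talk or from any password manager: it groups a vault's entries by the password they share, flags every password that protects more than one site, and replaces the reused ones with freshly generated unique passwords. The vault is constructed sample data with made-up passwords; the site names are placeholders.

```python
"""Password-reuse audit: an added example, not code from the talk."""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed sample vault (site -> password). Two passwords are reused,
# one of them on Bugzilla, which is George's situation from the slides.
VAULT = {
    "bugzilla.mozilla.org": "correct horse battery staple",
    "some-forum.example": "correct horse battery staple",
    "github.com": "Tr0ub4dor&3",
    "bank.example": "Tr0ub4dor&3",
    "mail.example": "8Kq!zP2m#vL9wR4x",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash: equal passwords give equal fingerprints under one key,
    and the report can be kept without keeping the plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    key = secrets.token_bytes(32)  # fresh per audit, never stored
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[fingerprint(password, key)].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def generate_password(length: int = 24) -> str:
    """A random password as a manager would generate it: CSPRNG via `secrets`,
    not the `random` module."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def remediate(vault: Dict[str, str], reuse: Dict[str, List[str]]) -> Dict[str, str]:
    """Copy the vault, giving every site in a reuse group its own new password."""
    fixed = dict(vault)
    for sites in reuse.values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


if __name__ == "__main__":
    reuse = find_reuse(VAULT)
    for sites in reuse.values():
        print("same password on:", ", ".join(sites))
    fixed = remediate(VAULT, reuse)
    print("reuse after remediation:", find_reuse(fixed))
```

The point of the keyed hash is that the audit never needs to line plaintext passwords up side by side; a single throw-away HMAC key makes equal passwords comparable for the duration of one run and nothing else.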