the bad things happen when you’re not looking – ryan huber – qcon

See the live blog table of contents. Gist is posted at https://goo.gl/ZAxCnH (github login required)

Ryan was the first security employee at Slack. He is doing an experiment where red slides means don’t take pictures or tweet about the slide. I really like that idea. It makes speaker intent clear.

How find out about a problem

  • Don’t want to find out from Brian Krebs that you’ve been breached
  • Don’t want hackers to tell you something strange is going on. They are done at that point and are showing off
  • Even worse – don’t notice

General Notes

  • Time to detect is important metric
  • Credential theft is biggest/one of the biggest
  • Goal – watch as many things as possible, but don’t be a dashboard. Want as little as possible on the dashboard. If it is mostly empty, things will get noticed when they are there.
  • Bad model – NetCool – train people to acknowledge all alerts and they miss things because bad habit
  • The defender’s advantage – if the attackers don’t know what you are looking for/trip wire, they dont know what to avoid
  • “Zero days are not invisibility cloaks” – other boxes can pick up on it
  • The hypothetcial malicious insider – a former security team member has a lot of knowledge. And an insider with credentials has access
  • Don’t overwhelm users. Confirm bulk actions in bulk not one at a time.
  • Canaries – need to validate monitoring, recording, etc.
  • Do table top red team exercises if not doing real ones.

Slack Security

  • Setup reliable logging platform
    • RELP (reliable event logging protocol)
    • steamstash/logstash -> Elastic search (Splunk is superior but costs more)
    • Two weeks of data is about 2 terrabytes of logged data. Almost never sits on disk
  • auditd – part of Linux. Run auditctl commands and kernel looks for matching events.
  • audisp – works with auditd to transform data
  • osquery – Facebook project for system monitoring using SQL
  • ElastAlert – yelp project to pick up on ElasticSearch events. Does queries on a timer against Elastic Search.
  • AlertCenter – have SecurityBot looking at alerts. Security bot posts to Slack asking user to type “acknowledge” on phone to confirm action. That way, know have phone and not just Slack account. If no reply in X hours, goes to Pagerduty. Automated triage to avoid flood of data. Instead of security team looking at all alerts, whole company is helping. This means the security team responds to less than 5 alerts a day.

Rules

  • Listeners – specific events
  • Time awake – nobody is awake for 24 hours. Trigger an alert when this happens
  • GeoIP – Doesn’t work perfectly. T-Mobile has feature that can travel abroad without paying roaming. This works by routing some traffic through Texas so your location keeps jumping between Texas and aboard
  • IPs – less unique IPs than you’d think. Worth looking at when user comes from new IP.

security war stories – shuman ghosemajumder – qcon

For my other blog posts on QCon, see the live blog table of contents. Shuman is from ShapeSecurity and used to be the “Click Fraud Czar” at Google – which protects AdWords from malicious users.

  • “Computer security is like broccoli. You know you should have it but would rather have chocolate”
  • “My objective today is not to scare you, but it doesn’t necessarily hurt”
  • “If I were legally responsible for the security of the software I wrote, I would quit my job immediately … and probably move to a non-extredition country” – anon at QCon

How make completely secure

  1. Get rid of business model
  2. Don’t connect to internet

Security is relative – really about tradeoffs

History

  • 1903 – Marconi showing telegraph at Royal Institution. Tapping didn’t sound right to his assistant’s assistant. A magician (Nevil Maskelyne) was tapping “rats” in morse code. Then changed to “There was a young fellow if Italy who diddled the public quite prettily.” Marconi claimed nobody could interfere – don’t promise what you can’t deliver! And an early white hat hacker to identify that.
  • 1939 – Bletchley Park – crack Enigma during World War II
  • 1957 – Joe Engressia learned if one whistles at a certain frequency, can get free long distance calls. In 60’s and 70’s if couldn’t whistle at 2600 hertz, produced blue box to hack this.
  • 1968 – Morris worm – one of first worms
  • 1992 – First polymorphic virus – constantly changes as infect each new machine so anti-virsu looking for standard signature can’t see it
  • 1994 – First kit for script kiddies. Didn’t need to be very skilled to attack.
  • 2002 – Bill Gates finally made security a top priority at Microsoft

Present

  • Don’t even have to go back 24 hours to find a data breach.
  • Mark Zuckerberg’s bad password
  • Credential stuffing – relatively new type of attack with multiple specialists. Has multiple parts.
    • Attackers usually have .1%-2% success rate in finding password reuse.  (using one stolen password on another site)
    • If steal a million stolen passwords, can quickly take over 10K accounts without anyone knowing.
    • Invisible – don’t know account is hacked.
    • Using botnet so target site can’t detect pattern of bad attempts either. Looks like a popular day on your website and not a hacking attempt
    • Over 500 million leaked passwords on dark net. So starting with known good passwords
    • Good – Netflix reset passwords based on ANOTHER company’s breach
    • Sentry MDA has credentials stuffing tool. Raw materials: credentials that are out there, IP addresses in proxy list and even help to get past captchas. Third party system for getting passed captchas as well mixing OCR (computers doing it) and mturk (humans doing it in developing countries)
    • Organic traffic has pattern/cycles throughout day. Inorganic traffic has different shape. Can see normal shape if look at graph without login URLs.
    • Botnets are distributed globally so can’t block IP by region.
    • Other things like monitoring also produces a spike.
    • Every website has a tiny bit of attacks. These crawlers are just the background radiation of the internet. This is an opportunistic probe. A bigger attacher has a profit motive so will stop or re-tool. The idea is to make is as expensive as possible for the attacker.

Future

  • Because the present isn’t scary enough, the future is scarier
  • Attack surface is related to complexity
  • “Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can” – Jamie Zawinski.
  • Weak AI is already here. (ex: AIs representing users) Strong AI is much further out.
  • Sci fi: Black Mirror. Device records everything and you can replay it on demand. Privacy and security implications. Imagine if this data could be changed or published.
  • New attack surfaces:
    • autonomous vehicles
    • always on IoT devices like Amazon Echo could do surveillance
    • Apple Home – can unlock your home doors. Can turn on your lights/stereo at night randomly like horror movie. Someone could have a heard attack because think house is possessed
  • New technology creates new attacks
    • Audio/video fidelity – could steal fingerprints from far away or record every conversation from far away
    • Battery life – run surveillance device for weeks
    • CPU power – defeat encryption
  • New attacks create unforeseen consequences – now we have to take off shoes before flying

What can we do?

  • Pareto Principle – focus on where get most benefit
  • Cybercriminals innovate. So do security services/standards/platforms

irs’ IPPIN problems

Krebs reported that the IRS suspended online lookup of your six digit IPPIN. I agree that was the least secure part of the process and earlier in the month wrote:

Next, I had to answer four questions to confirm my identity. Two had an answer of “n/a” just like the annual credit report system. I don’t think this is overly difficult for the bad guys to get past nor does Krebbs. In fact, the best way to protect yourself against this is to sign up so your identity already has an account and nobody else can sign up for you.

This problem was avoidable though. The IRS should have required people to register for an online account or at least supplying an email when signing up for the mailed PIN in the first place. That way they know who the account is supposed to belong to.

After all, someone would get a message that the account was already created if someone tried to steal my IPPIN. (Don’t bother, I’ve already submitted my taxes.)

The IRS said they will be using a different system next year. Curious to see what they do given you can’t opt out of IPPIN!