The document discusses how "best practices" and security measures are often misapplied and can do more harm than good if not properly tailored to the specific environment. It provides numerous examples of security practices that have been implemented mindlessly without considering their actual effectiveness or impact on usability and productivity. The overall message is that a thoughtful, risk-based approach is needed rather than blindly following rules or checking boxes to obtain compliance.
2. Warning
<RANT>
Image: Caution, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from zippy's photostream
30 July 2010

3. Why
Not all best practices seem to make us more secure.
Often overlooked: "when applied to a particular condition or circumstance."

4. Who am I?
Frank Breedijk
Security Engineer at Schuberg Philis
Author of Seccubus
Blogging for CupFighter.net
Email: fbreedijk@schubergphilis.com
Twitter: @seccubus
Blog: http://www.cupfighter.net
Project: http://www.seccubus.com
Company: http://www.schubergphilis.com

5. The burden of administration
Adding more security to a system often means more administration and bureaucracy.
It often also means less time to do actual system administration.
Image: Bureaucracy illustration, a Creative Commons Attribution Share-Alike (2.0) image from kongharald's photostream

6. Firewalls from two different vendors
Reasoning: if one vendor has a serious flaw, there will not be a total compromise.
Reality:
Firewall bypass bugs are rare
Two rule bases
Two different technologies
Most likely the outside firewall will pass anything NAT-ed behind the inside firewall
Most firewall brands use the same IP stack anyway
Image from: http://searchnetworking.techtarget.com.au/articles/16554-Choosing-the-right-firewall-topology?topic_id=891

7. It's like two locks on a bicycle
Most bicycle thieves in Amsterdam only know how to quickly open one type of lock
Image: safe safer safest, a Creative Commons Attribution (2.0) image from 20918261@N00's photostream

8. But just two locks isn't enough
Like every technology, you need to know how to apply it to benefit from it.
Image: history of missing circles, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from camil_t's photostream

9. Is complexity bad?
There are about 25,000 parts in a commercial jet engine.
In order to make a working jet engine you need at most 1,000 parts.
Image: conjoined twin roundabouts, a Creative Commons Attribution Non-Commercial (2.0) image from duncan's photostream

10. Is complexity bad?
Complexity can also aid security
It should never be the basis of your security
Never underestimate the power of security by obscurity
Obscurity can defeat plausible deniability
Encryption is a classical example of security by obscurity
Image: Maze Lock Guarantees You'll Perish In A Fire, a Creative Commons Attribution Share-Alike (2.0) image from billypalooza's photostream

12. Encryption is not a silver bullet
Many attacks:
Key theft
Brute force
Social engineering
End point compromise
Man-in-the-browser attack
Man-in-the-middle attack
Downgrade attack
Rubber hose cryptanalysis
Side channel attack
Cache timing attack
Replay attacks
Image: silver bullet, a Creative Commons Attribution Share-Alike (2.0) image from eschipul's photostream

13. If a security measure is too hard it will more likely hurt
Password requirement                Likely password
7 characters                        welcome
1 capital                           Welcome
1 numeral                           W3lc0m3
1 special                           W3lc0m3!
10 characters                       W3lc0m3!!!
30 days max, cannot use last 12     Welcome01!
The predictability of human behavior can aid in password cracking attempts.
See the work of Matt Weir: "Using Probabilistic Techniques to Aid in Password Cracking Attacks", http://tinyurl.com/RTHpasswd
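An added example (not from the slides) of why composition rules alone say little about strength: it implements the policy from slide 13 (10 characters, a capital, a numeral, a special) next to a check that undoes leetspeak and short suffixes and looks for a base word. The policy thresholds, the leet map and the small base-word list are assumptions constructed for this example.

```python
import re

# Composition rules as on the slide; thresholds are an assumption for this example.
POLICY = {"min_length": 10, "capital": True, "numeral": True, "special": True}

# Common leet substitutions (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Tiny constructed denylist; a real check would use a large wordlist.
COMMON_BASES = {"welcome", "password", "summer", "company", "admin"}
MAX_SUFFIX = 4  # how many trailing digits/symbols ("01!", "!!!") to peel off


def meets_policy(pw, policy=POLICY):
    """True if pw satisfies every composition rule in the policy."""
    checks = [len(pw) >= policy["min_length"]]
    if policy["capital"]:
        checks.append(any(c.isupper() for c in pw))
    if policy["numeral"]:
        checks.append(any(c.isdigit() for c in pw))
    if policy["special"]:
        checks.append(any(not c.isalnum() for c in pw))
    return all(checks)


def predictable_base(pw):
    """Return the base word hidden behind leet substitutions and a short
    numeric/symbol suffix, or None if no listed base word is found."""
    lowered = pw.lower()
    for k in range(0, MAX_SUFFIX + 1):
        core = lowered[:len(lowered) - k] if k else lowered
        if not core:
            break
        # Undo leet, then drop anything that is still not a letter.
        candidate = re.sub(r"[^a-z]", "", core.translate(LEET))
        if candidate in COMMON_BASES:
            return candidate
    return None


def assess(pw):
    """A password is only acceptable if it passes the composition rules
    AND is not a mangled dictionary word."""
    base = predictable_base(pw)
    return {"meets_policy": meets_policy(pw), "base_word": base,
            "acceptable": meets_policy(pw) and base is None}


if __name__ == "__main__":
    for pw in ["welcome", "W3lc0m3!", "W3lc0m3!!!", "Welcome01!", "kQ7#vLz2!pXe"]:
        print(pw, assess(pw))
```

Every "likely password" from the slide that reaches 10 characters passes the composition rules, yet all of them normalise back to "welcome".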
14. Security making life too hard
You cannot paste a password into an RDP login box
Consequences:
I set up a really hard administrator password
I put it in the password vault
I now have to type 15 random characters to gain access
I may start to remember this password
I may start to use weaker passwords
Maybe I will write the password down

15. Don't turn system administration into an obstacle race
If your only users are system administrators, why would you:
Make home directories 600
Make root's home directory 100
Restrict access to /var/log
Etc.
Image: lubbock_track_regionals_2010147, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from jduty's photostream

16. There is strength in numbers
Limit the number of system administrators
Image by Frank Breedijk

17. Does this consider the level of the system administrators?
Or are all animals equal?
Images by Frank Breedijk

18. What is the right number of administrators?
(Slide shows a cloud of assorted numbers.)

19. Please don't force me to
It would be easy
The auditors would be happy
I could do my job
It would be so wrong!
Image: Being John Malkovich movie poster

20. What's the solution?
Know your administrators
Set clear rules
Make it obvious when rules are about to be broken
Monitor
Use system logging
Log changes
Log in multiple places
Keep your admins happy
Peer review
Image: Perita, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from ournew's photostream

21. Limit remote access
"Permission for remote access to **** must be strictly limited to those specific employees who have a strong business need for the access."
Why?
Stop data leaving the premises?
Reduce risk of duress?
Keep an eye on your actions?
That warm and fuzzy feeling?
Image: Threads 140.365, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from stephangeyer's photostream

22. Can you really stop data leaks?
People will try to work from home anyway
CD-R, USB, MicroSD, smartphone, PDA, portable hard disk, printout, or simply mail it home
Image: Memories, PenDrives...., a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from kikiprinci's photostream

23. Duress
If you are working from home, they can make you do stuff at gunpoint
Image: South Beach Sisters, a Creative Commons Attribution Non-Commercial (2.0) image from adwriter's photostream

24. Keeping an eye on you
How would you make sure that the person watching me understands what I'm doing?
Would it be impossible to backdoor a system while somebody is watching you?
What is the chance an administrator backdoors a system just so he can do his job?
Image: Photo-A-Day #982f 12/16/07, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from abennett96's photostream

25. Teleworking has advantages
Remote system administration = faster response time + more dedicated staff + better uptime + better maintained systems = better security
Image: Old Modem Front, a Creative Commons Attribution (2.0) image from rexroof's photostream
26. Remove all identifying banners
O.K., disclosing exact versions is bad.
But what about just displaying the products:
Apache
X-powered-by: ASP.NET
OpenSSH
Won't they just try all?

27. What about warning banners?
You must annoy users and administrators by displaying a large annoying legal banner prior to login.
And it tells me it's an interesting system, and who owns it, even before I have logged in.

28. Ping
A lot of systems on the internet cannot be pinged anymore
Great:
I know the system's IP
I know it's not working
I cannot ping it
I can still do a tcptraceroute
Why?
Image: pong undead!!!, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from astio's photostream

29. Firewall log monitoring
You must monitor your firewall traffic logs
Why?
If it was passed by the firewall, it was allowed in the first place
If it got rejected, it got rejected, why worry about it?
There is no evil bit (except in RFC 3514)
Image: EVIL, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from krazydad's photostream

31. Single sign-on
It is bad because one credential will give you access to everything
What is the alternative? Passwords.xls?

32. Don't take away my tools
Remove development tools
Removing telnet (client)
Taking SUID from ping
Remove security tools
Ping?
Traceroute?
OpenSSL?
Image: 105. 283, a Creative Commons Attribution Non-Commercial (2.0) image from pwn's photostream

33. No access to social media
URL filtering:
Twitter, Facebook, Craigslist, WordPress
Webmail, Hotmail, GMail
YouTube, Break.com, Failblog
Google Cache
I'm so glad I have UMTS
Image: a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from _brilho-de-conta's photostream

34. Intrusion Detection System (IDS)
Proving the Internet is evil
Protecting the network by blacklisting all evil
IDS/IPS is not all bad:
It is very good for detecting anomalies

35. Using your cell phone in datacenters
Why?
Image: Thanks Dan, your gifts from Shanghai are always a treat, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from joepemberton's photostream

36. Interference has happened
Image: Strowger, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from pritch's photostream
Image taken from www.muscom.nl

37. It's because of the cameras
Image: Don't Mind If I Do, a Creative Commons Attribution Non-Commercial (2.0) image from jeremybrooks's photostream

38. Let's get serious
Image: Taken with Frank Breedijk's BlackBerry at DefCon 17
</RANT>

39. Compliance
Compliance (e.g. PCI compliance) puts a business driver into security
If you implement these security measures you will get a discount:
Firewalls
IDS
Regular vulnerability scans
Physical security
Expect a business decision
Image: The Lure Of Gold, a Creative Commons Attribution Share-Alike (2.0) image from bogenfreund's photostream

40. If all you've got is a hammer
Everything looks like a nail
Consider what you need to secure before you decide how to
Image: Glass smash with liquid, a Creative Commons Attribution Non-Commercial (2.0) image from whisperwolf's photostream

41. Do not disengage your brain
Image: homer's minibrain, a Creative Commons Attribution Share-Alike (2.0) image from mabi's photostream

43. Questions??
Image: "1 more minute?" Richie Hawtin asks Rocco // Awakenings Festival 2007, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from merlijnhoek's photostream

44. Feedback...
Please send/tell me your examples of non-security through stupidity
Email: fbreedijk@schubergphilis.com
Twitter: @seccubus
Blog: http://cupfighter.net
Project: http://seccubus.com
Company: http://schubergphilis.com