the sky is falling
play

The sky is falling Nephological tales of security woe Ben Toews - PowerPoint PPT Presentation

Aug 15, 2023 •167 likes •588 views

The sky is falling Nephological tales of security woe Ben Toews Snakeoil as a Service People are concerned about security these days - - People arent sure about the security impact of the cloud - Scared people are good customers - Lots of

  1. The sky is falling Nephological tales of security woe

  2. Ben Toews

  3. Snakeoil as a Service People are concerned about security these days - - People aren’t sure about the security impact of the cloud - Scared people are good customers - Lots of people are exploiting this fear to sell bullshit snake oil

  4. don’t panic Don’t buy snakeoil - - The cloud has a lot of security benefits

  5. tales of woe - We’ll walk through some examples of cloud security incidents and talk about what went wrong.

  6. Adobe October 2013 - - Adobe is a desktop software company. - They manage downloads through a web app. - “attackers illegally entered our network” - Wasn’t cloud related http://helpx.adobe.com/x-productkb/policy-pricing/ecc.html http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ https://github.com/blog/1698-weak-passwords-brute-forced

  7. 38 million passwords - Compromise led to 38 million stolen account passwords

  8. crypto is hard Encrypted, not hashed - - ECB Block cipher (64 bit blocks) - Password hints helped too

  9. MongoHQ October 2013 - - Internal support system account with same password as on Adobe - Adobe -> - Internal support system (w/ impersonation) -> - Customer data (passwords were bcrypted) -> - Bu ff er mongodb access -> social media auth tokens http://techcrunch.com/2013/10/29/hosting-service-mongohq-su ff ers-major-security-breach-that-explains-bu ff ers-hack-over-the-weekend/ http://arstechnica.com/security/2013/10/hack-of-mongohq-exposes-passwords-user-databases-to-intruders/ http://open.bu ff erapp.com/bu ff er-has-been-hacked-here-is-whats-going-on/

  10. GitHub November 2013 - - “Brute force” attack using Adobe passwords - Already had strong rate limiting - Rate limiting didn’t help much - 40,000 unique IP addresses - ~5 login attempts per account - Used stolen accounts to get Ripple currency

  11. account security shared passwords - - 2FA

  12. Luke Chadwick He’s just one random example - - Open source repo w/ AWS creds - >$3000 AWS bill - Thousands of AWS creds in public repos - Working with AWS to scan repos http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html

  13. Bitly May 2014 - - Link shortener - AWS key for backup database stored in source code - Employee account compromised - GitHub contacted them (they never mention GitHub) http://www.cso.com.au/article/544802/bitly_reveals_hackers_stole_secret_keys_from_hosted_code_repository/

  14. Bonsai June 2014 - - Elastic search hosting - Old AWS master key hard coded in source code - Source code leaked - Noticed and outage due to attacker deleting random stu ff - Worked with Amazon to lock things down and restore backups http://status.bonsai.io/incidents/qt70mqtjbf0s

  15. credential storage Don’t store creds in source code -

  16. Code Spaces June 2014 Code spaces was a git and subversion hosting provider. http://www.csoonline.com/article/2365062/disaster-recovery/code-spaces-forced-to-close-its-doors-after-security-incident.html http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/ http://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761 http://blog.trendmicro.com/the-code-spaces-nightmare/

  17. DDoS They noticed a DDoS attack. The attacker left a note in their AWS console asking them for money. WAIT, they left the note *in* the AWS console.

  18. AWS compromised DDoS was smokescreen. AWS account was compromised. They tried to regain controll of account. Attacker noticed. Attacker deleted everything.

  19. “will not be able to operate beyond this point” They wen’t out of business 12 hours after the incident began.

  20. account security shared passwords - - 2FA

  21. disaster recovery - I hear DR plans are good

  22. trust Trustworthy providers (not Code Spaces) - - Verify trust.

  23. Linode April 2013 - - 0day in ColdFusion - DB and webapp access - Properly encrypted credit card data - Salted/hashed passwords - Lost deploy keys for instances -

  24. credential storage They did a pretty good job -

  25. the sky is falling This isn’t just the cloud - - Alert Logic report - Incidents are still more common in on-prem

  26. ebay � 145,000,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  27. JP Morgan � Chase 76,000,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  28. Target � 70,000,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  29. Home Depot � 56,000,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  30. Living Social � 50,000,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  31. Community � Health Services 4,500,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  32. AOL � 2,400,000 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ -

  33. � How do you actually secure stu ff ? -

  34. trust You can usually trust your cloud provider - - They have people who are good at security - Don’t get cut on the bleeding edge - Use established providers - Look for security docs - Email support

  35. verify Audit your logs - - FIND AWS LOG PRODUCT

  36. ���� Account Security - - Application Security - Network/Host Security - Physical Security

  37. SaaS ���� Need to trust everything up to the application - - Strong account security - Password manager - 2FA - Least privilege - Credential storage

  38. PaaS ���� Need to trust everything up to the server - - Need to focus on appsec in addition to previous concerns (+ more creds to manage) - This is where people start putting creds in code - Static analysis - Hire appsec people - Hire consultants - Bounty program

  39. IaaS ���� Need to trust everything up to the hardware - - Host/network security in addition to previous concerns (+ more creds) - Harden the OS - Patch (not always possible - eg. Heartbleed ELB) - Firewall (metadata API) - IDS

  40. OnPrem ���� Trust no one - - Guards with Guns

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FALLING RAIN ESTATE, PHASE ONE Bamah Nissi Multilinks Limited FALLING RAIN ESTATE: A 40 hectare

FALLING RAIN ESTATE, PHASE ONE Bamah Nissi Multilinks Limited FALLING RAIN ESTATE: A 40 hectare

FALLING RAIN ESTATE, PHASE ONE Bamah Nissi Multilinks Limited FALLING RAIN ESTATE: A 40 hectare located behind (LBS) Lagos Business School, is a gated community that display a blend of natural scenery and planned architectural aesthetics. The

496 views • 7 slides
Fall Protection Falling is no joke. . . . . . According to the Bureau of Labor Statistics ,

Fall Protection Falling is no joke. . . . . . According to the Bureau of Labor Statistics ,

Fall Protection Falling is no joke. . . . . . According to the Bureau of Labor Statistics , roughly 570 fatal work injuries that occurred in 2012 resulted from workers falling to a lower level. 45% of injuries involved falls of 20 ft or less

642 views • 31 slides
Detecting Potential Falling Objects by Inferring Human Action and Natural Disturbance Bo Zheng*,

Detecting Potential Falling Objects by Inferring Human Action and Natural Disturbance Bo Zheng*,

Detecting Potential Falling Objects by Inferring Human Action and Natural Disturbance Bo Zheng*, Yibiao Zhao* (*equal contribution) Joey C. Yu, Katsushi Ikeuchi , Song-Chun Zhu Goal- understand the potential falling objects Oh, i ts

346 views • 31 slides
falling Safety Checklists Tools and Resources to preserve your independence Dot Boyd

falling Safety Checklists Tools and Resources to preserve your independence Dot Boyd

Fall Prevention Webinar Who tends to fall and why What increases your risk of falling What you can do to reduce your risk of falling Safety Checklists Tools and Resources to preserve your independence Dot Boyd Senior Safety

724 views • 29 slides
EYEWEAR THAT T EYE WEAR THAT TAKES AKES CAR ARE OF YOU E OF YOU 1 Fal Falling is a

EYEWEAR THAT T EYE WEAR THAT TAKES AKES CAR ARE OF YOU E OF YOU 1 Fal Falling is a

EYEWEAR THAT T EYE WEAR THAT TAKES AKES CAR ARE OF YOU E OF YOU 1 Fal Falling is a recognized public health problem. Not only the leading g cause of accide dental de death in pe peopl ple over 75 ver 75 years rs of age ge worl rldw

432 views • 9 slides
Ed Ellis THE SKY IS FALLING! (NO, REALLY, IT IS) The national rail network is in serious

Ed Ellis THE SKY IS FALLING! (NO, REALLY, IT IS) The national rail network is in serious

RESTRICTING SIGNALS AHEAD Ed Ellis THE SKY IS FALLING! (NO, REALLY, IT IS) The national rail network is in serious danger Railroad management has been lulled to sleep by the need to move energy Truckers are eating our lunch

404 views • 11 slides
For many of us we need to adopt a longer-term perspective and become investors not savers. While

For many of us we need to adopt a longer-term perspective and become investors not savers. While

Interest rates are falling and have been falling for many years now. Low rates present stern challenges for all of us. It makes it harder to save towards our retirement nest egg and harder to live off that nest egg in our retirement. To meet the

635 views • 44 slides
Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la laying aside fals lsehood, SPEAK TRUTH EACH ONE of you WIT ITH HIS IS NEIGHBOR, for we are members of one another. BE ANGRY, AND yet DO NOT SIN

374 views • 8 slides
Falling Short of Expectations? Stress-Testing the European Banking System Viral V. Acharya (NYU

Falling Short of Expectations? Stress-Testing the European Banking System Viral V. Acharya (NYU

Falling Short of Expectations? Stress-Testing the European Banking System Viral V. Acharya (NYU Stern, CEPR and NBER) and Sascha Steffen (ESMT) January 2014 1 Falling Short of Expectations? Stress-Testing the European Banking System

517 views • 27 slides
Falling between stools? Straddling disciplines within academia and discovering the limits of

Falling between stools? Straddling disciplines within academia and discovering the limits of

Falling between stools? Straddling disciplines within academia and discovering the limits of quantitative approaches in transdisciplinary research Dr Stephen Mackenzie Trinity College Dublin and Newcastle University Academic background pre

410 views • 20 slides
Prevention of falling objects Risk, Uncertainty, Organisation & Culture Ole

Prevention of falling objects Risk, Uncertainty, Organisation & Culture Ole

Prevention of falling objects Risk, Uncertainty, Organisation & Culture Ole Andreas Engen Professor, SEROS University of Stavanger uis.no 03.09.2013 Objectives This lecture will place organisational events, incidents and

573 views • 19 slides
The Impacts of Structural Changes, underemployment, stagnant or falling wages and less secure

The Impacts of Structural Changes, underemployment, stagnant or falling wages and less secure

The Impacts of Structural Changes, underemployment, stagnant or falling wages and less secure jobs on homelessness UNDESA EXPERT GROUP MEETING 22-24 May, 2019 UNITED NATIONS OFFICE AT NAIROBI, KENYA Ken Chamuva Sh Shawa Se Senior

519 views • 11 slides
Falling Balls Falling Balls force pushing the ball upward? force pushing the ball upward? Yes

Falling Balls Falling Balls force pushing the ball upward? force pushing the ball upward? Yes

Falling Balls 1 Falling Balls 2 Introductory Question Introductory Question Suppose I throw a ball upward into the air. Suppose I throw a ball upward into the air. After the ball leaves my hand, is there any After the ball leaves my

397 views • 4 slides
Using iPhone signals to help detect falls By: Kingsley Udoyi Background Falling is one of the

Using iPhone signals to help detect falls By: Kingsley Udoyi Background Falling is one of the

Using iPhone signals to help detect falls By: Kingsley Udoyi Background Falling is one of the major health related threats to the elderly today. A lot of fall detection methods either require specialized hardware or invades peoples

407 views • 9 slides
Falling B Behind nd : Addressing Wisconsins Workforce Housing Shortage to Strengthen

Falling B Behind nd : Addressing Wisconsins Workforce Housing Shortage to Strengthen

Falling B Behind nd : Addressing Wisconsins Workforce Housing Shortage to Strengthen Families, Communities and Our Economy Kurt Paulsen, July 2019 The opinions expressed herein do not necessarily constitute the opinions of the City of

772 views • 31 slides
The future of some Bianchi A spacetimes with an ensemble of free falling particles Ernesto

The future of some Bianchi A spacetimes with an ensemble of free falling particles Ernesto

The future of some Bianchi A spacetimes with an ensemble of free falling particles Ernesto Nungesser AEI, Golm Southampton, April 4 2012 Overview Motivation Previous important results What is a Bianchi spacetime? What is the Vlasov

717 views • 22 slides
M-SRBT Minuteman Linear Rail Assembly Preassembled Shaft, Rail, and Matched Centerline1. LM76SL

M-SRBT Minuteman Linear Rail Assembly Preassembled Shaft, Rail, and Matched Centerline1. LM76SL

M-SRBT Minuteman Linear Rail Assembly Preassembled Shaft, Rail, and Matched Centerline1. LM76SL Linear Bearing(s) PART NUMBER DIMENSIONS LINEAR GUIDE BAR E T F T SERIES SIZE LENGTH SST A B C D BEARING DIAMETER M - SRB ? - 08 -

325 views • 18 slides
Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of

Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of

Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of Life and Death 1 Come, let us Come, let us Come, let us Come, let us sing for joy to the LORD; let us shout

680 views • 30 slides
Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations

Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations

Status of the Lessons Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations April 23, 2013 Agenda Overview Mike Johnson Status Update Mike Johnson Orders Dave Skeen Requests for

345 views • 20 slides
Engineering Culture Secret Sauce of Great Software Great Software process model Great

Engineering Culture Secret Sauce of Great Software Great Software process model Great

Engineering Culture Secret Sauce of Great Software Great Software process model Great Software language framework technology Great Software tools Great Software trends Great Software 4 Great Software Overlooked Deep impact

993 views • 53 slides
Dynamic graphical models for security and safety joint modeling July 12 th 2015 GraMSec Workshop,

Dynamic graphical models for security and safety joint modeling July 12 th 2015 GraMSec Workshop,

Dynamic graphical models for security and safety joint modeling July 12 th 2015 GraMSec Workshop, Verona Marc Bouissou 1,2 Siwar Kriaa 1,2 Ludovic Pitre-Cambacds 1 1 EDF R&D, 2 cole Centrale Paris Context: pervasive computing Rail

784 views • 74 slides
Pondering and Patrolling Perimeter Defenses Bill Cheswick ches@lumeta.com http://www.lumeta.com

Pondering and Patrolling Perimeter Defenses Bill Cheswick ches@lumeta.com http://www.lumeta.com

Pondering and Patrolling Perimeter Defenses Bill Cheswick ches@lumeta.com http://www.lumeta.com 16 June 2005 Pondering Perimeters: DOE 1 of 105 Brief personal history Started at Bell Labs in December 1987 Immediately took over

1.21k views • 105 slides
MA111: Contemporary mathematics Turn the entrance quiz in as usual on an 3x5 index card. The

MA111: Contemporary mathematics Turn the entrance quiz in as usual on an 3x5 index card. The

MA111: Contemporary mathematics Turn the entrance quiz in as usual on an 3x5 index card. The question is on the worksheet: How long does this take? Name Duration Need to finish these first M: Make the pasta 34 minutes (P) Put out the pots

245 views • 3 slides

More recommend