Operations security (OPSEC)


DESCRIPTION

Operations security (OPSEC) presentation given at the Bangkok Python meetup. The presentation covers device encryption, two-factor authentication, SSH, preventing brute force attacks and ensuring the integrity of your infrastructure.


OPSEC - operations security

Mikko Ohtamaa ThaiPy / Bangkok / Nov 2014

opensourcehacker.com

moo9000

Agenda

Team security

User security

Infrastructure security

Person-to-person Bitcoin exchange

Bitcoin users are high value targets

Team security

Physical access (display sleep + password)

Encrypt devices (computers AND phones)

Two-factor authentication on email inbox

Two-factor authentication on site admin

Two-factor SSH

Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ

"Cyber hygiene"

Password management (KeePassX)

SSH keys (automatically unlocked on your computer login)

http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/

User security

Passwords are dead

Password stealing attacks by keylogging and file-system reading malware

Strong password gives only limited additional protection

Throttle login attempts with CAPTCHA

Threshold logins per IP (leaked credentials black market)

Threshold per username (spearhead brute force)

Threshold all logins per minute (botnet attack)

recaptcha.net - https://github.com/praekelt/django-recaptcha

http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and-mitigating-botnet-driven-login-attacks/
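The three thresholds above, worked as an added example that is not part of the slides or of the linked Redis post: a sliding-window counter keyed per IP, per username and globally, and a decision function that tells the login view whether to demand a CAPTCHA. The threshold numbers, the in-memory counter (the post uses Redis) and the sample IP addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed policy values; the slides name the three thresholds but give no numbers.
WINDOW_SECONDS = 60
MAX_FAILURES_PER_IP = 5          # one source trying a leaked credential list
MAX_FAILURES_PER_USERNAME = 10   # targeted ("spearhead") brute force on one account
MAX_FAILURES_GLOBAL = 100        # botnet spreading attempts over many IPs and accounts


class RollingCounter:
    """Sliding time-window counter kept in memory.

    A Redis-backed rolling counter (as in the linked post) would replace this in
    production; the interface is the same: add an event, count events in the window.
    """

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def add(self, key: str, now: float) -> None:
        self._events[key].append(now)

    def count(self, key: str, now: float) -> int:
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)


class LoginThrottle:
    """Decide whether a login attempt must first solve a CAPTCHA."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.by_ip = RollingCounter(window)
        self.by_user = RollingCounter(window)
        self.everyone = RollingCounter(window)

    def needs_captcha(self, ip: str, username: str, now: float) -> bool:
        return (
            self.by_ip.count(ip, now) >= MAX_FAILURES_PER_IP
            or self.by_user.count(username, now) >= MAX_FAILURES_PER_USERNAME
            or self.everyone.count("all", now) >= MAX_FAILURES_GLOBAL
        )

    def record_failure(self, ip: str, username: str, now: float) -> None:
        # Only failed attempts are counted, so successful logins never trip the limits.
        self.by_ip.add(ip, now)
        self.by_user.add(username, now)
        self.everyone.add("all", now)


def simulate() -> dict:
    """Exercise the three thresholds with constructed traffic; returns the decisions."""
    t = LoginThrottle()
    base = 1_700_000_000.0  # arbitrary epoch seconds
    clean = t.needs_captcha("198.51.100.7", "alice", base)

    # One IP trying a leaked list against many accounts -> per-IP threshold trips.
    for i in range(MAX_FAILURES_PER_IP):
        t.record_failure("198.51.100.7", f"victim{i}", base + i)
    per_ip = t.needs_captcha("198.51.100.7", "someone-else", base + 10)
    # The same IP after the window has passed is clean again.
    per_ip_expired = t.needs_captcha("198.51.100.7", "someone-else", base + WINDOW_SECONDS + 11)

    # Many IPs attacking one account -> per-username threshold trips.
    for i in range(MAX_FAILURES_PER_USERNAME):
        t.record_failure(f"203.0.113.{i}", "alice", base + 20)
    per_user = t.needs_captcha("192.0.2.1", "alice", base + 25)

    # A botnet spreading attempts thinly -> only the global threshold catches it.
    for i in range(MAX_FAILURES_GLOBAL):
        t.record_failure(f"10.0.{i // 256}.{i % 256}", f"random{i}", base + 30)
    everyone = t.needs_captcha("192.0.2.2", "bob", base + 35)

    return {"clean": clean, "per_ip": per_ip, "per_ip_expired": per_ip_expired,
            "per_user": per_user, "global": everyone}
```

The global counter is the one that matters against a botnet: each bot stays under the per-IP limit and each target under the per-username limit, so only the site-wide failure rate reveals the attack, and turning on CAPTCHA for everyone for a minute is the cheap response.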

Two-factor authentication for your users

Lack of two-factor

scenario: US 0.90% scenario: Great-Britain 0.90%

scenario: Australia 7.58%

www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

Time-Based One-Time Password Algorithm

TOTP, a.k.a. Google Authenticator, RFC 6238

Google provides an app for Android and iOS; it does not require a Google account

Other OSS implementations

HMAC-Based One-Time Password Algorithm

HOTP, RFC 4226, a.k.a. paper codes, one-time pad

Common in Nordic internet banking, unheard of in many countries

SMS

Yubikey

Calculators and other hardware tokens

As a service: authy.org

twofactorauth.org

For Django: https://github.com/miohtama/django-twofactor

Third factor

Users lose their credentials

Recycled passwords (black market)

Phishing (Google AdWords attack)

Stolen two-factor codes

Third factor parameters

Unknown web browser (identified by cookie)

The country of the IP address

The reputation of the IP address (botnet, Tor, VPS)

IP address whitelist

Confirm by email or by SMS “is it really you”
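The third-factor parameters listed above combined into one step-up decision, as an added example that is not from the slides: a login that has already passed the password and two-factor checks is allowed, sent to an "is it really you" confirmation, or refused, based on the device cookie, the IP's country, its reputation and the user's whitelist. The per-user state, the reputation tags, the rule that a botnet node is refused outright, and all addresses are constructed for the example; the GeoIP and reputation lookups that would fill in the signals are assumed to exist elsewhere.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class LoginSignals:
    username: str
    ip: str
    country: str                                         # from a GeoIP lookup (assumed)
    ip_reputation: Set[str] = field(default_factory=set)  # tags from a reputation feed (assumed)
    device_cookie: Optional[str] = None                  # cookie set after an earlier confirmed login


# Constructed per-user state; a real site keeps this in its user database.
KNOWN_DEVICES = {"alice": {"dev-a1b2c3"}}
USUAL_COUNTRY = {"alice": "FI"}
IP_WHITELIST = {"alice": {"198.51.100.7"}}

RISKY = {"tor", "vps", "botnet"}   # reputation tags the slides mention
HARD_DENY = {"botnet"}             # assumed policy: a known botnet node never gets a session


def third_factor(sig: LoginSignals) -> dict:
    """Return {"action": "allow" | "confirm" | "deny", "reasons": [...]}."""
    if sig.ip in IP_WHITELIST.get(sig.username, set()):
        return {"action": "allow", "reasons": ["ip on user's whitelist"]}

    reasons = []
    if sig.device_cookie not in KNOWN_DEVICES.get(sig.username, set()):
        reasons.append("unknown web browser")
    if sig.country != USUAL_COUNTRY.get(sig.username):
        reasons.append(f"login from {sig.country}")
    for tag in sorted(sig.ip_reputation & RISKY):
        reasons.append(f"ip reputation: {tag}")

    if sig.ip_reputation & HARD_DENY:
        return {"action": "deny", "reasons": reasons}
    if reasons:
        # Send the "is it really you" email or SMS and hold the session until confirmed.
        return {"action": "confirm", "reasons": reasons}
    return {"action": "allow", "reasons": []}
```

The reasons list is worth logging with every decision: it is the evidence an incident responder needs later, and it lets you tune which signals are producing false positives without changing the policy blindly.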

Mad general problem

“If your local computer is compromised by malware or anything else, it is just like a mad general”

http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/

What I have seen

Malicious browser add-on modifying sites on the fly

Android and iOS malware

SMS capture attacks

Spearhead email phishing

Google AdWords phishing

Malicious Tor exit nodes

http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764

Infrastructure security

fail2ban

Daemon automatically blocking IPs by log file analysis (e.g. Apache, SSH, your application)

Attack mitigation as a reverse proxy service: cloudflare.net

Known bad IPs: projecthoneypot.org

IP information: http://myip.ms/

Flood attacks

Flood actions and anonymous forms: password reset email, invite email, user messaging

Mostly harmless / reputation hit

Have throttling and banning per IP

Throttle email actions with a custom log file and fail2ban

https://shubh.am/full-disclosure-coinbase-security/

Encrypt all the servers

Encrypt your server content - “mad hosting provider”

Encrypt backups: GPG, duplicity

Encrypt server-to-server connections: AutoSSH, VPN

Virtual machines are always unsafe

http://blog.bitly.com/#85169217199

Server security monitoring

Untamperable logs (external log servers / systemd forward secure sealing)

Known processes and files list (Tripwire)

Firewalling

http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html
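The "known files list" idea behind Tripwire, as an added example that is not from the slides and not Tripwire's own code: hash, mode and size of every regular file under a directory are recorded as a baseline, and a later scan is compared against it to report added, removed and changed files. The directory tree and the tampering are constructed inside a temporary directory so the example runs anywhere; the process-list half of the slide is not covered here.

```python
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, permission bits and size of every regular file under root,
    keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed (content, mode or size) since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed tree: take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/app.conf": "debug=0\n", "etc/old.conf": "x\n", "bin/tool": "#!/bin/sh\n"}
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
        baseline = build_baseline(root)
        # The baseline must be kept where an intruder on this host cannot rewrite it
        # (the external log server from the slide, or a signed copy); JSON keeps it portable.
        stored = json.dumps(baseline, sort_keys=True)

        # Simulate tampering: config edited, a file deleted, an unexpected file added.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=1\n")
        os.remove(os.path.join(root, "etc", "old.conf"))
        with open(os.path.join(root, "bin", "unexpected"), "w") as f:
            f.write("x\n")
        return compare(json.loads(stored), build_baseline(root))
```

The same point the slide makes about logs applies to the baseline: a file list stored on the monitored host is only as trustworthy as that host, so the comparison belongs on a separate machine, or at least against a copy the server cannot modify.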

THANK YOU

opensourcehacker.com Open Source Hacker

mikko@opensourcehacker.com

moo9000

https://www.youtube.com/watch?v=OSGv2VnC0go&feature=youtu.be

https://packaging.python.org/
