Operations security (OPSEC) in IT


Michal Špaček
@spazef0rze www.michalspacek.cz
(with added speaker notes)

Protecting information
from unfriendly eyes

Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it says what to do to protect your servers, developers, information, and other resources. Targeting developers, a new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.

Firefox had quite a critical security issue in summer 2015. Its internal PDF viewer allowed JavaScript coming from the Internet to be executed with local privileges, bypassing the same-origin policy.

Subversion
FTP clients
.bash_history
.mysql_history
.pgsql_history
.ssh
*pass*
*access*

An exploit for this vulnerability was found in the wild before a patched version of Firefox was available. The exploit was distributed via an advertising platform and was targeting developers. It looked for Subversion credentials and config files for several popular FTP clients on Windows. Additionally, on Linux and OSX it looked for the usual suspects and some more, like files with names containing the strings pass and access. The exploit uploaded these files to a remote machine, basically stealing credentials and more. After patching the vulnerability, Mozilla recommended changing all your passwords and keys.
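As an added example (mine, not from the talk), here is a self-audit you can run over your own home directory: it lists the files matching the patterns the exploit looked for, and flags shell-history lines that embed a password on the command line. The file patterns are the ones from the slide; the history-line regexes are my assumptions about the most common ways a password ends up in history.

```python
"""Self-audit for the credential files the 2015 Firefox PDF viewer exploit
harvested. Added example for this talk, not the speaker's code; the file
patterns come from the slide, the history-line checks are assumptions."""
import fnmatch
import os
import re

# Patterns named on the slide: history files, the SSH directory, and anything
# with "pass" or "access" in its name.
SENSITIVE_PATTERNS = (".bash_history", ".mysql_history", ".pgsql_history",
                      ".ssh", "*pass*", "*access*")

# History lines that carry a secret on the command line (assumed examples;
# the exploit copied whole history files, so each of these is a leak).
LEAK_PATTERNS = (
    re.compile(r"\bmysql\b.*(\s-p\S+|--password=\S+)"),  # mysql -u x -pSecret
    re.compile(r"\bPGPASSWORD=\S+"),                    # PGPASSWORD=s psql ..
    re.compile(r"\bsshpass\s+-p\s*\S+"),                # sshpass -pSecret ssh
    re.compile(r"https?://[^/\s:]+:[^@\s]+@"),          # scheme://user:pw@host
)

def is_sensitive(name):
    """True if a file or directory name matches one of the slide's patterns."""
    return any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS)

def find_history_leaks(lines):
    """Return (line_number, line) for history lines that embed a secret."""
    return [(n, line) for n, line in enumerate(lines, 1)
            if any(p.search(line) for p in LEAK_PATTERNS)]

def audit_home(home):
    """Walk `home`; return {relative path: leak count} for every match.
    Directories and non-history files are listed with 0 leaks: the exploit
    uploaded them wholesale and ran as the logged-in user, so file
    permissions would not have stopped it; only not storing plaintext
    secrets there helps."""
    report = {}
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            if not is_sensitive(name):
                continue
            path = os.path.join(root, name)
            leaks = 0
            if name.endswith("_history") and os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    leaks = len(find_history_leaks(fh.read().splitlines()))
            report[os.path.relpath(path, home)] = leaks
    return report
```

Run `audit_home(os.path.expanduser("~"))` and treat every non-zero leak count, and every listed file holding a plaintext credential, as a password to rotate and a habit to change (for example, let mysql prompt for the password instead of passing it with `-p`).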

Bugzilla: a security issue

The fix was available the very next day after the exploit was found. How come it was fixed so fast? Mozilla actually knew about this vulnerability and had a bug filed in their bug tracking system, Bugzilla. This issue was not public, for obvious reasons. Firefox devs had access, of course. Mozilla believes that somebody stole the info from Bugzilla and used it to build the exploit.


Stealing such critical info, how? This Firefox developer, let's call him George, used one of his passwords to log in to Bugzilla to see this bug he had access to.

(Slide: George, developer, with the same password used for Bugzilla and for another website.)

But George was stupid and re-used his Bugzilla password on some other website. This other website got hacked, somebody found George's password and used it to access Bugzilla and the secret security bug report about the PDF viewer vulnerability.

Yes, George has failed miserably! Due to his mistake, all Firefox users have been fucked up. Don't be like George and don't reuse your passwords. Use strong, unique passwords everywhere, and I mean it. You have access to interesting systems and servers and you don't want them hacked, because it might affect a lot of your users.

Meet Xcode, a suite of tools for developing software for iOS and OSX. In September 2015, somebody distributed modified copies of Xcode to Chinese developers, and these modified copies produced apps which were hacked. These hacked apps were then distributed to regular users from the App Store. In China, it takes a while to download the real Xcode, so devs were happy to download it from another, faster location, but of course they didn't know it was a modified copy producing hacked apps.

Password manager

Bad guys are targeting developers because they have access to juicy systems. Attacks similar to the Xcode "hack" and the Firefox issue will be more and more common. So here's the first step for you to be better at OPSEC: don't reuse passwords.

Disable Flash and Java

Step 2: disable Flash Player and Java in your browsers, or even uninstall them completely. If you have Chrome, don't forget to disable the bundled Flash plugin, too. If you need Flash or Java in your browser, use a virtual machine, and after watching your fav X-rated movie just reset it to the previous state, or drop it.

Set click-to-play

Step 3: set (right-)click-to-play for plugins in your browser. Don't use any extensions for that, as they are easy to bypass. Use a browser setting.

Block ads

Step 4: use an ad-blocker. As Douglas Crockford once said, "The most reliable, cost effective method to inject evil code is to buy an ad."

And remember, we're developers (developers, developers, developers, hi Steve!), we have access to interesting systems which might be useful to attackers. Protect yourself, your users, and your company, too.
