OPSEC - operations security

Mikko Ohtamaa, ThaiPy / Bangkok / Nov 2014

opensourcehacker.com

moo9000


Description

Operations security (OPSEC) presentation given at the ThaiPy Python meetup in Bangkok, November 2014. The presentation covers device encryption, two-factor authentication, SSH, preventing brute-force login attacks and ensuring the integrity of your infrastructure.

Page 1: title slide (see above)

Page 2

Agenda

Team security

User security

Infrastructure security

Page 3

Person-to-person Bitcoin exchange

Bitcoin users are high-value targets

Page 4

Team security

Page 5

Physical access: display sleep + password lock

Encrypt devices (computers AND phones)

Two-factor authentication on email inbox

Two-factor authentication on site admin

Two-factor SSH

Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ

Page 6

"Cyber hygiene"

Password management (KeePassX)

SSH keys (automatically unlocked when you log in to your computer)

http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/

Page 7

User security

Page 8

Passwords are dead

Password-stealing attacks: keylogging and file-system-reading malware

A strong password gives only limited additional protection against these attacks

Page 9

Throttle login attempts with CAPTCHA

Threshold per IP address (one attacker trying credentials bought on the black market)

Threshold per username (targeted brute force against a single account)

Threshold on all logins per minute (distributed botnet attack)

recaptcha.net - https://github.com/praekelt/django-recaptcha

http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and-mitigating-botnet-driven-login-attacks/
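The three thresholds above implemented as a rolling time-window counter. This is an added example written for this page, not the code from the linked blog post or from django-recaptcha; the threshold values and key names are assumptions, and the counter is kept in memory so the example runs offline (the comments note the Redis sorted-set operations the blog post's approach maps to).

```python
import bisect
from collections import defaultdict
from typing import Dict, List, Optional

# Thresholds: (max failed attempts, window in seconds). Assumed values; tune for your site.
PER_IP = (10, 600)       # one attacker working through a leaked credential list
PER_USER = (5, 600)      # targeted brute force against a single account
GLOBAL = (1000, 60)      # botnet: many IPs, many usernames, each under the per-key limits


class SlidingWindowCounter:
    """Rolling time-window counter kept in memory for this example. Against Redis the same
    operations are ZADD (record), ZREMRANGEBYSCORE (expire) and ZCARD (count) on one
    sorted set per key."""

    def __init__(self) -> None:
        self._events: Dict[str, List[float]] = defaultdict(list)

    def record(self, key: str, now: float) -> None:
        # insort keeps each list sorted even if timestamps arrive slightly out of order
        bisect.insort(self._events[key], now)

    def count(self, key: str, now: float, window: float) -> int:
        events = self._events[key]
        expired = bisect.bisect_right(events, now - window)
        del events[:expired]            # forget anything older than the window
        return len(events)


class LoginThrottle:
    def __init__(self, counter: Optional[SlidingWindowCounter] = None) -> None:
        self.counter = counter or SlidingWindowCounter()

    def record_failure(self, ip: str, username: str, now: float) -> None:
        """Call after every failed login; successful logins do not count against the user."""
        self.counter.record(f"ip:{ip}", now)
        self.counter.record(f"user:{username.lower()}", now)
        self.counter.record("global", now)

    def captcha_reasons(self, ip: str, username: str, now: float) -> List[str]:
        """Call before checking the password. Any non-empty result means: show a CAPTCHA
        (or refuse the attempt) instead of processing the login."""
        reasons: List[str] = []
        for label, key, (limit, window) in (
            ("ip", f"ip:{ip}", PER_IP),
            ("user", f"user:{username.lower()}", PER_USER),
            ("global", "global", GLOBAL),
        ):
            if self.counter.count(key, now, window) >= limit:
                reasons.append(label)
        return reasons
```

The per-username counter is what stops a slow attack against one account from many IPs, and the global counter is the only one that notices a botnet that stays under both per-key limits; the CAPTCHA is shown rather than the account locked, so the attacker cannot lock legitimate users out.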

Page 10

Two-factor authentication for your users

Page 11

Lack of two-factor

scenario: US 0.90%

scenario: Great Britain 0.90%

scenario: Australia 7.58%

www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

Page 12

Time-Based One-Time Password Algorithm

TOTP, RFC 6238, a.k.a. Google Authenticator

Google provides the app for Android and iOS; it does not require a Google account. Other open source implementations exist.

Page 13

HMAC-Based One-Time Password Algorithm

HOTP, RFC 4226: counter-based one-time passwords, a.k.a. paper code lists (OTP here means one-time password, not one-time pad)

Common in Nordic internet banking, unheard of in many countries

Page 14

SMS

Yubikey

Calculators and other hardware tokens

As a service: authy.org

twofactorauth.org

Page 15

For Django: https://github.com/miohtama/django-twofactor

Page 16

Third factor

Page 17

Users lose their credentials

Recycled passwords (black market)

Phishing (Google AdWords attack)

Stolen two-factor codes

Page 18

Third factor parameters

Unknown web browser (identified by cookie)

The country of the IP address

The reputation of IP address (botnet, Tor, VPS)

IP address whitelist

Confirm by email or by SMS “is it really you”
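The parameters above combined into one decision function, as an added example that is not part of the original deck. The policy (whitelist is absolute; one risk signal asks for confirmation; two or more deny), the reputation labels and the data classes are assumptions for the example; GeoIP and IP reputation lookups are left to the caller.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

# Reputation labels assumed to come from a feed such as projecthoneypot.org or a Tor exit list.
RISKY_REPUTATIONS = frozenset({"botnet", "tor", "vps"})


@dataclass
class LoginContext:
    username: str
    ip: str
    ip_country: str                                   # GeoIP lookup, done by the caller
    ip_reputation: FrozenSet[str] = frozenset()       # subset of RISKY_REPUTATIONS, empty if clean
    browser_cookie: Optional[str] = None              # long-lived cookie set on the first confirmed login


@dataclass
class UserProfile:
    known_cookies: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    ip_whitelist: Set[str] = field(default_factory=set)   # optional, configured by the user


def third_factor_decision(ctx: LoginContext, profile: UserProfile) -> Tuple[str, List[str]]:
    """Run after password and second factor both succeed.
    Returns ("allow" | "confirm" | "deny", reasons); "confirm" means hold the session and
    ask "is it really you" by email or SMS. Policy assumed for this example: whitelist is
    absolute, one risk signal asks for confirmation, two or more deny the login."""
    if profile.ip_whitelist:
        if ctx.ip in profile.ip_whitelist:
            return "allow", []
        return "deny", [f"{ctx.ip} not on the account's IP whitelist"]

    reasons: List[str] = []
    if not ctx.browser_cookie or ctx.browser_cookie not in profile.known_cookies:
        reasons.append("unknown web browser")
    if profile.usual_countries and ctx.ip_country not in profile.usual_countries:
        reasons.append(f"new country {ctx.ip_country}")
    risky = sorted(ctx.ip_reputation & RISKY_REPUTATIONS)
    if risky:
        reasons.append("ip reputation: " + ", ".join(risky))

    if not reasons:
        return "allow", []
    if len(reasons) == 1:
        return "confirm", reasons
    return "deny", reasons
```

Two caveats the deck's other slides imply: the "is it really you" email is only as strong as the inbox, which is why page 5 asks for two-factor authentication on email; and a browser cookie proves nothing once the user's machine runs malware (the mad general problem of the next slide), so this is a third factor on top of 2FA, not a replacement for it.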

Page 19

Mad general problem

“If your local computer is compromised by malware or anything else, it is just like a mad general”

http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/

Page 20

What I have seen

Malicious browser add-ons modifying sites on the fly

Android and iOS malware

SMS capture attacks

Spearhead email phishing

Google AdWords phishing

Malicious Tor exit nodes

http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764

Page 21

Infrastructure security

Page 22

fail2ban

Daemon that automatically blocks IP addresses based on log file analysis (e.g. Apache, SSH, your application)

Page 23

Attack mitigation as a reverse proxy service: cloudflare.net

Known bad IPs: projecthoneypot.org

IP information: http://myip.ms/

Page 24

Flood attacks

Flooding actions and anonymous forms: password reset email, invite email, user messaging

Mostly harmless, but a reputation hit

Have throttling and banning per IP

Throttle email actions with a custom log file and fail2ban

https://shubh.am/full-disclosure-coinbase-security/
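The custom-log-plus-fail2ban approach as an added example (not the deck's or fail2ban's own code): the application logs one line per email it sends, a fail2ban filter matches those lines, and a jail bans the source IP after too many of them inside the findtime window. The log format, file and section names and the thresholds are assumptions; the Python functions replay what the fail2ban daemon would do with the two config snippets so the effect can be checked offline against a constructed log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Set

# fail2ban filter for the application's action log (file and section names assumed).
# fail2ban expands <HOST> to its own IP/hostname pattern when it loads the filter.
FILTER_CONF = """\
[Definition]
failregex = ^.*action=password_reset_email ip=<HOST>$
ignoreregex =
"""

# Jail: ban an IP after 5 password-reset emails within 10 minutes, for one hour (assumed values).
JAIL_CONF = """\
[myapp-reset]
enabled  = true
filter   = myapp-reset
logpath  = /var/log/myapp/actions.log
maxretry = 5
findtime = 600
bantime  = 3600
"""

# Constructed sample of the log the application writes, one line per email sent; not real traffic.
SAMPLE_LOG = """\
2014-11-20 10:00:01 action=password_reset_email ip=203.0.113.7
2014-11-20 10:00:05 action=password_reset_email ip=203.0.113.7
2014-11-20 10:00:09 action=invite_email ip=203.0.113.7
2014-11-20 10:00:12 action=password_reset_email ip=203.0.113.7
2014-11-20 10:00:20 action=password_reset_email ip=198.51.100.2
2014-11-20 10:00:31 action=password_reset_email ip=203.0.113.7
2014-11-20 10:00:44 action=password_reset_email ip=203.0.113.7
2014-11-20 10:05:00 action=password_reset_email ip=203.0.113.8
2014-11-20 10:10:00 action=password_reset_email ip=203.0.113.8
2014-11-20 10:15:00 action=password_reset_email ip=203.0.113.8
2014-11-20 10:20:00 action=password_reset_email ip=203.0.113.8
2014-11-20 10:25:00 action=password_reset_email ip=203.0.113.8
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader, enough for the two fail2ban snippets above."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def compile_failregex(failregex: str) -> re.Pattern:
    # stand-in for fail2ban's <HOST> expansion (fail2ban's own also accepts hostnames)
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))


def find_bans(log_text: str, failregex: str, maxretry: int, findtime: int) -> Set[str]:
    """Replay what fail2ban does: count matching lines per host inside a sliding findtime
    window and ban once maxretry is reached."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Set[str] = set()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        q = hits[m.group("host")]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m.group("host"))
    return banned


def bans_from_conf(log_text: str = SAMPLE_LOG) -> Set[str]:
    jail = parse_conf(JAIL_CONF)["myapp-reset"]
    failregex = parse_conf(FILTER_CONF)["Definition"]["failregex"]
    return find_bans(log_text, failregex, int(jail["maxretry"]), int(jail["findtime"]))
```

Because the jail bans at the firewall, the same attacker also loses access to login, invite and messaging forms, not just the reset form; the invite line in the sample shows the filter only counts the action it is written for, so each flood-prone action gets its own log line and filter.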

Page 25

Encrypt all the servers

Encrypt your server content - “mad hosting provider”

Encrypt backups: GPG, duplicity

Encrypt server-to-server connections: AutoSSH, VPN

Virtual machines are never fully safe: whoever controls the host can read their disk and memory

http://blog.bitly.com/#85169217199

Page 26

Server security monitoring

Tamper-resistant logs (external log servers, systemd forward secure sealing)

Known processes and files list (Tripwire)

Firewalling

http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html
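What "forward secure sealing" buys, as an added example (my own minimal construction for this page, not systemd's FSS implementation): each log entry is authenticated with a key that is ratcheted one way and then discarded, so an attacker who takes the host later cannot rewrite entries sealed before the compromise; the verifier keeps the initial key off the box. Key names and the ratchet label are assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Entry = Tuple[bytes, bytes]   # (log line, seal tag)


def _ratchet(key: bytes) -> bytes:
    """One-way key update: from K(i+1) nobody can recover K(i)."""
    return hmac.new(key, b"seal-ratchet", hashlib.sha256).digest()


class SealedLog:
    """Append-only log whose entries are authenticated with a key that is ratcheted forward
    and then discarded. Only the external verifier keeps the initial key."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key
        self._prev_tag = b"\x00" * 32
        self.entries: List[Entry] = []

    def append(self, line: bytes) -> bytes:
        tag = hmac.new(self._key, self._prev_tag + line, hashlib.sha256).digest()
        self.entries.append((line, tag))
        self._prev_tag = tag
        self._key = _ratchet(self._key)   # the key that sealed this entry no longer exists on the host
        return tag

    def current_key(self) -> bytes:
        """What an attacker who compromises the host obtains."""
        return self._key


def verify(initial_key: bytes, entries: List[Entry]) -> Optional[int]:
    """Recompute the chain from the verifier's copy of the initial key.
    Returns None if every entry checks out, else the index of the first bad entry."""
    key, prev = initial_key, b"\x00" * 32
    for i, (line, tag) in enumerate(entries):
        expected = hmac.new(key, prev + line, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        key, prev = _ratchet(key), tag
    return None
```

The limitation the linked post argues applies here too: with the current key the attacker can append entries that verify, can drop entries from the tail unless the verifier tracks the expected count, and can simply stop logging. Sealing therefore complements shipping logs to an external server in near real time rather than replacing it.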

Page 27

THANK YOU

opensourcehacker.com (Open Source Hacker)

[email protected]

Page 28

https://www.youtube.com/watch?v=OSGv2VnC0go&feature=youtu.be

https://packaging.python.org/