Sunday, September 22, 2019

2019-034: Tracy Maleeff, empathy as a service, Derbycon discussion


Podcast Interview (YouTube): https://youtu.be/4tdJwBMh3ow

Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa

https://medium.com/@InfoSecSherpa

https://nuzzel.com/InfoSecSherpa 


Python secure coding class: starts November 2nd, runs for 5 Saturdays, taught by @nxvl

https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511


Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA 


Plugs:

Nuzzel newsletter: https://nuzzel.com/infosecsherpa

OSINT-y Goodness blog: https://medium.com/@infosecsherpa 


Tomato pie: 

https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey


Infosec is a service industry job (gasp!)


Customer service is an attitude, not a department


Reference Interview:
https://en.wikipedia.org/wiki/Reference_interview


Approachability

    Does your org make it easy to contact you?

    What is your tone of writing?

    What does your outgoing communication look like?

    Rein in your attitude, language, etc.

“I am using an online translator” (great idea!)

What is your department’s reputation?

    Create an assessment of your department…


“I didn’t know there was humans in security?” --


Interest

    Be interested in solving the problem.

    Make interaction a ‘safe space’

        No judging, mocking

    LOL, “EE Cummings”

        https://poets.org/poem/amores-i

Listening

    Pay attention to what the end user doesn’t say.

    Don’t interrupt the end user


Interviewing

    Repeat back what the user said or asked

    Tone: Ask clarification questions, not accusatory questions


Searching

    Did security fail the user?

Answering

    Teachable moments

        Building trust/relationship equity

        “While you’re on the phone…”

    “Thank you for your time”

Follow-Up

    Think of ways to create a culture of security

    Create canned emails

    Random acts of kindness

        cyberCupcakes!!!! Or potentially small value gift cards(?)

    Kindness as currency

        Christmas cookies 

            Spreading goodwill

        building relationship equity

            Reciprocity 

        Lunch and learns


People can’t be educated into vaccinations, but behavioral nudges help

    “Telling people facts won’t change behavior”


Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec



Sunday, September 15, 2019

2019-033: Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)



Topics:

Infosec Campout report


Jay Beale (co-lead for audit) *Bust-a-Kube*  

Aaron Small (product mgr at GKE/Google)


Atredis Partners

Trail of Bits


What was the Audit? 

How did it come about? 


Who were the players?

    Kubernetes Working Group

        Aaron, Craig, Jay, Joel

    Outside vendors:

        Atredis: Josh, Nathan Keltner

        Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik

    Kubernetes Project Leads/Devs

        Interviewed devs -- this was much of the info that went into the threat model

        Rapid Risk Assessments - let’s put the GitHub repository in the show notes


What did it produce?

    Vuln Report

    Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf

    White Papers

    https://github.com/kubernetes/community/tree/master/wg-security-audit/findings


    Discuss the results:

        Threat model findings

            Controls silently fail, leading to a false sense of security

                Pod Security Policies, Egress Network Rules

            Audit model isn’t strong enough for non-repudiation

                By default, the API server doesn’t log user movements through the system

            TLS Encryption weaknesses

                Most components accept cleartext HTTP

                Bootstrapping to add Kubelets is particularly weak

                Multiple components do not check certificates and/or use self-signed certs

                HTTPS isn’t enforced

                Certificates are long-lived, with no revocation capability

                Etcd doesn’t authenticate connections by default

            Controllers all Bundled together

                Confused Deputy: because lower-privilege controllers are bundled in the same binary as higher-privilege ones

            Secrets not encrypted at rest by default

            Etcd doesn’t have signatures on its write-ahead log

            DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes


            Port 10255 has an unauthenticated HTTP server for status and health checking


        Vulns / Findings (not complete list, but interesting)

            Hostpath pod security policy bypass via persistent volumes

            TOCTOU when moving PID to manager’s group

            Improperly patched directory traversal in kubectl cp

            Bearer tokens revealed in logs

            Lots of MitM risk:

                SSH not checking fingerprints: InsecureIgnoreHostKey

                gRPC transport seems all set to WithInsecure()

                HTTPS connections not checking certs

                Some HTTPS connections are unauthenticated

            Output encoding on JSON construction

                This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.

            Non-constant time check on passwords

            Lack of re-use / library-ification of code
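Two of the finding classes above, the non-constant-time password check and HTTPS clients that skip certificate verification, as an added Go example; this is not code from the Kubernetes project or the audit report, and the "hunter2" sample values are constructed:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"fmt"
)

// checkPasswordLeaky is the flagged pattern: it returns at the first
// differing byte, so timing reveals how long the matching prefix is.
func checkPasswordLeaky(stored, supplied []byte) bool {
	if len(stored) != len(supplied) {
		return false
	}
	for i := range stored {
		if stored[i] != supplied[i] {
			return false
		}
	}
	return true
}

// checkPasswordConstantTime hashes both sides to a fixed length (so the
// length check leaks nothing) and compares without an early exit.
func checkPasswordConstantTime(stored, supplied []byte) bool {
	a := sha256.Sum256(stored)
	b := sha256.Sum256(supplied)
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// tlsClientFindings reports why a client tls.Config would be flagged
// under "HTTPS connections not checking certs"; an empty result means
// the server certificate is verified and old protocol versions refused.
func tlsClientFindings(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: server certificate is never verified")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion unset or below TLS 1.2")
	}
	return findings
}

func main() {
	fmt.Println(checkPasswordConstantTime([]byte("hunter2"), []byte("hunter2")))
	fmt.Println(tlsClientFindings(&tls.Config{InsecureSkipVerify: true}))
}
```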


    Who will use these findings and how? Devs, google, bad guys? 

    Any new audit tools created from this? 


Brad Geesaman, “Hacking and Hardening Kubernetes Clusters by Example [I]” (Brad Geesaman, Symantec): https://www.youtube.com/watch?v=vTgQLzeBfRU


Aaron Small: 

https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 

https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster 


CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw 


Findings:


Scope for testing:

    Source code review (what languages did they have to review?)

        Golang, shell, ...

    Networking (discuss the networking: *internal* and *external*)

    Cryptography (TLS, data stores)

    AuthN/AuthZ

    RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)

    Secrets

    Namespace traversals

    Namespace claims


Methodology:


Setup a bunch of environments?

    Primarily set up a single environment IIRC

    Combination of code audit and active ?fuzzing?

        What does one fuzz on a K8s environment?

Tested with latest alpha or production versions?

    Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.

Tested multiple different types of k8s implementations?

    Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)


Bug Bounty program:

https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md



Friday, September 6, 2019

the last Derbycon Brakesec podcast


This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-levels that their applications aren't good.


We also got asked about how the show came about, and how we found each other.


**Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**

