## DevOops & How I Hacked You
Ken Johnson @cktricky
Chris Gates @carnal0wnage
Devops Days Washington DC 12 June 2015
Longer Version of the talk here:
### What we want you to take away from this talk
- Don't prioritize speed over security
- Understand devops tools' auth model... or lack of it
- Out of date or insecure implementations can lead to pwnage
- Developers building infrastructure can be dangerous without thought and training around security
### Searching
- Searchcode: lets you search across multiple code repositories; it works OK, but each site's own search works better
- GitHub Advanced Search: lets you search GitHub repos for interesting things
### Stealing
- Exposed .git directories
- Subversion
### Smashing
- Hudson/Jenkins
  - Multiple Remote Code Execution (RCE) vulnerabilities over the years
  - https://wiki.jenkins-ci.org/display/SECURITY/Home
  - An API token is equivalent to a password
  - Metasploit has a module to enumerate and exploit
  - https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/
  - http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html
  - http://zeroknock.blogspot.com/search/label/Hacking%20Jenkins
- Elasticsearch
  - No authentication
  - Stored data can be searched via the HTTP API
  - Data can be updated with a PUT request
  - Anyone can join an open cluster and receive all of its data
  - RCE prior to 1.2.0 (CVE-2014-3120)
  - RCE prior to 1.5.0* (CVE-2015-1427)
- AWS
  - Common misconfigurations
    - SSH keys
    - Security groups
    - VPC
- Redis
  - No encrypted communication
  - No auth by default
  - Binds to all interfaces by default
  - Remote Code Execution: http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
### What you can do tomorrow
- Understand that most devops tools take the approach of: "If you can talk to me, I trust you"
- It's OK to empower dev/ops people to do security too
- If you have Jenkins, make sure it requires authentication
- If you have Elasticsearch, upgrade
- Search GitHub/Bitbucket/Google Code for your sensitive information
- Update to the latest versions of your devops tools
- Understand which tools are deployed in your environment and monitor for security updates
- Jenkins API key == password (protect them)
- Monitor/review code for stored passwords/API keys
- Redis: require authentication and upgrade
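The checks in the list above, for the three tools discussed in the "Smashing" section, as an added example (not from the talk or the slides). It assumes you already fetched the relevant artifacts yourself and feeds them in as constructed sample data so it runs offline: the JSON body an unauthenticated `GET /` on Elasticsearch returns, the HTTP status of an unauthenticated `GET /api/json` on Jenkins, and the text of your `redis.conf`.

```python
"""Posture checks for Jenkins, Elasticsearch and Redis (added example)."""
import json
import re

# The two RCE fix thresholds listed in the talk: anything older is affected.
ES_RCE_FIXES = [((1, 2, 0), "CVE-2014-3120"), ((1, 5, 0), "CVE-2015-1427")]


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); comparable as a tuple."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())


def elasticsearch_findings(root_json):
    """Evaluate the body of an unauthenticated GET / on an Elasticsearch node.
    Getting a body at all means there is no auth; the version then tells us
    whether the known RCE fixes are missing."""
    number = json.loads(root_json)["version"]["number"]
    findings = ["responds without authentication"]
    for fixed, cve in ES_RCE_FIXES:
        if parse_version(number) < fixed:
            findings.append(f"{cve}: {number} is older than {'.'.join(map(str, fixed))}")
    return findings


def jenkins_findings(status_code):
    """Unauthenticated GET /api/json: 200 means anonymous read access,
    401/403 means authentication is being enforced."""
    return ["anonymous read access to /api/json"] if status_code == 200 else []


def redis_conf_findings(conf_text):
    """Flag the two defaults the talk calls out: no requirepass, and no bind
    directive (or one for all interfaces). Sample conf text is constructed."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    if "requirepass" not in settings:
        findings.append("requirepass not set: no authentication")
    bind = settings.get("bind")
    if bind is None or bind.split()[0] in ("0.0.0.0", "*"):
        findings.append("bind: listening on all interfaces")
    return findings


if __name__ == "__main__":
    print(elasticsearch_findings('{"version": {"number": "1.4.2"}}'))  # constructed
    print(redis_conf_findings("# default-ish conf\nport 6379\n"))  # constructed
```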
### Devops Fails Links