gistfile1.md

##"DevOops & How I Hacked You"##

Ken Johnson @cktricky

Chris Gates @carnal0wnage

Devops Days Washington DC 12 June 2015

Devopsdays DC slides

Longer Version of the talk here:

LASCON 2014 Slide Deck

LASCON Video

###What we want you to take away from this talk###

• Don’t prioritize speed over security

• Understand devops tools’ auth model...or lack of it

• Out of date or insecure implementation can lead to pwnage

• Developers building infrastructure can be dangerous without thought and training around security

###Searching###

• Searchcode - allows you to search multiple code repos --works ok, individual site search works better
• Github Advanced Search - allows you to search GitHub repos for interesting things
  • Google hacking for GitHub
  • http://seclists.org/fulldisclosure/2013/Jun/15
  • http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html

###Stealing###

• .git exposed

  • https://github.com/evilpacket/DVCS-Pillage
  • https://github.com/kost/dvcs-ripper
  • http://carnal0wnage.attackresearch.com/2015/03/devooops-revision-control-git.html

• subversion

  • http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
  • http://carnal0wnage.attackresearch.com/2015/03/devooops-revision-control-subversion.html

###Smashing###

• Hudson/Jenkins
  • Multiple Remote Code Execution (RCE) vulnerabilities over the years
  • https://wiki.jenkins-ci.org/display/SECURITY/Home
  • API token is the same as password
  • Metasploit has module to enumerate and exploit
  • https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/
  • http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html
  • http://zeroknock.blogspot.com/search/label/Hacking%20Jenkins

• Elasticsearch
  • No Authentication
  • Can search stored data via HTTP API
  • Update data with PUT request
  • Join an open cluster and receive all data
    • RCE prior to 1.2.0 (CVE-2014-3120)
    • RCE prior to 1.5.0* (CVE-2015-1427)

• AWS

  • Common misconfigurations

    • SSH Keys
    • Security Groups
    • VPC
    
    

• Redis

  • No encrypted communication
  • No auth by default
  • Bind to all interfaces by default
  • Remote Code Execution - http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/

###What you can do tomorrow###

• Understand that most devops tools take the approach of: “If you can talk to me I trust you”
• Its ok to empower dev/ops people to do security too
• If you have Jenkins, make sure it requires authentication
• If you have elasticsearch, upgrade
• Search github/bitbucket/google code for your sensitive information
• Update to latest versions of your devops tools
• Understand which tools are deployed in your environment and monitor for security updates
• Jenkins API key == password (protect them)
• Monitor/review code for stored passwords/api keys
• Redis require authentication && upgrade

###Devops Fails Links###

• Github/Uber/Secret Key Published
• Compromised AWS shuts down company
• Vulnerable Elasticsearch & Botnets