Rob Witoff, Director
CLOUD SECURITY & USABLE PROTECTIONS FROM REAL WORLD THREATS
coinbase.com
PRIVATE KEY → PUBLIC KEY → BITCOIN ADDRESS (e.g. 1EBHA1ckUWzNKN7BMfDwGTx6GKEbADUozX)
Observe Orient Decide Act
AWS controls and telemetry: VPC, IAM, NACL, Security Groups, Route Table, Share Snapshot, CloudTrail, Flow Logs
Flow Log signals: DENY, Geo, Volume
Detections: Misconfiguration, Data Exfiltration, Anomalous Activity
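The slide names Flow Logs and two of the signals (DENY, Volume) without showing how they turn into a detection. The script below is an added example, not Coinbase's tooling, that runs the "Observe" step over VPC Flow Log records: it counts rejected connections per external source and sums accepted egress bytes per (instance, external host) pair. It assumes the default flow-log v2 field order, a VPC CIDR of 10.0.0.0/16 and the two thresholds, and the log lines are constructed, not captured traffic.

```python
"""Triage of VPC Flow Log records (added example, not Coinbase's tooling).

Assumptions (not from the slides): default flow-log v2 field order
  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status
the VPC CIDR 10.0.0.0/16, and the two thresholds below.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")       # assumed VPC range
REJECT_THRESHOLD = 3                       # assumed: flag sources with >3 REJECTs
EGRESS_BYTES_THRESHOLD = 50_000_000        # assumed: flag >50 MB to one external host

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): four SSH rejects from one
# external host, one large HTTPS upload out of the VPC, one internal DB flow,
# and one NODATA record that must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1 198.51.100.7 10.0.1.5 40001 22 6 1 60 1455600000 1455600060 REJECT OK
2 123456789012 eni-0a1 198.51.100.7 10.0.1.5 40002 22 6 1 60 1455600000 1455600060 REJECT OK
2 123456789012 eni-0a1 198.51.100.7 10.0.1.5 40003 22 6 1 60 1455600000 1455600060 REJECT OK
2 123456789012 eni-0a1 198.51.100.7 10.0.1.5 40004 22 6 1 60 1455600000 1455600060 REJECT OK
2 123456789012 eni-0a1 10.0.1.5 203.0.113.9 51000 443 6 90000 120000000 1455600000 1455600060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.5 10.0.2.8 51001 5432 6 200 40000 1455600000 1455600060 ACCEPT OK
2 123456789012 eni-0a2 - - - - - - - 1455600000 1455600060 - NODATA
"""


def parse(log_text):
    """Yield one dict per well-formed record; NODATA/SKIPDATA lines carry no flow."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        yield rec


def noisy_reject_sources(records, threshold=REJECT_THRESHOLD):
    """External sources whose traffic was denied more than `threshold` times (DENY signal)."""
    rejects = Counter(r["srcaddr"] for r in records
                      if r["action"] == "REJECT"
                      and ip_address(r["srcaddr"]) not in VPC_CIDR)
    return {src: n for src, n in rejects.items() if n > threshold}


def large_egress(records, threshold=EGRESS_BYTES_THRESHOLD):
    """(srcaddr, dstaddr) pairs that pushed more than `threshold` bytes out of the VPC (Volume signal)."""
    out = defaultdict(int)
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if src in VPC_CIDR and dst not in VPC_CIDR:
            out[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {pair: total for pair, total in out.items() if total > threshold}


def triage(log_text=SAMPLE_LOG):
    """Run both detections over a log text and return the findings."""
    records = list(parse(log_text))
    return {"reject_sources": noisy_reject_sources(records),
            "large_egress": large_egress(records)}


if __name__ == "__main__":
    print(triage())
```

On the constructed input this flags 198.51.100.7 (four rejects against port 22) and the 120 MB flow from 10.0.1.5 to 203.0.113.9. The Geo signal from the slide is left out because it needs an external IP-to-country dataset; a lookup on `dstaddr` would slot into `large_egress` in the same place the CIDR check sits.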
2015 Verizon Data Breach Investigations Report
2/22 google trends search for “glibc”
Friday → Weekend!
“Asset Discovery”
“Digital Footprint Detection”
“Unknown Asset Indexing”
30 Day Project
- Automation
- Codification
- Knowledge Sharing
- Disaster Recovery
30 day plan -> impact on automation: AWS Cache, Discovery & Charting (chart)
Disclosure Feb 17, 2016
Discovery < July 13, 2015
?
“At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies”
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
https://xkcd.com/1353/
Secure By $$$ Optimization -or-
Secure By Design?
https://www.washingtonpost.com/blogs/the-switch/files/2014/02/mainroom.jpg
~99% of bitcoin will never touch a routable electron
… and neither should your root MFA tokens!
https://github.com/coinbase/self-service-iam
Accessing User Data via Metadata Service SSRF
https://tools.ietf.org/html/rfc6890
EC2 Instance → 169.254.169.254 (instance metadata service)
https://github.com/Crypt0s/FakeDns
Resolution #1: the hostname resolves to a public address and passes the RFC 6890 check
Resolution #2!: the client re-resolves the hostname when it actually connects, and the attacker's DNS server now answers 169.254.169.254 (DNS rebinding: the check and the use resolve separately)
via @Lukasa https://github.com/kennethreitz/requests/issues/2008#issuecomment-40793099
Making A Safe Web Request inside Your Cloud
1. Lookup IP Address
2. Validate IP Address Against RFC 6890
3. Make Request Bound to this Validated IP Address
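The three steps above, as an added example that is not code from the talk or from Coinbase. It resolves once, requires every returned address to fall outside the RFC 6890 special-purpose ranges (including the IPv4-mapped IPv6 form of 169.254.169.254), and then opens the TCP connection to that validated IP with the original hostname only in the Host header, so a second DNS answer never gets a say. Assumptions: Python standard library only, plain HTTP (TLS needs the hostname for SNI and certificate checks, see the note after the code), and the `resolver` parameter, which exists so the rebinding case can be exercised offline with a fake resolver.

```python
"""Resolve, validate, then bind: outbound requests from a cloud host.

Added example, not Coinbase's code. Assumptions: stdlib only, plain http://
URLs, and an RFC 6890 check built from an explicit block list plus the
ipaddress module's flags. `resolver` is injectable so tests can simulate
a rebinding DNS server without network access.
"""
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit

# RFC 6890 special-purpose address blocks that must never be a request target
# from inside the VPC. Listed explicitly so the policy is visible and auditable.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "2001::/23", "2001:db8::/32", "fc00::/7", "fe80::/10",
)]


def is_allowed_ip(text):
    """Step 2: reject anything in an RFC 6890 special-purpose range."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:169.254.169.254 is still the metadata service
    if (ip.is_multicast or ip.is_reserved or ip.is_link_local
            or ip.is_loopback or ip.is_private or ip.is_unspecified):
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def resolve_and_validate(host, resolver=socket.getaddrinfo):
    """Steps 1 and 2: resolve exactly once; every returned address must pass."""
    try:
        infos = resolver(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host}: {exc}")
    addrs = [info[4][0] for info in infos]
    bad = [a for a in addrs if not is_allowed_ip(a)]
    if not addrs or bad:
        raise ValueError(f"{host} resolves to blocked address(es): {bad or addrs}")
    return addrs[0]


def safe_get(url, resolver=socket.getaddrinfo, timeout=5):
    """Step 3: connect to the validated IP; the hostname is never resolved again."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this example handles plain http only")
    ip = resolve_and_validate(parts.hostname, resolver)
    target = f"[{ip}]" if ":" in ip else ip   # IPv6 literals need brackets here
    conn = http.client.HTTPConnection(target, parts.port or 80, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Host header carries the original name so virtual hosting still works;
    # http.client does not follow redirects, so a 302 to 169.254.169.254 is
    # returned to the caller rather than silently followed.
    conn.request("GET", path, headers={"Host": parts.netloc})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body
```

For HTTPS, keep the same resolve-then-bind order but create the socket to the validated IP yourself and wrap it with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)`, so SNI and certificate verification still use the hostname while the TCP connection uses the checked address; passing the bare IP to `HTTPSConnection` would fail the certificate check. Redirects, if you choose to follow them, must go back through `resolve_and_validate` for each hop.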
Accessing User Data
1. Metadata Service SSRF
2. AWS API
Policies Are Hard: 11911 actions x 471 services
ec2:DescribeInstanceAttribute returns, among others: instanceType, ebsOptimized, deviceMapping, shutdownBehavior, userData
ec2:Describe* covers ec2:DescribeInstance and ec2:DescribeInstanceAttribute, so a "read-only" wildcard grant also reads user data
Write Explicit IAM Policies
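To see what a wildcard actually grants, expand it against the action catalogue before the policy ships. The linter below is an added example, not part of coinbase/self-service-iam: it expands `Action` patterns with IAM's case-insensitive glob matching, applies explicit `Deny` statements, and reports any sensitive read that slipped in. Assumptions: the action list is a small constructed subset of EC2, not the full catalogue the slide counts; the two "sensitive read" entries and both sample policies are constructed; `Resource`, `Condition` and `NotAction` are deliberately out of scope.

```python
"""Expand IAM action wildcards against a known action list (added example).

Not Coinbase's self-service-iam code. KNOWN_ACTIONS is a constructed sample
of EC2 actions; the point is that ec2:Describe* silently includes
ec2:DescribeInstanceAttribute, which can return instance userData.
"""
import fnmatch
import json

# Constructed sample (assumption): a small slice of the ec2 namespace.
KNOWN_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots", "ec2:DescribeSecurityGroups",
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute",
    "ec2:GetPasswordData", "ec2:CreateSnapshot", "ec2:ModifySnapshotAttribute",
]

# Read actions whose name hides sensitive output (assumption: a starter list).
SENSITIVE_READS = {
    "ec2:DescribeInstanceAttribute": "userData attribute (bootstrap secrets)",
    "ec2:GetPasswordData": "Windows admin password ciphertext",
}

# Constructed policies: the broad one from the slide, and the explicit rewrite.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
EXPLICIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
                   "Resource": "*"}],
}


def _matches(action, pattern):
    """IAM action names match case-insensitively; '*' and '?' are the wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def expand_actions(policy, known=KNOWN_ACTIONS):
    """Known actions the policy allows once explicit Deny statements are applied.

    Simplification (assumption): Resource and Condition are ignored, and
    NotAction is rejected rather than modelled.
    """
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        if "NotAction" in stmt:
            raise ValueError("NotAction is not supported by this example")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in actions:
            target.update(a for a in known if _matches(a, pattern))
    return allowed - denied      # an explicit Deny always wins


def sensitive_grants(policy, known=KNOWN_ACTIONS):
    """Map of sensitive actions the policy grants to why they matter."""
    granted = expand_actions(policy, known)
    return {a: why for a, why in SENSITIVE_READS.items() if a in granted}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(name, json.dumps(sorted(expand_actions(policy))))
        print(name, "sensitive:", sensitive_grants(policy))
```

Run against the real catalogue, the same expansion is what makes a self-service IAM workflow reviewable: the reviewer sees the concrete action list, not the glob. A `Deny` on `ec2:DescribeInstanceAttribute` alongside `ec2:Describe*` is the quick patch; the explicit allow list is the durable one, because new Describe actions AWS adds later do not silently join it.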
Cloud Can Be Very Secure
Insight Without Access
Security Through Consensus
Security Can Empower
coinbase.com  @rwitoff
Thanks!