R o b W i t o f f , D i r e c t o r

CLOUD SECURITY & USABLE PROTECTIONS FROM REAL WORLD THREATS

coinbase.com

coinbase.com

coinbase.com

coinbase.com

Secp256k1: 32 Sun Years of Energy

coinbase.com

PRIVATE KEY PUBLIC KEY

1EBHA1ckUWzNKN7BMfDwGTx6GKEbADUozX

BITCOIN ADDRESS

coinbase.com

coinbase.com

coinbase.com

TWO TYPES OF BANKS

us them

coinbase.com

Observe Orient Decide Act

coinbase.com

VPC

IAM

NACL

SecurityGroups

RouteTable

ShareSnapshotCloudtrail

Flow Logs

DENY

Geo

Volume

Misconfiguration

Data Exfiltration

Anomalous Activity

coinbase.com

Cloudtrail S3

→Lambda

→Kinesis

→ →

coinbase.com

→

coinbase.com

→

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

2015 Verizon Data Breach Investigations

Report

2/22 google trends search for “glibc”

2/22 google trends search for “glibc”

Friday → Weekend!

coinbase.com

“Asset Discovery”

“Digital Footprint Detection”

“Unknown Asset Indexing”

coinbase.com

Know Your Infrastructure

Patch Your Infrastructure

coinbase.com

Know Your Infrastructure

Patch Your Infrastructure

coinbase.com

coinbase.com

api

coinbase.com

30 Day Project

No Coinbase Server Lives > 30 Days

coinbase.com

www api admin

coinbase.com

30 Day Project

- Automation - Codification - Knowledge Sharing - Disaster Recovery

coinbase.com

30 day plan -> impact on automation AWS Cache, Discovery & Charting

5

0

coinbase.com

Know Your Infrastructure

Patch Your Infrastructure

coinbase.com

coinbase.com

coinbase.com

Disclosure Feb 17, 2016_________________________________________________________________________________________________________________________

Discovery < July 13, 2015

?

“At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence

agencies”

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

https://xkcd.com/1353/

Secure By $$$ Optimization -or-

Secure By Design?

https://www.washingtonpost.com/blogs/the-switch/files/2014/02/mainroom.jpg

Secure by $$$ Optimization -or-

Secure by Design

coinbase.com

coinbase.com

coinbase.com

shamir secret

sharing

m-of-n

coinbase.com

multisig transaction

3-of-5

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

~99% of bitcoin will never touch a routable electron

… and neither should your root MFA tokens!

coinbase.com

coinbase.com

coinbase.com

coinbase.com

coinbase.com

Self Service IAM

coinbase.com

Self Service IAM

coinbase.com

Self Service IAM

coinbase.com

Self Service IAM

coinbase.com

Self Service IAM

coinbase.com

Self Service IAM

coinbase.com

https://github.com/coinbase/self-service-iam

coinbase.com

coinbase.com

Cloudtrail S3 Lambda Kinesis

→ → → →

Accessing User Data via Metadata Service SSRF

https://tools.ietf.org/html/rfc6890

https://tools.ietf.org/html/rfc6890

EC2 Instance

169.254.169.254

https://github.com/Crypt0s/FakeDns

Resolution #1

Resolution #2!

coinbase.com

via @Lukasa https://github.com/kennethreitz/requests/issues/2008#issuecomment-40793099

coinbase.com

coinbase.com

1.Lookup IP Address 2.Validate IP Address Against RFC 6890 3.Make Request Bound to this Validated IP Address

Making A Safe Web Request inside Your Cloud

coinbase.com

Accessing User Data 1. Metadata Service SSRF

Accessing User Data 1. Metadata Service SSRF 2. AWS API

coinbase.com

coinbase.com

11911 actions x 471 servicesPolicies Are Hard

coinbase.com

11911 actions x 471 servicesPolicies Are Hard

instanceType ebsOptimized deviceMapping

shutdownBehavior userData

coinbase.com

11911 actions x 471 servicesPolicies Are Hard

instanceType ebsOptimized deviceMapping

shutdownBehavior userData

coinbase.com

coinbase.com

ec2:Describe* ec2:DescribeInstance ec2:DescribeInstanceAttribute

Write Explicit IAM Policies

coinbase.com

Cloud Can Be Very Secure

Insight Without Access

Security Through Consensus

Security Can Empower

coinbase.com@rwitoff

Thanks!