A piece on “OpSec” and Events/Hackathons/Barcamps
I thought everything that could be said about how to stay half-assed secure at conferences and other nerdy events and environments had already been said. Let me tell you about some mistakes that I made. This is aimed at the halfway tech-savvy, from a half-assed programmer. Please correct me in the comments if necessary.
Note: I am writing this from a first-person view just for a more readable text and reader enjoyment. I am not endorsing or engaging in hacking at community events. My point is: get your shit together. It is easy.
- Don’t bring your workbox.
Probably the best advice one can give here. Where there is no data, there is no problem. To how many services are you connected? How many pieces of paper did you sign before you got access to X and downloaded it? I have news: the result of that signing is a cookie or some other session auth thingie that you got after giving company Y's server a username and password. That is what I may want, to start reading your email, starting virtual machines, or just writing to your team that you will come out, transform to whatever your gender is NOT at the moment, and demand to be addressed as "Your Highness" in the future. SSD drives get big, and we developers are not doing a good job at keeping them clean. That 200 GB dump of the user table you used last time to debug that problem? Publishing modules on npm? Same thing. npm remembers logins in a session. What stops me from publishing some exploit to your users labeled v2.0.0?

On the other side: what does an attacker really KNOW about that computer? That you, the human, will carry it to work, where you have perfect credentials in your home network. Infecting a computer is done in a very short time, and if you are working in any kind of organization that handles money: leave your shit at home. To which IP(s) and ports exactly is that well-crafted software of yours trying to speak? In a public network, with not only a great community, but also contenders on markets. Leave that shit at home. If you work in a big company, go to your security-aware ADMIN, tell him where you are going and let him help out. Seriously, covering the risk on your dev box might justify a smaller, more mobile computer (MacBook Pro replaced by an Air for the conference).

By the way: encryption will not help you. At an event or hackathon, your box will be up and running all the time. Filesystem encryption and a long password are implied anyway. And don't leave the box unattended. Drive-by exploits, totally CSI Cyber style, google this shit ;) it's real and it is damn cheap.
- Protocol Encryption and Auth
For all open ports and resources, maybe of your hackathon project, have a username and password configured and use the S variants of the protocols: HTTPS and a password for any port serving a website from your localhost. All dev servers, all REST endpoints, everything. Just don't start a blank version of anything without auth. You are now safe from a lot of script kiddie attacks. And NO, localhost is not local. RTFM. Just make sure everything that speaks IP and protocols uses usernames and passwords. Big in the game: Redis for a remote code execution that writes to the SSH known hosts file, or MongoDB with defaults and no password. Access to pgsql/mysql: data sinks open up. One does not simply run a relational DB and store no data in it.
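As an added example (not from the original post), a small audit script that parses `ss -tlnp` output and ranks what is reachable from the event LAN, treating the services named above (Redis, MongoDB, PostgreSQL, MySQL) on their default ports as the worst case; the sample output and the port table are constructed assumptions.

```python
import re
import subprocess
# Services the post names as dangerous without a password, on their upstream
# default ports (assumption: you did not change the port).
RISKY_PORTS = {6379: "redis", 27017: "mongodb", 5432: "postgresql", 3306: "mysql"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Constructed sample in the format of `ss -tlnp` (Linux), not real output.
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1,fd=6))
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*          users:(("mongod",pid=2,fd=11))
LISTEN  0       511     *:8080               *:*                users:(("node",pid=3,fd=20))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=4,fd=5))
"""
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")

def parse_listeners(text):
    """Return (address, port, process) for every LISTEN line in `ss` output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port, proc = m.groups()
        name = re.search(r'\("([^"]+)"', proc)
        out.append((addr, int(port), name.group(1) if name else "?"))
    return out

def classify(listeners):
    """Rank listeners: LAN-reachable no-auth defaults first, loopback-only last."""
    findings = []
    for addr, port, proc in listeners:
        local, risky = addr in LOOPBACK, port in RISKY_PORTS
        if not local and risky:
            sev, why = "high", f"{RISKY_PORTS[port]} reachable from the LAN, defaults have no password"
        elif not local:
            sev, why = "medium", "reachable from the LAN, needs auth and TLS"
        elif risky:
            sev, why = "low", "loopback only, still set a password"
        else:
            continue  # loopback-bound and not a known no-auth default
        findings.append({"sev": sev, "addr": addr, "port": port, "proc": proc, "why": why})
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["sev"]])

def audit_live():
    """Run `ss -tlnp` on this box (Linux) and classify the real listeners."""
    text = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return classify(parse_listeners(text))
```

Run `audit_live()` on the dev box before you plug into the event network; anything rated high is a service the post says should never be started without auth.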
All normal traffic should be encrypted and sent via an SSH tunnel or proxy in order to avoid sharing local network resources with others, except for the ports that you WANT to share (see 2.). All traffic from the local network is evil. If you find a way to deploy the thing you are working on to an online service, even better. Do that via the tunnel, et voilà: as dangerous as before, but without 100 buddies in the same network, and your application has a totally different "localhost" environment there. You can even stay on pure 4G if your local legislation allows for cheap mobile web access. ;)
Do I need to let everyone know that my deploy comes from Docker Cloud, that I monitor metrics with a Prometheus instance, or that I am a CircleCI user? I can look at both sides of the screen of your MacBook: on one side the stickers will tell me, on the other the icons on the desktop or the bookmarks (remember: it is a sharing thingie, you let me look at your screen). App-wise: just bring what you need, and make sure of easy "web access" with whatever the smart admin gave you. Knowing this takes as little effort as searching for the tools of your choice plus "CVE". That will alert me every time there might be another attempt at owning you. In general, since you brought another box, just access what you need and don't put big-ass icons in the middle of the screen of the "Outlook Express 2017" your company installed for you (the OTHER admin, who does not care as much). OpSec also includes knowing what you are allowed to tell others and what not. Have a good conversation with your superior or someone else from your environment. Just manage expectations here beforehand. I have heard of hackathons ending up in bars and things getting funny. You better make a cut at what you are allowed to tell. No, not exactly that story ... everyone would find it funny, but make sure you realize: this is not a team-internal event. It's easy to mistake easy bonding at community events for trust. Especially when I involve alcohol.
TL;DR: I am just a software developer, but even I find myself at a nice community event that is accompanied by a "hostile network environment" and needs to be treated that way. As developers, we should take care of our dev boxes and their contents.
Bringing big data bait, having services without authentication or encrypted traffic, and telling everyone how to own you will not end in fun at all. 4 ports got closed and 3 services completely deactivated during the production of this blog post.