Operations security - SyPy Dec 2014 (Sydney Python users)

Posted on 09-Jul-2015



Operations security - opsec - with some Python related tips

Transcript of Operations security - SyPy Dec 2014 (Sydney Python users)

OPSEC - operations security

Mikko Ohtamaa SyPy / Sydney / Dec 2014




Agenda:

Background

Team security

User security

Infrastructure security

Person-to-person Bitcoin exchange

Bitcoin users are high value targets

Team security

Encrypt devices: computers AND phones

Two-factor authentication on inbox and site admin

Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ



Password manager (KeePassX)

SSH keys, tied to your computer login

User security

Passwords are dead

Password-stealing attacks by keylogging and cache-reading malware

Strong passwords give only limited additional protection

Login attempt throttling

Threshold on logins per IP: stops the script kiddie hammering from one host

Threshold per username: stops a targeted ("spearhead") brute force against one account

Threshold on all logins per minute: catches a distributed botnet attack that stays under the per-IP limit
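The three thresholds above, implemented as one sliding-window throttle. This is an added example, not code from the talk; the limits, the window length and the fake clock are hypothetical, and only failed attempts are counted so that a legitimate user logging in normally never trips their own limit:

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window login throttle with three scopes: per IP, per username, global.

    Added example (not the talk's code). Default limits are hypothetical; tune them
    to your traffic. Counts failed attempts only, over `window` seconds.
    """

    def __init__(self, per_ip=10, per_user=5, global_per_minute=300, window=60, now=time.time):
        self.limits = {"ip": per_ip, "user": per_user, "global": global_per_minute}
        self.window = window
        self.now = now                      # injectable clock, so the demo is deterministic
        self._events = defaultdict(deque)   # key -> timestamps of failures, oldest first

    def _live(self, key, now):
        """Drop timestamps older than the window and return the remaining queue."""
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def _keys(self, ip, username):
        # username is lower-cased so "Alice" and "alice" share one bucket
        return (("ip", ("ip", ip)),
                ("user", ("user", username.lower())),
                ("global", ("global",)))

    def check(self, ip, username):
        """Call BEFORE verifying the password. Returns (allowed, scope_that_blocked)."""
        now = self.now()
        for scope, key in self._keys(ip, username):
            if len(self._live(key, now)) >= self.limits[scope]:
                return False, scope
        return True, None

    def record_failure(self, ip, username):
        """Call after a failed password / 2FA check."""
        now = self.now()
        for _scope, key in self._keys(ip, username):
            self._events[key].append(now)


def simulate():
    """Deterministic walk-through with constructed traffic (RFC 5737 test addresses)."""
    clock = [1000.0]
    throttle = LoginThrottle(per_ip=3, per_user=2, global_per_minute=4, window=60,
                             now=lambda: clock[0])
    out = []

    def attempt(ip, user):
        ok, why = throttle.check(ip, user)
        out.append((ip, user, ok, why))
        if ok:
            throttle.record_failure(ip, user)   # every attempt in the demo fails

    attempt("203.0.113.7", "alice")     # allowed
    attempt("203.0.113.7", "alice")     # allowed
    attempt("203.0.113.7", "alice")     # blocked: "user" (2 failures on alice)
    attempt("203.0.113.7", "bob")       # allowed (the IP now has 3 failures)
    attempt("203.0.113.7", "carol")     # blocked: "ip"
    attempt("198.51.100.9", "dave")     # allowed (4 failures site-wide)
    attempt("198.51.100.10", "erin")    # blocked: "global" (botnet signature)
    clock[0] += 61                      # the window slides past every failure
    attempt("203.0.113.7", "alice")     # allowed again
    return out


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Two caveats when deploying this: take the client IP from `X-Forwarded-For` only when the request really came through your own proxy (otherwise the attacker picks their own bucket), and remember that users behind carrier NAT share an IP, which is why the per-IP limit is the loosest of the three.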



Two-factor authentication for your users

Time-Based One-Time Password Algorithm

TOTP, a.k.a. Google Authenticator, RFC 6238

Does not require a Google account; open-source apps are available

Time-ticking keycodes generated by a mobile app (the code rolls over every 30 seconds by default)

HMAC-Based One-Time Password Algorithm

HOTP, RFC 4226, a.k.a. paper codes: a printed list of single-use codes, each valid only once and in sequence

Common in EU banking, unheard of in some countries

SMS

Yubikey

As a service: authy.org

For Django: https://github.com/miohtama/


Third factor

Users accidentally give out their credentials

Recycled passwords (bought on the black market)

Phishing (Google AdWords first-link stealing)

Phishers may get two-factor codes too

Third factor parameters

Identify the web browser (a long-lived "permacookie" set on first login)

Identify the country of IP address

The reputation of IP address (botnet, Tor, VPS)

IP address whitelist
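The four parameters above combined into a simple risk decision that runs after the password and second factor have already passed. This is an added example, not code from the talk: the GeoIP and reputation tables are constructed stand-ins for a real database and feed (using RFC 5737 test ranges), the cookie key is a placeholder, and the scoring thresholds are a hypothetical policy. The permacookie is HMAC-bound to the user so a phisher who has the password and a 2FA code still cannot claim to be a known browser:

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed lookup tables standing in for a GeoIP database and an IP reputation
# feed (projecthoneypot-style). All ranges are RFC 5737 documentation addresses.
GEOIP = {"203.0.113.0/24": "AU", "192.0.2.0/24": "AU", "198.51.100.0/24": "RU"}
REPUTATION = {"198.51.100.0/24": "vps", "192.0.2.66/32": "tor-exit"}

# Hypothetical placeholder; in production load a random key from config, never commit it.
COOKIE_KEY = b"change-me-32-bytes-of-random-server-secret"


def issue_browser_token(user_id: str, browser_id: str = None) -> str:
    """Mint the permacookie: random browser id + HMAC tying it to this user."""
    browser_id = browser_id or secrets.token_hex(16)
    tag = hmac.new(COOKIE_KEY, f"{user_id}:{browser_id}".encode(), hashlib.sha256).hexdigest()
    return f"{browser_id}.{tag}"


def browser_known(user_id: str, token) -> bool:
    """True only if the cookie carries a valid MAC for THIS user (constant-time compare)."""
    if not isinstance(token, str) or "." not in token:
        return False
    browser_id, tag = token.split(".", 1)
    expected = hmac.new(COOKIE_KEY, f"{user_id}:{browser_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


def lookup(table: dict, ip: str):
    """Longest-prefix is not needed for these toy tables; first matching CIDR wins."""
    addr = ipaddress.ip_address(ip)
    for cidr, value in table.items():
        if addr in ipaddress.ip_network(cidr):
            return value
    return None


def assess_login(user: dict, ip: str, cookie) -> tuple:
    """Return ("allow" | "step-up" | "deny", reasons).

    "step-up" means re-prompt for 2FA or send an e-mail confirmation link.
    A user-configured IP whitelist is a hard rule; the other signals are scored."""
    whitelist = user.get("ip_whitelist", [])
    if whitelist and not any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in whitelist):
        return "deny", ["ip not in user's whitelist"]

    score, reasons = 0, []
    if not browser_known(user["id"], cookie):
        score += 1
        reasons.append("unknown browser")
    country = lookup(GEOIP, ip)
    if country != user["home_country"]:
        score += 1
        reasons.append(f"country {country} != home {user['home_country']}")
    reputation = lookup(REPUTATION, ip)
    if reputation:
        score += 2
        reasons.append(f"ip reputation: {reputation}")

    # Hypothetical policy: any single weak signal asks for step-up, a bad-reputation
    # address plus anything else is refused outright.
    if score == 0:
        return "allow", reasons
    if score >= 3:
        return "deny", reasons
    return "step-up", reasons


if __name__ == "__main__":
    alice = {"id": "alice", "home_country": "AU"}
    token = issue_browser_token("alice")
    print(assess_login(alice, "203.0.113.5", token))   # known browser, home country
    print(assess_login(alice, "198.51.100.7", None))   # unknown browser, abroad, VPS range
```

Note what the whitelist rule does not do: it never lowers the score, so a whitelisted IP still gets a step-up challenge if the browser is unknown. That matches the talk's point that the third factor exists for the case where the first two have already been phished.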


"Tinfoil never too tight" attacks

Trojan kits with Bitcoin sites "autosteal"

Browser add-ons modifying payment data in flight

Android and iOS malware

SMS capture attacks

Malicious Tor exit nodes



Infrastructure security

fail2ban: a daemon that blocks IPs by continuously analysing log files

(e.g. Apache, SSH, custom application logs)
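A fail2ban filter and jail for a custom application log, as an added example (not the talk's or the fail2ban project's own configuration). The application name, log path and log line format are hypothetical; the filter keys on the `<HOST>` placeholder that fail2ban substitutes with its IP-address pattern:

```ini
# /etc/fail2ban/filter.d/myapp-login.conf   (hypothetical application name)
[Definition]
# Constructed log line this filter matches; fail2ban strips the timestamp before
# applying failregex, so the pattern starts at the message itself:
#   2014-12-04 10:22:13 WARNING login failed user=alice ip=203.0.113.7
failregex = WARNING login failed user=\S+ ip=<HOST>\s*$
ignoreregex =

# /etc/fail2ban/jail.local
[myapp-login]
enabled  = true
filter   = myapp-login
logpath  = /var/log/myapp/app.log
findtime = 600
maxretry = 5
bantime  = 3600
action   = iptables-multiport[name=myapp, port="http,https"]
```

Check the filter against a real log before enabling the jail with `fail2ban-regex /var/log/myapp/app.log /etc/fail2ban/filter.d/myapp-login.conf`, which reports how many lines matched. If the application sits behind a reverse proxy, log the client address the proxy forwards (not the proxy's own), or the ban will hit the proxy.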

Attack mitigation as a service (proxies): cloudflare.net

Whitehat bounty programs: crowdcurity.com

Known bad IPs: projecthoneypot.org

Hosting provider and physical attacks

Store databases and logs on encrypted partition (LUKS)

Backups as encrypted only: duplicity, GPG

Server-to-server connections: SSH, VPN

Virtual machines are always unsafe: whoever controls the hypervisor can read guest memory and disk


Server security monitoring

Log server; FSS (forward secure sealed) logs

Intrusion detection (OSSEC)

Firewalling



opensourcehacker.com Open Source Hacker

