The last bit of @devseccon is ongoing, go join! #DSC24

Or, just watch this 🎥 or read this 🧵 from my talk with @csoandy. We tell war stories of 5 watershed security incidents: FluffyBunny, Operation Aurora, DigiNotar, NotPetya and SolarWinds.

These are just some of incidents that inspired us to build @getBastionZero, which eliminates single points of compromise while providing zero-trust remote access to servers, containers and clusters. 2/x

bastionzero.com
We start with FluffyBunny.

The attacker overwrote SSH clients with malware. And the malware steals SSH keys. And this was in 2001!

🧐 This classic example illustrates why standing credentials are bad: if they are stolen today, they can be used to attack in the future! 3/x
Next, we have Operation Aurora from 2009.

The attacker compromises one machine, and then moves laterally to p0wn the whole network.

What do we learn?

🧐Segment your infrastructure!

🧐 Don't trust someone just because they are behind the VPN! 4/x
Next up is Diginotar, from 2011.

The attacker stole the Certificate Authority key from Diginotar, and started issuing fraudulent TLS certificates for Google and others.

This was a watershed moment for TLS security. 5/x
After Diginotar, the TLS ecosystem changed.

Certificate Authorities (CAs) were no longer trusted blindly. Technologies like Certificate Transparency were deployed.

All of this was done to limit the risk of CAs as a single point of compromise. 6/
Interestingly, even today, ten years after Diginotar, there are tools for zero-trust remote access to infrastructure that rely on Certificate Authorities (CAs).

These CAs are a single point of compromise. 7/
The Diginotar incident was very inspiring to us at @getBastionZero.

We set out to learn the lessons from Diginotar, and build a tool that provides simple remote access to infrastructure without relying on a single CA that can get hacked. 8/
Next up is NotPetya from 2017.

The ransomware compromised your machine if it visited the site of a hacked Ukrainian tax software product.

Then, once the machine was compromised, it stole the AD admin credentials for your domain. 8/
NotPetya exploited the fact that AD admin creds are usually reused across multiple machines.

So once the attacker stole the AD admin creds from one machine, it could log in as admin on many others.

And thus move laterally through your infrastructure. 9/
What do we learn from NotPetya?

🧐 Don't use standing credentials.

🧐 Don't use the *same* standing credentials across all of your infrastructure.

And...

🧐 Definitely don't do this with admin credentials. 10/
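The reuse pattern the thread describes, one admin credential replayed from a single foothold against many machines, is also something a defender can look for in logon telemetry. Below is an added example (not code from the thread or from BastionZero) of a minimal detector: it parses constructed logon lines in an assumed `key=value` layout and flags any account that reaches more than a threshold of distinct target hosts from one source host inside a short window. The event layout, thresholds and host names are assumptions for this example.

```python
"""Flag one account fanning out to many hosts from a single source (constructed data).

Added example, not the thread author's code. The log format below is a
made-up key=value layout; real sources (e.g. Windows 4624 events) need their
own parser but feed the same detector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon lines: admin hops to five hosts within minutes,
# alice only ever touches her own workstation.
SAMPLE_LOG_LINES = [
    "2017-06-27T10:00:00 Account=CORP\\admin Target=ws-01 Source=ws-01",
    "2017-06-27T10:02:10 Account=CORP\\admin Target=ws-07 Source=ws-01",
    "2017-06-27T10:02:15 Account=CORP\\admin Target=fs-02 Source=ws-01",
    "2017-06-27T10:02:20 Account=CORP\\admin Target=db-03 Source=ws-01",
    "2017-06-27T10:02:25 Account=CORP\\admin Target=ws-12 Source=ws-01",
    "2017-06-27T09:00:00 Account=CORP\\alice Target=ws-05 Source=ws-05",
    "2017-06-27T15:00:00 Account=CORP\\alice Target=ws-05 Source=ws-05",
]


def parse_logon_line(line):
    """Turn one 'timestamp key=value ...' line into (datetime, account, target, source)."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return (
        datetime.fromisoformat(parts[0]),
        fields["Account"],
        fields["Target"],
        fields["Source"],
    )


def find_credential_fanout(lines, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted target hosts} for every account that logged on to
    more than `max_hosts` distinct targets from the same source host within `window`.
    """
    by_account = defaultdict(list)
    for line in lines:
        ts, account, target, source = parse_logon_line(line)
        by_account[account].append((ts, target, source))

    alerts = {}
    for account, events in by_account.items():
        events.sort()  # chronological; sliding window starts at each event
        for i, (t0, _, src0) in enumerate(events):
            targets = {
                tgt for t, tgt, src in events[i:]
                if t - t0 <= window and src == src0
            }
            if len(targets) > max_hosts:
                alerts[account] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in find_credential_fanout(SAMPLE_LOG_LINES).items():
        print(f"ALERT {account} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are tuning knobs: a helpdesk admin legitimately touching a few machines an hour should stay under them, while a credential being replayed across a domain in seconds, as in the NotPetya description above, crosses them immediately.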
Finally, we have SolarWinds, from late 2020.

To me, SolarWinds is super interesting, because it demonstrates some of the risks from the recent mass-movement to Single Sign On (SSO).

On one hand, SSO is great, because it eliminates standing credentials. 11/
So, SSO eliminates standing credentials. Good! We learned our lesson from NotPetya and FluffyBunny!

And so, many modern zero-trust systems use SSO to control access.

What SolarWinds teaches us is: not so fast, folks. 12/
In the SolarWinds incident, the attacker stole the SSO key.

So, in many ways, SolarWinds is the modern day (2020) equivalent of the Diginotar incident (2011), where there is an overpowered authority whose keys get stolen. 13/
What do we learn from SolarWinds?

🧐 Don't rely on a single root of trust that could get compromised!

SolarWinds is another key incident that inspired our design of @getBastionZero.

BastionZero uses two independent roots of trust to control access to your infrastructure. 14/
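To make the "two independent roots of trust" idea concrete, here is an added toy model; it is not BastionZero's code or protocol, and the message layout, key names and use of HMAC-SHA256 in place of a real signature scheme are all assumptions for the example. A target only honours an access assertion that carries valid tags from both an IdP-style key and a second, unrelated key, so an attacker holding only the SSO key (the SolarWinds failure mode) cannot mint access.

```python
"""Access granted only when two independent authorities both vouch (toy model).

Added example, not the thread author's or BastionZero's code. HMAC-SHA256
stands in for signatures; the assertion fields are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time


def canonical(assertion: dict) -> bytes:
    """Deterministic encoding so both authorities tag exactly the same bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, assertion: dict) -> str:
    """Tag an assertion under one authority's key (HMAC as a stand-in for a signature)."""
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()


def verify_access(assertion: dict, tags: dict, idp_key: bytes, second_key: bytes, now=None) -> bool:
    """True only if the assertion is unexpired and BOTH roots of trust vouch for it."""
    now = time.time() if now is None else now
    if assertion.get("exp", 0) <= now:
        return False  # short-lived: no standing credential to steal later
    expected = {
        "idp": sign(idp_key, assertion),
        "second": sign(second_key, assertion),
    }
    # compare_digest on every tag; a missing tag compares against "" and fails
    return all(
        hmac.compare_digest(tags.get(name, ""), mac) for name, mac in expected.items()
    )


def demo() -> dict:
    """Run three scenarios and return their outcomes."""
    idp_key = secrets.token_bytes(32)     # root of trust 1 (SSO / identity provider)
    second_key = secrets.token_bytes(32)  # root of trust 2, held independently
    now = 1_700_000_000                   # fixed clock so the demo is deterministic

    assertion = {"sub": "alice", "target": "prod-db-1", "exp": now + 300}
    tags = {"idp": sign(idp_key, assertion), "second": sign(second_key, assertion)}

    # Attacker who stole only the IdP key tries to issue access for another principal.
    # They can produce the idp tag but not the second one, so they reuse the IdP key.
    forged = dict(assertion, sub="mallory")
    forged_tags = {"idp": sign(idp_key, forged), "second": sign(idp_key, forged)}

    return {
        "legit": verify_access(assertion, tags, idp_key, second_key, now),
        "idp_key_only": verify_access(forged, forged_tags, idp_key, second_key, now),
        "expired": verify_access(assertion, tags, idp_key, second_key, now + 600),
    }


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario}: {'ACCESS' if granted else 'DENIED'}")
```

The point of the model is in `verify_access`: the decision is a conjunction, so compromising either authority on its own leaves the attacker one tag short, and the expiry check keeps the assertion from becoming a standing credential of the kind FluffyBunny and NotPetya exploited.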
DM me on twitter or ping me on the #DSC24 slack if you'd like to see how BastionZero provides:

✨ Zero-trust remote access to cloud resources
✨ Elimination of single points of compromise
✨ Visibility into what your engineers are doing in your infrastructure.

That's it! 15/15