Security – Yvan Boily

Heartbleed Cheatsheet

Heartbleed Cheatsheet:

Upgrade OpenSSL on all of your existing software
Propose projects to remove infrastructure that can’t be upgraded (if your vendors haven’t shipped a patch, get new gear)
Force users to update credentials (YMMV depending on what you do, either force a re-auth, or password resets)
Apologize to your users for not dealing with this weeks ago.

If your employer won’t let you do these four things, the next thing to do is find a new job.

Anything less would be unprofessional.

Since Jim asked, this cheat sheet is licensed under the Mozilla Public License, and I will happily license it under other suitable licenses if needed

Security in the Open, BSidesWinnipeg

I gave a talk on November 17th at BSideWinnipeg called Security In the Open. It was really fun to head back to Winnipeg for a beautiful November weekend, and catch up with some of my former colleagues!

Update: You can watch the talk on Youtube below:

Making Security Tools accessible for Developers

I gave a talk at AppSecEU 2013 on August 23rd about Minion, and talked about some of the things we are doing to make the security testing more available to the Mozilla community.

Update: You can watch the recording below:

Security @ Mozilla

I gave a talk at RMLL on July 6th on the structure and organization of the security team at Mozilla, and how we built and supported the security of websites and services across the community.

The talk can be viewed via the RMLL site, or below!

Working in security I spend a fair amount of time reviewing and looking at work other people do. Turns out when you do that for 10 years, eventually people start seeing you like this:

While some of the things I have seen make [2] me feel that way, the reality is that I have tried to spend most of my career helping people to try to do things better, not to stop them doing new and cool things.

I have lost count of the number of times someone has said in a meeting “We can’t do that, security won’t let us!” with me sitting right there! Ok, fair enough, sometimes it’s true, but most of the time we are really trying to say “Not like that!”. You need a remote access solution? Sure, but lets but that RDP service behind a VPN. Need to install a new, untested web service on our domain? Ok, but why don’t we do some testing and maybe some fuzzing on it first. You want to ship all of our employee data to that 3rd party? Lets have a chat with them first so that we can make sure their security practices are reasonable first.

If I am talking to you about a security issue and you think I just said “No”, make sure you listen the rest of the “t like that!” because I am probably trying to help you[1]!

[1] The exception to the rule is if you are talking about PHP or Perl. Then I mean no.

[2] Circa 2016, I started to come around on WordPress, as the automatic update features and PHP’s overall maturity started to improve.

#BSidesSF 2012 videos are up…

The BSidesSF 2012 videos are up on BrightTalk; you can watch my presentation below; the slides to accompany the video can also be found here.

If you have any questions about the content, feel free to contact me (my contact info is on the last slide).

Security Conferences are making me sad…

Over the course of my career I haven’t had the opportunity to attend many security conferences, for two reasons:

the organizations I worked for didn’t really support sending staff
I tend to be socially awkward, and have difficulty talking to people

When I started at Mozilla I was super excited about both attending and participating at conferences since not only could I actually attend them, but pretty much everything important that we do at Mozilla is done in the open! Since presenting and participating in security conferences would help me work on the social anxiety bit, and I would learn stuff, it was a huge win!

The conferences I attended several years ago left me inspired, excited, with a pile of ideas for problems to tackle, and tools to develop. The conferences I have attended in the last year have left me thinking “That was a really great rehash of stuff that has already been done to death, with a minor twist at the end.”

To a certain extent this is likely the result of the degree of advances in the field. Ground-breaking, revolutionary new attacks are going to become increasingly rare; you can read more about why here, but basically, IT Security and InfoSec is starting to mature as a research field. Another reason why is the increasing desire to extract direct value from security research; if it can’t be used for marketing, or sold explicitly in a vulnerability market, the it is a trade secret that can be rehashed as special consulting secret sauce. Coupled with the proliferation of security conferences of varying degree of quality, and the glut of “me too” presentations, I think this is going to get worse before it gets better (at least for offensively focused conferences)

Despite my concerns on this, I have continued to attend because I still want to build a better network; first, because sharing ideas and info is fun and cool, and second, because we have a bunch of neat open jobs, and talking to smart people about Mozillas mission and work is a great way to try to recruit people! Unfortunately this also makes me sad. At virtually every conference I have been to, it is virtually impossible for me to ‘meet people’ and ‘network’. I blame myself for this because of the reason listed above, but it is also the result of the cliquey nature of communities.

There are some exceptions to my conference malaise, and those were the BSidesSF events; even though the talks were less engaging[1] this year than they were in 2011. The BSides events were very interesting because although there were still cliques, they were easy to mix into. The groups were small, and the attitudes of people generally more positive, and everyone I spoke to was interested in chatting and getting to know people.

Rather than just complaining about it, I am going to try to do something about it. A few years ago I had the opportunity to present at a cool conference, but my employer at the time interfered. Now that Mozilla is actively promoting our mission, and supports pushing the security component, I am going to push hard to complete two distinct research projects over the next year, and aim to present the results and tools. Although either of the topics would likely be suitable for a major “mainstream” security conference such as BlackHat, RSA, (Can|Pac|Eu)Sec, I will aim to present at smaller regional conferences, or conferences that are focused on open communities such as MozCamp, OWASP, or BSides events.

My Projects

The first one builds on the Garmr tool that Mozilla released earlier this year, and will help security teams to perform low to moderate risk assessments at scale. I aim to present these application security tools at a conference in Q3 of 2012, with a tool release in late Q2 or early Q3. The focus of this tool will be implementing some the concepts and ideas I wrote about when I joined Mozilla, with the aim to enable teams to perform security work at scale.

The second one will be an attempt to combine some of the AppSensor / Attack Aware Application work that OWASP published with some really cool new technologies to take security event monitoring in a different direction. This is a joint project with another person and will not be ready until sometime in 2013.

I hope to see people at future conferences, and will continue to chip away at building a better network and meeting people, but I really hope that shifting focus can help me to recapture some of the inspiration I used to get from the security community!

[1] YMMV! Several of the talks touched on areas I have done work in the past, so there was not much new ground covered for me.

Opening Identity, BSidesSF

I gave a talk on federated identity protocols at BSidesSF last week, and again here in Vancouver yesterday. The slides for the talk can be found here

The talk can be watched online here:

Here are some other things I mentioned during the talk:

Mozilla Security AMA on Reddit

This post is cross-posted from the Mozilla Web Application Security blog.

Several members of the Mozilla Security team will participate in an AMA on reddit this morning. You can find it here!

Mozilla CTF Competition

This post is cross-posted from the Mozilla Web Application Security blog.

Announcing the Mozilla CTF hacking competition

Per the announcement during Frederik Braun’s presentation today, Mozilla will host a CTF event in January, 2012.

The Mozilla CTF will take place on January 25, 2012 (24 hours, PST). (Yes, this is a business day. Sorry)

The competition will be open for 24 hours to allow people from all over the world to participate.

Registration

This CTF is mainly aimed at the Mozilla Community and is designed to be accessible to people of all skill levels. There will be two registration phases, with the Community registration opening first. If you are a member of our community and are interested early registration, please reach out to your contacts within in Mozilla, or the CTF organizers (fbraun at mozilla.com, or yboily at mozilla.com)

Other players are still encouraged to join us, but please note that this CTF is mainly aimed at people who are new to Capture The Flags and the skill level has been adjusted accordingly.

Detailed information can be found at https://wiki.mozilla.org/Security/Events/CTF and you can watch this blog and follow @mozwebsec on twitter for updates.