
We Love Containers: Exploits, Surprises, and Security

BSides TLV · 2018 · 16:06 · 110 views · Published 2018-07
About this talk
Elissa Shevinsky examines container security in Docker and Kubernetes, critiquing their insecure defaults and misconfiguration vulnerabilities. She walks through real-world attack vectors, including malicious Docker Hub images and exposed Kubernetes clusters, and argues for secure-by-default design in containerization platforms.
Original YouTube description
We love containers - Elissa Shevinsky BSidesTLV 2018 - Tel Aviv University - 19 June 2018
Transcript [en]

You ready? Yeah, everyone can hear me? Yes. Hey, we're all set. So thank you for this warm introduction. This is actually, this is actually a really big deal for me to be here, so I'm gonna just tell that story really fast. I was living here ten years ago in Yerushalayim, a Haredi housewife. So we were running a software firm, and I was like, you know, we were hacking and stuff, but I really didn't leave the house much, and I was also extremely shy. So I would see the things going on in Tel Aviv from my little house, baking my Shabbat bread, you know, in a float, and I, like, wanted to be here so badly and I just didn't know how to make that happen, like, at all. I was so shy I wouldn't even tweet, and it was, yeah, like I made my account and I did nothing with it. And I had this dream that someday that would be different for me, and ten years later, you know, it was like a big journey. It took me through Silicon Valley first; I overcame the shyness and started to do more stuff, and eventually got to a place where I can be here, not just, like, going to meetups and hanging out, but actually sharing some stuff with you. So this is like a really exciting day for me, so thank you.

Of all the things I've done recently, this is really closest to my heart, so thank you, BSidesTLV. Let's get into it. We are here today talking about containers: exploits, surprises, and security. My name is Elissa Shevinsky, and for a bit I thought I would be a developer advocate, and this talk was, like, prepackaged for all of that, you know, and it was a lot more corporate. And a lot of the people who talk about Kubernetes, talk about containers, are beholden to the companies that they work with. I'm beholden to Soho Token Labs, my 22-year-old co-founder, who is like a really badass hacker and is not going to be mad if I say some things about Kubernetes or about Docker. So I'm really excited about this talk, because there aren't that many people on the circuit talking about Kubernetes and Docker who can really, like, say these things that we need to say. So I'm really stoked about that; I think that's special. Oh, I'm sorry, the UI on this is a little different than I expected; I'm not seeing what you're seeing on my screen.

"Software is eating the world." Marc Andreessen famously said that in 2011. Okay, fair, that was true, but containers are now eating software. That's me saying that in 2018. Yeah, it's cool how fast things change, and containers are really cool, so I'm gonna talk a little bit about them. I'm gonna talk a little [ __ ] about them, but containers are, they're very cool. But the problem is insecure defaults are also eating your containers. They're eating your AWS instances, and that's a problem.

So let's talk a bit about containers. Just to start, let's talk about the promises that they make to us. Start with Docker. What is Docker? Does anyone in the audience want to tell me, what is Docker? Truth? That's fair. Anyone else? It's a cgroup? Okay. Well, they claim that they're the world's leading containerization platform. I'd argue that may or may not be true anymore, but it's okay that they say that. Their promise is also security. They also say that, they say that you can deliver applications safer across the entire lifecycle with built-in security capabilities and configurations out of the box. Just launch Docker and you're done. That's the promise: out of the box. That sounds really good, right? Like, just launch it, security's done, I'm a regular developer, I don't have to think about it too much. So we are gonna hold them accountable on that, 'cause it's really not true.

Very recently, just a few days ago in fact, I only heard about it from one of the other speakers last night: a series of malicious cryptojacking files that were stored on Docker Hub have been downloaded more than 5 million times over the last year, used to mine over $90,000 worth of Monero. And that's Docker Hub. That looks really official, right? Like, they're scanning what's there and they're making sure that you're not downloading malware, right? Like, I have kind of enterprise-y expectations about a site that's also promoting DockerCon. So, high level, because I'm gonna publish the slides later: here's the timeline around Docker Hub, and zooming in, the registry was created in 2017, then the first complaint very soon after, lots and lots and lots of complaints, and very recently it's basically like a crypto-mining botnet. So here's a quote from one of the blogs that did a good job of encapsulating this: "For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best." So yeah, optimism, right? Optimism is a beautiful thing, but maybe less optimism in our software development.

And so I originally thought this talk would really be a lot about Docker, because containers started with Docker, and Docker's so important, Docker's being used so widely. But the truth is, here we are: Docker is dead. That's from my friend Chris, who did some excellent talks in the States. So yeah, we're gonna stop with Docker. I've said my piece about it, because Docker as a company just doesn't have the future that we would hope that it has. And if you want to talk about the, like, economics of making an open-source project sustainable, I'm absolutely a hundred percent here to think and talk about that, and I really respect what Docker's trying to do, but Kubernetes came in and ate their lunch. They didn't really have a business model, one of the co-founders left, and so that's my explanation to you for why the rest of the talk is, like, not about Docker despite being about containers. So, you know, here's to having a business model. Please have a business model so you can stay in business.

Docker is dead, so we're gonna talk about Kubernetes now. What is Kubernetes? All right, from the audience, shout it out: what is Kubernetes? Yeah, it's an orchestrator. That's like the best summation. What else is Kubernetes? Insecure by default? Yes. Well, then you just summarized my talk, I can get off stage, you want to come up? Anyone else? Do I see hands, or did that shot of whiskey take its toll? You're a little blurry. All right, so according to Google, Kubernetes is the industry-leading open source container orchestrator, which powers Kubernetes Engine. So that's true, that's a true statement, and that statement is fine. And the promise is that Kubernetes can in theory be, like, really terrific security. So this diagram isn't, like, the best for you to view from your seats, but it basically shows some of the defense-in-depth that's possible with containers and with Kubernetes, and when configured properly it's a really powerful tool.

So I think Kubernetes is really cool for big companies that can do the configurations and can support it, and one of those companies is Google. The Google Cloud website is really informative: "Containers at Google: a better way to develop and deploy applications." Google has gone so far as to say that it is the Google way: "From Gmail to YouTube to Search, everything at Google runs in containers," and they operate an unprecedented two billion containers a week. So, like, that's a lot. So that's the, like, containers are eating software, right? Like, it's really taking over, it's very interesting, and we need more security people diving into containers. I'm designing cryptocurrency now, so, like, someone come up and do this instead of me next year.

Here's the problem with Kubernetes: the CIS benchmarks. It's a very long list. It's just so much to do, the configuration; it is not secure out of the box. And by the way, these CIS benchmarks, they're very thorough and they did a good job, and, like, thank you, CIS benchmarks, but this is not prioritized, and so it's just, you know, your list of 300 things that you have to do. It's a lot. It's a lot for, like, a two-person team. My team's two people; I don't think we're gonna do this. And I really wanted to show up here today and talk to you about fancy exploits, 'cause you're kind of fancy hackers and I'm a fancy girl, it's true. So I'd advise to get fancy and talk about, like, Spectre and Meltdown, which, by the way, like, came about through, like, Matt Blaze's research facility that's funded by, like, the DoD, and, like, this just ended up as, like, a weird outgrowth of that funding. Just, like, hooray for, like, weird academic research, yeah, right. So I really wanted to talk to you about fancy exploits, but I'm just gonna talk about the oldies but goodies: good old misconfiguration, because that's what's actually going on here.

This is my favorite slide, because it's a container that's on fire. It's a trash fire. It's a container trash fire, because Kubernetes has so many attack vectors, and they just don't have to be that way. This is a choice. This is a design choice made by the people at Kubernetes, who are people at Google, who have decided this is how they want to do the software. So, you know, you love trash, you get a trash fire. I love trash. You love insecure-by-default, you love trash. It's trash, right? It's trash heaven. Secure defaults: defaults should be secure. But it's not just me, right? Like, say something, or, like, do you agree? Let me know if you agree. Yeah, it should be secure by default.

So I used to go into this a lot harder and kind of take on the individual person at Google who's been, like, contributing to this, I think more than other people publicly, but I was approached by Red Hat and they're like, you need to sit down and, like, not be so mean, and I'm like, okay. Because, you know, I think what happened is Kubernetes, they didn't think that it would be used in production. That explains a lot, doesn't it? 'Cause, you know, at Google there are, like, so many projects at Google and they're all moonshots if they're not, like, making money from ads, and so people just do stuff and they don't think that it's going to, like, eat the world. And so Kubernetes is catching up now on security, like so many things; it's this thing after the fact. So my hope is that me, like, really taking them on at some other events a bit too much has communicated that the security community is watching, we care about those, and in the meantime we can have some fun with it.

I'm a little new to containers, admittedly, and so this isn't my original research; this is, like, really cool stuff that I found and I really want to share with you, and then you go, and what you do with it is not my business. You're responsible adults, I trust you, you look, like, trustworthy. So we're used to taking very strong measures... just that... two more minutes? Oh wow, I misinterpreted the timing by a lot. Let's go really fast. Two more minutes. All right, so here are people fighting over the clusters. Here's the Tesla hack. We're gonna do this in super fast motion and then I'm gonna put it on the website. It says 12:18 here; I thought it was still 12:30, my apologies. There, so the hackers are doing a very good job of hiding themselves.

And here's what I really want to show you, I'm glad that you appreciate this. So here's a bunch of things that are insecure by default. Someone commenting on GitHub: is there a CVE for this? And the folks from Google are saying it's a misconfiguration, not a CVE. Thanks, it's fine. And here's Shodan, so this is what I think you're gonna love: you can just type in "kubernetes master" and you can just find all the vulnerable Kubernetes instances, and, you know, here's some common vulnerabilities that you can look for on Shodan. There are a lot of security problems and they're just known. This is the problem, that they're known. You look at etcd and they say this feature is off by default to preserve backwards compatibility. So, you know, the authentication was a completely open system; anyone with access to the API could change the keys. You know, we're gonna leave this insecure for backwards compatibility, no big deal. So, you know, here's some information on the port, it leaks all kinds of passwords, and here are the vulnerabilities to look for, and here's what you type in to Shodan.

Let's keep going. Tools that I like: Clair, CoreOS, is good. Anything made by Kubernetes is actually pretty good. kube-bench is good; here's what you get for output. Heptio, very good, and they're hiring and they're remote. That's good money in Israel, yeah. You want jobs in America, you come to me. And let's wrap this up, there's so much here. I love this slide. A round of applause for me, because, you know, I'm not shy anymore.

And here's my contact info, because there's just so much here. So, like, DM me or email me or find me on Facebook or on LinkedIn and we can talk, like, all the container stuff or really, like, any hacker things that you want. And, like, seriously, it's a dream for me that I'm here at BSidesTLV; this is, like, clearly the gem of cyber week. So let's give it up for them.

Elissa, thank you so much, that was amazing and very fast. So thank you once again to Elissa for coming all the way to join us. [Applause]