Safely Drinking From The Fire Hose   @jschauma

Jan Schaumann
Señor Network Security Engineer
jschauma@etsy.com
B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5

I <3 logs!

web logs, mail logs, system logs, vpn logs

08/28/12

Log Bongzilla, aka Splunk

Logs go in… security alerts come out.
(Is this how Octocat came to be?)

Splunk Alerts FTW!

YO DAWG, I HERD YOU LIKE LOGS
SO I PUT SOME LOGS IN YOUR LOGS
SO YOU CAN SPLUNK WHILE YOU SPLUNK

sudo make me a sandwich

Know your patterns.

[Chart: VPN Connections over time, annotated "July 4th was a Wednesday", "People slacking off early on a Friday, eh?" and "People making up for last week?"]

That was unexpected…

XSS detection

[Chart: XSS detections over time, annotated "Announcement of Bug Bounty program: http://is.gd/UTZ5wD" and "code push to address reported vulnerabilities"]

Geolocate all the things!

XSS detection

IP          : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net
Geolocation : Even Yehuda, 02, IL
Whois       : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND
Requests    : 146
  Method : GET
  URL    : /suggest_username.php?first-name=test&last-name=onerror%3Dalert(0)%3E&email=shai%40exploit.co.il
  Method : POST
  URL    : /your/profile
  Data   : u'fb_avatar_url=&gender=female&city3=&new_city="><img src=x onerror=prompt(1);>&new_region=&new_countrycode=&new_latlon=,&city3_dup="><img src=x'
[…]

(13 minutes after we announced our security bug bounty program: http://is.gd/UTZ5wD)

SQLi detection

IP          : 216.185.114.219 - unknown
Geolocation : Jurong East, 00, SG
Whois       : ThePlanet.com Internet Services, Inc., ARIN, NET216
Requests    : 20
  Method : GET
  URL    : /listing/102946830/womens-shirt-beige-tunic-womens-blouse?ref=999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x
  Method : GET
  URL    : /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20
[…]

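The XSS and SQLi alerts above are produced by scanning request logs for the telltale strings, decoding the URL first, and rolling the hits up per source IP before enriching with geolocation and whois. The following is an added example of that detection loop; it is not Etsy's or the speaker's code, and the log lines, addresses, signatures and the geo/whois lookup table are all constructed here.

```python
"""Spot XSS / SQLi probes in web access logs and roll them up per source IP.

Added example in the spirit of the "XSS detection" / "SQLi detection" alert
slides; it is not Etsy's or the speaker's code.  The log lines, addresses and
the geo/whois lookup table are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format, user agent omitted).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Aug/2012:10:01:02 +0000] "GET /suggest_username.php?first-name=test&last-name=%3Cimg+src%3Dx+onerror%3Dalert(0)%3E HTTP/1.1" 200 512
198.51.100.7 - - [28/Aug/2012:10:01:05 +0000] "GET /suggest_username.php?first-name=%22%3E%3Cscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [28/Aug/2012:10:02:00 +0000] "GET /listing/1/shirt?ref=999999.9%27+union+all+select+0x31%2C0x32+and+%27x%27%3D%27x HTTP/1.1" 200 2048
203.0.113.9 - - [28/Aug/2012:10:02:01 +0000] "GET /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20 HTTP/1.1" 200 2048
192.0.2.44 - - [28/Aug/2012:10:03:00 +0000] "GET /listing/2/blouse?ref=shop_home HTTP/1.1" 200 4096
"""

# Constructed stand-in for the GeoIP + whois enrichment the slides show.
ENRICH = {
    "198.51.100.7": ("Example City, 01, XX", "EXAMPLE-NET-1, RIPE"),
    "203.0.113.9": ("Example Town, 02, YY", "Example Hosting Inc., ARIN"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures run against the URL-*decoded* request so %3C, + and %27 do not
# hide them.  They are deliberately narrow; tune them against your own traffic.
SIGNATURES = [
    ("xss", re.compile(r"<\s*(script|img|svg|iframe)\b|\bon(error|load|mouseover)\s*=", re.I)),
    ("sqli", re.compile(r"\bunion\s+(all\s+)?select\b|\bunhex\s*\(\s*hex\s*\(|'\s*=\s*'", re.I)),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(url):
    """Names of the signatures that match the decoded request (empty if clean)."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def detect(log_text):
    """Aggregate flagged requests per IP: {ip: {requests, kinds, samples}}."""
    hits = defaultdict(lambda: {"requests": 0, "kinds": set(), "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify(rec["url"])
        if not kinds:
            continue
        hit = hits[rec["ip"]]
        hit["requests"] += 1
        hit["kinds"].update(kinds)
        hit["samples"].append((rec["method"], rec["url"]))
    return dict(hits)


def format_alert(ip, hit, enrich=ENRICH, max_samples=3):
    """Render one alert in the layout the slides use."""
    geo, whois = enrich.get(ip, ("unknown", "unknown"))
    lines = [
        f"IP          : {ip}",
        f"Geolocation : {geo}",
        f"Whois       : {whois}",
        f"Requests    : {hit['requests']}",
        f"Kind        : {', '.join(sorted(hit['kinds']))}",
    ]
    for method, url in hit["samples"][:max_samples]:
        lines.append(f"  Method : {method}")
        lines.append(f"  URL    : {url}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, hit in sorted(detect(SAMPLE_LOG).items()):
        print(format_alert(ip, hit), end="\n\n")
```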
Know when people can’t log in…

High number of failed logins

Admin              : <username> (<internal login>, <site login>)
IP                 : 64.124.192.210 - 64.124.192.210.t01419-07.above.net
Geolocation        : Brooklyn, NY, US
Whois              : ETSY Inc, ARIN, NET64
# of failed logins : 13

Admin              : jschauma (jschauma, jschauma)
IP                 : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr-avec.ny.cable.rcn.com
Geolocation        : New York, United States
Whois              : RCN Corporation, ARIN, NET207
# of failed logins : 16

(doesn’t know what he’s doing; do not trust!)

Geolocate all the things!

“Unexpected” login detection

Admin       : <username> (<internal login>, <site login>)
IP          : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl
Geolocation : Rotterdam, 11, NL
Whois       : XS4ALL Internet BV, RIPE, DEMON-NL-DSL

Admin       : <username> (<internal login>, <site login>)
IP          : 217.192.56.102 - unknown
Geolocation : Zurich, 25, CH
Whois       : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 24.231.49.240 - unknown
Geolocation : Nassau, 23, BS
Whois       : Cable Bahamas, ARIN, CABLEBAHAMAS-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 200.49.191.120 - map120.network49.191.tigo.net.gt
Geolocation : Guatemala City, 07, GT
Whois       : COMCEL GUATEMALA S.A., LACNIC

I said: “Please insert girder!”

Identify scrapers.

Admin       : <username> (<internal login>, <site login>)
IP          : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com
Geolocation : Ashburn, VA, US
Whois       : Amazon.com, Inc., ARIN, NET50
Provider    : Amazon AWS
Count       : 7

Admin       : <username> (<internal login>, <site login>)
IP          : 207.228.237.110 - unknown
Geolocation : New York, NY, US
Whois       : HopOne Internet Corporation, ARIN, NET207
Provider    : HopOne
Count       : 1

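The three login alerts above (too many failed logins, a login from a country the admin has never used, a login from a hosting provider) all come from the same recipe: build a per-admin profile from past logins, whitelist the known office addresses, and flag what falls outside. The following is an added example of that recipe, not Etsy's or the speaker's code; the login events, the geo/whois table, the hosting-provider list, the whitelist and the threshold are all constructed.

```python
"""Profile admin logins and flag the ones that do not fit the profile.

Added example mirroring the "High number of failed logins", "Unexpected login
detection" and "Identify scrapers" alert slides; it is not Etsy's or the
speaker's code.  The login events, the geo/whois table, the hosting-provider
list, the office whitelist and the threshold are all constructed here.
"""
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP + whois lookup: ip -> (country, org).
GEO = {
    "192.0.2.10": ("US", "EXAMPLE-OFFICE-NET"),
    "192.0.2.11": ("US", "EXAMPLE-OFFICE-NET"),
    "198.51.100.5": ("US", "Example Cable Co"),
    "203.0.113.77": ("GT", "Example Mobile GT"),
    "203.0.113.88": ("US", "Example Cloud Hosting"),
}
# Organisations humans rarely log in from (hosting/cloud): a login from one of
# these is the "Identify scrapers" signal.
HOSTING_ORGS = {"Example Cloud Hosting"}
# Known office / VPN egress addresses: suppress location-based alerts for them
# (the "Reduce false positives. (Whitelists!)" point).  Failed-login counts are
# still tracked, since the slide's own example came from an ETSY Inc address.
OFFICE_WHITELIST = {"192.0.2.10", "192.0.2.11"}
FAILED_LOGIN_THRESHOLD = 10

# Constructed history of successful logins used to build each admin's profile.
HISTORY = (
    [("alice", "192.0.2.10", "ok")] * 3
    + [("alice", "198.51.100.5", "ok")] * 2
    + [("bob", "192.0.2.11", "ok")] * 3
)
# Constructed new events to evaluate: (admin, ip, outcome).
NEW_EVENTS = [
    ("alice", "198.51.100.5", "ok"),   # home ISP, country in profile: quiet
    ("alice", "203.0.113.77", "ok"),   # country never seen for alice: alert
    ("bob", "203.0.113.88", "ok"),     # right country, but a hosting provider
    ("carol", "192.0.2.10", "ok"),     # new admin, but from the office: quiet
] + [("bob", "192.0.2.11", "fail")] * 12  # brute force or fat fingers: alert


def lookup(ip):
    return GEO.get(ip, ("??", "unknown"))


def build_profiles(history):
    """Per admin, a Counter of countries they have successfully logged in from."""
    profiles = defaultdict(Counter)
    for admin, ip, outcome in history:
        if outcome == "ok":
            profiles[admin][lookup(ip)[0]] += 1
    return profiles


def make_alert(kind, admin, ip, count=None):
    country, org = lookup(ip)
    return {"kind": kind, "admin": admin, "ip": ip,
            "country": country, "org": org, "count": count}


def detect(events, profiles):
    """Return the alerts raised by `events` against the given profiles."""
    alerts = []
    failed = Counter()
    for admin, ip, outcome in events:
        if outcome != "ok":
            failed[(admin, ip)] += 1
            continue
        if ip in OFFICE_WHITELIST:
            continue
        country, org = lookup(ip)
        if org in HOSTING_ORGS:
            alerts.append(make_alert("hosting_provider", admin, ip))
        if country not in profiles.get(admin, {}):
            alerts.append(make_alert("unexpected_country", admin, ip))
    for (admin, ip), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(make_alert("failed_logins", admin, ip, count=n))
    return alerts


def format_alert(a):
    """Render one alert in the layout the slides use."""
    lines = [
        f"Alert       : {a['kind']}",
        f"Admin       : {a['admin']}",
        f"IP          : {a['ip']}",
        f"Geolocation : {a['country']}",
        f"Whois       : {a['org']}",
    ]
    if a["count"] is not None:
        lines.append(f"Count       : {a['count']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_profiles(HISTORY)):
        print(format_alert(alert), end="\n\n")
```

A real deployment would build the profile from weeks of history and refresh it as admins travel; the whitelist is what keeps the office and VPN egress from paging you every morning.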
Re-re-re-re-re-CAPTCHA

source="info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount

Of Liars and Outliers (good book, btw)

[Chart with an unexplained spike, annotated "wtf happened here?" and "Ooh, right… this: http://is.gd/fognju http://is.gd/0hRDLY http://is.gd/WxcA0r"]

This talk was too long!

Log it now, log it all.
Geolocate all the things.
Build profiles. (Creepy, I know.)
Reduce false positives. (Whitelists!)
Have defined reactions to all alerts.
Notice the outliers. Explain them.

That’s all, folks! Thanks!


Safely Drinking from the Data Waterhose
