Hadoop Safari : Hunting For Vulnerabilities

Presented at BSidesLV 2017, July 26, 2017, 10 a.m. (55 minutes)

With the growth of data traffic and the need for large-scale data analysis, "Big Data" has become one of the most popular fields in IT, and many companies are currently working on this topic by deploying Hadoop clusters, Hadoop being the most popular Big Data framework today. Like every new domain in computer science, Hadoop comes (by default) with truly no security. Over the past years we dug into Hadoop and tried to understand its infrastructure and security.

This talk aims to present, in a simple way, Hadoop security issues, or rather its security "concepts", and to show the multiple vectors for attacking a cluster. By vectors we mean practical vectors, or to sum it up: how can you access the holy "datalake" after plugging your laptop into the target network? Moreover, you will learn how the Hadoop (in)security model was designed, with an explanation of the different security mechanisms implemented in core Hadoop services. You will also discover the tools, techniques and procedures we created and consolidated to make your way to the so-called "new black gold": data. Through different examples, you will see how these tools and methods can easily be used to get access to data, but also to get remote system access on cluster members. Finally, as Hadoop is a gathering of several services and projects, you will understand that patch management in this field is often complicated and that known vulnerabilities often stay actionable for a while.

LAST-MINUTE EDIT: Just a last-minute reminder for attendees: the time slot for our talk has been changed from the 25th 15:00 to the 26th 10:00. The venue is still Florentine F on the Common Ground track.

POST-CONFERENCE UPDATE: Slides have been attached to this post. Video is online (https://youtu.be/B3mMTaer2is?t=5170).

Presenters:

  • Mahdi Braik - Security Consultant - Wavestone
    I am a pentester for Wavestone, a consulting company. I am passionate about and very interested in several topics related to infosec, such as web application security, exploit development and reverse engineering.
  • Thomas Debize - Consultant - Wavestone
    I am a French security enthusiast and work as an infosec auditor at Wavestone, a consulting company. I work on all kinds of security audits, penetration tests and incident responses. I like to git push new infosec tools (check https://github.com/maaaaz) and write some blog posts, either on the corporate blog or in infosec-specialized French magazines.
