I hope you had an awesome holiday break and New Years, and that you’re not too sore from going to the gym every day since Jan 1.
One Christmas tradition my family has, that I’m fond of, is that my siblings and I pick up a live Christmas and then set it up in our living room. Per tradition, my mom asks us, “Hey, get a nice sized tree, maybe 7 - 8 feet, not like last year.”
And per tradition, my siblings and I pick up a tree that’s at least 10 - 12 feet tall.
This issue is a bit longer than most, as I took a few weeks off and there’s much to catch up on.
This week I’m at NCC Con in San Diego, an annual internal-only conference NCC Group holds where security consultants from all over gather to give trainings, present research they’ve done, and talk shop over beverages (like orange juice).
It’s neat to see the early stages of research that will later be presented on major stages like BlackHat and DEF CON. Definitely one of my favorite events all year.
🎁 Epic Post Next Week
I’ve been working hard for the past few months on one of the more ambitious writing projects I’ve ever tried to tackle. It’s taken me a few hundred hours, and I’m not aware of any post quite like it.
I hope you like it! If you do, I’d greatly appreciate your help in sharing it with any friends/colleagues who you think would find it useful 🙏
I’m not going to say what it’s about, but it relates to some upcoming events…
📜 In this newsletter...🔗 Links:
- Getting into Security: Tanya Janca on the various roles in security, John Opdenakker's list of useful learning resources
- Cloud Security: AWS IAM analyzer, 21 AWS PrivEsc techniques, Docker wrapper for AWS tools, demystifying
sts:ExternalId, Adopting AWS VPC Endpoints at Square
- Securing Terraform & CloudFormation Scripts: Several tools that will scan Terraform or CloudFormation scripts for insecure configurations
- Beyond Beyond Corp: Google BeyondProd whitepaper + overview by Maya Kaczorowski, whitepaper on how Google does code provenance, NCSC's zero trust architecture design principles
- Programming: Computer Science from the Bottom Up, Rosettagit: solutions to the same task in many languages
- Tools: Imperva's automatic API attack tool, PathAuditor: detect unsafe path access patterns, awesome-hacking GitHub repo
- Misc: Dive into Deep Learning, 100 Worst Ed-Tech Debacles of the Decade, On Linux’s Random Number Generation, WebAuthn.guide
- Privacy: NYT on what's possible with location data from millions of phones, big data is big business in China
- Politics: Mike Bloomberg's anti-Cambridge Analytica, Chinese ambassador pressured Denmark to adopt Huawei's 5G
- Twitter on Work Culture: Thoughts from Dino Dai Zovi and Tobi Lutke, the CEO of Shopify
Getting into Security
Some useful application security resources
John Opdenakker describes how he got into security, different types of resources that are useful in learning security, and a great list of blogs, online training, podcasts, conferences, and newsletters.
AWS IAM Access Analyzer
IAM Access Analyzer aims at making it easy to check that your policies provide only the intended access to resources. After enabling it in the Console, IAM Access Analyzer will continuously analyze permissions granted using policies associated with your S3 buckets, KMS keys, SQS queues, IAM roles, and Lambda functions. “…uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.” Currently free!
Investigating PrivEsc Methods in AWS
Bishop Fox’s Gerben Kleijn provides a description, lists the requirements, and gives an example of 21 different AWS privilege escalation techniques, based on some great work by Spencer Gietzen.
AWS Security Toolbox (AST)
Docker container that wraps several AWS security tools: awscli, CloudMapper, CloudTracker, prowler, ScoutSuite, PMapper, and Enumerate-IAM.
Demystifying AWS’ AssumeRole and sts:ExternalId
By NCC Group’s Rennie deGraaf:
Amazon Web Services’
AssumeRoleoperation accepts an optional parameter called “
sts:ExternalId” which is intended to mitigate certain types of attacks. However, both the attacks that
sts:ExternalIdmitigates and how to properly use it are widely misunderstood, resulting in large numbers of vulnerable AWS-based applications. This post aims to describe what
std:ExternalIddoes, when to use it, and how to use it.
Adopting AWS VPC Endpoints at Square
Square describes how they use VPC endpoints to access AWS services without giving the VPC resources direct Internet connectivity, and ensure only their own resources are accessed, with a Shared VPC model.
Securing Terraform & CloudFormation Scripts
Here are several tools that will scan Terraform or CloudFormation scripts for insecure configurations.
liamg/tfsec - “Static analysis powered security scanner for your terraform code.”
bridgecrewio/checkov - “Prevent cloud misconfigurations during build time.”
cesar-rodriguez/terrascan - “Collection of security and best practice test for static code analysis of terraform templates”
nozaq/terraform-aws-secure-baseline - “Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations.”
Skyscanner/cfripper - “Lambda function to “rip apart” a CloudFormation template and check it for security compliance.”
stelligent/cfn_nag - “Linting tool for CloudFormation templates”
Beyond Beyond Corp
BeyondCorp applied zero-trust principles to define corporate network access. At the same time, we also applied these principles to how we connect machines, workloads, and services. The result is BeyondProd.
In BeyondProd, we developed and optimized for the following security principles:
- Protection of the network at the edge
- No inherent mutual trust between services
- Trusted machines running code with known provenance
- Choke points for consistent policy enforcement across services, for example, ensuring authorized data access
- Simple, automated, and standardized change rollout, and
- Isolation between workloads
Read the full whitepaper here.
Maya Kaczorowski, a Google PM in container security, shared a great summary thread on Twitter:
BeyondProd is not a particular tool, but a model. It’s a realization, like in BeyondCorp, that corp security doesn’t end at the perimeter.
Service trust should depend on code provenance and service identity, not the location in the production network, like IP address.
The first big difference when using containers is due to scheduling. You can’t rely on IP addresses or host names for security. You need service identity.
Since containers are meant to be redeployed when a change occurs, you need an easy way to manage rollouts - and this also gives you a choke point.
You can actually verify and enforce what ends up in your environment, at deployment time. That’s kind of awesome.
Once you know what’s running in your environment, you can restrict how services communicate and interact, based on the service identity, and more strongly isolate workloads.
Google published a paper about two years ago on interservice communication: Application Layer Transport Security.
For developers, the best part is that these security controls are built directly into the tools they use. You can address security issues earlier, when it’s less costly, and do so in a standardized and consistent way.
You can’t make a change to cloud-native (containers, microservices) in your infrastructure, without also changing your dev practices. (You’re missing the point, and missing out on the security benefits.)
TL;DR: Moving to a cloud-native infrastructure let Google meet stronger security principles. BeyondProd assumes no trust between services, isolation between workloads, verified deployments, and centralized policy management.
In this whitepaper we describe Google’s code review process, its provenance, and the need for enforcement mechanisms. We focus on the development of a specific enforcement check - Binary Authorization for Borg (BAB). The goal of BAB is to reduce insider risk by ensuring that production software deployed at Google is properly reviewed and authorized, particularly if that code has the ability to access user data.
Computer Science from the Bottom Up
General Unix and C, computer architecture, OS, processes, virtual memory, compilation toolchains, dynamic linking, etc.
Presents “solutions to the same task in as many different programming languages as possible. It demonstrates how languages are similar and different and can help you learn new approaches to solving problems.”
Takes an API specification as input and creates a series of attacks based on the specification. No human intervention needed, but it can be extended if there are particular types of attacks you’d like to do.
Detecting unsafe path access patterns with PathAuditor
Tool from Google to find file access related vulnerabilities. “PathAuditor is a shared library that can be loaded into processes using LD_PRELOAD. It then hooks all filesystem related libc functions and checks if the access is safe. For that, we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable.” Source code on GitHub
A collection of various awesome lists for hackers, pentesters and security researchers. Links to various
awesome-<topic> repos on GitHub on topics like
asset discovery, fuzzing, bug bounty, and more.
Dive into Deep Learning
An interactive deep learning book with code, math, and discussions, based on the NumPy interface.
On Linux’s Random Number Generation
NCC Group’s Thomas Pornin gives some interesting details about how random number generation on Linux works and its history. If you’re into crypto, I’d highly recommend checking out Thomas’ work, as he’s brilliant.
Notwithstanding its flaws, the entropy depletion theory got its followers early on, and was adamantly maintained by some big names in Linux kernel development, mostly because it is quite hard to admit to other people, and to oneself, that one might have got something wrong.
It’s still early stages but WebAuthn seems to be picking up steam. This page has a nice overview and a bunch of code examples.
The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO. The API allows servers to register and authenticate users using public key cryptography instead of a password, using strong identifiers now built into devices, like Windows Hello or Apple’s Touch ID.
How to Track President Trump
Article by the NY Times Privacy Project on the impact of services that aggregate and sell location data. They obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in the US, consisting of a random sample from 2016 and 2017. The page has some neat (😅) visualizations of people going about their day.
Location data could become a powerful political tool, exposing the private lives of wealthy elites who prefer to adopt a more egalitarian persona. It is not difficult to imagine efforts to undermine a political campaign by exposing travels through private airports or visits to expensive restaurants and luxurious spas.
Share with Friends Who Have “Nothing to Hide”
If you’re in security, you’re probably well aware of the dangers and implications of location data. One thing I think this article did really well is explaining in a non technical way all the bad things that could be done with this data, like determining the identities of government officials working in sensitive roles (e.g. tracking people from the Pentagon or other buildings to their homes), blackmail and extortion (affairs, visits to Planned Parenthood, etc.), help with social engineering, kidnapping, and more.
This is a good article to bookmark to share with friends or relatives who don’t think aggregating location data is a big deal.
Creepy or convenient? Big data is big business in China
A woman saw her friend’s face on a “traffic violator exposure screen,” which uses cameras set up at intersections that automatically detect pedestrians and cyclists running red lights or committing other traffic violations. The images are matched with local authority databases to identify the individual, and their face appears on the monitor within five minutes. It is said that over 95% of wrongdoers can be identified. Violators are contacted by police and fined.
“If we combine their shopping and call records with various surveillance camera images and analyze the data, we can identify, to a certain degree, who has deep connections with the person in question,” a company representative said. “There are privacy issues with this, so we haven’t put it into practice, but from a technical standpoint, it’s quite possible,” the representative added with a smile.
Images of pedestrians captured on cameras on busy streets are analyzed by artificial intelligence systems. These are compared with a database of wanted suspects, and if there is a match, police are immediately notified. … It has been used to arrest more than 10,000 people in over 5,000 crimes by September 2018.
Mike Bloomberg is plowing millions of $ into a secretive tech firm
The company is called Hawkfish, and it provides “digital ad services, including content creation, ad placement and analytics.” Bloomberg started Hawkfish to be a counteracting force in how effectively Trump and Republicans used digital platforms and social media better than Democats in 2016. Bloomberg has already spent at least $13 million on Facebook and Google spots and said he plans to spend over $100 million on anti-Trump digital ads. Hawkfish will be working to support Democrats in a variety of elections, not just Bloomberg’s campaign, and the team includes former Facebook and Foursquare executives. Since any regulation of political ads or limitations on voter targeting seems unlikely, “if you can’t beat’em, join ‘em” ¯_(ツ)_/¯
Banned recording reveals China ambassador threatened Faroese leader at secret meeting
China’s ambassador to Denmark threatened the Faroese prime minister that a trade agreement with China would not be signed unless they signed a 5G contract with Huawei. This “marks the first (public) instance where the Chinese government has linked access to China’s huge market to Huawei being awarded contracts for 5G networks in Europe. Huawei has publicly stated that it is a private company with no ties to the Chinese state.” This is unsurprising, of course there are strong ties between the Chinese government and most large Chinese companies, this has been shown again and again.
Twitter on Work Culture
There were a number of people on Twitter talking about work/life balance, career advancement, and tradeoffs. It was interesting to read, as it’s something I struggle with too.
Here are a few snippets, let me know if there were any others you found useful.
I did years of overwork, for the security community (e.g. presos, trainings, books in personal time), as an employee, and as a founder. It came at a cost from other important parts of a healthy, normal life. I still have to work, but now strive for balance.
For years, my hobby was doing all of things that I’m known for and 99% was outside of work hours and independent of my actual job. I got to speak around the world, meet a bunch of awesome people, and had a blast. But I had more friends around world than in the city I lived in.
Working my tail off for small companies or companies that I founded also came at similar personal life costs. Every book I wrote and company I founded left a failed relationship in its wake. People brag about their hustle on Twitter, but rarely talk about the true costs.
Looking back, there were some painful and expensive lessons along the way, but you can’t predict what will be a good investment of time. Either way, life’s too short to spend any of it around toxic people or in toxic situations.
From Tobi Lutke, the CEO of Shopify:
Shopify grew up very far from the primary places where people build companies. For its founders, this company was our first real Job. If the startup ecosystem is a Darwinian struggle for survival, Ottawa is the Galapagos islands.
I’ve never worked through a night. The only times I worked more than 40 hours in a week was when I had the burning desire to do so.
For creative work, you can’t cheat. My believe is that there are 5 creative hours in everyone’s day. All I ask of people at Shopify is that 4 of those are channeled into the company.
We are not moist robots. We are people and people are awesome. What’s even better than people are teams. Friends, that go on journeys doing difficult things.
When I hire someone at Shopify we can make the assumption that we work together for a decade. There are a lot of things that changes. And most of Shopify’s advantage comes from there. For example:
The value equation changes entirely. In some places average tenure is only 18 months. Yes, you might want to work everyone 80 hours to make that work. On-boarding is expensive so you skip it. You need value day 1. The relationship is exploitative.
We don’t need that. We can hire on future potential and help people get there quickly. Junior employees are put together with seasoned vets and sometimes coaches to help them get there. We are all on the same side of the table and want the same.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!Cheers,