Hey there,

Next week’s issue may be a bit light due to the upcoming madness of BSidesSF and RSA. I’ll be at both, so hope to see you there!

Provided my animal sacrifices have appeased the shipping gods, I’ll have tl;dr sec stickers to hand out! 🎉🎁 So for the first time shown publicly, here’s our mascot:

tl;dr sec robot

Local Events: BSidesSF and RSA

BSidesSF will be this Saturday, Feb 22, through Monday, Feb 24. Good talks, great people, affordable- I highly recommend attending.

An important RSA tradition is visiting the vendor hall and gathering more swag than you can carry, winning buzzword bingo by reading security startup marketing collateral, and networking with professional colleagues over copious free food and beverages at vendor parties. See here for a website and a Twitter handle that list RSA parties.

Monday, Feb 24

Panel: Lessons Learned from the DevSecOps Trenches
BSidesSF: From 1:30pm - 2:20pm I’ll be moderating a panel with my awesome buds Zane Lackey of Signal Sciences, Astha Singhal of Netflix, Doug DePerry of Datadog, and Justine Osborne of Apple.

How to 10X Your Company’s Security (Without a Series D
BSidesSF: After a luxurious 70 min break, from 3:30pm - 4:20pm I’ll then give a solo talk about modern AppSec best practices and how companies have effectively scaled their security, pulling from over 50 conference talks and countless blog posts, open source tools, and in-person conversations. This will be an updated and improved version of my AppSec Cali 2020 talk.

Tuesday, Feb 25

From 9:00am to 1:30pm there’s a mini fuzzing conference at The Pearl in the Dogpatch. Presentations from some impressive people in the fuzzing world, likely worth attending.

DevSecOps State of the Union
RSA: 2:20pm - 3:10pm in Moscone West 3024 I’ll again be talking about effectively scaling security. Apparently people care about this topic, who’d have thought? 🙂

📜 In this newsletter...

🔗 Links:
  • Cloud / Container Security: Escalating privs/stealing secrets in GCP, running Parliament on Terraform files, finding exposed EBS volumes, automating AWS security responses
  • Side Channel Shenanigans: Exfiltrating data using screen brightnes, interacting with voice assistants using ultrasonic waves
  • Pen Testing / Red Team: BloodHound 3.0, pivot cheatsheet, network data manipulation examples, C# post-exploitation library, polyglot shell, OSINT tools, finding attackers using canaries
  • Web Security: Stateful fuzzer for finding IDORs in Swagger APIs, REing client side encryption, Portswigger's 2019 top 10 hacking techniques
  • Writing: Two short, practical writing guides
  • Politics / Privacy: Federal agencies buying commercial cellphone info for immigration enforcement, Amazon's data on you
  • Programming: Reflections on Haskell, teaching CS to kids, and how you don't need a master plan to have a great career, just get started on something that interests you

Cloud / Container Security

How to escalate privileges and steal secrets in GCP
Lengthy blog post that introduces several tools targeting GCP environments: gcp_firewall_enum: generate targeted port scans for Compute Instances exposed to the internet, gcp_enum: most of the enumeration commands in this blog, consolidated to a single script, and gcp_misc: various tools for attacking GCP environments.

In this tutorial, we will do a very deep-dive into manual post-exploitation tactics and techniques for GCP. The specific scenario we are addressing here is the compromise of a single Linux-based virtual machine running within the Compute Engine offering. The goal is to elevate local privileges to a root account, compromise other systems within the same Google Cloud Project, break out of that project into others, and even hop the fence over to G Suite if possible.

rdkls / tf-parliament
By default, Parliament runs only on JSON IAM policies, not Terraform files. This utility parses your Terraform, finds aws_iam_policy_document elements, generates resulting IAM policy document strings, and runs Parliament on them. (Thx Claus Houmann for the heads up)

Dufflebag: Uncovering Secrets in Exposed EBS Volumes
As I mentioned in tl;dr sec #6, Bishop Fox’s Ben Morris gave a DEF CON 2019 talk on how he built a tool that found a number of publicly exposed AWS EBS volumes (i.e. virtual hard drives). This blog post has some nice additional details, a video of the tool in action, and the source code is now on GitHub.

Automated Response and Remediation with AWS Security Hub

AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts. In addition to consuming findings from Amazon services and integrated partners, Security Hub gives you the option to create custom actions, which allow a customer to manually invoke a specific response or remediation action on a specific finding. You can send custom actions to Amazon CloudWatch Events as a specific event pattern, allowing you to create a CloudWatch Events rule that listens for these actions and sends them to a target service, such as a Lambda function or Amazon SQS queue.

By creating custom actions mapped to specific finding type and by developing a corresponding Lambda function for that custom action, you can achieve targeted, automated remediation for these findings.

In this blog post, I’ll show you how to build custom actions, CloudWatch Event rules, and Lambda functions for a dozen targeted actions that can help you remediate CIS AWS Foundations Benchmark-related compliance findings. I’ll also cover use cases for sending findings to an issue management system and for automating security patching.

AWS Security Hub: Solution Architecture Overview

Where Security is Headed 🚀
As I called out in my AppSec Cali 2020 slides, I think defining invariants about your code and cloud environment, things that must always or never be true, is an incredibly powerful approach. I see some companies starting to do this now, and I think it’s going to be a much bigger thing in the future.

Side Channel Shenanigans

Exfiltrating Data from Air-Gapped Computers Using Screen Brightness
By researchers at Israel’s Ben Gurion University.

SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave

SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners’ knowledge, etc.

Pen Testing / Red Team

Introducing BloodHound 3.0
Given an Active Directory environment, BloodHound represents your assets and their privileges in graph form and then finds potential attack paths to get domain admin. This version contains three new attack primitives (GMSA control, OU control, and SID history) as well as performance and quality of life improvements.

A Pivot Cheatsheet for Pentesters
How to set up a practice environment and 4 pivot techniques: SSH and proxychains, meterpreter and SOCKS proxy, ncat or netcat relay, or installing local tools.

Network data manipulation on the fly
Walkthrough of performing a few common network-related tasks useful on pen tests/red teams using maproxy, including creating a simple bidirectional proxy, data modification, creating a simple phishing web page, and messing with Ethernet/IP.

Staying # and Bringing Covert Injection Tradecraft to .NET
BlueHatIL 2020 talk by The Wover and Ruben Boonen on SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

llamasoft / polyshell
A script that’s simultaneously valid in Bash, Windows Batch, and PowerShell, which makes it useful for pen testing, as it will run on most systems without you needing to make a target-specific payload. PolyShell is specifically designed to be deliverable via input injection using a USB Rubby Ducky, MalDuino, or similar devices.

Week in OSINT #2020–06
Satellite imagery, OSINT_Spider, custom search engines, Google Analytics ID reverse lookup, view LinkedIn profile without being logged in, OSINT bookmarks, Yuleak - search for (sub)domains, IP addresses, onion addresses and other indicators for a provided domain/IP.

Birding Guide: Detect Attackers without Breaking the Bank
46 page PDF from Haroon Meer’s team at Thinkst Canary on tips and tricks for using canaries to catch bad people on your network. Covers a bunch of topics, including using canaries in SCADA/PLC contexts, office file tokens, inbox traps, AWS API key tokens, detecting cloned websites, Google Drive, MSSQL, web image, QR code, redirect, and Windows Directory tokens.

Web Security

Automated IDOR Discovery through Stateful Swagger Fuzzing
Great blog post by Yelp on a tool they built, fuzz-lightyear (🤣👏), that can identify broken access controls (i.e. insecure direct object reference vulns, or IDORs), using stateful Swagger fuzzing. fuzz-lightyear can be integrated into your CI pipeline to give consistent, automatic test coverage as your web apps and microservices evolve. Basically since Swagger became a thing I’d been expecting a tool like this, and had been surprised it didn’t already exist. I haven’t played with fuzz-lightyear yet, but it seems well done.

The post goes into to some nice details about their approach and thought process, and links an interesting academic paper from Microsoft Research that describes how their stateful REST API fuzzer found new bugs in several deployed production Azure and Office-365 cloud services. (Thx Dmitry Sotnikov for the heads up)

Fuzz Lightyear: IDOR Diagram
Detecting IDOR in a hypothetical sequence of requests

Reverse engineering Blind’s API and client side encryption
Nice example walkthrough of figuring out how to reverse/bypass client side encryption in JavaScript.

Portswigger’s Top 10 web hacking techniques of 2019
Portswigger’s annual round up is always worth reading to get a pulse on some of the most novel/impactful web security research that’s happened recently.


Learning Technical Writing: Using the Engineering Method
22 page PDF on building a writing group from a Tufts University professor. I like that it focuses on specific, actionable advice and principles and includes a number of example practice exercises.

Essay Writing Guide
25 page Google Doc by Jordan Petersen on writing.

Politics / Privacy

Federal Agencies Use Cellphone Location Data for Immigration Enforcement

The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal.

Why Amazon knows so much about you
BBC article on the history of Amazon’s obsession with customer data, some details on what’s currently collected, discussion of implications and potential future directions this could head.


Functional Programming Languages and the Pursuit of Laziness with Dr. Simon Peyton Jones
Dr. Simon Peyton Jones is a former academic, now programming language researcher at Microsoft Research. In this interview, he discusses a bit of history behind functional programming and Haskell, teaching practical algorithmic thinking to schoolchildren, and more.

Dr. Jones is brilliant and has had quite the career, so I found the following inspiring, or at least heartening. (emphasis mine)

I never had a long-term research plan. I never had a, “Oh, here are the 3 big things I’m going to do with my life and I’m on this 20-year trajectory to do it.” I was always just doing the next thing. So, I, I’m not really a very long-range planner. But I did have hold of one idea, this functional programming idea. I didn’t know how it would turn out. But I just found it fascinating.

So, I would suggest to younger people, just start with something.

I remember when I started as a researcher at the University College, London, I didn’t have a PhD. My head of department gave me some time off to do research. But I had no idea what to do. So, I just sat there with a sharp pencil and a blank sheet of paper, hoping for great ideas to come, which of course they didn’t.

And then my colleague, John Washbrook, he said to me, “Simon, just do something. Anything. No matter how humble and simple. Just start something.” And so, I did. I wrote a little parser generator for a functional language called SASL. And that eventually turned into a research paper, as it happened.

So, the wonderful thing about computer science is you can start almost anything, it’ll turn into something interesting. Don’t be too worried, just get started on something that interests you.

#wisdom #inspiration
Or, as the modern day philosopher, Shia LaBeouf, once said, “Just Do It!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!