Hey,

Phew, if you also attended some combination of BSidesSF and RSA, I hope your travel home was uneventful, you’ve been catching up on rest, and are coronavirus-free.

Media

BSidesSF and RSA

Some quick reflections on last week, more to come.

Highlights

  • tl;dr sec stickers came just in the nick of time. Gave away >200 of them.
    • Let me know if you want some, I’m considering mailing them to people.
  • I gave 3 talks in 2 days across BSidesSF and RSA. Nice Twitter thread about our DevSecOps panel by Tanya here.
  • I caught up with some people I only knew from online interactions- it was great, and I didn’t wake up in a bathtub full of ice with only one kidney.
  • Heard Jon Oberheide speak about founding Duo, and had an awesome chat with Haroon Meer about infosec talks, research, and keynotes. Look for notes on both over the next few weeks.
  • Ate delicious banana bread from someone’s backpack at BSidesSF.

Verily, I Secure Thee

“…did you start your talk doing a part of Hamlet’s monologue?” Dev asked me, referring to my AppSec Cali talk. “Yep,” I replied.

It turns out we’re both big fans of Shakespeare and classic literature, so we’ve decided to do a Shakespeare themed security talk at some point, so stay tuned 😂

How to 10X Your Security

My BSidesSF talk was an updated and improved version of my AppSec Cali talk.

Core Changes
  • I cut and modified a few slides to make the talk easier to follow.
  • Added more details about continuous scanning and static analysis, moved dynamic analysis (and fuzzing) content to backup slides.
  • The "Continuous Compliance" and "Quantifying Risk" sections were also moved to backup slides, streamlined "Apply" slides at the end - actionable things to do in the near, medium, and longer term.
  • Added even more relevant links to backup slides as well as a few new topics that I couldn't fit into the main talk. Added a backup slide index to make navigating the slides easier.

There are still more improvements I was planning to make to the backup slides, but at some point one must rest one’s weary head and acknowledge that things are sufficient. For now.

You can 👉 see my updated slides here 👈

How to 10X Your Company's Security - Post
Oh also, my talk was drawn live by an incredibly talented artist. This was really neat, I’ve never had this done before.

📜 In this newsletter...

🔗 Links:
  • Web Security: SSRF lab, find Jinja2 templates that aren't autoescaped, DOM clobbering updates, API security tips
  • Cloud Security: Hacking Cognito misconfigurations, ALB authentication with GSuite SAML + Cognito, accessing Secret Manager from Terraform, using aws:CalledVia condition key for least priv actions
  • Container Security: Walkthrough of real-world Kubernetes threats, CloudSploit supports GCP, disambiguating what "container security" means, Istio network security gotchas
  • Red Team: Detailed Shodan guide, dynamic and scalable red team C2 infrastructure, malware evasion technique encyclopedia
  • Politics / Privacy: Republican mega-donor buys Twitter stock and wants Dorsey out, app that'll tell you what info IoT devices around you collect, NYT and John Opdenakker on controlling your online exposure
  • Misc: Having the right metrics for AI is fundamentally hard, Node library to automate Chromium/Firefox/Webkit, whitepaper on microcontroller readback protection (bypasses and defenses)

Web Security

Lab: SSRF with whitelist-based input filter
Web Security Academy lab based on Orange Tsai’s research on breaking URL parsers.

Bento check: Flask template files that aren’t autoescaped by default
Apparently Jinja2 only autoescapes templates ending in .html, .htm, .xml and .xhtml when using render_template(). If you use render_template() with another extension, like .txt, .jinja2, etc., you may be vulnerable to XSS. Nice post by r2c on creating a check for this bad pattern and running it against 715 open source Flask apps on GitHub. Get this and other checks with bento.

DOM Clobbering strikes back
From Portswigger’s Gareth Heyes: “As classic client-side vulnerabilities like XSS and CSRF get patched, CSP’d and SameSite’d into oblivion, niche attack techniques like DOM Clobbering are becoming ever more relevant. In this post, I’m going to quickly introduce DOM Clobbering, expand on my original research with some new techniques, and share two interactive labs so you can try the techniques out for yourself.”

“DOM clobbering is a technique in which you inject HTML into a page to manipulate the DOM and ultimately change the behavior of JavaScript on the page. DOM clobbering is particularly useful in cases where XSS is not possible, but you can control some HTML on a page where the attributes id or name are whitelisted by the HTML filter. The most common form of DOM clobbering uses an anchor element to overwrite a global variable, which is then used by the application in an unsafe way, such as generating a dynamic script URL.”

31 Tips — API Security & Pentesting
Tips on authorization, authentication, CSRF, data exposuure, DoS, injection, mass assigngment, tools, and what to do if you get stuck during a pen test.

Cloud Security

Hacking AWS Cognito Misconfigurations
Case study: Target application had a login page and no sign up feature exposed, Cognito was misconfigured to allow sign up of new users, sign up and login to obtain AWS temporary token for authenticated Identities, AWS token had access to Lambda functions -> privilege escalation.

ALB authentication with G Suite SAML using Cognito
Post by Alex Smolen on how he tried to get Cognito to play nicely with G Suite SAML for ALB authentication. There ended up being an encoding issue, but this seems like a really promising way to “zero trust”-ify APIs in AWS. gsuite-saml-cognito source code

Accessing Secret Manager from Terraform
Post by Seth Vargo on how to access Secret Manager, Google Cloud’s service for storing API keys, passwords, certificates, and other sensitive data, from Terraform. Source code here.

How to define least-privileged permissions for actions called by AWS services
“IAM now includes condition keys to make it easier to grant only the minimum level of access necessary for IAM principals (users and roles) and AWS services to take those actions. Using the aws:CalledVia condition key, you can create distinct access rules for the actions performed by your IAM principals, and for the subsequent actions taken by AWS services on your behalf.” The post gives a walkthrough of how to secure access to a database managed in Amazon Athena behind a VPC: how to grant access to execute queries in Athena without granting direct access to dependent services such as S3, and how you can use aws:CalledVia to prevent access to your databases from outside your private networks.

Container Security

Deep Dive into Real-World Kubernetes Threats
Companion blog post by NCC Group’s Mark Manning that extends his “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” Shmoocon 2020 talk. I saw an early version of this at NCC Con, and I really appreciated how it doesn’t just present a number of ideas, but instead presents key concepts in a walkthrough/scenario-based way, as if you were actively trying to gain control of a cluster. slides, demo code

Announcing General Availability of CloudSploit by Aqua for GCP
“Compliance support now includes mapping of CloudSploit’s library of GCP plug-ins to PCI-DSS and HIPAA requirements, to provide individual, actionable policy checks to help detect compliance violations across GCP accounts.” CloudSploit by Aqua’s library of GCP plug-ins are also mapped to the popular CIS Benchmark controls.

Container Security – Nobody Knows What It Means But It’s Provocative
Capsule8’s Kelly Shortridge wrote an excellent disambiguation of “container security,” breaking it into 3 core areas: build, ship, and run, corresponding to the phases of a typical software development lifecycle. For each area, she describes the primary features of solutions, their benefits and downsides, and some representative OSS tools and vendors. Super useful post 💯

A Survey of Istio’s Network Security Features
Detailed blog post by NCC Group’s Jack Leadford on some uninituitive subtleties in Istio’s behavior, on topics including IPv6, mutual TLS (fun fact: there are edge cases in which it’s not enforced), restricting egress traffic, and more. Every section has thorough reproduction steps for demonstrating the behavior locally. Nice!

Red Team

Shodan Pentesting Guide
Lengthy guide to the CLI commands, website, language client libraries, search query syntax, and more.

Introduction To Modern Routing For Red Team Infrastructure - using Traefik, Metasploit, Covenant and Docker
“We want to deploy a more evolved red teaming infrastructure that can dynamically create routes to our C2 Docker containers, instead of manually editing a configuration file every time we want a new route from our reverse-proxy. We also want it to be easy to scale, and easy to monitor… Traefik will enable us to easily manage dynamic routes, and deploy C2 containers with smooth forwarding to our payloads and session handlers… Once done, we’ll have an elastic reverse-proxy, functional routes to two different C2 containers with payloads and handlers, and the knowledge to summon many more at will. And a nice route monitoring UI.”

Check Point Research: Evasion Techniques
A malware evasion encyclopedia, which contains over 50 techniques used by various malware to detect virtualized and sandboxed environments.

Politics / Privacy

Republican mega-donor buys stake in Twitter and seeks to oust Jack Dorsey
In October, Twitter announced a ban on political advertising, due to its influence and manipulation potential when used by politicians. Paul Singer, a billionnaire and Republican mega-donor, has purchased a stake in Twitter and is purportedly seeking to oust Dorsey.

What the Hell Is That Device, and Is It Spying on You? This App Might Have the Answer
Researchers at Carnegie Mellon University have released a beta of an app, The Internet of Things (IoT) Assistant, which will scan any unidentified IOT nearby, tell you what they do, and guide you toward the ability to opt out of data collection (assuming such an option exists). The app “relies on a database compiled by volunteers, cybersecurity experts, and companies trying to simplify compliance with new privacy legislation like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection Regulation (GDPR).”

How to Dox Yourself on the Internet
Article on the NYT’s “step-by-step guide to finding and removing your personal information from the Internet.” Some useful context in the post, and see here for a series of Google docs detailing the NYT’s program consisting of repeatable steps that can be taken to clean up one’s online footprint.

How to control your online exposure
Post by John Opdenakker on several ways to find public information about you, having it removed, and setting Google alerts to learn when new info about you is published.

Misc

The Problem with Metrics is a Fundamental Problem for AI
Thanks Jon Hawes for the heads up on this paper.

Optimizing a given metric is a central aspect of most current AI approaches, yet overemphasizing metrics leads to manipulation, gaming, a myopic focus on short-term goals, and other unexpected negative consequences. This poses a fundamental contradiction for AI development. Through a series of real-world case studies, we look at various aspects of where metrics go wrong in practice and aspects of how our online environment and current business practices are exacerbating these failures. Finally, we propose a framework towards mitigating the harms caused by overemphasis of metrics within AI by: (1) using a slate of metrics to get a fuller and more nuanced picture, (2) combining metrics with qualitative accounts, and (3) involving a range of stakeholders, including those who will be most impacted.

microsoft / playwright
Node library to automate Chromium, Firefox and WebKit with a single API. Supports Linux, macOS, and Windows as well as headless browsing. For a similar project, see puppeteer.

Microcontroller Readback Protection: Bypasses and Defense
Whitepaper by NCC Group’s Sultan Qasim Khan: “Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides guidance to implement effective readback protection.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @tldrsec