Hey there,
I hope you’ve been doing well and staying healthy.
FYI: I’m going to take a week or two off from tl;dr sec after this issue.
Don’t worry, I’m fine, there’s just a few things I need to wrap up. In fact, there’s something I’ve been working on that I’m excited to share with you soon!
Poll Results: What Readers Prefer
What we learned: ~44% of readers most prefer a weekly digest with more info about links, and links with fewer details and talk summaries tied at ~28% each.
Fewer than 10% of the people who opened the email voted. For shame! 😛
📜 In this newsletter...
🔗 Links:
- Protecting Your Home Network: Caleb Sima and Scott Helme on canaries, getting visibility into your devices, VLANs and more
- Web Security: Stanford releases their web security course curriculum, does DNS over HTTP affect DNS rebinding?
- AppSec: Lessons learned from running Facebook and Uber's bug bounty, run Snyk in VS Code, free book from Google on building secure systems
- Cloud Security: Consolidated Azure security docs, gotchas in isolating networks on AWS, AWS Detective publicly available, find potential permission issues with IAM Access Analyzer, locking down IAM policies with global condition context keys, using an image release process
- Container Security: Easily use Vault with Kubernetes, ATT&CK matrix for Kubernetes
- Blue Team: Wirecutter's best security key for 2FA, stats from 1,300 phishing campaigns
- Privacy / Politics: Leaked Amazon memo details plans to smear fired warehouse organizer
- Misc: Twitter thread on the origins of Triscuit, how Slack deploys code, trying to set fires by hacking 3D printers, bringing 4K anime to Netflix, thoughts on COVID-19's impact on higher ed
Securing Your Home Network
How I protected my home network
Caleb Sima wanted an “it just works” setup that he could plug in and forget about. He ended up setting up a honeypot (like Thinkst Canary) to detect when someone is trying to scan or do bad things on the network, and the Fingbox to give visibility into all devices on the network and kick misbehaving ones off.
Securing your home network in preparation for Working From Home
Scott Helme recommends using a good password on your WiFi network, creating a separate WiFi network for trusted devices (e.g. your laptop, phone, etc.) and a guest network (IoT, guests), using a VLAN to prevent guest network devices from talking to devices on the main network, and regularly updating your hardware, as new security issues are always being reported. He uses the Unifi Security Gateway and is happy with it.
Web Security
Stanford: CS 253 Web Security
Includes videos, course slides, reading material and course assignments. For hands-on exercises, the course offers projects on writing security exploits, defending insecure web apps, and implementing emerging web standards.
- Topics include: Principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code.
- Course projects include: writing security exploits, defending insecure web apps, and implementing emerging web standards.
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
By NCC Group’s Roger Meyer and Gerald Doussot: DoH encrypts DNS traffic using HTTPS, which prevents ISPs, people on public WiFi, and anybody in a privileged network position from observing the traditional plaintext DNS traffic sent from the browser to the DNS server.
tl;dr: “Our results show that DoH does not prevent DNS rebinding attacks and all rebinding strategies and techniques implemented in Singularity still work, including the fast multiple answers strategy and DNS cache flooding technique that allow rebinding in just a few seconds.”
The post has a nice overview of DoH, how to configure it in Firefox and Chrome, and this neat tidbit on how to easily get DNS results in JSON:
$ curl -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=nccgroup.com&type=A"
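Since DoH only hides the query, not its contents, rebinding still has to be caught by whoever consumes the answers. Here is an added example (mine, not code from the NCC post or from Singularity) that runs the check a rebind-aware resolver applies over the dns-json format the curl command above returns: it flags answers that point a name at non-public addresses, very low TTLs, and mixed public/internal answer sets. Both responses are constructed; 1.1.1.1 stands in for an ordinary public address.

```python
import ipaddress
import json

# Both responses are constructed for this example, in the dns-json shape the
# curl command above returns; 1.1.1.1 stands in for an ordinary public address.
BENIGN_RESPONSE = """{"Status": 0, "Question": [{"name": "one.one.one.one.", "type": 1}],
  "Answer": [{"name": "one.one.one.one.", "type": 1, "TTL": 300, "data": "1.1.1.1"}]}"""
REBINDING_RESPONSE = """{"Status": 0, "Question": [{"name": "rebind.example.", "type": 1}],
  "Answer": [{"name": "rebind.example.", "type": 1, "TTL": 1, "data": "1.1.1.1"},
             {"name": "rebind.example.", "type": 1, "TTL": 1, "data": "192.168.1.1"}]}"""

ADDRESS_TYPES = {1: "A", 28: "AAAA"}  # only address records can be rebound


def is_non_public(ip) -> bool:
    """RFC 1918, loopback and link-local: the addresses a rebinding attack
    wants the victim's browser to end up talking to."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def rebinding_indicators(doh_json: str, min_ttl: int = 30) -> list:
    """Return the reasons a DoH JSON response looks like a rebinding attempt
    (an empty list means clean). This is the filter a rebind-aware resolver
    such as dnsmasq's --stop-dns-rebind applies: answers from an external
    resolver must not point at internal addresses. Very low TTLs and answer
    sets mixing public and internal addresses are the 'fast multiple answers'
    pattern the NCC post describes, so those are flagged too."""
    resp = json.loads(doh_json)
    reasons, non_public = [], []
    for rr in resp.get("Answer", []):
        if rr.get("type") not in ADDRESS_TYPES:
            continue  # CNAME, TXT, etc. carry no reachable address
        try:
            ip = ipaddress.ip_address(rr["data"])
        except (KeyError, ValueError):
            reasons.append(f"malformed {ADDRESS_TYPES[rr['type']]} record: {rr!r}")
            continue
        non_public.append(is_non_public(ip))
        if non_public[-1]:
            reasons.append(f"{rr.get('name')} -> {ip} is a non-public address")
        if rr.get("TTL", 0) < min_ttl:
            reasons.append(f"{rr.get('name')} TTL {rr.get('TTL')}s is below {min_ttl}s")
    if any(non_public) and not all(non_public):
        reasons.append("answer set mixes public and non-public addresses")
    return reasons
```

The same rule is what browsers and local resolvers would need to enforce to break the attack; switching the transport to DoH changes nothing about the answers themselves.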
AppSec
Bug Bounty 5 years in
How to prepare, launch, and run a high quality bounty program, based on what Collin Greene learned from launching and leading the Facebook and Uber programs. Tons of great insights, a Must Read™ post if you’re interested in running bug bounty programs.
Vuln Cost: security scanner for VS Code
Snyk released a VS Code extension that will show you the known vulnerabilities in the dependencies you’re using.
Building Secure and Reliable Systems
Free 550+ page book from Google’s SRE team. Seems to have a ton of great principles and practical discussions of real challenges, and appears to be one of the most practically useful security books I’ve come across recently.
Cloud Security
Azure Security Documentation
New Microsoft site that consolidates a number of relevant resources in one place.
Isolated networks on AWS
By Scott Piper: “It is possible on AWS to have an isolated network where you cannot communicate in or out except through limited, controlled pathways. Setting something like this up has some gotchas. This post provides a CDK app to help you experiment and see these issues for yourself, with discussions of the gotchas, their mitigations, and limitations of those mitigations.”
Amazon Detective – Rapid Security Investigation and Analysis
A fully managed service that empowers users to automate the heavy lifting involved in processing large quantities of AWS log data to determine the cause and impact of a security issue.
Once enabled, Detective automatically begins distilling and organizing data from Amazon GuardDuty, AWS CloudTrail, and Amazon Virtual Private Cloud Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment.
Use AWS IAM Access Analyzer in AWS Organizations
Helps you understand who can access resources by analyzing permissions granted using policies for S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues. Access Analyzer uses automated reasoning to determine all possible access paths allowed by a resource policy.
For each analyzer, you can create a zone of trust (account or an entire organization), which can help you quickly identify when resources in your organization can be accessed from outside your org. See also the re:Invent talk: Dive Deep into IAM Access Analyzer.
Fine-tuning access with AWS IAM global condition context keys
By Alex Smolen: AWS IAM policies answer the question “who gets access to what?”. AWS IAM policy conditions answer the more precise question “who gets access to what, when?”. Conditions enhance the expressive power of IAM policies by allowing authors to restrict access control by context.
This blog post describes the AWS global condition context keys (i.e. those prefixed with aws:) and their caveats. Alex describes the key points of how you can restrict by:
- Calling service: CalledVia, CalledViaFirst, CalledViaLast and ViaAWSService, SourceAccount, SourceArn
- Network: SourceIp, SourceVpc, SourceVpce, VpcSourceIp
- Header: Referer, UserAgent
- Transport: SecureTransport
- Region: RequestedRegion
- Request time: CurrentTime, EpochTime
- Credential time: TokenIssueTime, MultiFactorAuthAge
- Credential type: MultiFactorAuthPresent
- Tag: RequestTag, ResourceTag, TagKeys
- Principal: PrincipalAccount, PrincipalArn, PrincipalOrgID, PrincipalOrgPaths, PrincipalTag, PrincipalType, userid, username
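Two of the caveats around these keys come down to what happens when a key is simply absent from the request context. As an added example (mine, not from Alex's post), here is a small evaluator of IAM's Bool/IpAddress operators with the missing-key rules AWS documents, run over constructed request contexts: a plain "Bool" on aws:MultiFactorAuthPresent never matches a call made with long-term access keys (the key is not set at all), so a Deny meant to enforce MFA has to use BoolIfExists; and a source-IP Deny also blocks services calling on your behalf unless it exempts aws:ViaAWSService. The context names and addresses are made up for the example.

```python
import ipaddress

# Request contexts constructed for this example. Note what is absent: long-term
# access keys carry no aws:MultiFactorAuthPresent key at all, and
# aws:ViaAWSService appears only when a service calls on your behalf.
CONTEXTS = {
    "mfa_session": {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "10.1.2.3"},
    "session_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "10.1.2.3"},
    "access_keys": {"aws:SourceIp": "10.1.2.3"},
    "coffee_shop": {"aws:SourceIp": "198.51.100.7"},
    "cloudformation": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"},
}

# Condition blocks of Deny statements. A plain "Bool" never matches a missing
# key, so the weak MFA deny lets long-term access keys through; a source-IP
# deny without the ViaAWSService exemption also blocks services acting for you.
MFA_DENY_WEAK = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
MFA_DENY = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
NETWORK_DENY_NAIVE = {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
NETWORK_DENY = {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"},
                "BoolIfExists": {"aws:ViaAWSService": "false"}}

def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate Bool/IpAddress operators (plus Not... and ...IfExists variants)
    with IAM's missing-key rules: a plain operator fails on a missing key, while
    a negated operator or an ...IfExists operator treats it as matched."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op.removesuffix("IfExists")
        negate = base.startswith("Not")
        base = base.removeprefix("Not")
        for key, want in pairs.items():
            if key not in ctx:
                if if_exists or negate:
                    continue
                return False
            if base == "Bool":
                ok = ctx[key].lower() == want.lower()
            elif base == "IpAddress":
                ok = ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(want)
            else:
                raise ValueError(f"{op} is outside this example's operator subset")
            if ok == negate:  # a value match on a Not... operator is a mismatch
                return False
    return True

def denied_by(condition: dict) -> list:
    """Sorted names of the constructed requests a Deny with this condition catches."""
    return sorted(n for n, ctx in CONTEXTS.items() if condition_matches(condition, ctx))
```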

Using an Image Release Process for Security Wins
Video and slides. “Through an image release process using AWS-AMI, this walkthrough will harden the security of the images used to deploy applications in a safe way without disrupting your services.”
Container Security
HashiCorp Vault: Delivering Secrets with Kubernetes
A walkthrough example of delivering database credentials from Vault to a Kubernetes pod using the Vault Agent Sidecar Injector.
The Vault Agent Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates. By rendering secrets to a shared volume, containers within the pod can consume Vault secrets without being Vault aware. Demo code
Attack matrix for Kubernetes
Microsoft created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with a focus on Kubernetes.

Blue Team
The Best Security Key for Multi-Factor Authentication
Wirecutter, which does in-depth reviews of various products, just released one on physical security keys that can be used for 2FA. Result: “The Yubico YubiKey 5 Series has the best combination of compatibility, usability, and security of any key we tested.”
Crave the Data: Statistics from 1,300 Phishing Campaigns
NCC Group’s Simon Palmer describes results from Piranha, NCC Group’s phishing platform.
- 1,300 phishing campaigns were analysed involving over 360,000 users
- Targets in Charities were over 3 times more likely to click than the Health Sector
- However, once clicked, half of all targets were likely to supply credentials, regardless of sector
- Best case 1/10 of targets will click a link
- Best case 1/20 of targets will supply credentials

Politics / Privacy
Leaked Amazon Memo Details Plan to Smear Fired Warehouse Organizer
Amazon fired a warehouse worker after he led a walkout, motivated by a lack of protective measures against COVID-19 in the warehouse, people coming in sick due to mandatory overtime, etc. Vice obtained leaked notes from an internal meeting of Amazon leadership:
“He’s not smart, or articulate, and to the extent the press wants to focus on us versus him, we will be in a much stronger PR position than simply explaining for the umpteenth time how we’re trying to protect workers,” wrote Amazon General Counsel David Zapolsky.
“We should spend the first part of our response strongly laying out the case for why the organizer’s conduct was immoral, unacceptable, and arguably illegal, in detail, and only then follow with our usual talking points about worker safety,” Zapolsky wrote. “Make him the most interesting part of the story, and if possible make him the face of the entire union/organizing movement.”
Misc
Twitter thread about the origins of Triscuit
A fun story about when your curiosity can’t be satisfied and you just have to know something. You’re welcome.
Deploys at Slack
Not really security, but an interesting overview of how Slack deploys code 10+ times a day to many servers without breaking things.
With IoT, Common Devices Pose New Threats
IoT security is generally a dumpster fire, but the perceived risk can often be low. This post by Coalfire’s Dan McInerney pursues a question (and maybe goal) that many of us have: can I cause an IoT device to start a fire/explode/etc.?
“Even people with zero reverse engineering experience will be able to follow along as we try to weaponize this 3D printer into a fire bomb. Stay tuned!”
Bringing 4K and HDR to Anime at Netflix with Sol Levante
Fascinating post about the challenges in creating an anime with a digital-first workflow (vs paper), which includes details on the ecosystem around how anime is produced. The short, Sol Levante, is available on Netflix now, and to help other creators, they’re even making public the image and sound assets for Sol Levante including TIFF sequence and IMF, selected After Effects projects, ProTools sessions, animatic and storyboard, and more.


Post Corona: Higher Ed
I really enjoy Scott Galloway’s newsletter, “No Mercy / No Malice.” Scott is a professor of marketing at NYU Stern who applies a critical eye to many things (often tech), with a snarky and critical wit.
Things won’t change as much as they will accelerate. While other crises reshaped the future, COVID-19 is just making the future happen faster.
We’ll see a culling among universities. Just as retail closures are accelerating from 9,500 stores in 2019 to more than 15,000 in 2020, we’re going to see dozens, maybe hundreds, of universities not reopen. In academia, we have been preying on the hopes and prayers of the middle class, offering parents the chance to check an instinctive box, giving their kids a better life, by sending them to college. We also encouraged them to borrow against their 401(k)s and take out mortgages to underwrite our shape-shifting from public servants to luxury brands. No more.
Similar to other categories, there will be a flight to quality and a concentration of power among a small number of brands.
At each university, there are 6-12 “ringers,” great teachers who are worth it. Ringers, unbounded by the geographic constraints of their campus and parent brand, will see their compensation rise 3-10x over the next decade. Administrators at the top 10 universities who have the skills to become product managers will see their comp increase. Everyone else in traditional academia will make less.
The second-greatest accretion of stakeholder value in business, behind Amazon’s entry into healthcare, will be big (and some small) tech firms partnering with a world class university to offer 80% of a traditional four-year degree for 50% of the price.
Like most industries disrupted by software, tremendous value will accrue to millions of consumers via deflation. Hundreds of thousands of jobs will vanish. And billions of shareholder value will flow to disturbingly few organizations and their stakeholders. There will also be a reshaping of priorities as we take attributes that make us most human — the discovery, empathy, and emotional growth of a campus-based liberal arts education (a luxury only the wealthy will be able to afford) — and replace them with the pursuit of vocational skills and shareholder value.
Big tech’s impending march into higher ed will bring more learning to more humans, and erode our humanity.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler