Hi there,

I hope you’ve been doing well!

Over the past few years I’ve become a big fan of musicals. Recently, I’ve felt like a part of me has been missing since BroadwaySF has delayed their season.

Fortunately, Filmed on Stage has a listing of a ton of plays and musicals you can watch online for free! They have a number of Shakespeare productions, musicals, Cirque du Soleil performances, and even Benedict Cumberbatch in Frankenstein 😍

📜 In this newsletter...

🔗 Links:
  • AppSec: Another secret-scanning tool
  • Web Security: Grokking postMessage usage in complex apps, polymorphic XSS images
  • Cloud Security: Terraform policies for CIS Benchmarks, new version of ScoutSuite, priv esc in GCP cloud build, Terraform AWS FIPS provider, tool to find violations of least privilege in your IAM policies, combining AWS Firewall Manager + VPC security groups, case study of detecting a compromised AWS key
  • Container Security: Lessons learned running Istio in production
  • Red Team: Azure AD intro for red teamers, 30 reverse engineering tips, C# password spraying tool, writing dynamic analysis-resistant malware
  • Blue Team: Virtual range to practice attacking and detection, deobfuscating the Maze malware with IDA and Python, examining Zoom's behavior using eBPF
  • Politics / Privacy: Eric Schmidt ML-splains a general, Mozilla examines the privacy of video conferencing apps
  • Misc: 15 line XML PoC to escape the iOS sandbox, OpenAI generating music, silicon root of trust project, startup offense and defense in the recession


Looks for secrets, hardcoded credentials, and dangerous functions in source code and config files. Searches by regexes, allows specifying include/exclude paths, and other useful features.

Web Security

DOM XSS in Gmail with a little help from Chrome
A useful example of grokking complicated front-end code (e.g. Gmail) using browser features and tools like postMessage-logger, to understand how different iframes communicate with each other using the postMessage API.

[Image: Gmail iFrame Origins]

Researching Polymorphic Images for XSS on Google Scholar
Explorations by Doyensec in embedding XSS payloads in images that survive server-side image processing. source code

Cloud Security

Terraform Foundational Policies Library
HashiCorp announced that they’re releasing a library of 40+ controls based on the CIS Benchmarks for securing common cloud services including networking, databases, storage and compute services.

ScoutSuite 5.8.0 Released
ScoutSuite is a multi-cloud security auditing tool. This version has improved support for AWS, Azure, GCP, and OCI.

RCE to IAM Privilege Escalation in GCP Cloud Build
Abusing a feature of Cloud Build can give you access to the Cloud Build Service Account: supply Python code that’s executed during the build process, use that to exfiltrate the access token for the Cloud Build Service Account, then use that account’s additional permissions. PoC script

Terraform AWS FIPS Provider
Example Terraform providers with FIPS endpoints enabled. Useful if you’re working with the federal government and need to meet FIPS 140-2 requirements. source code

Another nifty tool from Kinnaird McQuade: “an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.”

Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances
How to apply common security group rules, audit security groups, and detect unused and redundant rules across your AWS environment. The example walks through creating security group rules that allow SSH access only from the public IP address of the bastion host and setting a policy that prohibits any security group rules that allow SSH access from everywhere.

“When you use Firewall Manager to centrally apply a common security group, you can do things such as ensure that all Application Load Balancers only talk to Amazon CloudFront, or the SSH protocol is only allowed from specific IP ranges, or to give system administrators access to a central database.”

After you put the master set of security group rules in place, you’ll get notification of all non-compliant changes made by developers and can set policies to auto remediate any non-compliant resources.

Finding evil in AWS: A key pair to remember
Nice walkthrough by Expel on how they detected that AWS access keys had been compromised, determined the potential impact, and kicked the attacker out.

One aspect I found especially interesting is that they’ve built an orchestration framework that automatically enriches relevant data, a theme I called out in my BSidesSF 2020 talk as one way many companies are scaling their detection and response efforts. Specifically, they:

  • Use a third-party enrichment service for IPs (ipinfo.io)
  • Determine if the IAM principal historically tends to use the AWS CLI, console (UI), or the AWS SDK. In some cases manually creating an access key is atypical because infra as code (CloudFormation, Terraform) should be used instead.
  • Look for behavioral anomalies: did the principal assume any other roles? What services do they normally interact with? Did they make any interesting API calls? (e.g. calls they don’t normally make, calls that could indicate enumerating an environment).
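A toy version of that baselining and triage, added here as an example (not Expel's code): constructed CloudTrail-shaped records, a per-principal baseline of channels and services, and the checks above (manual key creation, role assumption, enumeration of a service the principal never used, activity over a channel the principal never used). The userAgent-to-channel mapping is a simplification assumed for the example.

```python
from collections import defaultdict

def rec(user, source, name, ua):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real logs)."""
    return {"userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "eventSource": source, "eventName": name, "userAgent": ua}

CLI, SDK = "aws-cli/2.0.10 Python/3.8.2", "Boto3/1.12.39 Python/3.7.7"
# Baseline window: a deploy user that only ever drives ECS/ECR from the AWS CLI.
BASELINE = [rec("ci-deploy", "ecs.amazonaws.com", "UpdateService", CLI),
            rec("ci-deploy", "ecr.amazonaws.com", "PutImage", CLI)]
# Later window: the same user's key now mints a key, assumes a role and enumerates S3.
SUSPECT = [rec("ci-deploy", "iam.amazonaws.com", "CreateAccessKey", SDK),
           rec("ci-deploy", "sts.amazonaws.com", "AssumeRole", SDK),
           rec("ci-deploy", "s3.amazonaws.com", "ListBuckets", SDK),
           rec("ci-deploy", "ecs.amazonaws.com", "UpdateService", CLI)]

def channel(user_agent):
    """Map a CloudTrail userAgent to how the principal talked to AWS (assumed heuristic)."""
    ua = user_agent.lower()
    if ua.startswith("aws-cli"):
        return "cli"
    if "console.amazonaws.com" in ua or "signin.amazonaws.com" in ua:
        return "console"
    return "sdk"

def build_profile(records):
    """Per principal ARN: the channels and services observed in the baseline window."""
    profile = defaultdict(lambda: {"channels": set(), "services": set()})
    for r in records:
        p = profile[r["userIdentity"]["arn"]]
        p["channels"].add(channel(r["userAgent"]))
        p["services"].add(r["eventSource"])
    return profile

def triage(profile, records):
    """Return (arn, eventName, reason) for events that deviate from the baseline."""
    findings = []
    for r in records:
        arn, name, src = r["userIdentity"]["arn"], r["eventName"], r["eventSource"]
        p = profile.get(arn, {"channels": set(), "services": set()})
        ch = channel(r["userAgent"])
        if name == "CreateAccessKey":
            findings.append((arn, name, "manual access key creation"))
        if name == "AssumeRole":
            findings.append((arn, name, "principal assumed another role"))
        if ch not in p["channels"]:
            findings.append((arn, name, f"new channel: {ch}"))
        if src not in p["services"] and name.startswith(("List", "Describe", "Get")):
            findings.append((arn, name, "enumeration of a service never used before"))
    return findings
```

Running `triage(build_profile(BASELINE), SUSPECT)` flags the first three suspect events and leaves the routine CLI deploy alone; in practice the baseline would come from weeks of CloudTrail, not two records.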

Expel has another blog post on building a detection strategy for CloudTrail with some tips on useful signals:

[Image: Expel: Useful CloudTrail Signals]

Container Security

Everything We Learned Running Istio In Production — Part 1
HelloFresh describes their process of gradually rolling out Istio. Key points:

  • Looking at all of Istio’s features can be overwhelming, so choose a few to focus on initially.
  • At its core, Istio does 4 main things: connectivity, observability, security, and traffic control. HelloFresh decided to first focus on observability and resilience.
  • Deploying and updating config across many teams can be a lot of work, so they wrote a Helm plugin that loads centralized Helm templates and combines them with project-specific values.
  • Roll out in stages - Istio can drastically alter the intended behavior at the app level (e.g. when it injects a sidecar proxy), so make sure you don’t break things and that your control plane properly scales as you onboard more microservices.

Red Team

Azure AD Introduction for Red Teamers
“The aim of this article is to briefly present Azure AD and to explore the different attacking paths this new cloud environment offers to pentesters and red teamers.” Includes links to a number of useful tools for performing unauthenticated and authenticated recon and more. 💯 details and write-up.

[Image: Azure Application Management Overview]

Guy’s 30 Reverse Engineering Tips & Tricks
Twitter thread by Guy.

“SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike’s execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers.”

Malware development part 2
“Previously, we’ve created a basic Metasploit shellcode launcher in C++ and explored basic techniques which helped to lower the detection rate of the compiled executable - payload encoding/encryption, binary signing with a custom code-signing certificate and switching to the x64 architecture. Now let’s dive deep into dynamic analysis and how to defend against it.”

Blue Team

Splunk Attack Range in a virtualized Ubuntu Guest VM — Guide
“The Splunk Attack Range is a project that allows anyone interested to quickly (automatically) build and deploy a whole Infrastructure stack with various software/tooling to test Cyber Attacks against vulnerable hosts, capture and send event logs from hosts, forward said event data into Splunk and even implement SOAR playbooks.”

[Image: Splunk Attack Range Architecture 1]
[Image: Splunk Attack Range Architecture 2]

The Many Paths Through Maze
CrowdStrike: How to “attack and deobfuscate the various obfuscations leveraged by Maze’s author” using the IDA Pro disassembler and Python.

Zooming in on Observability
Using eBPF for research and blackbox testing to determine how the Zoom Linux client actually works. “We fired up ingraind to monitor our daily Zoom ‘standup’ meeting, and decided to analyse the results in this blog post. We ended up writing some Rust code that helps us decrypt TLS traffic by instrumenting the binary using eBPF uprobes.”

Politics / Privacy

‘I Could Solve Most of Your Problems’: Eric Schmidt’s Pentagon Offensive
Interesting profile of the former Google CEO’s involvement with the U.S. military. No problem is too great to solve, with the potent combination of the right technology and characteristic Silicon Valley humility.

“You absolutely suck at machine learning,” Mr. Schmidt told General Thomas, the officer recalled. “If I got under your tent for a day, I could solve most of your problems.” General Thomas said he was so offended that he wanted to throw Mr. Schmidt out of the car, but refrained.

Mozilla examined the privacy of 15 video conferencing apps
The Mozilla researchers judged each video conferencing app by its Minimum Security Standards: Using encryption; providing security updates; requiring strong passwords; managing vulnerabilities; and featuring a privacy policy. Full report


Psychic Paper
A 15 line XML PoC to escape the iOS sandbox 🔥

Jukebox by OpenAI
“A neural net that generates music, including rudimentary singing, as raw audio in a variety of genres and artist styles. We’re releasing the model weights and code, along with a tool to explore the generated samples. Jukebox produces a wide range of music and singing styles, and generalizes to lyrics not seen during training. All the lyrics below have been co-written by a language model and OpenAI researchers.”

OpenTitan RTL synthesis with Yosys
“OpenTitan is the first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips. Yosys is a free/libre and open source framework for RTL synthesis tools.”

Startup Offense and Defense in the Recession
Elad Gil presents some figures and stats demonstrating the impact of COVID-19 and its likely continued effects, as well as advice for start-ups to mitigate the damage and take best advantage of the situation.

It should take a large enterprise 3-6 months to move to remote work, understand its financial situation, plan a layoff and buying freeze, and execute it. Given that we are only a month or two into COVID, much of the damage is yet to come. This means many startups won’t see the real impact of the slow down for anywhere between a few weeks and two quarters as big enterprises figure it all out and then act.

[Image: Current U.S. Economy]

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!