Hey there!
I hope you’re doing well. If you’re based out of the US, I hope you had a relaxing Memorial Day weekend.
Indexing Your Brain
Like a normal person with reasonable hobbies and work-life balance, I spent some
time during the extended weekend to relax, hang out with friends, reach inner
enlightenment, and reflect on how I consume, store, and reference info I find
useful.
I spend probably tens of hours a week reading articles, watching talks, reviewing slides, etc., and I feel like I’m not making the most of it. I’m not storing my notes in a way that makes them easily searchable or discoverable later, in the right context.
Apparently there’s even a name for this, Personal Knowledge Management (PKM).
If you’ve put some thought into optimizing how you ingest, distill, and then store info for later use, feel free to email me some details about your workflow, I’d love to hear about it.
Expect more on this later 😎
📜 In this newsletter...
🔗 Links:
- Mobile Security: Disabling SSL pinning on iOS 12
- Web Security: Unexploitable XSS labs by Portswigger
- Cloud Security: 2020 AWS security maturity roadmap, S3 security challenges, 163 AWS services in 1 sentence each, CloudGoat walkthrough, control the naming of individual IAM role sessions, new course on AWS security, identity, and compliance, a vulnerable by design Terraform training project
- Container Security: Amazon EKS security best practices guide, tool to find vulnerabilities in Docker images and monitor them for anomalous activities, GitHub action to scan Docker images for OS and application vulnerabilities
- Blue Team: An Elasticsearch honeypot, Docker image for continuously testing Elastalert rules, analysis of the 2020 Verizon Data Breach Report
- Red Team: Easily spin up your infra for bug bounty and pen testing, walkthrough of exploiting a purposefully vulnerable driver, a tool to generate statically undetectable binary payloads, a red team maturity model, SOCKS5 or TCP tunnels from a reverse connection over TLS, SOCKS over RDP
- Fuzzing: Vrankenfuzz and differential crypto fuzzing, fuzzing the Windows kernel, better vulnerability discovery from fuzzing seems to require exponentially more resources
- Politics / Privacy: 35 VPN services compared, the facial recognition world map, Zoom's E2E encryption proposal, Mozilla's pro-privacy incubator, China is targeting COVID-19 research organizations
- OSINT: Find sensitive data in screenshots
- Misc: The formally verified seL4 microkernel, your private Reddit RSS feeds, marriage counseling with capitalism, other non-pandemic things to worry about, the 4th great unlock
Mobile Security
How SSL Kill Switch works on iOS 12
This post describes the updates Alban Diquet
made to his tool SSL Kill
Switch, a blackbox tool for
disabling SSL pinning in iOS apps, in order to add support for iOS 12.
Web Security
Documenting the impossible: Unexploitable XSS labs
Portswigger has put together a list of examples of risky behavior in which they can’t quite
pop a sweet, sweet alert()
on. Solve them for much glory!
Cloud Security
AWS Security Maturity Roadmap 2020
Awesome, practical guide by Scott Piper
on increasing your AWS security maturity over time, broken down into concrete
steps. Definitely worth reading. Also, congrats to Marco
Lancini and
CloudSecList for getting a shout-out as a great
resource. Well earned! 🙌 (tl;dr sec got called out too 😎)
S3 Game
A series of S3-related security challenges, like flaws.cloud.
163 AWS Services in 1 Sentence Each
Joshua Thijssen - you sir, are a gentleman and a scholar 🙏
Attacking CloudGoat 2
A step-by-step walkthrough of CloudGoat 2.0 (a “vulnerable by design” AWS
deployment tool) scenarios by Appsecco.
Easily control the naming of individual IAM role sessions
“AWS IAM now has a new sts:RoleSessionName
condition element for the AWS
Security Token Service (STS), that makes it easy for AWS account administrators
to control the naming of individual IAM role sessions. You can now use the new
condition to control how IAM principals and applications name their role
sessions when they assume an IAM role, and rely on the role session name to
easily track their actions when viewing AWS CloudTrail logs.”
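To show how the new condition key is used and how the session name then ties CloudTrail records back to a caller, here is an added example (mine, not from the AWS announcement): a trust policy pinning sts:RoleSessionName to ${aws:username}, and a check over constructed CloudTrail AssumeRole records for session names that policy would reject. The account id, role and user names are placeholders.

```python
import fnmatch

# Trust policy (constructed account id): principals in the account may assume
# the role only when the RoleSessionName they pass equals their IAM user name.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {"sts:RoleSessionName": "${aws:username}"}},
    }],
}

def session_name_allowed(policy, username, session_name):
    """Evaluate the StringLike sts:RoleSessionName condition of the first
    statement: substitutes ${aws:username} and honours the * and ? wildcards.
    Other condition operators and Deny statements are out of scope here."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringLike", {})
        pattern = cond.get("sts:RoleSessionName")
        if pattern is None:
            return True  # statement does not restrict the session name
        pattern = pattern.replace("${aws:username}", username)
        return fnmatch.fnmatchcase(session_name, pattern)
    return False

# Constructed CloudTrail records, trimmed to the fields the check reads.
EVENTS = [
    {"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleSessionName": "alice"}},
    {"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleSessionName": "deploy-bot"}},
    {"eventName": "AssumeRole", "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"roleSessionName": "alice"}},
]

def mismatched_sessions(events, policy=TRUST_POLICY):
    """Return (userName, roleSessionName) for IAM-user AssumeRole calls whose
    session name the policy would reject. Role-chained or federated callers
    carry no userName and are skipped here; they need a separate rule."""
    found = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") != "AssumeRole" or ident.get("type") != "IAMUser":
            continue
        session = ev.get("requestParameters", {}).get("roleSessionName", "")
        if not session_name_allowed(policy, ident["userName"], session):
            found.append((ident["userName"], session))
    return found
```

Once the condition is in the trust policy, the same mismatches surface as AccessDenied AssumeRole attempts rather than successful sessions, so the check doubles as a way to spot callers that have not yet been updated.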
Getting Started with AWS Security, Identity, and Compliance
A new 3 hour course that covers key services used in identity and access
management, detective controls, infrastructure protection, and data protection
categories. Including: IAM, Cognito, Directory Service, GuardDuty, Security Hub,
Macie, AWS WAF, AWS Shield, Key Management Services (KMS), Certification
Manager, Secrets Manager, Config, and the AWS Well-Architected Tool.
TerraGoat, a vulnerable-by-design Terraform training project
“Terragoat (source code) is a
vulnerable-by-design Terraform project designed to give devops engineers a place
to learn how to identify misconfigured infrastructure as code modules and
test infrastructure code without polluting their own professional AWS account.”
Checkov can be used via pre-commit
hooks or linters to find errors before they’re pushed. Terragoat includes issues
like:
- Ensure all data stored in an RDS bucket is not publicly accessible
- Ensure no hardcoded AWS access key and secret key exists in EC2 user data
- Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
- Ensure no hardcoded AWS access key and secret key exists in lambda environment
- S3 Bucket has an ACL defined, which allows public READ access
- and many, many more!
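As an added example (not part of Terragoat or Checkov), here is a small Python scanner that applies three of the checks listed above to a constructed Terraform JSON-syntax (*.tf.json) document, with each misconfigured resource next to its hardened neighbour. The resource names, CIDRs and the AKIAIOSFODNN7EXAMPLE key (AWS’s documented example key id) are constructed.

```python
import re

# Terraform JSON syntax (*.tf.json) for a constructed project: each resource
# type has one misconfigured instance next to its hardened neighbour.
TF = {"resource": {
    "aws_security_group": {
        "bastion_open": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                      "cidr_blocks": ["0.0.0.0/0"]}]},
        "bastion_vpn": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                     "cidr_blocks": ["10.8.0.0/24"]}]}},
    "aws_s3_bucket": {
        "logs_public": {"bucket": "logs-example", "acl": "public-read"},
        "logs_private": {"bucket": "logs-example-2", "acl": "private"}},
    "aws_instance": {
        "web_leaky": {"user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
        "web_clean": {"user_data": "#!/bin/sh\napt-get update", "iam_instance_profile": "web"}},
}}

ANY_ADDR = {"0.0.0.0/0", "::/0"}
ACCESS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")  # shape of an IAM access key id
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

def sg_ssh_open(name, sg):
    """Port 22 reachable from any address: a rule that spans 22 or allows all protocols."""
    for rule in sg.get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []))
        spans_22 = rule.get("protocol") == "-1" or rule.get("from_port", 0) <= 22 <= rule.get("to_port", -1)
        if spans_22 and cidrs & ANY_ADDR:
            return f"aws_security_group.{name}: ingress from 0.0.0.0/0 to port 22"

def s3_public_acl(name, bucket):
    if bucket.get("acl") in PUBLIC_ACLS:
        return f"aws_s3_bucket.{name}: ACL {bucket['acl']} grants public READ"

def user_data_keys(name, instance):
    if ACCESS_KEY_RE.search(instance.get("user_data", "")):
        return f"aws_instance.{name}: hardcoded AWS access key in user_data"

# One check per resource type; a check returning None means the resource passed.
CHECKS = {"aws_security_group": sg_ssh_open, "aws_s3_bucket": s3_public_acl,
          "aws_instance": user_data_keys}

def scan(tf):
    """Run each check over every resource of its type and collect the findings."""
    findings = []
    for rtype, check in CHECKS.items():
        for name, body in tf.get("resource", {}).get(rtype, {}).items():
            finding = check(name, body)
            if finding:
                findings.append(finding)
    return findings
```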
Container Security
Introducing the Amazon EKS Best Practices Guide for Security
“The guide covers a broad range of topics including pod security, network
security, incident response, and compliance. Each section includes an overview
of key concepts, followed by specific recommendations and recommended tools for
enhancing the security of your EKS clusters.” See the guide
here or on
GitHub.
eliasgranderubio/dagda
Elías Grande: “A tool to perform static analysis of known vulnerabilities in Docker
images/containers and to monitor running Docker containers for detecting
anomalous activities.” Loads CVEs and other known vulnerabilities, uses OWASP
Dependency Check and
Retire.js for analyzing dependencies,
uses Sysdig Falco for monitoring Docker
container behavior.
Azure/container-scan
A GitHub Action to help you scan your Docker image for vulnerabilities. Uses
Trivy to detect vulnerabilities in OS
packages (e.g. Alpine, RHEL, …) and application dependencies (Bundler, npm,
…). Uses dockle, a container linter,
to identify when you haven’t followed certain best practices when building an
image or you’re not following CIS Benchmark checkpoints.
Blue Team
ElasticPot
“A honeypot simulating a vulnerable Elasticsearch server opened to the
Internet.”
Open source continuous integration for Elastalert rules
“A Docker image that can be used to continuously test Elastalert rules against
Elasticsearch data, to verify that new rules and edits to existing rules work as
expected” by Feroz Salam.

Analysis of the 2020 Verizon Data Breach Report
Some excellent key take-aways from Daniel
Miessler (see full report
here):
- This year, they looked at 3,950 breaches and 157,525 incidents, 32,002 of which qualified to be analyzed by them
- 45% of breaches involved Hacking. Errors were causal events in 22% of breaches
- 70% were perpetrated by external actors (30% involved insiders).
- The top actor was by far Organized Crime, at 55%
- Nation-state, end-user, and system admins each took around 10% of the actor pool
- The top 2 breach threat actions were Phishing and Use of Stolen Creds.
- Within hacking, web applications accounted for over 95% of breaches. Over 80% involved using brute force or stolen creds
- Breaches that take days or less are rising, while those taking months or more are declining
Red Team
pry0cc/axiom
Neat tool by NaviSec Delta’s Ben Bidmead: “A set of
utilities for managing a small dynamic infrastructure on Digital Ocean for bug
bounty and pentesting. Run axiom-init
and watch as a new instance is created
in under 2 minutes containing everything you could ever want or need to run your
reconnaissance for your pentest, catch a shell in netcat, or VPN through.” Also
check out his blog for solid posts on OSINT, privilege
escalation, a reverse shell reference, and more.
One ring (zero) to rule them all
“Endpoint Detection and Response (EDR) is starting to rear its head in more and
more environments, constraining and making post exploitation activities more
difficult for operators. I expect over the next year or two, we will see kernel
land shenanigans become more mainstream and no longer just Techniques, Tactics
and Procedures (TTPs) of APTs and advanced red teams.” This post walks through
exploiting each of the vulnerabilities in the HackSys Extreme Vulnerable
Driver.
EgeBalci/sgn
“SGN is a polymorphic binary encoder for offensive security purposes such as
generating statically undetectable binary payloads. It uses an additive feedback
loop to encode given binary instructions.”
A Red Team Maturity Model
“A model to reference when gauging Red Team maturity, as well as set goals and
provide guidance when building internal Red Teams.”
sysdream/ligolo
A simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a
reverse connection over TLS. “Comparable to Meterpreter with Autoroute +
Socks4a, but more stable and faster.”
Tool Release – Socks Over RDP
Tool by NCC Group’s Balazs Bucsay: “Just like
SSH, upon connection a SOCKS Proxy is created on the client site, which can be
used to proxy everything over the existing RDP connection.”
Fuzzing
vfuzz
In tl;dr sec 021 I
called out a whitepaper about a nifty sounding fuzzer called Vrankenfuzz, which
has now been open sourced.
The author, Guido Vranken, has also released
cryptofuzz, a fuzzer that uses
differential fuzzing (basically, compare the outputs of two programs
implementing the same thing, differing output => bugs) to find over 50 bugs in
various crypto libraries.
Bugs on the Windshield: Fuzzing the Windows Kernel
In previous research,
Netanel Ben-Simon and Yoav
Alon used WinAFL to fuzz user-space applications
running on Windows, and found over 50 vulnerabilities in Adobe Reader and
Microsoft Edge. They then decided to target the Windows kernel.
They initially considered kAFL, a research fuzzer that leverages AFL style fuzzing to attack OS kernels, but quickly found that a syscall fuzzer could reach a bigger attack surface, so they went with syzkaller. Overall, they found 8 vulnerabilities, DoS bugs and deadlocks in the Windows 10 Kernel. See their OffensiveCon20 talk for more details.

Fuzzing: On the Exponential Cost of Vulnerability Discovery
FSE 2020 paper by Marcel Böhme and Brandon Falk:
We present counterintuitive results for the scalability of fuzzing. Given the same non-deterministic fuzzer, finding the same bugs linearly faster requires linearly more machines. Yet, finding linearly more bugs in the same time requires exponentially more machines. Similarly, with exponentially more machines, we can cover the same code exponentially faster, but uncovered code only linearly faster. In other words, re-discovering the same vulnerabilities (or achieving the same coverage) is cheap but finding new vulnerabilities (or achieving more coverage) is expensive. This holds even under the simplifying assumption of no parallelization overhead.
We derive these observations from over four CPU years worth of fuzzing campaigns involving almost three hundred open source programs, two state-of-the-art greybox fuzzers, four measures of code coverage, and two measures of vulnerability discovery. We provide a probabilistic analysis and conduct simulation experiments to explain this phenomenon.
Politics / Privacy
VPN Report 2020 – 35 Services
Lengthy report by AV Comparatives comparing 35 VPN services across features like
supported protocols (OpenVPN, PPTP, SOCKS, SSH, …), their logging policies,
pricing, tests if they’ll leak your IP if the VPN drops, and more.
Smile, You’re On Camera: The Facial Recognition World Map

Zoom End-to-End Encryption Whitepaper
A 25 page public proposal for implementing E2E encryption in Zoom.
Mozilla’s Fix-The-Internet Incubator
“We’re looking to invest in people, projects, and technologies that shape the
internet and have a positive impact without having to only worry about the
bottom line. Privacy over profit. No Shareholders. No data for sale.”
FBI: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
“These actors have been observed attempting to identify and illicitly obtain
valuable IP and public health data related to vaccines,
treatments, and testing from networks and personnel affiliated with
COVID-19-related research.”
OSINT
utkusen/shotlooter
By Utku Sen: Finds sensitive data inside the
screenshots that are uploaded to https://prnt.sc/ (via the LightShot software)
by applying OCR and image processing methods.

Misc
The seL4 Microkernel
“seL4 is a high-assurance, high-performance operating system microkernel. It is
unique because of its comprehensive formal verification, without compromising
performance. It is meant to be used as a trustworthy foundation for building
safety- and security-critical systems. seL4’s implementation is formally
(mathematically) proven correct (bug-free) against its specification and has
been proved to enforce strong security properties.”
Reddit Private RSS Feeds
“Get listings of your content (personalized front page, message panel, saved
listing, etc.) without having to deal with cookies or other auth.” Thanks
Daniel Miessler for the tip.
We Need To Talk: Marriage Counseling with Capitalism Itself
A beautifully illustrated philosophical discussion about Humanity, Capitalism,
and post-Capitalism, framed as a counseling session.
Experts Knew a Pandemic Was Coming. Here’s What They’re Worried About Next.
In case COVID-19 has you in an overly cheery mood, here’s a detailed discussion
of other crises, that are also feasible, that we may be even less prepared for.
Also 😖:
Every year, the intelligence community releases the Worldwide Threat Assessment—a distillation of worrisome global trends, risks, problem spots and emerging perils. But this year, the public hearing on the assessment, usually held in January or February, was canceled, evidently because intelligence leaders, who usually testify in a rare open hearing together, were worried their comments would aggravate President Donald Trump. And the government has not yet publicly released a 2020 threat report.
The 4th Great Unlock
In the last 20 years, there have been three unlocks in the business world that have created over $500 billion in shareholder value. I believe the fourth was revealed last week.
👉 Amazon investing in at-home Covid tests, plasma donors, PPE equipment, distancing, additional compensation, and protocols to adapt to a new world.
Great strategy cuts a swath between market conditions and a firm’s assets. Put more simply, strategy is a firm’s answer to the following question:
What can we do that is really hard?
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler