Hey there,
I hope you’re safe and healthy! Phew, a lot has happened since last week 😅
Oof, Current Events
I live in the Bay Area, and this past weekend I fell asleep to the sound of police sirens and helicopters. Though I’ve been very fortunate to be safe, there are many who have not been so lucky. A number of businesses within a short walking distance away have been looted and have since been boarded up for the time being.
Since the death of George Floyd, I’ve been heartened to see thousands of people across many cities protest the injustices many Americans face on a regular basis, and have for a long time. I’ve been saddened to see opportunists use the ongoing protests as cover to be violent and cause destruction.
Stay safe out there!
📜 In this newsletter...
🔗 Links:
- AppSec: Tool to brute-force Java RMI interfaces for code exec, game security overview, OWASP's list of static analysis tools, a code-aware grep tool, Twitter SAST snark
- Cloud Security: Integrating AWS Security Hub with Chatbot and Slack, log all AWS API calls with Client Side Monitoring
- Kubernetes: Using Gatekeeper in Kubernetes, Pod Security Policies with OPA, using Vault with Kubernetes
- Container Security: Tool to diff containers, tool to slim containers
- Blue Team: Linux security hardening, Mozilla's SSL config generator, steps to determine if an attacker is persisting using kernel-mode drivers or firmware implants, GitHub's analysis of an open source supply chain attack targeting NetBeans users
- Red Team: Script to perform local Linux enumeration and privilege escalation checks, IDA plugin that uses DynamoRIO for instrumentation, exfiltrate data via macOS calendar alerts, Golang CLI tool to search GTFOBins and LOLBAS, an Android post-exploitation framework
- Privacy: A Chinese province wants to label citizens based on their health data, governments introducing surveillance under the veil of coronavirus control
- Politics: A discussion about economy changes + automation + the continuing rise of inequality, history blurb on the Black Panthers and the FBI's counter-intelligence program, research-based solutions to stop police violence
- OSINT: Katas for learning Shodan basics
- Misc: Pimp your terminal, Magic the Gathering is Turing Complete, tips on adopting habits to be more productive
AppSec
RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution
Tool by Bishop Fox’s Jake Miller: “RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities.”
Game Security
A high level overview of the cheat and anti-cheat mechanisms in video games.
Source Code Analysis Tools
OWASP’s list of static analysis tools.
Semgrep: Stop grepping code
“Semgrep is an open-source tool that is like a code-aware grep: you can easily match all calls to a certain function, match all specific function arguments regardless of order, or find all cases where a call like A() occurs after B().”
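As an added illustration (my own rule file, not from the Semgrep docs or the linked post), two rules that exercise the capabilities just described: the first matches a keyword argument wherever it sits in the call, the second uses a statement sequence to find an `app.run()` that occurs after debug mode was switched on. Rule ids and messages are made up for this example.

```yaml
rules:
  # Matches any subprocess.* call that passes shell=True, regardless of where
  # the keyword sits among the other arguments: the leading and trailing "..."
  # absorb them. $FUNC is a metavariable that binds to the attribute name.
  - id: subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC called with shell=True; pass an argument list and drop
      shell=True so untrusted input is never interpreted by a shell
    pattern: subprocess.$FUNC(..., shell=True, ...)

  # Statement-sequence pattern: "..." between statements means "anywhere later
  # in the same block", so this reports the case where $APP.run() occurs
  # after $APP.debug = True, whatever code sits in between.
  - id: flask-debug-enabled-before-run
    languages: [python]
    severity: ERROR
    message: >-
      $APP.run() is reached after $APP.debug = True; the Werkzeug debugger
      exposes an interactive console and must not ship to production
    pattern: |
      $APP.debug = True
      ...
      $APP.run(...)
```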
SAST Snark on Twitter
There were some interesting threads on Twitter about challenges people have faced
with many modern SAST tools. Some snippets:
Cloud Security
Enabling AWS Security Hub integration with AWS Chatbot
“In this post, we show you how to configure AWS Chatbot to send findings from
AWS Security Hub to Slack. AWS Chatbot is an interactive agent that makes it
easy to monitor and interact with your AWS resources in your Slack channels and
Amazon Chime chat rooms.”

Client Side Monitoring
Scott Piper gives us the heads up on an AWS
SDK feature that appears mostly undocumented outside of the SDK source code. By
setting an environment variable, all AWS API calls will be recorded. “According
to the docs, this feature is ‘available only to customers with an Enterprise
Support subscription.’ This article will discuss what this is and how we can use
aspects of it without a fancy support contract.”
Kubernetes
Using Gatekeeper in Kubernetes
“Gatekeeper allows a Kubernetes administrator to implement policies for ensuring
compliance and best practices in their cluster. It makes use of Open Policy
Agent (OPA) and is a validating admission controller. The policies are written
in the Rego language. Gatekeeper embraces Kubernetes native concepts such as
Custom Resource Definitions (CRDs) and hence the policies are managed as
kubernetes resources.”
Kubernetes Pod Security Policies with Open Policy Agent
“First I will discuss the Pod Security Policy admission controller. Then we will
see how Open Policy Agent can implement Pod Security Policies.”
“Admission Controllers are part of the kube-apiserver. They intercept requests to the Kubernetes API server before configuration is stored in cluster settings (etcd). An admission controller can be validating (one which validates the incoming request) or mutating (one which modifies the incoming request) or both.”

How to setup Vault with Kubernetes

Container Security
GoogleContainerTools/container-diff
A tool for analyzing and comparing container images along criteria including: Docker image history, image filesystem and size, as well as apt, rpm, pip, and npm packages.
docker-slim/docker-slim
“docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need, reducing the attack surface of your container.” In some cases, up to a 30x slim down, whoa.
Blue Team
Linux Security Hardening and Other Tweaks
By @blakkheim: Full disk encryption, ensure your package manager uses only HTTPS mirrors, hardened kernel options, firewall, sudo, application sandboxing, etc.
Mozilla SSL Configuration Generator
Nifty web app that lets you select your server software (Apache, Golang, nginx,
…), how strict you want to be about cipher suites and a few other options, and
then it’ll generate a config for you. Nice!
Hardware Root of Trust — Bios and UEFI
“This article explains modern and antiquated protections which attempt to
prevent attackers who have already achieved root level access from persisting
via kernel-mode drivers or firmware implants. Much of the information comes from
the excellent Rootkits and
Bootkits book.”
“It provides a series of test steps which allow security engineers to determine
what attack vectors are available to an attacker who is looking to persist their
root level privileges beyond the capabilities provided by user-mode exploits.”
The Octopus Scanner Malware: Attacking the open source supply chain
Interesting deep dive by the GitHub SIRT team: they discovered “malware
designed to enumerate and backdoor NetBeans projects, and which uses the build
process and its resulting artifacts to spread itself. We uncovered 26 open
source projects that were backdoored by this malware and that were actively
serving backdoored code.”
Basically, Octopus Scanner determines if the infected machine uses NetBeans, and if so, infects every JAR file built by any project. The dropper ensures local persistence and connects to the attacker’s C2 servers. The malware also infected any JAR files that were available in the project, such as dependencies—not necessarily just build artifacts.
We found four different versions of infected NetBeans projects and in all but one of them, a downstream system (for example, someone who cloned an infected project) would get infected by either building from an infected repository or using any of the tainted artifacts that resulted from an infected build.

I feel like this is one of the first “interesting” attacks on open source I’ve seen. Previous instances were pretty simple and didn’t do anything neat to hide or spread. Honestly I’m surprised it’s taking this long for OSS supply chain attacks to ramp up, but maybe there’s already clever stuff out there we just don’t know about 🤔
Red Team
rebootuser/LinEnum
Script that performs a number of local Linux enumeration and privilege escalation checks. Gathers system info, info about current users (user lists, password policies, who has access to sudo, …), examines current (cron) jobs and services, finds SUID/SGID files, etc.
IDA Plugin: Dynamic Data Resolver (DDR)
Cisco Talos is releasing the 1.0 beta version of an IDA plugin that makes reverse-engineering malware easier by using instrumentation techniques (DynamoRIO) to resolve dynamic values at runtime from the sample.
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data
By NCC Group’s Andy Grant: “Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s machine, all the victim has to do is click on the invite.”
mzfr/go-gtfo
Golang CLI tool for searching GTFOBins (a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions) and LOLBAS (“living off the land binaries and scripts”).
entynetproject/ghost
“Ghost Framework is an Android post-exploitation framework that exploits the
Android Debug Bridge to remotely access an Android device. Ghost Framework gives
you the power and convenience of remote Android device administration.” It can
be used to remotely remove the passcode of an Android device if it has been
forgotten as well as access the remote Android device shell without using
OpenSSH or other protocols.
Entynetproject appears to also have post-exploitation frameworks for Linux, PHP, iOS/macOS, and Windows.
Privacy
Chinese Province Wants to Label Citizens by Their Health Rating Using Data on Their Sleep, Eating, and Exercising
“The Chinese province of Hangzhou has proposed that authorities assign a
permanent health rating to its residents, which would be based on people’s
medical records and lifestyle habits. Hangzhou’s health authority explained
that, when making the rating, it would consider indicators such as people’s
eating and drinking habits, whether they smoke and drink alcohol, how much they
exercised, and how much they slept the night before. If approved, both residents
and companies of Hangzhou will have colored health grades, with a score from 0
to 100.” Catch up, Black Mirror writers!
Safety Over Freedom: How Governments Introduce Surveillance Under Veil of Coronavirus Control
Nice overview of government surveillance under coronavirus. Also, check out this interactive map by a Russian non-profit showing the extent to which the governments of particular countries violate people’s privacy.

Politics
Concise Argument and Evidence That Steven Pinker is Wrong About How Good Things Are
For the past few years, I’ve been thinking a lot about how the U.S. and other
economies have been changing. In short, I think advances in automation, AI, and
robotics, are and will continue to eliminate broad swathes of former middle
class jobs. Inequality will continue to rise, which will stoke tensions and lead
to serious turmoil (or more) unless addressed. People whose jobs have been
automated won’t just suddenly become machine learning experts or other knowledge
workers without support and training. One reason I liked Andrew Yang is because
he seemed to be one of the few politicians who grokked this massive oncoming
(/ongoing) train wreck and was actively talking about it. I was glad to see this
article by Daniel Miessler, which lays out
the reasoning behind this concern clearly and concisely. I wish more people were
talking about this.
The Black Panthers and the FBI’s Counter-Intelligence Program
Tweet thread history lesson about how J. Edgar Hoover’s FBI had a secret project designed to spy on, infiltrate, and discredit every progressive activist movement, with a particular emphasis on African American civil rights leaders, especially the Black Panthers.
There’s also a booklet with more details, but the crazy thing is that the only reason we know this program existed is that in 1971 a group of white activists broke into an FBI field office in Pennsylvania, stole a bunch of documents and revealed the existence of the then-secret COINTELPRO operation to the public.
Research-based solutions to Stop Police Violence
Interesting Twitter thread on studies about what actually decreases police
violence in practice. Some of the results may surprise you.
Also, uhhh what:
50 cities and 15 states restrict interrogations by limiting how long an officer can be interrogated, who can interrogate them, the types of questions that can be asked, and when an interrogation can take place.
41 cities and 11 states give officers under investigation access to information that civilian suspects don’t get, including 16 cities that allow officers to review all evidence against them prior to being interrogated.
“Here’s everything we know so uhh, what happened again?”
64 cities and 10 states limit disciplinary consequences for officers, for example by preventing an officer’s history of past misconduct from being considered in future cases, and/or limit the capacity of civilian oversight structures or the media to hold police accountable.
43 cities and 4 states erase records of misconduct, in some cases erasing records after 2 years or less.
OSINT
ninoseki/shodan-dojo
Katas for learning the basics of Shodan search.
Misc
Pimp My Terminal
Some tips and tricks for building an awesome terminal UX - color schemes (e.g. gogh), useful aliases, lsd as a better ls, bat as a better cat, customizing bash/zsh prompts, zsh-autosuggestions, and more.
Magic: The Gathering is Turing Complete
An academic paper proving that there is still good in this world, or, at least
people with a bit too much free time 🤘
Magic: The Gathering is a popular and famously complicated trading card game about magical combat. In this paper we show that optimal play in real-world Magic is at least as hard as the Halting Problem, solving a problem that has been open for a decade. To do this, we present a methodology for embedding an arbitrary Turing machine into a game of Magic such that the first player is guaranteed to win the game if and only if the Turing machine halts. Our result applies to how real Magic is played, can be achieved using standard-size tournament-legal decks, and does not rely on stochasticity or hidden information.
How a Lazy Bitch like me learned to be Productive
Getting yourself to do something beyond your routine is really hard, and we can
only do so much of that per day. The key is good habits, which, if you’re
interested in, you should absolutely read James Clear’s book Atomic
Habits,
which is excellent. Here are Madison’s three rules:
- I only make one or two habits each month.
- I do them in small quantities every single day the first month. I never push it too hard during the first 30 days, but I also do it every single day, no matter how I feel.
- I never go over my goal for the first month. So if my goal is to write for an hour daily I don’t let myself go over one hour/day for the first month. This is to give my brain some peace of mind; if I set consistent expectations with it, then even on the days when I don’t want to do my new habit, my brain knows there’s a set end time/amount that I won’t go over, and it reluctantly agrees.
By adding a couple high-quality new habits each month, in 6 months I’m virtually unrecognizable.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler