Hey there,
I hope you’ve been doing well!
Upcoming CFPs
Cyber June’Gle Virtual Summit
Conference: June 27-28, 2020.
Call for papers | Call for trainers
LASCON
CFP deadline: June 30th, conference will be October 29-30.
Call for papers | Call for trainers
BlackHat EU
CFP deadline: July 20th, conference will be November 9-12.
Call for papers | Call for trainers already closed on March 30th.
Sponsor
📢 Sr. Cloud Security Engineer @ Netflix
Netflix is looking for a Sr. Cloud Security Engineer to lead our charter on identifying and auto remediating suspicious activities in AWS. Come join us to be part of a team that strives to securely operate one of the largest AWS deployments. Apply here
Netflix’s cloud security team does some pretty cool work 👍
Check out Travis McPeak and Will Bengston’s AppSec Cali 2019 talk, Netflix’s Layered Approach to Reducing Risk of Credential Compromise, or Will’s talk Detecting Credential Compromise in AWS for details.
📜 In this newsletter...
🔗 Links:
- AppSec: OWASP's component analysis page, Madhu Akula's talks, trainings, slides, and more
- Web Security: Understanding web security in Firefox, NodeJSScan v4, InQL Scanner v2, NahamCon2020 slides, the dangers of browsers' copy and paste APIs
- Cloud Security: Cloud pen test cheatsheets, denial of wallet attacks, S3 find and forget, AWS' managed artifact repository service
- Container Security: GKE kubelet TLS bootstrap privilege escalation, Kubernetes Goat, Starboard Octant plugin
- Blue Team: Open source project to speed up the creation of security vulnerability reports, walkthrough of deobfuscating a trojan's initial stager, study on how fast unsecured databases are attacked
- Red Team: A survey of recent iOS kernel exploits, PE parsing and defeating AV/EDR API hooking, find known exploits for a Windows target given its build number, a speculative execution attack that works across cores, hashcat v6
- Politics / Privacy: Facebook paid a third-party for a Tails 0day and gave it to the FBI to catch a child predator, digital security advice for journalists covering protests, many officers' personal info leaked online, China is forcibly repatriating dissidents and activists living in other countries, a former CIA officer on U.S. police culture
- Misc: Machine learning field guide, jq playground, interview with Marc Andreessen, graph database of related academic papers, Command & Conquer source code released, the best code is no code
- Program Analysis: Facebook built a model that can translate code between C++, Java, and Python, a workshop on the state of the art in program analysis, AWS paper on integrating formal verification into the development of the AWS C Common Library
Chris Frenz on the importance of empirically measuring the effectiveness of your security controls.
AppSec
OWASP: Component Analysis
OWASP’s page on third party dependency security. It includes an overview of the
problem space and a list of tools at the bottom. H/T Julian Berton
Talks, Workshops, Trainings, Slides, Videos, Book Content
Madhu Akula released a fair amount of content
on his site, covering topics like cloud native infrastructure security,
container security, and more.
Web Security
Understanding Web Security Checks in Firefox (Part 1)
By Mozilla’s Christoph Kerschbaumer and Frederik
Braun: “This is the first part of a blog post
series that will allow you to understand how Firefox implements Web Security
fundamentals, like the Same-Origin Policy. This first post of the series covers
the architectural design, terminology, and introduces core interfaces that our
implementation of the Same-Origin Policy relies on.”
ajinabraham/nodejsscan
Ajin Abraham released v4 of NodeJSScan, the
premier open source static analysis tool for Node.js apps.
InQL Scanner v2 is out!
Major update for Doyensec’s GraphQL testing
tool: syntax highlighting and code completion, it now includes an embedded GraphiQL
server, “Send to GraphiQL” from Burp, and a tabbed editor with multi-query and
variables support.
NahamCon2020 Slides
I definitely recommend checking out Jason Haddix’s The Bug Hunter’s Methodology v4 Recon slides. Jason consistently gives some of my favorite talks in security - info-packed, actionable, with tons of supporting links. They’re a great way to quickly get up to speed about the latest and best tools in a space. Louis Nyffenegger also gave a nicely detailed talk: JWT: jku x5u attacking json web tokens.
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers
Michał Bentkowski: Browsers expose an API that
lets you set arbitrary clipboard content from JavaScript. An attacker could use
this functionality to store an XSS payload in a victim’s clipboard, potentially
exploiting another site the victim tries to paste text into that has a WYSIWYG
editor. Browser vendors try to protect users from these attacks by sanitizing
content on pasting. This post explains 4 security issues in browsers and 5
vulnerabilities in rich editors that earned Michał $30,000.
Cloud Security
CloudPentestCheatsheets
Quick command examples and notes for each major cloud platform by Beau Bullock.
Denial of Wallet Attacks on AWS
Scott Piper describes an attack where the goal is not to bring a site down (e.g. DDoS), but rather to run up a large server bill. He recommends setting up a billing alert for when your estimated charges exceed a threshold. You can use Service Quotas to limit activity. The post lists a number of other interesting attacks and recommended mitigations.
Amazon S3 Find and Forget
“A solution to handle data erasure requests from data lakes stored on Amazon S3,
for example, pursuant to GDPR”.
Software Package Management with AWS CodeArtifact
“A fully managed artifact repository service to help securely store and share
the software packages used in development, build, and deployment processes.”
Currently supports Maven and Gradle (Java), npm and yarn (JavaScript),
and pip and twine (Python), with more to come.
Container Security
Introduction to GKE Kubelet TLS Bootstrap Privilege Escalation
By Rhino Security’s Jack Ganbold: “We will exploit Kubernetes’s kubelet with TLS Bootstrapping to gain cluster admin access in the GKE cluster.”

Kubernetes Goat
An intentionally vulnerable Kubernetes cluster for learning and practicing, by Madhu Akula.
Starboard Octant Plugin
“An Octant (Kubernetes workload visualizer) plugin for
Starboard (a K8s-native security
tool kit by Aqua Security) which provides visibility into vulnerability
assessment reports for Kubernetes workloads stored as custom security
resources.”
Blue Team
VULNRΞPO
“VULNRΞPO is a free open source project designed to speed up the creation of IT
Security vulnerability reports. Complete templates of issues, AES encryption,
Nessus/Burp/OpenVAS issues import, Jira export, TXT/HTML/PDF report,
attachments, automatic changelog and statistics, vulnerability assessment,
vulnerability management, secure issues sharing.”
[Zero2Auto] – Initial Stagers - From one Email to a Trojan
“This week we have discussed deobfuscating initial stagers and how to unpack
their executable payloads. And what I’ve decided to do, to practice this week
lesson is to find actual malware on any.run and unpack its entire initial
stage.”
Unsecured databases attacked 18 times per day by hackers
Researchers set up an Elasticsearch honeypot and studied what happened. It was
first attacked 8.5 hours after being deployed and was attacked twice within one
minute of being indexed by Shodan. Three dozen attacks occurred before it was
indexed by search engines, indicating that attackers are proactively scanning
for targets. In total, 175 attacks were observed over 11 days.
Red Team
A survey of recent iOS kernel exploits
By Google Project Zero’s Brandon Azad: “This post
summarizes original iOS kernel exploits from local app context targeting iOS 10
through iOS 13, focusing on the high-level exploit flow from the initial
primitive granted by the vulnerability to kernel read/write. At the end of this
post, we will briefly look at iOS kernel exploit mitigations (in both hardware
and software) and how they map onto the techniques used in the exploits.”
PE Parsing and Defeating AV/EDR API Hooks in C++
“This post covers several topics, like system calls, user-mode vs. kernel-mode,
and Windows architecture.”
Patch Checker
By deadjakk: “Enter a list of installed KBs and select your build number to see if the system is patched against known public Windows privilege escalation exploits.” Source.
CROSSTalk
“For the first time, we show that speculative execution enables attackers to
leak sensitive information also across cores on many Intel CPUs, bypassing all
the existing intra-core mitigations against prior speculative (or transient)
execution attacks such as Spectre, Meltdown, etc.”
hashcat v6.0.0
The password cracking tool has added 51 new hash mode algorithms and a number of
other improvements.
Politics / Privacy
Facebook Helped the FBI Hack a Child Predator
A serial online harasser of young women was so adept at covering his digital
tracks that Facebook worked with a third-party company to develop a 0day for
the privacy-focused operating system Tails, supposedly costing six figures.
The FBI used this 0day to unmask the man’s real IP address, which led to his
arrest. “Hernandez was so notorious within Facebook that employees considered
him the worst criminal to ever use the platform, two former employees told
Motherboard.”
Reflections
Not infrequently, I include articles in tl;dr sec that are critical of
Facebook. I’m not a fan of their track record on user privacy, and I think that
by optimizing for engagement, like Youtube and Twitter, Facebook has contributed
to the polarization in America.
That said, I happen to know that
Facebook has a team of highly talented people dedicated to finding abusers
on its platform. This team is not required by law, is purely a cost center to
Facebook, but is trying to do the Right Thing: protecting people who are
vulnerable. And I respect that.
Digital Security Advice for Journalists Covering the Protests Against Police Violence
By the EFF.
Report: Officers’ personal information leaked online
“Multiple high-ranking police officials in a number of cities, including
Washington, Atlanta, Boston and New York have had their personal information
shared on social media, including their home addresses, email addresses and
phone numbers. At least one of the police commissioners was targeted for his
alleged support of the use of tear gas to disperse protests.”
“It is not illegal to post the personal information of law enforcement officers
online, though many social media companies specifically prohibit its sharing as
part of their terms of service.”
The Disappeared
“Beijing’s policy of forcibly repatriating people it considers Chinese nationals
— some of whom are in fact citizens of other countries — appears to be
accelerating. Powerful businessmen, ex-Chinese Communist Party officials,
dissidents, and activists have all been targeted as part of what Western
intelligence officials say appears to be a large-scale campaign.”
I’m a cop. I won’t fight a ‘war’ on crime the way I fought the war on terror.
We need to change our mind-set about what it means to ‘police’ in America.
Our war on crime is producing the same fragile, anti-resilient communities in which an inevitable spark produces inevitable conflagration.
At the CIA, I worked in failed states where there was a shortage of everything but weapons and strife. We are replicating our failures abroad here at home.
Misc
jq Playground
Play with the command-line JSON processor jq in your
browser, with a helpful cheat sheet at the bottom.
The Observer Effect: Marc Andreessen
Interview with Marc Andreessen about productivity,
the value of open time/delegation, goals and systems, process, outcomes, and
bets, books, on learning and viewpoints, improvement and motivation, and his
recent ‘build’ essay.
🔥 Connected Papers: Explore connected papers in a visual graph
Super cool graph mapping of academic papers, linked by citations. Example use
cases: getting a visual overview of a new academic field, keeping up with recent
papers in your field, and discovering relevant prior and derivative works.
H/T Caleb Fenton for the link.

EA is releasing the source code for Command & Conquer: Red Alert and Tiberian Dawn
H/T Isaac Evans.
The best code is no code
“Remember, the value you provide is to solve the problem you are faced with (the
outcome), not to write code. Custom code has value, but comes with costs. It
needs to be deployed, maintained and upgraded. It has bugs. It requires a
developer to change.” It also has opportunity costs: you’re not building
something else that might be more urgent or important. Keep focus on solving the
business problem and be aware that custom code isn’t always the right answer.
Program Analysis
My heart is filled with joy that there were enough links this week to justify giving program analysis its own section 😍
Facebook’s TransCoder AI converts code from one programming language into another
Facebook has built a “neural transcompiler” that can convert code between C++,
Java, and Python. It uses unsupervised learning, was trained on 2.8 million
open source repos from GitHub, and targets translation at the function level.
“And while it wasn’t perfect — TransCoder failed to account for certain variable
types during generation, for example — it outperformed frameworks that rewrite
rules manually built using expert knowledge.” (paper)
Related: OpenAI demoed a model that uses English-language comments to generate
entire functions, and researchers at Rice University created Bayou, which can
write its own programs by associating “intents” behind publicly available code.
Workshop on the State Of the Art in Program Analysis
A 7 hour recording of this workshop with academics and industry. Includes some papers as well as tool talks. See here for the full program.
If you’ve been looking for a new show to #quaranbinge with your partner, give it a try 😉 (You won’t believe the results in the third paper, what a twist! 😱)
How to integrate formal proofs into software development
“On AWS’ Automated Reasoning team, we’ve piloted several projects on integrating formal verification into the software development process. Some involve verification at the protocol level; some involve generating code directly from a verified specification; and some involve verification at the code level itself.” They discuss their methodology during development work on the AWS C Common Library, an open-source repository of functions used by several other AWS libraries, including widely used AWS SDKs.
Their upcoming ICSE paper includes 6 key components:
- Function specification in the same language as the code - in this case, C. “We have found that ease of adoption more than makes up for the loss of expressivity.”
- Declarative function specification - the verification team provides a library of functions that enables developers to write such declarative specifications in a familiar imperative language.
- Code-embedded specifications - Function preconditions and postconditions are specified inline (see below).
- A proof model that uses a familiar “unit test” syntax - Except that, rather than a sequence of concrete inputs, the user specifies a range of possible inputs. This can then automatically be converted into the type of mathematical expression that automated provers are designed to evaluate.
- Bug repair - They’ve found that one of the most effective means of selling developers on the utility of formal verification is for the verification team to not only identify bugs but provide code patches for them.
- Continuous integration - New code is scanned on checkin to provide developers with immediate feedback.
Using our methodology, one full-time verification engineer and two interns, working together with the development team, were able to specify and verify (with some assumptions) 171 entry points (points in the program where the user can input data) over nine key modules of the library.
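As an added illustration of those components (my own example, not code from the AWS C Common Library or the paper), here is a small bounded buffer whose validity predicate, preconditions and postconditions are written in C itself, plus a harness that takes a range of inputs rather than one concrete case. The REQUIRE/ENSURE macro names and the exhaustive enumeration standing in for a model checker's nondeterministic inputs are my assumptions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical spec macros (my own names, not aws-c-common's): the
 * specification lives in C itself, checked at the function boundary. */
#define REQUIRE(cond) assert(cond) /* precondition */
#define ENSURE(cond) assert(cond)  /* postcondition */
struct byte_buf { uint8_t *buffer; size_t len; size_t capacity; };

/* Declarative spec written in plain C: what "valid" means for a byte_buf.
 * Developers can read and extend it without learning a proof language. */
bool byte_buf_is_valid(const struct byte_buf *b) {
    return b != NULL && b->len <= b->capacity &&
           (b->capacity == 0 || b->buffer != NULL);
}

/* Append n copies of v. Returns false and leaves buf unchanged if the
 * bytes would not fit. Pre- and postconditions are embedded inline. */
bool byte_buf_append_fill(struct byte_buf *buf, uint8_t v, size_t n) {
    REQUIRE(byte_buf_is_valid(buf));
    size_t old_len = buf->len;
    if (n > buf->capacity - buf->len) { /* subtract first: no size_t wrap */
        ENSURE(byte_buf_is_valid(buf) && buf->len == old_len);
        return false;
    }
    for (size_t i = 0; i < n; i++) buf->buffer[old_len + i] = v;
    buf->len = old_len + n;
    ENSURE(byte_buf_is_valid(buf) && buf->len == old_len + n);
    return true;
}

#define MAX_CAP 8
/* Proof harness in "unit test" shape: it accepts any (len, capacity, n)
 * inside the assumed bounds and checks the contract. A bounded model checker
 * would make these nondeterministic; check_all_bounded() enumerates instead. */
bool harness_append_fill(size_t len, size_t capacity, size_t n) {
    uint8_t storage[MAX_CAP];
    if (capacity > MAX_CAP || len > capacity) return true; /* outside assumptions */
    struct byte_buf b = { capacity ? storage : NULL, len, capacity };
    bool ok = byte_buf_append_fill(&b, 0x41, n);
    bool fits = n <= capacity - len;
    return byte_buf_is_valid(&b) && ok == fits &&
           b.len == (fits ? len + n : len);
}

bool check_all_bounded(void) {
    for (size_t cap = 0; cap <= MAX_CAP; cap++)
        for (size_t len = 0; len <= cap; len++)
            for (size_t n = 0; n <= MAX_CAP + 1; n++)
                if (!harness_append_fill(len, cap, n)) return false;
    return true;
}
```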

📚 The Need for Evidence Based Security
By Chris Frenz:
Compliance needs to be viewed as a minimum baseline and not an end goal, as shooting for compliance alone is like shooting for a D grade in a class. Sure, you may pass, but you are not really doing a great job.
As security professionals we need to begin to develop ways to empirically measure what controls work to protect our environment against a given threat and what do not. Even for controls that are proven effective, we need to empirically establish that the controls were deployed properly and to an adequate level.
Sure, having that new high end next-gen AV package is great, but has it ever been tested in your environment to see what threats may be able to bypass it? For the threats that can bypass it, how effective are the other layers of controls in your environment to mitigate (e.g. network segmentation) or detect (e.g. a DNS sinkhole) the threat of a now compromised end point? Do you know how fast your staff can detect, mitigate, and otherwise respond to an incident? If you can’t concretely answer some of these questions, how do you really know how secure your environment truly is?
When your pen test or attack simulation succeeds in achieving some objective via a specific exploit, consider the broader implications, as there may be other efforts that are a better use of resources than just patching that exploit. For example, the vulnerable system may currently be used as a trivial pivot point to access critical internal resources. By making pivoting from this system harder, you are net reducing more risk, as there will always be new exploits.
Once controls are added or modified, repeat the testing and empirically determine how well the newly implemented or modified controls actually work by comparing the before and after testing metrics.
Even threats that have already been tested against should be periodically retested, as changes that negatively impact security can often be introduced into an environment over time.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler