[tl;dr sec] #64 - Kubernetes Guide, XSS for PDFs, SolarWinds FTL

Hey there,

Hope you’ve been doing well!

2020 has been tough, but we can all relax and enjoy the holidays, no matter how humble.

The Joy of #collabs

Recently I’ve been working on several blog posts with a few friends, and it’s been so fun.

Yesterday we launched tl;dr sec’s first guide on Kubernetes security, written by my bud Mark Manning. More on that below, it’s awesome.

Keep an eye out for more collaborations and guest posts from top notch people next year 😎

Break for the Holidays

I’m taking the next two weeks off for Christmas and New Years.

tl;dr sec will be roaring back to your inbox the first week of January with new found resolve – more great resources, more original content, and it’ll be hitting the gym 5 days a week, no exceptions.

AppSec

Comparing BSIMM & SAMM
Brian Glas, a contributer to OWASP SAMM, describes BSIMM has descriptive (you compare your company’s state and initiatives to what other orgs are doing) and SAMM as prescriptive (you should do these things as you increase your security posture).

“The BSIMM is not a traditional maturity model where a set of activities are repeated at multiple levels of depth and breadth—do something at level 1, do it more at level 2, do it better at level 3, and so on. Instead, the BSIMM comprises a set of unique activities, with activity levels used only to distinguish the relative frequency with which the activities are observed in organizations.

For SAMM, each of the security practices has three defined maturity levels and an implicit starting point at zero. They generally represent:
0) Implicit starting point representing the activities in the practice being unfulfilled
1) Initial understanding and ad-hoc provision of security practice
2) Increase efficiency and/or effectiveness of the security practice
3) Comprehensive mastery of the security practice at scale

Web Security

Portable Data exFiltration: XSS for PDFs
Write-up of Gareth Heyes’ Black Hat EU 2020 research.

Did you know that controlling a measly HTTP hyperlink can provide a foothold into the inner workings of a PDF? In this paper, you will learn how to use a single link to compromise the contents of a PDF and exfiltrate it to a remote server, just like a blind XSS attack.

I’ll show how you can inject PDF code to escape objects, hijack links, and even execute arbitrary JavaScript - basically XSS within the bounds of a PDF document.

Easily Identify Malicious Servers on the Internet with JARM
Salesforce’s John Althouse describes a newly released tool, JARM, an active TLS server fingerprinting tool, which can be used to:

• Quickly verify that all servers in a group have the same TLS configuration.
• Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.
• Identify default applications or infrastructure.
• Identify malware command and control infrastructure and other malicious servers on the Internet.

Silas Cutler gave JARM a spin and wrote about his findings in this blog post. In short, he found that “JARM fingerprints alone are rarely (not always) unique enough to be a reliable method for clustering.”

Deep Dive into Site Isolation (Part 1)
This post by Jun Kokatsu well deserves the term “deep dive.” He describes how Site Isolation and related security features work, and walks through several bugs he found in Chrome’s implementation. See also his presentation at bugSWAT.

Site Isolation is a security feature that separates web pages from each Site to its own process. With Site Isolation, the boundary of a Site is aligned with OS-level process isolation, instead of in-process logical isolation, such as the same-origin policy.

I also found this intuition interesting (highlights are mine):

In my approach for bug hunting for Chrome, I would usually start with manual testing rather than code audit. This is because the Chrome team is generally good at code reviews. So I think that most of the logical bugs that slip through their code reviews are difficult to find by code audit. Therefore, I followed the same methodology when I began looking at Site Isolation.

Demystifying the Server Side
Ekoparty 2020 workshop (video) by Harsh Jaiswal, Rahul Maini, and Rajanish Pathak covering server-side vulnerabilities like SSRF, XXE, Remote Code Execution and reverse proxy attacks. Includes a number of interesting case studies.

XS-Leaks Wiki
Wiki by some Googlers describing and providing PoC code for how malicious websites can use side-channels to infer information about users, as well as defense mechanisms. The source is on GitHub.

Cloud Security

How To Protect Sensitive Data in Terraform
Guide by Digital Ocean: “In this tutorial, you’ll hide sensitive data in outputs during execution and store your state in a secure cloud object storage, which encrypts data at rest.”

AWS Audit Manager Simplifies Audit Preparation
Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”

Semgrep for Cloud Security
Marco Lancini walks through using Semgrep for Terraform files and Kubernetes YAML, including writing new rules.

In a few hours, thanks to the official documentation and Playground, I was able to go from absolute 0 to writing my first rules.

Container Security

stealthcopter/deepce
Tool by Matthew Rollings: “Docker Enumeration, Escalation of Privileges and Container Escapes.”

Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
Kamil Potrec describes how Kubernetes container isolation impacts privilege escalation attacks, and shows using common kernel exploitation techniques to figure out how container abstractions layers can hinder one’s path to that precious root shell.

Politics / Privacy

Cloudflare’s privacy-first Web Analytics is now available for everyone
You can now use Cloudflare’s web analytics offering for free just by including a JavaScript file, even if you aren’t a customer. “Cloudflare Web Analytics does not use any client-side state, such as cookies or localStorage, to collect usage metrics. We also don’t ‘fingerprint’ individuals via their IP address, User Agent string, or any other data for the purpose of displaying analytics.

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Whoa, a pretty impressive supply chain attack. A reflection Twitter thread by Alex Stamos:

The overall security quality of enterprise IT products is terrible and that is the responsibility of every F500 CIO, CISO and board for creating the wrong incentives. I include myself in this.

There are dozens of companies that represent critical, systemic risk across the public and private sector and most of the “security community” has interacted with none of them. The outside pressure that has pushed consumer IT to improve does not exist for most of IT.

See also the excellent (and hilarious) Virus Bulletin keynote by Haroon Meer and Adrian Sanabria: The security products we deserve.

I Was the Homeland Security Adviser to Trump. We’re Being Hacked

The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.

While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.

The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.

OSINT / Recon

Analysis of the RECON/Attack Surface Management Space
Daniel Miessler believes this space breaks down into several overlapping areas, which will probably all merge into Attack Surface Management within ~3-6 years.

1. Attack Surface Management
2. Asset Inventory
3. Bounty Researcher Tooling
4. Discovery, Monitoring, and Alerting
5. Reporting and Remediation
6. Vulnerability Discovery and Management

In my opinion, there are meaningful differences and trade-offs if you come at this from a whitebox or blackbox perspective. Both have strengths and weaknesses, and based on some chats I’ve had with Caleb Sima, seems like companies might need both.

📚 Risk8s Business: Risk Analysis of Kubernetes Clusters

A few weeks ago I was catching up with Mark Manning. One thing led to another, and next thing I knew we had decided to write a meaty Kubernetes security guide. It happens.

I’m especially excited to share this with you because Mark is legit - he spent several years at NCC Group doing largely Kubernetes and container security projects for a wide array of clients, and he helped build out NCC Group’s Kubernetes and container practice.

The guide ramps you up on Kubernetes terms and how the pieces fit together if you’re new, then dives into how to get the lay of the land of your Kubernetes environment and how to take a measured approach to meaningfully reduce your security risk.

It’s approachable, actionable, and downright funny. Here’s a taste:

Read the guide

One more thing before I go – forgive me this self-indulgence, but if you’ve found tl;dr sec useful, I’d really appreciate you forwarding this email if there’s anyone who you think would like it, or sharing tl;dr sec on Twitter or LinkedIn. Thanks and happy holidays! 🙏 🎄

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!