Hey there,
I hope you’ve been doing well!
A bunch of people signed up this week, so I just wanted to say hi 👋
Welcome, I’m glad you’re here! You’re among friends.
Srsly Risky Biz
You’ve probably already heard of the widely popular Risky Biz podcast, but did you know there’s also a Risky Biz newsletter written by Brett Winterford?! 🤯
I like how it often takes a topic or theme and then nicely collects a broad swathe of relevant supporting links into one place for easy review, and then ties it together with Brett’s analysis and some jokes and wordplay. Example: Ransom payouts spell trouble for insurers.
If you enjoy long form content about security and privacy-related current events, check it out!
Over 5,000 Subscribers, Giving Back
Recently tl;dr sec surpassed 5,000 subscribers, which is crazy! 🚀
I’ve been reflecting on how lucky I feel to get to do something I love (read too much security content) and share it.
I’m in such a fortunate position, so I want to give back.
I know there are a lot of people in the U.S. right now who are food insecure, so I posted on LinkedIn and Twitter that I’ll donate $1 to Feeding America’s Coronavirus Response fund for every like, re-tweet, or share over the next week.
If you’d like to contribute as well, you can do so here.
Here’s to a better 2021!
Sponsor
📢 RASP that works.
Sqreen helps security leaders protect their applications, APIs and microservices from data breaches. As opposed to traditional solutions that monitor requests at the network level, Sqreen's next-gen RASP analyzes how each request is executed at the application level to identify and block malicious user behavior, not just malicious IPs. Join the 800+ organizations who have deployed Sqreen's RASP in Production.
Learn more and schedule a demo
📜 In this newsletter...
🔗 Links:
- AppSec: Bypassing signature checks with Electron, SANS Virtual Summits are free, writing custom static analysis rules in Brakeman and Semgrep
- Web Security: Bypassing JavaScript encryption walkthrough and lab, glossary of blind SSRF chains
- Cloud Security: How AWS Lambda manages security, creating least privilege custom roles in GCP, OpenID proxy for static sites hosted in S3
- Container Security: Worst case scenarios when creating overly permissioned Kubernetes pods
- Politics / Privacy: North Korea is targeting security researchers
- OSINT / Recon: Automating internal threat intelligence and inventory, primer for @TomNomNom's recon tools
- Misc: Fauci in slow motion in all his glory, fraud reports are higher without shared beers and can SEC rules tackle a range of problems?
- Twitter: Scott Piper has strong opinions on cast irons, InfoSec awareness sea shanty by Rachel Tobac
AppSec
A ‘Novel’ Way to Bypass Executable Signature Checks with Electron
Parsia Hakimian gives an overview of analyzing the attack surface of app update mechanisms on Windows, including 6 relevant bugs. He then demonstrates how to bypass signature checks using signed Electron binaries and backdoored app.asar files.
SANS Virtual Summits FREE in 2021
Nice, usually SANS stuff is $$$.
Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep
So you’re doing a code review and you find some code base-specific pattern that
likely indicates a bug (e.g. authn/authz). You’d like to search for this code
pattern across thousands of files, but because this pattern is unique to this code
base, no SAST tool is going to have a rule for it out of the box. This is the
perfect opportunity for writing a custom rule.
Include Security’s Jason Kielpinski walks through his experiences writing custom rules in both Brakeman and Semgrep.
Web Security
Client Side Encryption Bypass Part-1
This article by Sameer Bhatt gives a nice example of why you can never trust client side code (e.g. JavaScript). If you’re testing an app that’s trying to obscure its parameters and server responses:
- First find where the logic is implemented. You can do this via the Developer tools and Ctrl+f-ing for potentially relevant function names, or inspecting DOM elements and looking for onClick or other registered callbacks.
- Then set breakpoints, step through the code, and modify it as necessary; after all, it’s running in your browser 😉
Sameer also includes a Docker image practice lab.
A Glossary of Blind SSRF Chains
Blind SSRF is when you can cause a server to make a
request to an arbitrary URL but you can’t see the result. Assetnote co-founder Shubham Shah presents a
cheatsheet of high impact blind SSRF targets including
Elasticsearch, Weblogic, Hashicorp Consul, Struts, Confluence, Jira, Jenkins,
Docker, and many more. Other tips include “SSRF canaries,” using DNS and AltDNS to
find internal hosts, and side channel leaks. (GitHub repo)
Cloud Security
Security Overview of AWS Lambda
20 page PDF by Amazon on how Lambda
manages security: process sandboxes, microkernel, hypervisors, how to monitor and
audit Lambda functions, and more. H/T Mark
Manning for sharing.

Google Cloud IAM Custom Role and Permissions Debugging Tricks
Darkbit’s Brad Geesaman describes
the process of creating a custom GCP IAM role to follow least privilege,
including using the IAM Policy Troubleshooter.
wolfeidau/website-openid-proxy
By Mark Wolfe: “This service provides OpenID
authenticated access to a static website hosted in an S3 bucket,” using AWS API
Gateway HTTP APIs, powered by AWS Lambda.
Container Security
Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes?
Bishop Fox’s Seth Art describes eight insecure
pod configurations and the corresponding methods to perform privilege
escalation:
- Allowing everything
- Privileged and hostPid
- Privileged, hostPath, hostPid, hostNetwork, or hostIPC only
- Nothing allowed
See this repo for a collection of manifests that map to these configs.
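As an added illustration (my own snippet, not code from Seth’s post or the repo), here’s a small Python checker that flags the pod-spec settings those configs are built from, given a manifest already parsed into a dict:

```python
from typing import Dict, List

# Added example, not code from Seth Art's post or the Bad Pods repo: flag the
# pod-spec settings that the eight "bad pod" configs are built from. Input is
# a pod manifest already parsed into a dict (e.g. with yaml.safe_load()).

HOST_NAMESPACE_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def find_risky_settings(pod: Dict) -> List[str]:
    """Return one finding per dangerous setting, in manifest order."""
    spec = pod.get("spec") or {}
    findings = []
    # hostPID exposes host processes, hostNetwork the node's interfaces and
    # local services, hostIPC the shared memory of host processes.
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag) is True:
            findings.append(f"spec.{flag}=true")
    # A hostPath volume (worst case "/") lets the pod read or rewrite the node.
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path", "?")
            findings.append(f"hostPath volume '{vol.get('name', '?')}' mounts {path}")
    # A privileged container gets every capability and raw host device access.
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"container '{c.get('name', '?')}' is privileged")
    return findings


def is_everything_allowed(pod: Dict) -> bool:
    """The post's worst case: all host namespaces, hostPath and privileged."""
    found = find_risky_settings(pod)
    return (all(f"spec.{f}=true" in found for f in HOST_NAMESPACE_FLAGS)
            and any(f.startswith("hostPath volume") for f in found)
            and any(f.endswith("is privileged") for f in found))


# Constructed sample in the shape of the post's "privileged and hostPid" config.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "priv-hostpid"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "ubuntu",
                        "securityContext": {"privileged": True}}],
    },
}
```

Run it over manifests pulled from a cluster (or in admission) and anything it returns is a candidate for one of the escalation paths in the post.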
Politics / Privacy
New campaign targeting security researchers
Google’s Threat Analysis Group has identified an ongoing campaign targeting
security researchers working on vulnerability research and development at
different companies and organizations, likely a government-backed entity based
in North Korea. They set up fake social media accounts and security research
blogs to build trust, and then compromise targets via sharing a backdoored
Visual Studio Project or just from visiting the threat actor’s blog (on a fully
patched and up-to-date Windows 10 + Chrome browser). Yikes!
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
— Richard Johnson (@richinseattle) January 26, 2021
OSINT / Recon
cloud-sniper/dagobah
An open source tool to automate the internal threat intelligence generation,
inventory collection and compliance check from different AWS resources.
A @TomNomNom Recon Tools Primer
Great overview by Daniel Miessler of
useful tools by Tom Hudson that follow the Unix
philosophy of doing one thing well. See my summary of Daniel’s Mechanizing the
Methodology talk for
more details on the power of this approach.
- gf - Easily grep for security-sensitive things
- httprobe - Given a list of domains, finds the ones listening on web ports
- unfurl - Easily break down URLs into discrete pieces (e.g. domain, path, URL parameters, etc.) for further processing
- meg - Quickly checks a list of interesting paths across a set of domains
- anew - Adds the contents of an input stream to the output, but only if it’s new
- waybackurls - Finds archived URLs for a domain
Misc
Fauci steps up to the podium
In slow motion, with some hyped up entrance music. I couldn’t help but laugh.
Fraud Is No Fun Without Friends
H/T Jon Oberheide for sending me this link.
Apparently the SEC has received 31% more tips alleging white-collar malfeasance
this year, potentially due to remote work removing the office culture glue that
might normalize bending the rules.
Separately, the article also makes the interesting argument that SEC rules that mandate more disclosure could have a positive impact on areas ranging from global warming and corporate diversity to political donations. I don’t have enough context to know if this is possible or a good idea, but it’s interesting.
If you want to stop global warming, you make fossil-fuel companies disclose much more about the risks of global warming, you sue coal and oil companies for being too blasé (in their securities disclosure!) about climate change, you make rules requiring banks and mutual funds to consider long-term climate risks in their investing and financing decisions…
I've reached 10K followers 🎉
— Scott Piper (@0xdabbad00) January 20, 2021
I can afford to lose some, so I finally gotta say it, some of you baby your cast iron too much. Seasoning doesn't matter. Just cook with more butter. I don't clean with soap, but I would or even an angle grinder if needed. It's made to take abuse.
I treat my cast iron like a t2.micro with no privileges I just spun up in an empty personal sandbox account: sudo pip install anything. You treat yours like a privileged EC2 in prod that hasn't been rebooted in years with no backups. :P
— Scott Piper (@0xdabbad00) January 20, 2021
I did not expect to see an InfoSec sea shanty from my friend Rachel Tobac, but I did, and it made my day 🤣
To reach the ~youth~ we're going to have to make infosec sea shanties, aren't we? Guess so!
— Rachel Tobac (@RachelTobac) January 22, 2021
Behold the tale of kid who reuses their passwords & ends up pwn'd, then learns how to stay safe. We're on a mission to encourage unique passwords stored in a password manager with MFA on. pic.twitter.com/QDL9cjUOiC
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler