• tl;dr sec
  • Posts
  • [tl;dr sec] #103 - Cloud Security Guardrails, Lateral Movement in GitHub Orgs, AWS Memes

[tl;dr sec] #103 - Cloud Security Guardrails, Lateral Movement in GitHub Orgs, AWS Memes

Setting up strong AWS security guardrails, tool to explore lateral movement and privilege escalation in GitHub orgs, dank AWS memes from Corey Quinn.

Author

Clint Gibler
September 29, 2021

Hey there,

I hope you’ve been doing well!

Some Things Never Change

Beyond this charming song from Frozen 2, “some things never change” rung true for me this past weekend.

On Saturday I went in to San Francisco (I moved to East Bay before the pandemic) to catch up with some friends. When I was waiting in line at Tartine’s for some lemon meringue cake, I heard commotion around the corner.

There was a crowd of people chanting and marching down the street, some carrying a giant paper mache pig’s head, and at least one person wearing a shirt that read, “My food doesn’t scream.” Yes, an animal rights protest.

On Sunday, a different friend texted me a picture of a few men standing in a circle wearing masks. Well, not the type of mask you’re thinking of. Their outfits were leather masks, chains, and a not a whole lot of other clothing.

Yes, it was Folsom Street Fair, which, if you haven’t already heard of, as a responsible friend, I must politely discourage you from researching while at work.

The pandemic may have hit SF hard, but it’s still got it 😂

Sponsor

🤔 Finding web vulns that are actually interesting to fix?

For Detectify users, this happens all the time. They have access to automated hacker payloads that find undocumented security vulnerabilities, OWASP Top 10, common misconfigurations (CORS, encryption, S3 buckets etc) and things you didn’t even think were possible.

Detectify puts hacker knowledge into the hands of engineers to secure their web apps and end users. What will they find on your website?

📜 In this newsletter...

  • AppSec: Easily search for CVEs, markets DGAF about cybersecurity, security vendor overview

  • Mobile Security: Getting malicious apps on the App Store, new Android static analysis tool

  • Cloud Security: Getting persistence on Lambdas, building strong AWS security guardrails, thread of excellent AWS memes

  • Container Security: A modular Kubernetes lab, multi-purpose Docker scanning and monitoring tool

  • Supply Chain: GitOops: Bloodhound but for CI/CD pipelines, distroless builds are now SLSA 2

  • Blue Team: Tackling email spoofing and phishing with DMARC, DKIM, and SPF

  • Politics / Privacy: iOS privacy settings you should use, Chinese phones are about as secure as you'd expect, how Putin's bodyguards operate, NSA and CIA use ad blockers, the CIA's secret war plans against WikiLeaks

  • OSINT: Crawl the graph of certificate Alternate Names, tool to crawl a set of domains for endpoints, secrets, and more

  • Screen Writing: How to get your TV show on the air, writing advice from the creators of South Park

  • Misc: How open source powers modern filmmaking, learn how to pronounce words in other languages

AppSec

Un4gi/fave
By Tony West: Uses the NIST CVE database search API to search for vulnerabilities and exposures while filtering based on age, keywords, and other parameters.

Markets DGAF About Cybersecurity
Kelly Shortridge summarizes two WEIS 2021 papers that essentially argue:

  1. Trade secrets being stolen in a breach don’t affect a company’s stock price.

  2. The reputational damage of announcing a breach generally doesn’t affect a stock’s price for more than a few days.

AppSec Map
Nice overview of vendors in a bunch of verticals: SAST, DAST, pen testing, WAF, RASP, bug bounty, and more.

Mobile Security

How malware gets into the App Store and why Apple can’t stop that
After dropping three 0-days in frustration due to Apple’s responsible disclosure process, Denis Tokarev shows how easy it is to evade Apple’s App review (static and dynamic analysis), including source code on how this can be done. To be fair, fully analyzing and/or exercising app behavior is an incredibly difficult to impossible problem.

Open-sourcing Mariana Trench: Analyzing Android and Java app security in depth
Facebook’s Dominik Gabi announces Mariana Trench, a Java static analysis focused on finding security vulnerabilities in Android apps.

Cloud Security

Revisiting Lambda Persistence
Given RCE on a Lambda, Nick Frichette describes how to effectively persist your access, building on Palo Alto Networks’ Yuval Avrahami’s research. In short, execution environments can be reused across Lambda invocations, so if you can modify that, you can intercept additional invocations that come in, stealing cookies, JWTs, secrets, etc.

How To Build Strong Security Guardrails in the AWS Cloud With Minimal Effort
Lacework’s Mark Nunnikhoven walks through the process of prioritizing and building simple guardrails to help you and your team avoid misconfigurations and other common security pitfalls in AWS.

I like the flow of continuous monitoring, CloudWatch event -> Lambda to gather context -> Slack message to educate the user and/or prompt them to confirm they intended to take the action.

Corey Quinn’s thread dump of AWS memes
This epic thread was all I hoped for and more. Here are a few of my favorites. Also, this 30sec GIF is can’t-hold-in-the-laughter funny: Always remember that AWS is a True Friend to Open Source.

Container Security

Introducing k8s-lab-plz: A modular Kubernetes Lab
A modular Kubernetes lab that provides an easy and streamlined way to deploy a test cluster (on minikube or baremetal), by Marco Lancini. Already supports: Vault, ELK, Prometheus, Grafana, Kafka, and Cartography.

eliasgranderubio/dagda
By Elías Grande: “Find known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images/containers and to monitor the Docker daemon and running Docker containers for detecting anomalous activities.”

Loads CVEs and other known vulnerabilities, uses ClamAV as an antivirus engine, OWASP Dependency Check and Retire.js for analyzing dependencies, uses Sysdig Falco for monitoring Docker container behavior.

Supply Chain

ovotech/gitoops
By Alexandre Kaskasoli: GitOops helps you identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls. Gather info -> put it in a graph DB -> query attack paths. Like Bloodhound but for your CI/CD pipeline. Blog post 

Distroless Builds Are Now SLSA 2
A few months ago Google started signing all distroless images with cosign, allowing users to verify that they have the correct image before starting the build process. Now. each distroless image also has an associated signed provenance that includes info about how each image was built, what command was run, and what build system was used. The Tekton Pipelines associated with distroless were improved as well.

Blue Team

Tackling Email Spoofing and Phishing
Cloudflare’s Hannes Gerhart provides a nice overview of how DMARC, DKIM, and SPF can be used to protect against email spoofing and phishing. Cloudflare has also released an Email Security DNS Wizard that aims to make configuring them easy.

Politics / Privacy

The iOS 15 Privacy Settings You Should Change Right Now
Block email trackers, see what apps are accessing (e.g. photos, camera, microphone, contacts), hide your IP address, Private Relay (a VPN-like service), and more.

Analysis Of Products Made By Huawei, Xiaomi And Oneplus
The Lithuanian National Cyber Security Centre released a 32 page report of their findings analyzing several Chinese phones. They were all totally secure and had no privacy concerns 🤣🤣

  • A built-in Data module collects data about apps used and sends them to Xiaomi servers.

  • Xiaomi system apps regularly download a list of content to censor.

  • … and more! Expecting any form of privacy on a device by one of these companies is ludicrous.

How Putin’s bodyguards operate
Fascinating. How they prepare a location before Putin makes a public appearance, the background required to be one of his bodyguards, the equipment they use, and the several rings of guards, all with different purposes.

The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous
Their concerns are a) ads being used to serve malware and b) how the advertising process and data brokers can leverage the ecosystem to gather info on devices and by extension people, sometimes including their location.

Kidnapping, assassination and a London shoot-out: Inside the CIA’s secret war plans against WikiLeaks
This article is WILD! (Also, TIL Yahoo News still exists) After Wikileaks released Vault 7, a collection of the CIA’s hacking tools, the CIA was slightly displeased. Like, CIA director Mike Pompeo talking with Trump about kidnapping or killing Assange displeased.

And when the agency picked up intel that Russia might be preparing to sneak Assange out of the UK to Moscow, the CIA and White House began preparing for a number of scenarios, including:

…potential gun battles with Kremlin operatives on the streets of London, crashing a car into a Russian diplomatic vehicle transporting Assange and then grabbing him, and shooting out the tires of a Russian plane carrying Assange before it could take off for Moscow.

The intrigue over a potential Assange escape set off a wild scramble among rival spy services in London. American, British and Russian agencies, among others, stationed undercover operatives around the Ecuadorian Embassy. “It was beyond comical,” said the former senior official. “It got to the point where every human being in a three-block radius was working for one of the intelligence services — whether they were street sweepers or police officers or security guards.”

OSINT

lanrat/certgraph
By Ian Foster: An open source intelligence tool to crawl the graph of certificate Alternate Names. It was designed to be used for host name enumeration via SSL certificates, but it can also show you a “chain” of trust between domains and the certificates re-used between them.

edoardottt/cariddi
By @edoardottt: Take a list of domains, crawl urls and scan for endpoints, secrets, API keys, file extensions, tokens and more.

Screen Writing

How to get your TV show on the air
Sara Schaefer outlines the roughly million steps it takes to get your show picked up. Wow.

Writing Advice from Matt Stone & Trey Parker @ NYU
You should be able to connect every beat in your outline with either “therefore” or “but” - this shows causation or conflict. If “and then” is more fitting, then you have a series of unconnected events, which is not satisfying or engaging.

Misc

How open source software powers modern filmmaking
Apparently there are a number of open source formats, libraries, and tools that are popular in the screen industry.

Forvo: All the words in the world. Pronounced.
Learn how to pronounce words in other languages, as pronounced and uploaded by native speakers. The database currently contains ~6 million words in 430+ languages.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint