[tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner

Hey there,

I hope you’ve been doing well!

MacGyver Ain’t Got Nothin On Me

I had a totally different intro written and ready to go, when one of my worst fears happened…

When you do a weekly newsletter, and once you start accepting sponsors, there are certain things you start worrying about.

One thing I’ve been a bit paranoid about is that some random personal or world happening, or random chain of events occurs, that leads to me not being able to send out tl;dr sec on time.

Like if I were to get COVID-19, or a zombie apocalypse were to break out.

Yesterday, around 9:30pm, I was carrying my plate to the microwave to heat up some leftovers when I was plunged into blackness. My power had gone out. Likely due to the rain today (good job, California infrastructure).

Since I send out tl;dr sec Thursday mornings, pretty much every Wednesday I’m frantically finishing it until 10pm or 11pm.

So right now the newsletter isn’t done, and I have no power.

As I’m writing this, I’m sitting in the dark, lit only by my laptop screen and a flashing emergency light outside.

OK, how can I finish this?

• My laptop doesn’t have WiFi, because the router needs power and I have no power.

• I have a phone with cellular data, but my phone is old and the battery only lasts a few minutes when it’s not plugged in. I’m about to buy a new one but I haven’t yet.

So, I’ve plugged my phone into the laptop to charge it, and I’m using my phone to create a WiFi hotspot… that my laptop is using, like some Rube Goldberg-ian newsletter finisher of desperation.

If you receive this newsletter and see the Twitter thread at the right time, it’s because this monstrosity worked.

If you don’t, it’s because I’m dead. Or I still don’t have power.

Conference recordings

Some great conference talk recordings have dropped!

fwd:cloudsec 2021
The premier cloud security conference, by Scott Piper et al.

Objective by the Sea, v4.0
The world’s only macOS security conference, by Patrick Wardle et al.

Web Security

Cloud Metadata Dictionary useful for SSRF Testing
Useful cheatsheet from Jason Haddix.

How to speed up Burp Suite’s Turbo Intruder
Useful for finding race conditions, brute forcing passwords, or other attacks in which you need to send many requests in a short amount of time.

A Visualization of the OWASP Top 10 Over Time
A pretty neat time lapse of things that have entered, left, and changed rankings in the OWASP Top 10 over the years, by GitLab’s Wayne Haber.

Cloud Security

Designing Least Privilege AWS IAM Policies for People
LaunchDarkly’s Alex Smolen discusses how to deploy reduced privilege IAM roles without breaking user workflows. Includes a nice overview of prior work on automatic IAM policy generation from logs.

Eating the Cloud from Outside In
By Shawn Wang: “AWS is playing Chess. Cloudflare is playing Go.”

Hacking AWS end-to-end - remastered
Talk by Daniel Grzelak that Scott Piper described as:

Container Security

Remotely Access your Kubernetes Lab with Cloudflare Tunnel
In April Cloudflare announced Auditable Terminal, which gives you a fully features SSH client in your browser: you authenticate using Cloudflare Access, and can log into a computer - and get a terminal - just using a browser. In this post, Marco Lancini describes how to access your Kubernetes cluster using this approach.

Cloudflare Tunnel

Kubernetes YAML Generator
Create and customize a Kubernetes YAML config via a web UI that has useful explanatory text around various options.

Introducing Snowcat: World’s First Dedicated Security Scanner for Istio
Praetorian’s Anthony Weems, Dallas Kaman, and Michael Weber discuss Snowcat, which can obtain information about an Istio deployment and report on misconfigurations or deviations from best practices. Snowcat can be ran against static config info or from inside an Istio workload container.

Cryptography

A Graduate Course in Applied Cryptography
Free book by Stanford professor Dan Boneh and NYU professor Victor Shoup covering secret and public key cryptography, protocols, and more.

Real-World Cryptography
A practical guide to cryptography by my friend David Wong, including:

• Best practices for using cryptography

• Diagrams and explanations of cryptographic algorithms

• Identifying and fixing bad practices

• Choosing the right cryptographic tool for any problem

Blue Team

1Password’s new feature lets you safely share passwords using just a link
Psst! lets you share creds with anyone, even if they don’t have a 1Password account, by generating an expiring link that’ll give them temporary access.

Fuzzing

An Intro to Fuzzing (AKA Fuzz Testing)
Nice intro and overview by Bishop Fox’s Matt Keeley covering types of fuzzers, how fuzzing works, popular tools and their pros/cons, writing a good test harness, etc.

See also Google’s thoughts on what makes a good fuzz target.

The Challenges of Fuzzing 5G Protocols
NCC Group’s Mark Tedman and Philip Shaw discuss fuzzing 5G protocols (NGAP, GTPU, PFCP, & DIAMETER) using both proprietary and open source fuzzers (Fuzzowski, Frizzer, AFLNet). Nice overview of the trade-offs of different approaches and tooling.

SiliFuzz: Fuzzing CPUs by proxy
By Google’s Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan, and Peter Hochschild.

Network Security

ddosify/ddosify
A high-performance load testing tool written in Golang, by Dddosify.

Politics / Privacy

VPN + Tor: Not Necessarily a Net Gain
Matt Traudt nicely walks through, depending on your threat model, the relative privacy value of using a VPN, Tor, or both. Hint: more is not better.

Trust-Busting as the Unsexy Answer to Google and Facebook
With some interesting context about the history of monopolies and antitrust outside of tech.

Facebook Restricts Staff Message Boards to Stop Leaks; Memo Gets Leaked
Facebook plans to limit access to groups related to platform safety and protecting elections to only people working in integrity-related groups. Checks former Facebook motto:

Commerce Tightens Export Controls on Items Used in Surveillance of Private Citizens and other Malicious Cyber Activities
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”

Image Processing

remove.bg
Automatically remove backgrounds from any image for free.

redact.photo
Free and private image redaction in your browser, by Rik Schennink.

Misc

The State Of Web Scraping in 2021
Great overview of language agnostic and language-specific tools, as well as commercial offerings, by Mihai Avram.

58 infosec acronyms for 2021 explained
Useful short definitions if you’re new to the field across networking, security, and compliance, by Krit’s Andrew Askins. H/T Mike Privette.

Midomi
Find music by singing or humming a few bars of it, powered by SoundHound.

Opiates and Social Media Are Symptoms, Not Causes
This post by Daniel Miessler resonated with me, in which he argues that addiction, social media, and other recent societal malaise is at least as much, if not more, a result of lack of meaning in people’s lives.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint