Hey there,
I hope you’ve been doing well!
No tl;dr sec next week 🦃
I’m taking a week off. I hope you eat some good food and enjoy time with loved ones!
And please don’t publish too much great security work next week, so I can relax 😅
Burning Man: The Musical
There are few things in life that give me as much joy as finding something new that is #PeakBayArea.
Like a vegan butcher shop in Berkeley, or goat yoga.
So you can imagine my delight when I discovered that a musical was made about burners vs the nouveau riche technocrats coming in to privatize Burning Man. Which was… created by a Google employee.
I saw a local showing last Saturday, and I’ve got to say: I thought it was excellent!
The writing was funny, the acting was good (legit people from Broadway!), and there were plenty of inside baseball tech jokes. It also has some quite catchy songs: one about a Stanford grad wanting to pitch his autonomous vehicle start-up to investors, one about praying to the demo gods, one welcoming you to the polyamory camp, and more.
When times get me down,
When I’m about to drown,
I look at the wall, to the tech gods
You can check it out for free on Amazon Prime, or other streaming sites.
Awesome work, Matt Werner and team!
Sponsor
📢 Randori discovers CVE-2021-3064, 0-Day in Palo Alto Networks
A CVSS 9.8 Critical vulnerability has been discovered and disclosed by Randori’s Attack Team that affects Palo Alto Networks (PAN) firewalls using the GlobalProtect Portal VPN (CVE-2021-3064). The vulnerability allows for unauthenticated remote code execution on vulnerable installations of the product, and should be treated seriously given the real world impact.
Join Randori on Dec. 14 for a webinar where we will go into a deep dive about the Palo Alto vulnerability as well as answer questions about disclosure.
Sign up
📜 In this newsletter...
- AppSec: How to avoid leaking your customer's source code with GitHub apps, tools to clone many GitHub repos, from what to how in cybersecurity
- Cloud Security: No need for IAM users when we have Yubikeys, don't use AWS CloudFormation, AfterPay's Cloud Cover IAM tool
- Container Security: Scanning millions of Docker containers, new entry level Kubernetes cert, detection engineering for k8s clusters
- Fuzzing: Network fuzzing with incremental snapshots, fuzzing DRAM to discover rowhammer vulns
- Supply Chain: SupplyChainSecurityCon recordings, GitHub App to enforce Developer Certificate of Origin, collection of supply chain resources
- Blue Team: Practical security recommendations for start-ups with limited budgets, CISA's incident and vulnerability response playbooks
- SSH: Harden your SSH config, tool to audit an SSH server or client, and an example SSH config file with modern defaults
- Red Team: Living Off Trusted Sites
- Misc: Estimating legal costs from a data breach, useful skills to learn as a web developer, see when a word was first used in print
AppSec
How to avoid leaking your customer’s source code with GitHub apps
Roadie’s Brian Fletcher describes six ways to authenticate with GitHub APIs, when each is appropriate for frontend vs backend code, and some potentially dangerous subtleties. Brian also outlines a vulnerability they found and reported in a handful of major SaaS products, which would have allowed them to access other GitHub organizations.

gabrie30/ghorg
By Jay Gabriels: Quickly clone all of an org’s or user’s repositories into one directory. Supports GitHub, GitLab, Bitbucket, and more.
See also all-repos by Anthony Sottile, which makes it easy to clone all your repositories and apply sweeping changes.
From What to How in Cybersecurity: Self Care, Culture, and Strategy
Great BSidesRDU 2021 keynote by former Netflix VP of Security Jason Chan on self care, security being an infinite game, making strategic bets, and more. I highly recommend watching, it’s now on my (evergrowing 😅) list of talks to summarize.
Also check out Laksh Raghavan’s thoughts on it here:
…from John May’s blogpost “… we are betting on developing easy-to-use, secure-by-default design patterns for our engineers to use versus putting resources into extensive security reviews.”
Dissolve, don’t solve!
With the right engineering investments made in “secure building blocks”, everyone can go fast! Security and velocity don’t have to be zero-sum games.
Instead of “solving” for better SLAs for security reviews, they dissolved the problem. Keeps your developers focused on building great products rather than worrying about security!
Cloud Security
aidansteele/cloudkey
“No need for IAM users when we have Yubikeys.” Tool by Aidan Steele that uses the “card authentication” slot on a Yubikey to store a TLS certificate and private key. See Aidan’s thread on why there’s no need for AWS IAM users today.
Do not use AWS CloudFormation
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
Well, That Escalated Quickly
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
See also:
- Netflix: ConsoleMe: A Central Control Plane for AWS Permissions and Access
- FollowAnalytics: Achieving least-privilege with Repokid, Aardvark and ConsoleMe
- Segment: Secure access to 100 AWS accounts.
Container Security
Scanning Millions of Publicly Exposed Docker Containers
RedHunt Labs scanned over 6 million unique public repos on Docker Hub and found:
- 6/10 of the top base images were built more than a year ago. Thus, any vulnerability that got patched since then won’t be in the base image.
- The most common secret type was username/password to clone git repos.
- Top 5 exposures in Docker images: hard-coded secrets, copying sensitive config files to the Docker image, adding the entire git repo, including paid/proprietary software licenses, setting default credentials for apps.
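The five exposure types above are all visible in the Dockerfile before an image is ever built, so they are cheap to catch in CI. The following is an added example (not part of the RedHunt Labs post or any tool they released) of a small Dockerfile linter that flags each of them: secret-looking ENV/ARG names given a literal value, credentials embedded in a clone URL, `COPY .` of the whole build context, copying of sensitive files such as `.env` or SSH keys, and license key files baked into the image. The sample Dockerfile and the name patterns it matches on are constructed for this example.

```python
"""Flag the common Docker image exposures from the Docker Hub scan in a Dockerfile.
Added example; the Dockerfile below is constructed and deliberately bad."""
import re
import shlex

# Constructed Dockerfile exhibiting every exposure type (not a real image)
SAMPLE_DOCKERFILE = """\
FROM python:3.9
ENV DB_PASSWORD=changeme
ARG API_TOKEN=abc123
RUN git clone https://deploy:hunter2@github.example/org/app.git /app
COPY . /app
COPY config/.env /app/.env
ADD id_rsa /root/.ssh/id_rsa
COPY license.key /opt/app/license.key
"""

# Constructed clean counterpart: build args without defaults, explicit copies
CLEAN_DOCKERFILE = """\
FROM python:3.9-slim
ARG API_TOKEN
COPY requirements.txt /app/
COPY src/ /app/src/
"""

# Heuristic name/path patterns chosen for this example
SECRET_KEY_RE = re.compile(r"(PASS|PASSWD|PASSWORD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@", re.I)
SENSITIVE_FILE_RE = re.compile(r"(\.env\b|id_rsa|id_ed25519|\.pem\b|\.netrc|\.npmrc|credentials|\.git/?$)", re.I)
LICENSE_FILE_RE = re.compile(r"(licen[cs]e\.(key|lic|dat)|\.lic\b)", re.I)


def iter_instructions(text):
    """Yield (line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf = []


def parse_kv(args):
    """Parse ENV/ARG arguments: 'K=V K2=V2' or the legacy 'K V' form."""
    tokens = shlex.split(args)
    if tokens and "=" in tokens[0]:
        return [tuple(tok.partition("=")[::2]) for tok in tokens]
    key, _, value = args.partition(" ")
    return [(key, value.strip())]


def scan_dockerfile(text):
    """Return a list of (line_no, category, detail) findings."""
    findings = []
    for line_no, instr in iter_instructions(text):
        parts = instr.split(None, 1)
        if len(parts) < 2:
            continue
        op, args = parts[0].upper(), parts[1]
        if op in ("ENV", "ARG"):
            for key, value in parse_kv(args):
                # an ARG with no default is fine; a literal value is a baked-in secret
                if value and SECRET_KEY_RE.search(key):
                    findings.append((line_no, "hard-coded-secret", key))
        if URL_CRED_RE.search(args):
            findings.append((line_no, "credential-in-url", op))
        if op in ("COPY", "ADD"):
            # everything but the last argument is a source; skip --chown style flags
            sources = [a for a in args.split() if not a.startswith("--")][:-1]
            for src in sources:
                if src in (".", "./"):
                    findings.append((line_no, "whole-repo-copy", src))
                elif LICENSE_FILE_RE.search(src):
                    findings.append((line_no, "license-file", src))
                elif SENSITIVE_FILE_RE.search(src):
                    findings.append((line_no, "sensitive-file", src))
    return findings


if __name__ == "__main__":
    for line_no, category, detail in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {category} ({detail})")
```

A `COPY .` is only a problem when the build context contains things that should not ship (the `.git` directory, local config), so a real check would pair the whole-repo finding with a look at `.dockerignore`; that step is left out here to keep the example self-contained.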
Entry Level Kubernetes Certification to Help Advance Cloud Careers
New certification exam from CNCF and The Linux Foundation will test basic knowledge of Kubernetes and cloud native architectures.
Detection Engineering for Kubernetes clusters
NCC Group’s Ben Lister and Kane Ryans discuss the novel detection rules they have created around how privilege escalation is achieved within a Kubernetes cluster, to better enable security operations teams to monitor security-related events on Kubernetes clusters and defend them in real-world use.
The other concept that is useful when approaching detection engineering is “knowing where we can win”. This is the idea that for any given environment/system/technology there will be areas where defenders have a natural advantage. This may be because the logging is better, the attacker is forced into doing something, or there is a limited number of options for an attacker.

Fuzzing
Nyx-Net: Network Fuzzing with Incremental Snapshots
A fast full-VM snapshot fuzzer for complex network based targets, by Sergej Schumilo and Cornelius Aschermann. Nyx-Net can fuzz a wide range of targets spanning servers, clients, games, and even Firefox’s IPC interface. It’s built upon kAFL, Redqueen and Nyx. The source code has been released, academic paper with more details here, and see this fuzzer speed run Super Mario here.
BLACKSMITH: Scalable Rowhammering in the Frequency Domain
H/T Marcel Böhme: “Fuzzing DRAM to discover rowhammer vulns. Works on 100% of today’s PC-DDR4 devices they tested, even when the Target Row Refresh (TRR) mitigation was enabled.” IEEE S&P 2022 paper.
Supply Chain
SupplyChainSecurityCon - Talk Recordings Now Available
By the Continuous Delivery Foundation (CDF).
Talks covering SBOMs, digital signatures, SLSA, getting started with supply chain security, and more.
probot/dco
By Probot: A GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests, requiring all commit messages to contain the Signed-off-by line with an email address that matches the commit author.
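The check itself is simple enough to show end to end. Below is an added example (my own illustration, not probot/dco’s code) of the rule described above: every commit in a pull request must carry a `Signed-off-by: Name <email>` trailer whose email matches the commit author, and the PR fails if any commit does not. The commit records are constructed; comparing emails case-insensitively is a choice made for this example, not a claim about how the app behaves.

```python
"""Enforce a Developer Certificate of Origin sign-off on a set of commits.
Added example; commits below are constructed."""
import re

# Trailer format used by `git commit -s`: "Signed-off-by: Name <email>"
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>\s]+)>\s*$", re.MULTILINE
)

# Constructed commits as a CI job might receive them from the API
SAMPLE_COMMITS = [
    {"sha": "aaaa111", "author_email": "dev@example.com",
     "message": "Fix parser\n\nSigned-off-by: Dev One <dev@example.com>\n"},
    {"sha": "bbbb222", "author_email": "dev@example.com",
     "message": "Add tests\n"},
    {"sha": "cccc333", "author_email": "dev@example.com",
     "message": "Refactor\n\nSigned-off-by: Someone Else <other@example.com>\n"},
    {"sha": "dddd444", "author_email": "Dev@Example.com",
     "message": "Docs\n\nSigned-off-by: Dev One <dev@example.com>\n"
                "Signed-off-by: Reviewer <rev@example.com>\n"},
]


def signoff_emails(message):
    """Return the lower-cased emails from every Signed-off-by trailer."""
    return [m.group("email").lower() for m in SIGNOFF_RE.finditer(message)]


def check_dco(commit):
    """Return (ok, reason) for one commit. Multiple sign-offs are allowed as
    long as one of them belongs to the commit author."""
    emails = signoff_emails(commit["message"])
    if not emails:
        return False, "no Signed-off-by line"
    author = commit["author_email"].strip().lower()
    if author not in emails:
        return False, f"Signed-off-by {emails} does not match author {author}"
    return True, "ok"


def check_pull_request(commits):
    """Return [(sha, reason)] for every failing commit; empty means the PR passes."""
    failures = []
    for commit in commits:
        ok, reason = check_dco(commit)
        if not ok:
            failures.append((commit["sha"], reason))
    return failures


if __name__ == "__main__":
    for sha, reason in check_pull_request(SAMPLE_COMMITS):
        print(f"{sha}: {reason}")
```

The check is a policy control, not an authenticity one: anyone can type a matching trailer, so pair it with commit signature verification if the goal is provenance rather than attestation of the DCO.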
chughes757/SecureSoftwareSupplyChain
A consolidation of Secure Software Supply Chain resources, such as talks, whitepapers, conferences and more, by Chris Hughes.
Blue Team
Practical Security Recommendations for Start-ups with Limited Budgets
By Alex Chapman: use a password manager and 2FA, develop with modern frameworks, configure an edge security service, enable HTTP security headers, apply security patches, back up user data and source code, centralize all logging, have a bug bounty program, containerize services, and deploy canary tokens.
Cybersecurity Incident & Vulnerability Response Playbooks
By CISA. Includes an incident response (preparation) checklist in the appendices.

SSH
Simple SSH Security
Harm Aarts describes several quick steps to harden your SSH config: disable logging in via password, remove weak prime numbers, and allow only strong ciphers.
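Those three steps are easy to describe and easy to drift away from, so here is an added example (mine, not from Harm’s post) that audits them: it parses an `sshd_config`, flags password authentication, CBC or otherwise non-AEAD/CTR ciphers, and SHA-1 key exchange, and filters a `moduli` file down to the larger Diffie-Hellman groups. The sample config and moduli lines are constructed; the cipher allowlist and the 3071 size threshold are choices of this example that match common hardening guides (sizes recorded in `moduli` are one less than the nominal group size, so 3071 keeps 3072-bit groups and up).

```python
"""Audit sshd_config hardening and filter weak DH moduli.
Added example; inputs below are constructed, not real system files."""
import re

# Constructed sshd_config with weak settings left in on purpose
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
Ciphers aes128-cbc,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
"""

# Constructed hardened counterpart
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
"""

# Constructed /etc/ssh/moduli lines: time type tests tries size generator modulus
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20211101000000 2 6 100 1023 2 e9f1
20211101000000 2 6 100 2047 2 d4a2
20211101000000 2 6 100 3071 2 c3b3
20211101000000 2 6 100 4095 2 b2a4
"""

# Allowlist used by this example: AEAD and CTR modes only, no CBC/3DES/RC4
STRONG_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
}
SHA1_KEX_RE = re.compile(r"sha1(?!\d)", re.I)


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}. sshd honours the first occurrence of a
    keyword, so duplicates are ignored. Match blocks are not modelled here."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means all checks passed."""
    cfg = parse_sshd_config(text)
    findings = []
    # sshd defaults PasswordAuthentication to yes, so a missing line is a finding too
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password logins allowed")
    if "ciphers" in cfg:
        weak = [c for c in cfg["ciphers"].split(",") if c not in STRONG_CIPHERS]
        if weak:
            findings.append("weak ciphers enabled: " + ",".join(weak))
    if "kexalgorithms" in cfg:
        weak = [k for k in cfg["kexalgorithms"].split(",") if SHA1_KEX_RE.search(k)]
        if weak:
            findings.append("SHA-1 key exchange enabled: " + ",".join(weak))
    return findings


def filter_moduli(text, min_bits=3071):
    """Return (kept_lines, dropped_count), keeping only groups whose Size field
    (5th column) is at least min_bits. Comments are not counted either way."""
    kept, dropped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        if int(fields[4]) >= min_bits:
            kept.append(line)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    kept, dropped = filter_moduli(SAMPLE_MODULI)
    print(f"moduli: kept {len(kept)}, dropped {dropped}")
```

Run against real files by reading `/etc/ssh/sshd_config` and `/etc/ssh/moduli` into the two functions; the moduli step only matters if a `diffie-hellman-group-exchange-*` method is left in `KexAlgorithms`, since those are the methods that consult the file.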
jtesta/ssh-audit
An SSH server & client auditing tool: banner, key exchange, encryption, mac, compression, compatibility, security, etc., by Positron Security’s Joe Testa.
Hardening your client SSH config file
An example .ssh/config with modern sane defaults by Ben Montour.
Red Team
LOTS Project - Living Off Trusted Sites
By @mrd0x: Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This list of websites allows attackers to use their domain or subdomain.
Misc
How to estimate legal costs from a data breach
Interesting overview by Ryan McGeehan, based on 150 data breach settlements he reviewed. Areas: disclosure complexity, multiple litigators, litigation probability, discovery costs, settlement costs, trial costs, regulation, and indemnification. H/T Ryan Naraine.
Web Skills
A visual overview of useful skills to learn as a web developer, by Andreas Mehlsen.
Merriam-Webster: Time Traveler
See when a word was first used in print.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler