[tl;dr sec] #113 - Log4Shell, Security Metrics, Cloud Detections at Scale

Resources for the vuln that's keeping you away from your family, how to do security metrics effectively, how Netflix scales cloud detections using Snare.

Hey there,

I hope you’ve been doing well!

Starting a Family for the Right Reasons

I don’t have kids yet, but I’d like to at some point. Why?

  1. It’s the perfect opportunity to build your own hacking team from scratch.

  2. Blah blah watch them grow blah selflessness blah the future.

  3. You can do all sorts of experiments that likely wouldn’t be approved by a university’s Institutional Review Board (IRB).

Take László Polgár for example, who raised his three daughters to be chess prodigies.

I’m (mostly) kidding, I’ll be supportive of whatever makes my kids happy.

Last tl;dr sec of the year

I’m taking the next two weeks off of tl;dr sec, so you’ll have to wait until January for my snark and security links to once more travel the Internetz to reach your inbox. I know, so sad.

But, I have some really exciting things planned for next year that I can’t wait to share with you!

Could it be new, exclusive swag? In-depth articles? Hand-drawn art my 4th grade teacher gave a B- that I’m still bitter about? At least one of these is true.

By the way, is there anything you feel like tl;dr sec should be doing but isn’t? Feel free to respond directly and let me know. (Unless it’s about NFTs.)

Happy holidays! 🎄 I hope you have a chance to relax and spend quality time with loved ones.

Sponsor

📢 Bring the Security of Teleport to Your Windows Infrastructure

Big release from Teleport! Teleport 8 now supports Desktop Access, giving you passwordless access to your Windows servers and desktops.

Teleport is an open-source, identity-aware, multi-protocol access proxy with an integrated certificate authority. It provides easy access to your Linux and Windows servers, Kubernetes clusters, databases, and internal applications like CI/CD, version control, and monitoring dashboards across all environments.

📜 In this newsletter...

  • AppSec: The Boring AppSec Newsletter

  • Supply Chain: Easy container image signing in GitHub Actions, an overview of binary transparency

  • Web Security: Orange Tsai's HITCON 2021 CTF challenges

  • Security Metrics: Top 4 AppSec metrics and why they're hard to measure, how Twilio does security metrics

  • Cloud Security: AWS PCI DSS CloudQuery checks, achieving least privilege with AWS IAM, how Netflix does cloud detections at scale

  • Container Security: Falco 101 course

  • Privacy: Scripts to enforce privacy and security on macOS and Windows, how to use your phone's privacy tools, how to stop Verizon from collecting your private info, Signal's E2EE group video calls now support up to 40 participants

  • Misc: E2EE CLI tool to easily send files and folders across computers, integrating Emacs with Siri shortcuts

  • Log4Shell: Various useful links and resources. Are you OK? You've got dark circles under your eyes. You should get some rest tonight. You got this.

AppSec

The Boring AppSec Newsletter
I really like this newsletter by Razorpay’s Sandesh Anand. If you’re into AppSec, definitely check it out.

The goal is to take a step away from bright shiny objects (e.g.: new 0-day in system X) and talk about (almost) timeless topics in the field of application security (AppSec).

Supply Chain

Zero-friction “keyless signing” with Github Actions
By Chainguard’s Matt Moore. GitHub has integrated sigstore support for container image signing into the GitHub Actions starter workflow, so that developers can sign their container images by default. Companion GitHub blog post.

Binary Transparency: Building Trust in the Software Supply Chain
Great overview blog post on binary transparency: capture information about activity throughout the software production process, and create an immutable and tamper-evident record which can be viewed and verified by others. Concise descriptions about potential attacks and how they’re mitigated, with some intuitive diagrams. H/T Ryan Hurst.

Also, congrats to Chainguard for raising their $5M seed to tackle supply chain security!

Web Security

My-CTF-Web-Challenges/hitcon-ctf-2021
Orange Tsai has released the source code to the five HITCON 2021 CTF challenges he created.

Security Metrics

Like all metrics, the objective of measurement is to reduce uncertainty by analysing available data. Uncertainties such as:

1. Is our AppSec program getting better over time?

2. Are our investments in tools/people/processes yielding results (i.e. reduced risk posture)?

Security Metrics that Count
Twilio’s Harini Rangarajan and Yashvier Kosaraju describe how Twilio’s team is thinking about security metrics.

  • Jira is the source of truth of vulnerabilities and they created a vuln ticket template (business unit, vuln source and category). They do periodic data normalization using a Python script.

  • Normalized data feeds into a Google sheet that’s the data source for Google Data Studio, where they’ve created customized dashboards for different audiences (e.g. execs, team leads, ICs).

Lessons learned:

  • Metrics and visibility help drive change. “We saw teams actively take ownership of open vulnerabilities and fix them once they had seen our reports.”

  • Gamifying team activity to respond to the insights unveiled by their new security metrics helped create a healthy competition between Twilio teams, with teams competing to see who could fix the most vulnerabilities.

  • Adding new tools or data sources to the metrics dashboard can cause temporary spikes. Make it clear that security isn’t getting worse, you’re just gaining better visibility.

  • Security metrics should help identify trends of vulnerabilities present over a period of time. Are we fixing vulnerabilities faster than they are generated?

Cloud Security

Running AWS PCI DSS with CloudQuery Policies
CloudQuery policies give you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL. CloudQuery’s Yevgeny Pats describes their new AWS PCI DSS Policy, containing over 40 checks.

Achieving Least Privilege with AWS IAM
Anthony Barbieri shares a few tips and tricks on the authorization side of IAM. Topics: client side monitoring and CloudTrail, understanding which actions support resource restrictions, policy management, and leveraging conditions.

Snaring the Bad Folks
Netflix’s Alex Bainbridge, Michael Grima, and Nick Siow describe Snare, Netflix’s Detection, Enrichment, and Response platform for handling cloud security related findings. The post includes some interesting architecture and approach choices, including:

  • Some alerts can be auto remediated, others loop in the oncall to triage.

  • By making custom detections easy to write and tune (abstracting away plumbing), they were able to do more granular tuning and aggregation of findings, leading to an average of 73.5% reduction in false positives. This freed up time to focus on new detections and new features for Snare.

  • Integrating with Security Hub enabled them to receive all of the AWS Security findings in a normalized format and in a centralized location.

  • AWS Step Functions are used to implement DAG auto remediation logic.

Container Security

Falco 101
A free course on the runtime security tool Falco, covering its rules syntax, alerting, configuration, and more.

Privacy

Privacy.Sexy
Enforce privacy and security on Windows and macOS. Currently includes 125 scripts covering general privacy cleanup, configuring programs or your OS, and security improvements.

How to Use Your Phone’s Privacy-Protection Tools
Tips by The New York Times’s JD Biersdorfer, including how to: restrict access to your phone’s hardware and software (Settings -> Privacy), share approximate instead of precise location info, block targeted ads, limit tracking in your browser, and block tracking pixels in emails.

Verizon might be collecting information about your browsing history, location, apps, and your contacts, all in the name of helping the company “understand your interests,” first spotted by Input. The program, which Verizon appears to automatically opt customers into, is called Verizon Custom Experience and its controls lay buried in the privacy settings on the My Verizon app.

How to build large-scale end-to-end encrypted group video calls
Signal released end-to-end encrypted group calls a year ago, which they’ve now scaled from supporting 5 participants all the way to 40.

Misc

schollz/croc
By Zack Scholl: Easily and securely send files and folders from one computer to another. End-to-end encryption using PAKE, cross-platform (Windows, Linux, Mac), allows resuming interrupted transfers, and more.

Integrating Emacs with Siri Shortcuts
Dan Petrov demos how you can automate anything in the Apple ecosystem from the comfort of your favorite OS: GNU Emacs.

Log4Shell

I don’t normally write much about individual vulnerabilities in tl;dr sec, but I feel like I’d be negligent if I didn’t at least include a few relevant Log4Shell links I came across. Apologies in advance, I’m sure you’re tired of reading about it. I know I am.

christophetd/log4shell-vulnerable-app
A sample Spring Boot web application vulnerable to Log4Shell, by Christophe Tafani-Dereeper and Rayhan Ahmed.

Cybereason/Logout4Shell
Use the Log4Shell vulnerability to vaccinate a victim server against Log4Shell.

Log4Shell: Reconnaissance and post exploitation network detection
NCC Group provides Suricata network detection rules that can be used not only to detect exploitation attempts, but also indications of successful exploitation. In addition, a list of indicators of compromise (IOCs) is provided.

Daniel Miessler’s newsletter this week nicely ties together many resources, mitigations, and analysis.

Detailed Reddit thread on Log4Shell being curated and updated by NCC Group.

This Twitter thread consolidates a bunch of links, including the best list of vulnerable software and vulnerable services, detections (jarhashes, Semgrep, YARA, Burp Suite, Nmap, etc.), and more.

Thinkst Canary describes their Log4Shell token.

A Semgrep rule by Kurt Boberg and Lewis Ardern to flag potentially vulnerable code locations. One thing particularly cool about this is that they actually iterated on and published this within hours of Log4Shell starting to be discussed.

Blog post overview by r2c.

10 fact vs fiction points by Rob Fuller, with these nice overview diagrams:

log4jmemes.com
For when you don’t know whether to laugh or cry.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint