[tl;dr sec] #125 - Hacking a Billionaire, Automating Incident Response in AWS, Exploiting/Hardening GitHub Actions

Hey there,

I hope you’ve been doing well!

A Taxing Season

Alright, I’m going to rant for a second, apologies.

Every tax season I get quite frustrated. I don’t mind paying taxes, the government does a lot of important things, like public education and ensuring most food doesn’t poison you.

What frustrates me is how complicated it is.

It’s like a freshman undergrad who has only done Matlab before was tasked to write a system in Perl, and then now everyone has to use it.

Clean encapsulation? LOL, this API returns UTF-7 unstructured text in a single blob, and every rand(100) calls returns a slap in the face.

Tech, for all of its (many) flaws, does so much better at abstractions. You can search all of the world’s information in a fraction of a second, from a device that fits in your pocket, using only your voice.

Proposal: all lawmakers and companies benefitting from tax code complexity from here on out can’t use DNS, they have to use direct IPs. And type out each HTTP request by hand. And manually chunk those HTTP requests into sizes that fit into TCP packets, correctly numbering each packet.

Then maybe they’d feel what it’s like when you push accidental complexity onto users 😤 

🔥 Semgrep Community Meetup Next Wednesday

Want to hear about the latest and greatest in Semgrep?

Then come check out our community meetup next week.

Agenda:

• I’ll be speaking about some current trends in security.

• Community members will share cool things they’ve been doing with Semgrep.

• We’ll share some new features - capturing developer feedback and advanced analysis features like taint mode.

• A preview of Semgrep’s upcoming roadmap.

Check out the Eventbrite here.

Hope to see you there!

Conferences

RVAsec 2022
A Richmond, VA-based security conference whose CFP is open until March 31st. If you have an idea in mind, feel free to email [email protected] for feedback.

Supply Chain

4 supply chain risks in Terraform and how to prevent them with Checkov
By Barak Schoster.

1. Leaking secrets using Terraform HTTP data blocks

2. Arbitrary code execution using a Terraform external data source

3. Not using immutable modules

4. Using old versions of misconfigured modules

AppSec

Reading RFCs for bug bounty hunters
Great post by EdOverflow.

• Check out the “Security Considerations” section.

• Review outdated RFCs (“Obsoleted by:” link).

• Use Rfcdiff to diff outdated RFCs.

• Review “Errata” for potential implementation mistakes.

GitHub

How we found vulnerabilities in GitHub Actions CI/CD pipelines
Cycode’s Alex Ilgayev describes vulnerable patterns in GitHub Actions that can lead to an attacker being able to steal secrets, inject code, etc., as well as mitigations. The post has some great details on exploiting these weaknesses in practice.

For more on how/why these vulnerabilities occur and how to find them, see Grayson Hardaway’s blog post here, which also includes a demo repo to practice on and open source Semgrep rules to find these issues in your GitHub Actions.

Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards
Jamie Tanna walks through setting up the OpenSSF’s Scorecard GitHub Action and the common GitHub repo settings and GitHub Action security issues you may see it raise.

Mobile Security

Hardening Signal
Short guide on settings and practices to harden your use of Signal, which is in my opinion the best privacy-focused messaging app.

Applying Zero Trust Principles to Enterprise Mobility
~20 page PDF by CISA on mobile security tools and technologies in relation to Zero Trust principles.

Web Security

d4rckh/vaf
A cross-platform web fuzzer written in Nim by @d4rckh. Custom wordlists, fuzz any part of the URL as well as POST data, and more.

cyprosecurity/API-SecurityEmpire
Infosec mind maps by Momen Eldawakhly and Lucas Lundgren covering recon on APIs, attacking RESTful and SOAP APIs, and attacking GraphQL.

Cloud Security

awslabs/aws-automated-incident-response-and-forensics
A framework that aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper.

Tag an EC2 instance with a SecurityIncidentStatus value of Analyze, and a Lambda will trigger that automatically starts isolation and memory/disk acquisition, and ends with giving the instance a no INBOUND/OUTBOUND security group and with an IAM role that disallows all access.

Centrally Managed Identity for AWS
Carta’s Uttej Badwane describes how they migrated from a handful of legacy AWS accounts to moving them under a newly created master AWS account which was configured to use AWS SSO <=> Okta for identity, with SCIM configured. “The main objective was to handle the traditional IAM identity for multiple accounts with time based access for console & CLI.”

If you haven’t heard of SCIM, it’s basically a way to keep users in sync between your identity provider and many other systems (vs manually onboarding/offboarding/updating). Pretty cool.

Container Security

NSA, CISA release Kubernetes Hardening Guidance
Updated ~66 page technical report on recommendations to harden Kubernetes systems.

Blue Team

claroty/arya
By Claroty: Given a YARA rule, Arya can generate pseudo-malicious files meant to trigger it. Useful for testing your detection sensors such as AV or EDR.

The Mitten Mac: Tools
Several neat macOS tools by Jamf’s Jaron Bradley:

• TrueTree: an incident response tool for building a pstree like output on macOS.

• ESFPlayground: a tool that lets you print out the events of the Apple Endpoint Security Framework as they happen in real time.

SansShell: A Non-Interactive Local Host Agent
Snowflake’s Aaron Joyner, Jon Allie, and James Chacon announce the release of SansShell, a way to define complex server management actions in code and selectively expose those actions to remote clients. Each action is subject to an authorization policy that can limit access based on the caller, the type of action, and the content of the request

Network Security

ancat/egrets
A proof of concept tool that uses eBPF, raw sockets, and kprobes to monitor egress traffic, by @ancat.

Misc

It Was Easy to Hack a Billionaire
SocialProof Security’s Rachel Tobac successfully socially engineers and phishes Jeffrey Katzenberg, co-founder and former CEO of Dreamworks Animation. For the technical details on the hack, see Evan Tobac’s thread. Jeffrey was… not pleased 🤣 

Meet Avenue Q’s Puppet Wrangler
Some interesting behind the scenes. Man, what a good musical.

Merlin Bird ID
Mobile app to help you identify thousands of birds based on appearance or their song.

OEC Tradle
Guess a country based on their exports.

These are Netflix’s Most Popular Shows (According to Netflix)

• TV shows account for ~75% of viewing.

• TV shows tend to stay in the top 10 a lot longer than movies.

• The average Netflix hit disappears after two weeks or less.

• Less than one-quarter of all shows stay in the top 10 for more than four weeks.

Why We Listen to Music With Lyrics We Don’t Understand

My version of another quote from the post:

Are advertisers going to infiltrate our dreams?
Major brands like Coors, Microsoft and Burger King are researching how they can have you dream of their products. Cool, that seems like something they should be allowed to do. With so many smart devices in homes these days, it’s possible that sounds or messages could be played to you in your sleep without you even knowing it. It’s unclear how effective these approaches would be in practice though.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint