
[tl;dr sec] #126 - How to Review Your Company's Infrastructure, Kubernetes DFIR, Security for Start-ups

How to review the security architecture of a multi-cloud environment and find the most critical components, responding to incidents in k8s, advice for start-ups without a security team.

Hey there,

I hope you’ve been doing well!

David Attenborough on InfoSec

I reflect sometimes about InfoSec culture and the security community.

There’s definitely some cynicism and nihilism, but honestly a whole lot of support, friendliness, and positivity too.

There are a few things however that I think deserve to be skewered a bit, like naming mediocre vulnerabilities and giving them a web page, and Twitter hot takes.

This David Attenborough-esque bit on the latter by Matthew Bryant, narrated by FiveErr’s Tim Wells, is absolutely excellent.

As the initial waves of a newly-public security incident begin to ripple, a group of infosec Twitter personalities quickly begins to take notice.

Sponsor

📢 Compliance that doesn’t SOC 2 much

Let’s be honest, getting SOC 2 compliant can be a long and arduous process. But, guess what? With the right automated platform, the compliance process can actually be fast and easy. Vanta automates up to 90% of the work involved – easing the pain associated with SOC 2. Vanta put together a step by step SOC 2 compliance checklist that breaks down the process and gives you a digestible view of the road ahead.

We actually use Vanta at my day job, and we're pretty happy with it 👍

📜 In this newsletter...

  • Security for Start-ups: Advice for start-ups without a security team, GSuite security checklist for small businesses

  • AppSec: Tool to find CVE PoCs on GitHub, writing custom dev-focused Golang Semgrep rules

  • Supply Chain: Applying SLSA requirements to your GitHub Actions workflow using Sigstore, ransomware targeting Jupyter notebooks

  • Program Analysis: Coverage-based Python code fuzzer, Rust model checker

  • Cloud Security: Tool to understand and fix AWS AccessDenied errors, fantastic AWS hacks and where to find them, what to look for when reviewing a company's cloud infra

  • Container Security: Kubernetes DFIR guide

  • Red Team: Tool to decrypt Jenkins encrypted strings

  • Politics / Privacy: Why big nations lose small wars

  • Misc: Building Python projects as a single binary, a language syntax-aware diff tool, FTC sues Intuit for deceptive TurboTax ads, AI song lyric generator, use Markdown in Google docs, so you want to be a darknet drug lord

  • Humor: It's up to you to change history

  • Phone a Friend: Call one of your friends and meet up with them in person this week

Security for Startups

Early Security for Startups
Figma’s Devdatta Akhawe provides some opinionated advice for early-stage startups without a security team: how to think about security risk, product security, and compliance. The core risks to try to mitigate:

  1. Ransomware

  2. Cloud misconfiguration/leak

  3. Credential compromise via phishing, password reuse, etc.

Security checklist for small businesses
Quick tips from a Google Workspace Admin Help page on protecting accounts and settings you can enable if you use Gmail, Calendar, Drive, or Docs.

AppSec

trickest/find-gh-poc
Tool to find CVE PoCs on GitHub, by Trickest.

11 Semgrep Rules for Go Web Projects
Brian St. Pierre shows how easy it is to write custom Semgrep rules to enforce a number of code correctness, quality, and consistency properties as well as flag copy-paste errors. Tools that can support both engineering and security goals: very nice 👌

Supply Chain

Secure your software supply chain using Sigstore and GitHub actions
Marco Franssen describes how to apply SLSA requirements to your GitHub Actions workflow. The post describes using Sigstore to sign and attest Docker images, using syft to create an SBOM, and generating and attesting build provenance for the image using slsa-provenance-action.

Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks
By Aqua Security’s Assaf Morag. tl;dr: don’t expose unauthenticated Jupyter notebooks to the Internet; an attacker can easily use one to open a shell.

Program Analysis

Rog3rSm1th/Frelatage
A coverage-based fuzzing library for Python code that aims to take advantage of the best features of other fuzzers, like AFL/AFL++ and Google’s Atheris, by @Rog3rSm1th. Also supports differential fuzzing.

The Kani Rust Verifier
A Rust verification tool based on model checking. Ensure that broad classes of problems are absent from your Rust code by writing proof harnesses, which are broadly similar to tests (especially property tests). Useful for verifying unsafe Rust code, finding panics in safe Rust, and checking user-defined assertions.

Cloud Security

Access Undenied on AWS
Ermetic’s Noam Dahan describes a cool new tool, Access Undenied, which parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable least privilege fixes. See Noam’s fwd:cloudsec talk on it here and Twitter thread here.

Fantastic AWS Hacks and Where to Find Them
Slides by Datadog’s Christophe Tafani-Dereeper on getting started in AWS security, and how companies are getting hacked on AWS. Illustrated by Ashton Rodenhiser, mindmap here. Totally not confusingly, there was a BSidesSF 2020 talk with the same name.

What to look for when reviewing a company’s infrastructure
Excellent guide by Marco Lancini on a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components. How to get up to speed in a new environment (or company) and find the biggest security risks, where to start, what questions you should ask yourself, and more. Here’s a spreadsheet with the questions you should ask.

If this stuff is your jam, I encourage you to check out Marco’s excellent cloud and container security newsletter CloudSecList.

Container Security

Digital Forensics Basics: A Practical Guide for Kubernetes DFIR
Sysdig’s Alberto Pellitteri describes how to do Digital Forensics and Incident Response on Kubernetes: isolating affected systems, imaging affected pods, extracting relevant data, and cleaning up your systems. H/T Mark Manning for sharing.

Red Team

thesubtlety/go-decrypt-jenkins
A simple tool by @thesubtlety to decrypt Jenkins encrypted strings: it handles newer and older Jenkins password formats, decrypts files encrypted in SecretBytes tags, dumps user password hashes and tokens, and more.

Sponsor

📢 Securing Containers and Cloud for Dummies

Trying to Make Sense of Cloud and Container Security?

To develop and operate securely in the cloud requires addressing blind spots across multi-cloud infrastructure. Read this comprehensive eBook to help demystify complex cloud topics to secure your cloud and containers.

Politics / Privacy

Why Big Nations Lose Small Wars: The Politics of Asymmetric Conflict
26-page whitepaper by Andrew Mack that references a number of historical conflicts.

Misc

Tiamat
A tool to simplify the process of building Python projects as a single frozen binary.

Wilfred/difftastic
A diff tool by Wilfred Hughes that understands programming language syntax. Supports >20 languages.

FTC Sues Intuit for Its Deceptive TurboTax “free” Filing Campaign
Commission seeks an immediate halt to Intuit’s deceptive ads for “free” products. My response:

These Lyrics Do Not Exist
Choose a song topic, genre, and mood, and it uses AI to generate lyrics.

Google Workspace Updates: Compose with Markdown in Google Docs on web
Huzzah! “In Google Docs, you can now select “Automatically detect Markdown” from Tools > Preferences to enable auto correcting for Markdown syntax.” Who says big companies can’t innovate!? This was only released… 16 years after Docs’ initial release. I wonder if someone who was born after Google Docs was released has made a snarky TikTok about this.

So, you want to be a darknet drug lord…
Pastebin write-up covering legal/political concerns, technical, and OPSEC.

You’ve decided that you’re bored with your cookie-cutter life of working at a no-name startup, getting paid in stock options and empty promises. You want a taste of the good life. Good for you, kid. I used to run a fairly popular hidden service (DOXBIN) that was seized by the FBI after 3 1/2 years of spreading continuous butthurt, then subsequently repossessed from the feds. Because I managed to not get raided, I’m one of the few qualified to instruct others on hidden services and security, simply because I have more real-world experience operating hidden services than the average tor user.

Humor

Phone a Friend

Overall I’d say I’m an introvert, though I can play an extrovert on TV (and streaming platforms, coughNetflixcough).

It can be easy to focus on work or side projects, and forget how energizing it is to spend time with friends.

But last weekend I hung out with my good bud Daniel Miessler (author of the excellent Unsupervised Learning newsletter), and it was awesome. And then I caught up with Rachel and Evan Tobac, with whom I always spend at least 70% of the time laughing.

Send one of your friends a text or email today and find a time to meet up in person. They’ll be happy to hear from you, and you’ll be glad you did.

P.S. Apparently the exploit Evan used in the “how to hack a billionaire” video is one he found on tl;dr sec, which is pretty cool 😎

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint