[tl;dr sec] #131 - Compromising Read-Only Containers, Finding 0days in Enterprise Software, Evading Industry Leading EDR

Hey there,

I hope you’ve been doing well!

Upcoming Speaking

I’ve very excited to be speaking at a few events over the next few months. Feel free to come say hi! I’ll be carrying bountiful stickers to share 😀

First, I’m giving a workshop at BSidesSF on June 4th on Finding Bugs and Scaling Your Security Program with Semgrep. Unfortunately I think it’s already sold out, but I’m seeing if I can get more space.

My colleagues Colleen and Grayson are also speaking at BSidesSF on The power of guardrails: How to slash your risk of XSS in half on some really cool research we did on actually measuring quantitatively, in practice what many of us intuitively believe: that secure defaults / secure “guardrails” / “paved road” practices are very high leverage security team pursuits.

Second, I’m speaking at LocoMocoSec on June 29th on a methodology for embracing and rolling out secure guardrails in your company to kill bug classes.

I’ve gotten a sign from the universe that these are all going to be good.

How do I know? I was walking around Lake Merritt recently, wearing one of my BSidesSF t-shirts, and a random guy I passed started freestyle rapping about it, “Yo check it, it’s the- the- B-B-B-BSides, BSides, …” True story 🤣

Conferences

fwd:cloudsec CFP
fwd:cloudsec is probably the best cloud security conference, well worth submitting and/or attending. Round One closes April 22nd, Round 2 closes May 22nd.

Diana Initiative: CFP
The Diana Initiative is a great con that emphasizes having a diverse speaker line-up. First round closes April 25th, second round closes May 30th. They’re also hosting a CTF. H/T Nicole Schwartz.

DEF CON Skytalks CFP
Closes May 31, rolling acceptances starting the first week of May.

Cryptography

I love conference roundups!

Themes from Real World Crypto 2022
Trail of Bits’s William Woodruff summarizes several talks and their key takeaways. Major themes:

1. Trusted hardware isn’t so trustworthy

2. Security tooling is still too difficult to use

3. Side channels everywhere

4. LANGSEC in cryptographic contexts

Real World Cryptography Conference 2022
NCC Group’s Marie-Sarah Lacharite et al share summaries of 9 RWC talks. One that seems particularly interesting to me is “An Evaluation of the Risks of Client-Side Scanning.” As more systems begin using end-to-end encryption, the law enforcement community is concerned about their lack of visibility. How can we balance privacy/not backdooring everything with catching criminals?

Java Decompilers

Useful if you don’t have Java source code, only the .jar. You can also do Android .apk -> dex2jar -> Java decompiler to examine Android apps.

• cfr

• JD / JD-GUI

• procyon

AppSec

atsign-foundation/sshnoports
By The @ Company: A way to SSH to a remote Linux host/device without that device having any open ports (not even 22) on external interfaces. All network connectivity is outbound and you don’t need to know the target’s IP address.

Finding 0days in Enterprise Software
Slides from Assetnote’s Shubham Shah’s NahamCon talk. Nice walkthrough of taking apart proprietary software, auditing complex code bases, mapping attack surface, chaining vulnerabilities, finding variants, and more.

Web Security

silentsignal/SemGWT
Extracting GWT RPC method information from generated JavaScript using Semgrep, by Silent Signal.

Cloud Security

CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
A walkthrough by Rhino Security Labs of the new vulnerable_lambda scenario in the CloudGoat pentest training tool.

How to control access to AWS resources based on AWS account, OU, or organization
New IAM condition keys to make it simpler to control access across org boundaries: aws:ResourceOrgID, aws:ResourceOrgPaths, and aws:ResourceAccount.

Implementing Cloud Governance as a Code using Cloud Custodian
InfraCloud’s Alok Maurya describes how to use Cloud Custodian auto-detect and remediate noncompliant resources. For example, deleting old EBS snapshots, stopping EC2 instances that aren’t running approved AMIs, changing any allowing of ALL on port 22 to just the VPN IP, and a few Kubernetes-related examples.

Container Security

doitintl/kube-no-trouble
Easily check your Kubernetes clusters for use of deprecated APIs, by DoiT International.

Compromising Read-Only Containers with Fileless Malware
Sysdig’s Nicholas Lang describes how to attack a container with a read-only root filesystem, and gives an example of attacking an in-memory data store (Redis) with fileless malware that executes in-memory.

Basically the trick is to use shm / tmpfs which lets you create a mounted file system that uses virtual memory instead of a persistent storage device. You can download your malware or shellcode to tmpfs and then execute it from there.

Politics / Privacy

DODC/turncoat
A tool for or enumerating Telegram Bot secret messages.

Mental Health Apps | Privacy & security guide
Mozilla did a study and found mental health apps have worse privacy protections than most other types of apps. Prayer apps also had poor privacy standards, the team found. Overview of the findings by The Verge.

Google now lets you request the removal of personal contact information from search results
You can now request the removal of personal contact information, such as a phone number, email address or physical address. Prior to this expansion, the policy mainly covered information that would let other people steal your identity or money, such as banking and credit card details.

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document

Inside Industry 100 - the on-loan CTO
NCC Group’s Ollie Whitehouse shares his experiences on i100, a program that brings industry staff into NCSC teams on a part-time basis to enhance collaboration between UK government and industry on cyber security. I think public/private partnerships for the purpose of keeping everyone safer is great.

I had the privilege of working with Ollie for a few years at NCC Group, and we’ve hung out a few times in person. He’s one of the sharpest security professionals I’ve ever met, and I highly recommend checking out anything he’s involved with. Also, if you want a weekly APT/malware-focused detailed summary, check out his Blue Purple newsletter.

Red Team

pwn1sher/frostbyte
By Sudheer Varma: A POC project that combines different defense evasion techniques to build better red team payloads. “The idea is to embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed like how the Zloader malware did.”

A blueprint for evading industry leading endpoint protection in 2022
Vincent Van Mieghem shares 12 techniques that can allow you to execute malicious shellcode without getting flagged by industry leading EDR tools, like CrowdStrike and Microsoft Defender for Endpoint.

Misc

ByteChek is moving to a 4-day work week!
ByteChek’s AJ Yawn describes how by focusing on deep work and removing distractions, he’s found ByteChek can both be a better place to work for employees and more productive.

The codes of comic books
Technically a “comic” is a set of pictures in sequence that tells a story. This virtual “exhibit” by Google Arts & Culture walks through the history of comics, going back to 1842. Learn about the origin of why comic book pages are divided into boxes and more.

Redactle
A daily browser game where the user tries to determine the subject of a random obfuscated Wikipedia article, chosen from Wikipedia’s 10,000 Vital Articles. H/T Maya Kaczorowski.

The Complete Guide to Warding Off Junk Mail
How to stop receiving the junk mail you probably don’t care about: redit card, loan, mortgage and insurance junk mail, catalogs, coupons and marketing offers, etc.

Impossible Physics: Meet NASA’s Design for a Warp Drive Ship
“A number of scientists are currently researching the feasibility of warp drive (and EMdrive and a number of other modes of faster than light travel); however, most think that such forms of space travel simply aren’t viable, thanks to the fundamental physics of our universe.” Here’s a model of a ship that moves faster than light by deforming spacetime around it:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint