
[tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot, Democratizing Security Detection

How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection and response team.

Hey there,

I hope you’ve been doing well!

Undefeated

Like seemingly most people who attended BSidesSF and/or RSA, I’ve come down with a bit of a cold. Fortunately, it hasn’t been that bad and I’ve tested negative for COVID.

Random shower thought: as long as you’re still alive, your body has had a 100% success rate at defeating every single virus and bacteria that’s tried to attack you.

That’s impressive. Meanwhile, we’re all impressed at computer systems that have 5 9’s of reliability.

Fifth tl;dr sec Sponsor Acquired

DJ Khaled voice: Another one!

Randori, an attack surface management (ASM) and offensive cyber security provider, was acquired by IBM for an undisclosed amount. Congrats!

Hadestown

If you’re like me, you’re probably subscribed to this newsletter because you like musicals.

If you live in the Bay Area, consider checking out Hadestown at BroadwaySF, which won eight 2019 Tony Awards, including Best Musical.

HADESTOWN intertwines two mythic tales — that of young dreamers Orpheus and Eurydice, and that of King Hades and his wife Persephone — as it invites you on a hell-raising journey to the underworld and back.

Here’s the original cast performing “Wait For Me”, guaranteed to get you turnt up, and “All I’ve Ever Known” to make you melt a bit. *Subtly wipes away a solitary, manly hacker tear*

Sponsor

📢 The Top Five Myths in API Security

Think your WAF and API gateways have you protected from API attacks? Think your APIs are protected by your Cloud provider? It's time to take another look. As many organizations experience API security incidents, security leaders are learning traditional approaches and assumptions do not protect against the new forms of attacks. The Top 5 Myths in API Security white paper from Salt Security helps you understand what might be putting your critical data at risk.

📜 In this newsletter...

  • Mobile Security: Awesome iOS security, mobile forensic and network traffic analysis platform

  • Database Security: Making JDB attacks brilliant again, Apache Pinot SQLi and RCE cheat sheet

  • Cryptography: Remote timing attacks on constant-time crypto code + a new vuln logo

  • Cloud Security: Cloud Security Engineer book, some unintuitive aspects of SCPs, AWS threat simulation and detection, securing cloud services against squatting attacks, the philosophy of prevention

  • CI/CD: CDK construct to create ephemeral self-hosted GitHub runners in your AWS account

  • Supply Chain: How SUSE is preparing for SLSA L4, examining malicious Terraform modules and providers, NPM domain checker, how GitHub uses Dependabot

  • Blue Team: Democratizing security detection

  • Red Team: Time travel debugging IDA plugin

  • Politics / Privacy: Bluetooth signals can be fingerprinted to track smartphones

  • Misc: Watercolor basics, pizza order rap, what should you do with your options during a downturn?, sheet music encryption, spicy takes on Gartner's Magic Quadrant for Application Performance Monitoring and Observability, revenue-valuation multiples for 3 Israeli start-ups

Mobile Security

Cy-clon3/awesome-ios-security
A collection of awesome tools, books, courses, blog posts, and cool stuff about iOS application security and penetration testing, by @Cyclon3.

PiRogue tool suite
By Esther: An open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting Android and iOS, IoT devices that are connected to mobile apps, and in general any device using WiFi to connect to the Internet.

Database Security

Make JDBC Attacks Brilliant Again II
@pyn3rd gave a “Make JDBC Attacks Brilliant Again” talk at HITB Singapore 2021 (slides). This blog post goes into PostgreSQL and demonstrates popping calculators left and right.

Apache Pinot SQLi & RCE Cheat Sheet
Doyensec’s Ben Caller shows how a classic SQL injection bug in an API backed by Apache Pinot (an Apache database platform) can be escalated to Remote Code Execution, and then discusses post-exploitation.

Pinot trusts anyone who can query the database to also execute code on the Server, as root 😲. This “feature” (gaping security hole) is enabled by default in all released versions of Apache Pinot.

Cryptography

Hertzbleed Attack
Riccardo Paccagnella, Yingchen Wang et al describe a way to mount remote timing attacks on constant-time cryptographic code running on modern x86 processors by targeting dynamic frequency scaling.

Cloud Security

The CloudSec Engineer
I’m a big fan of Marco Lancini and his newsletter, CloudSecList, so I’m excited to see that he’s writing a book about how to enter cloud security, establish yourself, and thrive in the cloud security industry as an individual contributor. Sign up on this site for free samples and updates.

A Deep Dive into Temporal’s Access Control Strategy in AWS
Temporal’s Brandon Sherman describes how they were trying to secure their cloud environment via segmented AWS accounts, and how the behavior of Service Control Policies was unintuitive.

sbasu7241/AWS-Threat-Simulation-and-Detection
A walkthrough of using Datadog’s Stratus Red Team in an AWS account, monitoring using CloudTrail and CloudWatch and ingesting those logs into SumoLogic for further analysis.

Securing Cloud Services against Squatting Attacks
Penn State’s Eric Pauley and Patrick McDaniel discuss cloud squatting attacks (for example, when IP addresses are reused across tenants), the impact, and potential solutions. In their research, they received real-time location data, PII (virtually anything on a driver’s license or government document), and web tracking data and browsing history from different organizations.

The Philosophy of Prevention
Chris Farris shares some great examples of the real world challenges in trying to prevent or auto-remediate cloud security issues.

Prevention via Service Control Policy must be limited to security invariants, but even then, prevention is limited by the granularity of IAM Actions and the availability of the necessary Condition keys.

Auto-remediation only works to fix high security and low operational risk misconfigurations and only where a simple and operationally safe action can be taken.

Every requirement of a security team on the business is like a tax. It slows things down and makes us less competitive. If you can’t articulate the risk, you don’t understand the risk, and if you don’t understand the risk, you’re engaging in security theater and taxing the business for no real gain.

Except in a few small pockets of the organization, cloud security never moved beyond a basic vulnerability management function. Where a pocket did move beyond a VM function, it was the teams that moved to auto-remediation and GuardRails, not CloudSec.
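As an added illustration of the “security invariants” point above (this is not from Chris Farris’ post), here is the shape of an SCP that only denies things no workload should ever need: tampering with CloudTrail and operating outside approved regions. The granularity problem shows up in two places: global services have to be carved out of the region deny wholesale because no finer condition key exists, and the CloudTrail protection needs a break-glass exception for an assumed `SecurityAdmin` role, since there is no condition key for “is a legitimate change”. The region list and role name are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
```

Anything that cannot be stated as a Deny on a specific action plus an available condition key (most “is this bucket configured sensibly” questions) falls outside what SCPs can prevent and has to be handled by detection or auto-remediation instead.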

CI/CD

CloudSnorkel/cdk-github-runners
By CloudSnorkel’s Amir Szekely: Use this CDK construct to create ephemeral self-hosted GitHub runners on-demand inside your AWS account. Supports CodeBuild, Fargate and Lambda.

Supply Chain

SLSA: Securing the Software Supply Chain
SUSE’s Marcus Meissner and Jana Jaeger provide a detailed breakdown of how SUSE is preparing for SLSA L4 compliance.

Terraform as part of the software supply chain, Part 1 - Modules and Providers
Part one of a three-part series by GitLab’s Joern Schneeweisz examining the supply chain aspects of Terraform, discussing malicious Terraform modules and providers and recommendations on securing the process of running Terraform against modules and providers gone rogue.

firefart/npmdomainchecker
By Christian Mehlmauer: Checks every maintainer from every package in the NPM registry for unregistered domains or unregistered MX records on those domains. If a domain is unregistered, you can grab the domain and initiate a password reset on the account if it has no 2-factor auth enabled.

How we use Dependabot to secure GitHub
A two-part story by Phil Turnbull about how GitHub’s Product Security Engineering team rolled out Dependabot internally to track vulnerable dependencies, and how GitHub tracks and prioritizes technical debt. This is an excellent post about effectively rolling out any security tooling at a company and integrating into existing engineering orgs and processes, great read.

We use a number of guiding principles when evaluating tools and designing a rollout plan. For example, Does the security benefit of this new process outweigh the impact on engineering teams? How do we roll this out incrementally and gather feedback? What are our expectations for engineers, and how do we clearly communicate these expectations?

We aimed to answer, clearly and succinctly, the most important questions in our communications: What are we doing? Why are we doing this? When are we doing this? Lastly, what do I need to do?

Sponsor

📢 Access and Security Trade-Offs for DevSecOps Teams

How to stay secure while your team ships at scale. This tech paper by Teleport looks at recent advancements in access technologies available to reduce the tension between engineering and DevSecOps teams.

Blue Team

Democratizing Security Detection
Palantir shares their learnings on scaling their detection program through democratization of security alerts and provides actionable detection strategies that should be considered in most environments. They have a team of <10 responsible for monitoring, alert triage, and incident response for over 3,000 employees and contractors. Tons of great detail and examples in this post.

Red Team

airbus-cert/ttddbg
An IDA plugin that adds a new debugger which supports loading Time Travel Debugging traces generated using WinDBG Preview. By Airbus CERT’s Sylvain Peyrefitte, Simon Garrelou, and Arioch.

Politics / Privacy

Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones
UC San Diego researchers found (paper) that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals). The trick is imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a “unique physical-layer fingerprint.”

Misc

tombetthauser/watercolor-basics
Basic tips for developing an open-ended everyday watercolor practice.

The Greatest Pizza Order Ever
An amusing pizza order rap.

What Should You Do With Your Options During a Downturn?
Compound’s Adam Keesling provides some useful perspective on how to think about whether you should exercise your options, walks through several example scenarios, and covers the actions you could or might want to take. See also Stock Options 101.

Kenn White on Sheet Music Encryption
“What a wild story. Soviet-era dissidents & exiled jewish expats were able to smuggle information in & out of country thanks to U.S. saxophonist Merryl Goldberg, who came up with an ingenious encryption scheme using sheet music.” More details in the thread by Kenn White.

Israel’s most overvalued cybersecurity startups exposed
Using previously undisclosed figures, The Information has calculated the revenue-valuation multiples for several companies.

  • Wiz: Multiple of 150 on revenue

  • Axonius: Multiple of 87 on revenue

  • Snyk: Multiple of 85 on revenue

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏


Thanks for reading!

Cheers,

Clint