
[tl;dr sec] #138 - Career Resources, Finding Secrets at Scale, Fuzzing

Finding cybersecurity jobs and adding value, secrets from front end web apps and Docker Hub, fuzzing VirtualBox, contributing to OSS-Fuzz, tool to improve fuzzing coverage.

Hey there,

I hope you’ve been doing well!

‘Tats by Thiel™

My bud Isaac Evans recently overheard the following, and it’s too good not to share.

Isaac was walking to meet some colleagues and me for happy hour, when he heard this exchange:

Girl: “I love Founders Fund. Peter Thiel paid for this tattoo.” (lifts up pants and points to ankle)

Guy: “Wait, really?”

Girl: “Well, I mean Founders Fund paid me, which paid for it.”

They were potentially on a date. Or at least, I like to think so 🤣

Also, I recently overheard a different guy telling the girl he was walking with:

“So yeah, I was finally able to fully open my heart chakra, and now I feel so much better.”

You know, just normal San Francisco stuff.

Sponsor

📢 Influence developer behavior and build security across the SDLC

The issue of making security accessible, easy, and natural for developers while improving security throughout the SDLC continues to be at the forefront of our conversations, from Eric Ellett’s talk at BSides SF around Embracing Risk Responsibly to Jim Manico’s upcoming keynote at LocoMocoSec on The History of Application Security.

Tromzo is tackling the issues of simplifying security at every step of application development by providing:

  • Centralized software asset visibility

  • Workflow automation to scale remediation across the SDLC

  • Security guardrails for policies and controls in CI/CD

  • Customizable dashboards for security accountability across engineering

📜 In this newsletter...

  • AppSec: Semgrep rules for Java entry points and security issues

  • Web Security: SVG SSRF cheatsheet, list of ways to get RCE on various apps

  • Career: Jason Haddix's guide to finding cybersecurity jobs, Dave Kennedy on the skills shortage in security, Wes Kao on how to add value

  • Secrets: Finding secrets leaked by web app frontends, CLI secret finding tool, looking for TLS private keys on Docker Hub

  • Cloud Cost Reduction: Tiny CLI tool to save costs in dev environments when you're asleep, 12-step guide to AWS cost optimization

  • Cloud Security: Resoto, escalating AWS privs with CloudTrail logs

  • Container Security: A Linux designed for Kubernetes, network monitoring and Zeek for threat detection in k8s

  • Fuzzing: How to fuzz VirtualBox network device drivers, lessons learned integrating 100+ open source projects with OSS-Fuzz, a new tool to improve fuzzing coverage

  • Politics / Privacy: (In a twist that should surprise exactly no one) US TikTok user data has been repeatedly accessed from China, what it means that the U.S. is conducting offensive cyber operations against Russia

  • Misc: RSAC labeled a super-spreader event, people not liking Jira, iOS 16 will support creating 3D floor plans using LiDAR, deep dive into spending $200,000 on biohacking

AppSec

elttam/semgrep-rules
Elttam’s Ben Cambourne shares Semgrep rules on Java entry points and security issues in Jackson, Spring Remoting, and Struts DMI. It’s always neat seeing more and more security consulting firms using Semgrep on engagements 🙂

Web Security

allanlw/svg-cheatsheet
By Woven Planet’s Allan Wirth: A cheatsheet for exploiting server-side SVG processors, which can potentially be vulnerable to SSRF, LFI, XSS, or RCE because of the rich feature set of SVG.

p0dalirius/Awesome-RCE-techniques
By Podalirius: A list of techniques to achieve Remote Code Execution on various apps, including CMS (Joomla, WordPress), LMS (Moodle), frameworks (JBoss, Tomcat), and others (Gitea, Jenkins).

Career

A hackers guide to FINDING cybersecurity jobs
Jason Haddix shares some tips on finding opportunities, including normal methods (Zip Recruiter, LinkedIn, Indeed), quarterly Reddit hiring threads, conference hiring boards, Marcus Carey’s Twitter hiring threads, and more.

Dave Kennedy’s thread on the “skills shortage” in security
Newcomers aren’t being given a chance to get started, as most jobs require a few years of experience. I think this overlaps a lot with the themes from Jackie Bow’s BSidesSF keynote.

Secrets

Millions Of Secrets Exposed Via Web Application Frontend
RedHunt Labs’ Pinaki describes a study they did scanning the Alexa Top 1M and 500M using a tool (HTTPLoot) that looks for secrets in HTML and client-side JavaScript, and can automatically crawl a site, fill out forms, and try to trigger error/debug pages, which can often leak secrets as well.

They found ~1.2M secrets: Stripe, reCAPTCHA, Google Cloud, AWS, Google OAuth, Facebook, and more.

GitGuardian/ggshield
CLI tool by GitGuardian that can detect more than 300 types of secrets, though it’s unclear how “open source” it is, as it uses their public API to scan and detect potential secrets. I need to review the source more to know what it’s doing where.

I’m not sure when ggshield was open sourced, but similar to how businesses compete on prices and features, I wonder if the choice to open source ggshield was in part a response to Truffle Security open sourcing their TruffleHog v3. Maybe it already was, I’m not sure of the timelines, but competitive pressure to open source tools is a neat idea to me.

How to: Look for TLS private keys on Docker Hub
Detectify’s Alfred Berg describes using the Docker API to examine environment variables and commands used to create Docker images to look for secrets. Note that if you add a file and then remove it in a later step, it can still be recovered, similar to with git.

Alfred found 1,551 certificates in certificate transparency logs on crt.sh that had a matching private key on Docker Hub, and 671 unique AWS access keys. He also uploaded two Docker images with canary AWS keys; neither has been used in a month. Most secrets were uploaded from individual developers’ accounts, not the company’s official Docker Hub account.
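To make the two points above concrete (secrets sit in the image config and build history, and a file removed in a later layer is still present in the earlier layer), here is an added Python example. It is written for this issue, not code from Detectify’s post or from Docker; the image config, the layers and the key material are all constructed in the script, the AWS key id is AWS’s documented example value, and the whiteout handling follows the OCI layer convention of a `.wh.<name>` entry standing in for a deletion.

```python
import io
import re
import tarfile

# Patterns for two of the secret kinds the post reports: the AWS access key id
# format, and a PEM private key header.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed image config in the shape `docker image inspect` / the registry
# returns (trimmed). The key id is AWS's documented example value, not a live key.
SAMPLE_CONFIG = {
    "config": {"Env": ["PATH=/usr/bin", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) COPY server.key /app/server.key"},
        {"created_by": "/bin/sh -c rm /app/server.key"},
    ],
}


def build_layer(files):
    """Pack {path: bytes} into an uncompressed tar, the way an image layer is stored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layers: layer 0 copies a (fake) key in, layer 1 is what `rm` produces,
# an OCI whiteout entry named .wh.<file> rather than a physical deletion.
SAMPLE_LAYERS = [
    build_layer({
        "app/main.py": b"print('hello')\n",
        "app/server.key": b"-----BEGIN RSA PRIVATE KEY-----\n"
                          b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                          b"-----END RSA PRIVATE KEY-----\n",
    }),
    build_layer({"app/.wh.server.key": b""}),
]

WHITEOUT = ".wh."


def apply_layers(layers):
    """Merge layers into the final filesystem view a running container sees."""
    fs = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            for member in tf.getmembers():
                directory, _, name = member.name.rpartition("/")
                if name.startswith(WHITEOUT):
                    target = name[len(WHITEOUT):]
                    fs.pop(f"{directory}/{target}" if directory else target, None)
                elif member.isfile():
                    fs[member.name] = tf.extractfile(member).read()
    return fs


def scan_layers(layers):
    """Scan every layer on its own: a file deleted later still lives in the earlier layer."""
    findings = []
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            for member in tf.getmembers():
                if not member.isfile():
                    continue
                text = tf.extractfile(member).read().decode("utf-8", errors="replace")
                for kind, pat in SECRET_PATTERNS.items():
                    if pat.search(text):
                        findings.append({"layer": idx, "path": member.name, "kind": kind})
    return findings


def scan_image_config(config):
    """Scan ENV values and the build commands recorded in the image history."""
    findings = []
    sources = [("env", e) for e in config.get("config", {}).get("Env", [])]
    sources += [(f"history[{i}]", h.get("created_by", ""))
                for i, h in enumerate(config.get("history", []))]
    for where, text in sources:
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(text):
                findings.append({"where": where, "kind": kind, "text": text})
    return findings


if __name__ == "__main__":
    print("final filesystem:", sorted(apply_layers(SAMPLE_LAYERS)))
    print("per-layer findings:", scan_layers(SAMPLE_LAYERS))
    print("config findings:", scan_image_config(SAMPLE_CONFIG))
```

Run as a script it shows the merged filesystem without `app/server.key` while `scan_layers` still reports the key in layer 0, which is why an image audit has to walk every layer blob (and the config’s `Env` and `history`) rather than the container’s final filesystem. Against a real registry you would fetch the manifest, config and layer blobs over the Docker Registry API and feed them to the same functions.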

Cloud Cost Reduction

aramalipoor/aws-cost-saver
A tiny CLI tool to help save costs in development environments when you’re asleep and don’t need them, by Aram Alipoor.

A 12-step guide to AWS cost optimisation
Using this approach, FreeAgent has already cut their AWS spend by 50%, and they estimate they can save another 30% a year by implementing further efficiencies.

Cloud Security

  • 🔍 Search Infrastructure: Resoto maps out your cloud infrastructure in a graph and provides a simple search syntax.

  • 📊 Generate Reports: Keeps track of and reports infrastructure changes over time, making it easy to audit resource usage and cleanup.

  • 🤖 Automate Tasks: Tedious tasks like rule enforcement, resource tagging, and cleanup can be automated using jobs.

Using CloudTrail to Pivot to AWS Accounts
If you’re doing a cloud pen test and you have low privilege AWS creds, Bishop Fox’s Gerben Kleijn describes how you can escalate privileges by examining CloudTrail AssumeRole events to learn other AWS accounts you can pivot to.
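The defender’s counterpart to the technique above is to read the same CloudTrail records and inventory which accounts trust which, alerting when an AssumeRole crosses into or out of an account you do not recognise. The Python below is an added example written for this issue, not code from Bishop Fox’s post; the field names (`eventSource`, `eventName`, `userIdentity.accountId`, `requestParameters.roleArn`, `recipientAccountId`) are the real CloudTrail ones, while the records, account ids and the `KNOWN_ACCOUNTS` allowlist are constructed.

```python
# Accounts this organisation owns or has approved for cross-account access
# (constructed placeholder account ids, not real accounts).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail records using the real field names of STS events.
SAMPLE_RECORDS = [
    {   # expected: CI in account 1111... deploys into account 2222...
        "eventTime": "2022-06-20T10:00:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/ci-deployer"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy",
                              "roleSessionName": "ci"},
        "recipientAccountId": "111111111111",
    },
    {   # unexpected: a low-privilege user reaching into an account nobody approved
        "eventTime": "2022-06-20T10:05:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/intern"},
        "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/ReadOnly",
                              "roleSessionName": "x"},
        "recipientAccountId": "111111111111",
    },
    {   # same-account role switch: not cross-account, so not reported
        "eventTime": "2022-06-20T10:06:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/admin"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin",
                              "roleSessionName": "a"},
        "recipientAccountId": "111111111111",
    },
    {   # unrelated API call, skipped
        "eventTime": "2022-06-20T10:07:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/admin"},
        "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
        "recipientAccountId": "111111111111",
    },
]


def account_from_arn(arn):
    """ARNs are arn:partition:service:region:account-id:resource; field 4 is the account."""
    return arn.split(":")[4]


def cross_account_assumptions(records):
    """AssumeRole calls whose target role lives in a different account than the caller."""
    out = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole":
            continue
        role_arn = r.get("requestParameters", {}).get("roleArn", "")
        if not role_arn:
            continue
        identity = r.get("userIdentity", {})
        caller = identity.get("accountId") or r.get("recipientAccountId")
        target = account_from_arn(role_arn)
        if caller != target:
            out.append({"time": r.get("eventTime"), "caller_arn": identity.get("arn"),
                        "caller_account": caller, "target_account": target,
                        "role_arn": role_arn})
    return out


def trust_edges(records):
    """The cross-account trust relationships actually exercised in the logs."""
    return {(f["caller_account"], f["target_account"]) for f in cross_account_assumptions(records)}


def unknown_account_alerts(records, known=KNOWN_ACCOUNTS):
    """Cross-account assumptions touching an account outside the allowlist."""
    return [f for f in cross_account_assumptions(records)
            if f["caller_account"] not in known or f["target_account"] not in known]


if __name__ == "__main__":
    for edge in sorted(trust_edges(SAMPLE_RECORDS)):
        print("trust edge:", edge)
    for alert in unknown_account_alerts(SAMPLE_RECORDS):
        print("ALERT:", alert["caller_arn"], "->", alert["role_arn"])
```

The edges from `trust_edges` are the map an attacker would build from the same logs, so reviewing them periodically (and pruning roles whose trust policies allow principals that never legitimately use them) shrinks the pivot surface; the allowlist alert is the cheap detection for a session reaching an account that should never appear.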

Container Security

Talos Linux
By Sidero Labs: Linux designed for Kubernetes – secure, immutable, and minimal. Supports cloud platforms, bare metal, and virtualization platforms, and all system management is done via an API: no SSH, shell or console.

Network Monitoring and Zeek for Threat Detection in Kubernetes
4-part blog series by Corelight on how to use network monitoring and open source Zeek for threat detection in Kubernetes environments. This lets you generate security-centric data from network traffic to complement visibility from container agents and audit logs. Also: using sidecars to sniff and tunnel traffic, a real-world example of detecting malicious traffic between containers, and more.

Sponsor

📢 AppOmni's SaaS Security Checklist outlines the 7 key components of SaaS security

Whether you’re creating a new SaaS security program or want to improve, AppOmni's SaaS Security Checklist can help. It outlines 7 key components of SaaS security, including configuration management and always-on monitoring, based on AppOmni’s experience working with hundreds of security teams.

Fuzzing

Introduction to VirtualBox security research
Doyensec’s Norbert Szetei introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers.

Fuzzing 100+ open source projects with OSS-Fuzz
ADA Logics’s David Korczynski and Adam Korczynski describe their lessons learned in integrating >100 open source projects into Google’s OSS-Fuzz, which resulted in more than 2,000 issues being reported, 1,300 of which are verified and fixed, 559 of those being security-relevant bugs.

Introducing Fuzz Introspector, an OpenSSF Tool to Improve Fuzzing Coverage
By Google’s Oliver Chang and Navid Emamdoost and ADA Logics’s David Korczynski and Adam Korczynski. Initial release of Fuzz Introspector, a tool to identify fuzzing coverage blockers. It currently supports C/C++ projects and provides for each project:

  • a detailed overview of all functions in the project, including their coverage, reachability and complexity;

  • a statically extracted call-tree overview overlaid with runtime coverage information for each fuzz target, along with a blocker table to pinpoint roadblocks for each fuzz target;

  • a list of suggested optimal fuzz targets that can be added to increase coverage.

Politics / Privacy

US TikTok User Data Has Been Repeatedly Accessed From China, Leaked Audio Shows
In addition to the data accessed, what about being able to control the algorithm that influences what people see? What sort of influence could this have over Americans’ commercial, cultural, or political behavior? Quite a lot, I imagine.

“I feel like with these tools, there’s some backdoor to access user data in almost all of them,” said an external auditor hired to help TikTok close off Chinese access to sensitive information, like Americans’ birthdays and phone numbers.

What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia
Gen. Paul Nakasone’s remarks this month about offensive operations against Russia caused a stir. Kim Zetter goes into what that means.

Misc

According to one very informal Twitter poll with 820 votes at the time of writing, 20.6 percent of attendees said they caught the coronavirus at RSAC, while 39.5 percent said they escaped COVID-free. However, 39.9 percent said they were unsure, for whatever that means.

ifuckinghatejira.com
“Real opinions from real people about a project management system which unfortunately is also real.”

iOS 16 ‘RoomPlan’ API creates 3D floor plans using LiDAR
iOS 16 contains a new API that uses LiDAR to allow you to quickly scan a room and create 3D floor plans. Sounds neat.

I’m 32 and spent $200k on biohacking. Became calmer, thinner, extroverted, healthier & happier.
However deep you think the author is going to go based on the title… he goes deeper. tl;dr sec is explicitly not endorsing anything in this post, but it is interesting to read what someone thinks who has spent an inordinate amount of time on this.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint