
[tl;dr sec] #140 - AppSec, Building AWS Security Guardrails, Linux eBPF Rootkit

Security at start-ups and SAST program building, preventing classes of cloud vulnerabilities with guardrails, a Linux eBPF rootkit with a backdoor, C2, library injection, and more.

Hey there,

I hope you’ve been doing well!

Cross-cultural Teams

One thing I love about where I work is that we have a varied group of super sharp people from all over the world.

This leads to neat things like a colleague from Belgium (Pieter De Cremer) teaching you about 8 different types of waffles, or colleagues from France or Italy sharing local customs.

But communication can also be challenging amongst people with different native languages, cultures, and background experiences.

We’re still working on it, but I have found translation guides like the following useful:

If you know of any other valuable cross-culture communication guides, feel free to let me know!

Sponsor

📢 Get the 2022 State of API Security Report

Do you have visibility into your organization's API attack surface? If you experienced an API security incident last year, you're not alone. 95% of organizations have had API security problems. Industry-leading research from Salt Security examines how companies secure APIs, the challenges they face, and how their API security strategies are evolving. Download the State of API Security report to benchmark yourself and improve API security for your company.

📜 In this newsletter...

  • Bug Bounty: Scoping/running a bug bounty program, secrets of automation kings

  • Web Security: Tool to bypass 40X protected pages, abusing Cloudflare Workers

  • AppSec: Jeevan Singh on security for early-stage start-ups and self-service threat modeling, 1Password VS Code extension, learnings from 5 years of tech start-up code audits, building a SAST program at Razorpay's scale

  • Cloud Security: Open cloud vulnerability and security issue database, check your AWS perimeter with Steampipe, building AWS security guardrails

  • Container Security: Tool integration platform for Kubernetes, finding exposed Kubernetes clusters on the Internet

  • eBPF: Bypassing eBPF-based security enforcement tools, a Linux eBPF rootkit

  • Network Security: A fully offensive framework for 802.11 networks and protocols, a port scanner shootout

  • Politics / Privacy: Data privacy concerns after Roe decision, security and privacy tips for people seeking an abortion, how mercenary hackers sway litigation battles, two Americas

  • Misc: SQL database you can use like git, things you should know about databases, OKRs were a psyop from Google to slow down potential early stage competitors

Bug Bounty

Some great threads by my bud Jason Haddix.

A masterclass in scoping/running a bug bounty program
Jason walks through why Yahoo and the Paranoids have one of the best bug bounty programs.

Secrets of automation-kings in bug bounty
Finding 1-day (or 1-month) web exploits that haven’t made their way into scanners yet can make you big money.

Web Security

laluka/bypass-url-parser
Tool by @TheLaluka that attempts to bypass 40X protected pages using a variety of tricks.

MitM at the Edge: Abusing Cloudflare Workers
Christophe Tafani-Dereeper discusses how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. If you’re familiar with Cloudflare Workers, this is really just using intended functionality (programmatically reading/rewriting HTTP requests and responses) for malicious purposes. Christophe discusses stealing authorization tokens and cookies, injecting malicious JavaScript, and more.

AppSec

SecuriTEA & Crumpets - Episode 19 - Jeevan Singh
Lewis Ardern interviews Segment’s Jeevan Singh about Jeevan’s career, security activities for early-stage start-ups, and self-service threat modeling, which Jeevan spoke about at BSidesSF 2022.

Introducing 1Password for Visual Studio Code
1Password’s Jody Heavener describes a new open source VS Code extension that can detect secrets in code, save them to 1Password with a click, and swap it with a reference to that secret.

Learnings from 5 years of tech startup code audits
FiscalNote’s Ken Kantzer shares insights from auditing a number of Series A/B start-ups. H/T Lewis Ardern. Some highlights:

  • Simple Outperformed Smart - The start-ups they audited who followed a Keep It Simple approach are the ones doing the best years later.

  • Secure-by-default features in frameworks and infrastructure massively improved security.

  • Never deserialize untrusted data - “Almost every case we saw where a server was deserializing a client object and parsing it led to a horrible exploit.”

  • Quick turnarounds on fixing vulnerabilities usually correlated with general engineering operational excellence.

  • Almost no one got JWT tokens and webhooks right on the first try.
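As an added illustration of the webhook point above (this code is not from Ken Kantzer's post or the audited start-ups): a receiver that binds a timestamp into an HMAC-SHA256 signature, rejects stale deliveries to limit replay, and compares in constant time, shown beside the naive first attempt that skips both. The `t=<unix>,v1=<hex>` header format, the secret and the 300-second window are assumptions chosen for the example.

```python
import hmac
import hashlib
import time
from typing import Optional

# Shared secret; a constructed value for this example only.
WEBHOOK_SECRET = b"example-shared-secret"
# Deliveries older than this are treated as replays.
MAX_SKEW_SECONDS = 300


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build the header the sender attaches: t=<unix>,v1=<hex>.

    The timestamp is part of the MAC input, so a replayer cannot refresh it.
    """
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_naive(body: bytes, header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Typical first attempt: no freshness check and a plain == comparison.

    Any captured delivery verifies forever, and == is not constant time.
    """
    fields = dict(part.split("=", 1) for part in header.split(","))
    expected = hmac.new(secret, f"{fields['t']}.".encode() + body, hashlib.sha256).hexdigest()
    return fields["v1"] == expected


def verify(body: bytes, header: str, secret: bytes = WEBHOOK_SECRET,
           now: Optional[int] = None) -> bool:
    """Hardened check: strict parsing, freshness window, constant-time compare."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale delivery: replay or clock skew
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(provided, expected)
```

Signing over the raw body bytes (not a re-serialized JSON object) matters: canonicalization differences between sender and receiver are a frequent source of "the signature never matches" bugs.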

Building a SAST program at Razorpay’s scale
Razorpay’s Sandesh Anand and Libin Babu provide a great overview of how to choose the right SAST tool for your company, how to set up effective scanning, “selling” it to your developer counterparts, and more.

To sell SAST internally:

  1. Find early adopters

  2. Advertise success, fix failures

  3. Track progress in public

Like most engineering teams, we also use internal libraries, coding guidelines, and unique one-off solutions. No SAST tool can provide rules specific to our practices out-of-the-box.

We realised that providing a phenomenal custom rule engine will make it easy for us to build rules that meet coverage requirements and turn off rules that produce a high rate of false positives.

While investigating a potential security defect, we wanted a tool to quickly scan a large repo (think millions of lines of code). Most tools we knew of were either commercial (there was no time to go through procurement) or did not work well on large code bases.

We then came across r2c’s Semgrep. It took us less than an hour to install the CLI version of the tool, run a scan and get desired results. This blew our minds and we started digging deeper into the tool.

Cloud Security

The Open Cloud Vulnerability & Security Issue Database
Building on Scott Piper’s work, Wiz’s Amitai Cohen and Alon, together with Scott, have created a nice website that lists cloud vulnerabilities and cloud provider security issues and allows searching and filtering.

turbot/steampipe-mod-aws-perimeter
An AWS perimeter checking tool that can be used to look for resources that are publicly accessible, shared with untrusted accounts, have insecure network configurations, and more, by Steampipe.

Building AWS Security Guardrails
Kinnaird McQuade joins Ashish Rajan on the Cloud Security Podcast to discuss building AWS security guardrails that prevent classes of bugs, scaling guardrails, the difference between preventative and detective security controls, and more.

Container Security

devtron-labs/devtron
A tool integration platform for Kubernetes, by Devtron Labs. Devtron helps you deploy, observe, manage & debug existing Helm apps in all your clusters via an intuitive web interface.

Let’s talk about Kubernetes on the Internet
Rory McCune discusses Kubernetes’ network attack surface, some tricks for identifying Kubernetes clusters based on their responses to basic requests, and uses Shodan to examine what information is visible on the Internet relating to exposed Kubernetes services.

eBPF

Bypassing eBPF-based Security Enforcement Tools
Form3’s Daniel Teixeira walks through using Tetragon, an open-source eBPF-based security observability and runtime enforcement tool, Tetragon policy limitations, and a number of ways to bypass I/O system call monitoring.

h3xduck/TripleCross
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities, by Marcos S. Bajo for his Bachelor’s thesis at UC3M. Nice overview thread by Marcos’ advisor Juan Tapiador here.

Sponsor

📢 Delete ¾ of a Redis Container and Reduce Vulnerable Code

It turns out there is a huge amount of unused code in the Bitnami distribution—and this is a common problem for all of the popular container images. By shrinking Redis using RapidFort, 66% of known vulnerabilities were removed. Contribute to the community in GitHub.

Network Security

D3Ext/WEF
By @D3Ext: A fully offensive framework for 802.11 networks and protocols with different types of attacks for WPA/WPA2 and WEP, automated hash cracking, Bluetooth hacking and much more.

Port Scanner Shootout
@s0cm0nkeysec goes into detail about port scanning techniques, tools, and tests that will help you better understand which tools are best for the different types of port scanning tasks you may have. They test nmap, masscan, naabu, and rustscan.

Politics / Privacy

EXPLAINER: Data privacy concerns emerge after Roe decision
The article lists several examples of women being indicted on murder charges on suspicion of having had an abortion, with their Internet search history included as evidence. Data brokers also let you buy location info, income brackets, and more for ~$160. Personally, I don’t want this type of info being sold at all, let alone for that cheap.

It’s all possible because federal law — specifically, HIPAA, the 1996 Health Insurance Portability and Accountability Act — protects the privacy of medical files at your doctor’s office, but not any information that third-party apps or tech companies collect about you. This is also true if an app that collects your data shares it with a third party that might abuse it.

How mercenary hackers sway litigation battles
This one is wild. Companies and individuals are using hackers for hire to target their opponents in court cases, compromising email accounts and gathering other sensitive internal documents to gain leverage in the case.

See also Countering hack-for-hire groups, by Google’s Threat Analysis Group’s Shane Huntley.

The US’s terminal conflict will be an internal one, fought between people who only see America’s flaws and those who pretend they don’t exist. And of course, both are wrong.

Misc

dolthub/dolt
By DoltHub: Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository.

Things You Should Know About Databases
1Password’s Mahdi Yusuf covers everything you should understand about RDBMS indexes, touching briefly on transactions and isolation levels and how they can impact your reasoning about specific transactions.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint