• tl;dr sec
  • Posts
  • [tl;dr sec] #144 - Hacker Summer Camp, Building ProdSec from Scratch, IAM-Deescalate

[tl;dr sec] #144 - Hacker Summer Camp, Building ProdSec from Scratch, IAM-Deescalate

How to stay healthy and get the most out of Vegas this year, how to build a ProdSec program from scratch, tool to mitigate privilege escalation risks in AWS.

Author

Clint Gibler
August 03, 2022

Hey there,

I hope you’ve been doing well!

InfoSec ❤️ Musicals

If you’re a regular tl;dr sec reader, you probably know I love InfoSec.

And musicals.

So you can imagine my joy upon seeing that Rachel Tobac and co have released a set of musical (and spoken) security awareness videos.

We wanted original (non parody) music & to cover genres all over the map: retro pop, 90s hip hop, alt rock, stadium country, electro-dance, hard rock, etc.

So we then found super talented folks from American Idol, VH1/MTV, Viral Tik Tok songwriters to make that dream happen.

She’s living my dream 😍 Awesome.

I love seeing people in security sharing their creative side.

As Jackie Bow said in her BSidesSF 2022 talk: you can be a great security professional and still have hobbies that have nothing to do with security. You contain multitudes ✊

r2c at DEF CON

If you’re going to be in Vegas for DEF CON, feel free to come say hi to some of my awesome colleagues!

Sponsor

📢 The Top Five Myths in API Security

Think your WAF and API gateways have you protected from API attacks? Think your APIs are protected by your Cloud provider? It's time to take another look. As many organizations experience API security incidents, security leaders are learning traditional approaches and assumptions do not protect against the new forms of attacks. The Top 5 Myths in API Security white paper from Salt Security helps you understand what might be putting your critical data at risk.

📜 In this newsletter...

  • Hacker Summer Camp: A calendar and guide to the week, digital and personal self-care, effective face masks

  • AppSec: Building a Product Security program from scratch, building an AppSec pipeline for continuous visibility, exploiting GitHub Actions on open source projects, CVSS score deep dive

  • Cost-Related: Programmatically delete AWS resources based on allowlist and TTL, cross-cloud cost allocation models for k8s workloads, a serverless cost optimization bot, exploring AWS costs beyond the service level

  • Cloud Security: fwd:cloudsec 2022 playlist, AWS term glossary, a tool to reduce the risk of privilege escalation

  • Container Security: Admission controller that can enforce policy based on verifiable supply-chain metadata from cosign, the Kubernetes networking guide

  • Blue Team: Threat hunting in Okta logs, an analysis of Twitch's internal security tools, a new UEFI firmware rootkit

  • Politics / Privacy: Why Corey Quinn doesn't like One Medical's acquisition, an Amazonified One Medical may be too convenient to resist, Amazon might bring useful competition to the healthcare industry, Ring shares doorbell data with police without user consent

  • Misc: Curated list of static site generators, SQLite extension for querying HTML elements, get NFTs for getting a good night's sleep, life is not short

Hacker Summer Camp

“Hacker Summer Camp” is what many use to refer to the combined week of Blackhat, DEF CON, BSidesLV, and the Diana Initiative.

Jason Haddix’s Hacker Summer Camp Calendar and Guide
Nice concise overview about what’s happening each day.

Digital and Personal Self-Care at #hackersummersamp - “New Normalish” Edition
Bugcrowd’s Casey John Ellis on how to get the most out of Hacker Summer Camp and how to stay safe digitally and physically. Lots of solid basics, and also a few neat tips I hadn’t thought of before.

Face masks for DEFCON
obert Graham tested a number of masks efficacy, for upcoming events like DEF CON. tl;dr: throw out your old cloth/surgical masks and get behind-the-head (instead of behind-the-ear) N95 masks that fit well, like the 3M Aura N95.

AppSec

Building a Product Security program from scratch
Thirty Madison’s Anshuman Bhartiya covers what it means to be the founding ProdSec/AppSec engineer, understanding the organization (risk appetite and priorities), building relationships, understanding prior vulnerabilities, leaning into secure defaults, and more.

Building an AppSec Pipeline for Continuous Visibility
Chargebee’s Nikhil Mittal describes their approach to building an application security pipeline for continuous security scanning, using free and open-source tools for SAST (Semgrep), SCA (OWASP Dependency Check), Secrets Scanning (Gitleaks), and SBOM generation (CycloneDx).

All of Chargebee’s security solutions are deployed as independent containers on AWS ECR so they can be pulled directly from ECR to integrate into any workflows or can be used locally by developers. All of the tool results go to a DefectDojo dashboard via a Lambda function.

Exploiting GitHub Actions on open source projects
Tinder’s Tinder’s Rojan Rijal, Johnny Nipper, and Tinder’s Tanner Emek made an automation script (gh-workflow-auditor) that detects and flags vulnerable GitHub Actions. The script helped identify vulnerabilities that allowed write access in popular open-source projects such as Elastic’s Logstash. They share common security risks in GitHub Actions, their approach to detecting them, and their recommendations to mitigate vulnerabilities in GitHub Actions.

See also Protect Your GitHub Actions with Semgrep by r2c’s Grayson Hardaway, which to be honest I feel like discusses this topic in more detail, and also includes a demo repository for testing the attacks.

Further, the Tinder tool seems to mostly use regexes for its detection logic, vs Semgrep’s native YAML support and ability to extract, parse, and analyze nested languages (e.g. Bash in GitHub Actions. See Extract Mode docs for more details).

A closer look at CVSS scores
If you’ve been longing for a detailed treatise on CVSS (how it works, an analysis of the distribution of potential vs actual vulnerability ratings, critiques from a variety of sources), this is it. Shopify’s Jacques Chester deconstructs CVSSv3.1, looking at the data and how the calculation works, and then zooms out to look at CVSS in a broader context: other critiques, other scoring systems, and what the future holds.

See also Jacques’ SupplyChain Security Con talk How Do We Rank Project Risk? and released tool: SEER (Security Expert Elicitation of Risks), a prototype tool for security experts to provide estimates of risk for open source software.

servian/aws-auto-cleanup
Programmatically delete AWS resources based on an allowlist and time to live (TTL) settings, by Servian.

kubecost/opencost
Cross-cloud cost allocation models for Kubernetes workloads, by OpenCost. OpenCost models give teams visibility into current and historical Kubernetes spend and resource allocation. These models provide cost transparency in Kubernetes environments that support multiple applications, teams, departments, etc.

cremich/cdk-bill-bot
By Christian Bonzelet: The serverless cost optimization bot. This Construct Library provides L2 and L3 constructs for resources to build AWS Cost and Usage reports using the AWS Cloud Development Kit (CDK).

Exploring AWS Costs Beyond the Service Level
Post by Honeycomb’s Ben Hartshorne on using a derived column to directly connect individual customer experiences to the cost of providing that service with AWS Lambda. By leveraging these tools, they can better understand when their product is used in costly ways, and also provide tooling to better analyze and understand the cost effects of configuration changes.

Cloud Security

fwd:cloudsec 2022
YouTube playlist is now live! Some excellent talks, as always.

AWS glossary
Hundreds of AWS product names and terms, described in a sentence or two, by Amazon.

IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation
Palo Alto Networks Jay Chen describes IAM-Deescalate, a tool to mitigate privilege escalation risks in AWS. It first identifies the users and roles with privilege escalation risks using PMapper.

For each risky principal, IAM-Deescalate calculates a minimal set of permissions granted to this principal that can be revoked to eliminate the risks. IAM-Deescalate inserts an inline policy to explicitly deny the risky permissions that could allow the principal to escalate to administrator privilege.

Sponsor

📢 Faraday: Continuous testing, Continuous Security

Nowadays, the rise of cloud services and digital transformation have made system development much more agile. Updates are frequent, and attack surfaces are much more dynamic.

Testing continuously looks pretty much like the activities we see from attackers. At Faraday we accelerated this process by integrating our Red Team expertise into our vulnerability management platform. Providing a fast and efficient service of Continuous Security.

Container Security

sigstore/policy-controller
An admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.

The Kubernetes Networking Guide
Guide by Michael Kashin providing an overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality. Structure: the Kubernetes network model, CNI, services, ingress & egress, network policies, IPv6, DNS, and hands-on exercises.

Blue Team

Threat hunting in Okta logs
Twilio’s David French shares some threat hunting and security monitoring tips to help defensive practitioners protect their Okta environments from attack. Tips:

Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools
In the fall of 2021, Twitch suffered a data breach that included source code, internal databases, and more. FullHunt’s Mazin Ahmed reviewed the source code, configurations, build config process, and everything that became public knowledge due to the breach.

In this post, Mazin analyzes >120 internal security tools used by Twitch’s security program and tags them based on use case, services, and category. An interesting glimpse into a company’s security program.

CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
Kaspersky researchers describe a previously unknown UEFI firmware rootkit: because these are so low level, they’re difficult to detect, and persist even if the operating system is reinstalled or or the user replaces the machine’s hard drive entirely. They attribute it to an unknown Chinese-speaking threat actor, and believe it’s been in the wild since 2016. That’s 12 years without being discovered, yikes.

Politics / Privacy

An Amazonified One Medical may be too convenient for customers to resist
Amazon’s One Medical purchase is unlikely to deter consumers and employers from the service, experts said.” Corey is also quoted:

“When you have 1.4 million employees, you can’t guarantee that anything has never happened,” Quinn said. “I don’t particularly want the notes from my therapy appointments being something that anyone at Amazon has access to.”

 

No Mercy / No Malice: Prime Health
Prof Galloway believes Amazon’s competition would bring positive change to the healthcare industry.

The U.S. healthcare industry is a wounded 7-ton seal, drifting aimlessly, bleeding into the sea. Predators are circling. The blood in the water is unearned margin: price increases, relative to inflation, without a concomitant improvement in quality. Amazon is the lurking megalodon, its 11-foot jaws and 7-inch teeth the largest in history.

One Medical operates a digital health / physical office hybrid business, but you still have to pick up medication from the pharmacy. The obvious upgrade is to have your Paxlovid delivered within hours of a remote consultation. This is Amazon’s core competence — it will happen. Speed and convenience will be so differentiated in healthcare, it will feel alien.

I predicted Amazon would get into healthcare several years ago. Why? For the same reason Apple is getting into auto: not because it wants to, but because it has to. Amazon stock’s price-to-earnings ratio is 56 — more than double Walmart’s. For the company to maintain its share price, it needs to add a quarter of a trillion dollars in topline revenue over the next five years. It won’t find this kind of revenue in white-label fashion or smart home sales. It has to enter a gargantuan market that lacks scale, operational expertise, and facility with data.

The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police “emergency” requests. In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to—and potentially downloaded—their data.

Just as there are few regulations on how police use private surveillance technologies, there is also not much data about whether the controversial partnership between police and tech companies is making communities safer. However, it has become undeniable that police view video doorbell technology as a free law enforcement tool, even partnering with Ring in the past to install doorbells in communities for that purpose.

See also the thread by Ry Crist:

“There is no process for a judge or the device owner to determine whether there actually was an emergency,” notes the EFF. “There will always be temptation for police to use it for increasingly less urgent situations.”

Misc

myles/awesome-static-generators
A curated list of static web site generators.

asg017/sqlite-html
A SQLite extension for querying, manipulating, and creating HTML elements.

Sleepagotchi
“Free NFTs every morning- get 1 free NFT after you wake up, 2 if you slept well.” At least this web3 app rewards healthy behavior before they inevitably either rugpull or lose your money.

Life Is Not Short
dkb writes a fictional but realistic interview with Seneca based on Seneca’s essay “On The Shortness Of Life.”

Everyone complains about how short life is, but that perspective is broken. Life is not short. The real issue is that we waste so much of it.

Life is long enough for you to achieve your wildest dreams. You’re just so busy wasting it that you get to the end without living much of it.

The most surprising thing is that you wouldn’t let anyone steal your property, but you consistently let people steal your time, which is infinitely more valuable.

You act like a mortal in all that you fear, and an immortal in all that you desire.

You should live your life intentionally, instead of having your time stolen from you little by little. You should organize each day as if it were your last, so that you neither need to long for nor fear the next day.

There’s one thing you can do to extend your life. By studying the philosophies of those who came before you, you absorb their experiences. Every philosophy book you read, you’re adding the author’s lifespan to yours.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint