
[tl;dr sec] #155 - Understanding IAM, Autogenerate Art from Blog Post, Attacking Closed DNS Resolvers

Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure Kaminsky style.

Hey there,

I hope you’ve been doing well!

Saving the World 🦸

This week, on #PeakBayArea.

Even more than making money or being profitable, it’s key for Bay Area tech companies to have a grand vision.

Regardless of if you’re getting third world kids clean water, or more likely improving ad targeting, it’s essential to disrupt, and as Silicon Valley rightly skewered, make the world a better place.

But it’s not just tech companies that need to Be The Change. It’s everyone.

Does your milk provide calcium and other healthy vitamins and minerals?

Weak. You gotta get on this milk that embodies environmental leadership or directly fights climate change, as you drink it!!

Sponsor

📢 2022 Cloud-Native Threats

As organizations move to cloud, cyberattackers have followed. While motives haven’t changed, techniques have - cryptojacking, supply chain threats and geopolitical hacktivism.

Did you know that for a cryptojacker to make $1, it costs the victim $53 in cloud bills?

Read Sysdig’s blog for more insights and analysis on:

  • Notorious cloud adversary: TeamTNT

  • Supply chain attacks against containers

  • Geopolitical conflict influences on attacker behavior

📜 In this newsletter...

  • AppSec: How to plan an SMS migration, you can brute force version 1 GUIDs, write Semgrep rules to quickly verify ideas

  • Web Security: Generate an API client from OpenAPI, open source API security platform, DNS attacks on closed resolvers

  • Cloud Security: Clean up unused AWS access keys, compute cost calculator, AWS permission boundaries for dummies, diving deeply into IAM policy evaluation

  • Blue Team: Cloned website canarytoken, on trust and transparency in detection, stopping vulnerable driver attacks

  • Politics / Privacy: Kanye buys Parler, UK spy chief says China's tech manipulations threaten all

  • Machine Learning: GitHub Copilot lawsuit, prompt engineering resources, public database of AI generated images, Google project to generate video from text, automatically generate AI art using your own blog content, Microsoft product to use AI for social media graphics

  • Misc: Super Mario Bros movie, meme search engine, archery tag, a vision for OWASP's future

AppSec

How to plan an SMS MFA migration that affects thousands of users
Twilio’s Jordan Kohl describes how they handled a tricky migration, including dealing with an external API and constantly changing production database, in a way that doesn’t lock out users.

In GUID We Trust
Intruder’s Daniel Thatcher describes how you can brute force version 1 GUIDs if you know the approximate time the GUID was generated, as well as the node ID and clock sequence of the generating system. When GUIDs are used as password reset tokens, for example, this could enable account takeover.

Daniel also released a tool to help with this attack and a CTF challenge to practice on.
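The structure that makes a version 1 GUID guessable can be checked directly. The following is an added example, not code from Daniel Thatcher's post or tool: it decodes the timestamp, clock sequence and node ID embedded in a v1 GUID so a reviewer can audit whether a service's tokens share a generator (make_v1 is a helper that builds GUIDs from fixed fields so the decode is reproducible).

```python
import uuid
from typing import Optional

# Offset between the UUID epoch (1582-10-15) and the Unix epoch, in 100 ns ticks.
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def make_v1(unix_time: float, clock_seq: int, node: int) -> str:
    """Build a version 1 GUID from explicit fields (for reproducible checks)."""
    ticks = int(unix_time * 10_000_000) + UUID_EPOCH_OFFSET
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, (ticks >> 48) & 0x0FFF,
              (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, node)
    return str(uuid.UUID(fields=fields, version=1))


def decode_v1(token: str) -> Optional[dict]:
    """Return the predictable fields of a v1 GUID, or None if it is not version 1.

    A v1 GUID is a 60-bit timestamp, a 14-bit clock sequence and a 48-bit node ID;
    once node and clock sequence are known, only the timestamp is unknown."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return None
    if u.version != 1:
        return None
    return {
        "unix_time": (u.time - UUID_EPOCH_OFFSET) / 1e7,  # seconds since 1970
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",
        # RFC 4122: a set multicast bit marks a random node ID rather than a MAC.
        "random_node": bool(u.node & (1 << 40)),
    }


def share_generator(a: str, b: str) -> bool:
    """True if two v1 GUIDs carry the same node ID and clock sequence: every
    token that service issues then differs only in its timestamp."""
    fa, fb = decode_v1(a), decode_v1(b)
    if fa is None or fb is None:
        return False
    return (fa["node"], fa["clock_seq"]) == (fb["node"], fb["clock_seq"])


if __name__ == "__main__":
    # Constructed sample: two tokens issued seven seconds apart by one node.
    t1 = make_v1(1666000000, 0x1234, 0x001122334455)
    t2 = make_v1(1666000007, 0x1234, 0x001122334455)
    print(t1, decode_v1(t1), share_generator(t1, t2))
```

Any reset token that decodes as v1, or any pair of tokens for which share_generator is true, should be replaced by a random token from a CSPRNG.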

Semgrep: Writing quick rules to verify ideas
GitLab’s Dominic Couture makes the case for using Semgrep for quickly writing disposable rules to validate an idea when reviewing code. Specifically, finding GET routes that contain state-changing functionality (frameworks often don’t protect against this by default). Using this approach, he found and reported a real CSRF issue in Kibana!

What I’m looking for here are path: "something" patterns inside a router.get(...) call so I will express that in semgrep terms. The semgrep code is very close to the sentence I just wrote!

Web Security

Kiota
A CLI tool for generating an API client to call any OpenAPI described API. The goal is to eliminate the need to take a dependency on a different API SDK for every API that you need to call. Kiota API clients provide a strongly typed experience with all the features you expect from a high quality API SDK, but without having to learn a new library for every HTTP API.

metlo-labs/metlo
An open-source API security platform, by Metlo.

  • Endpoint Discovery - Scans network traffic and creates an inventory of every API endpoint.

  • Sensitive Data Scanning - Each endpoint is scanned for PII data and given a risk score.

  • Vulnerability Discovery - Get alerts for issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII data in URL params, Open API spec diffs, and more.

Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style
SEC Consult’s Timo Longin and Clemens Stockenreitner describe attacking closed DNS resolvers, which you can reach using SPF, DKIM, and DMARC. Tool release: DNS-Analysis-Server.

By analyzing closed DNS resolvers on the Internet, we found numerous ISPs and hosting providers that are vulnerable to trivial Kaminsky attacks. This allows an attacker to manipulate the DNS name resolution of thousands of systems. As a consequence, e-mail redirections, account takeovers and even the compromise of entire systems may be possible.

Cloud Security

tuladhar/cleanup-aws-access-keys
A cloud security tool to search and clean up unused AWS access keys, written in Go, by Puru Tuladhar.

Compute Cost Calculator
By Eric Wastl: Find the lowest price of compute resources from different AWS services given some criteria, like RAM or CPUs.

AWS Permission Boundaries for Dummies
Great overview by FireMon’s Rich Mogull.

TL;DR: Regular IAM policies let you do things, but can also stop you from doing things. Permission boundaries only stop you from doing things. You mostly use them to let someone administer some IAM stuff but not so much IAM stuff that they can escalate privileges (for themselves or someone else). They are a failsafe. If you let someone manage IAM in an account and don’t want them to be able to escalate privileges, you almost always need a permission boundary!

Diving Deeply into IAM Policy Evaluation
Ermetic’s Noam Dahan provides a great overview of the AWS re:Inforce session by AWS Sr. Solutions Architect Matt Luttrell and AWS Sr. Software Engineer for IAM Access Analyzer Dan Peebles. The talk delves into some of AWS IAM’s most arcane edge cases – and why they behave as they do. The session took a deep dive into AWS IAM internal evaluation mechanisms never shared before and revealed a new model for representing the AWS permission evaluation process. So many GIFs of flow charts 😆
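The "boundaries only stop you" point from Rich Mogull's post and the evaluation order discussed in the re:Inforce talk can be made concrete with a small model. The code below is an added example, not from either post or from AWS: a simplified same-account evaluator over identity policies, an optional permission boundary and an optional SCP (Condition, NotAction, Principal and resource policies are deliberately not modelled), with constructed policies showing that an Allow in the boundary grants nothing on its own.

```python
import fnmatch


def _listify(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(statement, action, resource):
    # Simplification: Action/Resource with IAM-style * and ? wildcards only.
    actions = _listify(statement.get("Action", []))
    resources = _listify(statement.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _verdict(policy, action, resource):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, else None."""
    verdict = None
    for st in policy.get("Statement", []):
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, permission_boundary=None, scp=None):
    """Explicit Deny anywhere wins; the SCP and the boundary (when present) must
    each contain an Allow; only then does an identity-policy Allow grant access."""
    gates = [_verdict(p, action, resource)
             for p in (scp, permission_boundary) if p is not None]
    identity = [_verdict(p, action, resource) for p in identity_policies]
    if "Deny" in gates or "Deny" in identity:
        return False
    if any(v != "Allow" for v in gates):  # a boundary can only narrow, never grant
        return False
    return "Allow" in identity


# Constructed policies: an IAM-admin identity policy, a boundary that keeps the
# principal to IAM read + CreateRole (plus EC2), and an SCP that blocks CreateRole.
IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                           "Action": ["iam:Get*", "iam:List*", "iam:CreateRole", "ec2:*"]}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "iam:CreateRole", "Resource": "*"}]}

if __name__ == "__main__":
    for act in ("iam:ListUsers", "iam:AttachUserPolicy", "ec2:RunInstances", "iam:CreateRole"):
        print(act, is_allowed(act, "*", [IAM_ADMIN], BOUNDARY, SCP))
```

Note that ec2:RunInstances is denied even though the boundary allows it, because no identity policy does; that asymmetry is the whole point of a boundary.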

Sponsor

📢 Drop that Cloud Zero for a Cloud Hero!

We at Permiso love our bold statements and definitely our 90s references (can you guess it?). Do you have an army of cloud heroes building detections and responding to cloud breaches in your environment? If so, then we’re not the solution for you!

However, if you need help from experts who know how to find “evil” in cloud, we’re your Cloud Heroes! If you don’t believe us, just check out our research and disclosures on our blog to get a glimpse of our unique insights and why we’re the Cloud Heroes for you! We’re also offering a free Cloud Compromise Assessment with no strings attached (except maybe talking to one of our CEOs!). If you just want to reminisce about the 90s, that’s fair game too!

Blue Team

Cloned Website Token
By Thinkst Canary: Place this canary token within the JavaScript of your websites and it notifies you if someone clones your site and hosts it on another domain, which is often done in targeted phishing attacks.

On Trust and Transparency in Detection
Interesting reflections by Anton Chuvakin and Oliver Rochford on the history and future of detection logic being transparent, explainability vs understandability, accuracy, and more.

Stopping Vulnerable Driver Attacks
Ransomware actors are leveraging vulnerable drivers to tamper with endpoint security products. Elastic’s Joe Desimone describes how Elastic Security has released 65 YARA rules to detect vulnerable driver abuse.

Elastic Security in 8.4 adds another powerful tool that can be used to identify suspicious drivers. This is the “New Terms” rule type, which can be used to create an alert when a term (driver hash, signer, version, internal file name, etc) is observed for the first time.

This empowers security teams to quickly surface unusual drivers the first time they’re seen in their environment. This supports a detection opportunity for even previously unknown vulnerable drivers or other driver-based adversary tradecraft.
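The first-seen logic behind a "New Terms" style rule is simple enough to show end to end. The following is an added example, not Elastic's rule engine: it runs a baseline-then-alert detector over constructed driver-load events (hashes and signer names are placeholders, not real indicators), alerting once per field value the first time it appears after the baseline period.

```python
from collections import defaultdict

# Constructed driver-load events; sha256 and signer values are placeholders.
EVENTS = [
    {"ts": "2022-10-10T08:00:00", "host": "ws01", "driver": "acpi.sys",
     "sha256": "hash-1", "signer": "Microsoft Windows"},
    {"ts": "2022-10-10T09:00:00", "host": "ws02", "driver": "vendor.sys",
     "sha256": "hash-2", "signer": "Vendor Corp"},
    {"ts": "2022-10-12T10:00:00", "host": "ws03", "driver": "acpi.sys",
     "sha256": "hash-1", "signer": "Microsoft Windows"},   # known: no alert
    {"ts": "2022-10-12T11:00:00", "host": "ws01", "driver": "oldgpu.sys",
     "sha256": "hash-3", "signer": "Vendor Corp"},         # new hash, known signer
    {"ts": "2022-10-12T12:00:00", "host": "ws02", "driver": "suspect.sys",
     "sha256": "hash-4", "signer": "Acme Drivers Ltd"},    # new hash and signer
]


def new_terms(events, fields, learn_until):
    """Return one alert per (field, value) first observed after learn_until.

    Events up to learn_until only populate the baseline; a value already in the
    baseline never alerts, however many hosts load it later. Timestamps are
    ISO-8601 strings, so they compare correctly as strings."""
    seen = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for field in fields:
            value = ev[field]
            if value in seen[field]:
                continue
            seen[field].add(value)
            if ev["ts"] > learn_until:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "driver": ev["driver"],
                               "field": field, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in new_terms(EVENTS, ["sha256", "signer"], "2022-10-11T00:00:00"):
        print(alert)
```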

Politics / Privacy

Ye, formerly known as Kanye West, to acquire Parler platform
Kanye was recently booted from Twitter for antisemitic comments. Also, is this real life?

China is using its financial and scientific muscle to manipulate technologies in a manner that risks global security, Britain’s top cyber spy will say on Tuesday, warning that Beijing’s actions could represent “a huge threat to us all.”

In a speech, Jeremy Fleming, director of the GCHQ spy agency, will say that the Chinese leadership was seeking to use technologies such as digital currencies and its Beidou satellite navigation network to tighten its grip over its citizens at home, while spreading its influence abroad.

Machine Learning

GitHub Copilot investigation
Description of a lawsuit being filed against GitHub Copilot, claiming it violates its legal duties to open-source authors and end users.

Maybe you don’t mind if GitHub Copilot used your open-source code without asking. But how will you feel if Copilot erases your open-source community?

sw-yx/prompt-eng
Shawn Wang shares a ton of resources for prompt engineering on (mostly) Stable Diffusion, DALL-E 2, and Midjourney.

Arthub.ai
Explore AI generated designs, images, art and prompts by top community artists and designers. Some seriously cool photos.

Imagen Video
New release from Google Research’s Brain Team that generates video based on a text description.

Generate AI Art Using Your Own Writing
Super cool post by Daniel Miessler that describes how to take the text of a blog post, auto-summarize it into a prompt (for DALL-E 2, Stable Diffusion, Midjourney), and then use the prompt to generate art for the post. Such a neat read.

Microsoft Designer - Create stunning designs in a flash
New product by Microsoft aimed at making it easier to create graphics for social media and other everyday uses, powered by DALL-E 2. You can generate a totally custom image, or start from a template or stock image, add your own content (photo, logo, messaging), and more.

Also, everybody needs to relax sometimes.

Misc

FindThatMeme
Search millions of memes from across the web in seconds. You can search by text in the meme, or by providing a meme you want to find similar memes to.

Archery Tag
Last week I called out DodgeBow, and lamented that it’s only in Montreal. Soon after, Rami McCarthy let me know about Archery Tag, which appears to be a similar idea, with many more locations!

My Manifesto for the OWASP Board Election
Mark Curphey paints an interesting picture for where OWASP could head. I’m not endorsing (or not endorsing) these points, but in general, I like people dreaming big. Mark recommends:

  • Changing the funding model - instead of running mostly on personal membership fees, raise money from large corporate sponsors and government grants, like the CNCF and OSSF.

  • Creating an OWASP Investment Fund - Invest like a VC in companies built around OWASP projects.

  • Clarify the mission statement, reduce bureaucracy, clarify community values, and more.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint