• tl;dr sec
  • Posts
  • [tl;dr sec] #156 - Hipster History of CORS, Serverless Security Event Data Pipelines, Evaluating Container Attack Detection

[tl;dr sec] #156 - Hipster History of CORS, Serverless Security Event Data Pipelines, Evaluating Container Attack Detection

Dev's hilarious and useful history of the Internet and browser security, new toolkit from Brex to easily normalize and enrich security event data, additional Kubernetes attack methods and evaluating Falco.

Author

Clint Gibler
October 26, 2022

Hey there,

I hope you’ve been doing well!

Humor

Last week, I teased tech companies and the Bay Area in general for having grandiose, “change the world” visions.

A reader (thanks Ben), read this as climate change denial, or at least criticizing people trying to make a difference.

Writing tl;dr sec, it’s easy to forget sometimes that you might not know my humor and worldview, having not (yet) met me in person (#TLDRsecCon2023).

While I like to playfully tease about SF and Bay Area things, it’s like when you tease a sibling: there’s an underlying love and respect that’s always there.

To be candid for a moment, outsiders may scoff at the naivety of some tech or Bay Area companies’ vision, but I’ve rarely met more genuine, caring people who do want to do the right thing, and actually make the world a better place.

And I find that inspiring, and I would never want that to change.

So get out there all you changemakers and make a difference.

I believe in you, and I know you will ✊

Retreats back into too-cool-ironically-detached stage persona

Sponsor

📢 Free: Dastardly, from Burp Suite

Coming very soon, Dastardly, from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline. Check for seven security issues you care about, in ten minutes or less - all with the extreme accuracy provided by DAST. Dastardly uses the tried and trusted Burp Scanner that sits at the heart of Burp Suite - and can cut through modern web applications like SPAs with ease.

PortSwigger consistently puts out some of the best web security research and learning resources, this will be something to check out! 🔥

📜 In this newsletter...

  • AppSec: Detecting text4shell, fine-grained personal access tokens for GitHub, Semgrep rules for Kotlin, open-source runtime code analysis tool

  • Web Security: API security checklist, bypassing CSP, HTTP/3 connection contamination, a hipster history of CORS

  • Cloud Security: Tool to get valuable info about of CloudTrail, the danger of falling to system role in the AWS SDK client, how to list all resources in your AWS account, lateral network layer movement risks in the cloud and how to prevent them, why cloud finance is broken and ineffective

  • Container Security: Tool to analyze the certificate authorities your container trusts, evaluating Falco's attack detection

  • Blue Team: Easily spin up a fully containerized Elastic stack, tool to capture volatile data from a system, new toolkit to build scalable security event data pipelines

  • Misc: Colorize black and white photos, we become what we behold, an image and video meme maker, Harry Potter with guns, the history of the "Pitch Perfect" riff-off scene, why mirrors can freak us out, hacking a reporter via reused passwords

AppSec

jfrog/text4shell-tools
Tool by JFrog that determines if your code is using the commons-text library and if you’re using any vulnerable functions from it.

Introducing fine-grained personal access tokens for GitHub
GitHub announces a new type of personal access token in Public Beta. Fine-grained personal access tokens give developers granular control over the permissions and repository access they grant to a PAT (choose from over 50 granular permissions). Organization administrators can set approval policies and have full visibility for tokens that access organization resources.

Semgrep rules for Kotlin security assessment
Federico Dotta has released a number of Semgrep rules for assessing Kotlin projects, mainly looking for potential SQL injection, as well as some for Android, to quickly identify WebView functionality so you can inspect their security configuration.

AppMap
An open-source runtime code analysis tool with support for Ruby, Java, Python, Javascript. AppMap records code execution traces, collecting information about how your code works and what it does. Then it presents this information as interactive diagrams that you can search and navigate. In the diagrams, you can see exactly how functions, web services, data stores, security, I/O, and dependent services all work together when application code runs.

Web Security

shieldfy/API-Security-Checklist
A checklist of important security countermeasures when designing, testing, and releasing an API. Topics: authentication, JWT, OAuth, access, input, processing, output, CI/CD.

CSP and Bypasses
Shubham Chaskar provides an overview of CSP and popular directives, and then describes how to bypass a number of unsafe policies (unsafe eval, unsafe inline, JSONP callback, CSP injection, fixed nonce, file upload, AngularJS, etc.).

HTTP/3 connection contamination: an upcoming threat?
Portswigger’s James Kettle shows how first-request routing also enables a client-side, browser-based attack called HTTP connection contamination. This technique works on systems running HTTP/2, and is likely to become a greater threat with the advent of HTTP/3.

Be aware that while wildcard TLS certificates have never been ideal, HTTP/3 means a compromised server with a wildcard certificate can now be used to attack sibling domains without an active MITM.

A Hipster History of CORS
Excellent Strange Loop 2022 talk by Figma’s Devdatta Akhawe that’s both funny and a great history of the Internet and browser security. Highly recommend.

My hope is that you leave this talk understanding why things are the way they are and you get less angry at CORS errors and live a happier life :)

Sponsor

📢 Put software supply chain security on autopilot

🚨Pop quiz🚨

Question: Software supply chain security should accomplish which of the following?

Answer:

  1. Result in effective security implementation across your development ecosystem

  2. Help free up the DevOps team by automating risk mitigation

  3. Keep developers happy and focused on building

  4. All of the above!

Arnica builds DevOps security tools to align to the development lifecycle, not disrupt it

Cloud Security

flosell/trailscraper
By Thoughtworks’s Florian Sellmayr: A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies.

The Danger of Falling to System Role in AWS SDK Client
Doyensec’s Mohamed Ouad and Francesco Lacerenza introduce “CloudSecTidbits”, a series covering bugs when the cloud infrastructure is properly configured, but the web application fails to use the services correctly. Awesome topic.

In this post, they describe how code edge cases + the way the AWS SDK client resolves which credentials to use can potentially allow an attacker to access sensitive internal data. See the Terraform lab here.

How to list all resources in your AWS account
welldone.cloud’s Michael Kirchner shows the many possible (but still incomplete) answers to this simple question, and a new tool, aws-list-resources, that uses the new Cloud Control API “List” operation.

Lateral movement risks in the cloud and how to prevent them – Part 1: the network layer (VPC)
Wiz’s Lior Sonntag discusses lateral movement as it pertains to the cloud’s network layer (VPC), attacker tactics, techniques, and procedures (TTPs), and outlines 5 best practices to reduce the risk of lateral movement in the VPC and between VPCs.

“Our findings show that approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key.”

Why Cloud Finance Is Broken and Ineffective
Duckbill Group’s Mike Julian argues that cost management is primarily an engineering problem, not a financial problem. Architectural choices are the primary driver of cloud costs, not things you left on. Recommendations:

1. (Acknowledge) Architecture and costs are the same thing.

2. Work to better understand how your architecture impacts your costs and how your specific cost drivers behave. The majority of your efforts should be on understanding cost drivers instead of RI/SP management and identifying idle resources.

3. Build processes into your engineering release cycles for ongoing cost optimization efforts. A little bit of time spent every week will have much better results than a lot of effort every quarter.

Container Security

Announcing Jetstack Paranoia: A New Open Source Tool for Container Image Security
Jetstack’s James Laverack announces Paranoia a tool to analyze and export trust bundles (e.g., “ca-certificates”) from container images. These certificates identify the certificate authorities that your container trusts when establishing TLS connections, so this allows you to determine if your containers are trusting known compromised CAs. Paranoia can also be run in your build pipeline to verify that your containers do or do not contain specific certificates.

Restructuring the Kubernetes Threat Matrix and Evaluating Attack Detection by Falco
Mercari’s Hiroki Akamatsu proposes some additional attack methods missing from Microsoft’s Threat matrix for Kubernetes (in green), discusses evaluating Falco detection evasion methods and countermeasures, contributing new detection rules to Falco, and understanding the effectiveness and limitations of Falco attack detection.

Blue Team

peasead/elastic-container
By Elastic’s Andrew Pease, @DefSecSentinel, and Derek Ditch. Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes.

cado-security/varc
By Cado Security: Collects a snapshot of volatile data from a system, which is useful when investigating an incident. Data captured includes: running processes and what network connections they are making, the memory of running processes, netstat data of active connections, and the contents of open files (e.g running binaries). Works across operating systems (Windows, Linux, macOS) and cloud environments, Docker, Kubernetes and serverless.

Announcing Substation
Brex’s Josh Liburdi et al announce Substation, an open source toolkit for creating highly configurable, no maintenance (serverless), and cost-efficient data pipelines. Substation solves a problem that every security team has, but few may recognize — the need to normalize, correlate, and enrich their security event data at scale. H/T my bud Jessica Rozhin for sharing this with me.

Misc

Palette.fm
Free tool to colorize black and white photos.

We Become What We Behold
A game about news cycles, vicious cycles, infinite cycles.

Piñata Farms
The best meme generator and meme maker for video & image memes.

Harry Potter with Guns
Someone replaced wands and magic in Harry Potter with guns. The “winguardian leviosa” scene kills me. H/T Bence Nagy for this gem.

‘Pitch Perfect’ Riff-Off Scene - An Oral History Behind the Scenes on Its 10-Year Anniversary
Interesting backstory on such a good scene. Future goal: organize and/or participate in an infosec acapella or rap battle riff-off. One day.

In 2010, Giovanni Caputo published the first description of what’s become known as the strange-face illusion. He showed that when people stare into a mirror under low lighting, they will often see their faces warp and change. Some watch their own facial features distort, while others see the visages of deceased loved ones or even monsters. (Subsequent experiments have shown that you don’t even need a mirror for the strange-face illusion to occur; you can also focus on another person’s face, or even a mask.)

“Our visual experiences are constructed in our mind, and they don’t directly represent what we’re trying to see.”

Rachel and Evan Tobac hacks CNN’s Donie O’Sullivan Again
Last time Rachel did it through service provider call centers, this time she used the easiest method: reused passwords found in data breaches. Nice entry level explanation for the non-technical.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint