[tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame, Compromised Cloud to Kubernetes Takeover

Hey there,

I hope you’ve been doing well!

Bingo with Flair

97% of Bingo games in America happen in a retirement home (Source: I just made this up).

Well, in this week on #PeakBayArea- I recently attended drag bingo, led by two dressed up, enthusiastic hosts.

To give you a flavor of it, they’d periodically ask, “OK, who’s close?” To which the expected response was, if you had almost won:

Drag bingo makes me think that if there was a San Francisco-specific Shark Tank (Tofu Tank?), I feel like you could buzzword-Bingo win by combining existing things with an SF-resonant term, like:

• Drag + auctioneer

• Yoga + flea market

• Vegan + bull fighting

If you’re starting one of these, I’m ready to invest.

Also, I’m giving a webinar soon with the awesome Jim Manico, more details below.

Cloudflare has been building a number of pretty neat security features and products. And if you haven’t already seen it, I enjoyed this post on how Cloudflare prevented a targeted phishing scam and used it to improve how their products could have detected it earlier.

Blue Team

Audit Logs Wall of Shame
A list of vendors that don’t prioritize high-quality, widely-available audit logs for security and operations teams. Some nice 🌶️, let’s see if it influences company behavior.

I’m a huge fan of the “secure by default” approach and the Resourcely team. Disclosure: that’s why I invested in them.

AppSec

Learning Semgrep
A frank take by Yahoo’s Joe Rozner on getting up to speed using Semgrep for bug hunting.

chainguard-dev/justtrustme
By Chainguard: A demo/testing OIDC token issuer. It will accept any claims as query parameters and mint valid OIDC tokens with them.

trinitor/CVE-Vulnerability-Information-Downloader
By @Trinitor: Downloads Information from NIST (CVSS), first.org (EPSS), and CISA (Exploited Vulnerabilities) and combines them into one list. Reports from vulnerability scanners like OpenVAS can be enriched with this information to prioritize remediation.

The (de)Evolution of OWASP
Response letter by security OG and mentor to yours truly John Steven to this open letter to OWASP. I think public, polite discussions like these are healthy for a community.

How to Achieve Application & Cloud Security Resilience
By James Chiappetta and Dor Zusman: overview of the different kids of automated security scanning tools, where to perform comprehensive vs targeted scans, building a high quality detection set, the art of root cause analysis/deduplication/attribution, and useful metrics for quantifying AppSec program resiliency. Great overall post on how to think about things.

Webinar: How to Prevent Broken Access Control

I’m thrilled to announce I’m joining my friend and awesome keynote speaker / secure code trainer Jim Manico to give a webinar on OWASP Top 10 (2021) #1 - Broken Access Control.

We’ll walk through some access control best practices and how to continuously check for access control bugs and prevent them from entering in CI.

When: March 15, 10am PT

Where: Free, register here

Hope to see you there!

Web Security

SQL Injection tip from Tib3rius
Their “break and repair” method: append a ‘ or “ to a valid param value. If the response changes, replace the ‘ or “ with each of these in turn: ‘ ‘, ‘||’, ‘+’. If you get the original response back, you likely have SQLi.

New headless Chrome has been released and has a near-perfect browser fingerprint
DataDome’s Antoine Vastel explores the changes introduced by the recently released new headless Chrome and its impact on bot detection engines, particularly in those ones based on browser fingerprint signals. Antoine compares the old and new headless Chrome fingerprints, highlighting the differences that could be exploited by attackers.

Let’s build a Chrome extension that steals everything
Matt Frisbie explores the edges of what’s possible with Chrome extension and the extent of what a malicious Chrome extension can do without alerting the user, even with the recent Manifest v3 changes. Retrieve all cookies, all browser history, screenshot pages, track browsing activity in real time, observe all traffic from every tab, build a keylogger, and more.

Introducing Proxy Enriched Sequence Diagrams (PESD)
Doyensec’s Francesco Lacerenza releases PESD, a Burp Suite extension to visualize web traffic in a way that facilitates analysis and reporting in scenarios with complex functional flows. It supports syntax and metadata extension via templates (current templates: OAuth2 / OpenID Connect, SAML SSO), uses MermaidJS for the visualization, and the templates enable testers to identify uncommon implementations (which might indicate a bug).

Cloud Security

aws-samples/aws-cognito-okta-federation
An example of accessing Amazon API Gateway with Amazon Cognito User Pools and Okta OpenID Connect Federation.

Cloud drift detection: How to resolve out-of-state changes
Bridgecrew’s Guy Eisenkot on how a cloud environment can drift from what’s specified in infrastructure as code, responding to drift, and shares useful tools:

• driftctl - open source CLI that can warn on infrastructure drift in Terraform and AWS

• Kubediff - shows the differences between your running configuration and your version-controlled Kubernetes configuration

• AWS supports ad hoc CloudFormation drift detection from the Console, CLI, or from your own code.

How to monitor and query IAM resources at scale
AWS’ Michael Chan and Joshua Du Lac share best practices for efficiently testing and querying AWS IAM APIs, including understanding the IAM control and data plane, monitoring and responding to changes in IAM resources across entire accounts, and more.

Part 2 covers the API throttling behavior of IAM and the AWS Security Token Service and how you can effectively plan your usage of them.

Data exfiltration with native AWS S3 features
Ben Leembruggen explores various legitimate S3 features that can be used for data exfiltration (S3 data replication, object ACLs, and S3 Access Points), highlighting the limitations of native AWS logging and monitoring tools, and suggestions on how to detect such exfiltration attempts.

Lateral movement risks in the cloud - Part 3: from compromised cloud resource to Kubernetes cluster takeover
Wiz’s Lior Sonntag outlines several lateral movement techniques from cloud environments to managed Kubernetes clusters, including exploiting IAM cloud keys, kubeconfig files, and container registry images. 3 best practices to reduce your clusters’ attack surfaces: avoid storing long-term cloud keys in workloads, remove kubeconfig files from publicly exposed workloads, and restrict access to container registries.

Container Security

To DIY or Not to DIY; Key Kubernetes Security Considerations
KSOC discusses the security concerns solved by managed Kubernetes (e.g. control plane availability, data backups and recovery, patching and vuln management, cluster authentication) and some security surprises of managed Kubernetes (cloud providers have privileged access to your environment and might have vulnerabilities), so that you can decide what makes sense for your org.

Under-documented Kubernetes Security Tips
RENCI’s Mac Chaffee provides some tips for enhancing the security of a Kubernetes cluster, such as segregation of duties, treating it carefully like RCE as a Service, implementing an intrusion detection system, and having an incident management plan, among others, overall emphasizing the importance of understanding the depth of Kubernetes security.

Container security fundamentals: Exploring containers as processes
Datadog’s Rory McCune demonstrates that containers are processes, shows using Linux tools to observe and interact with containers (ps, read info like environment variables from /proc/PID or write to the container’s filesystem), and explores what this means for securing container environments.

Machine Learning

Chatbase
Build an AI chatbot trained on your data.

Artificial Intelligence Risk Management Framework
48 page PDF by NIST.

ChatGPT ‘Breakouts’
Prompts to bypass the ChatGPT restrictions OpenAI tries to put in place.See also jailbreakchat.com/ for more. H/T Ashley Jones for sharing!

How to Access ChatGPT via Voice Command (Using Siri)
Baller post by Daniel Miessler on creating a shortcut on your iPhone so you can send arbitrary requests to GPT-3 and get responses read to you. Also see the companion video.

How I Broke Into a Bank Account With an AI-Generated Voice
Joseph Cox was able to create an AI replica of his voice using ElevenLabs that successfully bypassed his bank’s voice authentication. I’ll take “Attacks Anyone Should Have Foreseen If They Were Half Paying Attention” for $800 Alex.

Misc

Plank + bowls balancing act
This is one of the most ridiculous feats of balance and coordination I have ever seen. Unbelievable. It starts great, and keeps getting better.

Go Kentik Today
I’m not sure if this observability product video is serious or joking, but I love it nonetheless.

Jack Altman on great leaders

Paul Graham: The best new ideas always have unanticipated benefits

The maze is in the mouse
Detailed reflections by Praveen Seshadri, whose company was acquired by Google, and has left after 3 years.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint