• tl;dr sec
  • Posts
  • [tl;dr sec] #181 - Awesome CloudSec Labs, Red Team Infra in 2023, Privilege Escalation in EKS

[tl;dr sec] #181 - Awesome CloudSec Labs, Red Team Infra in 2023, Privilege Escalation in EKS

Free cloud-native security learning labs, the essential components for modern robust red teaming infra, how to privesc from a compromised EKS pod and defeat Kubernetes NodeRestriction.

Author

Clint Gibler
May 11, 2023

Hey there,

I hope you’ve been doing well!

Life Advice from VCs

This week I found myself at a dinner with a few VCs, founders, and other tech folks.

The conversation ranged from strangest start-up pitch (one founder who, wanting to remain anonymous, entered and remained in a mask throughout their pitch) to the origin of IPA beers.

At one point the conversation turned to relationship and life advice. Most of these will likely ring true, but I bet The Last One Will Shock You™.

  • ✅ Be with someone who makes the boring day-to-day stuff fun (e.g. grocery shopping or laundry).

  • ❌ If you meet your partner’s friends and you don’t like any of them. Who your partner chooses to spend time with is indicative of who they are, and you’re going to have to spend time with their friends.

  • ✅ If your partner has a close relationship with their parents and received a lot of love growing up.

  • In life, Happiness = Expectations / Reality

Finally, this incredibly friendly Brazilian woman shared some advice that I hope you never have to use:

If someone asks you where you want to get kidnapped, Brazil or the U.S., definitely choose Brazil.

Why? Kidnapping in Brazil is purely economic, you’re going to exchange some money then get out fine.

In the U.S., it’s going to be about emotion, and the person may have some sort of mental illness, and you may end up… *chopping motions with hands*.

There you have it- never let it be said that tl;dr sec doesn’t also give you practical street smarts 😂

Sponsor

 📢 5 best practices for securing Kubernetes runtime workloads

A comprehensive Kubernetes security strategy requires a defense-in-depth approach that is able to detect attacks in-progress, unusual behavior, and attempts to exploit misconfigurations or vulnerabilities in running clusters.

While hardening Kubernetes workload configuration or Kubernetes Role-Based Access Controls (RBAC) is a necessary best practice, it’s just the tip of the iceberg when securing Kubernetes clusters.

Learn best practices for securing Kubernetes runtime workloads in this article by Lacework®, the leader in cloud security that keeps you secure from code to cloud.

📜 In this newsletter...

  • AppSec: Catching XXE bugs in Java with Semgrep taint labels, Mitigating Risky PRs with Monocle Risk Advisor

  • Web Security: AngularJS gadget to bypass CSP in Piwik PRO, the dangers of not specifying the right Content-Type

  • Cloud Security: AWS Nitro System API & Security Claims, An Adventure in Google Cloud threat detection, The Service Mesh Landscape, Awesome CloudSec Labs, My Love/Hate Relationship with Cloud Custodian

  • Container Security: K8s operator for creating temporary resources, PrivEsc in EKS

  • Blue Team: You can now use passkeys on your personal Google Account, Living Off The Land Drivers, Tailscale now supports network flow logs and log streaming

  • Red Team: Building a Red Team Infrastructure in 2023, Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting

  • Politics / Privacy: Chinese hackers outnumber FBI cyber agents by 'at least 50 to 1'

  • Machine Learning: How to build a tool-using agent with LangChain, Hackers are increasingly using ChatGPT lures to spread malware on Facebook, FTC Chair says she’s on alert for AI violating antitrust or consumer protection laws, Google "We Have No Moat, And Neither Does OpenAI", The Spherical Cow of ML Security

  • Misc: The best picket signs of the Hollywood writers' strike, the best five books on any topic, eBPF for beginners

AppSec

Catching XXE bugs in Java with Semgrep taint labels
Great detailed video by Pieter De Cremer. See also Pieter’s videos:

Mitigating Risky Pull Requests with Monocle Risk
Advisor David Trejo discusses how Chime has introduced guardrails and security control checks in their GitHub PR workflow in a tool called Monocle Risk Advisor. Risk Advisor makes it easy for their auditors to track deviations from controls, and these are tracked as tickets in Jira. OPA is used to implement checks.

Sponsor

 📢 Tailscale, a frustratingly simple VPN 

Tailscale is the simple and secure way to build and manage your team’s network.

We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.

Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.

Web Security

Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
PortSwigger’s Gareth Heyes discusses an AngularJS gadget that could be exploited as a CSP bypass in Piwik PRO, which could be turned into XSS if chained with an HTML injection.

Odoo: Get your Content Type right, or else!
Dennis Brinkrolf and Thomas Chauchefoin from Sonar Source discuss the security implications of the Content-Type header returned by web applications and discuss an XSS discovered in Odoo that resulted from a misconfigured Content-Type header set on an API endpoint.

Cloud Security

AWS Nitro System API & Security Claims
NCC’s John Redford has released a public report on an architecture review conducted on the AWS Nitro System design.

An Adventure in Google Cloud threat detection
DataDog’s Martin McCloskey and Day Johnson share common threats and exploits in Google Cloud, including techniques known to be used by threat actors (e.g. the creation or use of service account keys outside of Google Cloud) as well as likely techniques, such as data extraction via Google Cloud SQL or the creation of a privileged service account.

The Service Mesh Landscape
A comparison of various service meshes, including Linkerd, Istio, Consul, NGINX service mesh, and Network Service Mesh.

iknowjason/Awesome-CloudSec-Labs
Free cloud native security learning labs, including CTF, self-hosted workshops, guided vulnerability labs, and research labs, by SANS’s Jason Ostrom.

My Love/Hate Relationship with Cloud Custodian
Chandrapal Badshah writes about his experience using Cloud Custodian, a rules engine for cloud security, cost optimization, and governance. Chandrapal highlights its ability to detect misconfigurations in near-real-time or at periodic intervals and auto-mitigate those issues thanks to the customizable detection rules engine, while remaining cost-effective.

Areas for improvement: lack of documentation and its difficult to create custom notification messages.

Container Security

NCCloud/mayfly
A Kubernetes operator that enables you to create temporary resources on the cluster that will expire after a certain period of time, by NCC Group.

Privilege escalation in AWS Elastic Kubernetes Service (EKS)
Calif’s An Trinh on achieving privilege escalation from a compromised pod in EKS and how to defeat Kubernetes NodeRestriction, a security mechanism enabled by default on all EKS versions.

Sponsored Tool

 📢 Salesforce Community site data leaks persist. Is your Salesforce instance secure?

Krebs on Security reported that significant Salesforce data leaks have exposed numerous customers’ sensitive data hosted in Salesforce Community websites. Since Krebs shared his findings, AppOmni Labs has noted a 300+% spike in threat activity on Salesforce Community sites and other major SaaS apps.

To help keep Salesforce data secure, AppOmni has launched a free Salesforce Community Cloud Scanner. AppOmni will evaluate your Salesforce instances for misconfigurations and data exposure risks, reveal if the recently disclosed issues are present, and provide clear steps for remediation.

Blue Team

So long passwords, thanks for all the phish
Google’s Arnar Birgisson and Diana K. Smetters announce that you can now use passkeys on your personal Google Account, a more secure and convenient alternative to passwords and two-step verification. You can sign in by unlocking your computer or mobile device with your fingerprint, face recognition or a local PIN.

Living Off The Land Drivers
Michael Haag announces the LOLDrivers project, which aims to consolidate vulnerable and malicious Windows drivers that can be used by adversaries to bypass security controls into a single location.

Announcing network flow logs and log streaming
Tailscale’s Pouyan Aminian and Jairo Camacho announce the release of network flow logs, a new Tailscale feature that records metadata about your network traffic to assist you in monitoring network activity in your tailnet, identifying threats, investigating security incidents, troubleshooting network issues, and maintaining compliance with your network security policies.

Red Team

Building a Red Team Infrastructure in 2023
Secure Systems Engineering GMBH’s André Tschapeller explores the essential components needed for robust red teaming infrastructure. André provides an overview of the system as a whole then dives into each separate element, including the C2 infrastructure, HTTPS and DNS redirectors, and using GoPhish in conjunction with a postfix redirector for the phishing server.

Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting
RedTeam Pentesting unveils their new tool: Resocks, a reverse/back-connect SOCK5 proxy tunnel that enables users to route traffic through an otherwise inaccessible system while ensuring the traffic is encrypted. Resocks uses mTLS and generates certificates based on a connection key to guarantee secure communication.

Politics / Privacy

China has stolen more personal and corporate data from the U.S. than all other nations combined.

“A key part of the Chinese government’s multi-pronged strategy to lie, to cheat and to steal their way to surpassing us as the global superpower in cyber.”

 

Machine Learning

How to build a tool-using agent with LangChain
Jupyter notebook walkthrough by OpenAI on using LangChain to augment an OpenAI model with access to external tools using an agent approach: allow it to do chain of reasoning, search the Internet for answers, retain a memory of the conversation and use it as context for subsequent steps, or reference a custom knowledge base using a vectorstore like Pinecone.

Hackers are increasingly using ChatGPT lures to spread malware on Facebook
Meta has seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools, then they’d promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.

The Federal Trade Commission is on alert for the ways that rapidly advancing artificial intelligence could be used to violate antitrust and consumer protection laws it’s charged with enforcing, Chair Lina Khan wrote in a New York Times op-ed on Wednesday.

 

Google “We Have No Moat, And Neither Does OpenAI”
Fascinating leaked internal Google document claims open source AI will outcompete Google and OpenAI. Very much worth reading. The timeline at the bottom is quite neat to see the pace of innovation.

Open-source models are faster, more customizable, more private, and pound-for-pound more capable. They are doing things with $100 and 13B params that we struggle with at $10M and 540B. And they are doing so in weeks, not months.

The barrier to entry for training and experimentation has dropped from the total output of a major research organization to one person, an evening, and a beefy laptop.

 

The Spherical Cow of ML Security
Sven Cattell shares his perspective on managing risks in a Machine Learning model, including:

  1. Measuring and externally auditing the model’s efficacy guarantees.

  2. Real-world challenges include difficulties in accurately measuring the efficacy of the ML, addressing sampling bias, and guarding against privacy issues or model theft.

  3. Theoretical challenges, such as adversarial examples.

Misc

Five Books
The best five books on a variety of topics, selected by experts in those areas, ranging from food to AI, science fiction, thrillers, history, and more.

lizrice/ebpf-beginners
Slides, videos, and code examples for learning eBPF, by Liz Rice.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint