• tl;dr sec
  • Posts
  • [tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner

[tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner

Designing least privilege AWS IAM policies for people, fuzzing 5G and CPUs by proxy, the first security scanner for Istio.

Hey there,

I hope you’ve been doing well!

MacGyver Ain’t Got Nothin On Me

I had a totally different intro written and ready to go, when one of my worst fears happened…

When you do a weekly newsletter, and once you start accepting sponsors, there are certain things you start worrying about.

One thing I’ve been a bit paranoid about is that some random personal or world happening, or random chain of events occurs, that leads to me not being able to send out tl;dr sec on time.

Like if I were to get COVID-19, or a zombie apocalypse were to break out.

Yesterday, around 9:30pm, I was carrying my plate to the microwave to heat up some leftovers when I was plunged into blackness. My power had gone out. Likely due to the rain today (good job, California infrastructure).

Since I send out tl;dr sec Thursday mornings, pretty much every Wednesday I’m frantically finishing it until 10pm or 11pm.

So right now the newsletter isn’t done, and I have no power.

As I’m writing this, I’m sitting in the dark, lit only by my laptop screen and a flashing emergency light outside.

OK, how can I finish this?

  • My laptop doesn’t have WiFi, because the router needs power and I have no power.

  • I have a phone with cellular data, but my phone is old and the battery only lasts a few minutes when it’s not plugged in. I’m about to buy a new one but I haven’t yet.

So, I’ve plugged my phone into the laptop to charge it, and I’m using my phone to create a WiFi hotspot… that my laptop is using, like some Rube Goldberg-ian newsletter finisher of desperation.

If you receive this newsletter and see the Twitter thread at the right time, it’s because this monstrosity worked.

If you don’t, it’s because I’m dead. Or I still don’t have power.


📢 So what happens when you build a team of only senior hackers?

IncludeSec is the go-to when you want more than a check-the-box penetration test. An all senior team that is going to find the vulns others can’t. Accepting a limited number of new clients for 2022.

With a curated client list IncludeSec explicitly does not work with big finance and Fortune 500 companies, focusing exclusively on tech companies working on cutting edge tech from 1 person to a half million head count.

Silicon Valley’s biggest and brightest go to IncludeSec for mobile/web apps/cryptography/IoT/embedded/hardware when they want the highest level of security assurance for internal & external software. What vulns did your last assessment miss?

📜 In this newsletter...

  • Conference recordings: Videos from fwd:cloudsec and Objective by the Sea

  • Web Security: Cloud metadata for SSRF testing, speeding up Burp's Turbo Intruder, visualizing the OWASP Top 10 over time

  • Cloud Security: Designing least privilege AWS IAM policies for people, Cloudflare cloud offering maneuverings, hacking AWS end-to-end

  • Container Security: Remotely access Kubernetes via a terminal in your browser, k8s YAML generator, a security scanner for Istio

  • Cryptography: Free graduate course book from Dan Boneh and Victor Shoup, Real-World Cryptography by David Wong

  • Blue Team: Easily share passwords with 1Password via link

  • Fuzzing: Intro to fuzzing, the challenges of fuzzing 5G protocols, fuzzing CPUs by proxy

  • Network Security: A high-performance load testing tool

  • Politics / Privacy: VPN + Tor is not necessarily better, could trust-busting help with Google and Facebook, Facebook restricts who can access integrity message boards, U.S. government tightens export controls on surveillance technology

  • Image Processing: Automatically remove backgrounds from images, image redaction in your browser

  • Misc: The state of web scraping in 2021, 57 infosec acronyms explained, find music by singing or humming it, opiates and social media are symptoms

Conference recordings

Some great conference talk recordings have dropped!

fwd:cloudsec 2021
The premier cloud security conference, by Scott Piper et al.

Objective by the Sea, v4.0
The world’s only macOS security conference, by Patrick Wardle et al.

Web Security

How to speed up Burp Suite’s Turbo Intruder
Useful for finding race conditions, brute forcing passwords, or other attacks in which you need to send many requests in a short amount of time.

A Visualization of the OWASP Top 10 Over Time
A pretty neat time lapse of things that have entered, left, and changed rankings in the OWASP Top 10 over the years, by GitLab’s Wayne Haber.

Cloud Security

Designing Least Privilege AWS IAM Policies for People
LaunchDarkly’s Alex Smolen discusses how to deploy reduced privilege IAM roles without breaking user workflows. Includes a nice overview of prior work on automatic IAM policy generation from logs.

Eating the Cloud from Outside In
By Shawn Wang: “AWS is playing Chess. Cloudflare is playing Go.”

In 2016, @dagrz gave one of the greatest cloud security talks ever, filled with new techniques that have been rediscovered repeatedly in the years since. I’ve remastered it from video obtained from an audience member and the slide deck.

Container Security

Remotely Access your Kubernetes Lab with Cloudflare Tunnel
In April Cloudflare announced Auditable Terminal, which gives you a fully features SSH client in your browser: you authenticate using Cloudflare Access, and can log into a computer - and get a terminal - just using a browser. In this post, Marco Lancini describes how to access your Kubernetes cluster using this approach.

Cloudflare Tunnel

Kubernetes YAML Generator
Create and customize a Kubernetes YAML config via a web UI that has useful explanatory text around various options.

Introducing Snowcat: World’s First Dedicated Security Scanner for Istio
Praetorian’s Anthony Weems, Dallas Kaman, and Michael Weber discuss Snowcat, which can obtain information about an Istio deployment and report on misconfigurations or deviations from best practices. Snowcat can be ran against static config info or from inside an Istio workload container.


A Graduate Course in Applied Cryptography
Free book by Stanford professor Dan Boneh and NYU professor Victor Shoup covering secret and public key cryptography, protocols, and more.

Real-World Cryptography
A practical guide to cryptography by my friend David Wong, including:

  • Best practices for using cryptography

  • Diagrams and explanations of cryptographic algorithms

  • Identifying and fixing bad practices

  • Choosing the right cryptographic tool for any problem

Blue Team

1Password’s new feature lets you safely share passwords using just a link
Psst! lets you share creds with anyone, even if they don’t have a 1Password account, by generating an expiring link that’ll give them temporary access.


An Intro to Fuzzing (AKA Fuzz Testing)
Nice intro and overview by Bishop Fox’s Matt Keeley covering types of fuzzers, how fuzzing works, popular tools and their pros/cons, writing a good test harness, etc.

See also Google’s thoughts on what makes a good fuzz target.

The Challenges of Fuzzing 5G Protocols
NCC Group’s Mark Tedman and Philip Shaw discuss fuzzing 5G protocols (NGAP, GTPU, PFCP, & DIAMETER) using both proprietary and open source fuzzers (Fuzzowski, Frizzer, AFLNet). Nice overview of the trade-offs of different approaches and tooling.

SiliFuzz: Fuzzing CPUs by proxy
By Google’s Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan, and Peter Hochschild.

We present SiliFuzz, a work-in-progress system that finds CPU defects by fuzzing software proxies, like CPU simulators or disassemblers, and then executing the accumulated test inputs (known as the corpus) on actual CPUs on a large scale.

About 45% of SiliFuzz findings are unique and have not been previously identified by any other tool or automation available to us.

Network Security

A high-performance load testing tool written in Golang, by Dddosify.

Politics / Privacy

VPN + Tor: Not Necessarily a Net Gain
Matt Traudt nicely walks through, depending on your threat model, the relative privacy value of using a VPN, Tor, or both. Hint: more is not better.

Trust-Busting as the Unsexy Answer to Google and Facebook
With some interesting context about the history of monopolies and antitrust outside of tech.

Facebook Restricts Staff Message Boards to Stop Leaks; Memo Gets Leaked
Facebook plans to limit access to groups related to platform safety and protecting elections to only people working in integrity-related groups. Checks former Facebook motto:

“To give people the power to share and make the world more open and connected, unless it increases accountability.”

Commerce Tightens Export Controls on Items Used in Surveillance of Private Citizens and other Malicious Cyber Activities
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”

Image Processing

Automatically remove backgrounds from any image for free.

Free and private image redaction in your browser, by Rik Schennink.


The State Of Web Scraping in 2021
Great overview of language agnostic and language-specific tools, as well as commercial offerings, by Mihai Avram.

58 infosec acronyms for 2021 explained
Useful short definitions if you’re new to the field across networking, security, and compliance, by Krit’s Andrew Askins. H/T Mike Privette.

Find music by singing or humming a few bars of it, powered by SoundHound.

Opiates and Social Media Are Symptoms, Not Causes
This post by Daniel Miessler resonated with me, in which he argues that addiction, social media, and other recent societal malaise is at least as much, if not more, a result of lack of meaning in people’s lives.

Basically, my model is that a lack of meaning, direction, and strong social ties causes depression, and that depression then opens the door to addictions such as drugs and social media.

The opposite of addiction isn’t sobriety – it’s connection. -Johann Hari

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!