[tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner
Designing least privilege AWS IAM policies for people, fuzzing 5G and CPUs by proxy, the first security scanner for Istio.
I hope you’ve been doing well!
MacGyver Ain’t Got Nothin On Me
I had a totally different intro written and ready to go, when one of my worst fears happened…
When you do a weekly newsletter, and once you start accepting sponsors, there are certain things you start worrying about.
One thing I’ve been a bit paranoid about is that some random personal or world happening, or random chain of events occurs, that leads to me not being able to send out tl;dr sec on time.
Like if I were to get COVID-19, or a zombie apocalypse were to break out.
Yesterday, around 9:30pm, I was carrying my plate to the microwave to heat up some leftovers when I was plunged into blackness. My power had gone out. Likely due to the rain today (good job, California infrastructure).
Since I send out tl;dr sec Thursday mornings, pretty much every Wednesday I’m frantically finishing it until 10pm or 11pm.
So right now the newsletter isn’t done, and I have no power.
As I’m writing this, I’m sitting in the dark, lit only by my laptop screen and a flashing emergency light outside.
OK, how can I finish this?
My laptop doesn’t have WiFi, because the router needs power and I have no power.
I have a phone with cellular data, but my phone is old and the battery only lasts a few minutes when it’s not plugged in. I’m about to buy a new one but I haven’t yet.
So, I’ve plugged my phone into the laptop to charge it, and I’m using my phone to create a WiFi hotspot… that my laptop is using, like some Rube Goldberg-ian newsletter finisher of desperation.
If you receive this newsletter and see the Twitter thread at the right time, it’s because this monstrosity worked.
If you don’t, it’s because I’m dead. Or I still don’t have power.
📢 So what happens when you build a team of only senior hackers?
IncludeSec is the go-to when you want more than a check-the-box penetration test. An all senior team that is going to find the vulns others can’t. Accepting a limited number of new clients for 2022.
With a curated client list IncludeSec explicitly does not work with big finance and Fortune 500 companies, focusing exclusively on tech companies working on cutting edge tech from 1 person to a half million head count.
Silicon Valley’s biggest and brightest go to IncludeSec for mobile/web apps/cryptography/IoT/embedded/hardware when they want the highest level of security assurance for internal & external software. What vulns did your last assessment miss?
📜 In this newsletter...
Conference recordings: Videos from fwd:cloudsec and Objective by the Sea
Web Security: Cloud metadata for SSRF testing, speeding up Burp's Turbo Intruder, visualizing the OWASP Top 10 over time
Cloud Security: Designing least privilege AWS IAM policies for people, Cloudflare cloud offering maneuverings, hacking AWS end-to-end
Container Security: Remotely access Kubernetes via a terminal in your browser, k8s YAML generator, a security scanner for Istio
Cryptography: Free graduate course book from Dan Boneh and Victor Shoup, Real-World Cryptography by David Wong
Blue Team: Easily share passwords with 1Password via link
Fuzzing: Intro to fuzzing, the challenges of fuzzing 5G protocols, fuzzing CPUs by proxy
Network Security: A high-performance load testing tool
Politics / Privacy: VPN + Tor is not necessarily better, could trust-busting help with Google and Facebook, Facebook restricts who can access integrity message boards, U.S. government tightens export controls on surveillance technology
Image Processing: Automatically remove backgrounds from images, image redaction in your browser
Misc: The state of web scraping in 2021, 57 infosec acronyms explained, find music by singing or humming it, opiates and social media are symptoms
Some great conference talk recordings have dropped!
How to speed up Burp Suite’s Turbo Intruder
Useful for finding race conditions, brute forcing passwords, or other attacks in which you need to send many requests in a short amount of time.
Designing Least Privilege AWS IAM Policies for People
LaunchDarkly’s Alex Smolen discusses how to deploy reduced privilege IAM roles without breaking user workflows. Includes a nice overview of prior work on automatic IAM policy generation from logs.
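An added example (not from the post or LaunchDarkly's own tooling) of the log-driven approach the overview mentions: derive a policy from the actions a principal was actually observed using, translate CloudTrail event names to IAM actions where the two differ, scope S3 statements to the buckets seen, and check a draft against new activity before rolling it out. The account ID, principals and events are constructed, and the event-name mapping table is a partial assumption.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not real log data): principal, service
# (eventSource), API call (eventName) and, for S3, the bucket touched.
SAMPLE_EVENTS = [
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "requestParameters": {"bucketName": "reports"}},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "requestParameters": {"bucketName": "reports"}},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity"},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances"},
]

# CloudTrail event names are not always IAM action names; partial table (assumed, S3 listing only).
EVENT_TO_ACTION = {"s3:ListObjects": "s3:ListBucket", "s3:ListObjectsV2": "s3:ListBucket"}

def observed_actions(events, principal_arn):
    """Return {IAM action: set of resource ARNs} for what the principal actually did."""
    actions = defaultdict(set)
    for ev in events:
        if ev.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        service = ev["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        raw = f"{service}:{ev['eventName']}"
        action = EVENT_TO_ACTION.get(raw, raw)
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket and action == "s3:ListBucket":
            resource = f"arn:aws:s3:::{bucket}"      # bucket-level call
        elif bucket:
            resource = f"arn:aws:s3:::{bucket}/*"    # object-level call
        else:
            resource = "*"                           # no resource-level scoping available
        actions[action].add(resource)
    return actions

def build_policy(events, principal_arn):
    """Emit a policy allowing only the observed actions, one statement per resource set."""
    by_resources = defaultdict(set)
    for action, resources in observed_actions(events, principal_arn).items():
        by_resources[tuple(sorted(resources))].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": list(res)}
                  for res, acts in sorted(by_resources.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def policy_allows(policy, action, resource):  # exact match, no wildcard expansion
    return any(st["Effect"] == "Allow" and action in st["Action"]
               and (resource in st["Resource"] or "*" in st["Resource"])
               for st in policy["Statement"])
```

Re-running `policy_allows` over the next window of log activity is the cheap check that a draft will not break a user's existing workflow before it replaces their broader role.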
Remotely Access your Kubernetes Lab with Cloudflare Tunnel
In April Cloudflare announced Auditable Terminal, which gives you a fully featured SSH client in your browser: you authenticate using Cloudflare Access, and can log into a computer - and get a terminal - just using a browser. In this post, Marco Lancini describes how to access your Kubernetes cluster using this approach.
Kubernetes YAML Generator
Create and customize a Kubernetes YAML config via a web UI that has useful explanatory text around various options.
Introducing Snowcat: World’s First Dedicated Security Scanner for Istio
Praetorian’s Anthony Weems, Dallas Kaman, and Michael Weber discuss Snowcat, which can obtain information about an Istio deployment and report on misconfigurations or deviations from best practices. Snowcat can be run against static config info or from inside an Istio workload container.
Best practices for using cryptography
Diagrams and explanations of cryptographic algorithms
Identifying and fixing bad practices
Choosing the right cryptographic tool for any problem
1Password’s new feature lets you safely share passwords using just a link
Psst! lets you share creds with anyone, even if they don’t have a 1Password account, by generating an expiring link that’ll give them temporary access.
An Intro to Fuzzing (AKA Fuzz Testing)
Nice intro and overview by Bishop Fox’s Matt Keeley covering types of fuzzers, how fuzzing works, popular tools and their pros/cons, writing a good test harness, etc.
See also Google’s thoughts on what makes a good fuzz target.
The Challenges of Fuzzing 5G Protocols
NCC Group’s Mark Tedman and Philip Shaw discuss fuzzing 5G protocols (NGAP, GTPU, PFCP, & DIAMETER) using both proprietary and open source fuzzers (Fuzzowski, Frizzer, AFLNet). Nice overview of the trade-offs of different approaches and tooling.
Politics / Privacy
Trust-Busting as the Unsexy Answer to Google and Facebook
With some interesting context about the history of monopolies and antitrust outside of tech.
Facebook Restricts Staff Message Boards to Stop Leaks; Memo Gets Leaked
Facebook plans to limit access to groups related to platform safety and protecting elections to only people working in integrity-related groups. Checks former Facebook motto:
Commerce Tightens Export Controls on Items Used in Surveillance of Private Citizens and other Malicious Cyber Activities
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”
Automatically remove backgrounds from any image for free.
Find music by singing or humming a few bars of it, powered by SoundHound.
Opiates and Social Media Are Symptoms, Not Causes
This post by Daniel Miessler resonated with me, in which he argues that addiction, social media, and other recent societal malaise are at least as much, if not more, a result of a lack of meaning in people’s lives.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!