- tl;dr sec
- Posts
- [tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default *SameSite* cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Clint Gibler
October 30, 2019
Hey there,
I hope you've been doing well!
✈️ Traveling, Expect tl;dr sec Delays
I’ll be giving the closing keynote at DevSecCon Tel Aviv next week and then moderating a panel at DevSecCon London the week after, so it’ll likely be a few weeks before the next tl;dr sec newsletter.
If you’re going to be at either of these cons let me know, it’d be fun to meet up!
📜 In this newsletter...
Tools: HTA shell for breakout assessments, Firefox WebSocket inspector, Golang AppSec pipeline, polyglot Jupyter-esque notebook.
Web Security:
r/websecurityresearch, CSRF is dying, new vuln class: cache poisoned denial of service.Cloud security: 28 AWS IAM priv esc techniques, MITRE ATT&CK for Cloud, cloud security wiki.
Trail of Bits Fall Update: 2FA for PyPi, Docker container escapes, run KLEE on binaries, orchestrate multiple fuzzers.
Politics: Mass exodus of White House infosec team. What could go wrong? 😅
Privacy: Terms of Service; Didn't Read by EFF, awesome privacy exhibit in SF.
Misc: Global Appsec Amsterdam videos are live, Purism's secure boot process + traveling safely, Google/IBM's quantum supremacy tiff, Russian hackers hacking through Iran's espionage team's boxes.
Twitter Wisdom: DevSecOps is about enabling, awesome thread on risk and security programs.
Tools
Liam Glanfield of NCC Group released an HTA shell to assist in breakout assessments.
The Firefox DevTools Network panel now has a WebSocket inspector.
gasp-docker is a simple Golang implementation of an AppSec pipeline being built by Matt Tesauro. “It provides a way to do app testing automation by running 1 or more Docker-ified security tool against an application or its source code.”
Netflix: Open-sourcing Polynote: an IDE-inspired polyglot notebook - Last tl;dr sec we saw how the Dropbox security team leverages Jupyter notebooks in the automation they’ve built around threat detection and IR. Polynote, on the other hand, is aimed at data scientists and machine learning researchers, such as members of Netflix’s personalization and recommendation teams.
Polynote is a Jupyter notebook-esque tool in which each cell can be written in a different language with variables shared between them (whaaa?). Currently Scala, Python, and SQL are supported.
Provides IDE-like features such as interactive autocomplete and parameter hints, in-line error highlighting, and a rich text editor with LaTeX support.
Assessment Mindset by dsopas is a mindmap / checklist for methodologies (e.g. Web App Hacker’s Handbook, OWASP), checks, and tools to use during a pentest, bug bounty, or red team engagement.
Web Security
Portswigger launched r/websecurityresearch, a subreddit for high signal, top shelf web security research content.
There’s some good stuff there, like a detailed blog post on finding a Ruby 2.x universal deserialization gadget chain.
Developers: Get Ready for New SameSite=None; Secure Cookie Settings - Chrome will be changing its default handling of cookies in February 2020, which will mostly eliminate CSRF. Basically, cookies will not be sent in requests to third-party domains unless explicitly allowed by the site that set the cookie (specifically, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies). Firefox and Edge will be adopting the same behavior. This is a great example of how vulnerability classes can be eliminated with smart, secure defaults built into the platform 🤘
CPDoS: Cache Poisoned Denial of Service is a new class of web cache poisoning attacks in which a malicious client can block any web resource that is distributed via a CDN or hosted on proxy caches.
The page has an excellent high level overview of the various attack scenarios, illustrative diagrams, and demo videos.
This work is based on the paper Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack, to be presented at CCS 2019.
Cloud Security
Captured some AWS keys during a pen test or bug bounty? Spencer Gietzen of Rhino Security Labs published a description of 28 AWS IAM privilege escalation techniques you can try.
MITRE ATT&CK Cloud Matrix released, which includes specific tactics for platforms including AWS, Azure, GCP, Azure AD, and Office 365. Areas covered include: initial access, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact.
The Cloud Security Wiki has a list of blog posts and research for specific platforms as well as lists of useful tools (thanks Rory McCune).
Here are a few of the updates that I found especially interesting:
Added 2FA to Warehouse, the codebase that powers PyPI. Features a nice discussion of modern 2FA best practices and WebAuthn/TOTP. PyGotham talk
AlligatorConEU talk on “Fancy ‘privileged’ Docker container escapes”.
Henry Wildermuth built KRFAnalysis, a collection of crash triage tools for Binary Ninja.
(Background) KLEE is a neat symbolic execution tool from academia that intelligently produces high-coverage test cases by emulating LLVM bitcode in a custom runtime environment. It’s been shown to auto-generate high-coverage tests that have found bugs that have been latent for years.
Sai Vegasena ported KLEE to run on raw binaries with KLEE-Native.
Alan Cao added ensemble fuzzing to DeepState, their unit-testing framework powered by fuzzing and symbolic execution.
“Ensemble fuzzing allows testers to execute multiple fuzzers with varying heuristics in a single campaign, while maintaining an architecture for synchronizing generated input seeds across fuzzer queues.”
Politics
Ars Technica: White House kicks infosec team to curb in IT office shakeup - Senior staffer quits over ‘highly concerning’ lack of security practices.
“It is my express opinion that the remaining incumbent OCISO staff is being systematically targeted for removal from the Office of Administration,” departing White House network defense branch chief Dimitrios Vastakis wrote in the memo. The security team had seen incentive pay revoked, scope of duties cut, and access to systems and facilities reduced, Vastakis noted. Staffers’ “positions with strategic and tactical decision making authorities” had also been revoked. “In addition, habitually being hostile to incumbent OCISO staff has become a staple tactic for the new leadership… it has forced the majority of [senior civil servant] OCISO staff to resign.”
Privacy
Terms of Service; Didn’t Read is a project by the EFF and others that gives website terms and privacy policies letter grades based on how they handle your personal data. They also support a browser add-on to view the results automatically as you surf the web.
If you’re in the Bay Area, check out Exhibits at The Glass Room, a really neat art exhibit about how modern technology, your data, and privacy interact.
The Glass Room has five thematic areas bringing to life the hidden aspects of digital technologies: Deeply Personal which looks into the dark side of personal data; Invisible Labor which examines the human and environmental processes behind technologies; Trust in Us which features works on Big Tech; Big Mother which looks at the risks and rewards of technology; and Open the Box which examines the journeys that our personal data takes.
This GitHub project is an example of the types of work on display: Stealing Ur Feelings “is an augmented reality experience that reveals how your favorite apps can use facial emotion recognition technology to make decisions about your life, promote inequalities, and even destabilize American democracy. Using the AI techniques described in corporate patents, Stealing Ur Feelings learns your deepest secrets just by analyzing your face.”
Misc
The Global Appsec Amsterdam 2019 videos have been posted. Periodically vendor pitches slip in, can you catch which one made it this time? 😉
PureBoot Best Practices - Purism’s CSO, Kyle Rankin, discusses their secure boot process as well as best practices when traveling to minimize the dangers of tampering.
Quantum supremacy: the gloves are off - interesting analysis of the back-and-forth between Google and IBM regarding quantum computing capabilities.
Another example of why attribution is hard: the NSA and GCHQ issued a joint advisory saying Russian hackers had compromised an Iranian cyber-espionage group’s infrastructure, and were launching other hacking efforts from there.
TIL you can run Python web apps via standalone zip files, like a .jar or .warin Java.
Twitter Wisdom
Would love for the SecDevOps aspect of the company to not be doing the SecDevOps and rather focus on enabling the rest of engineering to do it easily.
Another great thread from Phil Venables, which I’ve edited/paraphrased a bit for brevity:
“It seems most risk and security programs focus exclusively on assessing risk, then implementing controls or taking other actions to reduce that risk.
Once the risk is at an acceptable level the focus is to keep it like that - but essentially do nothing more.
Achieving the right risk level is merely the very beginning of a more worthwhile journey that improves the way that risks are mitigated: keeping risk flat but improving the efficiency of the controls that mitigate the risk in dimensions like:
Customer experience. Improve the usability of controls - including reducing friction for the customer to sign-up for services or new features (e.g. authentication, authorization and fraud prevention).
Cost. Reduce the cost to sustain or upgrade controls and to direct those savings to other improvements - or to other risks where there is still a need to more actively implement new controls to reduce risk.
Efficiency. Optimize the arrangement of controls or reduce the number of controls implemented for each specific risk, being careful not to impact defense in depth.
Ease of continuous monitoring. Replace controls that are not amenable to continuous performance monitoring, or that don’t emit the right metrics.
Automation. Replace any manual activities progressively with automation to reduce the administrative or other maintenance load.
Adjacent benefits. Develop adjacent benefits for existing controls such as having security logging capture and synthesize more data to assist with performance monitoring, or enhance distributed recovery to not only improve resilience but to increase change windows.
Reduced negative externalities. Enhance controls to reduce impact on other risks, such as improving any trade-offs made between security, resilience and/or performance.
Bottom line: A true mark of a commercially-oriented security program is to be perpetually optimizing control performance even after risk has been reduced to the right levels.”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint