[tl;dr sec] #125 - Hacking a Billionaire, Automating Incident Response in AWS, Exploiting/Hardening GitHub Actions
Rachel and Evan Tobac vs. Jeffrey Katzenberg, a framework for automatically isolating an EC2 instance and gathering what you need, attacking and hardening GitHub Actions and repos.
I hope you’ve been doing well!
A Taxing Season
Alright, I’m going to rant for a second, apologies.
Every tax season I get quite frustrated. I don’t mind paying taxes, the government does a lot of important things, like public education and ensuring most food doesn’t poison you.
What frustrates me is how complicated it is.
It’s like a freshman undergrad who has only done Matlab before was tasked to write a system in Perl, and then now everyone has to use it.
Clean encapsulation? LOL, this API returns UTF-7 unstructured text in a single blob, and every rand(100) calls returns a slap in the face.
Tech, for all of its (many) flaws, does so much better at abstractions. You can search all of the world’s information in a fraction of a second, from a device that fits in your pocket, using only your voice.
Proposal: all lawmakers and companies benefitting from tax code complexity from here on out can’t use DNS, they have to use direct IPs. And type out each HTTP request by hand. And manually chunk those HTTP requests into sizes that fit into TCP packets, correctly numbering each packet.
Then maybe they’d feel what it’s like when you push accidental complexity onto users 😤
🔥 Semgrep Community Meetup Next Wednesday
Want to hear about the latest and greatest in Semgrep?
Then come check out our community meetup next week.
I’ll be speaking about some current trends in security.
Community members will share cool things they’ve been doing with Semgrep.
We’ll share some new features - capturing developer feedback and advanced analysis features like taint mode.
A preview of Semgrep’s upcoming roadmap.
Check out the Eventbrite here.
Hope to see you there!
📢 Detect, investigate, and respond to threats across your applications, networks, and infrastructure
Datadog Security Monitoring is part of the Datadog Cloud Security Platform enabling DevOps and Security teams to collaborate together in a single pane of glass to protect an organization's production environment from outside security threats.
In Datadog's Security Monitoring product brief, learn the best practices for securing your environment from attacks. You will learn how to solve cloud complexity challenges with threat detection tools, detect and analyze security threats and deploy turnkey detection rules mapped to the MITRE ATT&CK framework.
📜 In this newsletter...
Conferences: RVAsec CFP is open
Supply Chain: 4 supply chain risks in Terraform and how to prevent them
AppSec: Reading RFCs for bug bounty hunters
GitHub: Finding and exploiting vulnerable GitHub Actions, auditing GitHub (Actions) security using OpenSSF Scorecards
Mobile Security: Hardening Signal, applying zero trust to enterprise mobile security
Web Security: Cross-platform web fuzzer, infosec mind maps
Cloud Security: Automating IR in AWS, centrally managed identity for AWS
Container Security: Updated Kubernetes hardening guide from NSA and CISA
Blue Team: Autogenerate pseudo-malicious files from YARA, IR-related macOS tools, manage servers via a non-interactive local host agent
Network Security: Tool that uses eBPF to monitor egress traffic
Misc: Hacking a billionnaire, Avenue Q puppet wrangling, mobile app to identify birds, guess a country based on their exports, Netflix's most popular shows, why we listen to music with lyrics we don't understand, advertisers want to infiltrate your dreams
Leaking secrets using Terraform HTTP data blocks
Arbitrary code execution using a Terraform external data source
Not using immutable modules
Using old versions of misconfigured modules
Check out the “Security Considerations” section.
Review outdated RFCs (“Obsoleted by:” link).
Use Rfcdiff to diff outdated RFCs.
Review “Errata” for potential implementation mistakes.
How we found vulnerabilities in GitHub Actions CI/CD pipelines
Cycode’s Alex Ilgayev describes vulnerable patterns in GitHub Actions that can lead to an attacker being able to steal secrets, inject code, etc., as well as mitigations. The post has some great details on exploiting these weaknesses in practice.
For more on how/why these vulnerabilities occur and how to find them, see Grayson Hardaway’s blog post here, which also includes a demo repo to practice on and open source Semgrep rules to find these issues in your GitHub Actions.
Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards
Jamie Tanna walks through setting up the OpenSSF’s Scorecard GitHub Action and the common GitHub repo settings and GitHub Action security issues you may see it raise.
Short guide on settings and practices to harden your use of Signal, which is in my opinion the best privacy-focused messaging app.
Applying Zero Trust Principles to Enterprise Mobility
~20 page PDF by CISA on mobile security tools and technologies in relation to Zero Trust principles.
A framework that aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper.
Tag an EC2 instance with a SecurityIncidentStatus value of Analyze, and a Lambda will trigger that automatically starts isolation and memory/disk acquisition, and ends with giving the instance a no INBOUND/OUTBOUND security group and with an IAM role that disallows all access.
Centrally Managed Identity for AWS
Carta’s Uttej Badwane describes how they migrated from a handful of legacy AWS accounts to moving them under a newly created master AWS account which was configured to use AWS SSO <=> Okta for identity, with SCIM configured. “The main objective was to handle the traditional IAM identity for multiple accounts with time based access for console & CLI.”
If you haven’t heard of SCIM, it’s basically a way to keep users in sync between your identity provider and many other systems (vs manually onboarding/offboarding/updating). Pretty cool.
TrueTree: an incident response tool for building a pstree like output on macOS.
ESFPlayground: a tool that lets you print out the events of the Apple Endpoint Security Framework as they happen in real time.
SansShell: A Non-Interactive Local Host Agent
Snowflake’s Aaron Joyner, Jon Allie, and James Chacon announce the release of SansShell, a way to define complex server management actions in code and selectively expose those actions to remote clients. Each action is subject to an authorization policy that can limit access based on the caller, the type of action, and the content of the request
📢 Why Single Sign On Sucks
Discover why SSO is such a pain and how different authentication architectures make it hard to achieve a true single sign-on nirvana. At Teleport we think the secret lies with certificate authorities and client certificates -- a path towards a seamless SSO experience.
It Was Easy to Hack a Billionaire
SocialProof Security’s Rachel Tobac successfully socially engineers and phishes Jeffrey Katzenberg, co-founder and former CEO of Dreamworks Animation. For the technical details on the hack, see Evan Tobac’s thread. Jeffrey was… not pleased 🤣
Meet Avenue Q’s Puppet Wrangler
Some interesting behind the scenes. Man, what a good musical.
Merlin Bird ID
Mobile app to help you identify thousands of birds based on appearance or their song.
Guess a country based on their exports.
TV shows account for ~75% of viewing.
TV shows tend to stay in the top 10 a lot longer than movies.
The average Netflix hit disappears after two weeks or less.
Less than one-quarter of all shows stay in the top 10 for more than four weeks.
My version of another quote from the post:
Are advertisers going to infiltrate our dreams?
Major brands like Coors, Microsoft and Burger King are researching how they can have you dream of their products. Cool, that seems like something they should be allowed to do. With so many smart devices in homes these days, it’s possible that sounds or messages could be played to you in your sleep without you even knowing it. It’s unclear how effective these approaches would be in practice though.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!