[tl;dr sec] #138 - Career Resources, Finding Secrets at Scale, Fuzzing
Finding cybersecurity jobs and adding value, secrets from front end web apps and Docker Hub, fuzzing VirtualBox, contributing to OSS-Fuzz, tool to improve fuzzing coverage.
I hope you’ve been doing well!
‘Tats by Thiel™
My bud Isaac Evans recently overheard the following, and it’s too good not to share.
Isaac was walking to meet some colleagues and me for happy hour, when he heard this exchange:
They were potentially on a date. Or at least, I like to think so 🤣
Also, I recently overheard a different guy telling the girl he was walking with:
You know, just normal San Francisco stuff.
📢 Influence developer behavior and build security across the SDLC
The issue of making security accessible, easy, and natural for developers while improving security throughout the SDLC continues to be at the forefront of our conversations, from Eric Ellett’s talk at BSides SF around Embracing Risk Responsibly to Jim Manico’s upcoming keynote at LocoMocoSec on The History of Application Security.
Tromzo is tackling the issues of simplifying security at every step of application development by providing:
Centralized software asset visibility
Workflow automation to scale remediation across the SDLC
Security guardrails for policies and controls in CI/CD
Customizable dashboards for security accountability across engineering
📜 In this newsletter...
AppSec: Semgrep rules for Java entry points and security issues
Web Security: SVG SSRF cheatsheet, list of ways to get RCE on various apps
Career: Jason Haddix's guide to finding cybersecurity jobs, Dave Kennedy on the skills shortage in security, Wes Kao on how to add value
Secrets: Finding secrets leaked by web app frontends, CLI secret finding tool, looking for TLS private keys on Docker Hub
Cloud Cost Reduction: Tiny CLI tool to save costs in dev environments when you're asleep, 12-step guide to AWS cost optimization
Cloud Security: Resoto, escalating AWS privs with CloudTrail logs
Container Security: A Linux designed for Kubernetes, network monitoring and Zeek for threat detection in k8s
Fuzzing: How to fuzz VirtualBox network device drivers, lessons learned integrating 100+ open source projects with OSS-Fuzz, a new tool to improve fuzzing coverage
Politics / Privacy: (In a twist that should surprise exactly no one) US TikTok user data has been repeatedly accessed from China, what it means that the U.S. is conducting offensive cyber operations against Russia
Misc: RSAC labeled a super-spreader event, people not liking Jira, iOS 16 will support creating 3D floor plans using LiDAR, deep dive into spending $200,000 on biohacking
Elttam’s Ben Cambourne shares Semgrep rules on Java entry points and security issues in Jackson, Spring Remoting, and Struts DMI. It’s always neat seeing more and more security consulting firms using Semgrep on engagements 🙂
By Woven Planet’s Allan Wirth: A cheatsheet for exploiting server-side SVG processors, which can potentially be vulnerable to SSRF, LFI, XSS, or RCE because of the rich feature set of SVG.
By Podalirius: A list of techniques to achieve Remote Code Execution on various apps, including CMS (Joomla, Wordpress), LMS (Moodle), frameworks (JBoss, Tomcat), and other (GiTea, Jenkins).
A hackers guide to FINDING cybersecurity jobs
Jason Haddix shares some tips on finding opportunities, including normal methods (Zip Recruiter, LinkedIn, Indeed), quarterly Reddit hiring threads, conference hiring boards, Marcus Carey’s Twitter hiring threads, and more.
Dave Kennedy’s thread on the “skills shortage” in security
Newcomers aren’t being given a chance to get started, as most jobs require a few years of experience. I think this overlaps a lot with the themes from Jackie Bow’s BSidesSF keynote.
Millions Of Secrets Exposed Via Web Application Frontend
They found ~1.2M secrets: Stripe, reCAPTCHA, Google Cloud, AWS, Google OAuth, Facebook, and more.
CLI tool by GitGuardian that can detect more than 300 types of secrets, though it’s unclear how “open source” it is, as it uses their public API to scan and detect potential secrets. I need to review the source more to know what it’s doing where.
I’m not sure when ggshield was open sourced, but similar to how businesses compete on prices and features, I wonder if the choice to open source ggshield was in part a response to Truffle Security open sourcing their TruffleHog v3. Maybe it already was, I’m not sure of the timelines, but competitive pressure to open source tools is a neat idea to me.
How to: Look for TLS private keys on Docker Hub
Detectify’s Alfred Berg describes using the Docker API to examine the environment variables and build commands used to create Docker images, looking for secrets. Note that if you add a file and then remove it in a later step, it can still be recovered from the earlier layer, much as with git.
Alfred found 1,551 certificates in certificate transparency logs on crt.sh that had a matching private key on Docker Hub, and 671 unique AWS access keys. He also uploaded two Docker images with canary AWS keys; neither has been used in a month. Most secrets were uploaded from individual developers’ accounts, not the company’s official Docker Hub account.
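The two secrets items above describe the same defensive check applied to different artifacts: front-end bundles and container images. As an added example (not code from the newsletter, GitGuardian, Truffle Security or Detectify), the following Python scans a constructed JavaScript bundle for well-known key formats, then scans a constructed image config of the kind `docker image inspect` or a registry returns, checking ENV values by value and by variable name, checking every layer's build command, and reporting a file that was COPY'd in and `rm`'d in a later layer, since the earlier layer still contains it. Every key, path and hash below is fake, and the token regexes are simplified forms of publicly documented prefixes.

```python
"""Added example (not code from the newsletter or from the tools it links):
scan two places where secrets leak, a front-end JavaScript bundle and a
container image's config (ENV plus layer history), with a small set of
well-known token patterns. All inputs below are constructed; the keys are fake."""
import json
import re

# Token formats with stable, documented prefixes. Production scanners such as
# TruffleHog and ggshield carry hundreds of these plus entropy checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Env var names that usually hold credentials even when the value has no prefix.
SENSITIVE_ENV_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY", re.I)
# Image history records COPY/ADD steps as "COPY file:<hash> in <dest>".
COPY_DEST = re.compile(r"\b(?:COPY|ADD) \S+ in (\S+)")

# Constructed front-end bundle. The pk_live_ publishable key is meant to ship
# to browsers and is not flagged; the sk_live_ secret key and the API key are.
FAKE_GOOGLE_KEY = "AIza" + "SyCONSTRUCTED_" + "0" * 21  # 39 chars, like a real key
FRONTEND_BUNDLE = (
    'const stripe = Stripe("pk_live_CONSTRUCTED_PUBLISHABLE_KEY");\n'
    'const api = { key: "sk_live_4eC39HqLyjWDarjtT1zdp7dc" };\n'
    'fetch("https://maps.example/api?key=' + FAKE_GOOGLE_KEY + '");\n'
)

# Constructed image config in the shape `docker image inspect` returns.
IMAGE_CONFIG_JSON = """
{
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
      "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001",
      "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    ]
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:4f1c0000constructed in / "},
    {"created_by": "/bin/sh -c #(nop) COPY file:9ab00000constructed in /app/server.key"},
    {"created_by": "/bin/sh -c rm /app/server.key"},
    {"created_by": "/bin/sh -c curl -H 'Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc' https://api.stripe.com/v1/charges"}
  ]
}
"""
IMAGE_CONFIG = json.loads(IMAGE_CONFIG_JSON)


def find_secrets(text, location):
    """Return (location, kind, match) for every pattern hit in `text`."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((location, kind, m.group(0)))
    return hits


def scan_frontend_bundle(js_source):
    """A browser bundle is public by definition; any hit here is a leak."""
    return find_secrets(js_source, "frontend-bundle")


def scan_image_config(config):
    """Check ENV values (by pattern and by variable name) and each layer's
    build command. A path COPY'd/ADD'd and then rm'd in a later layer is
    reported, because the earlier layer still carries the file."""
    findings = []
    for entry in config.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        loc = f"env:{name}"
        findings.extend(find_secrets(value, loc))
        if value and SENSITIVE_ENV_NAME.search(name):
            findings.append((loc, "sensitive_env_name", value))
    added_paths = []
    for i, step in enumerate(config.get("history", [])):
        cmd = step.get("created_by", "")
        loc = f"history[{i}]"
        findings.extend(find_secrets(cmd, loc))
        m = COPY_DEST.search(cmd)
        if m:
            added_paths.append(m.group(1))
        if re.search(r"\brm\b", cmd):
            for path in added_paths:
                # Match the path as a whole token so "/" does not hit everything.
                if re.search(r"(?<!\S)" + re.escape(path) + r"(?!\S)", cmd):
                    findings.append((loc, "removed_in_later_layer", path))
    return findings


if __name__ == "__main__":
    for finding in scan_frontend_bundle(FRONTEND_BUNDLE) + scan_image_config(IMAGE_CONFIG):
        print(*finding, sep="\t")
```

The name-based check matters for values like the AWS secret access key, which has no distinctive prefix and would slip past a pattern-only scan; the layer check is the Docker-specific point from Alfred's post, that a later `rm` hides a file from the running container but not from anyone who pulls the image and reads its layers.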
Cloud Cost Reduction
A 12-step guide to AWS cost optimisation
Using this approach, FreeAgent has already cut their AWS spend by 50%, and they estimate they can save another 30% a year by implementing further efficiencies.
🔍 Search Infrastructure: Resoto maps out your cloud infrastructure in a graph and provides a simple search syntax.
📊 Generate Reports: Keeps track of and reports infrastructure changes over time, making it easy to audit resource usage and cleanup.
🤖 Automate Tasks: Tedious tasks like rule enforcement, resource tagging, and cleanup can be automated using jobs.
Using CloudTrail to Pivot to AWS Accounts
If you’re doing a cloud pen test and you have low privilege AWS creds, Bishop Fox’s Gerben Kleijn describes how you can escalate privileges by examining CloudTrail assumeRole events to learn other AWS accounts you can pivot to.
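The same CloudTrail data serves the account owner: every cross-account AssumeRole event in your trail is either one of your principals reaching into another account or an external principal reaching into yours, and both lists should match the trust policies you think you have. As an added example (not Bishop Fox's code or tooling), the Python below walks a constructed set of CloudTrail records, skips same-account and AWS-service-initiated assumptions, and reports each cross-account event with its direction, the external account, and whether STS denied it. The account IDs, ARNs, times and IPs are all fabricated; the field names are the standard CloudTrail ones.

```python
"""Added example (not from the Bishop Fox post): inventory cross-account
AssumeRole activity from CloudTrail so the account's trust graph can be
reviewed. The records below are constructed; account IDs and ARNs are fake."""
import json
import re

OWN_ACCOUNT = "111111111111"  # the account whose trail we are reading (constructed)
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/")

# Constructed CloudTrail log file in the usual {"Records": [...]} shape.
CLOUDTRAIL_JSON = """
{"Records": [
  {"eventTime": "2022-06-20T10:00:01Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/ci-runner"},
   "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy", "roleSessionName": "ci"}},
  {"eventTime": "2022-06-20T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
   "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin", "roleSessionName": "alice"}},
  {"eventTime": "2022-06-20T11:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "AssumedRole", "accountId": "333333333333", "arn": "arn:aws:sts::333333333333:assumed-role/Scanner/session"},
   "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Auditor", "roleSessionName": "scan"}},
  {"eventTime": "2022-06-20T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.99", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/intern"},
   "requestParameters": {"roleArn": "arn:aws:iam::444444444444:role/Billing", "roleSessionName": "x"}},
  {"eventTime": "2022-06-20T12:30:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "recipientAccountId": "111111111111", "sourceIPAddress": "lambda.amazonaws.com",
   "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
   "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/LambdaExec", "roleSessionName": "fn"}},
  {"eventTime": "2022-06-20T13:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
   "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"}}
]}
"""
RECORDS = json.loads(CLOUDTRAIL_JSON)["Records"]


def cross_account_assume_roles(records, own_account):
    """Return one entry per AssumeRole whose caller and target role live in
    different accounts. Same-account assumptions and assumptions made by AWS
    services on our behalf (userIdentity.type == "AWSService") are skipped."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        identity = rec.get("userIdentity", {})
        if identity.get("type") == "AWSService":
            continue
        caller = identity.get("accountId")
        role_arn = rec.get("requestParameters", {}).get("roleArn", "")
        m = ROLE_ARN.match(role_arn)
        if not caller or not m:
            continue
        target = m.group(1)
        if caller == target:
            continue
        if caller == own_account:
            direction, external = "outbound", target   # our principal -> their role
        elif target == own_account:
            direction, external = "inbound", caller    # their principal -> our role
        else:
            direction, external = "unrelated", target  # should not appear in our own trail
        findings.append({
            "time": rec.get("eventTime"),
            "caller": identity.get("arn"),
            "role_arn": role_arn,
            "direction": direction,
            "external_account": external,
            "denied": "errorCode" in rec,
            "source_ip": rec.get("sourceIPAddress"),
        })
    return findings


def external_accounts(findings):
    """The set of foreign account IDs that appear in cross-account events."""
    return {f["external_account"] for f in findings}


if __name__ == "__main__":
    for f in cross_account_assume_roles(RECORDS, OWN_ACCOUNT):
        flag = "DENIED " if f["denied"] else ""
        print(f"{f['time']} {flag}{f['direction']:8} {f['caller']} -> {f['role_arn']}")
    print("external accounts:", sorted(external_accounts(cross_account_assume_roles(RECORDS, OWN_ACCOUNT))))
```

Denied attempts are kept rather than dropped: a principal probing roles in accounts it has no business with is exactly the low-privilege reconnaissance the post describes, and an unexpected account ID in the outbound set is the cue to go read that role's trust policy.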
By Sidero Labs: Linux designed for Kubernetes – secure, immutable, and minimal. Supports cloud platforms, bare metal, and virtualization platforms, and all system management is done via an API: no SSH, shell or console.
Network Monitoring and Zeek for Threat Detection in Kubernetes
4-part blog series by Corelight on how to use network monitoring and open source Zeek for threat detection in Kubernetes environments. This lets you generate security-centric data from network traffic to complement visibility from container agents and audit logs. Also: using sidecars to sniff and tunnel traffic, a real-world example of detecting malicious traffic between containers, and more.
📢 AppOmni's SaaS Security Checklist outlines the 7 key components of SaaS security
Whether you’re creating a new SaaS security program or want to improve, AppOmni's SaaS Security Checklist can help. It outlines 7 key components of SaaS security, including configuration management and always-on monitoring, based on AppOmni’s experience working with hundreds of security teams.
Introduction to VirtualBox security research
Doyensec’s Norbert Szetei introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers.
Fuzzing 100+ open source projects with OSS-Fuzz
ADA Logics’s David Korczynski and Adam Korczynski describe their lessons learned in integrating >100 open source projects into Google’s OSS-Fuzz, which resulted in more than 2,000 issues being reported, 1,300 of which are verified and fixed, 559 of those being security-relevant bugs.
Introducing Fuzz Introspector, an OpenSSF Tool to Improve Fuzzing Coverage
By Google’s Oliver Chang and Navid Emamdoost and ADA Logics’s David Korczynski and Adam Korczynski. Initial release of Fuzz Introspector, a tool to identify fuzzing coverage blockers. It currently supports C/C++ projects and provides for each project:
Politics / Privacy
US TikTok User Data Has Been Repeatedly Accessed From China, Leaked Audio Shows
In addition to the data accessed, what about being able to control the algorithm that influences what people see? What sort of influence could this have over Americans’ commercial, cultural, or political behavior? Much I imagine.
What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia
Gen. Paul Nakasone’s remarks this month about offensive operations against Russia caused a stir. Kim Zetter goes into what that means.
“Real opinions from real people about a project management system which unfortunately is also real.”
iOS 16 ‘RoomPlan’ API creates 3D floor plans using LiDAR
iOS 16 contains a new API that uses LiDAR to allow you to quickly scan a room and create 3D floor plans. Sounds neat.
I’m 32 and spent $200k on biohacking. Became calmer, thinner, extroverted, healthier & happier.
However deep you think the author is going to go based on the title… he goes deeper. tl;dr sec is explicitly not endorsing anything in this post, but it is interesting to read what someone thinks who has spent an inordinate amount of time on this.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!