- tl;dr sec
- Posts
- [tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame, Compromised Cloud to Kubernetes Takeover
[tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame, Compromised Cloud to Kubernetes Takeover
Building an effective AppSec and CloudSec program, vendors that don't prioritize high quality audit logs, tactics to go from a compromised cloud resource to taking over a Kubernetes cluster.
Hey there,
I hope you’ve been doing well!
Bingo with Flair
97% of Bingo games in America happen in a retirement home (Source: I just made this up).
Well, in this week on #PeakBayArea- I recently attended drag bingo, led by two dressed up, enthusiastic hosts.
To give you a flavor of it, they’d periodically ask, “OK, who’s close?” To which the expected response was, if you had almost won:
I’m soooo cloooose!
Drag bingo makes me think that if there was a San Francisco-specific Shark Tank (Tofu Tank?), I feel like you could buzzword-Bingo win by combining existing things with an SF-resonant term, like:
Drag + auctioneer
Yoga + flea market
Vegan + bull fighting
If you’re starting one of these, I’m ready to invest.
Also, I’m giving a webinar soon with the awesome Jim Manico, more details below.
Sponsor
📢 Build resilience and ensure business continuity with Cloudflare
Economic uncertainty and an evolving threat landscape pose risk to organizations of every size. Ensure business continuity by harnessing Cloudflare's global network, designed to make everything connected to the Internet secure, private, fast, and reliable.
Cloudflare offers comprehensive application security, network security, and Zero Trust in a single, easy-to-use platform.
Not sure where to start? Give our recommendation engine a try and customize for your specific needs.
Cloudflare has been building a number of pretty neat security features and products. And if you haven’t already seen it, I enjoyed this post on how Cloudflare prevented a targeted phishing scam and used it to improve how their products could have detected it earlier.
📜 In this newsletter...
Blue Team: Audit Logs Wall of Shame
AppSec: Learning Semgrep, a demo OIDC token issuer, vuln downloader from NIST, first.org and CISA, a counter OWASP open letter, how to achieve application and cloud security resilience
Webinar: How to Prevent Broken Access Control: I'm giving a webinar with Jim Manico
Web Security: SQL injection tips, headless Chrome is now hard to fingerprint, building a Chrome extension that steals everything, Burp Suite traffic -> sequence diagram extension
Cloud Security: Access API Gateway with Cognito User Pools an d Okta OpenIC Connect federation, cloud drift detection, monitor and query IAM resources at scale, data exfiltration with native AWS S3 features, lateral movement from compromised cloud resource to Kubernetes cluster takeover
Container Security: Managed Kubernetes security considerations, under-documented k8s security tips, exploring containers as processes
Machine Learning: Chatbase, Artificial Intelligence Risk Management Framework, ChatGPT 'Breakouts', how to access ChatGPT via voice command, bypassing bank voice authN with an AI-generated voice
Misc: Impressive balance feat, hilarious ad, Jack Altman on great leaders, Paul Graham on the best new ideas, Google's challenges
Blue Team
Audit Logs Wall of Shame
A list of vendors that don’t prioritize high-quality, widely-available audit logs for security and operations teams. Some nice 🌶️, let’s see if it influences company behavior.
Sponsor
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.
I’m a huge fan of the “secure by default” approach and the Resourcely team. Disclosure: that’s why I invested in them.
AppSec
Learning Semgrep
A frank take by Yahoo’s Joe Rozner on getting up to speed using Semgrep for bug hunting.
chainguard-dev/justtrustme
By Chainguard: A demo/testing OIDC token issuer. It will accept any claims as query parameters and mint valid OIDC tokens with them.
trinitor/CVE-Vulnerability-Information-Downloader
By @Trinitor: Downloads Information from NIST (CVSS), first.org (EPSS), and CISA (Exploited Vulnerabilities) and combines them into one list. Reports from vulnerability scanners like OpenVAS can be enriched with this information to prioritize remediation.
The (de)Evolution of OWASP
Response letter by security OG and mentor to yours truly John Steven to this open letter to OWASP. I think public, polite discussions like these are healthy for a community.
OWASP has enabled brilliant but inexperienced contributors to achieve global reach and impact because starting, evangelizing, and collaborating on projects is nearly zero friction.
Without rehashing history, I’ll put forth that the best solutions and direction in OWASP hasn’t always come from elected leadership. Cheat sheets and ASVS are examples of where grass-roots alternatives to centrally endorsed efforts have provided essential direction change and transformative value. The community has continued to cultivate efforts like these because they have proven valuable to consumers.
OWASP’s strengths rely on inclusiveness and decentralization.
How to Achieve Application & Cloud Security Resilience
By James Chiappetta and Dor Zusman: overview of the different kids of automated security scanning tools, where to perform comprehensive vs targeted scans, building a high quality detection set, the art of root cause analysis/deduplication/attribution, and useful metrics for quantifying AppSec program resiliency. Great overall post on how to think about things.
Webinar: How to Prevent Broken Access Control
I’m thrilled to announce I’m joining my friend and awesome keynote speaker / secure code trainer Jim Manico to give a webinar on OWASP Top 10 (2021) #1 - Broken Access Control.
We’ll walk through some access control best practices and how to continuously check for access control bugs and prevent them from entering in CI.
When: March 15, 10am PT
Where: Free, register here
Hope to see you there!
Web Security
SQL Injection tip from Tib3rius
Their “break and repair” method: append a ‘ or “ to a valid param value. If the response changes, replace the ‘ or “ with each of these in turn: ‘ ‘, ‘||’, ‘+’. If you get the original response back, you likely have SQLi.
New headless Chrome has been released and has a near-perfect browser fingerprint
DataDome’s Antoine Vastel explores the changes introduced by the recently released new headless Chrome and its impact on bot detection engines, particularly in those ones based on browser fingerprint signals. Antoine compares the old and new headless Chrome fingerprints, highlighting the differences that could be exploited by attackers.
Let’s build a Chrome extension that steals everything
Matt Frisbie explores the edges of what’s possible with Chrome extension and the extent of what a malicious Chrome extension can do without alerting the user, even with the recent Manifest v3 changes. Retrieve all cookies, all browser history, screenshot pages, track browsing activity in real time, observe all traffic from every tab, build a keylogger, and more.
Introducing Proxy Enriched Sequence Diagrams (PESD)
Doyensec’s Francesco Lacerenza releases PESD, a Burp Suite extension to visualize web traffic in a way that facilitates analysis and reporting in scenarios with complex functional flows. It supports syntax and metadata extension via templates (current templates: OAuth2 / OpenID Connect, SAML SSO), uses MermaidJS for the visualization, and the templates enable testers to identify uncommon implementations (which might indicate a bug).
Cloud Security
aws-samples/aws-cognito-okta-federation
An example of accessing Amazon API Gateway with Amazon Cognito User Pools and Okta OpenID Connect Federation.
Cloud drift detection: How to resolve out-of-state changes
Bridgecrew’s Guy Eisenkot on how a cloud environment can drift from what’s specified in infrastructure as code, responding to drift, and shares useful tools:
driftctl - open source CLI that can warn on infrastructure drift in Terraform and AWS
Kubediff - shows the differences between your running configuration and your version-controlled Kubernetes configuration
AWS supports ad hoc CloudFormation drift detection from the Console, CLI, or from your own code.
How to monitor and query IAM resources at scale
AWS’ Michael Chan and Joshua Du Lac share best practices for efficiently testing and querying AWS IAM APIs, including understanding the IAM control and data plane, monitoring and responding to changes in IAM resources across entire accounts, and more.
Part 2 covers the API throttling behavior of IAM and the AWS Security Token Service and how you can effectively plan your usage of them.
Data exfiltration with native AWS S3 features
Ben Leembruggen explores various legitimate S3 features that can be used for data exfiltration (S3 data replication, object ACLs, and S3 Access Points), highlighting the limitations of native AWS logging and monitoring tools, and suggestions on how to detect such exfiltration attempts.
Lateral movement risks in the cloud - Part 3: from compromised cloud resource to Kubernetes cluster takeover
Wiz’s Lior Sonntag outlines several lateral movement techniques from cloud environments to managed Kubernetes clusters, including exploiting IAM cloud keys, kubeconfig files, and container registry images. 3 best practices to reduce your clusters’ attack surfaces: avoid storing long-term cloud keys in workloads, remove kubeconfig files from publicly exposed workloads, and restrict access to container registries.
Container Security
To DIY or Not to DIY; Key Kubernetes Security Considerations
KSOC discusses the security concerns solved by managed Kubernetes (e.g. control plane availability, data backups and recovery, patching and vuln management, cluster authentication) and some security surprises of managed Kubernetes (cloud providers have privileged access to your environment and might have vulnerabilities), so that you can decide what makes sense for your org.
Under-documented Kubernetes Security Tips
RENCI’s Mac Chaffee provides some tips for enhancing the security of a Kubernetes cluster, such as segregation of duties, treating it carefully like RCE as a Service, implementing an intrusion detection system, and having an incident management plan, among others, overall emphasizing the importance of understanding the depth of Kubernetes security.
Container security fundamentals: Exploring containers as processes
Datadog’s Rory McCune demonstrates that containers are processes, shows using Linux tools to observe and interact with containers (ps, read info like environment variables from /proc/PID or write to the container’s filesystem), and explores what this means for securing container environments.
Machine Learning
Chatbase
Build an AI chatbot trained on your data.
Artificial Intelligence Risk Management Framework
48 page PDF by NIST.
ChatGPT ‘Breakouts’
Prompts to bypass the ChatGPT restrictions OpenAI tries to put in place.See also jailbreakchat.com/ for more. H/T Ashley Jones for sharing!
How to Access ChatGPT via Voice Command (Using Siri)
Baller post by Daniel Miessler on creating a shortcut on your iPhone so you can send arbitrary requests to GPT-3 and get responses read to you. Also see the companion video.
How I Broke Into a Bank Account With an AI-Generated Voice
Joseph Cox was able to create an AI replica of his voice using ElevenLabs that successfully bypassed his bank’s voice authentication. I’ll take “Attacks Anyone Should Have Foreseen If They Were Half Paying Attention” for $800 Alex.
Misc
Plank + bowls balancing act
This is one of the most ridiculous feats of balance and coordination I have ever seen. Unbelievable. It starts great, and keeps getting better.
Go Kentik Today
I’m not sure if this observability product video is serious or joking, but I love it nonetheless.
I’ve never met a truly great leader who isn’t a long term optimist, a source rather than a sink of energy, and a believer that they have agency to control their environment. These aren’t sufficient but I think they are necessary.
So it’s stupid to require people who want to do new things to enumerate the benefits beforehand. The best you can do is choose smart people and then trust their intuitions about what’s worth exploring.
Managers would like to be able to rely on something more solid than a smart person saying “this could be big,” but that’s not how ideas work. There is nothing more solid.
The maze is in the mouse
Detailed reflections by Praveen Seshadri, whose company was acquired by Google, and has left after 3 years.
Google has 175,000+ capable and well-compensated employees who get very little done quarter over quarter, year over year. Like mice, they are trapped in a maze of approvals, launch processes, legal reviews, performance reviews, exec reviews, documents, meetings, bug reports, triage, OKRs, H1 plans followed by H2 plans, all-hands summits, and inevitable reorgs. The mice are regularly fed their “cheese” (promotions, bonuses, fancy food, fancier perks) and despite many wanting to experience personal satisfaction and impact from their work, the system trains them to quell these inappropriate desires and learn what it actually means to be “Googley” — just don’t rock the boat. As Deepak Malhotra put it in his excellent business fable, at some point the problem is no longer that the mouse is in a maze. The problem is that “the maze is in the mouse”.
Google has four core cultural problems. They are all the natural consequences of having a money-printing machine called “Ads” that has kept growing relentlessly every year, hiding all other sins.
(1) no mission, (2) no urgency, (3) delusions of exceptionalism, (4) mismanagement.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint