[tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame, Compromised Cloud to Kubernetes Takeover
Building an effective AppSec and CloudSec program, vendors that don't prioritize high quality audit logs, tactics to go from a compromised cloud resource to taking over a Kubernetes cluster.
I hope you’ve been doing well!
Bingo with Flair
97% of Bingo games in America happen in a retirement home (Source: I just made this up).
Well, in this week on #PeakBayArea- I recently attended drag bingo, led by two dressed up, enthusiastic hosts.
To give you a flavor of it, they’d periodically ask, “OK, who’s close?” To which the expected response was, if you had almost won:
Drag bingo makes me think that if there was a San Francisco-specific Shark Tank (Tofu Tank?), I feel like you could buzzword-Bingo win by combining existing things with an SF-resonant term, like:
Drag + auctioneer
Yoga + flea market
Vegan + bull fighting
If you’re starting one of these, I’m ready to invest.
Also, I’m giving a webinar soon with the awesome Jim Manico, more details below.
📢 Build resilience and ensure business continuity with Cloudflare
Economic uncertainty and an evolving threat landscape pose risk to organizations of every size. Ensure business continuity by harnessing Cloudflare's global network, designed to make everything connected to the Internet secure, private, fast, and reliable.
Cloudflare offers comprehensive application security, network security, and Zero Trust in a single, easy-to-use platform.
Not sure where to start? Give our recommendation engine a try and customize for your specific needs.
Cloudflare has been building a number of pretty neat security features and products. And if you haven’t already seen it, I enjoyed this post on how Cloudflare prevented a targeted phishing scam and used it to improve how their products could have detected it earlier.
📜 In this newsletter...
Blue Team: Audit Logs Wall of Shame
AppSec: Learning Semgrep, a demo OIDC token issuer, vuln downloader from NIST, first.org and CISA, a counter OWASP open letter, how to achieve application and cloud security resilience
Webinar: How to Prevent Broken Access Control: I'm giving a webinar with Jim Manico
Web Security: SQL injection tips, headless Chrome is now hard to fingerprint, building a Chrome extension that steals everything, Burp Suite traffic -> sequence diagram extension
Cloud Security: Access API Gateway with Cognito User Pools an d Okta OpenIC Connect federation, cloud drift detection, monitor and query IAM resources at scale, data exfiltration with native AWS S3 features, lateral movement from compromised cloud resource to Kubernetes cluster takeover
Container Security: Managed Kubernetes security considerations, under-documented k8s security tips, exploring containers as processes
Machine Learning: Chatbase, Artificial Intelligence Risk Management Framework, ChatGPT 'Breakouts', how to access ChatGPT via voice command, bypassing bank voice authN with an AI-generated voice
Misc: Impressive balance feat, hilarious ad, Jack Altman on great leaders, Paul Graham on the best new ideas, Google's challenges
Audit Logs Wall of Shame
A list of vendors that don’t prioritize high-quality, widely-available audit logs for security and operations teams. Some nice 🌶️, let’s see if it influences company behavior.
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.
I’m a huge fan of the “secure by default” approach and the Resourcely team. Disclosure: that’s why I invested in them.
By @Trinitor: Downloads Information from NIST (CVSS), first.org (EPSS), and CISA (Exploited Vulnerabilities) and combines them into one list. Reports from vulnerability scanners like OpenVAS can be enriched with this information to prioritize remediation.
How to Achieve Application & Cloud Security Resilience
By James Chiappetta and Dor Zusman: overview of the different kids of automated security scanning tools, where to perform comprehensive vs targeted scans, building a high quality detection set, the art of root cause analysis/deduplication/attribution, and useful metrics for quantifying AppSec program resiliency. Great overall post on how to think about things.
Webinar: How to Prevent Broken Access Control
I’m thrilled to announce I’m joining my friend and awesome keynote speaker / secure code trainer Jim Manico to give a webinar on OWASP Top 10 (2021) #1 - Broken Access Control.
We’ll walk through some access control best practices and how to continuously check for access control bugs and prevent them from entering in CI.
When: March 15, 10am PT
Where: Free, register here
Hope to see you there!
SQL Injection tip from Tib3rius
Their “break and repair” method: append a ‘ or “ to a valid param value. If the response changes, replace the ‘ or “ with each of these in turn: ‘ ‘, ‘||’, ‘+’. If you get the original response back, you likely have SQLi.
New headless Chrome has been released and has a near-perfect browser fingerprint
DataDome’s Antoine Vastel explores the changes introduced by the recently released new headless Chrome and its impact on bot detection engines, particularly in those ones based on browser fingerprint signals. Antoine compares the old and new headless Chrome fingerprints, highlighting the differences that could be exploited by attackers.
Let’s build a Chrome extension that steals everything
Matt Frisbie explores the edges of what’s possible with Chrome extension and the extent of what a malicious Chrome extension can do without alerting the user, even with the recent Manifest v3 changes. Retrieve all cookies, all browser history, screenshot pages, track browsing activity in real time, observe all traffic from every tab, build a keylogger, and more.
Introducing Proxy Enriched Sequence Diagrams (PESD)
Doyensec’s Francesco Lacerenza releases PESD, a Burp Suite extension to visualize web traffic in a way that facilitates analysis and reporting in scenarios with complex functional flows. It supports syntax and metadata extension via templates (current templates: OAuth2 / OpenID Connect, SAML SSO), uses MermaidJS for the visualization, and the templates enable testers to identify uncommon implementations (which might indicate a bug).
An example of accessing Amazon API Gateway with Amazon Cognito User Pools and Okta OpenID Connect Federation.
Cloud drift detection: How to resolve out-of-state changes
Bridgecrew’s Guy Eisenkot on how a cloud environment can drift from what’s specified in infrastructure as code, responding to drift, and shares useful tools:
driftctl - open source CLI that can warn on infrastructure drift in Terraform and AWS
Kubediff - shows the differences between your running configuration and your version-controlled Kubernetes configuration
AWS supports ad hoc CloudFormation drift detection from the Console, CLI, or from your own code.
How to monitor and query IAM resources at scale
AWS’ Michael Chan and Joshua Du Lac share best practices for efficiently testing and querying AWS IAM APIs, including understanding the IAM control and data plane, monitoring and responding to changes in IAM resources across entire accounts, and more.
Part 2 covers the API throttling behavior of IAM and the AWS Security Token Service and how you can effectively plan your usage of them.
Data exfiltration with native AWS S3 features
Ben Leembruggen explores various legitimate S3 features that can be used for data exfiltration (S3 data replication, object ACLs, and S3 Access Points), highlighting the limitations of native AWS logging and monitoring tools, and suggestions on how to detect such exfiltration attempts.
Lateral movement risks in the cloud - Part 3: from compromised cloud resource to Kubernetes cluster takeover
Wiz’s Lior Sonntag outlines several lateral movement techniques from cloud environments to managed Kubernetes clusters, including exploiting IAM cloud keys, kubeconfig files, and container registry images. 3 best practices to reduce your clusters’ attack surfaces: avoid storing long-term cloud keys in workloads, remove kubeconfig files from publicly exposed workloads, and restrict access to container registries.
To DIY or Not to DIY; Key Kubernetes Security Considerations
KSOC discusses the security concerns solved by managed Kubernetes (e.g. control plane availability, data backups and recovery, patching and vuln management, cluster authentication) and some security surprises of managed Kubernetes (cloud providers have privileged access to your environment and might have vulnerabilities), so that you can decide what makes sense for your org.
Under-documented Kubernetes Security Tips
RENCI’s Mac Chaffee provides some tips for enhancing the security of a Kubernetes cluster, such as segregation of duties, treating it carefully like RCE as a Service, implementing an intrusion detection system, and having an incident management plan, among others, overall emphasizing the importance of understanding the depth of Kubernetes security.
Container security fundamentals: Exploring containers as processes
Datadog’s Rory McCune demonstrates that containers are processes, shows using Linux tools to observe and interact with containers (ps, read info like environment variables from /proc/PID or write to the container’s filesystem), and explores what this means for securing container environments.
Build an AI chatbot trained on your data.
How to Access ChatGPT via Voice Command (Using Siri)
Baller post by Daniel Miessler on creating a shortcut on your iPhone so you can send arbitrary requests to GPT-3 and get responses read to you. Also see the companion video.
How I Broke Into a Bank Account With an AI-Generated Voice
Joseph Cox was able to create an AI replica of his voice using ElevenLabs that successfully bypassed his bank’s voice authentication. I’ll take “Attacks Anyone Should Have Foreseen If They Were Half Paying Attention” for $800 Alex.
Plank + bowls balancing act
This is one of the most ridiculous feats of balance and coordination I have ever seen. Unbelievable. It starts great, and keeps getting better.
Go Kentik Today
I’m not sure if this observability product video is serious or joking, but I love it nonetheless.
The maze is in the mouse
Detailed reflections by Praveen Seshadri, whose company was acquired by Google, and has left after 3 years.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!