[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
I hope you had an awesome holiday break and New Years, and that you’re not too sore from going to the gym every day since Jan 1.
One Christmas tradition my family has, and that I’m fond of, is that my siblings and I pick up a live Christmas tree and set it up in our living room. Per tradition, my mom asks us, “Hey, get a nice sized tree, maybe 7 - 8 feet, not like last year.”
And per tradition, my siblings and I pick up a tree that’s at least 10 - 12 feet tall.
(For reference, I'm 6 ft tall)
This issue is a bit longer than most, as I took a few weeks off and there’s much to catch up on.
This week I’m at NCC Con in San Diego, an annual internal-only conference NCC Group holds where security consultants from all over gather to give trainings, present research they’ve done, and talk shop over beverages (like orange juice).
It’s neat to see the early stages of research that will later be presented on major stages like BlackHat and DEF CON. Definitely one of my favorite events all year.
🎁 Epic Post Next Week
I’ve been working hard for the past few months on one of the more ambitious writing projects I’ve ever tried to tackle. It’s taken me a few hundred hours, and I’m not aware of any post quite like it.
I hope you like it! If you do, I’d greatly appreciate your help in sharing it with any friends/colleagues who you think would find it useful 🙏
I’m not going to say what it’s about, but it relates to some upcoming events…
📜 In this newsletter...
Getting into Security: Tanya Janca on the various roles in security, John Opdenakker's list of useful learning resources
Cloud Security: AWS IAM analyzer, 21 AWS PrivEsc techniques, Docker wrapper for AWS tools, demystifying AssumeRole and sts:ExternalId, Adopting AWS VPC Endpoints at Square
Securing Terraform & CloudFormation Scripts: Several tools that will scan Terraform or CloudFormation scripts for insecure configurations
Beyond Beyond Corp: Google BeyondProd whitepaper + overview by Maya Kaczorowski, whitepaper on how Google does code provenance, NCSC's zero trust architecture design principles
Programming: Computer Science from the Bottom Up, Rosettagit: solutions to the same task in many languages
Tools: Imperva's automatic API attack tool, PathAuditor: detect unsafe path access patterns, awesome-hacking GitHub repo
Misc: Dive into Deep Learning, 100 Worst Ed-Tech Debacles of the Decade, On Linux’s Random Number Generation, WebAuthn.guide
Privacy: NYT on what's possible with location data from millions of phones, big data is big business in China
Politics: Mike Bloomberg's anti-Cambridge Analytica, Chinese ambassador pressured Denmark to adopt Huawei's 5G
Twitter on Work Culture: Thoughts from Dino Dai Zovi and Tobi Lutke, the CEO of Shopify
Getting into Security
Some useful application security resources
John Opdenakker describes how he got into security, the different types of resources that are useful in learning security, and gives a great list of blogs, online training, podcasts, conferences, and newsletters.
Cloud Security
AWS IAM Access Analyzer
IAM Access Analyzer aims at making it easy to check that your policies provide only the intended access to resources. After enabling it in the Console, IAM Access Analyzer will continuously analyze permissions granted using policies associated with your S3 buckets, KMS keys, SQS queues, IAM roles, and Lambda functions. “…uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.” Currently free!
Investigating PrivEsc Methods in AWS
Bishop Fox’s Gerben Kleijn provides a description, lists the requirements, and gives an example of 21 different AWS privilege escalation techniques, based on some great work by Spencer Gietzen.
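To make the two items above concrete, here is an added example (my own code, not from AWS, Bishop Fox, or Spencer Gietzen) that models both checks in a few dozen lines of Python: flagging statements in a resource policy that grant access to principals outside a set of trusted accounts, which is the core of what Access Analyzer reports, and flagging an identity policy that grants any of a handful of the well-known privilege-escalation actions. The sample bucket policy, user policy, account IDs, and the subset of privesc actions are constructed for illustration; the checks deliberately ignore Condition blocks, NotAction, service principals, and resource scoping, all of which the real tools handle.

```python
"""Toy versions of two IAM policy checks. Added example, not AWS or Bishop Fox code."""
import fnmatch
import json
import re

# Constructed sample: a bucket policy with one in-account grant, one grant to an
# outside account, and one public grant (Access Analyzer would report the last two).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
    ],
})

# Constructed sample: an identity policy attached to a CI user. The iam:Create*
# wildcard is the interesting part.
SAMPLE_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
})

# A subset of well-known privilege-escalation primitives (assumed for illustration;
# the Bishop Fox post covers 21 techniques together with their requirements).
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}


def _statements(policy_json):
    """Normalise the Statement block (a dict or a list of dicts) to a list."""
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns use '*' and '?' wildcards and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def external_access(policy_json, trusted_accounts):
    """Return (principal, actions) pairs that reach outside trusted_accounts.

    Only explicit AWS principals (ARNs or bare account IDs) and '*' are considered.
    """
    findings = []
    for s in _statements(policy_json):
        if s.get("Effect") != "Allow":
            continue
        actions = _as_list(s.get("Action", []))
        principal = s.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(("*", actions))
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            m = re.match(r"arn:aws:iam::(\d{12}):", arn)
            account = arn if arn.isdigit() else (m.group(1) if m else None)
            if arn == "*" or (account is not None and account not in trusted_accounts):
                findings.append((arn, actions))
    return findings


def privesc_actions(policy_json):
    """Return the privesc-relevant actions the policy allows and does not explicitly deny."""
    allowed, denied = set(), set()
    for s in _statements(policy_json):
        target = allowed if s.get("Effect") == "Allow" else denied
        for pattern in _as_list(s.get("Action", [])):
            target.update(a for a in PRIVESC_ACTIONS if _action_matches(pattern, a))
    return sorted(allowed - denied)


if __name__ == "__main__":
    for who, actions in external_access(SAMPLE_BUCKET_POLICY, {"111111111111"}):
        print(f"external access: {who} -> {actions}")
    print("privesc-capable actions:", privesc_actions(SAMPLE_USER_POLICY))
```

Run it and the bucket policy yields two findings (the 999999999999 account and the public `*` grant), while the user policy turns out to allow iam:CreateAccessKey, iam:CreateLoginProfile and iam:CreatePolicyVersion through the `iam:Create*` wildcard, which is the kind of thing a human reviewer skims past and a privesc hunter does not.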
AWS Security Toolbox (AST)
Docker container that wraps several AWS security tools: awscli, CloudMapper, CloudTracker, prowler, ScoutSuite, PMapper, and Enumerate-IAM.
Demystifying AWS’ AssumeRole and sts:ExternalId
By NCC Group’s Rennie deGraaf:
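As an added illustration of the confused-deputy problem that sts:ExternalId exists to solve (my own example, not Rennie’s code, and a deliberately simplified model of how IAM evaluates a trust policy), the block below builds the trust policy for a role a third-party vendor assumes in your account, once without and once with the ExternalId condition, and evaluates assume-role attempts against it. The account IDs, role names and ExternalId values are made up.

```python
"""Confused-deputy protection via sts:ExternalId in a role trust policy.
Added example with a simplified model of trust-policy evaluation; real IAM
evaluates many more condition keys and also checks the caller's own permissions."""

VENDOR_ACCOUNT = "222222222222"  # assumed: a SaaS vendor that assumes roles in customer accounts
YOUR_ACCOUNT = "111111111111"    # assumed: your account, which hosts the role


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy(external_id=None):
    """Trust policy letting the vendor account assume the role, optionally pinned to an ExternalId."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _principal_allowed(principal, caller_arn):
    """An account-root principal matches any IAM principal in that account."""
    for p in _as_list(principal.get("AWS", [])):
        if p == "*" or p == caller_arn:
            return True
        if p.endswith(":root") and caller_arn.startswith(p[:-len("root")]):
            return True
    return False


def assume_role_allowed(policy, caller_arn, external_id=None):
    """Model: the call succeeds if an Allow statement matches the caller and any
    StringEquals condition on sts:ExternalId matches the value the caller supplied."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        if not _principal_allowed(s["Principal"], caller_arn):
            continue
        required = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


if __name__ == "__main__":
    vendor = f"arn:aws:iam::{VENDOR_ACCOUNT}:role/ingest"
    # Weak: the vendor's role can assume yours no matter which customer asked for it.
    print("no ExternalId, Mallory's request:", assume_role_allowed(trust_policy(), vendor, "mallory-id"))
    # Pinned: only requests carrying your ExternalId get through.
    pinned = trust_policy("c0ffee-your-id")
    print("pinned, Mallory's request:", assume_role_allowed(pinned, vendor, "mallory-id"))
    print("pinned, your request:", assume_role_allowed(pinned, vendor, "c0ffee-your-id"))
```

The scenario the model captures: the vendor’s single role assumes whatever customer role ARN each customer types into the vendor’s UI. Without the condition, another customer (Mallory) can enter your role ARN and the vendor’s credentials will be accepted. With the condition, the vendor passes each customer’s ExternalId on the AssumeRole call and Mallory’s request is refused. Two caveats worth remembering: ExternalId protects you from the deputy being confused, not from a malicious vendor, and in real cross-account use the vendor’s own identity policy must also allow sts:AssumeRole on your role ARN.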
Adopting AWS VPC Endpoints at Square
Square describes how they use VPC endpoints to access AWS services without giving the VPC resources direct Internet connectivity, and how they ensure only their own resources are accessed, with a Shared VPC model.
Securing Terraform & CloudFormation Scripts
Here are several tools that will scan Terraform or CloudFormation scripts for insecure configurations.
liamg/tfsec - “Static analysis powered security scanner for your terraform code.”
bridgecrewio/checkov - “Prevent cloud misconfigurations during build time.”
cesar-rodriguez/terrascan - “Collection of security and best practice test for static code analysis of terraform templates”
nozaq/terraform-aws-secure-baseline - “Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations.”
Skyscanner/cfripper - “Lambda function to “rip apart” a CloudFormation template and check it for security compliance.”
stelligent/cfn_nag - “Linting tool for CloudFormation templates”
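To show the kind of misconfiguration these scanners catch, here is an added example (my own, not code from any of the projects listed) that implements three toy checks over a Terraform document written in Terraform’s JSON syntax, the `*.tf.json` form, since that can be parsed without an HCL library: security group ingress open to the world, a public S3 bucket ACL, and an RDS instance that is publicly reachable or unencrypted. The sample resources are constructed; attribute names follow the AWS provider as it was commonly written at the time and move between provider versions, which is one reason to run the real tools rather than this.

```python
"""Toy Terraform JSON scanner in the spirit of tfsec/checkov/terrascan. Added example."""
import json

# Constructed sample *.tf.json document; resource names are made up.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "bastion": {
                "name": "bastion",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"]},
                ],
            }
        },
        "aws_s3_bucket": {
            "assets": {"bucket": "example-assets", "acl": "public-read"},
            "logs": {"bucket": "example-logs", "acl": "private"},
        },
        "aws_db_instance": {
            "main": {"engine": "postgres", "publicly_accessible": True,
                     "storage_encrypted": False},
        },
    }
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scan_tf_json(doc_json):
    """Return (resource address, finding) pairs for a Terraform JSON document."""
    findings = []
    resources = json.loads(doc_json).get("resource", {})
    for rtype, instances in resources.items():
        for name, body in instances.items():
            addr = f"{rtype}.{name}"
            if rtype == "aws_security_group":
                for rule in _as_list(body.get("ingress", [])):
                    cidrs = set(_as_list(rule.get("cidr_blocks", [])))
                    cidrs |= set(_as_list(rule.get("ipv6_cidr_blocks", [])))
                    if cidrs & WORLD_CIDRS:
                        findings.append((addr, "ingress {}-{}/{} open to the world".format(
                            rule.get("from_port"), rule.get("to_port"), rule.get("protocol"))))
            elif rtype == "aws_s3_bucket":
                if body.get("acl") in PUBLIC_ACLS:
                    findings.append((addr, f"bucket ACL is {body['acl']}"))
            elif rtype == "aws_db_instance":
                if body.get("publicly_accessible") is True:
                    findings.append((addr, "database is publicly accessible"))
                if not body.get("storage_encrypted", False):
                    findings.append((addr, "storage is not encrypted at rest"))
    return findings


if __name__ == "__main__":
    for addr, msg in scan_tf_json(SAMPLE_TF_JSON):
        print(f"{addr}: {msg}")
```

Against the sample this reports four findings: the SSH rule on the bastion group, the public-read ACL on the assets bucket, and two on the database. The 443 rule scoped to 10.0.0.0/8 and the private logs bucket pass. Running a check like this in CI, before `terraform apply`, is exactly the “during build time” point the tools above make.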
Beyond Beyond Corp
Read the full whitepaper here.
Maya Kaczorowski, a Google PM in container security, shared a great summary thread on Twitter:
Programming
Computer Science from the Bottom Up
General Unix and C, computer architecture, OS, processes, virtual memory, compilation toolchains, dynamic linking, etc.
RosettaGit
Presents “solutions to the same task in as many different programming languages as possible. It demonstrates how languages are similar and different and can help you learn new approaches to solving problems.”
Tools
imperva/automatic-api-attack-tool
Takes an API specification as input and creates a series of attacks based on the specification. No human intervention needed, but it can be extended if there are particular types of attacks you’d like to do.
Detecting unsafe path access patterns with PathAuditor
Tool from Google to find file access related vulnerabilities. “PathAuditor is a shared library that can be loaded into processes using LD_PRELOAD. It then hooks all filesystem related libc functions and checks if the access is safe. For that, we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable.” Source code on GitHub
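The core check PathAuditor describes, walking every prefix of a path and asking whether an unprivileged user could swap that component out, is small enough to reimplement stand-alone. The block below is an added Python version of that traversal (my own code, not PathAuditor’s, which is a C shared library hooked in via LD_PRELOAD). It treats root and the current user as trusted owners, flags world-writable directories that lack the sticky bit, symlinks and components owned by anyone else, and a missing final component whose parent others can write to. `build_demo_tree` constructs a throwaway directory with one safe and one world-writable subdirectory so the check has something to run against.

```python
"""Stand-alone path audit in the style of PathAuditor's core check. Added example."""
import os
import stat
import tempfile


def audit_path(path, trusted_uids=None):
    """Walk each prefix of path and return (prefix, reason) pairs that an
    untrusted user could tamper with. Root and the current user are trusted."""
    if trusted_uids is None:
        trusted_uids = {0, os.geteuid()}
    path = os.path.abspath(path)
    findings = []
    prefix = os.sep
    parent_st = None
    for part in path.split(os.sep)[1:]:
        prefix = os.path.join(prefix, part)
        try:
            st = os.lstat(prefix)  # lstat: we want to see symlinks, not follow them
        except FileNotFoundError:
            # Whoever can write the parent can create this component.
            if parent_st is not None and (parent_st.st_uid not in trusted_uids
                                          or parent_st.st_mode & stat.S_IWOTH):
                findings.append((prefix, "missing, and others can write its parent"))
            break
        except PermissionError:
            findings.append((prefix, "cannot stat"))
            break
        owner_ok = st.st_uid in trusted_uids
        if stat.S_ISLNK(st.st_mode) and not owner_ok:
            findings.append((prefix, f"symlink owned by untrusted uid {st.st_uid}"))
        elif not owner_ok:
            findings.append((prefix, f"owned by untrusted uid {st.st_uid}"))
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH \
                and not st.st_mode & stat.S_ISVTX:
            # Anyone can rename or unlink entries here, so every child is replaceable.
            findings.append((prefix, "world-writable directory without sticky bit"))
        parent_st = st
    return findings


def build_demo_tree():
    """Create a constructed demo tree: <tmp>/safe/f and <tmp>/loose/f with loose chmod 777."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    safe_dir = os.path.join(root, "safe")
    loose_dir = os.path.join(root, "loose")
    os.mkdir(safe_dir)
    os.mkdir(loose_dir)
    os.chmod(loose_dir, 0o777)
    for d in (safe_dir, loose_dir):
        with open(os.path.join(d, "f"), "w") as fh:
            fh.write("demo\n")
    return {"root": root, "safe_dir": safe_dir, "safe_file": os.path.join(safe_dir, "f"),
            "loose_dir": loose_dir, "loose_file": os.path.join(loose_dir, "f")}


if __name__ == "__main__":
    tree = build_demo_tree()
    for label in ("safe_file", "loose_file"):
        print(label, audit_path(tree[label]) or "no findings")
```

Note what is not flagged: a sticky, world-writable directory such as /tmp is fine on its own, because the sticky bit stops other users from renaming or unlinking entries they do not own. The component inside it is then judged by its owner, which is the same reasoning PathAuditor applies. Group-writable directories are ignored here, since safely judging them requires knowing which users are in the group.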
Hack-with-Github/Awesome-Hacking
A collection of various awesome lists for hackers, pentesters and security researchers. Links to various awesome-<topic> repos on GitHub on topics like asset discovery, fuzzing, bug bounty, and more.
Misc
Dive into Deep Learning
An interactive deep learning book with code, math, and discussions, based on the NumPy interface.
On Linux’s Random Number Generation
NCC Group’s Thomas Pornin gives some interesting details about how random number generation on Linux works and its history. If you’re into crypto, I’d highly recommend checking out Thomas’ work, as he’s brilliant.
WebAuthn.guide
It’s still early stages, but WebAuthn seems to be picking up steam. This page has a nice overview and a bunch of code examples.
Privacy
How to Track President Trump
Article by the NY Times Privacy Project on the impact of services that aggregate and sell location data. They obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in the US, consisting of a random sample from 2016 and 2017. The page has some neat (😅) visualizations of people going about their day.
Share with Friends Who Have “Nothing to Hide”
If you’re in security, you’re probably well aware of the dangers and implications of location data. One thing I think this article did really well is explaining, in a non-technical way, all the bad things that could be done with this data, like determining the identities of government officials working in sensitive roles (e.g. tracking people from the Pentagon or other buildings to their homes), blackmail and extortion (affairs, visits to Planned Parenthood, etc.), help with social engineering, kidnapping, and more. This is a good article to bookmark to share with friends or relatives who don’t think aggregating location data is a big deal.
Creepy or convenient? Big data is big business in China
A woman saw her friend’s face on a “traffic violator exposure screen,” which uses cameras set up at intersections that automatically detect pedestrians and cyclists running red lights or committing other traffic violations. The images are matched with local authority databases to identify the individual, and their face appears on the monitor within five minutes. It is said that over 95% of wrongdoers can be identified. Violators are contacted by police and fined.
Politics
Mike Bloomberg is plowing millions of dollars into a secretive tech firm
The company is called Hawkfish, and it provides “digital ad services, including content creation, ad placement and analytics.” Bloomberg started Hawkfish to counter how much more effectively Trump and the Republicans used digital platforms and social media than the Democrats did in 2016. Bloomberg has already spent at least $13 million on Facebook and Google spots and said he plans to spend over $100 million on anti-Trump digital ads. Hawkfish will be working to support Democrats in a variety of elections, not just Bloomberg’s campaign, and the team includes former Facebook and Foursquare executives. Since any regulation of political ads or limitations on voter targeting seems unlikely, “if you can’t beat ’em, join ’em” ¯\_(ツ)_/¯
Banned recording reveals China ambassador threatened Faroese leader at secret meeting
China’s ambassador to Denmark threatened the Faroese prime minister that a trade agreement with China would not be signed unless they signed a 5G contract with Huawei. This “marks the first (public) instance where the Chinese government has linked access to China’s huge market to Huawei being awarded contracts for 5G networks in Europe. Huawei has publicly stated that it is a private company with no ties to the Chinese state.” This is unsurprising: strong ties between the Chinese government and most large Chinese companies have been shown again and again.
Twitter on Work Culture
There were a number of people on Twitter talking about work/life balance, career advancement, and tradeoffs. It was interesting to read, as it’s something I struggle with too.
Here are a few snippets, let me know if there were any others you found useful.
From Tobi Lutke, the CEO of Shopify: