[tl;dr sec] #195 - Kubernetes Exposed, SBOMs, Elastic's Vuln Management

Hacker Summer Camp

This year was my first time in Vegas since the pandemic, and I even managed to survive BSidesLV through DEF CON. I hope you did too 😅 

With the help of many friends, I managed to hand out ~300 t-shirts and >1,000 stickers. If you didn’t get one, stay tuned, I’m working on it.

A few moments that stood out:

• Getting polygraphed by Zack Allen (who writes the excellent Detection Engineering newsletter) the first time we ever met.

  • Apparently the Tor badge had a small lie detector/polygraph hardware attached to it.

• Meeting other podcast and newsletter nerds for the first time in person- shout-out to Tromzo and Miscreants for making it happen.

• Attending an Aussie party and watching Louis from PentesterLab make an American hop 4 times like a kangaroo to become an “honorary Australian.”

• Caleb Sima managing to lose the t-shirt I gave him in literally the two hours between my seeing him at different events 🤣 

If you attended, I hope your Hacker Summer Camp was memorable and safe!

Developers and Security are Friends Day 

FYI there’s an upcoming free full-day training for developers and security folks interested in application, product, and cloud security.

September 5th in Austin, Texas.

Featuring Jim Manico, James Wickett, Reddit’s Matt Johansen, Cloudflare’s Sri Pulla, Netflix’s Esha Kanekar, and many more!

Sponsor

📣 Opal, scalable identity security

Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

They are built from the ground up to synthesize the data needed to construct and monitor all of your company’s access – from a single pane of glass.

Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

📜 In this newsletter…

• AppSec: Tool to run CodeQL at scale, a walkthrough of 👈️ , Semgrep for Prometheus queries

• Web Security: Burp extension to encode and fuzz custom Protobuf messages

• Cloud Security: Tool for AWS subnet observability, hacking GitHub AWS integrations again, AWS security monitoring in 2023

• Container Security: Survey of exposed Kubernetes clusters in the wild

• Supply Chain: SBOM query language tool, protobom (a format-neutral SBOM representation), limitations of using SBOMs for vulnerability response, BlackHat talk on trust in the software supply chain

• Blue Team: TTPForge, how Elastic uses Elastic for vuln management, monitoring Vault at scale

• Red Team: Collection of Chrome sandbox escape PoCs, collection of vulnerable WordPress plugins, memory corruption in JS engines tutorial

• Politics / Privacy: Chrome extension to monitor other extensions’ network calls

• Machine Learning + Security: U.S. gov’t AI competition, managing risk for apps leveraging 3rd party LLMs

• OSINT / Recon: Tool to discover URLs associated with a domain

• Misc: BlackHat USA vendor announcement overview, hacking card-shuffling machines

AppSec

GitHubSecurityLab/gh-mrva
A tool to ease running CodeQL queries at scale by Alvaro Muñoz.

Finding Vulnerabilities with MRVA CodeQL
Maiky discusses scanning many repos at scale using GitHub's CodeQL, using either a built-in list of top 1K repos or a custom built list using GitHub Code Search for repos that have specific functionality you're targeting. Maiky demonstrates this approach for finding server-side template injection in Ruby and unsafe deserialization in Python.

Guardrails for PromQL using Semgrep
Aiven’s Michael Hoffmann is a Site Reliability Engineer who recently added support for PromQL to Semgrep, a query language for Prometheus, the open-source CNCF monitoring system. Michael walks through how you can “extract” PrompQL from YAML files and then run analyze the PromQL with Semgrep to enforce best practices or find bugs.

Semgrep’s Extract mode let’s you do the same thing with JavaScript in HTML, Bash in Docker files or YAML, etc. Neat to see Semgrep solving developer/SRE challenges, not just security 💪 

Web Security

ProtoBurp: Encode and Fuzz Custom Protobuf Messages in Burp Suite
Dillon Franke announces ProtoBurp, a new Burp extension to help encode and fuzz Protobuf messages. Automatically convert JSON data into a Protobuf message based on a provided protobuf definition file → fuzz inputs using Burp’s Repeater and Intruder, as well as proxy traffic from other tools (e.g. sqlmap).

Sponsor

📣 Zenbleed: What you need to know about the latest vulnerability targeting AMD Zen CPUs allowing arbitrary reading of data from any cloud workload sharing the same CPU core

Named “Zenbleed” (CVE-2023-20593) by its reporter/discoverer Tavis Ormandy, this new vulnerability primarily targets AMD Zen CPUs and has the potential to cause substantial damage, much like previous CPU vulnerabilities such as Spectre and Meltdown. The Lacework Labs cloud security research team breaks down this new vulnerability in our latest blog article.

Cloud Security

Introducing Subnet-Watcher: Observability for your AWS Subnets
Victor Grenu announces Subnet-Watcher, an open source tool that lets you automatically check your subnets for various metrics, including the number of available IP addresses, the number of Elastic Network Interfaces (ENI) available in the VPC, etc. and take action if specified conditions aren’t met.

Hacking Github AWS integrations again
Daniel Grzelak writes about how misconfigured AWS <> GitHub OIDC can accidentally allow any GitHub Action to assume the role. Daniel discusses how to validate if an IAM role is vulnerable and how to find roles at scale to test (GH Archive for historical, GitHub public events feed, for real time).

Daniel excellently links to related work and and has a very fun tone- this is a solid example of a great blog post 👌

AWS Security Monitoring in 2023: Untangle the chaos
Cloudonaut's Michael Wittig writes about recommendations for implementing an effective security monitoring strategy in AWS. Michael introduces a structured approach, categorizing key AWS services into three fundamental groups: sources of information, best practices, and anomaly detection and aggregation. Includes an 👌 overview image.

Container Security

Kubernetes Exposed: One Yaml away from Disaster
AquaSec's Michael Katchinskiy and Assaf Morag found Kubernetes clusters belonging to more than 350 organizations, openly accessible and largely unprotected. They discovered the clusters using Shodan, and the two primary misconfigurations they found were: allowing anonymous access with privileges and running the kubectl proxy with certain arguments that lead to unknowingly exposing the cluster to the Internet.

Supply Chain

chainguard-dev/bomshell
By Chainguard's Adolfo García: A Software Bill Of Materials (SBOM) query language and associated utilities to work with data in any format.

Can Protobom end the SBOM format wars?
Adolfo García Veytia and John Speed Meyers announce protobom, an open source tool that offers a format-neutral representation of SBOM package and file data and the ability to translate this data between popular SBOM formats.

Why lcamtuf is not a fan of using SBOMs for vulnerability response
tl;dr: diverts resources, doesn't capture mode of use / exposure to untrusted inputs (leads to false positives), SBOM may not include implicit & transitive dependencies.

Reflections on Trust in the Software Supply Chain
BlackHat talk (slides) by Jeremy Long on the current state of software supply chain security, what SLSA, SBOMs, and code signing do and don’t get you, and a PoC malicious build-time dependency that injects a backdoor. This occurs before code signing happens, so from that point of view, all looks well.

Blue Team

facebookincubator/TTPForge
By Jayson Grace, Alek, and Sam Manzer: A framework created by Meta's Purple Team to facilitate the development, automation, and execution of Tactics, Techniques and Procedures (TTPs).

How InfoSec uses the Elastic Stack for vulnerability management
Elastic's Clement Fouque writes about how the Elastic Stack can be utilized as a data management platform for vulnerability management. Clement outlines the three main components of their vulnerability management architecture and explains how to automate the process of retrieving, enriching, and sharing scan results with different teams.

HashiCorp Vault observability: Monitoring Vault at scale
HashiCorp's JD Goins and Justin Barlow share strategies for architecting a comprehensive Vault monitoring approach, including log analysis, telemetry analysis, and API and synthetic monitoring.

Red Team

allpaca/chrome-sbx-db
By allpaca: A collection of Chrome Sandbox Escape POCs/exploits for learning.

onhexgroup/Vulnerable-WordPress
By onhexgroup: A collection of vulnerable WordPress plugins updated monthly that can be used for Nuclei template development, exploit development, or learning purposes.

Attacking JS engines: Fundamentals for understanding memory corruption crashes
Tempest's Pedro Guerra Lourenço discusses the basic concepts of browser exploitation, focusing on Firefox's JavaScript engine, SpiderMonkey. Pedro also outlines concepts including heaps, garbage collectors, JIT compilers, and in-memory structures.

Politics / Privacy

dnakov/little-rat
A Chrome extension to monitor other extensions' network calls, by Daniel Nakov.

Machine Learning + Security

Biden-⁠Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software
A two year competition launched to use AI to protect important U.S. software. Led by DARPA, collaboration with top AI companies (Anthropic, Google, Microsoft, and OpenAI), $20 million in prizes.

A framework to securely use LLMs in companies - Part 2: Managing risk
Sandesh Anand continues his series, this time focusing on managing risk for applications leveraging 3rd party LLMs, either as public or private SaaS. Recommendations to consider: using an LLM gateway to route traffic, regular auditing/testing of implemented solutions, or adding a monitoring layer to monitor LLM usage.

Misc

Quicklinks

• KRAZAM - AI Boyfriend

• Tech Fighter Turbo - Mock up of Street Fighter but for tech leaders

• DEF CON WiFi Rick Rolling You

• Rapid7 will lay off 18% of its workforce (>400 global employees).

  • HackerOne last week announced plans to lay off 12% of its workforce.

  • Bishop Fox laid off around 50 employees (13%) in May

• Nuanced mega thread by Esther Crawford on time at Twitter before and after Elon. Fascinating.

Black Hat USA 2023 – Announcements Summary
Nice post by Eduard Kovacs summarizing some of the announcements made by vendors at Black Hat USA 2023, including new products and services, updates to existing offerings, reports, and other initiatives.

Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating
IOActive’s Joseph Tartaro, Enrique Nissim and Ethan Shackelford presented at BlackHat various security issues discovered in card shuffling machines, including accessing an internal camera inside the Deckmate 2 shuffler to learn the exact deck order—and the hand of every player at a poker table.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler