• tl;dr sec
  • Posts
  • [tl;dr sec] #224 - Google on BeyondCorp, Threat Modeling, AWS Cross-Account Attacks

[tl;dr sec] #224 - Google on BeyondCorp, Threat Modeling, AWS Cross-Account Attacks

Google's zero trust lessons learned, threat modeling with HCL and LLMs, identifying cross-account IAM attack paths

Hey there,

I hope you’ve been doing well!

🤯 50,000 Readers

tl;dr sec has reached a milestone that’s honestly like 10X more than I ever imagined.

From the bottom of my heart, thanks for reading, and for all of the kind words and encouragement that’s helped me keep going these 5 years 🙏 

It’s a privilege to get to share people’s awesome research with you every week, and I’m as committed as ever to ensuring tl;dr sec will always be an excellent use of your time.

I’ve been working on growing tl;dr sec for a long time, and I was reflecting as this milestone neared. One Alex Hormozi quote has stuck with me:

“You’ve already achieved goals you said would make you happy.”

Yikes. While milestones are exciting, I’ve found happiness from them to be fleeting. The joy is in crafting what I personally feel to be a really great issue.

I’ve been intentionally investing more quality time with friends, being vulnerable and discussing topics important to us. And that has been very gratifying.

Have you already achieved goals you said would make you happy? 🤔 Are you happy? (Obligatory Bo Burnham)


📣 Email security with less noise and more signal

Sophisticated attackers continually refine their approach to evade detection. But while methods change, objectives remain constant.

That’s why Material Security maps coverage to objectives to create more durable detections based on a unique combination of threat intelligence, observed attacks, and AI/ML-powered logic. Stay ahead of email threats like credential theft, malware/ransomware, and fraud / business email compromise with one API-based solution for advanced threat detection, insider risk protection, and incident response automation.

I was grabbing coffee with Material’s co-founder/CEO (Abhishek Agrawal) the other day, and the features he described sounded pretty rad 👌 


By Christian Frichot: Document threat models using HCL, HashiCorp’s Configuration Language.

Inherent Threats- Clarifying a property of threats: Are they inherent to the system?
New whitepaper by Adam Shostack on examining if a given threat is accidental, a result of trade-offs, or inherent to a system, as that impacts how you handle it. When a threat is tied to the essence of a system, protective measures can’t be perfect or complete, so you need to invest more in detective and responsive controls.

Deobfuscating / Unminifying Obfuscated Web App Code
A gist from Glenn Grant, covering all sort of helpful topics around deobfuscating JavaScript, which is crucial for black box testing web applications. It links out to tools like wakaru and webcrack. Also contains PoCs, web tools, and more.

How Twilio Segment proactively protects customer’s API tokens
Sal Olivares walks through two features Segment's Security Features Team built to protect customer API tokens. The first is a standard implementation of GitHub and GitLab secret scanning, with automated revocation. The second enhances customer security around offboarded users by alerting admins to "orphaned" tokens. See also Sal’s BSidesSF 2023 talk.

What I like about this post is some of the discussion of decision making (i.e reviewing prevalence of revocation by GitHub’s secret scanning partners) and how it highlights tracking metrics (25% of orphaned tokens were deleted after 1st notification). I've been noticing more companies spinning up similar Security Feature teams, Segment was early to the trend!

Unveiling the Server-Side Prototype Pollution Gadgets Scanner
Doyensec's Raúl Miján launches a new Burp Suite Plugin for detecting and exploiting server-side prototype pollution (a JavaScript vulnerability where an attacker can add arbitrary properties to global object prototypes, which may later be handled unsafely by the application). The plugin takes a JSON object from a request and tries using a predefined set of gadgets to poison all possible fields.

One improvement over alternatives is that this new plugin reverts the modifications made during the detection process, preserving the application's integrity and stability.


📣Why modernize your infrastructure access? The analysts have weighed in…

Watch a webinar replay featuring Melinda Marks, Practice Director of Enterprise Strategy Group, Ev Kontsevoy (CEO), and Aleksandr Klizhentas (CTO) of Teleport to learn about: 

  • Current data breach and PAM landscapes that point to the need for modern access architecture

  • What modern access is, and how it hardens infrastructure security by eliminating common attack vectors and improving engineer productivity

  • How built-in policy governance delivers powerful, real-time insights for security pros to stop threat actors in their tracks

Identity, access control, and least privilege are all key, love the discussion 👍️ 

Cloud Security

IAMGraph: Mapping Cross Account Attack Paths in AWS Environments
WithSecure's Aleksi Kallio's new tool identifies cross-account IAM attack paths in AWS by modelling the relevant IAM configurations in a Neo4j graph database and analyzing relevant IAM policies with IAMSpy (an IAM SMT solver) to find effective assume-role paths.

Announcing ‘Cirrus’ – New Opensource Tool to Combat Google Cloud Incident Response Challenges
Syngia's Itay Angi breaks down Cirrus, a tool that leverages Google API client libraries to aggregate logs across GCP components as well as Google Workspace (or Cloud Identity).

Cloudgrappler - An Open-Source Threat Detection Tool for Cloud Environments
Permiso's Andi Ahmeti took Cado Security's cloudgrep, and built a tool to easily scan your logs for tactics, techniques, and procedures (TTPs). Cloudgrappler supports AWS and Azure, and comes prepackaged with a set of intel-based detections for cloud threat actors. For example, flagging use of Cloudshell as a potential TTP for LUCR3.

Container Security

A Kubectl plugin that can detect if any of your workloads or manifest files are mounting the docker.sock volume. Context: an attacker could use docker.sock to escape the container.

Using Tailscale for persistence
Rory McCune breaks down how Tailscale could be used for stealthy persistence in a Kubernetes cluster. Covers either using the ctr CLI to run with Containerd, or just dropping a static Kubernetes manifest in /etc/kubernetes/manifests and letting Kubelet handle restarting the pod.

Supply Chain

A GitHub Action to suggest removal of non-organization members from CODEOWNERS files. Great for removing people’s access, for example, when they leave your company.

Poisoned Pipeline Execution Attacks: A Look at CI-CD Environments
Friend of the newsletter Bishop Fox’s Sebastian Guerrero shares a nice overview of poisoned pipeline execution (PPE), when an attacker can inject malicious code into the build process, covering direct, indirect, and public PPE, as well as mitigations.

Blue Team

Unfiltered: Measuring Cloud-based Email Filtering Bypasses
Did you know third-party email filtering services (like Proofpoint, Barracuda) can be bypassed if the email hosting provider is not configured to only accept messages that arrive from the email filtering service?

In this academic paper, the authors scanned ~1600 com and edu domains with filtering services, and found 80% could be bypassed. It also diagnoses the reasons for the prevalence of this issue: the ad hoc architecture required for email filtering, the problematic separation of concerns, poor documentation, potential reliability impact from "failing closed," and the fundamental reliance on source IP address integrity. By Sumanth Rao, Stefan Savage, et al.

BeyondCorp and the long tail of Zero Trust
BeyondCorp is Google's model of a perimeter-less network, with continuous user- and device-based authentication and authorization. After the initial rollout, management support for migrating workflows and users to BeyondCorp waned, leading to underfunded development of long tail solutions. This resulted in a growing population of users segregated into coarse groups, whose needs became increasingly opaque to the BeyondCorp team.

This article walks through their experience addressing these gaps, with some very portable takeaways, like:

  • When ambient privilege exists, expect systems and users to become dependent on it.

  • Controlling and ultimately removing overly broad security exceptions requires investment in Security Engineering, support, change management, SRE, and program management. The "wait it out" strategy (hoping teams update or change their infrastructure) won't create full-scale change.

  • Be pragmatic and prepared to migrate to intermediate solutions with a clear path forward, or make trade-offs among different policies to ensure business continuity.

  • Communicate clear deadlines and provide a standardized escalation process that rolls up to the project sponsor.

Red Team

By Hal Brodigan et al: an open-source Ruby toolkit for security research and development. Ronin also allows for the rapid development and distribution of code, exploits, payloads, etc, via third party git repos.

Bluetooth Security Assessment Methodology
TarLogic has released BSAM: an open-source guide to security evaluation of Bluetooth devices, covering 36 controls. They also published BlueSpy, a PoC exploit for devices failing BSAM-PA-05: Pairing without user interaction. BlueSky automates connecting to devices with "JustWorks" enabled, which allows for eavesdropping.

Identity Providers for RedTeamers
Adam Chester walks through attacks against IdPs, mostly post-compromise and by abusing features. Covers:

  • LogonUserW hooking to grab plain-text credentials off an endpoint

  • Agent Spoofing to extract credentials while on an external network

  • Kerberos Authentication to pivot from an endpoint to SSO

  • Stealthy Okta FastPass abuse

AI + Security

Deepfakes from Argil.ai of Mark Zuckerberg, Marc Andreessen, Obama
As if we weren’t having difficulties already about the truth around certain events…

Unredacting an email from Elon to Ilya
Thread by Rohan Pandey on a character-count constrained (tries to match up the length of the blacked out regions) decoding algorithm for Llama2-13B. See also Bishop Fox’s Dan Petro’s blog post (and tool) on unredacting pixelated text.

Leveraging LLMs for Threat Modeling - Claude 3 Opus vs GPT-4
Marcin Niemiec adds another installment to his series. In this post, the threat modeling capabilities of both models are tested on four forms of analysis: high-level security design review, threat modeling, security-related acceptance criteria and review of architecture.

Both models outperform their predecessors, and Claude 3 Opus slightly outperformed GPT-4 in identifying threats and adhering to instructions. I appreciate the structured evaluation used here, and Marcin's consistency in revisiting this topic as models evolve.

Small Language Models for Application Security - Beyond ChatGPT
I love this LASCON 2023 talk by Louis Barrett (slides), covering an overview of applications of LLMs, a proposed scale for how advanced a given system using a language model is, applying LLMs to AppSec domains (design reviews, threat modeling, code review, vulnerability management), and tactical advice on which local model to choose based on your use case.

This is one of my favorite talks so far in this space, given both the breadth and depth, highly recommend checking it out 🔥 


Convert potentially dangerous documents into safe PDFs
By Micah Lee, Dangerzone uses sandboxed Linux containers to defang potentially malicious documents via a series of conversions.

The first container takes the document, uses LibreOffice or GraphicsMagick to convert it to a PDF, then turns that PDF into a PNG and extracts the RGB pixel data. The second container then picks up that pixel data, runs OCR to generate searchable text, and converts back to a PDF.

A set of security vulnerabilities in dormakaba’s Saflok electronic RFID locks, impacting >3M hotel locks in 131 countries. Exploits issues in Dormakaba's encryption, as well as the well known flaws of MIFARE Classic RFID cards. Also covered in Wired: Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds. Research by: Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana.


✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!