
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation

I'm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.

Hey there,

Next week's issue may be a bit light due to the upcoming madness of BSidesSF and RSA. I'll be at both, so hope to see you there!

Provided my animal sacrifices have appeased the shipping gods, I'll have tl;dr sec stickers to hand out! 🎉 So for the first time shown publicly, here's our mascot:

Local Events: BSidesSF and RSA

BSidesSF will be this Saturday, Feb 22, through Monday, Feb 24. Good talks, great people, affordable. I highly recommend attending.

An important RSA tradition is visiting the vendor hall and gathering more swag than you can carry, winning buzzword bingo by reading security startup marketing collateral, and networking with professional colleagues over copious free food and beverages at vendor parties. See here for a website and a Twitter handle that list RSA parties.

Monday, Feb 24

Panel: Lessons Learned from the DevSecOps Trenches
BSidesSF: From 1:30pm - 2:20pm I’ll be moderating a panel with my awesome buds Zane Lackey of Signal Sciences, Astha Singhal of Netflix, Doug DePerry of Datadog, and Justine Osborne of Apple.

How to 10X Your Company’s Security (Without a Series D)
BSidesSF: After a luxurious 70 min break, from 3:30pm - 4:20pm I’ll then give a solo talk about modern AppSec best practices and how companies have effectively scaled their security, pulling from over 50 conference talks and countless blog posts, open source tools, and in-person conversations. This will be an updated and improved version of my AppSec Cali 2020 talk.

Tuesday, Feb 25 

FuzzCon
From 9:00am to 1:30pm there’s a mini fuzzing conference at The Pearl in the Dogpatch. Presentations from some impressive people in the fuzzing world, likely worth attending.

DevSecOps State of the Union
RSA: 2:20pm - 3:10pm in Moscone West 3024 I’ll again be talking about effectively scaling security. Apparently people care about this topic, who’d have thought? 🙂

📜 In this newsletter...

🔗 Links:

  • Cloud / Container Security: Escalating privs/stealing secrets in GCP, running Parliament on Terraform files, finding exposed EBS volumes, automating AWS security responses

  • Side Channel Shenanigans: Exfiltrating data using screen brightness, interacting with voice assistants using ultrasonic waves

  • Pen Testing / Red Team: BloodHound 3.0, pivot cheatsheet, network data manipulation examples, C# post-exploitation library, polyglot shell, OSINT tools, finding attackers using canaries

  • Web Security: Stateful fuzzer for finding IDORs in Swagger APIs, REing client side encryption, Portswigger's 2019 top 10 hacking techniques

  • Writing: Two short, practical writing guides

  • Politics / Privacy: Federal agencies buying commercial cellphone info for immigration enforcement, Amazon's data on you

  • Programming: Reflections on Haskell, teaching CS to kids, and how you don't need a master plan to have a great career, just get started on something that interests you

Cloud / Container Security

How to escalate privileges and steal secrets in GCP
Lengthy blog post that introduces several tools targeting GCP environments: gcp_firewall_enum (generates targeted port scans for Compute Instances exposed to the internet), gcp_enum (most of the enumeration commands in this blog, consolidated into a single script), and gcp_misc (various tools for attacking GCP environments).

In this tutorial, we will do a very deep-dive into manual post-exploitation tactics and techniques for GCP. The specific scenario we are addressing here is the compromise of a single Linux-based virtual machine running within the Compute Engine offering. The goal is to elevate local privileges to a root account, compromise other systems within the same Google Cloud Project, break out of that project into others, and even hop the fence over to G Suite if possible.

rdkls / tf-parliament
By default, Parliament runs only on JSON IAM policies, not Terraform files. This utility parses your Terraform, finds aws_iam_policy_document elements, generates resulting IAM policy document strings, and runs Parliament on them. (Thx Claus Houmann for the heads up)

Dufflebag: Uncovering Secrets in Exposed EBS Volumes
As I mentioned in tl;dr sec #6, Bishop Fox’s Ben Morris gave a DEF CON 2019 talk on how he built a tool that found a number of publicly exposed AWS EBS volumes (i.e. virtual hard drives). This blog post has some nice additional details, a video of the tool in action, and the source code is now on GitHub.

AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts. In addition to consuming findings from Amazon services and integrated partners, Security Hub gives you the option to create custom actions, which allow a customer to manually invoke a specific response or remediation action on a specific finding. You can send custom actions to Amazon CloudWatch Events as a specific event pattern, allowing you to create a CloudWatch Events rule that listens for these actions and sends them to a target service, such as a Lambda function or Amazon SQS queue.

By creating custom actions mapped to specific finding type and by developing a corresponding Lambda function for that custom action, you can achieve targeted, automated remediation for these findings.

In this blog post, I’ll show you how to build custom actions, CloudWatch Event rules, and Lambda functions for a dozen targeted actions that can help you remediate CIS AWS Foundations Benchmark-related compliance findings. I’ll also cover use cases for sending findings to an issue management system and for automating security patching.

Where Security is Headed 🚀
As I called out in my AppSec Cali 2020 slides, I think defining invariants about your code and cloud environment, things that must always or never be true, is an incredibly powerful approach. I see some companies starting to do this now, and I think it’s going to be a much bigger thing in the future.

Side Channel Shenanigans

Exfiltrating Data from Air-Gapped Computers Using Screen Brightness
By researchers at Israel’s Ben Gurion University.

SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners’ knowledge, etc.

Pen Testing / Red Team

Introducing BloodHound 3.0
Given an Active Directory environment, BloodHound represents your assets and their privileges in graph form and then finds potential attack paths to get domain admin. This version contains three new attack primitives (GMSA control, OU control, and SID history) as well as performance and quality of life improvements.

A Pivot Cheatsheet for Pentesters
How to set up a practice environment and 4 pivot techniques: SSH and proxychains, meterpreter and SOCKS proxy, ncat or netcat relay, or installing local tools.

Network data manipulation on the fly
Walkthrough of performing a few common network-related tasks useful on pen tests/red teams using maproxy, including creating a simple bidirectional proxy, data modification, creating a simple phishing web page, and messing with Ethernet/IP.

Staying # and Bringing Covert Injection Tradecraft to .NET
BlueHatIL 2020 talk by The Wover and Ruben Boonen on SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

llamasoft / polyshell
A script that’s simultaneously valid in Bash, Windows Batch, and PowerShell, which makes it useful for pen testing, as it will run on most systems without you needing to make a target-specific payload. PolyShell is specifically designed to be deliverable via input injection using a USB Rubber Ducky, MalDuino, or similar devices.

Week in OSINT #2020–06
Satellite imagery, OSINT_Spider, custom search engines, Google Analytics ID reverse lookup, view LinkedIn profile without being logged in, OSINT bookmarks, Yuleak - search for (sub)domains, IP addresses, onion addresses and other indicators for a provided domain/IP.

Birding Guide: Detect Attackers without Breaking the Bank
46 page PDF from Haroon Meer’s team at Thinkst Canary on tips and tricks for using canaries to catch bad people on your network. Covers a bunch of topics, including using canaries in SCADA/PLC contexts, office file tokens, inbox traps, AWS API key tokens, detecting cloned websites, Google Drive, MSSQL, web image, QR code, redirect, and Windows Directory tokens.

Web Security

Automated IDOR Discovery through Stateful Swagger Fuzzing
Great blog post by Yelp on a tool they built, fuzz-lightyear (🤣), that can identify broken access controls (i.e. insecure direct object reference vulns, or IDORs), using stateful Swagger fuzzing. fuzz-lightyear can be integrated into your CI pipeline to give consistent, automatic test coverage as your web apps and microservices evolve. Basically since Swagger became a thing I’d been expecting a tool like this, and had been surprised it didn’t already exist. I haven’t played with fuzz-lightyear yet, but it seems well done.

The post goes into some nice details about their approach and thought process, and links an interesting academic paper from Microsoft Research that describes how their stateful REST API fuzzer found new bugs in several deployed production Azure and Office-365 cloud services. (Thx Dmitry Sotnikov for the heads up)

Detecting IDOR in a hypothetical sequence of requests


Reverse engineering Blind’s API and client side encryption
Nice example walkthrough of figuring out how to reverse/bypass client side encryption in JavaScript.

Portswigger’s Top 10 web hacking techniques of 2019
Portswigger’s annual round up is always worth reading to get a pulse on some of the most novel/impactful web security research that’s happened recently.

Writing

Learning Technical Writing: Using the Engineering Method
22 page PDF on building a writing group from a Tufts University professor. I like that it focuses on specific, actionable advice and principles and includes a number of example practice exercises.

Essay Writing Guide
25 page Google Doc by Jordan Petersen on writing.

Politics / Privacy

The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal.

Why Amazon knows so much about you
BBC article on the history of Amazon’s obsession with customer data, some details on what’s currently collected, discussion of implications and potential future directions this could head.

Programming

Functional Programming Languages and the Pursuit of Laziness with Dr. Simon Peyton Jones
Dr. Simon Peyton Jones is a former academic, now programming language researcher at Microsoft Research. In this interview, he discusses a bit of history behind functional programming and Haskell, teaching practical algorithmic thinking to schoolchildren, and more.

Dr. Jones is brilliant and has had quite the career, so I found the following inspiring, or at least heartening. (emphasis mine)

I never had a long-term research plan. I never had a, “Oh, here are the 3 big things I’m going to do with my life and I’m on this 20-year trajectory to do it.” I was always just doing the next thing. So, I, I’m not really a very long-range planner. But I did have hold of one idea, this functional programming idea. I didn’t know how it would turn out. But I just found it fascinating.

So, I would suggest to younger people, just start with something.

I remember when I started as a researcher at the University College, London, I didn’t have a PhD. My head of department gave me some time off to do research. But I had no idea what to do. So, I just sat there with a sharp pencil and a blank sheet of paper, hoping for great ideas to come, which of course they didn’t.

And then my colleague, John Washbrook, he said to me, “Simon, just do something. Anything. No matter how humble and simple. Just start something.” And so, I did. I wrote a little parser generator for a functional language called SASL. And that eventually turned into a research paper, as it happened. So, the wonderful thing about computer science is you can start almost anything, it’ll turn into something interesting. Don’t be too worried, just get started on something that interests you.

#wisdom #inspiration
Or, as the modern day philosopher, Shia LaBeouf, once said, “Just Do It!”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint