[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I'm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
Next week's issue may be a bit light due to the upcoming madness of BSidesSF and RSA. I'll be at both, so hope to see you there!
Provided my animal sacrifices have appeased the shipping gods, I'll have tl;dr sec stickers to hand out! 🎉🎁 So for the first time shown publicly, here's our mascot:
Local Events: BSidesSF and RSA
BSidesSF will be this Saturday, Feb 22, through Monday, Feb 24. Good talks, great people, affordable. I highly recommend attending.
An important RSA tradition is visiting the vendor hall and gathering more swag than you can carry, winning buzzword bingo by reading security startup marketing collateral, and networking with professional colleagues over copious free food and beverages at vendor parties. See here for a website and a Twitter handle that list RSA parties.
Monday, Feb 24
Panel: Lessons Learned from the DevSecOps Trenches
BSidesSF: From 1:30pm - 2:20pm I’ll be moderating a panel with my awesome buds Zane Lackey of Signal Sciences, Astha Singhal of Netflix, Doug DePerry of Datadog, and Justine Osborne of Apple.
How to 10X Your Company’s Security (Without a Series D)
BSidesSF: After a luxurious 70 min break, from 3:30pm - 4:20pm I’ll then give a solo talk about modern AppSec best practices and how companies have effectively scaled their security, pulling from over 50 conference talks and countless blog posts, open source tools, and in-person conversations. This will be an updated and improved version of my AppSec Cali 2020 talk.
Tuesday, Feb 25
FuzzCon
From 9:00am to 1:30pm there’s a mini fuzzing conference at The Pearl in the Dogpatch. Presentations from some impressive people in the fuzzing world, likely worth attending.
DevSecOps State of the Union
RSA: 2:20pm - 3:10pm in Moscone West 3024 I’ll again be talking about effectively scaling security. Apparently people care about this topic, who’d have thought? 🙂
📜 In this newsletter...
Cloud / Container Security: Escalating privs/stealing secrets in GCP, running Parliament on Terraform files, finding exposed EBS volumes, automating AWS security responses
Side Channel Shenanigans: Exfiltrating data using screen brightness, interacting with voice assistants using ultrasonic waves
Pen Testing / Red Team: BloodHound 3.0, pivot cheatsheet, network data manipulation examples, C# post-exploitation library, polyglot shell, OSINT tools, finding attackers using canaries
Web Security: Stateful fuzzer for finding IDORs in Swagger APIs, REing client side encryption, Portswigger's 2019 top 10 hacking techniques
Writing: Two short, practical writing guides
Politics / Privacy: Federal agencies buying commercial cellphone info for immigration enforcement, Amazon's data on you
Programming: Reflections on Haskell, teaching CS to kids, and how you don't need a master plan to have a great career, just get started on something that interests you
Cloud / Container Security
How to escalate privileges and steal secrets in GCP
Lengthy blog post that introduces several tools targeting GCP environments: gcp_firewall_enum: generate targeted port scans for Compute Instances exposed to the internet, gcp_enum: most of the enumeration commands in this blog, consolidated to a single script, and gcp_misc: various tools for attacking GCP environments.
rdkls / tf-parliament
By default, Parliament runs only on JSON IAM policies, not Terraform files. This utility parses your Terraform, finds aws_iam_policy_document elements, generates resulting IAM policy document strings, and runs Parliament on them. (Thx Claus Houmann for the heads up)
Dufflebag: Uncovering Secrets in Exposed EBS Volumes
As I mentioned in tl;dr sec #6, Bishop Fox’s Ben Morris gave a DEF CON 2019 talk on how he built a tool that found a number of publicly exposed AWS EBS volumes (i.e. virtual hard drives). This blog post has some nice additional details, a video of the tool in action, and the source code is now on GitHub.
Where Security is Headed 🚀
As I called out in my AppSec Cali 2020 slides, I think defining invariants about your code and cloud environment, things that must always or never be true, is an incredibly powerful approach. I see some companies starting to do this now, and I think it’s going to be a much bigger thing in the future.
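To make the invariant idea concrete, here is an added example (not code from tl;dr sec, Parliament, or tf-parliament) that evaluates two "must never be true" statements over a constructed cloud inventory: an IAM policy check of the kind a policy linter like Parliament flags, and a network exposure check. The inventory, policy names, security group names and function names are all constructed or hypothetical.

```python
"""Invariant checks over a constructed cloud inventory.

Added example, not code from tl;dr sec, Parliament, or tf-parliament. The
inventory, policy names and security group names are constructed; the
function names are hypothetical.
"""

# Constructed inventory: IAM policy documents (the JSON shape Parliament reads)
# and security group ingress rules, as a pipeline might export them.
INVENTORY = {
    "iam_policies": {
        "ci-deploy": {"Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::ci-artifacts/*"},
        ]},
        "legacy-admin": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ]},
    },
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "sg-bastion": [{"port": 22, "cidr": "0.0.0.0/0"}],
        "sg-internal": [{"port": 22, "cidr": "10.0.0.0/8"}],
    },
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def no_wildcard_admin(inventory):
    """Invariant: no policy statement allows every action on every resource."""
    violations = []
    for name, doc in inventory["iam_policies"].items():
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])) and \
               "*" in _as_list(stmt.get("Resource", [])):
                violations.append(name)
    return violations


def no_ssh_open_to_internet(inventory):
    """Invariant: port 22 is never reachable from 0.0.0.0/0."""
    return [name for name, rules in inventory["security_groups"].items()
            if any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in rules)]


INVARIANTS = [no_wildcard_admin, no_ssh_open_to_internet]


def check_invariants(inventory, invariants=INVARIANTS):
    """Evaluate every invariant; return (invariant name, offending object) pairs.

    An empty list means the environment currently satisfies all invariants;
    anything else is a finding to fail the pipeline on or page a human about.
    """
    return [(inv.__name__, obj) for inv in invariants for obj in inv(inventory)]


if __name__ == "__main__":
    for invariant, obj in check_invariants(INVENTORY):
        print(f"VIOLATION {invariant}: {obj}")
```

The point of expressing these as named invariants rather than ad hoc scripts is that the list becomes the specification: each function is a statement about the environment that is either true or false right now, and running the set on every Terraform plan or on a schedule turns drift into a failing check instead of a surprise.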
Side Channel Shenanigans
Exfiltrating Data from Air-Gapped Computers Using Screen Brightness
By researchers at Israel’s Ben Gurion University.
Pen Testing / Red Team
Introducing BloodHound 3.0
Given an Active Directory environment, BloodHound represents your assets and their privileges in graph form and then finds potential attack paths to get domain admin. This version contains three new attack primitives (GMSA control, OU control, and SID history) as well as performance and quality of life improvements.
A Pivot Cheatsheet for Pentesters
How to set up a practice environment and 4 pivot techniques: SSH and proxychains, meterpreter and SOCKS proxy, ncat or netcat relay, or installing local tools.
Network data manipulation on the fly
Walkthrough of performing a few common network-related tasks useful on pen tests/red teams using maproxy, including creating a simple bidirectional proxy, data modification, creating a simple phishing web page, and messing with Ethernet/IP.
Staying # and Bringing Covert Injection Tradecraft to .NET
BlueHatIL 2020 talk by The Wover and Ruben Boonen on SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
llamasoft / polyshell
A script that’s simultaneously valid in Bash, Windows Batch, and PowerShell, which makes it useful for pen testing, as it will run on most systems without you needing to make a target-specific payload. PolyShell is specifically designed to be deliverable via input injection using a USB Rubber Ducky, MalDuino, or similar devices.
Week in OSINT #2020–06
Satellite imagery, OSINT_Spider, custom search engines, Google Analytics ID reverse lookup, view LinkedIn profile without being logged in, OSINT bookmarks, Yuleak - search for (sub)domains, IP addresses, onion addresses and other indicators for a provided domain/IP.
Birding Guide: Detect Attackers without Breaking the Bank
46 page PDF from Haroon Meer’s team at Thinkst Canary on tips and tricks for using canaries to catch bad people on your network. Covers a bunch of topics, including using canaries in SCADA/PLC contexts, office file tokens, inbox traps, AWS API key tokens, detecting cloned websites, Google Drive, MSSQL, web image, QR code, redirect, and Windows Directory tokens.
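The AWS API key token is a good illustration of why canaries are cheap and high-signal. Here is an added example (not code from tl;dr sec or Thinkst) that watches constructed CloudTrail-style events for use of planted access key IDs that have no permissions and no legitimate user. The key IDs, hostnames, events and the canary_alerts function are all constructed or hypothetical.

```python
"""Canary token detection over constructed CloudTrail-style events.

Added example, not from tl;dr sec or Thinkst. The key IDs, events and
hostnames are constructed, and the function name is hypothetical.
"""
import json

# Constructed canaries: access key IDs planted where an intruder would find
# them. The keys carry no permissions, so there is no legitimate use of them.
CANARY_KEYS = {
    "AKIACANARYEXAMPLE0001": "decoy .aws/credentials on build-server-7",
    "AKIACANARYEXAMPLE0002": "api-keys.txt on the shared finance drive",
}

# Constructed CloudTrail-style records (JSON lines, as delivered to a SIEM).
# sts:GetCallerIdentity needs no permissions and succeeds; a permission-less
# key still produces an event for other calls, with errorCode AccessDenied.
SAMPLE_LOG = """
{"eventTime": "2020-02-18T03:12:44Z", "eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": "AKIACANARYEXAMPLE0001"}, "sourceIPAddress": "203.0.113.9"}
{"eventTime": "2020-02-18T03:13:01Z", "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAREALPRODKEY00001"}, "sourceIPAddress": "10.0.4.21"}
{"eventTime": "2020-02-18T03:13:09Z", "eventName": "ListBuckets", "errorCode": "AccessDenied", "userIdentity": {"accessKeyId": "AKIACANARYEXAMPLE0001"}, "sourceIPAddress": "203.0.113.9"}
{"eventTime": "2020-02-18T09:40:12Z", "eventName": "ConsoleLogin", "userIdentity": {}, "sourceIPAddress": "10.0.4.22"}
"""


def canary_alerts(log_text, canaries=CANARY_KEYS):
    """Return one alert per event in which a canary key was used.

    Any hit is actionable without tuning: nothing legitimate ever uses these
    keys, and the planted_in field tells responders which host or share the
    intruder has already reached.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        key = event.get("userIdentity", {}).get("accessKeyId")
        if key in canaries:
            alerts.append({
                "key": key,
                "planted_in": canaries[key],
                "event": event.get("eventName"),
                "source_ip": event.get("sourceIPAddress"),
                "time": event.get("eventTime"),
                "denied": event.get("errorCode") == "AccessDenied",
            })
    return alerts


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG):
        print(f"CANARY {alert['key']} from {alert['planted_in']} used: "
              f"{alert['event']} by {alert['source_ip']} at {alert['time']}")
```

The first sample event is the one to expect in practice: a quick identity check succeeds even for a key with no rights, so it shows up before any denied call does. Matching on the key ID alone is enough; the detection does not need to know what the call was trying to do.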
Automated IDOR Discovery through Stateful Swagger Fuzzing
Great blog post by Yelp on a tool they built, fuzz-lightyear (🤣👏), that can identify broken access controls (i.e. insecure direct object reference vulns, or IDORs), using stateful Swagger fuzzing. fuzz-lightyear can be integrated into your CI pipeline to give consistent, automatic test coverage as your web apps and microservices evolve. Basically since Swagger became a thing I’d been expecting a tool like this, and had been surprised it didn’t already exist. I haven’t played with fuzz-lightyear yet, but it seems well done.
The post goes into some nice details about their approach and thought process, and links an interesting academic paper from Microsoft Research that describes how their stateful REST API fuzzer found new bugs in several deployed production Azure and Office-365 cloud services. (Thx Dmitry Sotnikov for the heads up)
Detecting IDOR in a hypothetical sequence of requests
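The core of the stateful approach is a two-session sequence: create a resource with one user's session, then replay every endpoint that consumes that resource's id with a different user's session and flag any success. The added example below (not fuzz-lightyear or Yelp's code) runs that sequence against a constructed in-memory API that stands in for a Swagger-described service, with the ownership check switchable so the vulnerable and hardened behaviour can be compared. The ToyApi class, endpoint names, user names and idor_check function are all hypothetical.

```python
"""Stateful IDOR check against a constructed in-memory API.

Added example, not fuzz-lightyear or Yelp's code. ToyApi stands in for a
service described by a Swagger spec; the endpoint names, user names and the
idor_check function are hypothetical.
"""


class ToyApi:
    """Constructed two-user notes service. enforce_ownership toggles the fix."""

    def __init__(self, enforce_ownership):
        self.enforce_ownership = enforce_ownership
        self._notes = {}
        self._next_id = 1

    def create_note(self, user, text):
        """Producer endpoint: returns an id that the consumer endpoints use."""
        note_id = self._next_id
        self._next_id += 1
        self._notes[note_id] = {"owner": user, "text": text}
        return 201, {"id": note_id}

    def _authorize(self, user, note_id):
        note = self._notes.get(note_id)
        if note is None:
            return 404, None
        # Vulnerable behaviour: any authenticated user may act on any id.
        # Hardened behaviour: the caller must own the note.
        if self.enforce_ownership and note["owner"] != user:
            return 403, None
        return 200, note

    def get_note(self, user, note_id):
        """Consumer endpoint: GET /notes/{id}."""
        return self._authorize(user, note_id)

    def delete_note(self, user, note_id):
        """Consumer endpoint: DELETE /notes/{id}."""
        status, _ = self._authorize(user, note_id)
        if status == 200:
            del self._notes[note_id]
            return 204, None
        return status, None


def idor_check(api, owner="alice", other="bob"):
    """Stateful sequence: create as owner, then replay each consumer as other.

    A consumer that returns a 2xx for a resource the caller does not own is an
    IDOR. A fresh resource is created per consumer so that a delete in one
    step cannot hide a finding in the next.
    """
    consumers = [("GET /notes/{id}", api.get_note),
                 ("DELETE /notes/{id}", api.delete_note)]
    findings = []
    for label, endpoint in consumers:
        status, body = api.create_note(owner, "private note")
        assert status == 201, "setup step failed"
        status, _ = endpoint(other, body["id"])
        if 200 <= status < 300:
            findings.append(label)
    return findings


if __name__ == "__main__":
    print("vulnerable:", idor_check(ToyApi(enforce_ownership=False)))
    print("hardened:  ", idor_check(ToyApi(enforce_ownership=True)))
```

What a Swagger spec adds to this is the producer/consumer wiring: the spec says which operation returns an id and which operations take it as a parameter, so the sequence above can be generated for every resource type rather than written by hand, which is what makes the check cheap enough to run in CI on each change.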
Reverse engineering Blind’s API and client side encryption
Portswigger’s Top 10 web hacking techniques of 2019
Portswigger’s annual round up is always worth reading to get a pulse on some of the most novel/impactful web security research that’s happened recently.
Community favorite: HTTP desync attacks
Owning The Clout Through Server Side Request Forgery
Cross-Site Leaks 1 2 3
Learning Technical Writing: Using the Engineering Method
22 page PDF on building a writing group from a Tufts University professor. I like that it focuses on specific, actionable advice and principles and includes a number of example practice exercises.
Essay Writing Guide
25 page Google Doc by Jordan Peterson on writing.
Politics / Privacy
Why Amazon knows so much about you
BBC article on the history of Amazon’s obsession with customer data, some details on what’s currently collected, discussion of implications and potential future directions this could head.
Functional Programming Languages and the Pursuit of Laziness with Dr. Simon Peyton Jones
Dr. Simon Peyton Jones is a former academic, now programming language researcher at Microsoft Research. In this interview, he discusses a bit of history behind functional programming and Haskell, teaching practical algorithmic thinking to schoolchildren, and more.
Dr. Jones is brilliant and has had quite the career, so I found the following inspiring, or at least heartening. (emphasis mine)
Or, as the modern day philosopher, Shia LaBeouf, once said, “Just Do It!”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!