[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
Phew, if you also attended some combination of BSidesSF and RSA, I hope your travel home was uneventful, you’ve been catching up on rest, and are coronavirus-free.
You can read this post on our blog here. 👈Media
I was interviewed by Rob Lemos for this TechBeacon article: RSA Conference 2020: 5 key takeaways for security teams.
Last DevSecCon Seattle, I was interviewed by Snyk co-founder Guy Podjarny for The Secure Developer podcast, which is now live: Ep. #48, Sustainable and Scalable Ways to Buy Down Risk.
BSidesSF and RSA
Some quick reflections on last week, more to come.
tl;dr sec stickers came just in the nick of time. Gave away >200 of them.
Let me know if you want some, I’m considering mailing them to people.
I gave 3 talks in 2 days across BSidesSF and RSA. Nice Twitter thread about our DevSecOps panel by Tanya here.
I caught up with some people I only knew from online interactions- it was great, and I didn’t wake up in a bathtub full of ice with only one kidney.
Ate delicious banana bread from someone’s backpack at BSidesSF.
Verily, I Secure Thee
“…did you start your talk doing a part of Hamlet’s monologue?” Dev asked me, referring to my AppSec Cali talk. “Yep,” I replied.
It turns out we’re both big fans of Shakespeare and classic literature, so we’ve decided to do a Shakespeare themed security talk at some point, so stay tuned 😂
How to 10X Your Security
My BSidesSF talk was an updated and improved version of my AppSec Cali talk.
I cut and modified a few slides to make the talk easier to follow.
Added more details about continuous scanning and static analysis, moved dynamic analysis (and fuzzing) content to backup slides.
The "Continuous Compliance" and "Quantifying Risk" sections were also moved to backup slides, streamlined "Apply" slides at the end - actionable things to do in the near, medium, and longer term.
Added even more relevant links to backup slides as well as a few new topics that I couldn't fit into the main talk. Added a backup slide index to make navigating the slides easier.
There are still more improvements I was planning to make to the backup slides, but at some point one must rest one’s weary head and acknowledge that things are sufficient. For now.
You can 👉 see my updated slides here 👈
Oh also, my talk was drawn live by an incredibly talented artist. This was really neat, I’ve never had this done before.
📜 In this newsletter...
Web Security: SSRF lab, find Jinja2 templates that aren't autoescaped, DOM clobbering updates, API security tips
Cloud Security: Hacking Cognito misconfigurations, ALB authentication with GSuite SAML + Cognito, accessing Secret Manager from Terraform, using aws:CalledVia condition key for least priv actions
Container Security: Walkthrough of real-world Kubernetes threats, CloudSploit supports GCP, disambiguating what "container security" means, Istio network security gotchas
Red Team: Detailed Shodan guide, dynamic and scalable red team C2 infrastructure, malware evasion technique encyclopedia
Politics / Privacy: Republican mega-donor buys Twitter stock and wants Dorsey out, app that'll tell you what info IoT devices around you collect, NYT and John Opdenakker on controlling your online exposure
Misc: Having the right metrics for AI is fundamentally hard, Node library to automate Chromium/Firefox/Webkit, whitepaper on microcontroller readback protection (bypasses and defenses)
Lab: SSRF with whitelist-based input filter
Web Security Academy lab based on Orange Tsai’s research on breaking URL parsers.
Bento check: Flask template files that aren’t autoescaped by default
Apparently Jinja2 only autoescapes templates ending in
.xhtml when using
render_template(). If you use
render_template() with another extension, like
.jinja2, etc., you may be vulnerable to XSS. Nice post by r2c on creating a check for this bad pattern and running it against 715 open source Flask apps on GitHub. Get this and other checks with bento.
DOM Clobbering strikes back
From Portswigger’s Gareth Heyes: “As classic client-side vulnerabilities like XSS and CSRF get patched, CSP’d and SameSite’d into oblivion, niche attack techniques like DOM Clobbering are becoming ever more relevant. In this post, I’m going to quickly introduce DOM Clobbering, expand on my original research with some new techniques, and share two interactive labs so you can try the techniques out for yourself.”
31 Tips — API Security & Pentesting
Tips on authorization, authentication, CSRF, data exposuure, DoS, injection, mass assigngment, tools, and what to do if you get stuck during a pen test.
Hacking AWS Cognito Misconfigurations
Case study: Target application had a login page and no sign up feature exposed, Cognito was misconfigured to allow sign up of new users, sign up and login to obtain AWS temporary token for authenticated Identities, AWS token had access to Lambda functions -> privilege escalation.
ALB authentication with G Suite SAML using Cognito
Post by Alex Smolen on how he tried to get Cognito to play nicely with G Suite SAML for ALB authentication. There ended up being an encoding issue, but this seems like a really promising way to “zero trust”-ify APIs in AWS.
gsuite-saml-cognito source code
Accessing Secret Manager from Terraform
Post by Seth Vargo on how to access Secret Manager, Google Cloud’s service for storing API keys, passwords, certificates, and other sensitive data, from Terraform. Source code here.
How to define least-privileged permissions for actions called by AWS services
“IAM now includes condition keys to make it easier to grant only the minimum level of access necessary for IAM principals (users and roles) and AWS services to take those actions. Using the
aws:CalledVia condition key, you can create distinct access rules for the actions performed by your IAM principals, and for the subsequent actions taken by AWS services on your behalf.” The post gives a walkthrough of how to secure access to a database managed in Amazon Athena behind a VPC: how to grant access to execute queries in Athena without granting direct access to dependent services such as S3, and how you can use
aws:CalledVia to prevent access to your databases from outside your private networks.
Deep Dive into Real-World Kubernetes Threats
Companion blog post by NCC Group’s Mark Manning that extends his “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” Shmoocon 2020 talk. I saw an early version of this at NCC Con, and I really appreciated how it doesn’t just present a number of ideas, but instead presents key concepts in a walkthrough/scenario-based way, as if you were actively trying to gain control of a cluster. slides, demo code
Announcing General Availability of CloudSploit by Aqua for GCP
“Compliance support now includes mapping of CloudSploit’s library of GCP plug-ins to PCI-DSS and HIPAA requirements, to provide individual, actionable policy checks to help detect compliance violations across GCP accounts.” CloudSploit by Aqua’s library of GCP plug-ins are also mapped to the popular CIS Benchmark controls.
Container Security – Nobody Knows What It Means But It’s Provocative
Capsule8’s Kelly Shortridge wrote an excellent disambiguation of “container security,” breaking it into 3 core areas: build, ship, and run, corresponding to the phases of a typical software development lifecycle. For each area, she describes the primary features of solutions, their benefits and downsides, and some representative OSS tools and vendors. Super useful post 💯
A Survey of Istio’s Network Security Features
Detailed blog post by NCC Group’s Jack Leadford on some uninituitive subtleties in Istio’s behavior, on topics including IPv6, mutual TLS (fun fact: there are edge cases in which it’s not enforced), restricting egress traffic, and more. Every section has thorough reproduction steps for demonstrating the behavior locally. Nice!
Shodan Pentesting Guide
Lengthy guide to the CLI commands, website, language client libraries, search query syntax, and more.
Introduction To Modern Routing For Red Team Infrastructure - using Traefik, Metasploit, Covenant and Docker
“We want to deploy a more evolved red teaming infrastructure that can dynamically create routes to our C2 Docker containers, instead of manually editing a configuration file every time we want a new route from our reverse-proxy. We also want it to be easy to scale, and easy to monitor… Traefik will enable us to easily manage dynamic routes, and deploy C2 containers with smooth forwarding to our payloads and session handlers… Once done, we’ll have an elastic reverse-proxy, functional routes to two different C2 containers with payloads and handlers, and the knowledge to summon many more at will. And a nice route monitoring UI.”
Check Point Research: Evasion Techniques
A malware evasion encyclopedia, which contains over 50 techniques used by various malware to detect virtualized and sandboxed environments.
Politics / Privacy
Republican mega-donor buys stake in Twitter and seeks to oust Jack Dorsey
In October, Twitter announced a ban on political advertising, due to its influence and manipulation potential when used by politicians. Paul Singer, a billionnaire and Republican mega-donor, has purchased a stake in Twitter and is purportedly seeking to oust Dorsey.
What the Hell Is That Device, and Is It Spying on You? This App Might Have the Answer
Researchers at Carnegie Mellon University have released a beta of an app, The Internet of Things (IoT) Assistant, which will scan any unidentified IOT nearby, tell you what they do, and guide you toward the ability to opt out of data collection (assuming such an option exists). The app “relies on a database compiled by volunteers, cybersecurity experts, and companies trying to simplify compliance with new privacy legislation like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection Regulation (GDPR).”
How to Dox Yourself on the Internet
Article on the NYT’s “step-by-step guide to finding and removing your personal information from the Internet.” Some useful context in the post, and see here for a series of Google docs detailing the NYT’s program consisting of repeatable steps that can be taken to clean up one’s online footprint.
How to control your online exposure
Post by John Opdenakker on several ways to find public information about you, having it removed, and setting Google alerts to learn when new info about you is published.
The Problem with Metrics is a Fundamental Problem for AI
Thanks Jon Hawes for the heads up on this paper.
Microcontroller Readback Protection: Bypasses and Defense
Whitepaper by NCC Group’s Sultan Qasim Khan: “Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides guidance to implement effective readback protection.”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!