• tl;dr sec
  • Posts
  • [tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing

[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing

Jon Oberheide on Duo, self-healing AWS environments, Google's fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.


I hope you’ve been doing well.

I’m excited to say this issue includes a new talk summary! The past few issues I’d been too busy with work, conferences, and checking in with loved ones so they know I’m still alive.

Oh also, the BSidesSF 2020 videos are live!

📜 In this newsletter...

🔗 Links:

  • Cloud Security: Auto-fixing open security groups and S3 buckets, continuous compliance monitoring with InSpec, AWS Config Conformance packs, GitHub Action to watch your K8s config, epic list of AWS security tools, AWS security fundamentals course, container scanning API, Kubernetes attack surface slides

  • Web Security: SSRF bug bounty walkthrough, Web App Hacker's Handbook extras, stealing WiFi creds with DNS rebinding

  • Blue Team: DoD on DevSecOps, how Microsoft secures Windows, Microsoft study on compromised accounts, DevSecOps in the future

  • Fuzzing: Google launches a fuzzer benchmarking service, fuzz your open source projects with CIFuzz, paper on greybox fuzzing + static analysis

  • Misc: Karaoke any song, IoTGoat, SpiderFoot ASCIIcasts, GUI for the Empire C2 server, Cloudflare on building a diverse team and inclusive culture

📚 New Summary: Learnings from Duo

  • Jon Oberheide on Duo's story, from conception through acquisition, and the important lessons he learned along the way. Tons of great insights 🤘

Cloud Security

The Times, They Are A-changin’
I called out a number of important trends in my recent AppSec Cali, BSidesSF, and RSA talks, including enforcing invariants and auto-remediating them, continuous compliance, and more. I also referenced auto-remediation in tl;dr sec #24.It’s interesting to see these themes coming up again and again, from the cloud vendors as well as those using them. When you’re reading the description of the first few links, notice how they’re in the same theme.I’m going to write a longer post about this at some point, but I believe we’re seeing a key shift in security: away from vulnerability identification, and towards defining how our environment and systems should and should not look, and then enforcing those expectations programmatically, continuously, everywhere. 🚀 

AWS Automated Remediation - Part 1: Security Groups
Nathan Getty describes a customized system to automatically remediating high risk findings. This post discusses automatically removing open security groups, the second focuses on open S3 buckets.

Continuous compliance monitoring with Chef InSpec and AWS Security Hub
“How to run a Chef InSpec scan with AWS Systems Manager and Systems Manager Run Command across your managed instances. InSpec is an open-source runtime framework that lets you create human-readable profiles to define security, compliance, and policy requirements and then test your EC2 instances against those profiles. InSpec profiles can also be used to make sure certain network ports aren’t reachable, to verify that certain packages are not installed, and/or to confirm that certain processes are running on your instances.”

The flow of events in the solution described in this post

Introducing AWS Config Conformance Packs
“The latest addition to the AWS Config service: conformance packs. Conformance packs help you manage configuration compliance of your AWS resources at scale – from policy definition to auditing and aggregated reporting, using a common framework and packaging model.” The post also discusses adding custom rules, remediations (which can be automatically applied), and deploying a cross-organization conformance pack.

GitOps Security with k8s-security-configwatch
K8s-security-configwatch is a Github Action that reviews the changes in your Kubernetes configuration files, highlighting those that can affect the security of the cluster. Reviewers can then take special care in those areas and ensure that the right eyes are validating every PR.” Detects changes done on Kubernetes SecurityContext objects, PodSecurityContext objects and the host namespaces settings.”

toniblyx / my-arsenal-of-aws-security-tools
Epic list of AWS security tools for defensive, offensive, auditing, DFIR, etc. Includes the tool name, URL, a concise description, number of stars, and useful metadata like last commit, number of open issues, etc. 🔥 

AWS Security Fundamentals (Second Edition)
A free, self-paced course by AWS that teaches “fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured.”

On-Demand Container Scanning API
Jerry Gamblin announced https://scan.vulnerablecontainers.org/, an open Python API which for now has two public endpoints: #1 provides a trivy report of all open vulnerabilities and #2 provides a list of open CVEs for the specified container.

Kubernetes Attack Surface
Slides on Kubernetes’ attack surface and a number of links to related work and useful tools.

Web Security

Exploiting an SSRF: Trials and Tribulations
Bug bounty walkthrough of bypassing a whitelist and other challenges in getting a PoC to work.

six2dez / wahh_extras
A number of extras from the Web Application Hacker’s handbook, including answers to prompts and relevant source code.

DNS Rebinding: Stealing WiFi creds through your solar panel inverter
Fun example of the impact of DNS rebinding in the real world, with a nice shout out to NCC Group’s DNS rebinding framework Singularity.

Blue Team

DoD Enterprise DevSecOps Ask Me Anything Sessions
I didn’t expect to come across a DoD page on DevSecOps, but hey. Contains a series of audio recordings, slide decks, and some maturity review, container hardening, and other docs.

Keeping Windows Secure
BlueHat IL 2020 talk by David Weston, Director of OS Security at Microsoft, on how to secure Windows at scale. I haven’t reviewed this talk in detail yet, but the slides look 💯 video 

Microsoft: 99.9% of compromised accounts did not use multi-factor authentication
Microsoft RSA presentation (slides) with some interesting results:

  • 99.9% of the compromised accounts they track don’t use 2FA.

  • Only 11% of enterprise accounts use MFA

  • On average, around 0.5% of all accounts get compromised each month (1.2 million in January 2020)

  • 40% of the compromised accounts are due to password spraying, another 40% are due to credential stuffing

  • The vast majority of password spraying and password replay attacks target older legacy authentication protocols, such as SMTP, IMAP, POP, and others.

Advancing DevSecOps Into the Future
Post by Gunter Ollmann, CSO of Microsoft’s Cloud and AI Security Division, that concisely describes a number of the DevSecOps trends I’ve observed, and describes some forward thinking ideas, like communications between external tools and the apps they protect, the importance of standardizing threat and behavior nomenclatures, and the future potential of AI, both by attackers in rapidly exploiting environments, and by defenders in automatically detecting and patching issues. Gunter and I chatted a bit about this post on LinkedIn, which you can see here.


Google Launches Free Fuzzer Benchmarking Service
Google released FuzzBench, fuzzer benchmarking as a service.

Researchers can simply integrate a fuzzer and the service automatically runs an experiment for 24 hours, using multiple trials and real world benchmarks. Then, FuzzBench will deliver a report to compare the performance of the fuzzer to similar tools and offer details on the strengths and weaknesses of each fuzzer.

Such integrations are simple and normally take less than 50 lines of code. Once integrated, the fuzzer can “fuzz almost all 250+ OSS-Fuzz projects out of the box,” Google says. Fuzzers such as AFL, LibFuzzer, Honggfuzz, and several academic projects such as QSYM and Eclipser have already been integrated with the service.

“Performance is determined by the amount of covered program edges, though we plan on adding crashes as a performance metric,” Google says.

OSS-Fuzz offers CIFuzz, which will run your fuzz targets each time a pull request is submitted, for projects hosted on GitHub. CIFuzz works by checking out a repository at the head of a pull request. The project’s fuzz targets are built and run for a definite amount of time (default is 10 minutes). If a bug is found, the stack trace as well as the test case are made available for download.

Targeted Greybox Fuzzing with Static Lookahead Analysis
ICSE 2020 paper by Valentin Wüstholz and Maria Christakis:

In this paper, we introduce a novel technique for targeted greybox fuzzing using an online static analysis that guides the fuzzer toward a set of target locations, for instance, located in recently modified parts of the program. This is achieved by first semantically analyzing each program path that is explored by an input in the fuzzer’s test suite. The results of this analysis are then used to control the fuzzer’s specialized power schedule, which determines how often to fuzz inputs from the test suite. We implemented our technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart contracts and evaluate its effectiveness on 27 real-world benchmarks. Our experiments show that targeted fuzzing significantly outperformsstandard greybox fuzzing for reaching 83% of the challenging targetlocations (up to 14x of median speed-up).


youkaclub / youka-desktop
Karaoke for any song in any language. You can dance if you want to, you can leave COVID-19 behind 🕺💃 

IoTGoat - A Deliberately Insecure Firmware Based On OpenWrt
The built-in vulnerabilities are based on OWASP’s IoT Top 10 project.

SpiderFoot tutorials
17 ASCIIcasts on using the OSINT framework SpiderFoot, including researching data breaches, scraping names, emails, and phone numbers, etc.

An Introduction to Starkiller
A multi-user GUI for interfacing with the Empire C2 server.

International Women’s Day 2020: Building a Modern Security Team
One of my favorite parties this RSA was at Cloudflare - cool people, good food, and a rooftop bar with a nice view. I had the opportunity to meet more of the Cloudflare security team, and I was impressed by how genuine and kind everyone was. This article by Susan Chiang and Joe Sullivan has a number of concrete, actionable tips on their lessons learned building a diverse team and inclusive culture. Here’s one point that especially stuck out to me:

We make sure we put together the right interview panel for the candidate: that means not only evaluating the candidate thoroughly but also giving the candidate the opportunity to look across the table at someone they feel comfortable asking “can someone like us succeed here?” You are not just using the interview process to evaluate the candidate, you are showing the candidate who you are as a team.

📚 New Summary: Learnings from Duo

I had the very fortunate opportunity this RSA to see Jon Oberheide give a frank, open, unrecorded talk of his experiences co-founding Duo through having it be acquired (shoutout to Haroon Meer for organizing).

With Jon’s permission, I’m sharing my notes.

The talk was dense with insights and useful takeaways, so I highly reading the full summary. Here are some of the key points:

Two of Duo’s values include engineering the business, treating the business like the product itself, constantly iterating on and improving it, and to be kinder than necessary.

In the beginning, the founders thought they’d build some advanced new security technology. Then they talked with customers, and realized account takeover was a core, recurring problem. Don’t just build something because it’s intellectually interesting, build something that solves a real problem.

To build a big, successful company, a) go after a big existing market, ideally b) with a weak incumbent.

  • Attack this big, boring, immediate market opportunity while building towards a long term vision.

  • Don’t try to create a new category if possible.

  • Taking existing allocated budget is way easier than convincing businesses to allocate new budget.

Write down what you want to be. What do you want to be known for? How do you want to be viewed by customers in the market?

A clever go to market strategy can make a winner.

Design your go to market engine early. A smooth, fast, well-tuned customer journey can utterly disrupt the slow, high friction processes of your competitors. Can you have customers see value in the first 60 seconds of using your product? Can you help them start getting wins and have a “wow” moment in the first hour?

Duo has a high net promoter score, not because it’s a great product, but because every step in the process has been carefully engineered to be a great user experience.

Duo hired for attitude and aptitude over experience. “No brilliant jerks.”

Teach empathy and communicate your company values in stories: those stick with people better than slogans on the wall.

You may be a founder, but it’s not your company. You have a lot of shareholders, and even more stakeholders. It’s important to stand up for the best interests of the company and the employees.

As you’re building a company, there will be many challenging decisions that will test your values. Doing the right thing will pay off in the long term.

Read the 👉 full summary here 👈

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!