[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this on our blog.)

Hey there,

I hope you’ve been doing well and staying healthy.

FYI: I’m going to take a week or two off from tl;dr sec after this issue.

Don’t worry, I’m fine, there’s just a few things I need to wrap up. In fact, there’s something I’ve been working on that I’m excited to share with you soon!

Poll Results: What Readers Prefer

What we learned: ~44% of readers most prefer a weekly digest with more info about links, while links with fewer details and talk summaries tied at ~28% each.

Fewer than 10% of the people who opened the email voted. For shame! 😛

📜 In this newsletter...

🔗 Links:

  • Protecting Your Home Network: Caleb Sima and Scott Helme on canaries, getting visibility into your devices, VLANs and more

  • Web Security: Stanford releases their web security course curriculum, does DNS over HTTP affect DNS rebinding?

  • AppSec: Lessons learned from running Facebook and Uber's bug bounty, run Snyk in VS Code, free book from Google on building secure systems

  • Cloud Security: Consolidated Azure security docs, gotchas in isolating networks on AWS, Amazon Detective publicly available, find potential permission issues with IAM Access Analyzer, locking down IAM policies with global condition context keys, using an image release process

  • Container Security: Easily use Vault with Kubernetes, ATT&CK matrix for Kubernetes

  • Blue Team: Wirecutter's best security key for 2FA, stats from 1,300 phishing campaigns

  • Privacy / Politics: Leaked Amazon memo details plans to smear fired warehouse organizer

  • Misc: Twitter thread on the origins of Triscuit, how Slack deploys code, trying to set fires by hacking 3D printers, bringing 4K anime to Netflix, thoughts on COVID-19's impact on higher ed

🔗 Links

Securing Your Home Network

How I protected my home network
Caleb Sima wanted an “it just works” setup that he could plug in and forget about. He ended up deploying a honeypot (like Thinkst Canary) to detect when someone is scanning or otherwise doing bad things on the network, and a Fingbox to get visibility into every device on the network and kick misbehaving ones off.

Securing your home network in preparation for Working From Home
Scott Helme recommends using a strong password on your WiFi network, creating a separate WiFi network for trusted devices (e.g. your laptop, phone, etc.) and a guest network (IoT, guests), using a VLAN to prevent guest network devices from talking to devices on the main network, and regularly updating your hardware, as new security issues are always being reported. He uses the Unifi Security Gateway and is happy with it.

Web Security

Stanford: CS 253 Web Security
Includes videos, course slides, reading material and course assignments.

  • Topics include: Principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code.

  • Course projects include: writing security exploits, defending insecure web apps, and implementing emerging web standards.

Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
By NCC Group’s Roger Meyer and Gerald Doussot: DoH encrypts DNS traffic using HTTPS, which prevents ISPs, people on public WiFi, and anybody else in a privileged network position from observing the traditional plaintext DNS traffic sent from the browser to the DNS server.

tl;dr: “Our results show that DoH does not prevent DNS rebinding attacks and all rebinding strategies and techniques implemented in Singularity still work, including the fast multiple answers strategy and DNS cache flooding technique that allow rebinding in just a few seconds.”

This follows from what DoH actually protects: the hop between the browser and its resolver. Rebinding depends on the answers the attacker’s own authoritative server hands out (a public address first, then a private one, with TTLs too low to cache), and an encrypted channel delivers those answers just as faithfully as plaintext UDP did. The post has a nice overview of DoH, how to configure it in Firefox and Chrome, and a neat tidbit on how to easily get DNS results as JSON from a DoH resolver.
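To make the “DoH does not stop rebinding” point concrete, here is an added example (not code from the NCC Group post or from Singularity) that takes the JSON answer format the Cloudflare and Google DoH endpoints return and flags what rebinding looks like on the wire: a public hostname resolving to a private, loopback or link-local address, the “multiple answers” strategy (public and private address in one response), and TTLs too low to cache. The hostnames, addresses and the `rebinding_findings` helper are my own constructions; the samples are built inline, not captured traffic.

```python
"""Flag DNS-rebinding patterns in DNS-over-HTTPS JSON answers.

Added example, not code from the NCC Group post or from Singularity. The input is
the JSON answer format served by the Cloudflare and Google DoH endpoints; the
samples below are constructed, not captured traffic.
"""
import ipaddress
import json

A_RECORD, AAAA_RECORD = 1, 28


def is_internal(addr: str) -> bool:
    """True for addresses a public hostname has no business resolving to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def rebinding_findings(doh_json: str) -> list:
    """Return human-readable findings for one DoH JSON response (empty = clean).

    DoH only encrypts the hop to the resolver; the answers are still whatever the
    attacker's authoritative server returned, so these checks apply with DoH on.
    """
    resp = json.loads(doh_json)
    answers = [(a["name"], a["data"], a.get("TTL", 0))
               for a in resp.get("Answer", [])
               if a.get("type") in (A_RECORD, AAAA_RECORD)]
    internal = [ans for ans in answers if is_internal(ans[1])]
    public = [ans for ans in answers if not is_internal(ans[1])]

    findings = []
    for name, data, ttl in internal:
        findings.append(f"{name} -> {data}: internal address for a public name (TTL {ttl})")
    if internal and public:
        # Singularity's "multiple answers" strategy: public + private address together;
        # the browser falls back to the private one once the public host stops answering.
        findings.append("mixed public and internal answers: multiple-answers rebinding strategy")
    if answers and all(ttl <= 1 for _, _, ttl in answers):
        # Weak indicator on its own; it is what lets the name flip on the next lookup.
        findings.append("TTL <= 1 on every answer: resolver cannot cache, name can be flipped")
    return findings


# Constructed samples in the dns-json shape (the ".example" TLD is reserved).
BENIGN = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "www.example", "type": 1}],
    "Answer": [{"name": "www.example", "type": 1, "TTL": 3600, "data": "93.184.216.34"}],
})
REBIND_MULTI = json.dumps({
    "Status": 0,
    "Question": [{"name": "rebind.attacker.example", "type": 1}],
    "Answer": [
        {"name": "rebind.attacker.example", "type": 1, "TTL": 0, "data": "52.95.110.1"},
        {"name": "rebind.attacker.example", "type": 1, "TTL": 0, "data": "192.168.1.1"},
    ],
})
REBIND_FLIP = json.dumps({  # second lookup in the classic TTL-0 flip: now only loopback
    "Status": 0,
    "Question": [{"name": "rebind.attacker.example", "type": 28}],
    "Answer": [{"name": "rebind.attacker.example", "type": 28, "TTL": 0, "data": "::1"}],
})

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("multi", REBIND_MULTI), ("flip", REBIND_FLIP)]:
        print(label, rebinding_findings(sample) or ["no rebinding indicators"])
```

Against a live resolver the same JSON comes back from `curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'`, so the output of that command can be fed straight into `rebinding_findings`. The checks are resolver- or application-side filtering, the same class of mitigation as dnsmasq’s option to drop private answers for public names; they do nothing about a rebind the attacker pulls off before the check runs, which is why the authoritative fix remains Host-header validation on the internal service.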

AppSec

Bug Bounty 5 years in
How to prepare, launch, and run a high quality bounty program, based on what Collin Greene learned from launching and leading the Facebook and Uber programs. Tons of great insights; a Must Read™ post if you’re interested in running bug bounty programs.

Vuln Cost: security scanner for VS Code
Snyk released a VS Code extension that shows you the known vulnerabilities in the dependencies you’re using.

Building Secure and Reliable Systems
Free 550+ page book from Google, a companion to its SRE books. It seems to have a ton of great principles and practical discussions of real challenges, and appears to be one of the most practically useful security books I’ve come across recently.

Cloud Security

Azure Security Documentation
New Microsoft site that consolidates a number of relevant resources in one place.

Isolated networks on AWS
By Scott Piper: “It is possible on AWS to have an isolated network where you cannot communicate in or out except through limited, controlled pathways. Setting something like this up has some gotchas. This post provides a CDK app to help you experiment and see these issues for yourself, with discussions of the gotchas, their mitigations, and limitations of those mitigations.”

Amazon Detective – Rapid Security Investigation and Analysis
A fully managed service that automates the heavy lifting involved in processing large quantities of AWS log data to determine the cause and impact of a security issue.

Once enabled, Detective automatically begins distilling and organizing data from Amazon GuardDuty, AWS CloudTrail, and Amazon VPC Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment.

Use AWS IAM Access Analyzer in AWS Organizations
Helps you understand who can access resources by analyzing permissions granted using policies for S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues. Access Analyzer uses automated reasoning to determine all possible access paths allowed by a resource policy.

For each analyzer, you create a zone of trust (an account or an entire organization), which lets you quickly identify when resources in your organization can be accessed from outside it. See also the re:Invent talk: Dive Deep into IAM Access Analyzer.

Fine-tuning access with AWS IAM global condition context keys
By Alex Smolen: AWS IAM policies answer the question “who gets access to what?”. AWS IAM policy conditions answer the more precise question “who gets access to what, when?”. Conditions enhance the expressive power of IAM policies by allowing authors to restrict access control by context.

This blog post describes the AWS global condition context keys (i.e. those prefixed with aws:) and their caveats. Alex describes the key points of how you can restrict by:

  • Calling service: CalledVia, CalledViaFirst, CalledViaLast, ViaAWSService, SourceAccount, SourceArn

  • Network: SourceIp, SourceVpc, SourceVpce, VpcSourceIp

  • Header: Referer, UserAgent

  • Transport: SecureTransport

  • Region: RequestedRegion

  • Request time: CurrentTime, EpochTime

  • Credential time: TokenIssueTime, MultiFactorAuthAge

  • Credential type: MultiFactorAuthPresent

  • Tag: RequestTag, ResourceTag, TagKeys

  • Principal: PrincipalAccount, PrincipalArn, PrincipalOrgID, PrincipalOrgPaths, PrincipalTag, PrincipalType, userid, username

(Figure: example request service chain with aws:CalledVia values)
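The “caveats” part matters as much as the list of keys. As an added worked example (not code from Alex Smolen’s post or from AWS), the block below is a small evaluator for IAM Condition blocks that implements just the operators it needs (Bool, BoolIfExists, StringEquals, IpAddress, Null) plus the Deny-overrides-Allow rule, and uses it to show the best-known trap among the credential-type keys: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a Deny conditioned on `"Bool": {"aws:MultiFactorAuthPresent": "false"}` never fires for it, while `BoolIfExists` (or a `Null` check) treats the missing key as “no MFA”. The two policies, the request contexts and the helper names (`condition_matches`, `evaluate`) are my own constructions; the operator semantics follow AWS’s documented behaviour for missing keys.

```python
"""Evaluate IAM Condition blocks that use aws:* global condition keys.

Added example, not code from the post or from AWS. Implements just enough of the
condition operators (Bool, BoolIfExists, StringEquals, IpAddress, Null) and the
Deny-overrides-Allow rule to reproduce a documented caveat: requests signed with
long-term access keys carry no aws:MultiFactorAuthPresent key at all.
"""
import ipaddress
from fnmatch import fnmatch


def _operator_matches(operator: str, expected: str, actual: str) -> bool:
    """Apply one operator to one policy value and one request value."""
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    if base == "Bool":
        return actual.lower() == expected.lower()
    if base == "StringEquals":
        return actual == expected
    if base == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"operator {operator} is outside this example")


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every operator/key pair in a Condition block is satisfied.

    `context` maps lowercase key names to the value(s) the request carries; a key
    the request lacks is absent from the dict, as in the real IAM request context.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_vals = expected if isinstance(expected, list) else [expected]
            actual = context.get(key.lower())
            if operator == "Null":
                # Null "true" matches an absent key, Null "false" a present one.
                if (actual is None) != (expected_vals[0].lower() == "true"):
                    return False
                continue
            if actual is None:
                # Missing key: plain operators evaluate false, *IfExists operators pass.
                if operator.endswith("IfExists"):
                    continue
                return False
            actual_vals = actual if isinstance(actual, list) else [actual]
            if not any(_operator_matches(operator, e, a)
                       for e in expected_vals for a in actual_vals):
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action.

    Resource matching is left out: every statement is taken to cover the resource.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch(action, pattern) for pattern in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats every Allow
        decision = "Allow"
    return decision


# Policy as commonly written: deny the destructive action unless MFA is present.
NAIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Same intent with the missing-key case handled, plus network and transport pins.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Constructed request contexts, not CloudTrail records. Long-term keys carry no MFA key.
MFA_SESSION = {"aws:multifactorauthpresent": "true", "aws:sourceip": "203.0.113.7",
               "aws:securetransport": "true"}
NO_MFA_SESSION = {**MFA_SESSION, "aws:multifactorauthpresent": "false"}
LONG_TERM_KEY = {"aws:sourceip": "203.0.113.7", "aws:securetransport": "true"}
PLAIN_HTTP = {**LONG_TERM_KEY, "aws:securetransport": "false"}

if __name__ == "__main__":
    print("naive, long-term key:", evaluate(NAIVE_POLICY, "s3:DeleteBucket", LONG_TERM_KEY))
    print("fixed, long-term key:", evaluate(FIXED_POLICY, "s3:DeleteBucket", LONG_TERM_KEY))
```

The same missing-key logic bites the network keys in the other direction: aws:SourceIp is not populated for requests that arrive through a VPC endpoint (aws:VpcSourceIp is), so an Allow pinned to aws:SourceIp silently turns into an implicit deny for those callers. Before relying on any aws:* key in a Deny, check which credential types and call paths actually populate it.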

Using an Image Release Process for Security Wins
Video and slides. “Through an image release process using AWS-AMI, this walkthrough will harden the security of the images used to deploy applications in a safe way without disrupting your services.”

Container Security

HashiCorp Vault: Delivering Secrets with Kubernetes
A walkthrough example of delivering database credentials from Vault to a Kubernetes pod using the Vault Agent Sidecar Injector.

The Vault Agent Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates. Because the secrets land on a shared volume, containers within the pod can consume them without being Vault aware. Demo code is available alongside the post.

Attack matrix for Kubernetes
Microsoft created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with a focus on Kubernetes.

Blue Team

The Best Security Key for Multi-Factor Authentication
Wirecutter, which does in-depth reviews of various products, just released one on physical security keys that can be used for 2FA. Result: “The Yubico YubiKey 5 Series has the best combination of compatibility, usability, and security of any key we tested.”

Crave the Data: Statistics from 1,300 Phishing Campaigns
NCC Group’s Simon Palmer describes results from Piranha, NCC Group’s phishing platform.

  • 1,300 phishing campaigns were analysed involving over 360,000 users

  • Targets in Charities were over 3 times more likely to click than the Health Sector

  • However, once a target clicked, half were likely to supply credentials, regardless of sector

  • Best case 1/10 of targets will click a link

  • Best case 1/20 of targets will supply credentials

Politics / Privacy

Leaked Amazon Memo Details Plan to Smear Fired Warehouse Organizer
Amazon fired a warehouse worker after he led a walkout motivated by a lack of protective measures against COVID-19 in the warehouse, people coming in sick due to mandatory overtime, etc. Vice obtained leaked notes from an internal meeting of Amazon leadership:

“He’s not smart, or articulate, and to the extent the press wants to focus on us versus him, we will be in a much stronger PR position than simply explaining for the umpteenth time how we’re trying to protect workers,” wrote Amazon General Counsel David Zapolsky.

“We should spend the first part of our response strongly laying out the case for why the organizer’s conduct was immoral, unacceptable, and arguably illegal, in detail, and only then follow with our usual talking points about worker safety,” Zapolsky wrote. “Make him the most interesting part of the story, and if possible make him the face of the entire union/organizing movement.”

Misc

Twitter thread about the origins of Triscuit
A fun story about when your curiosity can’t be satisfied and you just have to know something. You’re welcome.

Deploys at Slack
Not really security, but an interesting overview of how Slack deploys code 10+ times a day to many servers without breaking things.

With IoT, Common Devices Pose New Threats
IoT security is generally a dumpster fire, but the perceived risk can often be low. This post by Coalfire’s Dan McInerney pursues a question (and maybe goal) that many of us have: can I cause an IoT device to start a fire/explode/etc.? “Even people with zero reverse engineering experience will be able to follow along as we try to weaponize this 3D printer into a fire bomb. Stay tuned!”

Bringing 4K and HDR to Anime at Netflix with Sol Levante
Fascinating post about the challenges of creating an anime with a digital-first workflow (vs. paper); it also details the ecosystem around how anime is produced. The short, Sol Levante, is available on Netflix now, and to help other creators they’re even making public the image and sound assets for Sol Levante, including the TIFF sequence and IMF, selected After Effects projects, Pro Tools sessions, animatic and storyboard, and more.

Post Corona: Higher Ed
I really enjoy Scott Galloway’s newsletter, “No Mercy / No Malice.” Scott is a professor of marketing at NYU Stern who applies a critical eye to many things (often tech), with a snarky wit.

Things won’t change as much as they will accelerate. While other crises reshaped the future, COVID-19 is just making the future happen faster.

We’ll see a culling among universities. Just as retail closures are accelerating from 9,500 stores in 2019 to more than 15,000 in 2020, we’re going to see dozens, maybe hundreds, of universities not reopen. In academia, we have been preying on the hopes and prayers of the middle class, offering parents the chance to check an instinctive box, giving their kids a better life, by sending them to college. We also encouraged them to borrow against their 401(k)s and take out mortgages to underwrite our shape-shifting from public servants to luxury brands. No more.

Similar to other categories, there will be a flight to quality and a concentration of power among a small number of brands.

At each university, there are 6-12 “ringers,” great teachers who are worth it. Ringers, unbounded by the geographic constraints of their campus and parent brand, will see their compensation rise 3-10x over the next decade. Administrators at the top 10 universities who have the skills to become product managers will see their comp increase. Everyone else in traditional academia will make less.

The second-greatest accretion of stakeholder value in business, behind Amazon’s entry into healthcare, will be big (and some small) tech firms partnering with a world class university to offer 80% of a traditional four-year degree for 50% of the price.

Like most industries disrupted by software, tremendous value will accrue to millions of consumers via deflation. Hundreds of thousands of jobs will vanish. And billions of shareholder value will flow to disturbingly few organizations and their stakeholders. There will also be a reshaping of priorities as we take attributes that make us most human — the discovery, empathy, and emotional growth of a campus-based liberal arts education (a luxury only the wealthy will be able to afford) — and replace them with the pursuit of vocational skills and shareholder value.

Big tech’s impending march into higher ed will bring more learning to more humans, and erode our humanity.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint