
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing

An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing

Hey there!

I hope you’re doing well. If you’re based out of the US, I hope you had a relaxing Memorial Day weekend.

Indexing Your Brain

Like a normal person with reasonable hobbies and work-life balance, I spent some time during the extended weekend relaxing, hanging out with friends, reaching inner enlightenment, and reflecting on how I consume, store, and reference info I find useful.

I spend probably tens of hours a week reading articles, watching talks, reviewing slides, etc., and I feel like I’m not making the most of it. I’m not storing my notes in a way that makes them easily searchable or discoverable later, in the right context.

Apparently there’s even a name for this, Personal Knowledge Management (PKM).

If you’ve put some thought into optimizing how you ingest, distill, and then store info for later use, feel free to email me some details about your workflow, I’d love to hear about it.

Expect more on this later 😎

📜 In this newsletter...

🔗 Links:

  • Mobile Security: Disabling SSL pinning on iOS 12

  • Web Security: Unexploitable XSS labs by Portswigger

  • Cloud Security: 2020 AWS security maturity roadmap, S3 security challenges, 163 AWS services in 1 sentence each, CloudGoat walkthrough, control the naming of individual IAM role sessions, new course on AWS security, identity, and compliance, a vulnerable by design Terraform training project

  • Container Security: Amazon EKS security best practices guide, tool to find vulnerabilities in Docker images and monitor them for anomalous activities, GitHub action to scan Docker images for OS and application vulnerabilities

  • Blue Team: An Elasticsearch honeypot, Docker image for continuously testing Elastalert rules, analysis of the 2020 Verizon Data Breach Report

  • Red Team: Easily spin up your infra for bug bounty and pen testing, walkthrough of exploiting a purposefully vulnerable driver, a tool to generate statically undetectable binary payloads, a red team maturity model, SOCKS5 or TCP tunnels from a reverse connection over TLS, SOCKS over RDP

  • Fuzzing: Vrankenfuzz and differential crypto fuzzing, fuzzing the Windows kernel, better vulnerability discovery from fuzzing seems to require exponentially more resources

  • Politics / Privacy: 35 VPN services compared, the facial recognition world map, Zoom's E2E encryption proposal, Mozilla's pro-privacy incubator, China is targeting COVID-19 research organizations

  • OSINT: Find sensitive data in screenshots

  • Misc: The formally verified seL4 microkernel, your private Reddit RSS feeds, marriage counseling with capitalism, other non pandemic things to worry about, the 4th great unlock

Mobile Security

How SSL Kill Switch works on iOS 12
This post describes the updates Alban Diquet made to his tool SSL Kill Switch, a blackbox tool for disabling SSL pinning in iOS apps, in order to add support for iOS 12.

Web Security

Documenting the impossible: Unexploitable XSS labs
Portswigger has put together a list of examples of risky behavior on which they can’t quite pop a sweet, sweet alert(). Solve them for much glory!

Cloud Security

AWS Security Maturity Roadmap 2020
Awesome, practical guide by Scott Piper on increasing your AWS security maturity over time, broken down into concrete steps. Definitely worth reading. Also, congrats to Marco Lancini and CloudSecList for getting a shout-out as a great resource. Well earned! 🙌 (tl;dr sec got called out too 😎)

S3 Game
A series of S3-related security challenges, like flaws.cloud.

163 AWS Services in 1 Sentence Each
Joshua Thijssen - you sir, are a gentleman and a scholar 🙏 

Attacking CloudGoat 2
A step-by-step walkthrough of CloudGoat 2.0 (a “vulnerable by design” AWS deployment tool) scenarios by Appsecco.

Easily control the naming of individual IAM role sessions
“AWS IAM now has a new sts:RoleSessionName condition element for the AWS Security Token Service (STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions. You can now use the new condition to control how IAM principals and applications name their role sessions when they assume an IAM role, and rely on the role session name to easily track their actions when viewing AWS CloudTrail logs.”
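As an added example (not from the AWS announcement), here is the condition expressed in a role trust policy with Terraform: the role can only be assumed when the session is named after the calling IAM user, so every CloudTrail entry for the role points back at one person. The account id and role name are placeholders.

```hcl
# Added example, not AWS's own code. Trust policy for a role whose
# session name must match the IAM user that assumes it.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"] # placeholder account
    }

    # sts:RoleSessionName is the name passed to AssumeRole. Requiring it to
    # equal aws:username (the caller's IAM user name) means an AssumeRole
    # call with any other session name is denied, and CloudTrail records
    # the role session as "<role>/<username>".
    condition {
      test     = "StringEquals"
      variable = "sts:RoleSessionName"
      values   = ["$${aws:username}"] # $$ escapes the policy variable for Terraform
    }
  }
}

resource "aws_iam_role" "audited" {
  name               = "audited-role" # placeholder
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
```

aws:username is only populated for IAM users, so a principal that is itself a role session would need a different variable (for example aws:userid) in the same condition.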

Getting Started with AWS Security, Identity, and Compliance
A new 3 hour course that covers key services used in identity and access management, detective controls, infrastructure protection, and data protection categories. Including: IAM, Cognito, Directory Service, GuardDuty, Security Hub, Macie, AWS WAF, AWS Shield, Key Management Services (KMS), Certification Manager, Secrets Manager, Config, and the AWS Well-Architected Tool.

TerraGoat, a vulnerable-by-design Terraform training project
“Terragoat (source code) is a vulnerable-by-design Terraform project designed to give devops engineers a place to learn how to identify misconfigured infrastructure as code modules and test infrastructure code without polluting their own professional AWS account.” Checkov can be used via pre-commit hooks or linters to find errors before they’re pushed. TerraGoat includes issues like:

  • Ensure all data stored in an RDS bucket is not publicly accessible

  • Ensure no hardcoded AWS access key and secret key exists in EC2 user data

  • Ensure no security groups allow ingress from 0.0.0.0:0 to port 22

  • Ensure no hardcoded AWS access key and secret key exists in lambda environment

  • S3 Bucket has an ACL defined, which allows public READ access

  • and many, many more!
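To show what one of those checks is looking at, here is an added example (not TerraGoat's own code) of the open-to-the-world SSH ingress that Checkov flags, next to the version that passes. Resource names, the VPC id and the allowed CIDR are placeholders.

```hcl
# Added example, not from TerraGoat. Same security group twice: the
# misconfiguration Checkov reports, then the corrected form.

# Flagged: port 22 reachable from every IPv4 address.
resource "aws_security_group" "ssh_open" {
  name   = "ssh-open"                 # placeholder
  vpc_id = "vpc-0123456789abcdef0"    # placeholder

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]       # this is what the check matches on
  }
}

# Passes: SSH only from an address range you control (a bastion or VPN
# egress range), with a description so reviewers know why it is open.
resource "aws_security_group" "ssh_restricted" {
  name   = "ssh-restricted"           # placeholder
  vpc_id = "vpc-0123456789abcdef0"    # placeholder

  ingress {
    description = "SSH from corporate VPN egress range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]  # placeholder (TEST-NET-3 range)
  }
}
```

Running `checkov -d .` in a directory containing both resources reports the first one and passes the second; wiring that same command into a pre-commit hook is the workflow the post describes.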

Container Security

Introducing the Amazon EKS Best Practices Guide for Security
“The guide covers a broad range of topics including pod security, network security, incident response, and compliance. Each section includes an overview of key concepts, followed by specific recommendations and recommended tools for enhancing the security of your EKS clusters.” See the guide here or on GitHub.

eliasgranderubio/dagda
By Elías Grande: “A tool to perform static analysis of known vulnerabilities in Docker images/containers and to monitor running Docker containers for detecting anomalous activities.” Loads CVEs and other known vulnerabilities, uses OWASP Dependency Check and Retire.js for analyzing dependencies, uses Sysdig Falco for monitoring Docker container behavior.

Azure/container-scan
A GitHub Action to help you scan your Docker image for vulnerabilities. Uses Trivy to detect vulnerabilities in OS packages (e.g. Alpine, RHEL, …) and application dependencies (Bundler, npm, …). Uses dockle, a container linter, to identify when you haven’t followed certain best practices when building an image or you’re not following CIS Benchmark checkpoints.

Blue Team

ElasticPot
“A honeypot simulating a vulnerable Elasticsearch server opened to the Internet.”

Open source continuous integration for Elastalert rules
“A Docker image that can be used to continuously test Elastalert rules against Elasticsearch data, to verify that new rules and edits to existing rules work as expected” by Feroz Salam.

  • This year, they looked at 3,950 breaches and 157,525 incidents, 32,002 of which qualified to be analyzed by them

  • 45% of breaches involved Hacking. Errors were causal events in 22% of breaches

  • 70% were perpetrated by external actors (30% involved insiders).

    • The top actor was by far Organized Crime, at 55%

    • Nation-state, end-user, and system admins each took around 10% of the actor pool

  • The top 2 breach threat actions were Phishing and Use of Stolen Creds.

  • Within hacking, web applications accounted for over 95% of breaches. Over 80% involved using brute force or stolen creds

  • Breaches that take days or less are rising, while those taking months or more are declining

Red Team

pry0cc/axiom
Neat tool by NaviSec Delta’s Ben Bidmead: “A set of utilities for managing a small dynamic infrastructure on Digital Ocean for bug bounty and pentesting. Run axiom-init and watch as a new instance is created in under 2 minutes containing everything you could ever want or need to run your reconnaissance for your pentest, catch a shell in netcat, or VPN through.” Also check out his blog for solid posts on OSINT, privilege escalation, a reverse shell reference, and more.

One ring (zero) to rule them all
“Endpoint Detection and Response (EDR) is starting to rear its head in more and more environments, constraining and making post exploitation activities more difficult for operators. I expect over the next year or two, we will see kernel land shenanigans become more mainstream and no longer just Techniques, Tactics and Procedures (TTPs) of APTs and advanced red teams.” This post walks through exploiting each of the vulnerabilities in the HackSys Extreme Vulnerable Driver.

EgeBalci/sgn
“SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetectable binary payloads. It uses an additive feedback loop to encode given binary instructions.”

A Red Team Maturity Model
“A model to reference when gauging Red Team maturity, as well as set goals and provide guidance when building internal Red Teams.”

sysdream/ligolo
A simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection over TLS. “Comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.”

Tool Release – Socks Over RDP
Tool by NCC Group’s Balazs Bucsay: “Just like SSH, upon connection a SOCKS Proxy is created on the client site, which can be used to proxy everything over the existing RDP connection.” source

Fuzzing

vfuzz
In tl;dr sec 021 I called out a whitepaper about a nifty sounding fuzzer called Vrankenfuzz, which has now been open sourced.

The author, Guido Vranken, has also released cryptofuzz, a fuzzer that uses differential fuzzing (basically, compare the outputs of two programs implementing the same thing; differing output => bugs) to find over 50 bugs in various crypto libraries.

Bugs on the Windshield: Fuzzing the Windows Kernel
In previous research, Netanel Ben-Simon and Yoav Alon used WinAFL to fuzz user-space applications running on Windows, and found over 50 vulnerabilities in Adobe Reader and Microsoft Edge. They then decided to target the Windows kernel.

They initially considered kAFL, a research fuzzer that leverages AFL style fuzzing to attack OS kernels, but quickly found that a syscall fuzzer could reach a bigger attack surface, so they went with syzkaller. Overall, they found 8 vulnerabilities, DoS bugs and deadlocks in the Windows 10 Kernel. See their OffensiveCon20 talk for more details.

kAFL fuzzing loop

We present counterintuitive results for the scalability of fuzzing. Given the same non-deterministic fuzzer, finding the same bugs linearly faster requires linearly more machines. Yet, finding linearly more bugs in the same time requires exponentially more machines. Similarly, with exponentially more machines, we can cover the same code exponentially faster, but uncovered code only linearly faster. In other words, re-discovering the same vulnerabilities (or achieving the same coverage) is cheap but finding new vulnerabilities (or achieving more coverage) is expensive. This holds even under the simplifying assumption of no parallelization overhead.

We derive these observations from over four CPU years worth of fuzzing campaigns involving almost three hundred open source programs, two state-of-the-art greybox fuzzers, four measures of code coverage, and two measures of vulnerability discovery. We provide a probabilistic analysis and conduct simulation experiments to explain this phenomenon.
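One way to see why the two costs differ, as an added illustration that is not the paper's own analysis: treat one machine running one fixed time window as finding bug $i$ with probability $p_i$, keep the abstract's assumption of no parallelization overhead, and add the assumption (mine, not the paper's) that the per-bug probabilities fall off geometrically, $p_i = p_1\,c^{-(i-1)}$ for some $c > 1$.

With $n$ machines the chance of hitting bug $i$ in one window is $1-(1-p_i)^n \approx n\,p_i$ (for small $n\,p_i$), so the expected number of windows until it is found is

$$
\mathbb{E}[T_i] \approx \frac{1}{n\,p_i},
$$

and halving the time to re-find the same bug costs twice the machines: linear. Finding bugs $1,\dots,k$ inside a single window instead requires the rarest of them to be likely, $n\,p_k \gtrsim 1$, i.e.

$$
n \gtrsim \frac{1}{p_k} = \frac{c^{\,k-1}}{p_1},
$$

which grows exponentially in $k$: each additional bug multiplies the machine count by $c$.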

Politics / Privacy

VPN Report 2020 – 35 Services
Lengthy report by AV Comparatives comparing 35 VPN services across features like supported protocols (OpenVPN, PPTP, SOCKS, SSH, …), their logging policies, pricing, tests if they’ll leak your IP if the VPN drops, and more.

Zoom End-to-End Encryption Whitepaper
A 25 page public proposal for implementing E2E encryption in Zoom.

Mozilla’s Fix-The-Internet Incubator
“We’re looking to invest in people, projects, and technologies that shape the internet and have a positive impact without having to only worry about the bottom line. Privacy over profit. No Shareholders. No data for sale.”

FBI: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
“These actors have been observed attempting to identify and illicitly obtain valuable IP and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

OSINT

utkusen/shotlooter
By Utku Sen: Finds sensitive data inside the screenshots that are uploaded to https://prnt.sc/ (via the LightShot software) by applying OCR and image processing methods.

Misc

The seL4 Microkernel
“seL4 is a high-assurance, high-performance operating system microkernel. It is unique because of its comprehensive formal verification, without compromising performance. It is meant to be used as a trustworthy foundation for building safety- and security-critical systems. seL4’s implementation is formally (mathematically) proven correct (bug-free) against its specification and has been proved to enforce strong security properties”

Reddit Private RSS Feeds
“Get listings of your content (personalized front page, message panel, saved listing, etc.) without having to deal with cookies or other auth.” Thanks Daniel Miessler for the tip.

We Need To Talk: Marriage Counseling with Capitalism Itself
A beautifully illustrated philosophical discussion about Humanity, Capitalism, and post-Capitalism, framed as a counseling session.

Experts Knew a Pandemic Was Coming. Here’s What They’re Worried About Next.
In case COVID-19 has you in an overly cheery mood, here’s a detailed discussion of other plausible crises that we may be even less prepared for. Also 😖:

Every year, the intelligence community releases the Worldwide Threat Assessment—a distillation of worrisome global trends, risks, problem spots and emerging perils. But this year, the public hearing on the assessment, usually held in January or February, was canceled, evidently because intelligence leaders, who usually testify in a rare open hearing together, were worried their comments would aggravate President Donald Trump. And the government has not yet publicly released a 2020 threat report.


In the last 20 years, there have been three unlocks in the business world that have created over $500 billion in shareholder value. I believe the fourth was revealed last week.

👉 Amazon investing in at-home Covid tests, plasma donors, PPE equipment, distancing, additional compensation, and protocols to adapt to a new world.

Great strategy cuts a swath between market conditions and a firm’s assets. Put more simply, strategy is a firm’s answer to the following question:

What can we do that is really hard?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.

🙏

Thanks for reading!

Cheers,

Clint