[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
I hope you’re doing well. If you’re based out of the US, I hope you had a relaxing Memorial Day weekend.
Indexing Your Brain
Like a normal person with reasonable hobbies and work-life balance, I spent some time during the extended weekend relaxing, hanging out with friends, reaching inner enlightenment, and reflecting on how I consume, store, and reference info I find useful.
I spend probably tens of hours a week reading articles, watching talks, reviewing slides, etc., and I feel like I’m not making the most of it. I’m not storing my notes in a way that makes them easily searchable or discoverable later, in the right context.
Apparently there’s even a name for this, Personal Knowledge Management (PKM).
If you’ve put some thought into optimizing how you ingest, distill, and then store info for later use, feel free to email me some details about your workflow, I’d love to hear about it.
Expect more on this later 😎
📜 In this newsletter...
Mobile Security: Disabling SSL pinning on iOS 12
Web Security: Unexploitable XSS labs by Portswigger
Cloud Security: 2020 AWS security maturity roadmap, S3 security challenges, 163 AWS services in 1 sentence each, CloudGoat walkthrough, control the naming of individual IAM role sessions, new course on AWS security, identity, and compliance, a vulnerable by design Terraform training project
Container Security: Amazon EKS security best practices guide, tool to find vulnerabilities in Docker images and monitor them for anomalous activities, GitHub action to scan Docker images for OS and application vulnerabilities
Blue Team: An Elasticsearch honeypot, Docker image for continuously testing Elastalert rules, analysis of the 2020 Verizon Data Breach Report
Red Team: Easily spin up your infra for bug bounty and pen testing, walkthrough of exploiting a purposefully vulnerable driver, a tool to generate statically undetectable binary payloads, a red team maturity model, SOCKS5 or TCP tunnels from a reverse connection over TLS, SOCKS over RDP
Fuzzing: Vrankenfuzz and differential crypto fuzzing, fuzzing the Windows kernel, better vulnerability discovery from fuzzing seems to require exponentially more resources
Politics / Privacy: 35 VPN services compared, the facial recognition world map, Zoom's E2E encryption proposal, Mozilla's pro-privacy incubator, China is targeting COVID-19 research organizations
OSINT: Find sensitive data in screenshots
Misc: The formally verified seL4 microkernel, your private Reddit RSS feeds, marriage counseling with capitalism, other non pandemic things to worry about, the 4th great unlock
How SSL Kill Switch works on iOS 12
This post describes the updates Alban Diquet made to his tool SSL Kill Switch, a blackbox tool for disabling SSL pinning in iOS apps, in order to add support for iOS 12.
Documenting the impossible: Unexploitable XSS labs
Portswigger has put together a list of examples of risky behavior on which they can’t quite pop a sweet, sweet alert(). Solve them for much glory!
AWS Security Maturity Roadmap 2020
Awesome, practical guide by Scott Piper on increasing your AWS security maturity over time, broken down into concrete steps. Definitely worth reading. Also, congrats to Marco Lancini and CloudSecList for getting a shout-out as a great resource. Well earned! 🙌 (tl;dr sec got called out too 😎)
Easily control the naming of individual IAM role sessions
“AWS IAM now has a new sts:RoleSessionName condition element for the AWS Security Token Service (STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions. You can now use the new condition to control how IAM principals and applications name their role sessions when they assume an IAM role, and rely on the role session name to easily track their actions when viewing AWS CloudTrail logs.”
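As an added illustration (not from the AWS announcement), here is what that condition looks like in a role's trust policy. The account ID, statement ID, and the choice to tie the session name to the caller's IAM user name are assumptions for the example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionNameMustMatchCallerUserName",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:RoleSessionName": "${aws:username}" }
      }
    }
  ]
}
```

With this trust policy, `aws sts assume-role --role-arn <role-arn> --role-session-name alice` only succeeds when the caller is the IAM user `alice`, and every CloudTrail event from that session carries `assumed-role/<RoleName>/alice` in the principal ARN, so the name can no longer be chosen freely to blend in. One caveat: `${aws:username}` only resolves for IAM user principals; a policy variable that does not resolve makes the condition false, so callers that are themselves roles would be denied by this statement. For role-to-role chaining, condition on a principal tag instead (for example `${aws:PrincipalTag/owner}`), or use `StringLike` with a prefix pattern if you only want to enforce a naming convention rather than an exact match.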
Getting Started with AWS Security, Identity, and Compliance
A new 3 hour course that covers key services used in identity and access management, detective controls, infrastructure protection, and data protection categories. Including: IAM, Cognito, Directory Service, GuardDuty, Security Hub, Macie, AWS WAF, AWS Shield, Key Management Services (KMS), Certification Manager, Secrets Manager, Config, and the AWS Well-Architected Tool.
TerraGoat, a vulnerable-by-design Terraform training project
“Terragoat (source code) is a vulnerable-by-design Terraform project designed to give devops engineers a place to learn how to identify misconfigured infrastructure as code modules and test infrastructure code without polluting their own professional AWS account.” Checkov can be used via pre-commit hooks or linters to find errors before they’re pushed. Terragoat includes issues like:
Ensure all data stored in an RDS instance is not publicly accessible
Ensure no hardcoded AWS access key and secret key exists in EC2 user data
Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Ensure no hardcoded AWS access key and secret key exists in lambda environment
S3 Bucket has an ACL defined, which allows public READ access
and many, many more!
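To make three of those findings concrete, here is an added before/after Terraform snippet (written for this newsletter, not taken from TerraGoat or Checkov). Resource names, the bucket names, the AMI ID, the bastion CIDR, and the placeholder credential strings are all made up for the example:

```hcl
# ---- Misconfigured: the sort of thing TerraGoat ships on purpose ----

# World-reachable SSH. This is what "ingress from 0.0.0.0/0 to port 22" means.
resource "aws_security_group" "ssh_open" {
  name = "ssh-open"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Public-read ACL: any anonymous client can list and fetch objects.
resource "aws_s3_bucket" "public_read" {
  bucket = "example-public-read-bucket"        # placeholder name
  acl    = "public-read"
}

# Long-lived keys in user data are readable from the instance metadata
# endpoint and get baked into every AMI/snapshot taken of the host.
resource "aws_instance" "keys_in_user_data" {
  ami           = "ami-00000000"                # placeholder
  instance_type = "t3.micro"
  user_data     = <<-EOT
    #!/bin/bash
    export AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER        # placeholder, not a real key
    export AWS_SECRET_ACCESS_KEY=EXAMPLE-SECRET-PLACEHOLDER
  EOT
}

# ---- Corrected ----

# Only the bastion / VPN range may reach SSH.
resource "aws_security_group" "ssh_restricted" {
  name = "ssh-restricted"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]            # placeholder: your admin range
  }
}

resource "aws_s3_bucket" "private_bucket" {
  bucket = "example-private-bucket"             # placeholder name
  acl    = "private"
}

# Give the instance a role; the SDK picks up short-lived credentials from
# the instance profile, so nothing static needs to be in user data.
resource "aws_iam_role" "app" {
  name = "app-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = aws_iam_role.app.name
}

resource "aws_instance" "with_instance_profile" {
  ami                  = "ami-00000000"         # placeholder
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.app.name
}
```

Running `checkov -d .` in a directory containing the first half reports each of the three problems by check ID and file/line, and the second half passes those checks. Note that the inline `acl` argument on `aws_s3_bucket` reflects the AWS provider of the time; newer provider versions move it to a separate `aws_s3_bucket_acl` resource, but the misconfiguration and the fix are the same.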
Introducing the Amazon EKS Best Practices Guide for Security
“The guide covers a broad range of topics including pod security, network security, incident response, and compliance. Each section includes an overview of key concepts, followed by specific recommendations and recommended tools for enhancing the security of your EKS clusters.” See the guide here or on GitHub.
“A tool to perform static analysis of known vulnerabilities in Docker images/containers and to monitor running Docker containers for detecting anomalous activities.” Loads CVEs and other known vulnerabilities, uses OWASP Dependency Check and Retire.js for analyzing dependencies, uses Sysdig Falco for monitoring Docker container behavior.
A GitHub Action to help you scan your Docker image for vulnerabilities. Uses Trivy to detect vulnerabilities in OS packages (e.g. Alpine, RHEL, …) and application dependencies (Bundler, npm, …). Uses dockle, a container linter, to identify when you haven’t followed certain best practices when building an image or you’re not following CIS Benchmark checkpoints.
“A honeypot simulating a vulnerable Elasticsearch server opened to the Internet.”
Open source continuous integration for Elastalert rules
“A Docker image that can be used to continously test Elastalert rules against Elasticsearch data, to verify that new rules and edits to existing rules work as expected” by Feroz Salam.
This year, they looked at 3,950 breaches and 157,525 incidents, 32,002 of which met their quality standards for analysis
45% of breaches involved Hacking. Errors were causal events in 22% of breaches
70% were perpetrated by external actors (30% involved insiders).
The top actor was by far Organized Crime, at 55%
Nation-state, end-user, and system admins each took around 10% of the actor pool
The top 2 breach threat actions were Phishing and Use of Stolen Creds.
Within hacking, web applications accounted for over 95% of breaches. Over 80% involved using brute force or stolen creds
Breaches that take days or less are rising, while those taking months or more are declining
Neat tool by NaviSec Delta’s Ben Bidmead: “A set of utilities for managing a small dynamic infrastructure on Digital Ocean for bug bounty and pentesting. Run axiom-init and watch as a new instance is created in under 2 minutes containing everything you could ever want or need to run your reconnaissance for your pentest, catch a shell in netcat, or VPN through.” Also check out his blog for solid posts on OSINT, privilege escalation, a reverse shell reference, and more.
One ring (zero) to rule them all
“Endpoint Detection and Response (EDR) is starting to rear its head in more and more environments, constraining and making post exploitation activities more difficult for operators. I expect over the next year or two, we will see kernel land shenanigans become more mainstream and no longer just Techniques, Tactics and Procedures (TTPs) of APTs and advanced red teams.” This post walks through exploiting each of the vulnerabilities in the HackSys Extreme Vulnerable Driver.
“SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetectable binary payloads. It uses an additive feedback loop to encode given binary instructions.”
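To show what "additive feedback" means in practice, here is an added toy encoder/decoder pair in Python. It is written for this newsletter and is not SGN's code: each 32-bit block is XORed with a running key, and the key is then updated by adding the decoded block, so every output block depends on the entire prefix and a different initial key changes every byte of the output. The NOP padding, the sample payload, and the function names are assumptions of the example; real SGN additionally emits a variable decoder stub, which this does not attempt.

```python
"""Toy additive-feedback XOR encoder (constructed example, not SGN's code).

Encoding of block i:  out[i] = block[i] ^ k_i
Key update:           k_{i+1} = (k_i + block[i]) mod 2^32
Decoding mirrors this: XOR with the running key, then add the *decoded*
block to the key, which is exactly what a decoder stub would do at runtime.
"""
import struct

MASK32 = 0xFFFFFFFF


def encode_additive_feedback(payload: bytes, key: int) -> bytes:
    # Pad to a 4-byte boundary with NOPs (0x90); an assumption of this example.
    padded = payload + b"\x90" * (-len(payload) % 4)
    out = bytearray()
    k = key & MASK32
    for off in range(0, len(padded), 4):
        block = struct.unpack_from("<I", padded, off)[0]
        out += struct.pack("<I", block ^ k)
        k = (k + block) & MASK32          # feedback: key absorbs the plaintext block
    return bytes(out)


def decode_additive_feedback(blob: bytes, key: int) -> bytes:
    if len(blob) % 4:
        raise ValueError("encoded blob must be a multiple of 4 bytes")
    out = bytearray()
    k = key & MASK32
    for off in range(0, len(blob), 4):
        block = struct.unpack_from("<I", blob, off)[0] ^ k
        out += struct.pack("<I", block)
        k = (k + block) & MASK32          # same update as the encoder
    return bytes(out)


def variants(payload: bytes, keys) -> list:
    """One encoding per key: the polymorphic part. All decode to the same bytes."""
    return [encode_additive_feedback(payload, k) for k in keys]


# Constructed sample payload: two identical 4-byte blocks (int3 x 8). Because
# of the feedback, identical plaintext blocks do NOT yield identical output.
SAMPLE_PAYLOAD = b"\xcc" * 8

if __name__ == "__main__":
    enc = encode_additive_feedback(SAMPLE_PAYLOAD, 0x12345678)
    print(enc.hex())                      # b49af8de88efcd13
    print(decode_additive_feedback(enc, 0x12345678) == SAMPLE_PAYLOAD)
    print(len({v for v in variants(SAMPLE_PAYLOAD, range(16))}))  # 16 distinct encodings
```

The property worth noticing for detection engineering is the second output block: the plaintext is the same `0xCCCCCCCC` twice, yet the two encoded blocks share no bytes, and a one-bit change to the key rewrites the whole output. Static signatures on the encoded bytes are therefore hopeless; detection has to key on the decoder stub's behaviour or on what runs after decoding.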
A Red Team Maturity Model
“A model to reference when gauging Red Team maturity, as well as set goals and provide guidance when building internal Red Teams.”
A simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection over TLS. “Comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.”
Tool Release – Socks Over RDP
Tool by NCC Group’s Balazs Bucsay: “Just like SSH, upon connection a SOCKS Proxy is created on the client side, which can be used to proxy everything over the existing RDP connection.” (source)
Guido Vranken, the author of Vrankenfuzz, has also released cryptofuzz, a fuzzer that uses differential fuzzing (feed the same inputs to two implementations of the same thing; any difference in output means at least one of them has a bug) to find over 50 bugs in various crypto libraries.
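As an added, self-contained illustration of the differential technique (not cryptofuzz's code), the Python below fuzzes a hand-rolled modular exponentiation against CPython's built-in `pow` as the oracle. The stand-in primitive, the planted edge-case bug (`x^0 mod 1` must be 0, not 1), the boundary corpus, and the function names are all constructed for this example; the structure is what matters: normalise each call into an outcome so that one side raising is itself a finding, seed with boundary values before going random, and stop at the first divergence.

```python
"""Differential fuzzing harness (constructed example).

Two implementations of the same function get identical inputs; any divergence
in the returned value, or one raising where the other does not, is a bug in
at least one of them. The oracle here is CPython's three-argument pow().
"""
import itertools
import random
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Outcome = Tuple[str, object]   # ("ok", value) or ("error", exception class name)


def modpow_reference(base: int, exp: int, mod: int) -> int:
    return pow(base, exp, mod)


def modpow_buggy(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply with a planted bug: the early return ignores mod == 1."""
    if exp == 0:
        return 1                            # BUG: pow(x, 0, 1) is 0, not 1
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def modpow_fixed(base: int, exp: int, mod: int) -> int:
    """Same loop; the accumulator starts already reduced, so mod == 1 is handled."""
    result, base = 1 % mod, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


@dataclass
class Mismatch:
    base: int
    exp: int
    mod: int
    out_a: Outcome
    out_b: Outcome


def run(impl: Callable[..., int], *args) -> Outcome:
    """Turn a call into a comparable outcome; a crash is data, not a fuzzer abort."""
    try:
        return ("ok", impl(*args))
    except Exception as exc:
        return ("error", type(exc).__name__)


# Boundary values a crypto fuzzer seeds with: 0, 1, small values, word and limb edges.
INTERESTING = [0, 1, 2, 3, 7, 255, 256, 65535, 65536,
               2**31 - 1, 2**32, 2**64 - 1, 2**64, 2**128 + 1]


def gen_operand(rng: random.Random) -> int:
    if rng.random() < 0.5:
        return rng.choice(INTERESTING)
    return rng.getrandbits(rng.choice([8, 32, 64, 256]))


def differential_fuzz(impl_a, impl_b, iterations: int = 2000, seed: int = 1) -> Optional[Mismatch]:
    """Phase 1: every triple from the boundary corpus. Phase 2: seeded random inputs.
    Returns the first divergence found, or None if the two agree throughout."""
    def check(base, exp, mod):
        out_a, out_b = run(impl_a, base, exp, mod), run(impl_b, base, exp, mod)
        return None if out_a == out_b else Mismatch(base, exp, mod, out_a, out_b)

    for base, exp, mod in itertools.product(INTERESTING, repeat=3):
        if mod == 0:
            continue                        # modulus must be >= 1 for both sides
        found = check(base, exp, mod)
        if found is not None:
            return found
    rng = random.Random(seed)
    for _ in range(iterations):
        base, exp, mod = gen_operand(rng), gen_operand(rng), gen_operand(rng) or 1
        found = check(base, exp, mod)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    print("buggy vs reference:", differential_fuzz(modpow_reference, modpow_buggy))
    print("fixed vs reference:", differential_fuzz(modpow_reference, modpow_fixed))
```

The planted bug surfaces on the very first valid corpus triple, base 0, exponent 0, modulus 1, where the oracle returns 0 and the buggy version returns 1; the corrected version agrees with the oracle across the whole corpus and the random phase. Against real libraries the same skeleton applies: swap in two bignum or AEAD implementations behind `impl_a`/`impl_b`, keep the outcome normalisation so that a crash or a thrown error in one side is recorded as a divergence, and put the boundary values of that primitive (zero-length inputs, maximum tag sizes, moduli at limb boundaries) in the seed corpus.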
Bugs on the Windshield: Fuzzing the Windows Kernel
In previous research, Netanel Ben-Simon and Yoav Alon used WinAFL to fuzz user-space applications running on Windows, and found over 50 vulnerabilities in Adobe Reader and Microsoft Edge. They then decided to target the Windows kernel.
They initially considered kAFL, a research fuzzer that leverages AFL-style fuzzing to attack OS kernels, but quickly found that a syscall fuzzer could reach a bigger attack surface, so they went with syzkaller. Overall, they found 8 vulnerabilities, DoS bugs and deadlocks in the Windows 10 Kernel. See their OffensiveCon20 talk for more details.
kAFL fuzzing loop
Fuzzing: On the Exponential Cost of Vulnerability Discovery
FSE 2020 paper by Marcel Böhme and Brandon Falk:
Politics / Privacy
VPN Report 2020 – 35 Services
Lengthy report by AV Comparatives comparing 35 VPN services across features like supported protocols (OpenVPN, PPTP, SOCKS, SSH, …), logging policies, and pricing, and testing whether they leak your real IP if the VPN connection drops, and more.
Zoom End-to-End Encryption Whitepaper
A 25 page public proposal for implementing E2E encryption in Zoom.
Mozilla’s Fix-The-Internet Incubator
“We’re looking to invest in people, projects, and technologies that shape the internet and have a positive impact without having to only worry about the bottom line. Privacy over profit. No Shareholders. No data for sale.”
FBI: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
“These actors have been observed attempting to identify and illicitly obtain valuable IP and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”
The seL4 Microkernel
“seL4 is a high-assurance, high-performance operating system microkernel. It is unique because of its comprehensive formal verification, without compromising performance. It is meant to be used as a trustworthy foundation for building safety- and security-critical systems. seL4’s implementation is formally (mathematically) proven correct (bug-free) against its specification and has been proved to enforce strong security properties”
Reddit Private RSS Feeds
“Get listings of your content (personalized front page, message panel, saved listing, etc.) without having to deal with cookies or other auth.” Thanks Daniel Miessler for the tip.
We Need To Talk: Marriage Counseling with Capitalism Itself
A beautifully illustrated philosophical discussion about Humanity, Capitalism, and post-Capitalism, framed as a counseling session.
Experts Knew a Pandemic Was Coming. Here’s What They’re Worried About Next.
In case COVID-19 has you in an overly cheery mood, here’s a detailed discussion of other crises that are just as plausible and that we may be even less prepared for. Also 😖:
👉 Amazon investing in at-home Covid tests, plasma donors, PPE equipment, distancing, additional compensation, and protocols to adapt to a new world.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!