[tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain

Hey there,

I hope you’re safe and healthy! Phew, a lot has happened since last week 😅

Oof, Current Events

I live in the Bay Area, and this past weekend I fell asleep to the sound of police sirens and helicopters. Though I’ve been very fortunate to be safe, there are many who have not been so lucky. A number of businesses within a short walking distance away have been looted and have since been boarded up for the time being.

Since the death of George Floyd, I’ve been heartened to see thousands of people across many cities protest the injustices many Americans face on a regular basis, and have for a long time. I’ve been saddened to see opportunists use the ongoing protests as cover to be violent and cause destruction.

Stay safe out there!

AppSec

RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution
Tool by Bishop Fox’s Jake Miller: “RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities.” source 

Game Security
A high level overview of the cheat and anti-cheat mechanisms in video games.

Source Code Analysis Tools
OWASP’s list of static analysis tools.

Semgrep: Stop grepping code
“Semgrep is an open-source tool that is like a code-aware grep: you can easily match all calls to a certain function, match all specific function arguments regardless of order, or find all cases where a call like A() occurs after B().”

SAST Snark on Twitter
There were some interesting threads on Twitter about challenges people have faced with many modern SAST tools. Some snippets:

Cloud Security

Enabling AWS Security Hub integration with AWS Chatbot
“In this post, we show you how to configure AWS Chatbot to send findings from AWS Security Hub to Slack. AWS Chatbot is an interactive agent that makes it easy to monitor and interact with your AWS resources in your Slack channels and Amazon Chime chat rooms.”

Client Side Monitoring
Scott Piper gives us the heads up on an AWS SDK feature that appears mostly undocumented outside of the SDK source code. By setting an environment variable, all AWS API calls will be recorded. “According to the docs, this feature is ‘available only to customers with an Enterprise Support subscription.’ This article will discuss what this is and how we can use aspects of it without a fancy support contract.”

Kubernetes

Using Gatekeeper in Kubernetes
“Gatekeeper” allows a Kubernetes administrator to implement policies for ensuring compliance and best practices in their cluster. It makes use of Open Policy Agent (OPA) and is a validating admission controller. The policies are written in the Rego language. Gatekeeper embraces Kubernetes native concepts such as Custom Resource Definitions (CRDs) and hence the policies are managed as kubernetes resources.”

Kubernetes Pod Security Policies with Open Policy Agent
“First I will discuss the Pod Security Policy admission controller. Then we will see how Open Policy Agent can implement Pod Security Policies.”

“Admission Controllers are part of the kube-apiserver. They intercept requests to the Kubernetes API server before configuration is stored in cluster settings (etcd). An admission controller can be validating (one which validates the incoming request) or mutating (one which modifies the incoming request) or both.”

How to setup Vault with Kubernetes

Container Security

GoogleContainerTools/container-diff
A tool for analyzing and comparing container images along criteria including: Docker image history, image filesystem and size, as well as apt, rpm, pip, and npm packages.

docker-slim/docker-slim
“docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need, reducing the attack surface of your container.” In some cases, up to a 30x slim down, whoa.

Blue Team

Linux Security Hardening and Other Tweaks
By @blakkheim: Full disk encryption, ensure your package manager uses only HTTPS mirrors, hardened kernel options, firewall, sudo, application sandboxing, etc.

Mozilla SSL Configuration Generator
Nifty web app that lets you select your server software (Apache, Golang, nginx, …), how strict you want to be about cipher suites and a few other options, and then it’ll generate a config for you. Nice!

Hardware Root of Trust — Bios and UEFI
“This article explains modern and antiquated protections which attempt to prevent attackers who have already achieved root level access from persisting via kernel-mode drivers or firmware implants. Much of the information comes from the excellent Rootkits and Bootkits book.”

“It provides a series of test steps which allow security engineers to determine what attack vectors are available to an attacker who is looking to persist their root level privileges beyond the capabilities provided by user-mode exploits.”

The Octopus Scanner Malware: Attacking the open source supply chain
Interesting deep dive by the GitHub SIRT team: they discovered “malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself. We uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code.”

Basically, the Octopus Scanners determines if the infected machine uses NetBeans, and if so, infects every JAR file built by any project. The dropper ensures local persistence and connects to the attacker’s C2 servers. The malware also infected any JAR files that were available in the project, such as dependencies—not necessarily just build artifacts.

Red Team

rebootuser/LinEnum
Script that performs a number of local Linux enumeration and privilege escalation checks. Gathers system info, info about current users (user lists, password policies, who has access to sudo, …), examines current (cron) jobs and services, finds SUID/GUID files, etc.

IDA Plugin: Dynamic Data Resolver (DDR)
Cisco Talos is releasing the 1.0 beta version of an IDA that makes reverse-engineering malware easier by using instrumentation techniques (DynamoRIO) to resolve dynamic values at runtime from the sample.

Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data
By NCC Group’s Andy Grant: “Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s machine, all the victim has to do is click on the invite.”

mzfr/go-gtfo
Golang CLI tool for searching GTFOBins (a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions) and LOLBAS (“living off the land binaries and scripts”).

entynetproject/ghost
“Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device. Ghost Framework gives you the power and convenience of remote Android device administration.” It can be used to remotely remove the passcode of an Android device if it has been forgotten as well as access the remote Android device shell without using OpenSSH or other protocols.

Entynetproject appears to also have post-exploitation frameworks for Linux, PHP, iOS/macOS, and Windows

Privacy

Chinese Province Wants to Label Citizens by Their Health Rating Using Data on Their Sleep, Eating, and Exercising
“The Chinese province of Hangzhou has proposed that authorities assign a permanent health rating to its residents, which would be based on people’s medical records and lifestyle habits. Hangzhou’s health authority explained that, when making the rating, it would consider indicators such as people’s eating and drinking habits, whether they smoke and drink alcohol, how much they exercised, and how much they slept the night before. If approved, both residents and companies of Hangzhou will have colored health grades, with a score from 0 to 100.” Catch up, Black Mirror writers!

Safety Over Freedom: How Governments Introduce Surveillance Under Veil of Coronavirus Control
Nice overview of government surveillance under coronavirus. Also, check out this interactive map by a Russian non-profit showing the extent to which the governments of particular countries violate people’s privacy.

Politics

Concise Argument and Evidence That Steven Pinker is Wrong About How Good Things Are
For the past few years, I’ve been thinking a lot about how the U.S. and other economies have been changing. In short, I think advances in automation, AI, and robotics, are and will continue to eliminate broad swathes of former middle class jobs. Inequality will continue to rise, which will stoke tensions and lead to serious turmoil (or more) unless addressed. People whose jobs have been automated won’t just suddenly become machine learning experts or other knowledge workers without support and training. One reason I liked Andrew Yang is because he seemed to be one of the few politicians who grokked this massive oncoming (/ongoing) train wreck and was actively talking about it. I was glad to see this article by Daniel Miessler, which lays out the reasoning behind this concern clearly and concisely. I wish more people were talking about this.

The Black Panthers and the FBI’s Counter-Intelligence Program 
Tweet thread history lesson about how J. Edgar Hoover’s FBI had a secret project designed to spy on, infiltrate, and discredit every progressive activist movement, with a particular emphasis on African American civil rights leaders, especially the Black Panthers.

There’s also a booklet with more details, but the crazy thing is that the only reason we know this program existed is that in 1971 a group of white activists broke into an FBI field office in Pennsylvania, stole a bunch of documents and revealed the existence of the then-secret COINTELPRO operation to the public.

Research-based solutions to Stop Police Violence
Interesting Twitter thread on studies about what actually decreases police violence in practice. Some of the results may surprise you.

Also, uhhh what:

OSINT

ninoseki/shodan-dojo
Katas for learning the basics of Shodan search.

Misc

Pimp My Terminal
Some tips and tricks for building an awesome terminal UX - color schemes (e.g. gogh), useful aliases, lsd as a better ls, bat as a better cat, customizing bash/zsh prompts, zsh-autosuggestions, and more.

Magic: The Gathering is Turing Complete
An academic paper proving that there is still good in this world, or, at least people with a bit too much free time 🤘

How a Lazy Bitch like me learned to be Productive
Getting yourself to do something beyond your routine is really hard, and we can only do so much of that per day. The key is good habits, which, if you’re interested in, you should absolutely read James Clear’s book Atomic Habits, which is excellent. Here are Madison’s three rules:

1. I only make one or two habits each month.

2. I do them in small quantities every single day the first month- I never push it too hard during the first 30 days, but I also do it every single day, no matter how I feel.

3. I never go over my goal for the first month. So if my goal is to write for an hour daily I don’t let myself go over one hour/day for the first month. This is to give my brain some peace of mind; if I set consistent expectations with it, then even on the days when I don’t want to do my new habit, my brain knows there’s a set end time/amount that I won’t go over, and it reluctantly agrees.

✉️ Wrapping Up’

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint