[tl;dr sec] #40 - Uber's Continuous AWS Monitoring, AWS's Hands-off Deployments, Auto-remove Unneeded Feature Flags

Hey there,

I hope you’re well!

This issue seems long, but it’s mostly because there are a number of large diagrams.

Greenfield Platform Security Architectures

When a company has been around awhile, it’s often hard to migrate to newer paradigms and tech as you have too much existing infrastructure and code built up.

A super sharp friend of mine at a FAANG company is interested in chatting with companies who’ve been able to take advantage of newer security offerings, tech advancements, etc.

Topics like: Service Mesh, FaaS, Sidecar-proxy-all-the-things, automatic authorization policy creation based on resource usage, self healing infra, declarative and managed delivery models, everything as code, etc.

If this describes your company or one you know, please reach out! 👋

Bonus ☝️: you get to work with Caleb Sima (twitter, linkedin) a super sharp dude who’s founded and sold multiple security companies. He’s also a friend and advisor to tl;dr sec, playing a key role in making this newsletter what it is today.

AppSec

🔥 Introducing Piranha: An Open Source Tool to Automatically Delete Stale Code
Given a feature flag, Piranha can automatically delete the code immediately surrounding the feature flag API, delete the code that becomes unreachable as a result of the previous step, and finally delete any tests related to the flag. Currently supports Java, Swift, and Objective-C. Academic paper with more details, InfoQ overview.

Hardcoded secrets, unverified tokens, and other common JWT mistakes
Post by Vasilii Ermilov describing common JWT mistakes: hardcoded secrets, allowing the none algorithm when signing, not correctly verifying tokens, and exposing sensitive data. He also provides some open source checks that can be used to detect these issues in your code as well as prevent them from being introduced in the future 🤘 

Introducing GitHub Super Linter: one linter to rule them all
Run ~17 linters via one GitHub Action. The linters seem to mostly be for style/correctness, not security. HN discussion. Honestly, I’m surprised GitHub hasn’t created a similar wrapper for security tools, as Gitlab Ultimate’s SAST offering is largely just wrapping open source tools, as is the primary value prop for some scanning companies like Codacy . This value prop doesn’t seem very easy to differentiated to me, and seems ripe for commodification.

Web Security

Understanding API Security
Free! “A selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.” H/T Dmitry Sotnikov 

Introduction to OAuth 2.0 and OpenID Connect
A free 2-hour session on the concepts of OAuth 2.0 and OpenID Connect by Philippe De Ryck. slides | Q&A 

GerbenJavado/LinkFinder
By Gerben Javado: A Python script for discovering endpoints and their parameters in JavaScript files so that pen testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing. Uses jsbeautifier for Python + regular expressions.

m4ll0k/SecretFinder
By @m4ll0k: Python script that uses jsbeautifier and regexes like LinkFinder ^, but for finding sensitive data like API keys, access tokens, authorizations, JWT, etc. in JavaScript files.

Cloud Incident Response

AWS Security Incident Response Guide
An overview of the fundamentals of responding to security incidents within a customer’s AWS Cloud environment, focusing on an overview of cloud security and incident response concepts, and identifies cloud capabilities, services, and mechanisms that are available to customers who are responding to security issues.

AWS Incident Response Runbook Samples
The samples cover several common scenarios and outline steps based on the NIST Computer Security Incident Handling Guide that can be used to:

• Gather evidence

• Contain and then eradicate the incident

• recover from the incident

• Conduct post-incident activities, including post-mortem and feedback processes

Cloud Security

flosell/trailscraper
A CLI tool to get valuable information out of AWS CloudTrail, like getting events matching a filter, downloading logs, generating a Policy from some CloudTrail records, extending an existing policy by guessing matching actions, and finding CloudTrail events and generating an IAM Policy.

HBOCodeLabs/gimme-aws-creds
“A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials.”

aws-cloudformation/cloudformation-guard
“A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax cloudformation.”

Conducting a Cloud Assessment in AWS
Chris Farris’s recommendations of “a general list of things you want to look at when evaluating an AWS environment for the first time,” to understand how the org uses AWS, what controls they have in place, and how they are using AWS’s security features. Mentions CloudTrail, GuardDuty, IAM Access Analyzer, Account Contacts, IAM, Workloads, Multi-Account, and other holes.

AWS Security Services
Diagram shared by Corey Quinn:

AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors
Praetorian’s Kesten Broughton evaluated 90 vendors and found that 37% had not implemented ExternalID correctly to protect against confused deputy attacks. A further 15% of vendors did not properly validate the ExternalID parameter on the backend, making them vulnerable as well. An attacker could use these vulnerable products to gain access to their customers’ environments. Great details about the risk and recommended solution.

Automating safe, hands-off deployments
Very interesting and detailed article about how Amazon does safe, continuous deployment, using automated steps to prevent customer-impacting defects from reaching production, and mitigating the impact if they do. This automation frees up significant developer time.

Container Security

chenjiandongx/kubectl-images
Show container images used in a Kubernetes cluster.

sysdiglabs/opa-image-scanner
Kubernetes Admission Controller for Image Scanning using OPA. “Combines Sysdig Secure image scanner with OPA policy-based rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision.”

Network Security

The Art of Packet Crafting with Scapy
Free workshop content covering networking basics, creating/inspecting/sending packets, network recon, network attacks, exercises, and more by Bharath.

Reverse Engineering

Reverse Engineering Snapchat (Part I): Obfuscation Techniques
By Abdelrahman Eid: Some interesting details about the anti-analysis tricks Snapchat uses. Part II discusses bypassing breakpoint checks, setting watchpoints, and briefly solving constraints using the symbolic execution engine Triton.

Reverse Engineering Resources-Beginners to intermediate Guide/Links
By @bbinfosec: Assembly, C, RE fundamentals, tools, tutorials, frameworks, OS-specific resources, and more.

Red Team

Zip Cracker
Python script to crack zip passwords with a dictionary attack.

Digging Your Talons In – New Take On Password Guessing
Tool release by Optiv’s Matt Eidelberg: A password guessing tool that targets Kerberos and LDAP services. “Talon has two main functions for performing successful password guessing attacks. The first is user enumeration to generate a list of valid users for attacks. Talon can provide more details about the valid users in a company’s active directory, giving you more information than just if the user exists or not. Talon utilizes Kerberos for enumeration.”

michaelweber/Macrome
Excel Macro document reader/writer for red teamers & analysts by Michael Weber.

Engineering antivirus evasion
“How we managed to automatically refactor Meterpreter to bypass every AV/EDR we were put up against.” Uses a custom Clang pass to obfuscate strings. Future posts will discuss API imports hiding / syscalls rewriting. source 

Minimalistic TCP / UDP Port Scanner
Sometimes you’re in a heavily restricted environment where you can’t upload anything (e.g. isolated VDI / Citrix environment), or existing port scanners will be caught by AV or EDR. This post describes minimal Powershell implementations so short you can type them in by hand.

Politics / Privacy

Elite CIA unit that developed hacking tools failed to secure its own systems
Insights from a redacted internal CIA report obtained by Senator Ron Wyden. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss.” ~34 TB of data was stolen 😅 

Russia Trying to Stoke U.S. Racial Tensions Before Election
“The Russian government has stepped up efforts to inflame racial tensions in the US as part of its bid to influence November’s presidential election, including trying to incite violence by white supremacist groups and to stoke anger among African-Americans, according to seven American officials briefed on recent intelligence.”

Facebook Groups Are Destroying America
The privacy and community aspects of Facebook groups also make them more effective at spreading disinformation and conspiracy theories. A recent WSJ investigation revealed that Facebook was aware of groups’ polarizing tendencies from 2016 but stopped efforts to make the site less divisive. This post’s authors recommend eliminating algorithmically suggested groups and Related Pages and that groups above a certain membership size (e.g. 5,000) should automatically be set to public.

Clash Over U.S. Attorney Who Investigated Trump Associates Sets Off Crisis
Attorney General William Barr was like, “The US attorney for the Southern District of NY, Geoffrey Berman, is resigning, and definitely not because he has been investigating Trump’s inner circle. Unrelated, pinky swear.” Berman responded, “I have not resigned, and have no intention of resigning my position.”

OSINT

Just another Recon Guide for Pentesters and Bug Bounty Hunters
Great overview and list of tools by @slashcrypto:

Misc

Teach Yourself Computer Science
“You don’t need yet another ‘200+ Free Online Courses’ listicle. You need: Which subjects should you learn, and why? What is the best book or video lecture series for each subject? This guide is our attempt to definitively answer these questions.”

Effective Python: 59 Specific Ways to Write Better Python
Code samples from the book by Brett Slatkin.

Open Source, DRM-Free Kindle Alternative
“The Open Book aims to be a simple device that anyone with a soldering iron can build for themselves,” designer Joey Castillo said on the GitHub repository for the project.

Introducing JIRA Jr. Project Tracking… for Kids!
Most corporate videos intended to be funny tend to be more groan worthy than humorous. This one made me laugh though.

📚 Uber on AWS Continuous Monitoring: Part 1

Uber describes their continuous cloud monitoring service, CMON, and the workflows and process design that makes it successfully adopted by engineering teams.

I thought this article was excellent, so I made a standalone post for my notes:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint