[tl;dr sec] #40 - Uber's Continuous AWS Monitoring, AWS's Hands-off Deployments, Auto-remove Unneeded Feature Flags
Uber continuous AWS monitoring tool and process, how AWS does safe, fast, continuous deployment, tool to auto-delete no longer needed feature flags.
I hope you’re well!
This issue seems long, but it’s mostly because there are a number of large diagrams.
Greenfield Platform Security Architectures
When a company has been around awhile, it’s often hard to migrate to newer paradigms and tech as you have too much existing infrastructure and code built up.
A super sharp friend of mine at a FAANG company is interested in chatting with companies who’ve been able to take advantage of newer security offerings, tech advancements, etc.
Topics like: Service Mesh, FaaS, Sidecar-proxy-all-the-things, automatic authorization policy creation based on resource usage, self healing infra, declarative and managed delivery models, everything as code, etc.
If this describes your company or one you know, please reach out! 👋
📢 Sr. Staff Engineer @ Databricks
Databricks is looking for a Sr Staff Engineer to join their Cyber Offense Program (COP), responsible for penetration testing, red teaming, vulnerability assessment, security code audits, and developing automation to identify security issues at scale. Founded by the original creators of Apache Spark™ (a bunch of UC Berkeley PhDs), join Databricks and help secure the unified platform for massive-scale engineering used by more than 5,000 organizations worldwide.
Bonus ☝️: you get to work with Caleb Sima (twitter, linkedin) a super sharp dude who’s founded and sold multiple security companies. He’s also a friend and advisor to tl;dr sec, playing a key role in making this newsletter what it is today.
📜 In this newsletter...
AppSec: Tool to automatically delete code around unneeded feature flags, finding and preventing JWT mistakes, GitHub's linter wrapper
Web Security: Free e-book on API security and OAuth, 2-hour session on OAuth 2.0 and OpenID Connect, tools to find endpoints and parameters / sensitive data in JS files
Cloud Incident Response: AWS's incident response guide, AWS IR runbooks based on NIST's incident handling guide
Cloud Security: CLI tool to extract info from CloudTrail, CLI that uses Okta IdP via SAML to acquire temp AWS creds, set of tools to check CloudFormation templates for policy compliance, a list of what to review when evaluating an AWS environment for the first time, AWS security services diagram, IAM Assume Role vulns found in many vendors, how AWS does safe, continuous deployment
Container Security: Tool to show container images used in a Kubernetes cluster, a Kubernetes Adminission Controller for Image Scanning using OPA
Network Security: Free workshop content on networking basics + scapy
Reverse Engineering: RE-ing Snapcghat, RE beginning to intermediate resource list
Red Team: Cracking zip password with a dictionary attack, password guessing tool targeting Kerberos and LDAP, Excel Macro document reader/writer, automatically refactoring Meterpreter to bypass AV/EDR, minimalistic Powershell TCP/UDP port scanner
Politics / Privacy: CIA list its tools and didn't notice, Russia's trying to stoke U.S. racial tensions before the election, Facebook groups are polarizing users, AG Barr tries to fire a district attorney investigating Trump's inner circle, but the attorney refused to resign
OSINT: A recon guide for pen testers and bug bounty hunters
Misc: Resources to teach yourself Computer Science, 59 ways to write better Python, solder your own Kindle alternative, JIRA for kids 🤣
📚 Uber on AWS Continuous Monitoring: Part 1
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
🔥 Introducing Piranha: An Open Source Tool to Automatically Delete Stale Code
Given a feature flag, Piranha can automatically delete the code immediately surrounding the feature flag API, delete the code that becomes unreachable as a result of the previous step, and finally delete any tests related to the flag. Currently supports Java, Swift, and Objective-C. Academic paper with more details, InfoQ overview.
The flag management system periodically sends a list of potentially stale flags to Piranha, which generates a diff and sends it to the original flag author. The author can then determine whether to land the diff
Hardcoded secrets, unverified tokens, and other common JWT mistakes
Post by Vasilii Ermilov describing common JWT mistakes: hardcoded secrets, allowing the none algorithm when signing, not correctly verifying tokens, and exposing sensitive data. He also provides some open source checks that can be used to detect these issues in your code as well as prevent them from being introduced in the future 🤘
Introducing GitHub Super Linter: one linter to rule them all
Run ~17 linters via one GitHub Action. The linters seem to mostly be for style/correctness, not security. HN discussion. Honestly, I’m surprised GitHub hasn’t created a similar wrapper for security tools, as Gitlab Ultimate’s SAST offering is largely just wrapping open source tools, as is the primary value prop for some scanning companies like Codacy . This value prop doesn’t seem very easy to differentiated to me, and seems ripe for commodification.
Reflection: But I could be wrong, as maintaining the glue between a vast number of services is a big pain, and buying may be a much better use of resources than AppSec team. For general automation, Zapier seems quite profitable, Demisto and Komand (both acquired) have done this for SOC tools (SOAR, according to Gartner), as ZeroNorth is doing for AppSec tools (application security testing orchestration, ASTO).I predict wrapping open source tools will become commodified, and orchestrating commercial tools and APIs, which tend to be more complex and change more frequently (and may be more miserable to integrate with), will be profitable, as it’s too much of a pain.
Understanding API Security
Free! “A selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.” H/T Dmitry Sotnikov
Cloud Incident Response
AWS Security Incident Response Guide
An overview of the fundamentals of responding to security incidents within a customer’s AWS Cloud environment, focusing on an overview of cloud security and incident response concepts, and identifies cloud capabilities, services, and mechanisms that are available to customers who are responding to security issues.
AWS Incident Response Runbook Samples
The samples cover several common scenarios and outline steps based on the NIST Computer Security Incident Handling Guide that can be used to:
Contain and then eradicate the incident
recover from the incident
Conduct post-incident activities, including post-mortem and feedback processes
A CLI tool to get valuable information out of AWS CloudTrail, like getting events matching a filter, downloading logs, generating a Policy from some CloudTrail records, extending an existing policy by guessing matching actions, and finding CloudTrail events and generating an IAM Policy.
“A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials.”
“A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax cloudformation.”
Conducting a Cloud Assessment in AWS
Chris Farris’s recommendations of “a general list of things you want to look at when evaluating an AWS environment for the first time,” to understand how the org uses AWS, what controls they have in place, and how they are using AWS’s security features. Mentions CloudTrail, GuardDuty, IAM Access Analyzer, Account Contacts, IAM, Workloads, Multi-Account, and other holes.
AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors
Praetorian’s Kesten Broughton evaluated 90 vendors and found that 37% had not implemented ExternalID correctly to protect against confused deputy attacks. A further 15% of vendors did not properly validate the ExternalID parameter on the backend, making them vulnerable as well. An attacker could use these vulnerable products to gain access to their customers’ environments. Great details about the risk and recommended solution.
Automating safe, hands-off deployments
Very interesting and detailed article about how Amazon does safe, continuous deployment, using automated steps to prevent customer-impacting defects from reaching production, and mitigating the impact if they do. This automation frees up significant developer time.
Show container images used in a Kubernetes cluster.
Kubernetes Admission Controller for Image Scanning using OPA. “Combines Sysdig Secure image scanner with OPA policy-based rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision.”
Reverse Engineering Snapchat (Part I): Obfuscation Techniques
By Abdelrahman Eid: Some interesting details about the anti-analysis tricks Snapchat uses. Part II discusses bypassing breakpoint checks, setting watchpoints, and briefly solving constraints using the symbolic execution engine Triton.
Reverse Engineering Resources-Beginners to intermediate Guide/Links
By @bbinfosec: Assembly, C, RE fundamentals, tools, tutorials, frameworks, OS-specific resources, and more.
Python script to crack zip passwords with a dictionary attack.
Digging Your Talons In – New Take On Password Guessing
Tool release by Optiv’s Matt Eidelberg: A password guessing tool that targets Kerberos and LDAP services. “Talon has two main functions for performing successful password guessing attacks. The first is user enumeration to generate a list of valid users for attacks. Talon can provide more details about the valid users in a company’s active directory, giving you more information than just if the user exists or not. Talon utilizes Kerberos for enumeration.”
Engineering antivirus evasion
“How we managed to automatically refactor Meterpreter to bypass every AV/EDR we were put up against.” Uses a custom Clang pass to obfuscate strings. Future posts will discuss API imports hiding / syscalls rewriting. source
Minimalistic TCP / UDP Port Scanner
Sometimes you’re in a heavily restricted environment where you can’t upload anything (e.g. isolated VDI / Citrix environment), or existing port scanners will be caught by AV or EDR. This post describes minimal Powershell implementations so short you can type them in by hand.
Politics / Privacy
Elite CIA unit that developed hacking tools failed to secure its own systems
Insights from a redacted internal CIA report obtained by Senator Ron Wyden. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss.” ~34 TB of data was stolen 😅
Russia Trying to Stoke U.S. Racial Tensions Before Election
“The Russian government has stepped up efforts to inflame racial tensions in the US as part of its bid to influence November’s presidential election, including trying to incite violence by white supremacist groups and to stoke anger among African-Americans, according to seven American officials briefed on recent intelligence.”
Facebook Groups Are Destroying America
The privacy and community aspects of Facebook groups also make them more effective at spreading disinformation and conspiracy theories. A recent WSJ investigation revealed that Facebook was aware of groups’ polarizing tendencies from 2016 but stopped efforts to make the site less divisive. This post’s authors recommend eliminating algorithmically suggested groups and Related Pages and that groups above a certain membership size (e.g. 5,000) should automatically be set to public.
Clash Over U.S. Attorney Who Investigated Trump Associates Sets Off Crisis
Attorney General William Barr was like, “The US attorney for the Southern District of NY, Geoffrey Berman, is resigning, and definitely not because he has been investigating Trump’s inner circle. Unrelated, pinky swear.” Berman responded, “I have not resigned, and have no intention of resigning my position.”
Just another Recon Guide for Pentesters and Bug Bounty Hunters
Great overview and list of tools by @slashcrypto:
Teach Yourself Computer Science
“You don’t need yet another ‘200+ Free Online Courses’ listicle. You need: Which subjects should you learn, and why? What is the best book or video lecture series for each subject? This guide is our attempt to definitively answer these questions.”
Effective Python: 59 Specific Ways to Write Better Python
Code samples from the book by Brett Slatkin.
Open Source, DRM-Free Kindle Alternative
“The Open Book aims to be a simple device that anyone with a soldering iron can build for themselves,” designer Joey Castillo said on the GitHub repository for the project.
Introducing JIRA Jr. Project Tracking… for Kids!
Most corporate videos intended to be funny tend to be more groan worthy than humorous. This one made me laugh though.
Uber describes their continuous cloud monitoring service, CMON, and the workflows and process design that makes it successfully adopted by engineering teams.
I thought this article was excellent, so I made a standalone post for my notes:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
Thanks for reading!