[tl;dr sec] #41 - Threat Modeling Kubernetes, Secret Scanner Benchmark, OWASP Software Component Verification Standard
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASP's standard on identifying/reducing supply chain risk.
Hey there,
I hope you’re doing well! It’s important to set aside some time, especially in these unusual times, to relax, do something you enjoy, and maybe cut loose and go wild.
Like me, for example: last weekend I had ~600 lbs of Ikea furniture delivered, so I spent about one and a half days assembling it.
I know not everyone is comfortable throwing caution to the wind and raging hard like that, but what can I say, that’s just the kinda person I am.
Sidenote: If you’re thinking about buying one of Ikea’s customizable PAX storage units, check out the PAX planner. It’s Flash (ugh), but pretty useful for testing the visual layout of various components.
Speaking
DevSecCon24
Check out our panel featuring Justine Osborne, Tanya Janca, Doug DePerry, and Zane Lackey. Direct video link.
Cyber June’Gle Virtual Summit
I gave my “Opinionated Guide to Scaling Your Company’s Security” talk at this great event, which was organized by the DEF CON Red Team Village. The variety of talks was really cool to see, I appreciated that. Youtube Playlist of the talks.
Software Security Gurus Webcast Episode #7: Clint Gibler
I chatted with my bud Matias Madou, CTO and co-founder of Secure Code Warrior, about static analysis, threat modeling, and writing summaries for an entire conference.
Sponsor
📢 Datadog Security Monitoring
Security threats in cloud-native environments move fast, which means that security teams need to have the same visibility into their infrastructure, network, and applications as developers and operations. With Datadog Security Monitoring, engineering teams can easily detect malicious activity in real-time before it affects their customers. Use OOTB detection rules and detailed observability data in one, unified platform to investigate security attacks. See it in action by signing up for a 👇
📜 In this newsletter...
🔗 Links:
AppSec: Overview of website 2FA support, v3 of the security auditing tool lynis, OWASP Software Component Verification Standard v1
Mobile Security: Quarklab examined Google's Fuchsia OS, system hardening in Android 11
Web Security: Tool to exfiltrate browser data using DNS, hiding JS in EXIF metadata, exfiltrating data to Google Analytics, web cache deception in the wild study, Portswigger started a Youtube channel, open source Kubernetes operator for ZAP
Secrets Management: Tool to search GitHub for secrets, a repo full of different hard-coded secrets to benchmark your secret scanners
Cloud Security: # of APIs by AWS service
Kubernetes Security: Checkov now supports scanning Kubernetes manifests, a modular K8s lab to deploy a test cluster, the current state of Kubernetes threat modeling
Container Security: Cryptominers found in Docker Hub images, lessons learned running 3 open source container scanning tools
Blue Team: Get anomaly alerts in dank memes
Hardware: New Intel chip family including anti exploit tech, a small multi-tool for hardware testing
Reverse Engineering: Four hour class on learning reverse engineering with Ghidra, new Frida version supports Java runtime bridge beyond just Android
Politics / Privacy: Open dataset on GitHub for police brutality during recent protests, Russian news outlets interviewing U.S. police officers to try to stoke divisions
OSINT: An OSINT, recon, and vuln scanner that combines many tools
Misc: Tensorflow implementation to auto-cartoonize images, Facebook's new lightweight VR headset, a security analysis of 6 videoconferencing solutions, the food you buy is shrinking, GitHub CTO on advice he'd give his younger self
AppSec
twofactorauth.org/
A list of websites by category, if they support 2FA, and if so, what types (SMS, phone call, email, hardware token, software token).
CISOfy/lynis
“Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening.” V3 includes some security fixes, initial support for profiles (e.g. DevOps, forensics, and pen testing), and a number of new tests. H/T Michael Boelen
OWASP Software Component Verification Standard v1.0
By project lead Steve Springett: “The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.” Sections: Inventory, Software Bill of Materials, Build Environment, Package Management, Component Analysis, Pedigree and Provenance.
Mobile Security
Playing Around With The Fuchsia Operating System
Detailed post by Quarkslab, discussing the Zircon microkernel and attacking Fuchsia: the USB and Bluetooth stack, a hypervisor vmcall bug, and kernel mishandling of MXCSR and iretq.
A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered as vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia’s security properties.
We note however that these security properties do not - and in fact, cannot - hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS.
Fuchsia has the potential to significantly increase the difficulty for attackers to compromise devices.
System hardening in Android 11
Post by Google describing a number of hardening steps, including automatic memory initialization in both Android 11’s userspace (stack variables) and the Linux kernel (stack and heap initialization), Scudo is now Android’s default native memory allocator (hardened to help detect and mitigate memory corruption bugs in the heap), and more.
Web Security
veggiedefender/browsertunnel
By Jesse Li: a tool for exfiltrating data from the browser using DNS.
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
Huh. Apparently attackers had placed JavaScript in the Copyright metadata field of favicons.
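The defensive counterpart to the technique above, as an added example that is not code from the linked article or any tool it names: a small Python scanner that walks a JPEG's segments, reads the Exif IFD0 text tags (Copyright, ImageDescription, Artist), and flags values that contain JavaScript-looking fragments. The two sample images are constructed inline by build_exif_jpeg so the check runs offline; they are not real favicons, and the marker list is an assumption you would tune to your own environment.

```python
import struct

# Exif/TIFF text tags worth inspecting for script-like content (tag id -> name).
TEXT_TAGS = {0x8298: "Copyright", 0x010E: "ImageDescription", 0x013B: "Artist"}
# Substrings that have no business appearing in an image's text metadata (assumed list).
SUSPICIOUS_MARKERS = ("<script", "eval(", "fromCharCode", "atob(", "document.", "XMLHttpRequest")


def build_exif_jpeg(copyright_text: str) -> bytes:
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) carrying one Copyright tag.

    Constructed for this demo so the scanner can run offline; it is not a real favicon.
    """
    value = copyright_text.encode("ascii") + b"\x00"        # ASCII tags are NUL-terminated
    value_offset = 8 + 2 + 12 + 4                            # TIFF header + count + 1 entry + next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)               # little-endian TIFF header, IFD0 at offset 8
    ifd = struct.pack("<H", 1)                               # one directory entry
    ifd += struct.pack("<HHII", 0x8298, 2, len(value), value_offset)  # tag, type ASCII, count, data offset
    ifd += struct.pack("<I", 0)                              # no next IFD
    payload = b"Exif\x00\x00" + tiff + ifd + value
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # length field counts itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0_text_tags(tiff: bytes) -> dict:
    """Read IFD0 of a TIFF block and return the ASCII tags listed in TEXT_TAGS."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF header")
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    found = {}
    for i in range(count):
        start = ifd_offset + 2 + 12 * i
        tag, typ, n, value_or_offset = struct.unpack(endian + "HHII", tiff[start:start + 12])
        if tag in TEXT_TAGS and typ == 2:                    # type 2 = ASCII
            # values of 4 bytes or fewer live inline in the entry; longer ones are at an offset
            raw = tiff[start + 8:start + 8 + n] if n <= 4 else tiff[value_or_offset:value_or_offset + n]
            found[TEXT_TAGS[tag]] = raw.rstrip(b"\x00").decode("latin-1", "replace")
    return found


def extract_exif_text_tags(data: bytes) -> dict:
    """Walk JPEG segments until the first APP1/Exif segment and return its text tags."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):                       # EOI or SOS: metadata segments are over
            break
        segment = data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_text_tags(segment[6:])
    return {}


def scan_for_embedded_script(data: bytes) -> list:
    """Return (tag name, marker) pairs for text tags that look like they carry JavaScript."""
    hits = []
    for name, text in extract_exif_text_tags(data).items():
        lowered = text.lower()
        hits.extend((name, m) for m in SUSPICIOUS_MARKERS if m.lower() in lowered)
    return hits


# Constructed samples: one benign copyright notice, one that smuggles script text.
BENIGN_IMAGE = build_exif_jpeg("Copyright 2020 Example Corp")
SUSPECT_IMAGE = build_exif_jpeg("<script>eval(atob('bogus'))</script>")

if __name__ == "__main__":
    for label, img in (("benign", BENIGN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(label, extract_exif_text_tags(img), scan_for_embedded_script(img))
```

Running this over the images your web root serves (or over uploads at ingest time) turns the trick into a cheap detection: metadata fields are free text, but a copyright notice never needs angle brackets or a function call.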
Crooks abuse Google Analytics to conceal theft of payment card data
To conceal their data exfiltration, some attackers are sending data they’ve skimmed to an account they control on google-analytics.com, which tends to be whitelisted by site owners.
Cached and Confused: Web Cache Deception in the Wild
USENIX 2020 paper; overview article by PortSwigger’s Ben Dickson.
We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD.
PortSwigger has started a Youtube Channel
Will be interesting to see what they add over time 👍
Operator driven API security testing based on OpenAPI definition
Last Autumn Banzai Cloud open sourced dast-operator, which aims to make it easy to run OWASP ZAP as a Kubernetes operator. dast-operator can now ingest OpenAPI definitions to feed the ZAP scan.
Secrets Management
d1vious/git-wild-hunt
Searches GitHub for secrets using truffleHog’s regexes, by Jose Hernandez.
Plazmaz/leaky-repo
A repo purposefully full of hard-coded secrets that you can use to vet your secret detection tools, a “benchmark for secrets scanners,” by Dylan Katz 🤘 H/T Ishaq Mohammed
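What "benchmarking" a secret scanner against a repo like this looks like in practice, as an added example that is not code from leaky-repo, git-wild-hunt or truffleHog: a toy scanner with three fixed-pattern rules plus a truffleHog-style high-entropy rule, run over a constructed four-file corpus with a labelled answer key, reporting true/false positives, misses, precision and recall. The corpus, the truth set and the 3.5-bit entropy threshold are all assumptions made for the demo; the AWS values are the placeholder credentials AWS uses in its own documentation.

```python
import math
import re
from collections import Counter
from typing import Dict, Set, Tuple

# Constructed mini-corpus standing in for a repo like leaky-repo: path -> file contents.
CORPUS: Dict[str, str] = {
    "config/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAconstructedkeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "src/settings.py": (
        "DEBUG = True\n"
        "db_pass = 'hunter2'\n"                                       # real secret, but short and low-entropy
        "password = 'aaaaaaaaaaaaaaaaaaaaaaaa'  # placeholder in a template\n"
    ),
    "docs/api.md": (
        "Send the header `token: 9fA3kLq8ZxP2mVw7RtY4uBn6` (placeholder value)\n"
    ),
}

# Ground truth for the corpus: (path, line number) of every real secret.
TRUTH: Set[Tuple[str, int]] = {
    ("config/aws.env", 1),
    ("config/aws.env", 2),
    ("deploy/id_rsa", 1),
    ("src/settings.py", 2),
}

# (rule name, pattern, entropy threshold applied to group 1 or None). Specific rules first,
# so a line matched by a precise pattern is attributed to it rather than to the generic rule.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), None),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"), None),
    ("generic_high_entropy",
     re.compile(r"(?i)(?:secret|token|password|key)[a-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"),
     3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking 24+ character strings score well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(corpus: Dict[str, str]) -> Dict[Tuple[str, int], str]:
    """Return {(path, line): rule name} for every line at least one rule fires on."""
    findings: Dict[Tuple[str, int], str] = {}
    for path, text in corpus.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern, threshold in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                if threshold is not None and shannon_entropy(m.group(1)) < threshold:
                    continue                                  # looks like a placeholder, not a secret
                findings[(path, lineno)] = name
                break
    return findings


def benchmark(findings: Dict[Tuple[str, int], str], truth: Set[Tuple[str, int]]) -> Dict[str, float]:
    """Score a scanner's findings against the labelled answer key."""
    found = set(findings)
    tp, fp, fn = len(found & truth), len(found - truth), len(truth - found)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    results = scan(CORPUS)
    for loc, rule in sorted(results.items()):
        print(f"{loc[0]}:{loc[1]}  {rule}  {'TP' if loc in TRUTH else 'FP'}")
    print(benchmark(results, TRUTH))
```

On this corpus the scanner finds the AWS key pair and the private key, is fooled by a documentation sample into one false positive, and misses the short "hunter2" password that no regex or entropy rule will catch, which is exactly the kind of gap a labelled benchmark exposes and a vendor demo does not.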
Cloud Security
# of APIs by AWS Service by Scott Piper
Kubernetes Security
Kubernetes static code analysis with Checkov
Checkov now scans Kubernetes manifests and identifies security and configuration issues in Kubernetes workloads, including issues like over-privileged containers, bad image lifecycle practices, QoS and health check misconfiguration, and more.
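To make the classes of issue listed above concrete, here is an added example of the kind of check a manifest scanner runs; it is not Checkov's code, and the two Deployment manifests are constructed inline as Python dicts (the shape kubectl would emit as JSON) so the check runs without a YAML library. It flags privileged and root containers, host-namespace sharing, unpinned images (no tag or :latest), missing CPU/memory limits, requests that differ from limits (so the pod is not in the Guaranteed QoS class), and missing liveness/readiness probes; the image names, ports and paths are placeholders.

```python
from typing import Any, Dict, List

# Constructed sample manifests. The first mirrors the mistakes a scanner should catch;
# the second is the corrected form of the same Deployment.
BAD_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,                                 # shares the node's network namespace
        "containers": [{
            "name": "web",
            "image": "example/web:latest",                   # mutable tag: no image lifecycle control
            "securityContext": {"privileged": True},         # effectively root on the node
        }],
    }}},
}

GOOD_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "web",
            "image": "example/web:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
            },
            # requests == limits puts the pod in the Guaranteed QoS class
            "resources": {
                "requests": {"cpu": "250m", "memory": "128Mi"},
                "limits": {"cpu": "250m", "memory": "128Mi"},
            },
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        }],
    }}},
}


def image_is_pinned(image: str) -> bool:
    """True if the image is referenced by digest or by an explicit, non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]      # drop registry/repo path so a registry port is not mistaken for a tag
    return ":" in last and not last.endswith(":latest")


def check_container(c: Dict[str, Any]) -> List[str]:
    """Return one human-readable finding per misconfiguration in a single container spec."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext", {})
    findings: List[str] = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):             # Kubernetes defaults this to true
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot is not set")
    if not image_is_pinned(c.get("image", "")):
        findings.append(f"{name}: image is not pinned (no tag, or :latest)")
    res = c.get("resources", {})
    limits, requests = res.get("limits", {}), res.get("requests", {})
    for r in ("cpu", "memory"):
        if r not in limits:
            findings.append(f"{name}: no {r} limit")
    if limits and requests != limits:
        findings.append(f"{name}: requests differ from limits, so QoS class is not Guaranteed")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in c:
            findings.append(f"{name}: missing {probe}")
    return findings


def check_workload(manifest: Dict[str, Any]) -> List[str]:
    """Run the checks over a bare Pod or any template-bearing workload (Deployment, Job, ...)."""
    spec = manifest.get("spec", {})
    pod_spec = spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})
    findings: List[str] = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(ns):
            findings.append(f"pod: {ns} shares a host namespace")
    for c in pod_spec.get("containers", []):
        findings.extend(check_container(c))
    return findings


if __name__ == "__main__":
    for label, m in (("bad", BAD_DEPLOYMENT), ("good", GOOD_DEPLOYMENT)):
        print(label, check_workload(m) or ["no findings"])
```

The "bad" manifest produces nine findings and the corrected one none; a real scanner adds many more rules, but each is the same shape: walk to the pod spec, inspect a field, emit a finding with the resource and container name so the developer can fix it.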
marco-lancini/k8s-lab
Modular Kubernetes Lab that provides an easy and streamlined way to deploy a test cluster, by Marco Lancini. Currently supports Vault and ELK, with Prometheus and Grafana, Kafka, Istio, and more on the roadmap.
🔥 The Current State of Kubernetes Threat Modelling
Excellent blog post by Marco Lancini that ties together three main initiatives: a blog post by NCC Group’s Rory McCune, the CNCF Financial User Group, and the Kubernetes Security Audit Working Group, including an audit by Trail of Bits.
Kubernetes Trust Boundaries, from the CNCF
Kubernetes Data Flow, from the wg-security-audit
Container Security
Threat Alert: DzMLT has Hidden Cryptominers in Container Images
Aqua Security found 23 Docker Hub container images that included crypto mining code, collectively downloaded over 330,000 times. To avoid detection by static security tools, many of them downloaded malicious elements hosted on GitHub at runtime.
Container Vulnerability Scanning Fun
NCC Group’s Rory McCune ran 3 open source vuln scanning tools (Anchore Engine, Clair, trivy) on 4 base images. Key takeaways:
Even in base images, different scanners produce very different results.
The scanning engines support different sets of base images, so keep that in mind when you’re deciding which one to use.
Even in a fully updated base image, there can still be outstanding CVEs, depending on the update cycle of both Docker Hub and the underlying distribution.
Blue Team
firstoctet/dankAlerts
“dankAlerts, powered by Sysmon, presents anomalies to you in text written into meme images and guides you in order to reduce false positives.”
Hardware
Intel to bring anti-exploit tech to market in this year’s Tiger Lake chip family
Intel is set to debut security mechanisms known as Control Flow Enforcement Technology (CET) in its microprocessors.
Flipper Zero - Tamagochi For Hackers
Flipper is a small, pocket-sized multi-tool that aims to combine all hardware tools needed for pentesting in a portable device. Features: 433/868 MHz transceiver, 125 kHz RFID, infrared transceiver, Arduino compatibility, can be connected to any piece of hardware that uses GPIO, can emulate a USB device and pose as a regular input device like a keyboard, built-in iButton reader/writer, etc.
Reverse Engineering
Introduction to Reverse Engineering with Ghidra
A four session class, each of which contains a video, lab, and office hour component, by @wrongbaud.
Frida 12.10 Released
frida-java-bridge now supports the HotSpot JVM, which means the Java runtime bridge is no longer exclusively for Android. Frida also recently added Java.enumerateMethods(query), a brand new API for efficiently locating methods matching a given query.
Politics / Privacy
Police Brutality During the 2020 George Floyd Protests
GitHub repo with a public dataset in a structured format, easily slice and diceable.
Russian Info Ops Putting US Police in Their Crosshairs
The Russian state-sponsored news outlet RT has been interviewing U.S. police officers and publishing their frustrations related to the protests in an effort to further divide Americans ahead of the presidential election.
OSINT
s1l3nt78/sifter
An OSINT, recon & vulnerability scanner that combines many tools with different module sets in order to quickly perform recon tasks, check network firewalling, enumerate remote and local hosts, and scan for the ‘blue’ vulnerabilities within Microsoft and if unpatched, exploit them.
Misc
Learning to Cartoonize Using White-box Cartoon Representations
Tensorflow implementation for the CVPR2020 paper. Includes a number of neat images of cartoon-ifying landscapes, food, indoor scenes, and people.
Facebook’s newest proof-of-concept VR headset looks like a pair of sunglasses
Instead of a bulky contraption that covers most of your face. Whitepaper with details. H/T Bryant Zadegan
Video killed the conferencing star
A 6 part security analysis of videoconferencing solutions for business, covering Zoom, Microsoft Teams, Cisco Webex Meetings and Teams, Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet, and BigBlueButton. Some nice overview tables on encryption, authentication, jurisdiction, security management, and vulnerability management.
The food you buy really is shrinking
Rather than increasing the price, some food and household goods manufacturers are instead changing the container sizes and keeping the same price to be more profitable.
What advice would you give to your younger self?
By GitHub CTO Jason Warner. This ask me anything (AMA) repo has a number of other threads on other topics like making difficult decisions and maintaining work/life balance. H/T Daghan Altas
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint