[tl;dr sec] #41 - Threat Modeling Kubernetes, Secret Scanner Benchmark, OWASP Software Component Verification Standard
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASP's standard on identifying/reducing supply chain risk.
I hope you’re doing well! It’s important to set aside some time, especially in these unusual times, to relax, do something you enjoy, and maybe cut loose and go wild.
Like me, for example: last weekend I had ~600 lbs of Ikea furniture delivered, so I spent about one and a half days assembling it.
I know not everyone is comfortable throwing caution to the wind and raging hard like that, but what can I say, that’s just the kinda person I am.
Sidenote: If you’re thinking about buying one of Ikea’s customizable PAX storage units, check out the PAX planner. It’s Flash (ugh), but pretty useful for testing the visual layout of various components.
Cyber June’Gle Virtual Summit
I gave my “Opinionated Guide to Scaling Your Company’s Security” talk at this great event, which was organized by the DEF CON Red Team Village. The variety of talks was really cool to see, I appreciated that. Youtube Playlist of the talks.
Software Security Gurus Webcast Episode #7: Clint Gibler
I chatted with my bud Matias Madou, CTO and co-founder of Secure Code Warrior, about static analysis, threat modeling, and writing summaries for an entire conference.
📢 Datadog Security Monitoring
Security threats in cloud-native environments move fast, which means that security teams need to have the same visibility into their infrastructure, network, and applications as developers and operations. With Datadog Security Monitoring, engineering teams can easily detect malicious activity in real-time before it affects their customers. Use OOTB detection rules and detailed observability data in one, unified platform to investigate security attacks. See it in action by signing up for a 👇
📜 In this newsletter...
AppSec: Overview of website 2FA support, v3 of the security auditing tool lynis, OWASP Software Component Verification Standard v1
Mobile Security: Quarkslab examined Google's Fuchsia OS, system hardening in Android 11
Web Security: Tool to exfiltrate browser data using DNS, hiding JS in EXIF metadata, exfiltrating data to Google Analytics, web cache deception in the wild study, Portswigger started a Youtube channel, open source Kubernetes operator for ZAP
Secrets Management: Tool to search GitHub for secrets, a repo full of different hard-coded secrets to benchmark your secret scanners
Cloud Security: # of APIs by AWS service
Kubernetes Security: Checkov now supports scanning Kubernetes manifests, a modular K8s lab to deploy a test cluster, the current state of Kubernetes threat modeling
Container Security: Cryptominers found in Docker Hub images, lessons learned running 3 open source container scanning tools
Blue Team: Get anomaly alerts in dank memes
Hardware: New Intel chip family including anti exploit tech, a small multi-tool for hardware testing
Reverse Engineering: Four hour class on learning reverse engineering with Ghidra, new Frida version supports Java runtime bridge beyond just Android
Politics / Privacy: Open dataset on GitHub for police brutality during recent protests, Russian news outlets interviewing U.S. police officers to try to stoke divisions
OSINT: An OSINT, recon, and vuln scanner that combines many tools
Misc: Tensorflow implementation to auto-cartoonize images, Facebook's new lightweight VR headset, a security analysis of 6 videoconferencing solutions, the food you buy is shrinking, GitHub CTO on advice he'd give his younger self
A list of websites by category, if they support 2FA, and if so, what types (SMS, phone call, email, hardware token, software token).
“Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening.” V3 includes some security fixes, initial support for profiles (e.g. DevOps, forensics, and pen testing), and a number of new tests. H/T Michael Boelen
OWASP Software Component Verification Standard v1.0
By project lead Steve Springett: “The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.” Sections: Inventory, Software Bill of Materials, Build Environment, Package Management, Component Analysis, Pedigree and Provenance.
Playing Around With The Fuchsia Operating System
Detailed post by Quarkslab, discussing the Zircon microkernel and attacking Fuchsia: the USB and Bluetooth stack, a hypervisor vmcall bug, and kernel mishandling of MXCSR and iretq.
System hardening in Android 11
Post by Google describing a number of hardening steps, including automatic memory initialization in both Android 11’s userspace (stack variables) and the Linux kernel (stack and heap initialization), making Scudo Android’s default native memory allocator (hardened to help detect and mitigate heap memory corruption bugs), and more.
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
Crooks abuse Google Analytics to conceal theft of payment card data
To conceal their data exfiltration, some attackers are sending data they’ve skimmed to an account they control on google-analytics.com, which tends to be whitelisted by site owners.
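One defensive check that follows from the technique above: because the exfiltration rides on a domain the site's CSP already allows, blocking the domain is not an option, but every Google Analytics beacon carries the tracking ID (tid) of the property it reports to, and a beacon to a property the site does not own is a strong signal. The script below is an added example, not code from the newsletter or from the linked article; the allowlist of tracking IDs, the log lines, and the oversized-parameter threshold are all constructed for illustration, and it assumes outbound request URLs are available one per line (for example from a CSP report endpoint or a RUM/proxy log).

```python
"""Flag Google Analytics 'collect' beacons whose tracking ID is not one of the
site's own properties, or whose parameters are suspiciously large.

Added example (not from the original article). Everything below is constructed:
the site's own tracking IDs, the sample request log, and the size threshold.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed: the GA property IDs this site legitimately reports to.
OWN_TRACKING_IDS = {"UA-00000001-1"}

# Constructed: any single parameter value longer than this is worth a look,
# since normal page/event beacons carry short values.
MAX_PARAM_LEN = 64

# Constructed sample of outbound request URLs observed from a checkout page.
# The third line carries a base64 blob in the event-action field and reports
# to a property the site does not own (the pattern described in the article).
SAMPLE_REQUESTS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000001-1&t=pageview&dp=%2Fcheckout",
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000001-1&t=event&ec=ui&ea=click",
    "https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&t=event&ec=x"
    "&ea=Y29uc3RydWN0ZWQtZXhmaWwtc2FtcGxlY29uc3RydWN0ZWQtZXhmaWwtc2FtcGxlY29uc3RydWN0ZWQ",
    "https://cdn.example.com/static/app.js",
]


def is_ga_collect(url: str) -> bool:
    """True if the URL is a Measurement Protocol hit to google-analytics.com."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    on_ga_domain = host == "google-analytics.com" or host.endswith(".google-analytics.com")
    return on_ga_domain and parts.path.endswith("/collect")


def tracking_id(url: str) -> Optional[str]:
    """Return the 'tid' query parameter, or None if absent."""
    return parse_qs(urlsplit(url).query).get("tid", [None])[0]


def longest_param(url: str) -> int:
    """Length of the longest single query-parameter value (0 if none)."""
    values = [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]
    return max((len(v) for v in values), default=0)


def find_suspicious_beacons(urls: List[str], own_ids) -> List[Tuple[str, str]]:
    """Return (url, reason) for GA beacons that look like exfiltration:
    a tracking ID outside own_ids, or an oversized parameter value."""
    findings = []
    for url in urls:
        if not is_ga_collect(url):
            continue
        tid = tracking_id(url)
        if tid not in own_ids:
            findings.append((url, f"unknown tracking id {tid}"))
        elif longest_param(url) > MAX_PARAM_LEN:
            findings.append((url, "oversized parameter value"))
    return findings


if __name__ == "__main__":
    for url, reason in find_suspicious_beacons(SAMPLE_REQUESTS, OWN_TRACKING_IDS):
        print(f"{reason}: {url}")
```

Run against a real log, the allowlist is the set of property IDs the marketing team actually provisioned; a beacon reporting to any other property from a payment or login page is worth treating as a skimming indicator rather than noise. The domain check is exact on the host rather than a substring match, so a look-alike domain does not pass as Google Analytics.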
Cached and Confused: Web Cache Deception in the Wild
Usenix 2020 paper, overview article by Portswigger’s Ben Dickson.
PortSwigger has started a Youtube Channel
Will be interesting to see what they add over time 👍
Operator driven API security testing based on OpenAPI definition
Last Autumn Banzai Cloud open sourced dast-operator, which aims to make it easy to run OWASP ZAP as a Kubernetes operator. dast-operator can now ingest OpenAPI definitions to feed the ZAP scan.
# of APIs by AWS Service by Scott Piper
Kubernetes static code analysis with Checkov
Checkov now scans Kubernetes manifests and identifies security and configuration issues in Kubernetes workloads, including over-privileged containers, bad image lifecycle practices, QoS and health check misconfiguration, and more.
Modular Kubernetes Lab that provides an easy and streamlined way to deploy a test cluster, by Marco Lancini. Currently supports Vault and ELK, with Prometheus and Grafana, Kafka, Istio, and more on the roadmap.
🔥 The Current State of Kubernetes Threat Modelling
Excellent blog post by Marco Lancini that ties together three main initiatives: a blog post by NCC Group’s Rory McCune, the CNCF Financial User Group, and the Kubernetes Security Audit Working Group, including an audit by Trail of Bits.
Kubernetes Trust Boundaries, from the CNCF
Kubernetes Data Flow, from the wg-security-audit
Threat Alert: DzMLT has Hidden Cryptominers in Container Images
Aqua Security found 23 Docker Hub container images that included crypto mining code, collectively downloaded over 330,000 times. To avoid detection by static security tools, many of them downloaded malicious elements hosted on GitHub at runtime.
Even in base images, different scanners produce very different results.
The scanning engines support different sets of base images, so keep that in mind when you’re deciding which one to use.
Even in a fully updated base image, there can still be outstanding CVEs, depending on the update cycle of both Docker Hub and the underlying distribution.
“dankAlerts, powered by Sysmon, presents anomalies to you in text written into meme images and guides you in order to reduce false positives.”
Intel to bring anti-exploit tech to market in this year’s Tiger Lake chip family
Intel is set to debut security mechanisms known as Control Flow Enforcement Technology (CET) in its microprocessors.
Flipper Zero - Tamagochi For Hackers
Flipper is a small, pocket-sized multi-tool that aims to combine all the hardware tools needed for pentesting in a portable device. Features: 433/868 MHz transceiver, 125 kHz RFID, infrared transceiver, Arduino compatibility, can be connected to any piece of hardware that uses GPIO, can emulate a USB device and pose as a regular input device like a keyboard, built-in iButton reader/writer, etc.
Frida 12.10 Released
frida-java-bridge now supports the HotSpot JVM, which means the Java runtime bridge is no longer exclusively for Android. Frida also recently added Java.enumerateMethods(query), a brand new API for efficiently locating methods matching a given query.
Politics / Privacy
Police Brutality During the 2020 George Floyd Protests
GitHub repo with a public dataset in a structured format, easily slice and diceable.
Russian Info Ops Putting US Police in Their Crosshairs
The Russian state-sponsored news outlet RT has been interviewing U.S. police officers and publishing their frustrations related to the protests in an effort to further divide Americans ahead of the presidential election.
An OSINT, recon & vulnerability scanner that combines many tools with different module sets in order to quickly perform recon tasks, check network firewalling, enumerate remote and local hosts, and scan for the ‘blue’ vulnerabilities within Microsoft and if unpatched, exploit them.
Learning to Cartoonize Using White-box Cartoon Representations
Tensorflow implementation for the CVPR2020 paper. Includes a number of neat images of cartoon-ifying landscapes, food, indoor scenes, and people.
Facebook’s newest proof-of-concept VR headset looks like a pair of sunglasses
Instead of a bulky contraption that covers most of your face. Whitepaper with details. H/T Bryant Zadegan
Video killed the conferencing star
A 6 part security analysis of videoconferencing solutions for business, covering Zoom, Microsoft Teams, Cisco Webex Meetings and Teams, Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet, and BigBlueButton. Some nice overview tables on encryption, authentication, jurisdiction, security management, and vulnerability management.
The food you buy really is shrinking
Rather than increasing the price, some food and household goods manufacturers are instead shrinking the container sizes and keeping the same price to be more profitable.
What advice would you give to your younger self?
By GitHub CTO Jason Warner. This ask me anything (AMA) repo has a number of other threads on other topics like making difficult decisions and maintaining work/life balance. H/T Daghan Altas
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.
Thanks for reading!