• tl;dr sec
  • Posts
  • [tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination

[tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination

tl;dr sec now supports search, snapshotting VMs at scale in a way malware can't evade, reflections on why we procrastinate.

Hey there,

I hope you had a relaxing and safe 4th of July weekend!

I’ll let you guess what I got up to:

  1. Pounding beers with my bros 💪

  2. Rabbit holing into Personal Knowledge Management and optimizing how I ingest and store information

  3. Driving in fast cars with the hood rolled down

  4. Just being thankful for how effectively the U.S. government is handling COVID-19

  5. Called my family

  6. Cried softly into my pillow

  7. Did some pleasure reading

If you guessed #2, #5, and #7, you’ve been awarded 10 tl;dr sec points, which you can redeem at our merch store for stickers, high fives, and other exclusive swag.

You can now search across every tl;dr sec issue and post! There are still some things I want to improve, but hopefully this is useful enough for now.


📢 PentesterLab: Stay on top of your Game!

Quickly learn the latest tricks and vulnerabilities with PentesterLab PRO, where we provide you with a clear path to go from Zero to Hero!

Our constantly evolving content covers the latest attacks as well as code review challenges. The challenges start from simple bugs and go up to very complex vulnerability chaining. Master the OWASP TOP 10 as well as complex topics like OAuth2, SAML and the latest JWT attacks.

📜 In this newsletter...

🔗 Links:

  • AppSec: Top 100 Linux security tools, top 10 HackerOne programs by 2020 payout, what modern CI/CD should look like, an accessible book on cryptography, new Vault secrets engine

  • Web Security: Tool to leverage Swagger files when pen testing, auditing OAuth Authorization Code grants

  • Cloud Security: Tools for cloud examination, making CloudTrail logs efficiently Athena-searchable

  • Container Security: CLI tool to assist with the creation and management of constraints when using Gatekeeper

  • Blue Team: Tool/site for egress testing, open source Elastic detection rules, testing detection of cloud attacker TTPs

  • Network Security: Large scale network vulnerability scanner by Google

  • Red Team: Using a cross-platform payload dropper, tool to help pivoting from SSH connections on a compromised host

  • Politics / Privacy: Reflections on the privacy-focused Librem laptops and their upcoming new model

  • Misc: A professor solves 247 computer science exam problems in 4 hours, websites that look like desktops, regex101 but for SQL, total compensation calculator

  • Twitter: An overview of 7 years of fuzzing papers

📚 Toward trusted sensing for the cloud: Introducing Project Freta

Really promising project from Microsoft about being able to scalably snapshot massive VM fleets in a way that malware cannot evade, potentially changing future malware economics.

🔍 Searching for the Ultimate Obstacle to Creativity

Excellent post by Daniel Miessler on Imposter Syndrome, procrastination, being a creator, and more.


Top 100 Linux Security Tools
From Linux Security Labs. Rankings determined by a combination of manual review and automated analysis.

HackerOne’s 2020 Top 10 public bug bounty programs
Some stats for the 10 programs with the largest total payouts, including total bounties paid, top bounty, average time to first response, average time to bounty,hackers thanked, and reports resolved.

What Modern CI/CD Should Look Like
Funny and nice overview post by John Kinsella on the security checks that should be done between writing code and production. He also marks up diagrams for AWS, GCP, and Azure for how he thinks they should look.

I realize AWS has a rich vendor partner ecosystem (unlike Azure) and they don’t want to step on their partners toes (lol OK that’s not it), so possibly that’s why things were left off this diagram.

Why I’m Writing A Book On Cryptography
I’m going to be honest with you: I think cryptography is incredibly important and I value it, but it’s not something I like reading about. Fortunately, my friend David Wong is writing a book that focuses on the actionable things you need to know, is diagram heavy, and isn’t all proofs. This will probably be a pretty cool book.

Encrypting Data while Preserving Formatting with the Vault Enterprise Transform Secrets Engine
“Vault 1.4 Enterprise introduced a new secrets engine called Transform. Transform is a secrets engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems. The Transform engine allows you to ensure that when a system is compromised, and its data is leaked, that the encoded secrets remain uncompromised even when held by an adversary. Unlike the Transit secrets engine, with Transform you can encrypt data while preserving the original formatting.”

Web Security

Simplifying API Pentesting With Swagger Files
Rhino Security Labs created Swagger-EZ (web app, source), which takes in an OpenAPI specification URL or JSON blob and lets you fill in each unique parameter with some valid test data. You can then send off all the requests at once, and when passed through an intercepting proxy, will give you a populated site tree.

Pro-tip: they bypass the headache of supporting many different definition file formats (e.g. Swagger 1.0, API Blueprint, etc.) by converting them to a common format that works with most tools. https://openapi.tools/ contains a list of useful conversion tools, and if the definition file is not sensitive, they typically use https://apimatic.io/transformer, as it accepts many different formats.

An offensive guide to the Authorization Code grant
By NCC Group’s Rami McCarthy: “a comprehensive and digestible enumeration of security concerns in the OAuth 2.0 Authorization Code flow, from an end-user (or penetration tester)’s external vantage. This post will introduce, break down the observable vulnerabilities, and explain the exploitation of each the following aspects of the Authorization Code flow: state, code, redirect_url, client_secret, Access Token, Clickjacking.”

Cloud Security

Tools for Cloud Examination
These slides referenced some interesting tools:

  • log2timeline/dftimewolf - A framework for orchestrating forensic collection, processing and data export.

  • google/turbinia - A framework for deploying, managing, and running distributed forensic workloads. It is intended to automate running of common forensic processing tools (i.e. Plaso, TSK, strings, etc) to help with processing evidence in the Cloud.

  • google/timesketch - A tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.

  • google/GiftStick - Allows an inexperienced user to one click upload forensics evidence (e.g. info about the system, a full disk image as well as the system’s firmware) from a target device (that will boot on an external device containing the code) to Google Cloud Storage.

  • log2timeline/plaso - Python-based engine that can collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline).

Use AWS Glue to make CloudTrail Parquet partitions
Alex Smolen describes his cloudtrail-parquet-glue Terraform module, which makes CloudTrail logs efficiently Athena-searchable with minimal custom code using AWS Glue.

Glue Workflow to convert raw CloudTrail S3 logs to Parquet and expose via a Glue table

Container Security

A CLI tool to assist with the creation and management of constraints when using Gatekeeper, which is a policy controller for Kubernetes.

Blue Team

Let Me Out of Your Net - Egress Testing
Rob Fuller built a website, http://letmeoutofyour.net/, that listens on all ports for HTTP, HTTPS, and SSH, and shares a script to make it easy to use the site to test all the ports/protocols for which your network allows egress.

Elastic Security opens public detection rules repo
The Elastic security team released a GitHub repo of detection rules with coverage for many MITRE ATT&CK techniques, largely written in the Kibana Query Language.

A framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into a web API exposing each test case as an individual endpoint and Sigma rules for detection.

Network Security

“Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.” When a new high severity issue is announced, Tsunami can help scan your thousands to millions of connected systems to find what’s vulnerable. H/T Caleb Sima 

Red Team

Payload Delivery for DevOps : Building a Cross-Platform Dropper Using the Genesis Framework, Metasploit and Docker
Post by @khast3x on creating a cross-platform payload dropper with Gscript. “Gscript is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by V8) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained with the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage one binaries for Windows, Mac, and Linux.”

Tool by @cybiere that allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.

Politics / Privacy

Librem 14 Thoughts From a Librem 13 Early Adopter
If open source, security, and privacy are important to you; if you have an EFF lower back tattoo and an accompanying “No Ragrets” neck tattoo, then the Librem laptops should be on your radar. They’re open source all the way down, have hardware kill switches for the webcam and microphone, and have good support for Qubes OS.

In this post, Kyle Rankin describes his history with Purism, the company behind Librem, and their upcoming new laptop.


Solutions for EVERY GATE Theory of Computation Question!
A professor solves 247 computer science exam problems in 4 hours 😱 

Web Desktops
If you’re a fan of websites, web apps, and portfolios which resemble desktop GUIs, check it out.

SQL Fiddle
Web app that let’s you create a DB schema, choose a database backend (MySQL, Oracle, PostgreSQL), write a query, and view the results, all within one page. Sort of like regex101 but for SQL. Might be useful for troubleshooting your SQLi payload.

levels.fyi Total Compensation Calculator
Given your company, salary, signing bonus, and total stock grant, it shows your total compensation over 4 years. Also allows comparing multiple offers in the same view.


Overview of 7 years of fuzzing papers
Really neat thread by Marcel Böhme laying out the motivations and contributions of papers from his research group. If I could get one of these for every lab group I’d be so happy 😍 Here’s a taste:

My first technical paper introduced a technique that could, in principle, prove that no bug was introduced by a new code commit ICSE’13. This was also the first of several symbolic execution-based whitebox fuzzers [FSE’13, ASE’16, ICSE’20].

Yet, something was amiss. Even a simple random input generator could outperform my most effective whitebox fuzzer if it generated inputs fast enough. To understand why, we modelled fuzzing as a sampling process and proved some bounds [FSE’14, TSE’15].

It’s not often you come across research that might fundamentally, scalably, push security forward. This ambitious project from Microsoft Research might be one of them.

One thing I like about it is that they come at the problem from an economics angle.

There’s huge economic upside for attackers to build malware that cannot be detected, as they can continue to use it across many victims. Thus, the economics of reuse justify enormous attacker investment in malware non-discoverability.

Conversely, once a malware strain is discovered, it’s value plummets corresponding to how effectively it can still be used.

The question for defenders, then, is how can we raise the cost of non-discovery? Is there a point beyond which a class of malware is no longer economically viable?

The rest of the post describes Project Freta (docs), which can capture and analyze full VM memory snapshots without the tells that enable malware to know it’s been observed and self-destruct or evade detection. Project Freta can batch process 10,000+ live VMs without disrupting their execution.

Some kernel hooking identification is performed automatically; this can be used by analysts to detect novel rootkits.

Of interest to defenders: debugging relationships are provided to allow for investigation of counter-debugging techniques; library imports are listed to allow for investigation of LD_PRELOAD based attacks; and simple hooking of systems calls is detected and mapped.

True story: as I was starting tl;dr sec, I spent ~4-6 weeks evaluating various static site generators and themes. Yes, you heard me correctly - I spent over a month researching before I had written a single post.

Writing is hard. And stressful. One of the best (and every Wednesday, worst) things that’s happened to me is deciding to send out tl;dr sec weekly. It is an invaluable forcing function.

In this excellent post by Daniel Miessler, he connects a number of, on the surface, disparate procrastination mechanisms with the same underlying cause(s). Procrastination can be a self-defense mechanism- it distracts us from the fact that we haven’t made the progress we wanted to, that other people have done so much more, from other prior pain, etc.

Daniel discusses 3 distinct mechanisms:

  1. Training as Avoidance - Studying a craft instead of just doing it.

  2. The Toolbox Fallacy - Waiting for a tool or life condition before we can start pursuing our dreams.

  3. Procrastination - Distracting ourselves from prior trauma or pain.

Don’t try to fix your creator problems with even more study, or even better tools. Instead, look yourself right in the face, and tell yourself the following.

You are awesome. You are creative. You are capable. You are loved. And you are going to be awesome.

I know that you can be a great creator. I believe in you. And you should too.

Go do it.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them


Thanks for reading!