[tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination

Hey there,

I hope you had a relaxing and safe 4th of July weekend!

I’ll let you guess what I got up to:

1. Pounding beers with my bros 💪

2. Rabbit holing into Personal Knowledge Management and optimizing how I ingest and store information

3. Driving in fast cars with the hood rolled down

4. Just being thankful for how effectively the U.S. government is handling COVID-19

5. Called my family

6. Cried softly into my pillow

7. Did some pleasure reading

If you guessed #2, #5, and #7, you’ve been awarded 10 tl;dr sec points, which you can redeem at our merch store for stickers, high fives, and other exclusive swag.

tl;dr Search

You can now search across every tl;dr sec issue and post! There are still some things I want to improve, but hopefully this is useful enough for now.

AppSec

Top 100 Linux Security Tools
From Linux Security Labs. Rankings determined by a combination of manual review and automated analysis.

HackerOne’s 2020 Top 10 public bug bounty programs
Some stats for the 10 programs with the largest total payouts, including total bounties paid, top bounty, average time to first response, average time to bounty,hackers thanked, and reports resolved.

What Modern CI/CD Should Look Like
Funny and nice overview post by John Kinsella on the security checks that should be done between writing code and production. He also marks up diagrams for AWS, GCP, and Azure for how he thinks they should look.

Why I’m Writing A Book On Cryptography
I’m going to be honest with you: I think cryptography is incredibly important and I value it, but it’s not something I like reading about. Fortunately, my friend David Wong is writing a book that focuses on the actionable things you need to know, is diagram heavy, and isn’t all proofs. This will probably be a pretty cool book.

Encrypting Data while Preserving Formatting with the Vault Enterprise Transform Secrets Engine
“Vault 1.4 Enterprise introduced a new secrets engine called Transform. Transform is a secrets engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems. The Transform engine allows you to ensure that when a system is compromised, and its data is leaked, that the encoded secrets remain uncompromised even when held by an adversary. Unlike the Transit secrets engine, with Transform you can encrypt data while preserving the original formatting.”

Web Security

Simplifying API Pentesting With Swagger Files
Rhino Security Labs created Swagger-EZ (web app, source), which takes in an OpenAPI specification URL or JSON blob and lets you fill in each unique parameter with some valid test data. You can then send off all the requests at once, and when passed through an intercepting proxy, will give you a populated site tree.

Pro-tip: they bypass the headache of supporting many different definition file formats (e.g. Swagger 1.0, API Blueprint, etc.) by converting them to a common format that works with most tools. https://openapi.tools/ contains a list of useful conversion tools, and if the definition file is not sensitive, they typically use https://apimatic.io/transformer, as it accepts many different formats.

An offensive guide to the Authorization Code grant
By NCC Group’s Rami McCarthy: “a comprehensive and digestible enumeration of security concerns in the OAuth 2.0 Authorization Code flow, from an end-user (or penetration tester)’s external vantage. This post will introduce, break down the observable vulnerabilities, and explain the exploitation of each the following aspects of the Authorization Code flow: state, code, redirect_url, client_secret, Access Token, Clickjacking.”

Cloud Security

Tools for Cloud Examination
These slides referenced some interesting tools:

• log2timeline/dftimewolf - A framework for orchestrating forensic collection, processing and data export.

• google/turbinia - A framework for deploying, managing, and running distributed forensic workloads. It is intended to automate running of common forensic processing tools (i.e. Plaso, TSK, strings, etc) to help with processing evidence in the Cloud.

• google/timesketch - A tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.

• google/GiftStick - Allows an inexperienced user to one click upload forensics evidence (e.g. info about the system, a full disk image as well as the system’s firmware) from a target device (that will boot on an external device containing the code) to Google Cloud Storage.

• log2timeline/plaso - Python-based engine that can collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline).

Use AWS Glue to make CloudTrail Parquet partitions
Alex Smolen describes his cloudtrail-parquet-glue Terraform module, which makes CloudTrail logs efficiently Athena-searchable with minimal custom code using AWS Glue.

Container Security

plexsystems/konstraint
A CLI tool to assist with the creation and management of constraints when using Gatekeeper, which is a policy controller for Kubernetes.

Blue Team

Let Me Out of Your Net - Egress Testing
Rob Fuller built a website, http://letmeoutofyour.net/, that listens on all ports for HTTP, HTTPS, and SSH, and shares a script to make it easy to use the site to test all the ports/protocols for which your network allows egress.

Elastic Security opens public detection rules repo
The Elastic security team released a GitHub repo of detection rules with coverage for many MITRE ATT&CK techniques, largely written in the Kibana Query Language.

 FSecureLABS/leonidas
A framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into a web API exposing each test case as an individual endpoint and Sigma rules for detection.

Network Security

google/tsunami-security-scanner
“Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.” When a new high severity issue is announced, Tsunami can help scan your thousands to millions of connected systems to find what’s vulnerable. H/T Caleb Sima 

Red Team

Payload Delivery for DevOps : Building a Cross-Platform Dropper Using the Genesis Framework, Metasploit and Docker
Post by @khast3x on creating a cross-platform payload dropper with Gscript. “Gscript is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by V8) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained with the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage one binaries for Windows, Mac, and Linux.”

cybiere/baboossh
Tool by @cybiere that allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.

Politics / Privacy

Librem 14 Thoughts From a Librem 13 Early Adopter
If open source, security, and privacy are important to you; if you have an EFF lower back tattoo and an accompanying “No Ragrets” neck tattoo, then the Librem laptops should be on your radar. They’re open source all the way down, have hardware kill switches for the webcam and microphone, and have good support for Qubes OS.

In this post, Kyle Rankin describes his history with Purism, the company behind Librem, and their upcoming new laptop.

Misc

Solutions for EVERY GATE Theory of Computation Question!
A professor solves 247 computer science exam problems in 4 hours 😱 

Web Desktops
If you’re a fan of websites, web apps, and portfolios which resemble desktop GUIs, check it out.

SQL Fiddle
Web app that let’s you create a DB schema, choose a database backend (MySQL, Oracle, PostgreSQL), write a query, and view the results, all within one page. Sort of like regex101 but for SQL. Might be useful for troubleshooting your SQLi payload.

levels.fyi Total Compensation Calculator
Given your company, salary, signing bonus, and total stock grant, it shows your total compensation over 4 years. Also allows comparing multiple offers in the same view.

Twitter

Overview of 7 years of fuzzing papers
Really neat thread by Marcel Böhme laying out the motivations and contributions of papers from his research group. If I could get one of these for every lab group I’d be so happy 😍 Here’s a taste:

📚 Towards trusted sensing for the cloud: Introducing Project Freta

It’s not often you come across research that might fundamentally, scalably, push security forward. This ambitious project from Microsoft Research might be one of them.

One thing I like about it is that they come at the problem from an economics angle.

There’s huge economic upside for attackers to build malware that cannot be detected, as they can continue to use it across many victims. Thus, the economics of reuse justify enormous attacker investment in malware non-discoverability.

Conversely, once a malware strain is discovered, it’s value plummets corresponding to how effectively it can still be used.

The rest of the post describes Project Freta (docs), which can capture and analyze full VM memory snapshots without the tells that enable malware to know it’s been observed and self-destruct or evade detection. Project Freta can batch process 10,000+ live VMs without disrupting their execution.

🔍 Searching for the Ultimate Obstacle to Creativity

True story: as I was starting tl;dr sec, I spent ~4-6 weeks evaluating various static site generators and themes. Yes, you heard me correctly - I spent over a month researching before I had written a single post.

Writing is hard. And stressful. One of the best (and every Wednesday, worst) things that’s happened to me is deciding to send out tl;dr sec weekly. It is an invaluable forcing function.

In this excellent post by Daniel Miessler, he connects a number of, on the surface, disparate procrastination mechanisms with the same underlying cause(s). Procrastination can be a self-defense mechanism- it distracts us from the fact that we haven’t made the progress we wanted to, that other people have done so much more, from other prior pain, etc.

Daniel discusses 3 distinct mechanisms:

1. Training as Avoidance - Studying a craft instead of just doing it.

2. The Toolbox Fallacy - Waiting for a tool or life condition before we can start pursuing our dreams.

3. Procrastination - Distracting ourselves from prior trauma or pain.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint