[tl;dr sec] #45 - Bucket Brigade, ReDoS Cheat-sheet, Understanding OAuth

Hey there,

I hope been doing well! Maybe even chill and folksy, like the new T Swift album.

AppSec

“There’s something truly special happening in the static analysis world”
Neat thread by OWASP ASVS co-author Daniel Cuthbert on how he sees static analysis currently changing, and its future 🚀 

Abusing Privilege Escalation in Salesforce
Nitay Bachrach describes how a malicious insider with the Author Apex permission can escalate their privileges to take over an organization’s Salesforce account and all data within it.

GitHub’s Security Roadmap
GitHub is now tracking some of its roadmap via public GitHub issues, which is neat. 👆 filters to just the security-focused ones. H/T Isaac Evans for the link.

Zero Knowledge Proofs: An illustrated primer 
Great overview and explanation in plain English (and funny!) by Johns Hopkins University professor Matthew Green.

The Regular Expression Denial of Service (ReDoS) cheat-sheet
Great ReDoS overview by Purdue Professor Jamie Davis, including many links to tools and approaches to prevent and detect ReDoS, with bountiful links to other resources to learn more. See also his tool vuln-regex-detector to scan your projects for vulnerable regexes and google/re2 for a fast regex implementation. Also, the re.DEBUG flag can be useful in identifying dangerous nested patterns, H/T Martín Obiols.

Regexper can be used to visualize regexes, and this regex visualizer, simulator and cross-compiler tool by Robert Elder Software is a neat tool that walks you through each step of the match.

OAuth

Introducing the OAuth 2.0 Flow Simulator
Nifty web app by Philippe De Ryck that allows you to walk through OAuth 2.0 and OpenID Connect flows step-by-step, making backchannel requests visible, and showing frontchannel requests without you needing to dig through your browser’s developer tools.

OAuth 2.0 Playground
Similarly, helps you understand the OAuth authorization flows and shows each step of the process of obtaining an access token. Choose from several potential OAuth flows: authorization code, PKCE, implicit, device code, or OpenID Connect.

Web Security

qazbnm456/awesome-web-security
A massive list of web security resources by Boik.

Cloud Security

New tool detects AWS intrusions where hackers abuse self-replicating tokens
CyberArk and NetSPI have found that some attackers are now sneakily hiding their persistence by using the AWS Security Token Service (STS) to continually create short-lived tokens they can use. Omer Tsarfati has open sourced SkyWrapper, a tool that generates a spreadsheet that lists all the currently active temporary tokens and the access keys that were used to create them.

So I Heard You Want to Learn Kafka
Great overview post by Marco Lancini on what Kafka is and how it works, enabling transport layer encryption, authentication and authorization options, and more.

Introducing The CIS Amazon EKS Benchmark
The CIS Amazon EKS Benchmark consists of four sections on control plane logging configuration, node security configurations, policies and managed services. See also CIS EKS Benchmark Assessment Using kube-bench.

Introducing the State of Open Source Terraform Security Report
Bridgecrew scanned all 2.6K modules in the public Terraform Registry using their open source tool, checkhov, which currently contains 300 compliance and security checks across AWS, Azure, and Google Cloud.

Network Security

RustScan: Faster Nmap Scanning with Rust
Tool by Brandon Skerritt that can scan all 65K ports in 8s and then easily pipe them into nmap. Also, the README throws some shade 🤣

Red Team

Sinking U-Boots with Depthcharge
Depthcharge by Jon Szymaniak is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality.

yeyintminthuhtut/Awesome-Red-Teaming
List of red teaming resources by @yeyint_mth covering initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, command and control, device hacking, red team gadgets, ebooks, training, and certs.

Reverse Engineering

Battelle Publishes Open Source Binary Visualization Tool
The newly released CantorDust Ghidra plugin enables the rapid visualization of unknown binary data, reducing the burden on digital forensics and reverse engineering teams.

frida/cryptoshark
“Self-optimizing cross-platform code tracer based on dynamic recompilation, powered by Frida and Capstone. Works at the machine code level, no source code needed. Tags threads based on which APIs they use, showing you in real-time what functions have been called, allowing you to study them by carefully injecting logging and other side-effecty code.”

Politics / Privacy

Can you spot deep fake people?
Fascinating Twitter thread by Raphael Satter of examples of the types of artifacts and tells current GANs have when generating people’s faces.

OSINT

yogeshojha/rengine
An automated reconnaissance framework meant for gathering information a web app pen test, by Yogesh Ojha. reNgine has customizable scan engines, which can be used to scan websites, endpoints, and gather info.

Misc

Notes from Alan Kay’s talk: “Metaphors, Magnetic Fields, Snobbery and Slogans”

An OSCP Exam Report Template in MarkdownCompiles to a nice PDF using Pandoc, by @noraj_rawsec.

The worst tool for the job

Refinement Types and Program Synthesis, Featuring Nadia Polikarpova
Last week I wrote a summary of a new Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible. This week I was thrilled to see that my friend Quinn Wilton has started a newsletter where she will be summarizing the PLTalk videos.

Reverse Threat Modeling for Pursuing Attribution
Daniel Miessler on determining potential actors behind attacks based on who benefits from outcome.

Convert your photos to anime characters
With an AI GAN image-to-image translator. paper source code 

I probably need to choose a pic with a less busy background and maybe less soft focus, but still interesting to see.

📚 How to use the Bucket Brigade to Secure Your Public AWS S3 Buckets

Awesome post by Adam Youngberg on how Databricks secures their public S3 buckets, and they’ve open sourced their solution.

The first step is to have a solid asset inventory (which I think is so important, I included it as one of my 3 “fundamentals” in my most recent scaling security talk, along with vulnerability management and continuous scanning)- determine all public S3 buckets. This can be done with Lyft’s Cartography tool or the commercial JupiterOne.

Do we have non-public files in intentionally public buckets?

For this, they repurpose Níels Ingi’s YAR tool, except instead of scanning GitHub repos for secrets, they spin up EC2 instances, synchronize the bucket contents, and scan them with YAR + additional patterns specific to their secrets.

 Keeping buckets from becoming unintentionally public 

They leverage Cloud Custodian, a real-time cloud security, governance, and management tool that uses AWS Lambda functions and CloudWatch events to detect changes to configuration.

They added a Cloud Custodian policy to automatically enable AWS public access blocks for buckets explosed publicly through any access control lists (ACLs).

If dev teams want an exception, they must follow an internal policy and process for intentionally public buckets that required this functionality to remain disabled.

In short: they use JupiterOne for alerting on publically accessible buckets, and Cloud Custodian for enforcement.

What if non public data gets later added to existing public buckets?

It’s not enough to point-in-time evaluable if the contents of a public bucket are safe, ideally you want real-time alerting if this were to ever change in the future.

Any time bucket objects are created or updated, an S3 event is triggered that goes to an SQS queue. Lambda functions then process these events inspecting, each file for secrets, using pattern matching similar to the YAR method.

If any matches are found, the output is sent to an alert queue, which the security team receives results from in near real-time.

Making this work in the Real World

So far, technically, this approach sounds great.

But there are important things about rolling out changes like this that are crucial to getting buy-in in your company, that the post and repo also address, which is what takes this post from “oh this is cool” to 🔥🔥 (yes, the elusive double fire).

Specifically:

• How do you address ownership and dependencies between resources?

• And how do you message these changes to the rest of the org?

The repo includes email templates, both for leadership as well as to a more broader audience, about the Cloud Custodian public access block and owner tag enforcement.

Nailing the workflow/process and communicating the changes to the rest of your company are key, so the fact that the post and repo share details about these components is 👌 in my book.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint