
[tl;dr sec] #46 - Grokking CSP, Automating Threat Model ➡️ Security Tests, Unknown Blob ➡️ Plaintext

How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.

Hey there,

I hope you've been doing well.

It’s strange being in my house this time of year.

Usually I'm joining the pilgrimage of security professionals around the world to the Nevada desert, where thousands of mohawk-bearing, piercing-wearing hackers in black t-shirts manifest the hacker version of Fear and Self-Loathing in Las Vegas for one beautiful, and mercifully short, week a year.

Every year I look forward to it. Every year I have a blast catching up with friends and making new ones. Every year I feel like it’s a bit much, but I inevitably come back again.

I tip my steampunk monocle to you, my friend and fellow Vegas pilgrim. While we won't cross paths this summer, we're still in this together, and we'll be back getting yelled at, er, cordially helped by goons soon enough. Hang in there ✊

Chrome Twitter Referrer Wonkiness

This is a story all about how my links got twist-turned upside down 🙃

(Context for non-American readers.)

Last week, Bram Patelski kindly pointed out that the link to Daniel Cuthbert’s Twitter thread on static analysis appeared to be broken.

I did some light testing, and apparently clicking on a link to Twitter on macOS that opens in Chrome fails when that link has been wrapped, for example, by bit.ly or standard email list software. This does not appear to happen for Safari or Firefox on macOS, or Android 🤷

(╯°□°)╯︵ ┻━┻

If you know why this occurs or how to fix it, please let me know.

Sponsor

📢 PentesterLab: Invest in your team!

With PentesterLab PRO enterprise, your team members can quickly learn the latest tricks and vulnerabilities. Like infosec, our content is constantly evolving. We cover the latest attacks as well as providing code review challenges. Our challenges start from very simple bugs and go up to very complex vulnerability chaining. We cover the basics of the OWASP TOP 10 as well as complex challenges on OAuth2, SAML and the latest JWT attacks.

Our reasonable price and flexible licensing allows you to make sure all of your team is up to date and won't miss a bug... So, get a quote now (you don't even need to provide your email address)!

📜 In this newsletter...

🔗 Links:

  • AppSec: Automate threat model -> security test stubs, CTF and hacking practice site megalist, easily share encrypted links

  • Given a Blob, Find the Plaintext: 3 tools to help with making sense of garbled data

  • Web Security: 100X more precise timing attacks, certificate transparency overview, finding the real IP of servers behind WAFs, collection of material on SSRF

  • Cloud Security: How CloudWatch alarms work, detecting "shadow admin" accounts in AWS and Azure, finding secrets in S3 buckets using truffleHog, Amazon Fraud Detector, new automated security controls for AWS Security Hub

  • Container Security: A toolset to do cloud-native chaos engineering on Kubernetes

  • Network Security: A network forensic analysis tool that extracts passwords, builds a network map, and more

  • Red Team: Fuzzing@Home, framework for Frida on Windows, securing red team infra with OPA/conftest

  • Politics / Privacy: Wirecutter's best VPN service for 2020, hackers broke into news sites and planted fake stories, Google peeks at Android data to gain an edge over third-party apps

  • Misc: Lessons learned from doing 60+ technical interviews, Brian Krebs on pursuing a career in security, free book on graph theory, Uber on Domain-Oriented Microservice Architectures

📚 Content Security Policy: Going From Idea to Afterthought

GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.

AppSec

🔥 secmerc/materialize_threats
Super neat tool by Jacob Salassi and the Snowflake team. Given a threat model diagram drawn in draw.io, it parses the exported file into a property graph and stores it in a database. From there, you can answer questions like:

  • What STRIDE based threat classes impact which elements and flows in my diagram?

  • What mitigations & test cases should be considered for this diagram?

materialize_threats can then automatically create a Gherkin feature file with boilerplate scenarios and mitigations, along with remediation tips.

I love this. Anything automating more of the threat modeling process or the creation of security control / integration tests is 💯 in my book. Check out Abhay Bhargav and we45’s ThreatPlaybook for another approach to making threat models concrete via automated security tests.
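To make the pipeline concrete, here is an added example (my own code, not from the materialize_threats repo) that walks a constructed draw.io export through the same three steps: parse the mxGraphModel into nodes and edges, answer the "which STRIDE classes hit which element or flow?" question with the standard STRIDE-per-element table, and emit Gherkin scenario stubs. The shape-to-element-type mapping and the mitigation strings are assumptions for the demo, not the tool's catalogue.

```python
import xml.etree.ElementTree as ET

# Constructed draw.io export (mxGraphModel), not a file from the
# materialize_threats repo: a browser sends requests to a web app that
# queries an orders database.
DRAWIO_XML = """<mxfile><diagram><mxGraphModel><root>
  <mxCell id="0"/><mxCell id="1" parent="0"/>
  <mxCell id="browser" value="Browser" style="rounded=0;whiteSpace=wrap" vertex="1" parent="1"/>
  <mxCell id="webapp" value="Web App" style="ellipse;whiteSpace=wrap" vertex="1" parent="1"/>
  <mxCell id="db" value="Orders DB" style="shape=cylinder3;whiteSpace=wrap" vertex="1" parent="1"/>
  <mxCell id="f1" value="HTTP request" edge="1" parent="1" source="browser" target="webapp"/>
  <mxCell id="f2" value="SQL query" edge="1" parent="1" source="webapp" target="db"/>
</root></mxGraphModel></diagram></mxfile>"""

# Assumption about the diagram's drawing conventions: ellipses are processes,
# cylinders are data stores, anything else is an external entity.
def element_type(style):
    if "ellipse" in style:
        return "process"
    if "cylinder" in style:
        return "datastore"
    return "external"

# STRIDE-per-element (the classic Microsoft SDL mapping) for nodes, plus the
# data-flow row used for edges.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "flow": "TID"}
THREAT_NAME = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
               "I": "Information disclosure", "D": "Denial of service",
               "E": "Elevation of privilege"}
# Illustrative mitigation per threat class (assumed; not the tool's catalogue).
MITIGATION = {"S": "authenticate the peer", "T": "protect integrity (TLS, signatures, validation)",
              "R": "write tamper-evident audit logs", "I": "encrypt and apply least privilege",
              "D": "rate-limit and set resource quotas", "E": "authorize every entry point"}

def parse_diagram(xml_text):
    """Turn the mxGraphModel into a property graph: nodes by id, plus a list of edges."""
    nodes, edges = {}, []
    for cell in ET.fromstring(xml_text).iter("mxCell"):
        if cell.get("vertex") == "1":
            nodes[cell.get("id")] = {"label": cell.get("value", ""),
                                     "type": element_type(cell.get("style", ""))}
        elif cell.get("edge") == "1":
            edges.append({"label": cell.get("value", ""),
                          "source": cell.get("source"), "target": cell.get("target")})
    return nodes, edges

def threats_for(nodes, edges):
    """Answer 'which STRIDE classes impact which elements and flows?'"""
    result = {}
    for node in nodes.values():
        result[node["label"]] = list(STRIDE_PER_ELEMENT[node["type"]])
    for e in edges:
        flow = f"{nodes[e['source']]['label']} -> {nodes[e['target']]['label']} ({e['label']})"
        result[flow] = list(STRIDE_PER_ELEMENT["flow"])
    return result

def to_gherkin(nodes, edges):
    """Emit boilerplate scenarios: one per (element, threat class) pair."""
    lines = ["Feature: Baseline security tests derived from the threat model", ""]
    for element, codes in threats_for(nodes, edges).items():
        for c in codes:
            lines += [f"  Scenario: {THREAT_NAME[c]} against {element}",
                      f"    Given the element \"{element}\"",
                      f"    When an attacker attempts {THREAT_NAME[c].lower()}",
                      f"    Then the mitigation \"{MITIGATION[c]}\" is in place and tested",
                      ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_gherkin(*parse_diagram(DRAWIO_XML)))
```

Running it prints a feature file with two scenarios for the browser (S, R), six for the web app, four for the database and three per flow; the point is that every stub is traceable back to a node or edge in the diagram, so a reviewer can see which threats have no test yet.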

CTF and Hacking Practice Sites
Pretty massive list of hacking challenge sites and CTFs you can play any time, covering a wide variety of topics, from standard web security to reverse engineering, binary exploitation, forensics, and more.

jstrieb/link-lock
“A tool for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock retrieves the original URL and then redirects there. Each encrypted URL is stored entirely within the link generated by the application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups.” H/T Caleb Sima.

Given a Blob, Find the Plaintext

Oftentimes in CTFs (and sometimes in the real world) you have a jumbled blob of data and you need to figure out what’s inside. Recovering the plaintext requires finding the right algorithm, and in many cases running it (and other algorithms) many times.

These tools help with that process.

jobertabma/transformations
This tool by HackerOne co-founder Jobert Abma is similar in spirit to CyberChef but focuses more on web contexts, supporting URL/hex/base64 encoding and decoding, HTML entity escaping, etc.

CyberChef
This tool by GCHQ supports a variety of ciphers, crypto algorithms, encoding/decoding algorithms, and a “magic” mode, in which it attempts to make sense of an unknown blob.

Ciphey/Ciphey
Attempts to detect what encoding or encryption was used and uses a natural language processing module to determine if something is plaintext (and has thus been successfully decoded). Supports various ciphers, base {16|32|64|…}, binary, Morse Code, common hash functions, and more.
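The "run it and other algorithms many times" part is the interesting bit, so here is an added example (my own code, not CyberChef's or Ciphey's) of the core loop: a breadth-first search over chained decoders, stopping when a crude plaintext scorer says the output reads as English. The test blob is constructed in the block (plaintext, rot13, hex, base64) so it runs offline; the word list standing in for Ciphey's language model is an assumption, and real tools use far better scoring.

```python
import base64
import binascii
import codecs
import string
from collections import deque
from urllib.parse import unquote

# Constructed test blob: plaintext -> rot13 -> hex -> base64. It is built here so
# the example runs offline; the search below is not told the recipe.
PLAINTEXT = "the flag is in the database"
BLOB = base64.b64encode(codecs.encode(PLAINTEXT, "rot_13").encode().hex().encode()).decode()

def dec_base64(s):
    return base64.b64decode(s, validate=True).decode("utf-8")

def dec_hex(s):
    return bytes.fromhex(s).decode("utf-8")

def dec_rot13(s):
    return codecs.decode(s, "rot_13")

def dec_url(s):
    out = unquote(s)
    if out == s:
        raise ValueError("no percent-escapes present")
    return out

def dec_binary(s):
    bits = s.replace(" ", "")
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a bit string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("utf-8")

DECODERS = {"base64": dec_base64, "hex": dec_hex, "rot13": dec_rot13,
            "url": dec_url, "binary": dec_binary}

# Tiny stand-in for a language model (assumed): fraction of whitespace-separated
# tokens that are very common English words, zero if anything is unprintable.
COMMON_WORDS = {"the", "a", "an", "and", "is", "are", "to", "of", "in", "on",
                "it", "this", "that", "for", "with", "you", "flag", "password"}

def plaintext_score(text):
    if not text or any(c not in string.printable for c in text):
        return 0.0
    words = [w.strip(string.punctuation) for w in text.lower().split()]
    return sum(w in COMMON_WORDS for w in words) / len(words) if words else 0.0

def search(blob, max_depth=4, threshold=0.3):
    """Breadth-first search over chains of decoders. Returns (plaintext, path)
    for the shortest chain whose output scores as English, or None."""
    queue = deque([(blob, [])])
    seen = {blob}                      # rot13 is its own inverse: avoid cycles
    while queue:
        current, path = queue.popleft()
        if plaintext_score(current) >= threshold:
            return current, path
        if len(path) >= max_depth:
            continue
        for name, decode in DECODERS.items():
            try:
                nxt = decode(current)
            except (ValueError, binascii.Error):   # not valid for this decoder
                continue
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None

if __name__ == "__main__":
    print(search(BLOB))   # ('the flag is in the database', ['base64', 'hex', 'rot13'])
```

Two details matter in practice: decoders must fail loudly on input that is not theirs (base64 with `validate=True`, hex that rejects non-hex characters), or the search drowns in junk; and the plaintext check runs on every node, so a blob that is already readable is returned with an empty path.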

Web Security

Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks
USENIX Security paper by Tom Van Goethem, Christina Pöpper, Wouter Joosen, and Mathy Vanhoef showing how one can exploit the way network protocols handle concurrent requests to mount remote timing side-channel attacks. Because two requests carried in the same packet experience the same network delay, the attacker only observes which response comes back first, and the jitter that normally swamps remote timing cancels out. Their approach allows an attacker to detect differences in execution time as small as 100ns, 100X better granularity than traditional timing attacks over the Internet. They describe how these timing attacks can be successfully deployed against HTTP/2 webservers (PoC), Tor onion services, and EAP-pwd.
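To see why ordering beats absolute timing, here is an added simulation (my own, not the paper's code or numbers) with an assumed noise model: a 100ns secret-dependent difference, 100ns of server-side scheduling noise, and 0.5ms of network jitter. The classic attack measures each request on its own and cannot tell the two paths apart; the "timeless" variant gives both requests the same network delay, as happens when they share one HTTP/2 packet, and the server-side ordering shows through.

```python
import random

random.seed(7)  # reproducible run

# Assumed noise model (nanoseconds); illustrative values, not the paper's.
BASE_NS = 50_000          # baseline server-side processing
DELTA_NS = 100            # extra work on the secret-dependent "slow" path
SERVER_JITTER_NS = 100    # server-side scheduling noise (gaussian sigma)
NET_JITTER_NS = 500_000   # network delay noise per packet (gaussian sigma, 0.5 ms)

def serve(slow):
    """Time the server spends on one request."""
    return BASE_NS + (DELTA_NS if slow else 0) + random.gauss(0, SERVER_JITTER_NS)

def classic_attack(trials):
    """Send the two requests separately; each response carries independent
    network jitter, thousands of times larger than the 100 ns difference.
    Returns the fraction of trials in which the slow path looked slower."""
    wins = 0
    for _ in range(trials):
        t_fast = serve(False) + random.gauss(0, NET_JITTER_NS)
        t_slow = serve(True) + random.gauss(0, NET_JITTER_NS)
        wins += t_slow > t_fast
    return wins / trials

def timeless_attack(trials):
    """Put both requests in one HTTP/2 packet: they reach the server together
    and share the same network delay, so only the server-side order is observed."""
    wins = 0
    for _ in range(trials):
        shared = random.gauss(0, NET_JITTER_NS)   # identical for both, cancels out
        t_fast = serve(False) + shared
        t_slow = serve(True) + shared
        wins += t_slow > t_fast
    return wins / trials

if __name__ == "__main__":
    print("classic :", classic_attack(2000))   # about 0.5, a coin flip
    print("timeless:", timeless_attack(2000))  # well above 0.5
```

With these parameters the classic attacker is right about half the time no matter how many samples they take, while the timeless attacker is right roughly three times out of four per pair and can drive the error down with repetition, which is the whole trick.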

Certificate Transparency: a bird’s-eye view
Excellent overview of how certificate transparency works, how it defends against particular attacks, and how all the pieces fit together, by Chrome security engineer Emily Stark.

A Pentesters Guide - Part 5 (Unmasking WAFs and Finding the Source)
Detailed article by NaviSec Delta's Ben Bidmead on a number of techniques to bypass WAFs by finding the misconfigured origin server behind them. Techniques covered include Cloudflare unmasking and identifying an AWS WAF typically deployed alongside EC2 instances.

jdonsec/AllThingsSSRF
A collection of writeups, cheatsheets, videos, and books related to SSRF in one place, by @jdonsec.

Cloud Security

cyberark/SkyArk: Detect “shadow admin accounts” in AWS and Azure
By Asaf Hecht: Certain (combinations of) seemingly limited cloud permissions can be used by attackers to escalate their privileges. This tool aims to enumerate Azure and AWS accounts with permissions that in reality are quite privileged. blog post | RSA 2020 video 
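The point that "seemingly limited" permissions can add up to admin is easy to test for yourself. Here is an added example (my own code, not SkyArk's) that evaluates constructed IAM policy documents for a handful of escalation-enabling actions, honouring action wildcards and explicit Deny. The action list is an illustrative subset of the well-known AWS escalation paths; resources and conditions are deliberately ignored, which a real scanner cannot afford to do.

```python
import fnmatch

# Illustrative subset of IAM actions known to allow privilege escalation (drawn
# from Rhino Security Labs' AWS privilege-escalation research); SkyArk's own
# catalogue is larger and also covers Azure roles.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion": "publish a new version of an attached policy that grants *:*",
    "iam:SetDefaultPolicyVersion": "roll an attached policy back to a more permissive version",
    "iam:AttachUserPolicy": "attach AdministratorAccess to one's own user",
    "iam:AttachRolePolicy": "attach AdministratorAccess to a role one can assume",
    "iam:PutUserPolicy": "add an inline admin policy to one's own user",
    "iam:AddUserToGroup": "join a group that already has admin rights",
    "iam:CreateAccessKey": "mint access keys for a more privileged user",
    "iam:CreateLoginProfile": "set a console password on a more privileged user",
    "iam:UpdateLoginProfile": "reset a more privileged user's console password",
    "iam:UpdateAssumeRolePolicy": "make a privileged role assumable by oneself",
}

# Constructed policy documents for three principals (not real account data).
PRINCIPALS = {
    # Looks like a harmless support bot, but can rewrite any customer-managed policy.
    "support-bot": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListPolicies", "iam:GetPolicy", "iam:CreatePolicyVersion"],
         "Resource": "*"}]}],
    # Read-only plus a wildcard over iam:Update*, with one action explicitly denied.
    "ops-readonly": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Update*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:UpdateLoginProfile", "Resource": "*"}]}],
    # Genuinely limited.
    "s3-reader": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}],
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policies, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
    Resource ARNs, Conditions and NotAction are ignored here; a real scanner must
    honour them or it will both over- and under-report."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def shadow_admins(principals):
    """Map each principal to the escalation actions it can call; absent == really limited."""
    findings = {}
    for name, docs in principals.items():
        risky = [a for a in ESCALATION_ACTIONS if is_allowed(docs, a)]
        if risky:
            findings[name] = risky
    return findings

if __name__ == "__main__":
    for name, actions in shadow_admins(PRINCIPALS).items():
        for a in actions:
            print(f"{name}: {a} -> {ESCALATION_ACTIONS[a]}")
```

The wildcard case is the one people miss: `iam:Update*` reads like housekeeping, yet it includes `iam:UpdateAssumeRolePolicy`, which lets the holder make any role in the account assumable by themselves.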

An API Worm In The Making: Thousands Of Secrets Found In Open S3 Buckets
After getting a list of public S3 buckets from DNS data and vendors like RiskIQ or GrayhatWarfare, Truffle Security Co. ran the popular secrets-finding tool truffleHog, discovering, as you'd expect, roughly a bajillion types of secrets: cloud API keys, SaaS product keys, credentials, database passwords, etc. An interesting argument the post makes is that many of these yield additional access, like additional S3 buckets (which might have more secrets) or GitHub API keys that let an attacker steal or backdoor source code. See Bucket Brigade in tl;dr sec 45 for how Databricks secures their S3 buckets.

Amazon Fraud Detector is now Generally Available
“A fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts.”

AWS Security Hub launches new automated security controls
Seven new automated security controls, which seem to be things you should generally do.

  1. S3 buckets should require requests to use Secure Socket Layer

  2. Amazon SageMaker notebook instances should not have direct internet access

  3. AWS Database Migration Service replication instances should not be public

  4. EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

  5. Auto Scaling groups associated with a load balancer should use load balancer health checks

  6. Stopped EC2 instances should be removed after a specified time period

  7. VPC flow logging should be enabled in all VPCs.

Container Security

litmuschaos/litmus
“Litmus is a toolset to do cloud-native chaos engineering. Litmus provides tools to orchestrate chaos on Kubernetes to help SREs find weaknesses in their deployments.” Sidenote: “Chaos Engineer” would be a badass title to have on a business card.

Network Security

odedshimon/BruteShark
By Oded Shimon: A Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute force attack.

Red Team

Fuzzcoin: Fuzzing@Home
Share your spare computing power to fuzz. Borrows the proof-of-work concept from Bitcoin.

Winstrument: An Instrumentation Framework for Windows Application Assessments
Built on Frida, helpful for reversing Windows apps & assessing their attack surface. Features include: viewing files read/written, registry reads/writes, socket activity, child processes spawned, system calls to named pipes, and more. Also gives you a REPL.

trailofbits/ebpfpub
A generic function tracing library for Linux that supports tracepoints, kprobes and uprobes. Recently added examples: SocketMonitor and execsnoop.

Leveraging DevSecOps Practices to Secure Red Team Infrastructure
Praetorian’s Jesse Somerville describes how they build repeatable red team infrastructure with Terraform, and then make sure it’s properly hardened using OPA/conftest. (Sidenote: pretty neat to see how OPA and/or conftest are being applied in a number of domains.) Conftest is used to ensure that strict ingress and egress controls are maintained through the environment, the right software and versions are used, and how data is handled.

Politics / Privacy

Best VPN Service 2020
Review by Wirecutter. Winners: Mullvad and IVPN.

Hackers Broke Into Real News Sites to Plant Fake Stories
Not content to just propagate fake news on social media, (probably) Russian hackers are taking fake news up to 11 by hacking into content management systems of Eastern European media outlets, planting negative stories about the U.S. and NATO, and then sharing/linking to those stories on other sites. Wow.

Google reportedly peeks into Android data to gain edge over third-party apps
Similar to how Facebook purportedly used Onavo, the VPN app it bought, to measure the popularity of other apps and then acquire or launch rival services. Honestly, attempts at competitive intelligence like this seem unsurprising 🤷

Misc

What I Learned from Doing 60+ Technical Interviews in 30 Days
Uduak ‘Eren shares 13 lessons he learned from his failures and successes doing many interviews for software engineering roles.

Introducing Domain-Oriented Microservice Architecture
For some reason, this post has been pulled from the Uber engineering blog. Well, here’s a snippet (thanks Pocket!):

The core principles and terminology associated with DOMA are as follows:

  • Instead of orienting around single microservices, we oriented around collections of related microservices. We call these domains.

  • We further create collections of domains which we call layers. The layer that the domain belongs to establishes what dependencies the microservices within that domain are allowed to take on. We call this layer design.

  • We provide clean interfaces for domains that we treat as a single point of entry into the collection. We call these gateways.

  • Finally, we establish that each domain should be agnostic to other domains, which is to say, a domain shouldn’t have logic related to another domain hard coded inside of its code base or data models. Since frequently teams do need to include logic in another team’s domain (for example, custom validation logic or some meta context on a data model), we provide an extension architecture to support well defined extension points within the domain.

📚 Content Security Policy: Going From Idea to Afterthought

I enjoyed GitHub security engineer Neil Matatall's talk at A Midsummer Night's Con, so I decided to share my notes.

The event was hosted by Absolute AppSec, which is a nice AppSec-focused podcast by my buds Seth Law and Ken Johnson, who also teach a fun Bill and Ted-themed code review training at conferences.

In this talk, Neil gives an overview of Content Security Policy (CSP): how it works, how to go from no CSP to a solid CSP, and an explanation of strategies to create an effective and dynamic policy including code samples taken directly from the GitHub codebase.

Check out my summary here.
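As an added, self-contained illustration of the "no CSP to solid CSP" arc (my own code, not Neil's or GitHub's): a per-response nonce, a nonce-plus-'strict-dynamic' policy that can be shipped as Report-Only first and enforced later, and a small audit function that flags the weaknesses a reviewer looks for in an existing header. The header name switch and the audit rules are my choices; the directive semantics (object-src falls back to default-src, base-uri does not, CSP3 browsers ignore 'unsafe-inline' once a nonce is present) are standard.

```python
import base64
import secrets

def new_nonce():
    """Fresh per-response nonce (16 random bytes, base64) so individual inline
    scripts can be allowed without 'unsafe-inline'."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def build_policy(nonce, report_uri="/csp-report"):
    """Nonce + 'strict-dynamic' policy. 'unsafe-inline' and https: are fallbacks
    that CSP3 browsers ignore when a nonce is present; older browsers use them."""
    return {
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'", "https:", "'unsafe-inline'"],
        "object-src": ["'none'"],
        "base-uri": ["'none'"],
        "report-uri": [report_uri],   # assumed endpoint that collects violation reports
    }

def serialize_csp(policy):
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def parse_csp(header):
    """Split a header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_header(nonce, enforce):
    """Rollout: ship Report-Only first, read the reports, then flip to enforcing."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, serialize_csp(build_policy(nonce))

def audit_csp(header):
    """Weaknesses a reviewer would flag; an empty list means the policy holds up."""
    p = parse_csp(header)
    findings = []
    script = p.get("script-src", p.get("default-src"))   # script-src falls back to default-src
    if script is None:
        findings.append("no script-src (and no default-src fallback): scripts load from anywhere")
    else:
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script)
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append("'unsafe-inline' without a nonce or hash: injected inline scripts run")
        if "'strict-dynamic'" not in script and any(s in ("*", "http:", "https:") for s in script):
            findings.append("script-src allows any host: attacker-hosted scripts load")
        if "'unsafe-eval'" in script:
            findings.append("'unsafe-eval' permits string-to-code execution")
    if p.get("object-src", p.get("default-src")) != ["'none'"]:   # object-src falls back too
        findings.append("object-src is not 'none': plugins can execute script")
    if "base-uri" not in p:                                        # base-uri has no fallback
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings

if __name__ == "__main__":
    print(audit_csp("default-src 'self'; script-src 'self' 'unsafe-inline' https:"))
    name, value = csp_header(new_nonce(), enforce=False)
    print(f"{name}: {value}")
    print(audit_csp(value))   # []
```

The weak policy in the `__main__` block is the "we have a CSP" stage many sites stop at: it has a header, but 'unsafe-inline' without a nonce means an injected `<script>` still runs, and the missing object-src and base-uri leave two more ways in. The nonce must be regenerated for every response; reusing one turns it into a static allowlist entry.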

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint