- tl;dr sec
- Posts
- [tl;dr sec] #46 - Grokking CSP, Automating Threat Model ➡️ Security Tests, Unknown Blob ➡️ Plaintext
[tl;dr sec] #46 - Grokking CSP, Automating Threat Model ➡️ Security Tests, Unknown Blob ➡️ Plaintext
How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.
Hey there,
I hope you’re been doing well.
It’s strange being in my house this time of year.
Usually I’m joining the pilgrimage of security professionals around the world to the Nevada desert, where thousands of mohawk bearing, piercing wearing, hackers in black t-shirts manifest the hacker version of Fear and Self-Loathing in Las Vegas for one beautiful, and mercifully short, week a year.
Every year I look forward to it. Every year I have a blast catching up with friends and making new ones. Every year I feel like it’s a bit much, but I inevitably come back again.
I tip my steam punk monocle to you, my friend and fellow Vegas pilgrim. While we won’t cross paths this summer, we’re still in this together, and we’ll be back getting yelled at cordially helped by goons soon enough. Hang in there ✊
Chrome Twitter Referrer Wonkiness
This is a storyall about howmy links got twist-turned, upside down 🙃
(Context for non American readers.)
Last week, Bram Patelski kindly pointed out that the link to Daniel Cuthbert’s Twitter thread on static analysis appeared to be broken.
I did some light testing, and apparently clicking on a link to Twitter on macOS that opens in Chrome fails when that link has been wrapped, for example, by bit.ly or standard email list software. This does not appear to happen for Safari or Firefox on macOS, or Android 🤷
(╯°□°)╯︵ ┻━┻
If you know why this occurs or how to fix it, please let me know.
Sponsor
📢 PentesterLab: Invest in your team!
With PentesterLab PRO enterprise, your team members can quickly learn the latest tricks and vulnerabilities. Like infosec, our content is constantly evolving. We cover the latest attacks as well as providing code review challenges. Our challenges start from very simple bugs and go up to very complex vulnerability chaining. We cover the basics of the OWASP TOP 10 as well as complex challenges on OAuth2, SAML and the latest JWT attacks.
Our reasonable price and flexible licensing allows you to make sure all of your team is up to date and won't miss a bug... So, get a quote now (you don't even need to provide your email address)!
📜 In this newsletter...
🔗 Links:
AppSec: Automate threat model -> security test stubs, CTF and hacking practice site megalist, easily share encrypted links
Given a Blob, Find the Plaintext: 3 tools to help with making sense of garbled data
Web Security: 100X more precise timing attacks, certificate transparency overview, finding the real IP of servers behind WAFs, collection of material on SSRF
Cloud Security: How CloudWatch alarms wrok, detecting "shadow admin" accounts in AWS and Azure, finding secrets in S3 buckets using truffleHog, Amazon Fraud Detector, new automated security controls for AWS Security Hub
Container Security: A toolset to do cloud-native chaos engineering on Kubernetes
Network Security: A network forensic analysis tool that extract passwords, build a network map, and more
Red Team: Fuzzing@Home, framework for Frida on Windows, securing red team infra with OPA/conftest
Politics / Privacy: Wirecutter's best VPN service for 2020, hackers broke into news sites and planted fake stories, Google peeps on Android data to gain edge over third-party apps
Misc: Lessons learned from doing 60+ technical interviews, Brian Krebs on pursuing a career in security, free book on graph theory, Uber on Domain-Oriented Microservice Architectures
📚 Content Security Policy: Going From Idea to Afterthought
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
AppSec
🔥 secmerc/materialize_threats
Super neat tool by Jacob Salassi and the Snowflake team. Given a threat model diagram drawn using draw.io, parse the exported file into a property graph and store it in a database. From there, you can answer questions like:
What STRIDE based threat classes impact which elements and flows in my diagram?
What mitigations & test cases should be considered for this diagram?
materialize_threats
can then automatically create a Gherkin feature file with boilerplate scenarios and mitigations, along with remediation tips.
I love this. Anything automating more of the threat modeling process or the creation of security control / integration tests is 💯 in my book. Check out Abhay Bhargav and we45’s ThreatPlaybook for another approach to making threat models concrete via automated security tests.
CTF and Hacking Practice Sites
Pretty massive list of hacking challenge sites and CTFs you can play any time, covering a wide variety of topics, from standard web security to reverse engineering, binary exploitation, forensics, and more.
jstrieb/link-lock
“A tool for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock retrieves the original URL and then redirects there. Each encrypted URL is stored entirely within the link generated by the application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups.” H/T Caleb Sima.
Given a Blob, Find the Plaintext
Oftentimes in CTFs (and sometimes in the real world) you have a jumbled blob of data and you need to figure out what’s inside. Recovering the plaintext requires finding the right algorithm, and in many cases running it (and other algorithms) many times.
These tools help with that process.
jobertabma/transformations
This tool by HackerOne co-founder Jobert Abma is similar but focuses more on web contexts, supporting URL/hex/base64 encoding and decoding, HTML entity escaping, etc.
CyberChef
This tool by GCHQ supports a variety of ciphers, crypto algorithms, encoding/decoding algorithms, and a “magic” mode, in which it attempts to make sense of an unknown blob.
Ciphey/Ciphey
Attempts to detect what encoding or encryption was used and uses a natural language processing module to determine if something is plaintext (and has thus been successfully decoded). Supports various ciphers, base {16|32|64|…}, binary, Morse Code, common hash functions, and more.
Web Security
Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks
Usenix paper by Tom Van Goethem, Christina Pöpper, Wouter Joosen, and Mathy Vanhoef showing how one can exploit how network protocols handle concurrent requests to do remote timing side-channel attacks. Their approach allows an attacker to detect differences in execution time as small as 100ns, 100X better granularity than traditional timing attacks over the Internet. They describe how these timing attacks can be successfully deployed against HTTP/2 webservers (PoC), Tor onion services, and EAP-pwd.
Certificate Transparency: a bird’s-eye view
Excellent overview of how certificate transparency works, how it defends against particular attacks, and how all the pieces fit together, by Chrome security engineer Emily Stark.
A Pentesters Guide - Part 5 (Unmasking WAFs and Finding the Source)
Detailed article by NaviSec Delta’s Ben Bidmead on a number of techniques to bypass WAFs by identifying a misconfigured underlying server. Techniques covered include CloudFlare unmasking and identifying an AWS WAF typically deployed alongside EC2 instances.
jdonsec/AllThingsSSRF
A collection of writeups, cheatsheets, videos, and books related to SSRF in one place, by @jdonsec.
Cloud Security
cyberark/SkyArk: Detect “shadow admin accounts” in AWS and Azure
By Asaf Hecht: Certain (combinations of) seemingly limited cloud permissions can be used by attackers to escalate their privileges. This tool aims to enumerate Azure and AWS accounts with permissions that in reality are quite privileged. blog post | RSA 2020 video
An API Worm In The Making: Thousands Of Secrets Found In Open S3 Buckets
After getting a list of public S3 buckets from DNS info from vendors like RiskIQ or grayhatwarefare, Truffle Security Co. ran the popular secrets finding tool truffleHog, discovering, as you’d expect roughly a bajillion types of secrets, ranging from cloud API keys, SaaS product keys, credentials, database passwords, etc. An interesting argument the post makes is that many of these yield additional access - like additional S3 buckets (which might have more secrets), GitHub API keys, enabling an attacker to steal or backdoor source code, etc. See Bucket Brigade in tl;dr sec 45 for how Databricks secures their S3 buckets.
Amazon Fraud Detector is now Generally Available
“A fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts.”
AWS Security Hub launches new automated security controls
Seven new automated security controls, which seem to be things you should generally do.
S3 buckets should require requests to use Secure Socket Layer
Amazon SageMaker notebook instances should not have direct internet access
AWS Database Migration Service replication instances should not be public
EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
AWS Auto scaling groups associated with a load balancer should use load balancer health checks
Stopped EC2 instances should be removed after a specified time period
VPC flow logging should be enabled in all VPCs.
Container Security
litmuschaos/litmus
“Litmus is a toolset to do cloud-native chaos engineering. Litmus provides tools to orchestrate chaos on Kubernetes to help SREs find weaknesses in their deployments.” Sidenote: “Chaos Engineer” would be a badass title to have on a business card.
Network Security
odedshimon/BruteShark
By Oded Shimon: A Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute force attack.
Red Team
Fuzzcoin: Fuzzing
@HomeShare your spare computing power to fuzz. Borrows the proof-of-work concept from BitCoin.
Winstrument: An Instrumentation Framework for Windows Application Assessments
Built on Frida, helpful for reversing Windows apps & assessing their attack surface. Features include: viewing files read/written, registry reads/writes, socket activity, child processes spawned, system calls to named pipes, and more. Also gives you a REPL.
trailofbits/ebpfpub
A generic function tracing library for Linux that supports tracepoints, kprobes and uprobes. Recently added examples: SocketMonitor and execsnoop.
Leveraging DevSecOps Practices to Secure Red Team Infrastructure
Praetorian’s Jesse Somerville describes how they build repeatable red team infrastructure with Terraform, and then make sure it’s properly hardened using OPA/conftest. (Sidenote: pretty neat to see how OPA and/or conftest are being applied in a number of domains.) Conftest is used to ensure that strict ingress and egress controls are maintained through the environment, the right software and versions are used, and how data is handled.
Politics / Privacy
Best VPN Service 2020
Review by Wirecutter. Winners: Mullvad and IVPN.
Hackers Broke Into Real News Sites to Plant Fake Stories
Not content to just propagate fake news on social media, (probably) Russian hackers are taking fake news up to 11 by hacking into content management systems of Eastern European media outlets, planting negative stories about the U.S. and NATO, and then sharing/linking to those stories on other sites. Wow.
Google reportedly peeks into Android data to gain edge over third-party apps
Similar to how Facebook was purportedly using the VPN app they bought, Onavo to determine the popularity of other apps, to either acquire or launch rival services. Honestly, attempts to pursue competitive intelligence like this seems unsurprising 🤷
Misc
What I Learned from Doing 60+ Technical Interviews in 30 Days
Uduak ‘Eren shares 13 lessons he learned from his failures and successes doing many interviews for software engineering roles.
Introducing Domain-Oriented Microservice Architecture
For some reason, this post has been pulled from the Uber engineering blog. Well, here’s a snippet (thanks Pocket!):
The core principles and terminology associated with DOMA are as follows:
Instead of orienting around single microservices, we oriented around collections of related microservices. We call these domains.
We further create collections of domains which we call layers. The layer that the domain belongs to establishes what dependencies the microservices within that domain are allowed to take on. We call this layer design.
We provide clean interfaces for domains that we treat as a single point of entry into the collection. We call these gateways.
Finally, we establish that each domain should be agnostic to other domains, which is to say, a domain shouldn’t have logic related to another domain hard coded inside of its code base or data models. Since frequently teams do need to include logic in another team’s domain (for example, custom validation logic or some meta context on a data model), we provide an extension architecture to support well defined extension points within the domain.
I enjoyed GitHub security engineer Neil Matatall’s talk at A Midsummer Night’s Con, so I decided to share my notes.
The event was hosted by Absolute AppSec, which is a nice AppSec-focused podcast by my buds Seth Law and Ken Johnson, who also teach a fun Bill and Ted-themed code review training at conferences.
In this talk, Neil gives an overview of Content Security Policy (CSP): how it works, how to go from no CSP to a solid CSP, and an explanation of strategies to create an effective and dynamic policy including code samples taken directly from the GitHub codebase.
Check out my summary here.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
🙏
Thanks for reading!
Cheers,
Clint