
[tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models

Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHub's threat modeling process.

Hey there,

I hope you’ve been doing well!

🔥 End of Days 🔥

Yesterday I woke up, walked to my computer and thought, “Wait, is it Daylight Savings Time or something?” Why? Because it was 9am and still dark outside.

But not just dark, a weird, orange-y red-ish dark, like the sky in a post-apocalyptic TV show or movie. Due to the high temperatures in the Bay Area and West Coast in general over the weekend, there are more and bigger fires, leading to much of the West Coast being covered in ash, like what happened to the dinosaurs, but for tech bros.

Here’s a photo from Doug Lawrence:

You can also see some videos and articles from this Twitter thread: Wildfires rage across the entire West Coast of the US.

Sponsor

📢 Jobs @ Praetorian

If you occasionally dream in code and your vocation is your avocation, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.

One thing that’s cool about Praetorian is that like Netflix, they have a public culture guide, that discusses their values, culture, onboarding info, a reading list, and more.

📜 In this newsletter...

🔗 Links:

  • Threat Modeling: How GitHub does threat modeling

  • AppSec: A big collection of InfoSec resources, testing the security of CVE scanners

  • Web Security: Manipulate JavaScript like Neo in the Matrix, 30 bug bounty reports for New Relic

  • Cloud Security: The code that deploys GOV.UK in AWS, a collection of Lambda middleware, how to use trust policies with IAM roles, continuously monitoring your cloud environment and alerting on drift

  • Container Security: K8s YAML generator, privilege escalation in EKS by compromising the instance role of worker nodes

  • Blue Team: One click DFIR forensics lab in GCP

  • Fuzzing: JS engine fuzzing and exploitation reading list, finding JS engine bugs with Fuzzilli

  • Red Team: Go from CTF white belt to yellow belt with pwn.college, malware development in Golang + dynamic module loading, distribute O365 password spraying

  • Politics / Privacy: A newsletter on Chinese politics, a deepfake detection tool by Microsoft, U.S. voter records leaked on Russian dark web forum, evading censorship server-side without client participation

  • OSINT: Write-up on using Axiom, domain name enumeration library in Rust

  • Misc: Creating a self-powered wireless keyboard on a simple piece of paper

  • Twitter: Daniel Miessler on the future of media and creators

Threat Modeling

  • How often: GitHub integrates threat modeling with the existing cadence of software reviews, and before the release of any new feature that makes major architectural changes. In practice this ranges from every couple of months to once per year, depending on how much engineering is taking place on a feature.

  • Beforehand: Engineering teams generate a model in advance using either Microsoft’s Threat Modeling Tool or OWASP’s Threat Dragon. Having these artifacts helps make the most of meeting time and is useful for security compliance requirements later.

  • Threat modeling session: 1 hour session, first 5-10 minutes is spent understanding the design of the system and clarifying any ambiguities. The rest of the time is spent thinking through different threats using Microsoft’s STRIDE.

  • Potential security vulnerabilities and design flaws as well as potential remediations are noted, and included in a summary sent out after the meeting.

AppSec

rmusser01/Infosec_Reference
Pretty massive collection of InfoSec resources, with at least a few links in most any category you can think of, by Robert Musser. See the info rendered nicely here.

Testing docker CVE scanners. Part 2.5 — Exploiting CVE scanners
Gábor Matuz has a nice series on evaluating the performance of CVE scanners. In this post, he examines their security posture, how the owning companies respond to disclosures, and more.

Web Security

🔥 Hackium: a browser for web hackers
Super cool DEF CON 2020 AppSec Village talk and tool release by Jarrod Overson. Hackium lets you control your browser via a REPL or script (it uses Puppeteer), makes mouse and typing events look human by adding randomness and jitter, can be hooked up to CAPTCHA-solving services, and lets you share your automation or testing of a site as scripts. Jarrod also released:

  • shift-interpreter, a meta-interpreter that can evaluate JavaScript piecemeal (for example, to automatically run a deobfuscation routine).

  • shift-refactor, which enables easier transformation of JavaScript by operating at the AST level.

30 Bug Bounty Reports for New Relic
Bugs found by Jon Bottarini, including IDOR, XSS, information disclosure, and more.

Cloud Security

alphagov/govuk-aws
The code that deploys GOV.UK in AWS.

lambda-middleware
By Daniel Bartholomae: A collection of middleware for AWS lambda functions, including ones for JWT auth, automatically adding CORS headers, error handling, and more.

How to use trust policies with IAM roles 
Detailed post covering topics including: managing access to IAM roles, an example simple trust policy, using the Principal attribute to reduce scope, using identity federation on AWS, using the Condition attribute in a trust policy to reduce scope, limiting role use based on an identifier, limiting role use based on MFA, time, IP address or CIDR range, limiting role use based on tags, limiting or extending access to a role based on AWS org, and role chaining.

Tracking Moving Clouds: How to continuously track cloud assets with Cartography
Great post by Marco Lancini on continuously monitoring your cloud assets using Cartography (tool by Lyft to represent your cloud and other assets as a graph in Neo4J) and alerting on any instance of drift. Dashboards are created in Kibana and alerting to Slack and Jira is done via Elastalert. Marco has also released accompanying code for the ingestor, Kibana dashboards, Elastic Transforms, and Elastalert rules.

Container Security

Kubernetes YAML Generator
A web app that lets you select Kubernetes options and see the corresponding YAML.

Privilege Escalation in AWS Elastic Kubernetes Service by compromising the instance role of worker nodes
By Christophe Tafani-Dereeper: “In this post, we discuss the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, we demonstrate that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked.”
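One way to do the "explicitly blocked" part from the cluster side is a Kubernetes NetworkPolicy that denies pod egress to the Instance Metadata address. This is an added example, not code from Christophe's post; it assumes the cluster runs a CNI that enforces NetworkPolicy (the default EKS VPC CNI does not without an add-on such as Calico), and the namespace name is a placeholder.

```yaml
# Constructed example: deny every pod in the namespace egress to the
# EC2 Instance Metadata Service (169.254.169.254) while allowing all
# other egress. Requires a NetworkPolicy-enforcing CNI on the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-imds-egress
  namespace: example-app        # placeholder: apply per workload namespace
spec:
  podSelector: {}               # empty selector = every pod in the namespace
  policyTypes:
    - Egress                    # only egress is restricted; ingress is untouched
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0     # everything else stays reachable...
            except:
              - 169.254.169.254/32   # ...except the IMDS endpoint
```

Pods that legitimately need AWS credentials should get them through a pod-scoped mechanism rather than the node's instance role, so that this policy does not break them.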

Blue Team

One Click Forensics Lab in the Cloud
How to deploy a DFIR forensics lab with one script on GCP, by Jason Alvarez. TIL about REMnux, a Linux toolkit for malware analysis, and T-Pot, which runs a dozen honeypots and aggregates all of the data into an ELK stack for analysis and visualization.

The forensics lab architecture

T-Pot screenshot

Fuzzing

JavaScript Engine Fuzzing and Exploitation Reading List
Conference talks and articles to get you up to speed with browser vulnerability research and exploitation, by Zon8 Research.

Fuzzing JavaScript Engines with Fuzzilli
Doyensec’s Norbert Szetei describes fuzzing JS engines first with Dharma and then Fuzzilli. They were able to identify multiple bugs over the course of four weeks.

Red Team

pwn.college
Yan Shoshitaishvili and Connor Nelson have open sourced the contents of their Computer Systems Security course at ASU: the lecture slides/videos and corresponding challenges. The course is designed to get newcomers to a basic level of proficiency for CTFs and wargames, covering topics like privilege escalation, shellcode, sandboxing, reverse engineering, ROP, and more.

Malware Development Pt. 1: Dynamic Module Loading in Go
Dwight Hohnstein describes a malware development model in Golang in which modules (capabilities) are dynamically loaded, so if an agent gets detected, only the capabilities in memory are burned. This separation of concerns also enables easier parallel development of features. Sources: librarian, gosharedlib.

blacklanternsecurity/TREVORspray
By @thetechr0mancer: “Microsoft is getting better and better about blocking password spraying attacks against O365. TREVORspray can solve this by proxying its requests through an unlimited number of --ssh hosts. Based on MSOLSpray which uses the Microsoft Graph API.”

Politics / Privacy

Sinocism
A newsletter by Bill Bishop, an expert on Chinese politics. H/T Robert Musser 

Deepfake detection tool unveiled by Microsoft
The tool, Reality Defender 2020, will only be accessible to news publishers and political campaigns. Interestingly, Microsoft is also partnering with media orgs to put fingerprints in media’s metadata that will make it easy to detect if it’s been manipulated. I like this approach, as it seems more feasible than building an algorithm that can detect every deepfake.

Details of millions of U.S. Voters leaked to Russia’s Dark Web forum
7.6 million voters in Michigan, 2-6 million from Connecticut, Arkansas, Florida and North Carolina. Leaked records include names, dates of birth, gender, dates of voter registration, addresses, zip codes, e-mails, voter registration numbers and polling station numbers. Also:

“The Rewards for Justice program became widely known in the summer; in early August, Znak.com reported that Russians began to receive SMS messages from the State Department with an offer for a reward of up to $ 10 million to detail the facts of foreign interference in the American elections.”

Evading Censorship from the Server-side
“Using our tool Geneva, we have discovered how to circumvent censorship from the server-side: with no client participation whatsoever. This opens up new avenues for helping people evade censorship, even if they didn’t realize they were being censored in the first place. Geneva (Genetic Evasion) is a genetic algorithm we developed that discovers censorship evasion strategies against a censor. It defeats censorship by manipulating the packet stream to confuse the censor without impacting the underlying connection. We added plugins to train with DNS-over-TCP, FTP, HTTPS, and SMTP.” source code

OSINT

Axiom: It Kinda Feels Like Cheating
Nice overview post by Adam Svoboda of Ben Bidmead’s axiom project, on automating and orchestrating your recon workflow. See also, my summary of Daniel Miessler’s Red Team Village talk: Mechanizing the Methodology.

Twistrs — Domain name enumeration library in Rust
Juxhin Brigjaj describes Twistrs (source), a domain name permutation and enumeration library written in Rust. The meaty design and implementation sections in the blog post are pretty interesting.

Misc

With a Simple Piece of Paper, Engineers Create Self-Powered, Wireless Keyboard
This week, on holy @#$&^ science is awesome: “Engineers at Purdue University have developed a printing process that can turn an ordinary sheet of paper into a Bluetooth-connected, self-powered, wireless, interactive keyboard or keypad. The layers are constructed to be triboelectric, meaning friction generates its electricity. Essentially, each time a “key” is pressed, energy is produced, so the paper-based tablet is totally self-powered.”

Twitter

I think the next form of media group will be loose collections of like-minded individual creators, whose content is curated and amplified using that group’s shared brand.

Example:

“Subscribe to Time Travelers: A group of individual thinkers who write about the future of tech…”

So it’s actually a set of creators (influencers in today’s parlance) who have a shared set of interests, and a few of them decide to set up the shared brand.

That way people can subscribe to the individual people, or to the brand.

Eventually, after some of these become large enough, when you subscribe to one—say about the future of tech—you’re essentially subscribing to a newspaper in the sense that:

1. You have vetting through curation of the writers

2. You get the advantage of many writers


✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint