- tl;dr sec
- [tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models
[tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models
I hope you’ve been doing well!
🔥 End of Days 🔥
Yesterday I woke up, walked to my computer and thought, “Wait, is it Daylight Savings Time or something?” Why? Because it was 9am and still dark outside.
But not just dark, a weird, orange-y red-ish dark, like the sky in a post-apocalyptic TV show or movie. Due to the high temperatures in the Bay Area and West Coast in general over the weekend, there are more and bigger fires, leading to much of the West Coast being covered in ash, like what happened to the dinosaurs, but for tech bros.
Here’s a photo from Doug Lawrence:
You can also see some videos and articles from this Twitter thread: Wildfires rage across the entire West Coast of the US.
📢 Jobs @ Praetorian
If you occasionally dream in code and your vocation is your avocation, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.
One thing that’s cool about Praetorian is that like Netflix, they have a public culture guide, that discusses their values, culture, onboarding info, a reading list, and more.
📜 In this newsletter...
Threat Modeling: How GitHub does threat modeling
AppSec: A big collection of InfoSec resources, testing the security of CVE scanners
Cloud Security: The code that deploys GOV.UK in AWS, a collection of Lambda middleware, how to use trust policies with IAM roles, continuously monitoring your cloud environment and alerting on drift
Container Security: K8s YAML generator, privilege escalation in EKS by compromising the instance role of worker nodes
Blue Team: One click DFIR forensics lab in GCP
Fuzzing: JS engine fuzzing and exploitation reading list, finding JS engine bugs with Fuzzilli
Red Team: Go from CTF white belt to yellow belt with pwn.college, malware development in Golang + dynamic module loading, distribute O365 password spraying
Politics / Privacy: A newsletter on Chinese politics, a deepfake detection tool by Microsoft, U.S. voter records leaked on Russian dark web forum, evading censorship server-side without client participation
OSINT: Write-up on using Axiom, domain name enumeration library in Rust
Misc: Creating a self-powered wireless keyboard on a simple piece of paper
Twitter: Daniel Miessler on the future of media and creators
How often: they integrate TMing with the existing cadence of software reviews, and before the release of any new features that make major architectural changes, usually ranging from every couple of months to once per year, depending on the amount of engineering taking place on a feature.
Beforehand: Engineering teams generate a model in advance using either Microsoft’s Threat Modeling Tool or OWASP’s Threat Dragon. Having these artifacts helps make the most of meeting time and is useful for security compliance requirements later.
Threat modeling session: 1 hour session, first 5-10 minutes is spent understanding the design of the system and clarifying any ambiguities. The rest of the time is spent thinking through different threats using Microsoft’s STRIDE.
Potential security vulnerabilities and design flaws as well as potential remediations are noted, and included in a summary sent out after the meeting.
Testing docker CVE scanners. Part 2.5 — Exploiting CVE
scanners Gábor Matuz has a nice series on evaluating the performance of CVE scanners. In this post, he examines their security posture, how the owning companies respond to disclosures, and more.
🔥 Hackium: a browser for web hackers
Super cool DEF CON 2020 AppSec Village talk and tool release by Jarrod Overson. Hackium allows you to easily control your browser via a REPL or script (uses Puppeteer), makes mouse/typing events look human by adding randomness and jitter, you can easily hook it up to CAPTCHA-solving services, and allows you to easily share your automation or testing of a site via scripts. Jarrod also released:
The code that deploys GOV.UK in AWS.
How to use trust policies with IAM roles
Detailed post covering topics including: managing access to IAM roles, an example simple trust policy, using the Principal attribute to reduce scope, using identify federation on AWS, using the Condition attribute in a trust policy to reduce scope, limiting role use based on an identifier, limiting role use based on MFA, time, IP address or CIDR range, limiting role use based on tags, limiting or extending access to a role based on AWS org, and role chaining.
Tracking Moving Clouds: How to continuously track cloud assets with Cartography
Great post by Marco Lancini on continuously monitoring your cloud assets using Cartography (tool by Lyft to represent your cloud and other assets as a graph in Neo4J) and alerting on any instance of drift. Dashboards are created in Kibana and alerting to Slack and Jira is done via Elastalert. Marco has also released accompanying code for the ingestor, Kibana dashboards, Elastic Transforms, and Elastalert rules.
Kubernetes YAML Generator
A web app that lets you select Kubernetes options and see the corresponding YAML.
Privilege Escalation in AWS Elastic Kubernetes Service by compromising the instance role of worker nodes
By Christophe Tafani-Dereeper: “In this post, we discuss the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, we demonstrate that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked.”
One Click Forensics Lab in the CloudHow to deploy a DFIR forensics lab with one script on GCP, by Jason Alvarez. TIL about REMnux, a Linux toolkit fo rmalware analysis, and T-Pot, which runs a dozen honeypots and aggregates all of the data into an ELK stack for analysis and visualization.
The forensics lab architecture
Conference talks and articles to get you up to speed with browser vulnerability research and exploitation, by Zon8 Research.
Doyensec’s Norbert Szetei describes fuzzing JS engines first with Dharma and then Fuzzilli. They were able to identify multiple bugs over the course of four weeks.
Yan Shoshitaishvili and Connor Nelson have open sourced the contents for their for their Computer Systems Security course at ASU - the lecture slides/ videos and corresponding challenges. The course is designed to get newcomers at a basic level of proficiency for CTFs and wargames, covering topics like privilege escalation, shellcode, sandboxing, reverse engineering, ROP, and more.
Malware Development Pt. 1: Dynamic Module Loading in Go
Dwight Hohnstein describes a malware development model in Golang in which modules (capabilities) are dynamically loaded, so if an agent gets detected, only the capabilities in memory are burned. This separation of concerns also enables easier parallel development of features. Sources: librarian, gosharedlib.
By @thetechr0mancer: “Microsoft is getting better and better about blocking password spraying attacks against O365. TREVORspray can solve this by proxying its requests through an unlimited number of --ssh hosts. Based on MSOLSpray which uses the Microsoft Graph API.
Politics / Privacy
Deepfake detection tool unveiled by Microsoft
The tool, Reality Defender 2020, will only be accessible to news publishers and political campaigns. Interestingly, Microsoft is also partnering with media orgs to put fingerprints in media’s metadata that will make it easy to detect if it’s been manipulated. I like this approach, as it seems more feasible than building an algorithm that can detect every deepfake.
Details of millions of U.S. Voters leaked to Russia’s Dark Web forum
7.6 million voters in Michigan, 2-6 million from Connecticut, Arkansas, Florida and North Carolina. Leaked records include names, dates of birth, gender, dates of voter registration, addresses, zip codes, e-mails, voter registration numbers and polling station numbers. Also:
Evading Censorship from the Server-side
“Using our tool Geneva, we have discovered how to circumvent censorship from the server-side: with no client participation whatsoever. This opens up new avenues for helping people evade censorship, even if they didn’t realize they were being censored in the first place. Geneva (Genetic Evasion) is a genetic algorithm we developed that discovers censorship evasion strategies against a censor. It defeats censorship by manipulating the packet stream to confuse the censor without impacting the underlying connection. We added plugins to train with DNS-over-TCP, FTP, HTTPS, and SMTP.” source code
Axiom: It Kinda Feels Like Cheating
Nice overview post by Adam Svoboda of Ben Bidmead’s axiom project, on automating and orchestrating your recon workflow. See also, my summary of Daniel Miessler’s Red Team Village talk: Mechanizing the Methodology.
Twistrs — Domain name enumeration library in RustJuxhin Brigjaj describes Twistrs (source), a domain name permutation and enumeration library written in Rust. The meaty design and implementation sections in the blog post are pretty interesting.
With a Simple Piece of Paper, Engineers Create Self-Powered, Wireless Keyboard
This week, on holy @#$&^ science is awesome: “Engineers at Purdue University have developed a printing process that can turn an ordinary sheet of paper into a Bluetooth-connected, self-powered, wireless, interactive keyboard or keypad. The layers are constructed to be triboelectric, meaning friction generates its electricity. Essentially, each time a “key” is pressed, energy is produced, so the paper-based tablet is totally self-powered.”
Daniel Miessler on the Future of Media / CreatorsSnippet from Daniel’s thread:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!