• tl;dr sec
  • Posts
  • [tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown

[tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown

Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ring's hardware and attack surface.

Author

Clint Gibler
September 23, 2020

Hey there,

I hope you’ve been doing well!

Last weekend I watched Max Max, which is an engaging documentary about life in the U.S., though a few years ahead of its time.

I’m going to be joining my friend Jb Aviat next Tuesday, September 29 at 8am PDT / 5pm CET to discuss data they’ve collected about web applications being exploited in the wild.

There are a number of interesting take-aways: there’s data to back up some things we security professionals tend to intuitively believe, and there’s a few things I found pretty surprising.

RIP RBG

This past week the world lost an incredible woman: Ruth Bader Ginsburg.

Despite graduating joint first in her class from Columbia Law School, she couldn’t get a job at a law firm because she was a woman. Nevertheless, she advanced to the highest position in her field, inspiring generations of people who are outside the traditional mold of their field.

This Vox article has a nice overview of her life, and there was even a movie made about her (trailer).

Sponsor

📢 Jobs @ Praetorian

If you default to taking the initiative and prefer the brutal truth over hypocritical politeness, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.

📜 In this newsletter...

🔗 Links:

  • Program Analysis: 73 page PDF overview by CMU profs, abstract intrepretation explained through chess, MIT's class on abstract interpretation

  • AppSec: A comic explaining HTTPS, pen testing guide for online roulette apps, lessons learned from 4 years of bug bounty, understanding and preventing web app DoS

  • Cloud Security: Tools to find exposed S3 buckets, tool to visualize your Terraform deployments, 11 tools for mapping trust relationships in AWS

  • Container Security: A compiled list of public Kubernetes failure stories, vulnerability scanner for Windows containers

  • Blue Team: An SSH tarpit to trap scanners

  • Hardware: A teardown of Amazon's Ring alarm system

  • Fuzzing: Microsoft releases a self-hosted fuzzing-as-a-service platform

  • Browser Security: Sniff communication between Chromium processes

  • Red Team: Simple multi-language reverse shell generator

  • Politics / Privacy: Comparing secure messaging apps, Palantir and Thiel shade, banks happily move money for criminals and the U.S. gov't doesn't stop it

  • OSINT: Tool to find a company's infra and files on top cloud providers, an extensible HTTP/DNS scanner, hilarious story of finding former Australian PM's passport number

  • Misc: Toonify yourself, VS Code 4 lyfe

Program Analysis

I got some nice reading recommendations from a Twitter thread started by Sean Heelan, thanks!

Program Analysis
73 page PDF by CMU professors Jonathan Aldrich and Claire Le Goues covering a simple WHILE language, doing dataflow analysis, interprocedural and pointer analysis, symbolic execution, program synthesis, concolic testing, and more.

Concrete and Abstract Interpretation, Explained through Chess
Some neat slides by Rolf Rolles describing abstract interpretation by using the state space of a chess board (all of the possible combinations of piece locations) as sort of an analogy to the state space of programs. If you’ve dreamed of seeing what peak LaTeX/Beamer look like for creating slides, look no further.

16.399: Abstract Interpretation
Reading assignments, slides, and even some example OCaml programs implementing certain ideas. H/T Rolf Rolles

AppSec

How HTTPS works
A nice, high level overview of HTTPS in an approachable comic. Probably understandable by non technical friends and family.

Online Casino Roulette – A guideline for penetration testers and security researchers
NCC Group’s Jesús Calderón Marín presents a pretty thorough walkthrough of security issues to test for when assessing online roulette applications, including time-of-check / time-of-use (TOCTOU), insecure randomness, business logic bugs, and more.

Hacking on Bug Bounties for Four Years
Awesome transparency by AssetNote co-founder Shubham Shah: he earned $635,387.47 over 4 years and 4 months through HackerOne, which is roughly $400/day, though he wasn’t doing bug bounty every day. The continuous attack surface monitoring capabilities he’s been building into Assetnote account for 18% of the bugs he reported- not too shabby 👍

Not all attacks are equal: understanding and preventing DoS in web applications
Django creator Jacob Kaplan-Moss writes a well reasoned post on evaluating the risk posed by application-level DoS attacks. I really like the lens though which he describes this: attacker leverage; that is, how much work must the attacker perform to cause how much work for the target, how strongly the targeted app authenticates users, etc. (Disclaimer: I helped edit this post.)

Cloud Security

mxm0z/awesome-sec-s3
A collection of AWS S3 tools that collect and enumerate exposed S3 buckets by Ygor Maximo.

steeve85/tfviz
Tool by Steeve Barbeau to help you understand your Terraform deployments by visualizing them. Useful for keeping your network schema up-to-date in your documentation/wiki or when threat modeling cloud-based services.

Exploring Cloud Trust Relationships: AWS
This post describes 11 different AWS security scanning tools with a focus on those that can map and graph trust relationships between different objects in AWS. Tools mentioned: Prowler, Pacu, WeirdAAL, AWS Inspector, Cartography, PMapper, Cloudmapper, AWSPX, Aaia, and Altimeter.

Container Security

k8s.af: Kubernetes Failure Stories
A compiled list of links to public failure stories related to Kubernetes by Henning Jacobs.

nccgroup/whalescan
By NCC Group’s Saira Hassan: A vulnerability scanner for Windows containers, which performs several benchmark checks, checks for CVEs/vulnerable packages, and checks the config and Docker files for misconfigurations.

Blue Team

skeeto/endlessh: SSH tarpit that slowly sends an endless banner
“An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.”

Hardware

Inside Amazon’s Ring Alarm System
Great teardown by Tenable’s Nicholas Miles: many screenshots of the hardware internals, then dumping the firmware to understand the device’s attack surface for trying to get a root shell on the device.

Fuzzing

🔥 microsoft/onefuzz: A self-hosted Fuzzing-As-A-Service platform
“Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release. With a single command, which can be baked into CICD, developers can launch fuzz jobs from a few virtual machines to thousands of cores.” Justin Campbell and Michael Walker spoke about it at Cppcon, but the video doesn’t appear to be live yet. (blog post)

  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.

  • Programmatic triage and result de-duplication: It provides unique flaw cases that always reproduce.

  • On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.

  • Fuzz on Windows and Linux OSes

Browser Security

tomer8007/chromium-ipc-sniffer
A tool to capture communication between Chromium processes on Windows in real-time using Wireshark, by capturing data sent over named pipes.

Red Team

Reverse Shell Generator
A very simple reverse shell generator that’ll give you a 1-liner for Bash, Lua, netcat, PHP, Perl, PowerShell, Python, and Ruby.

Politics / Privacy

Secure Messaging Apps Comparison
Excellent overview of ~12 messaging apps across 30+ attributes by Mark Williams. tl;dr: Use Signal (or Threema or Wire). Snippet from the table:

PalanThiel: The Uncola
Pretty brutal article about Palantir by Scott Galloway:

The analytics firm is attempting to position itself as the “Uncola,” the non-tech tech firm. A more apt metaphor is Zima. Palantir is all of the calories of Facebook (scaled sociopathy) with none of the great taste (profits).

A huge trove of secret government documents reveals for the first time how the giants of Western banking move trillions of dollars in suspicious transactions, enriching themselves and their shareholders while facilitating the work of terrorists, kleptocrats, and drug kingpins.

And the US government, despite its vast powers, fails to stop it.

Today, the FinCEN Files — thousands of “suspicious activity reports” and other US government documents — offer an unprecedented view of global financial corruption, the banks enabling it, and the government agencies that watch as it flourishes.

These documents, compiled by banks, shared with the government, but kept from public view, expose the hollowness of banking safeguards, and the ease with which criminals have exploited them. Profits from deadly drug wars, fortunes embezzled from developing countries, and hard-earned savings stolen in a Ponzi scheme were all allowed to flow into and out of these financial institutions, despite warnings from the banks’ own employees.

OSINT

0xsha/CloudBrute
A tool by @0xsha @j3ssiejjj to find a target company’s infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). See also ProxyFor for verifying good proxies. blog post 

Community Powered Scanning with Nuclei
A customizable, extensible HTTP/DNS scanner by Project Discovery (@pdnuclei). Specify request patterns in YAML, scan for known CVEs, common misconfigurations, and more. What seems especially useful is being able to define multi-step flows, and have one step extract words or text via regex from prior steps which can be used in later ones. source code 

When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number
@mangopdf writes hilarious posts, and this is no exception. One of Australia’s former PMs posted their plane ticket on Instagram, which included their boarding number. Using that, he logged onto the airline’s website as Tony and using extreme hacking skills like right-clicking and selecting “View HTML,” was able to recover passport number and phone number.

Misc

Toonify Yourself
Upload a photo and see what you’d look like in an animated movie, by Justin Pinkney and Doron Adler.

The Era of Visual Studio Code
Roben Kleene argues that VS Code is likely to remain the most popular editors for potentially 10+ years, due to its penetration of the developer market, how it’s maximized the power and visibility of extensions, has successfully moved beyond being a desktop app to the web (Codespaces), and Microsoft is putting significant resources behind it. This post covers some interesting history of text editors, from Vi to Emacs, BBEdit, TextMate, and more. H/T Daghan Altas

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint