• tl;dr sec
  • Posts
  • [tl;dr sec] #54 - Complexity in Capital, Communicating a Breach, Offensive Terraform

[tl;dr sec] #54 - Complexity in Capital, Communicating a Breach, Offensive Terraform

I contributed to an article in Forbes, how to communicate when you've been hacked, Terraform to spin up offensive infrastructure.

Hey there,

I hope you’ve been doing well!

One exciting thing that happened this week is an article I collaborated on with my friend, Louisa Xu, a Partner at IVP, was published in Forbes! I’ve never had anything in Forbes before, so that was neat.

In the article, Louisa and I discuss:

  • How product complexity and cheap capital make vetting the quality of security products hard

  • Modern AppSec best practices

  • Why security vendors using machine learning is often overhyped, and some tough questions to ask them

Fun fact: on publishing your first article in Forbes, they mail you a monocle, a smoking jacket, and a personalized copy of The Great Gatsby.

Framed on my wall

Trimmed Descriptions

I’m trying something new: trimming some of the descriptions and snippets in the email and having them on just the blog instead.

That way, if you want to see more, you can go to this blog post, otherwise, you can more easily skim the email.

Feel free to let me know what you think.

Sponsor

📢 Secure Your Business-Critical SaaS with AppOmni

AppOmni is the leading provider of SaaS Security Posture Management (SSPM) solution. AppOmni provides continuous monitoring, management and security of SaaS solutions, enabling organizations to maintain best practices and secure sensitive data. AppOmni’s technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and enable simple remediation. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that will be continuously and automatically validated. Get a free AppOmni Risk Assessment today.

If you're not familiar, AppOmni was co-founded by Brendan O'Connor, a super sharp and nice dude, who used to be CSO at Salesforce.

📜 In this newsletter...

  • AppSec: Hacking Artifactory guide, combine HTTP API tools, Java RMI for pen testers

  • Web Security: An opinionated web app pen testing methodology, Twitter account for Burp tips

  • Cloud Security: AWS IAM explained, tool to detect common GKE misconfigurations, walkthrough of enumerating and pivoting through an AWS environment, Amazon Detective can analyze how IAM roles are used, mTLS for Amazon API Gateway

  • Fuzzing: Fuzzing workshop material from EkoParty

  • Red Team: Using VMs to persist and evade detection, Terraform modules to spin up offensive infrastructure

  • Politics / Privacy: Service that scans a provided URL for trackers, China's snooping on important people around the world, the dumpster fire that is U.S. politics

  • OSINT: Tool to download exposed .git directories, a list of subdomains for public bug bounty programs

  • Misc: How to effectively communicate after a breach

AppSec

Artifactory Hacking Guide
Nice overview by Guillaume Quéré: default users and passwords, checking account permissions and listing users, high severity known vulnerabilities, post exploitation, and how to defend it.

OWASP APICheck
New project by Daniel García that aims to make it easy to integrate HTTP API tools into execution chains, where the output and input of each is JSON, so you can pipe things together like *NIX tools. This approach reminds of Daniel Miessler’s approach in his Red Team Village talk, Mechanizing the Methodology.

Java RMI for pentesters: structure, recon and communication (non-JMX Registries)
Łukasz Mikuła describes what RMI (Remote Method Invocation) interfaces are (tl;dr: expose Java RPC calls over the network), how to build one from source, what info you can learn about an RMI interface using an Nmap scan, how to build an RMI client, and what are typical issues and stack traces you encounter when dealing with RMIs and what they mean.

Web Security

tprynn/web-methodology
An opinionated guide on how to conduct a web application security assessment by NCC Group’s Tanner Prynn covering a range of topics including application mapping, reviewing the design, authentication and authorization, frontend attacks, input handling, & cryptography.

@Mastering Burp Suite Pro
Twitter account full of Burp tips by Nicolas Grégoire, creator of a popular Burp Suite training course.

Cloud Security

google/gke-auditor
A tool to detect a set of common Google Kubernetes Engine misconfigurations.

Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 1/2)
Nice write-up by Federico Lago describing a testing flow: Hadoop instance with an exposed unauthenticated ResourceManager service -> RCE with Metasploit -> AWS access keys in core-site.xml -> enumerate permissions with enumerate-iam -> check for privilege escalation with aws_escalate.py -> enumerate S3 buckets you can read -> more AWS creds, and more.

Amazon Detective introduces IAM Role Session Analysis
“Amazon Detective now analyzes IAM role sessions so that you can visualize and understand the actions that users and apps have performed using assumed roles. Detective enables you to answer questions such as “which federated user invoked APIs that are associated with a security finding?”, “what API calls did a user invoke across a chain of role assumptions?”, “What API activity did an EC2 instance perform?” and “which of my users use this cross-account role?”, all without manually analyzing CloudTrail logs.”

Introducing mutual TLS authentication for Amazon API Gateway
“AWS is introducing certificate-based mTLS authentication for Amazon API Gateway. This is a new method for client-to-server authentication that can be used with API Gateway’s existing authorization options.”

Fuzzing

Red Team

Beware of the Shadowbunny - Using virtual machines to persist and evade detections
Johann Rehberger describes an attacker tactic of deploying a VM on a target host to pivot, provide persistence, and at the same time evade detection.

Offensive Terraform
Terraform modules to automatically exploit certain AWS scenarios, like copying a publicly exposed EBS snapshot, spinning up a Lambda to exfiltrate an AWS temporary credential, and more.

Politics / Privacy

Blacklight by The Markup
Blacklight is a service that will visit a provided URL with a headless browser that fingerprints ad trackers, third-party cookies, session recording services, if it captures keystrokes, and if there are certain Facebook or Google analytics on it.

The data dump that reveals the astonishing breadth of Beijing’s interference operations
China is systematically gathering information on politically or otherwise important people around the world so that they can influence them. Not surprising, but concerning. See relevant snippets on the blog.

The work of Zhenhua — which boasts that its clients are Chinese defense and intelligence agencies — offers concrete evidence of the Xi government’s global attempts to build relationships among political elites.

First, you identify your targets and their associates. Next, you scrape data on them, determining whether they are friendly to China’s policies and if they have any secrets worth gaining. Finally, you make an approach to cultivate a relationship. This could be the offer of a business opportunity, a directorship or other honor, an all-expenses paid conference trip in China, or a political donation offered via an intermediary.

Intriguingly, the Zhenhua data also include criminals, classified as “special interest persons,” who have been convicted of serious crimes such as trafficking and fraud. Such people are profiled because they may be more susceptible to cooperating with foreign intelligence organizations.

The United States has the most names in the database: 51,934. Over 80 percent of sub-headings are U.S.-related, set up to collect details about the U.S. political elite and U.S. military capacities, from facilities to base personnel mental states. President Trump’s trade adviser Peter Navarro and outside China adviser Michael Pillsbury turn up, as does deputy national security adviser Matt Pottinger. Jared Kushner has over 561 mentions, while Ivanka Trump has 1,913.

The Dumpster Fire that is U.S. Politics
It seems almost impossible to even keep track of current events, but here are a few things that happened recently:

  • Massive investigative report by the NY Times, who obtained the president’s tax information over the past two decades. They found that he paid $750 in federal income taxes in 2016 and 2017, paid none at all in 10/15 of the previous years, and has generally been using huge losses from various businesses to write off having to pay taxes.

    • Trump is currently “personally responsible for loans and other debts totaling $421 million.”

    • Several Trump properties, e.g. Mar-a-Lago, have had record revenue since he became president, as foreign government officials and other parties have stayed there to curry favor.

  • A leaked copy of a vast election database used by the Trump 2016 campaign appears to indicate that the campaign purposefully targeted 3.5 million black Americans in battleground states with negative Hillary Clinton ads on Facebook to discourage them from voting. The effort is said to have been devised in part by Cambridge Analytica.

  • In the first debate, the U.S. president refused to denounce a far-right white supremacist group, telling them to “stand by,” which the group took as an endorsement of them physically attacking people they disagree with.

    • Though Trump said he sees more violence coming from the left, the FBI director Christopher Wray said that violent extremism from white supremacists makes up a majority of domestic terrorism threats.

    • Oh, and also that the FBI has observed Russia conducting a “very active” campaign to spread disinformation and interfere in the presidential election, with Mr. Biden as the primary target.

OSINT

liamg/gitjacker
By Liam Galvin: Downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It can still recover a significant portion of a repo even where directory listings are disabled.

HunterSuite Assets
A list of subdomains for publicly listed programs.

Misc

A framework for effective corporate communication after cyber security incidents
Paper by academics that lays out a framework for how organizations should communicate after a security incident. The paper has some great overview figures, so I pulled them out into a quick summary blog post.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint