[tl;dr sec] #58 - New Job, Burp Multiplayer, Chaos Engineering Book
I've joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed systems.
Hey there,
I hope you've been well!
Academic #truth
Academia can be tough. Thanks @yin_psyched for helping me laugh about it though.
New Job!
I've accepted a new role!
A few months ago I became Head of Security Research at r2c, a hip San Francisco-based start-up building Semgrep, an open source, lightweight static analysis tool.
To be honest, it was really tough leaving NCC Group: my colleagues were brilliant, the work was challenging and interesting, and I got to personally help dozens of companies a year improve their security posture.
NCC Group was a career making experience for me. Like a blade tested in a forge, I rapidly improved my security expertise, built a valuable network of security professionals and friends, and had the opportunity to speak at conferences around the world.
I will forever be grateful to NCC Group and my colleagues there, who helped set me up for a successful career and made me the security professional I am today. Thank you.
But when a uniquely exciting opportunity came my way, I had to take it. I wrote a post about my decision, see below.
Sponsor
Sqreen: The Essential Guide to RASP
The new NIST 5 has just been released and now recognizes RASP (Runtime Application Self-Protection) as critical to reducing risk from software vulnerabilities. RASP uses instrumentation to detect and block exploitation of vulnerabilities by taking advantage of the app's runtime. Read the essential guide to RASP to learn more.
In this newsletter...
Links:
AppSec: Three GitHub-themed CTF challenges, best practices for hardening GitHub Actions
Fuzzing: Two epic lists of fuzzing papers
Web Security: Tool to sync Burp HTTP traffic, comments and highlights in realtime, tool for reversing Google Web Toolkit apps
Container Security: Dockerfile security best practices + OPA rules to enforce them, a Kubernetes add-on that injects TLS certs into your containers, Kubernetes security demos, restricting a container's syscalls with seccomp
Blue Team: APT tactics in an open source adversary emulation repo, LD_AUDIT runs before LD_PRELOAD, block some forms of malware by setting up LD_PRELOAD whitelisting
Red Team: Collaborative reverse engineering with Ghidra Server
Politics / Privacy: FAQ to combat election-related disinformation, Iran behind fake voter intimidation emails, massive US voters and consumer databases circulate on hacker forums
Misc: A political + tech pun, 27 pages on benchmarking "hello world," free book on Chaos Engineering, Daniel Miessler on writing well, quantum random number generator as a service
My reasoning behind joining r2c and my views on where the future of application security is headed, based on my experiences speaking and working with dozens of companies.
AppSec
Hack this repository: The EkoParty 2020 GitHub CTF challenges
Neat write-up by Bas Alberts on their GitHub CTF challenges: use SSH key from git history to clone a private repo, a GitHub Action vulnerable to command injection that can be exploited by a maliciously crafted GitHub Issue, and then use that vulnerability to exfiltrate a secret from the private Action environment.
Security hardening for GitHub Actions
GitHub's best practice docs for securing GitHub Actions.
Fuzzing
Two epic lists of fuzzing papers, H/T Richard Johnson:
Web Security
moloch--/burp-multiplayer
Hack with friends! Syncs in-scope requests/responses, comments, and highlights across multiple Burp Suite instances in realtime, by Bishop Fox's Joe DeMesy.
GWTMap - Reverse Engineering Google Web Toolkit Applications
F-Secure's Oliver Simonnet describes GWTMap, "a new tool to help map the attack surface of Google Web Toolkit (GWT) based applications. The purpose of this tool is to facilitate the extraction of any service method endpoints buried within a modern GWT application's obfuscated client-side code, and attempt to generate example GWT-RPC requests payloads to interact with them."
Container Security
Dockerfile Security Best Practices
Spotify's Gianluca Brindisi discusses a number of Dockerfile security best practices and shares corresponding OPA rules you can use to scan your Dockerfiles with conftest. Practices include: don't store secrets in environment variables, only use trusted base images, don't use the latest tag for base images, avoid curl | bash-ing, don't apt-get upgrade, don't use ADD if possible, and don't use root or sudo.
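To make the list above concrete, here is a small Python checker that parses a Dockerfile and flags each of those practices. It is an added example written for this newsletter, not Gianluca Brindisi's OPA rules or conftest; the trusted-registry allowlist and the two sample Dockerfiles are constructed for the demonstration.

```python
"""Dockerfile checker for the practices listed above (added example, not the OPA rules from the post)."""
import re

# Constructed allowlist of trusted image sources; an assumption for this example.
TRUSTED_PREFIXES = ("docker.io/library/", "gcr.io/distroless/")
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
APT_UPGRADE_RE = re.compile(r"\bapt(-get)?\s+(dist-)?upgrade\b")
SUDO_RE = re.compile(r"\bsudo\b")


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and dropping comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        pending += line
        inst, _, arg = pending.partition(" ")
        yield inst.upper(), arg.strip()
        pending = ""


def normalize_image(ref):
    """Expand short names the way the Docker client does: ubuntu -> docker.io/library/ubuntu."""
    if "/" not in ref:
        return "docker.io/library/" + ref
    first = ref.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + ref
    return ref


def check_dockerfile(text):
    """Return one finding string per violated practice (empty list means clean)."""
    findings = []
    stages = set()  # names introduced by "FROM ... AS name"
    last_user = None
    for inst, arg in parse_dockerfile(text):
        if inst == "FROM":
            tokens = arg.split()
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if image == "scratch" or image in stages:
                continue  # scratch and earlier build stages are not pulled from a registry
            full = normalize_image(image)
            if not full.startswith(TRUSTED_PREFIXES):
                findings.append(f"FROM: base image {image} is not from a trusted source")
            name = full.rsplit("/", 1)[-1]
            if "@sha256:" not in name:  # a digest pins the image regardless of tag
                if ":" not in name:
                    findings.append(f"FROM: {image} has no tag, so it floats to :latest")
                elif name.endswith(":latest"):
                    findings.append(f"FROM: {image} uses the mutable :latest tag")
        elif inst == "ENV" and SECRET_KEY_RE.search(arg):
            findings.append(f"ENV: looks like a secret baked into the image: {arg}")
        elif inst == "RUN":
            if PIPE_TO_SHELL_RE.search(arg):
                findings.append("RUN: pipes a download straight into a shell")
            if APT_UPGRADE_RE.search(arg):
                findings.append("RUN: apt-get upgrade makes the build non-reproducible")
            if SUDO_RE.search(arg):
                findings.append("RUN: uses sudo")
        elif inst == "ADD":
            findings.append("ADD: prefer COPY unless you need ADD's tar/URL extraction")
        elif inst == "USER":
            last_user = arg.split(":")[0]
    if last_user is None or last_user in ("root", "0"):
        findings.append("USER: container runs as root (no non-root USER set)")
    return findings


# Constructed sample Dockerfiles: one that violates every practice, one multi-stage build that passes.
BAD_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && \\
    apt-get upgrade -y
RUN curl -sSL https://example.invalid/install.sh | bash
ENV DB_PASSWORD=hunter2
ADD app.tar.gz /opt/app
RUN sudo chown -R app /opt/app
"""

GOOD_DOCKERFILE = """\
FROM golang:1.15 AS builder
COPY . /src
RUN cd /src && go build -o /out/app .
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/app /app
USER nonroot
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for finding in check_dockerfile(BAD_DOCKERFILE):
        print(finding)
    print("clean build findings:", check_dockerfile(GOOD_DOCKERFILE))
```

The checks are deliberately syntactic (regexes over one instruction at a time), which is the same trade-off the OPA approach makes: cheap to run in CI on every commit, easy to extend with a new rule, and not a substitute for scanning the built image.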
smallstep/autocert
"A Kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers" by smallstep.
cloudogu/k8s-security-demos
Demos of various Kubernetes security features, including Network Policies, Security Context, and Pod Security Policies, by Cloudogu.
Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a Node to your Pods and containers.
Identifying the privileges required for your workloads can be difficult. In this tutorial, you will go through how to load seccomp profiles into a local Kubernetes cluster, how to apply them to a Pod, and how you can begin to craft profiles that give only the necessary privileges to your container processes.
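Crafting a profile that grants only the syscalls a container actually needs usually starts from a trace of the workload. The Python below, an added example rather than code from the Kubernetes tutorial, parses an strace log, collects the syscall names, and emits a profile in the JSON format the kubelet loads (the same shape as Docker's default profile). The strace excerpt and the "baseline" set of process-startup syscalls are constructed for the demonstration; verify the baseline against your own libc and runtime.

```python
"""Build a least-privilege seccomp profile from an strace log (added example)."""
import json
import re

# Syscalls a dynamically linked glibc program needs just to start. Constructed baseline:
# verify against your own runtime and libc before relying on it.
BASELINE = {
    "execve", "brk", "arch_prctl", "mmap", "mprotect", "munmap", "exit_group",
    "rt_sigaction", "rt_sigprocmask", "set_tid_address", "set_robust_list",
    "prlimit64", "getrandom", "newfstatat", "pread64", "futex",
}

# strace line shapes: "name(" possibly prefixed by "[pid N]" or a bare pid (strace -f / -ff),
# and "<... name resumed>" for a call interrupted by another thread's activity.
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")
RESUMED_RE = re.compile(r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def syscalls_from_strace(lines):
    """Return the set of syscall names seen; signal ("--- SIG...") and exit ("+++") lines are ignored."""
    seen = set()
    for line in lines:
        m = CALL_RE.match(line.strip()) or RESUMED_RE.search(line)
        if m:
            seen.add(m.group(1))
    return seen


def build_profile(observed, mode="enforce"):
    """OCI/Kubernetes seccomp JSON: allow observed + baseline; everything else ERRNO, or LOG in audit mode."""
    default = "SCMP_ACT_ERRNO" if mode == "enforce" else "SCMP_ACT_LOG"
    return {
        "defaultAction": default,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(observed | BASELINE), "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile, syscall):
    """With a single allow list, a syscall passes only if it is named; otherwise the default applies."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


# Constructed strace -f excerpt of a small HTTP server accepting one request.
TRACE = r"""
execve("/app/server", ["/app/server"], 0x7ffd1f2a3b40 /* 12 vars */) = 0
brk(NULL) = 0x55d4a2c3e000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
[pid  4242] bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  4242] listen(4, 128) = 0
[pid  4243] accept4(4,  <unfinished ...>
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4244, si_status=0} ---
[pid  4243] <... accept4 resumed>{sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_CLOEXEC) = 5
read(5, "GET / HTTP/1.1\r\n", 4096) = 16
write(5, "HTTP/1.1 200 OK\r\n", 17) = 17
close(5) = 0
+++ exited with 0 +++
"""

if __name__ == "__main__":
    observed = syscalls_from_strace(TRACE.splitlines())
    print(json.dumps(build_profile(observed), indent=2))
```

Save the output under the kubelet's seccomp root (by default /var/lib/kubelet/seccomp/) and reference it from the pod's securityContext with seccompProfile type Localhost and the relative localhostProfile path. A single trace only covers the code paths it exercised, so a sensible rollout is to ship the profile with mode="audit" first (defaultAction SCMP_ACT_LOG), watch the kernel's audit log for syscalls the allow list missed, and only then switch to SCMP_ACT_ERRNO.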
Blue Team
scythe-io/community-threats
Emulate various APT threat actors using the threats enumerated in this adversary emulation repo, which supports SCYTHE threats and MITRE ATT&CK Navigator (both use JSON). Another example of the "detection-as-code" theme (see also tl;dr sec 55), in which defenders are codifying adversary behavior to ensure detections are repeatable and work as expected.
Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
In Linux, LD_PRELOAD is often used by threat actors to intercept library calls (for process hiding and rootkit implementation in user space) and to inject code in general. SentinelOne's Lior Ribak describes how LD_AUDIT runs before LD_PRELOAD, which can be used by defenders to prevent this malicious behavior, or by attackers to write more stealthy malware.
Whitelisting LD_PRELOAD for Fun and (No) Profit
Linked by the above article, Tony Lambert wrote libpreloadvaccine, which enables you to whitelist what libraries you expect to use LD_PRELOAD, making it harder for malware to abuse this functionality.
Red Team
Collaborative Reverse Engineering with Ghidra Server
Given that the NSA has teams of people hunting for bugs, it's not surprising that Ghidra has built-in functionality for "shared projects," enabling reversers to easily share progress, annotations, and more. This post by Omar Darwish has a nice intro and overview of Ghidra's collaboration features.
Politics / Privacy
Rumor Control | CISA
Nice short write-ups on rumor vs reality to combat election-related disinformation, by the Cybersecurity & Infrastructure Security Agency.
US govt: Iran behind fake Proud Boys voter intimidation emails
"The US govt has stated that Iran is behind threatening emails sent to Democratic voters warning that they must vote for Trump or face consequences."
Massive US Voters and Consumers Databases Circulate Among Hackers
Trustwave's Ziv Mador reports on multiple instances of U.S. voter databases being sold on hacker forums, ranging from 186 to 245 million records. Depending on the dump, this data includes full name, physical address, phone number, ethnic group, political affiliation, and more. This info can be used for more effective social engineering scams and to spread disinformation about the election. According to Bitcoin transactions the researchers obtained, the cybercriminal group made $100 million USD in the last five months alone.
Misc
Benchmarking "Hello, World!"
It's Friday night, you've just poured yourself a tall glass of red wine, and you're looking to relax after a tough week. Enter this 27 page PDF by Dr. Richard L. Sites on the difficulties of truly evaluating performance, distributed systems challenges, etc. H/T Collen Dai.
Programmers have pictures in their heads of what their programs are doing. Those pictures are too simplistic and essentially always wrong. Sometimes the performance problem they are looking for is in the missing parts, or in the not-visible dynamics of "event A causes event B", with time sequencing and cause and effect not observed at all.
The Chaos Engineering Book
Casey Rosenthal chartered the Chaos Engineering Team at Netflix, and you can now download the book on chaos engineering he and Nora Jones wrote for free! Topics include: where Chaos Engineering came from, mental models to challenge mainstream thinking on system reliability, and contributed chapters from people at Slack, Google, Microsoft, LinkedIn, and CapitalOne.
How to Write Well
Advice from the impressively prolific Daniel Miessler:
1. Clear writing is only possible with clear thinking, so start with an outline.
2. Fancy language communicates deception, so write like you're talking to someone.
3. Wandering sentences lose the reader, so be clear and direct.
4. Flow creates impact, so alternate between short and long sentences.
QuantumRNG-aaS - Making use of Quantum Algorithms
A proof of concept implementation by Mark Cardinal of using IBM's Quantum Experience platform to generate the entropy pool for a cryptographically secure pseudorandom number generator (CSPRNG). Because lol, why not?! Friendly reminder: friends don't let friends buy products with "quantum computing" in their name.
During my final few years at NCC Group, I spent thousands of hours watching security conference talks, reading technical blog posts, and having frank conversations with security engineers at many forward-thinking tech companies. This led to me giving a number of talks in which I collected the best tips and tactics into one tome of a slide deck (latest slides).
I began to find that there were some initially surprising, but consistent trends. Things that were a bit different than what was commonly discussed publicly.
In short, I found that many AppSec teams were deprioritizing finding vulnerabilities, and instead building secure defaults and then using lightweight tools to enforce their use. When done properly, this can eliminate certain vulnerability classes from ever occurring in the first place.
Google, Microsoft, Facebook, Netflix, Dropbox, DocuSign, and many other companies have written about this, and I think it's a key shift in the industry.
And as with all big shifts (for example, the adoption of Agile/DevOps, cloud infrastructure, and containers), it requires a shift in our tooling and approach.
If this sounds interesting, check out my blog post for more details.
Bonus: The post includes anecdotes like:
The rude awakening I faced as an academic, seeing how security works in the Real World™
What happens when you smack talk an entire Gartner quadrant in an off-the-record session at AppSec USA, when people in sales at the relevant companies are there
Why I should have been a bit cheekier and requested $150,000 for 2 weeks of work
What happened when I gave critical feedback to r2c's CEO on my first day
How r2c's CTO built a proof-of-concept of an idea I mentioned in passing, in two days
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint