
[tl;dr sec] #6 - Post Hacker Summer Camp

Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.

Hey there,

I hope you're at least mostly recovered from Hacker Summer Camp in Vegas.

I am, and it only took two jugs of locally sourced, all organic kombucha, three pieces of avocado toast, and a week of goat yoga. You know, just normal #SFlife things.

Trays of champagne, glass boxes full of money, and a magician explaining via a card trick metaphor why a security product is essential for your company's security, courtesy of the Black Hat vendor hall.

⭐️ Neat Hacker Summer Camp Talks

Martin Vigo wrote an article on how to get someone's phone number from their email address at BSidesLV and the Recon Village @ DEF CON. (video | slides)

NCC Group's Gerald Doussot and Roger Meyer presented "State of DNS Rebinding: Attack & Prevention Techniques and the Singularity of Origin" at BSidesLV and DEF CON (BSidesLV video | slides). To the best of my knowledge, this is the current definitive work on DNS rebinding.

  • Their tool, Singularity, speeds up DNS rebinding from 60sec to 3sec on most major OSs and browsers, has a bunch of built-in payloads, can auto fingerprint and auto pwn services, allows you to browse internal web apps without a web proxy using some neat websocket shenanigans, and they were able to bypass every tool that claimed to protect against DNS rebinding that they reviewed🔥.

Rolf Rolles' Automation Techniques in C++ Reverse Engineering (slides) at BlackHat USA, which he also presented at RECON, is some awesome technical work in recovering type structures from binaries via executing the program, recording memory accesses and program behavior, and applying some intelligent tricks. What I particularly liked is at several points he weighs various options and explores the trade-offs of different approaches. Really neat to see his thought processes and methodology.

Ben Morris of Bishop Fox gave a DEF CON talk (abstract | Tech Crunch overview | slides) describing how he found a number of publicly exposed AWS EBS volumes (i.e. virtual hard drives) from a variety of companies including large healthcare providers, tech companies, and government contractors.

  • He found application keys, SSH private keys, PII, admin credentials, source code, VPN config info, etc. In total, he manually confirmed 50 exposures in one AWS region and estimates ~750-1,250 exposures across all regions.

  • The overall attack is: use the AWS EBS API to query for public snapshots, attach the snapshot to an EC2 instance you control, search the disk for secrets.

  • Source code to be released in a few weeks.
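The defender's side of the EBS finding above is to check whether any snapshot your own account owns carries the `createVolumePermission` group `all`, which is what makes it public. The following is an added example, not code from the talk or from Bishop Fox: the pure-logic helpers run offline against constructed records in the shape `DescribeSnapshotAttribute` returns, and `audit_account` (which assumes boto3 and AWS credentials in the environment) applies the same check to a real account and can remove the public grant.

```python
"""Find (and optionally un-share) EBS snapshots that are public in your own AWS account.

Added example; assumes boto3 credentials are configured only when audit_account() is called."""
from typing import Iterable

PUBLIC_GROUP = "all"  # createVolumePermission group that makes a snapshot world-readable

# Constructed sample responses in the shape of ec2.describe_snapshot_attribute(); not real snapshots
SAMPLE_ATTRS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "CreateVolumePermissions": [{"UserId": "123456789012"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "CreateVolumePermissions": []},
]


def is_public(attr: dict) -> bool:
    """True if a DescribeSnapshotAttribute record grants createVolumePermission to group 'all'.

    A grant to a specific UserId is cross-account sharing, not public exposure, so it is not flagged."""
    perms = attr.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def public_snapshot_ids(attrs: Iterable[dict]) -> list:
    """Reduce a sequence of DescribeSnapshotAttribute records to the IDs of public snapshots."""
    return [a["SnapshotId"] for a in attrs if is_public(a)]


def audit_account(region: str, remediate: bool = False) -> list:
    """Return the public snapshot IDs owned by the calling account; remove the grant if remediate=True."""
    import boto3  # imported lazily so the helpers above work without AWS access

    ec2 = boto3.client("ec2", region_name=region)
    attrs = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attrs.append(ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"))
    exposed = public_snapshot_ids(attrs)
    if remediate:
        for sid in exposed:
            # Drops only the 'all' group; explicit per-account shares are left untouched
            ec2.modify_snapshot_attribute(SnapshotId=sid, Attribute="createVolumePermission",
                                          OperationType="remove", GroupNames=[PUBLIC_GROUP])
    return exposed


if __name__ == "__main__":
    print("public in sample data:", public_snapshot_ids(SAMPLE_ATTRS))
```

Run `audit_account` once per region, since snapshots and their permissions are regional and the talk's estimate spans all of them.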

Amazon Web Services In Plain English has some great clear and concise descriptions of what AWS services actually do.

Static Analysis at Scale: An Instagram Story describes how Instagram built custom lightweight static analysis that can run on the hundreds of commits they push to production per day on their Django monolith. They even have auto-fixing lints, which is pretty neat.

Halvar Flake wrote a blog post that nicely describes a number of points of view regarding responsible disclosure. Some key points: it's unrealistic to expect that attackers will not get info about unreleased vulns from small, "private" discussion groups; the risk of unpatched vulns is not uniform (e.g. whistleblower vs. average person); attackers' automated patch-diffing infrastructure means patches are basically "here's the bug"; publishing detailed exploits helps defenders keep up with attackers; current incentives are not aligned for software makers to care about security (risk is pushed onto consumers); and the tech industry gains massive profits while offloading risk onto users. Disclosure is complicated, and anyone who thinks there is an easy answer probably hasn't thought deeply enough about it.

Twitter just announced they've uncovered a "significant, state-backed information operation focused on the situation in Hong Kong." They're releasing the complete Tweet history and user info for the 936 most active accounts identified (out of a larger network of roughly 200,000 spammy accounts). "We have reliable evidence to support that this is a coordinated state-backed operation."

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

Also, if there's anyone you think who would find this newsletter interesting or useful, I'd really appreciate if you'd forward it to them. 🙏

Thanks for reading!

Cheers,

Clint