[tl;dr sec] #64 - Kubernetes Guide, XSS for PDFs, SolarWinds FTL
Hope you’ve been doing well!
2020 has been tough, but we can all relax and enjoy the holidays, no matter how humble.
The Joy of #collabs
Recently I’ve been working on several blog posts with a few friends, and it’s been so fun.
Keep an eye out for more collaborations and guest posts from top notch people next year 😎
Break for the Holidays
I’m taking the next two weeks off for Christmas and New Years.
tl;dr sec will be roaring back to your inbox the first week of January with new found resolve – more great resources, more original content, and it’ll be hitting the gym 5 days a week, no exceptions.
📢 Protect your SaaS data with AppOmni
Have you ever looked at the security of your SaaS applications? Why not start now with our free 1-hour risk assessment. AppOmni was founded by SaaS security veterans and is quickly becoming the leading provider of advanced enterprise SaaS security. We provide continuous monitoring, management, and security of applications including: Salesforce, Slack, Microsoft Office 365, Github, Box, and Zoom. Some of your most important data is stored in the cloud. With AppOmni, you'll know who has access to it.
📜 In this newsletter...
AppSec: Comparing BSIMM & SAMM
Web Security: XSS for PDFs, active TLS server fingerprinting tool, deep dive into site isolation, Ekoparty workshop on server-side vulnerabilities, wiki detailing cross-site info leaks
Cloud Security: Protecting sensitive data in Terraform, AWS Audit Manager helps you prep for audit, Semgrep for cloud security
Container Security: Tool to escalate privileges and escape container, how Kubernetes container isolation impacts privilege escalation attacks
Politics / Privacy: Cloudflare releases privacy-first web analytics, SolarWinds write-up by FireEye, opinion piece by Homeland Security Adviser
OSINT / Recon: Analysis of the RECON/attack surface management space
📚 Risk8s Business: Risk Analysis of Kubernetes Clusters
Awesome guide by Mark Manning on assessing the risk of your Kubernetes clusters.
Comparing BSIMM & SAMM
Brian Glas, a contributor to OWASP SAMM, describes BSIMM as descriptive (you compare your company’s state and initiatives to what other orgs are doing) and SAMM as prescriptive (you should do these things as you increase your security posture).
Easily Identify Malicious Servers on the Internet with JARM
Salesforce’s John Althouse describes a newly released tool, JARM, an active TLS server fingerprinting tool, which can be used to:
Quickly verify that all servers in a group have the same TLS configuration.
Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.
Identify default applications or infrastructure.
Identify malware command and control infrastructure and other malicious servers on the Internet.
Silas Cutler gave JARM a spin and wrote about his findings in this blog post. In short, he found that “JARM fingerprints alone are rarely (not always) unique enough to be a reliable method for clustering.”
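As an added example (my own code, not JARM's and not from either post above), here is how a defender might process JARM output for the first two use cases: confirming that a fleet shares one TLS configuration, and clustering hosts by fingerprint while flagging fingerprints that are shared across too many unrelated owners to attribute on their own, which is Cutler's caveat in practice. The fingerprint layout it relies on (30 characters of per-probe cipher/version codes followed by a 32-character truncated SHA-256 of the server's extension responses, all zeros when no handshake completed) is JARM's documented format; every hostname, owner and fingerprint value below is constructed for the sample and is not a real JARM hash.

```python
"""Added example (not JARM's own code): validate, check and group JARM fingerprints.

A JARM fingerprint is 62 hex characters: 30 characters of per-probe
cipher/version codes (10 Client Hellos x 3 characters each) followed by a
32-character truncated SHA-256 of the server's extension responses. An
all-zero value means the host never completed a TLS handshake.
All hostnames, owners and fingerprint values in this file are constructed.
"""
import hashlib
import re
from collections import Counter, defaultdict
from typing import NamedTuple

JARM_RE = re.compile(r"^[0-9a-f]{62}$")
NO_RESPONSE = "0" * 62


class Record(NamedTuple):
    host: str
    jarm: str
    owner: str  # who the inventory says operates the host (constructed)


def split_jarm(fp: str):
    """Return ([10 probe codes], extension_hash); reject malformed input."""
    if not JARM_RE.match(fp):
        raise ValueError(f"not a JARM fingerprint: {fp!r}")
    return [fp[i:i + 3] for i in range(0, 30, 3)], fp[30:]


def shares_cipher_profile(fp_a: str, fp_b: str) -> bool:
    """True when both servers chose the same cipher/version for every probe,
    even if their extension hashes differ."""
    return split_jarm(fp_a)[0] == split_jarm(fp_b)[0]


def check_uniform(records):
    """Use case 1: confirm a fleet shares one TLS configuration.
    Returns (expected_fp, outliers): the most common fingerprint, plus every
    host that differs from it or did not respond at all."""
    expected, _ = Counter(r.jarm for r in records).most_common(1)[0]
    outliers = [r for r in records if r.jarm != expected]
    return expected, outliers


def cluster(records, min_owners: int = 2):
    """Use case 2: group hosts by fingerprint. A fingerprint seen across
    `min_owners` or more distinct owners is marked ambiguous: it identifies a
    common TLS stack, not a particular operator."""
    groups = defaultdict(list)
    for r in records:
        if r.jarm == NO_RESPONSE:
            continue  # no TLS configuration to cluster on
        split_jarm(r.jarm)  # validate before grouping
        groups[r.jarm].append(r)
    report = {}
    for fp, members in groups.items():
        owners = sorted({m.owner for m in members})
        report[fp] = {
            "hosts": [m.host for m in members],
            "owners": owners,
            "ambiguous": len(owners) >= min_owners,
        }
    return report


def constructed_jarm(probe_code: str, ext_seed: str) -> str:
    """Build a well-formed but fictitious fingerprint for the sample data."""
    ext_hash = hashlib.sha256(ext_seed.encode()).hexdigest()[:32]
    return probe_code * 10 + ext_hash


# Constructed sample fingerprints: same probe codes, different extension hashes
FP_STACK_A = constructed_jarm("27d", "stack-a-extensions")
FP_STACK_A2 = constructed_jarm("27d", "stack-a-other-extensions")
FP_STACK_B = constructed_jarm("29d", "stack-b-extensions")

# Constructed inventory: three web servers, a vendor CDN edge, one dead host
FLEET = [
    Record("web-1.example.test", FP_STACK_A, "acme"),
    Record("web-2.example.test", FP_STACK_A, "acme"),
    Record("web-3.example.test", FP_STACK_B, "acme"),  # drifted configuration
    Record("edge.cdn-vendor.test", FP_STACK_A, "cdn-vendor"),
    Record("old-box.example.test", NO_RESPONSE, "acme"),  # no TLS answer
]

if __name__ == "__main__":
    expected, outliers = check_uniform(FLEET)
    print("expected:", expected)
    for r in outliers:
        print("outlier:", r.host, r.jarm)
    for fp, info in cluster(FLEET).items():
        print(fp[:12], info)
```

Run against the constructed fleet, `check_uniform` reports web-3 (different stack) and old-box (no handshake) as outliers, and `cluster` marks FP_STACK_A ambiguous because both "acme" and "cdn-vendor" hosts share it: exactly the situation where a fingerprint match should trigger a closer look rather than an attribution.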
Deep Dive into Site Isolation (Part 1)
This post by Jun Kokatsu well deserves the term “deep dive.” He describes how Site Isolation and related security features work, and walks through several bugs he found in Chrome’s implementation. See also his presentation at bugSWAT.
I also found this intuition interesting (highlights are mine):
Demystifying the Server Side
Ekoparty 2020 workshop (video) by Harsh Jaiswal, Rahul Maini, and Rajanish Pathak covering server-side vulnerabilities like SSRF, XXE, Remote Code Execution and reverse proxy attacks. Includes a number of interesting case studies.
Wiki by some Googlers describing and providing PoC code for how malicious websites can use side-channels to infer information about users, as well as defense mechanisms. The source is on GitHub.
How To Protect Sensitive Data in Terraform
Guide by Digital Ocean: “In this tutorial, you’ll hide sensitive data in outputs during execution and store your state in a secure cloud object storage, which encrypts data at rest.”
AWS Audit Manager Simplifies Audit Preparation
Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”
Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
Kamil Potrec describes how Kubernetes container isolation impacts privilege escalation attacks and, using common kernel exploitation techniques, shows how container abstraction layers can hinder one’s path to that precious root shell.
Politics / Privacy
Cloudflare’s privacy-first Web Analytics is now available for everyone
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Whoa, a pretty impressive supply chain attack. A reflection Twitter thread by Alex Stamos:
OSINT / Recon
Analysis of the RECON/Attack Surface Management Space
Daniel Miessler believes this space breaks down into several overlapping areas, which will probably all merge into Attack Surface Management within ~3-6 years.
Attack Surface Management
Bounty Researcher Tooling
Discovery, Monitoring, and Alerting
Reporting and Remediation
Vulnerability Discovery and Management
In my opinion, there are meaningful differences and trade-offs if you come at this from a whitebox or blackbox perspective. Both have strengths and weaknesses, and based on some chats I’ve had with Caleb Sima, seems like companies might need both.
A few weeks ago I was catching up with Mark Manning. One thing led to another, and next thing I knew we had decided to write a meaty Kubernetes security guide. It happens.
I’m especially excited to share this with you because Mark is legit - he spent several years at NCC Group doing largely Kubernetes and container security projects for a wide array of clients, and he helped build out NCC Group’s Kubernetes and container practice.
The guide ramps you up on Kubernetes terms and how the pieces fit together if you’re new, then dives into how to get the lay of the land of your Kubernetes environment and how to take a measured approach to meaningfully reduce your security risk.
It’s approachable, actionable, and downright funny. Here’s a taste:
One more thing before I go -- forgive me this self-indulgence, but if you've found tl;dr sec useful, I'd really appreciate you forwarding this email if there's anyone who you think would like it, or sharing tl;dr sec on Twitter or LinkedIn. Thanks and happy holidays! 🙏 🎄
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!