[tl;dr sec] #68 - Securing Lambda, Recon Tool Primer, Blind SSRF Chains
How AWS secures Lambda, Daniel Miessler's overview of @TomNomNom's recon tools, how to demonstrate high impact when you can't see the SSRF response.
I hope you’ve been doing well!
A bunch of people signed up this week, so I just wanted to say hi 👋
Welcome, I’m glad you’re here! You’re among friends.
Srsly Risky Biz
I like how it often takes a topic or theme and then nicely collects a broad swathe of relevant supporting links into one place for easy review, and then ties it together with Brett’s analysis and some jokes and wordplay. Example: Ransom payouts spell trouble for insurers.
If you enjoy long form content about security and privacy-related current events, check it out!
Over 5,000 Subscribers, Giving Back
Recently tl;dr sec surpassed 5,000 subscribers, which is crazy! 🚀
I’ve been reflecting on how lucky I feel to get to do something I love (read too much security content) and share it.
I’m in such a fortunate position, so I want to give back.
I know there are a lot of people in the U.S. right now who are food insecure, so I posted on LinkedIn and Twitter that I’ll donate $1 to Feeding America’s Coronavirus Response fund for every like, re-tweet, or share over the next week.
If you’d like to contribute as well, you can do so here.
Here’s to a better 2021!
📢 RASP that works.
Sqreen helps security leaders protect their applications, APIs and microservices from data breaches. As opposed to traditional solutions that monitor requests at the network level, Sqreen's next-gen RASP analyzes how each request is executed at the application level to identify and block malicious user behavior, not just malicious IPs. Join the 800+ organizations who have deployed Sqreen's RASP in Production.
📜 In this newsletter...
AppSec: Bypassing signature checks with Electron, SANS Virtual Summits are free, writing custom static analysis rules in Brakeman and Semgrep
Cloud Security: How AWS Lambda manages security, creating least privilege custom roles in GCP, OpenID proxy for static sites hosted in S3
Container Security: Worst case scenarios when creating overly permissioned Kubernetes pods
Politics / Privacy: North Korea is targeting security researchers
OSINT / Recon: Automating internal threat intelligence and inventory, primer for @TomNomNom's recon tools
Misc: Fauci in slow motion in all his glory, fraud reports are higher without shared beers and can SEC rules tackle a range of problems?
Twitter: Scott Piper has strong opinions on cast irons, InfoSec awareness sea shanty by Rachel Tobac
A ‘Novel’ Way to Bypass Executable Signature Checks with Electron
Parsia Hakimian gives an overview of analyzing the attack surface of app update mechanisms on Windows, including 6 relevant bugs. He then demonstrates how to bypass signature checks using signed Electron binaries and backdoored
SANS Virtual Summits FREE in 2021
Nice, usually SANS stuff is $$$.
Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep
So you’re doing a code review and you find some code base-specific pattern that likely indicates a bug (e.g. authn/authz). You’d like to search for this code pattern across thousands of files, but because this pattern is unique to this code base, no SAST tool is going to have a rule for it out of the box. This is the perfect opportunity for writing a custom rule.
Include Security’s Jason Kielpinski walks through his experiences writing custom rules in both Brakeman and Semgrep.
Client Side Encryption Bypass Part-1
First find where the logic is implemented.
You can do this via the Developer tools and Ctrl+f-ing for potentially relevant function names, or inspecting DOM elements and looking for onClick or other registered callbacks.
Then set breakpoints, step through the code, and modify it as necessary; after all, it’s running in your browser 😉
Sameer also includes a Docker image practice lab.
A Glossary of Blind SSRF Chains
Blind SSRF is when you can cause a server to make a request to an arbitrary URL but you can’t see the result. Assetnote co-founder Shubham Shah presents a cheatsheet of high impact blind SSRF targets including Elasticsearch, Weblogic, Hashicorp Consul, Structs, Confluence, Jira, Jenkins, Docker, and many more. Other tips include “SSRF canaries,” using DNS and AltDNS to find internal hosts, and side channel leaks. (GitHub repo)
Security Overview of AWS Lambda
20 page PDF by Amazon on how Lambda manages security: process sandboxes, microkernel, hypervisors, how to monitor and audit Lambda functions, and more. H/T Mark Manning for sharing.
Google Cloud IAM Custom Role and Permissions Debugging Tricks
Darkbit’s Brad Geesaman describes the process of creating a custom GCP IAM role to follow least privilege, including using the IAM Policy Troubleshooter.
Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes? Bishop Fox’s Seth Art describes eight insecure pod configurations and the corresponding methods to perform privilege escalation:
Privileged and hostPid;
Privileged, hostPath, hostPid, hostNetwork, or hostIPC only
See this repo for a collection of manifests that map to these configs.
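As an added example (not code from the Bad Pods repo), here is a small audit function that flags the pod settings the write-up calls out (privileged, hostPath, hostPID, hostNetwork, hostIPC) in a pod manifest and maps it onto the write-up's categories. Manifests are plain dicts of the shape `yaml.safe_load` returns; the sample manifests are constructed.

```python
"""Flag the overly permissive pod settings described in Bad Pods."""
from typing import Any

# Pod-level booleans that expose the node's PID, network or IPC namespace.
POD_LEVEL_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def _containers(spec: dict) -> list:
    """All containers, init containers included, in a pod spec."""
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def risky_settings(manifest: dict) -> set:
    """Return the set of dangerous settings a pod manifest requests."""
    spec: dict[str, Any] = manifest.get("spec") or {}
    found = {flag for flag in POD_LEVEL_FLAGS if spec.get(flag) is True}
    # A hostPath volume mounts part of the node's filesystem into the pod.
    if any("hostPath" in vol for vol in spec.get("volumes") or []):
        found.add("hostPath")
    # privileged is set per container, not per pod.
    if any((c.get("securityContext") or {}).get("privileged") is True
           for c in _containers(spec)):
        found.add("privileged")
    return found


def classify(manifest: dict) -> str:
    """Label a manifest with the category used in the write-up."""
    found = risky_settings(manifest)
    if not found:
        return "none"
    if found == {"privileged", "hostPID"}:
        return "privileged and hostPID"
    if len(found) == 1:
        return f"{next(iter(found))} only"
    return "combination: " + ", ".join(sorted(found))


# Constructed sample manifests.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "priv-hostpid"},
           "spec": {"hostPID": True,
                    "containers": [{"name": "c", "image": "busybox",
                                    "securityContext": {"privileged": True}}]}}
HOSTPATH_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostpath"},
                "spec": {"containers": [{"name": "c", "image": "busybox"}],
                         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
SAFE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
            "spec": {"containers": [{"name": "c", "image": "busybox",
                                     "securityContext": {"privileged": False}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, HOSTPATH_POD, SAFE_POD):
        print(pod["metadata"]["name"], "->", classify(pod))
```

Every setting this function flags is also rejected by the Kubernetes Pod Security Standards "baseline" profile, so enforcing that profile via Pod Security Admission closes the same gap at the API server.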
Politics / Privacy
New campaign targeting security researchers
Google’s Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, likely a government-backed entity based in North Korea. They set up fake social media accounts and security research blogs to build trust, and then compromise targets via sharing a backdoored Visual Studio Project or just from visiting the threat actor’s blog (on a fully patched and up-to-date Windows 10 + Chrome browser). Yikes!
OSINT / Recon
An open source tool to automate the internal threat intelligence generation, inventory collection and compliance check from different AWS resources.
A @TomNomNom Recon Tools Primer
Great overview by Daniel Miessler of useful tools by Tom Hudson that follow the Unix philosophy of doing one thing well. See my summary of Daniel’s Mechanizing the Methodology talk for more details on the power of this approach.
gf - Easily grep for security-sensitive things
httprobe - Given a list of domains, finds the ones listening on web ports
unfurl - Easily break down URLs into discrete pieces (e.g. domain, path, URL parameters, etc.) for further processing
meg - Quickly checks a list of interesting paths across a set of domains
anew - Adds the contents of an input stream to the output, but only if it’s new
waybackurls - Finds archived URLs for a domain
Fauci steps up to the podium
In slow motion, with some hyped up entrance music. I couldn’t help but laugh.
Fraud Is No Fun Without Friends
H/T Jon Oberheide for sending me this link. Apparently the SEC has received 31% more tips alleging white-collar malfeasance this year, potentially due to remote work removing the office culture glue that might normalize bending the rules.
Separately, the article also makes the interesting argument that SEC rules that mandate more disclosure could have a positive impact on areas ranging from global warming and corporate diversity to political donations. I don’t have enough context to know if this is possible or a good idea, but it’s interesting.
I did not expect to see an InfoSec sea shanty from my friend Rachel Tobac, but I did, and it made my day 🤣
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!