[tl;dr sec] #69 - Cloud Security Table Top Exercises, Finding RCE in ExpressJS, InSpec for GKE
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
Hey there,
I hope you’ve been doing well!
This year’s Day of Shecurity will be held March 23rd, and they’re currently looking for speakers and sponsors.
This is a great event, check it out! 🙌
Looking Quaranstylish
If you’re like me, you may have slightly let yourself go during quarantine (#SweatPantsLyfe), as you’re not seeing many people in person, nor are you packed face to armpit in a luxurious BART carriage heading into the office.
But never fear, I’ve been scouring the Internet for novel grooming styles and fashion that will put the spring back in your step.
Are you agile, clever, strong for your size, and want to convey this via your facial hair? Well you’re in luck. I present you with: the monkey tail beard.
For more tips like these, smash that subscribe button and follow me on Insta and the TikTokz.
Giving Back
Thank you so much to everyone who took me up on my offer last week and shared tl;dr sec.
Your kind words blew me away 🙏
If you’d also like to donate to Feeding America’s Coronavirus Response Fund, you can do so here.
Sponsor
📢 Codify your cloud security with Bridgecrew
Bridgecrew embeds security directly into developer workflows. By leveraging automation and delivering security-as-code, Bridgecrew empowers teams to find, fix, and prevent misconfigurations in deployed cloud resources and in infrastructure as code without slowing them down. Streamline your infrastructure security from commit to cloud with Bridgecrew.
📜 In this newsletter...
🔗 Links:
AppSec: Tool that infers hash types, SecuriTEA & Crumpets on CodeQL, Java's problem with insecure defaults, detecting supply chain attacks with static and dynamic analysis
Web Security: Getting RCE in ExpressJS apps via Handlebars, CLI tool to parse HTML
Cloud Security: CloudSecDocs on Service Control Policies, GCP whitepaper on building a cloud-native data security program, cloud security table top exercises
Container Security: Check your GKE cluster against CIS using InSpec
Politics / Privacy: Chinese police database reveals them being (not really nice, but) what you'd expect, Facebook misinformation ads can target US military members, China's push to control Americans' health care future
Misc: When you should move on as a security leader, finding crypto bugs with Z3, a templating language that could make you fall in love on the first date
AppSec
HashPals/Name-That-Hash
Have you ever come across a hash such as 5f4dcc3b5aa765d61d8327deb882cf99 and wondered what type of hash that is? This neat tool by Brandon Skerritt and team will tell you, from most to least likely, so you can put it into HashCat or other tools.
SecuriTEA & Crumpets: Ep 1 - Mathew Payne - CodeQL
A new Twitch series by Lewis Arden in which he and guests get hands on with various security tools. In this episode, GitHub’s Matthew Payne discusses CodeQL. “SecuriTEA & Crumpets” is perhaps the best possible stream name for a British host (tips hat) 🤣
No, Java is not a Secure Programming Language
Scott Contini gives a number of examples of how Java’s insecure defaults (e.g. XML parsing, deserialization, XSS) and poor documentation (e.g. crypto) cause security issues, while .Net has consciously worked to avoid at least some of these mistakes. I’m a huge proponent of secure defaults, I think they’re one of the most powerful tools we have in our toolbelts as security professionals.
Detecting zero days in software supply chain with static and dynamic analysis
Ajin Abraham describes how one might detect previously unknown malicious dependencies using static analysis (Semgrep) and dynamic analysis (strace with --seccomp-bpf), with stealing environment variables as the example.
Web Security
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps
Excellent post by @0xCaptainFreak on how providing a layout parameter to ExpressJS apps using the Handlebars templating engine can lead to local file read or remote code execution. Great example of digging into the common frameworks people build on and finding subtle issues.
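The pattern behind that bug is render options built straight from request data. As an added example (mine, not code from the post, from Express or from Handlebars), here is an allow-list wrapper around the options a handler passes to res.render(); the handler, the reserved-option names and the sample request are assumptions for illustration:

```javascript
// Added example, not from the linked post: allow-listing the options an
// Express handler passes to res.render(), so request data cannot override
// view-engine options such as `layout`.
//
// Assumed vulnerable pattern (hypothetical app code):
//   app.get('/', (req, res) => res.render('home', req.query));
// With express-handlebars, `layout` in the options object selects the layout
// file, so a request parameter of that name can redirect rendering to another
// file on disk. The fix is to copy only the fields the view actually needs.

// Option names that belong to the view engine or Express, never to users.
// This set is an assumption based on common express-handlebars/Express options.
const RESERVED_RENDER_OPTIONS = new Set([
  'layout', 'partials', 'helpers', 'cache', 'settings', '_locals', 'view',
]);

// Build render options from untrusted input: only the named keys are copied,
// values are coerced to strings (query parsers can yield arrays/objects),
// and reserved names are rejected outright, even if a developer lists them.
function safeRenderOptions(untrusted, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (RESERVED_RENDER_OPTIONS.has(key)) {
      throw new Error(`render option "${key}" may not come from user input`);
    }
    // hasOwnProperty: never pick values up from the prototype chain
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) {
      out[key] = String(untrusted[key]);
    }
  }
  return out;
}

// Hardened handler (hypothetical): the query string cannot set `layout`
// because only `name` is ever copied into the render options.
function homeHandler(req, res) {
  res.render('home', safeRenderOptions(req.query, ['name']));
}

// Constructed request: the stray `layout` parameter is silently dropped.
const constructedQuery = { name: 'alice', layout: '../not-a-layout' };
console.log(safeRenderOptions(constructedQuery, ['name'])); // { name: 'alice' }
```

The point is that layout, like any view-engine option, is only honoured because it reached res.render(); copying named fields out of req.query (or req.body) instead of spreading the whole object means a stray layout parameter never gets that far, and the hard failure on reserved names catches a future allow-list mistake in review or tests rather than in production.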
ericchiang/pup
By Eric Chiang: A CLI tool for slicing and dicing HTML using CSS selectors, like jq allows for JSON.
Cloud Security
CloudsecDocs: AWS Service Control Policies (SCPs)
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
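To see what such policies actually do before attaching one to an OU, here is an added example (mine, not from CloudSecDocs or AWS): a constructed SCP with the three kinds of deny the page mentions, plus a small evaluator that reports which statement, if any, would block a given API call. It deliberately simplifies SCP semantics (only Deny statements, only the StringLike condition on aws:PrincipalArn, no NotAction/NotResource), and the action lists are illustrative, not a complete set:

```javascript
// Added example, not from CloudSecDocs: a constructed SCP and a minimal
// evaluator for it. Real SCP evaluation has more rules (NotAction, other
// condition operators, interaction with IAM policies); this covers only the
// Deny/StringLike subset used below, which is an assumption for illustration.

const EXAMPLE_SCP = {
  Version: '2012-10-17',
  Statement: [
    {
      // Block every API call made as the account root user.
      Sid: 'DenyRootUser',
      Effect: 'Deny',
      Action: '*',
      Resource: '*',
      Condition: { StringLike: { 'aws:PrincipalArn': 'arn:aws:iam::*:root' } },
    },
    {
      // Block the calls that would stop or alter CloudTrail logging (illustrative list).
      Sid: 'ProtectCloudTrail',
      Effect: 'Deny',
      Action: ['cloudtrail:StopLogging', 'cloudtrail:DeleteTrail', 'cloudtrail:UpdateTrail'],
      Resource: '*',
    },
    {
      // Block the calls that would disable GuardDuty (illustrative list).
      Sid: 'ProtectGuardDuty',
      Effect: 'Deny',
      Action: ['guardduty:DeleteDetector', 'guardduty:UpdateDetector',
               'guardduty:DisassociateFromMasterAccount'],
      Resource: '*',
    },
  ],
};

// IAM-style glob: '*' matches any run of characters, '?' exactly one.
// Action names are compared case-insensitively, as IAM does.
function globMatch(pattern, value, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

function asList(v) { return Array.isArray(v) ? v : [v]; }

// Returns the Sid of the first Deny statement matching the request, or null
// when the SCP does not block it (IAM policies may still deny it later).
// request = { action, resource, context: { 'aws:PrincipalArn': ... } }
function scpDenies(scp, request) {
  for (const stmt of scp.Statement) {
    if (stmt.Effect !== 'Deny') continue;
    const actionHit = asList(stmt.Action).some((p) => globMatch(p, request.action, true));
    const resourceHit = asList(stmt.Resource).some((p) => globMatch(p, request.resource, false));
    if (!actionHit || !resourceHit) continue;
    // Every StringLike key must match at least one of its patterns.
    const like = (stmt.Condition && stmt.Condition.StringLike) || {};
    const conditionHit = Object.entries(like).every(([key, patterns]) =>
      asList(patterns).some((p) => globMatch(p, String(request.context[key] || ''), false)));
    if (conditionHit) return stmt.Sid;
  }
  return null;
}

// Constructed requests to try against the policy.
const ROOT = { 'aws:PrincipalArn': 'arn:aws:iam::123456789012:root' };
const USER = { 'aws:PrincipalArn': 'arn:aws:iam::123456789012:user/alice' };
console.log(scpDenies(EXAMPLE_SCP, { action: 's3:ListAllMyBuckets', resource: '*', context: ROOT }));   // DenyRootUser
console.log(scpDenies(EXAMPLE_SCP, { action: 'cloudtrail:StopLogging', resource: '*', context: USER })); // ProtectCloudTrail
console.log(scpDenies(EXAMPLE_SCP, { action: 's3:ListAllMyBuckets', resource: '*', context: USER }));   // null
```

The two things to take away from running it are exactly the two properties the page highlights: a root-user deny matches on the principal rather than the action, so it catches everything root does, while the CloudTrail and GuardDuty statements match on the action regardless of who calls it, so even an administrator in a member account cannot switch logging off.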
Designing your data security program in a cloud-native way on Google Cloud
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
Cloud Security Table Top Exercises
A great list of scenarios to think through by Matt Fuller, including:
Malicious VPC peering request
Compromised Lambda Layers
Injected CloudFormation Templates
Broken CloudTrail Logs
and a bunch more
Container Security
Assess the security of Google Kubernetes Engine (GKE) with InSpec for GCP
Automatically assess GKE clusters against security controls recommended by CIS using this open source InSpec profile, by Bakh Inamov and Konrad Schieban.
Politics / Privacy
Surveillance of Uyghurs Detailed in Chinese Police Database
Massive, detailed post by The Intercept based on a police database they obtained that’s used by the Chinese government to facilitate police surveillance of citizens in Xinjiang.
(The database) sheds further light on a campaign of repression that has reportedly seen cameras installed in the homes of private citizens, the creation of mass detention camps, children forcibly separated from their families and placed in preschools with electric fences, the systematic destruction of Uyghur cemeteries, and a systematic campaign to suppress Uyghur births through forced abortion, sterilization, and birth control.
When Ayup lived in Xinjiang, he said, groups of 10 families were required to report somebody once a week in a feedback box, which existed before the app. “The problem is, if you cannot find something to write, you have to make it up to avoid being sent to the camps and to the center, so it’s obligatory. That’s the problem, but you cannot blame someone who reports because it’s his or her obligation,” he said.
Facebook Ad Services Let Anyone Target US Military Personnel
Facebook ads allow targeting various demographics, including US military. Given misinformation campaigns by foreign (and local) actors, this could have serious implications.
In the wake of the Capitol riots, for example, researchers at the Tech Transparency Project found that Facebook’s systems had shown ads for military equipment like body armor and gun holsters alongside updates on the insurrection and content that promoted election misinformation.
China’s push to control Americans’ health care future
Many senior U.S. government officials see China’s broad acquisition of American healthcare data (“legitimately” through donations and partnerships, as well as stealing it) as a potentially existential security threat. Having the most data provides a significant competitive advantage in medical advances.
Current estimates are that 80% of American adults have had all of their personally identifiable information stolen by the Communist Party of China.
“Do we wanna have another nation systematically eliminate our health care services? Are we okay with that as a nation? If we are, then so be it. But that’s what’s happening.”
What happens if we realize that all of our future drugs, our future vaccines, future health care are all completely dependent upon a foreign source? If we don’t wake up, we’ll realize one day we’ve just become health care crack addicts and someone like China has become our pusher.
Misc
Security Leadership: Moving On. How to Know When It’s Time To Go
Useful advice by Helen Patton on when it might be time to find your next role as a security leader, including:
When you’ve accomplished the org’s and/or your goals (e.g. building the right team)
You’ve maxed out your growth
To make way for the next generation
Your strengths are no longer needed (e.g. maybe you’re great at starting things but now they need someone operational-focused)
Software Verification and Analysis Using Z3
It’s Friday night, you have a full glass of Cabernet, and you want to treat yourself with some formal methods. Enter this article by my friend Gerald Doussot, about using the Z3 theorem prover to reason about the correctness of cryptographic software, protocols and otherwise, and to identify potential security vulnerabilities. The post covers:
Modeling an algorithm documented in an old version of the QUIC Transport protocol IETF draft
Modeling specific finite field arithmetic operations for elliptic curve cryptography
I see Z3 and other formal methods tools and approaches making their way into “mainstream” security work, for example, in symbolic execution or symbolic execution + fuzzing. I think this is an interesting space to watch, for both bug finding as well as building high assurance systems.
Jsonnet - The Data Templating Language
I never thought I’d be excited about a data templating language…but then I met Jsonnet, and it is straight up 🔥. H/T Yoann Padioleau
Re-use config across files
(Sane) Variables, conditionals, functions
Generate JSON, YAML, INI, & other formats
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint