[tl;dr sec] #69 - Cloud Security Table Top Exercises, Finding RCE in ExpressJS, InSpec for GKE
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
I hope you’ve been doing well!
This year’s Day of Shecurity will be held March 23rd, and they’re currently looking for speakers and sponsors.
This is a great event, check it out! 🙌
If you’re like me, you may have slightly let yourself go during quarantine (#SweatPantsLyfe), as you’re not seeing many people in person, nor are you packed face to armpit on a luxurious carriage BART heading in to the office.
But never fear, I’ve been scouring the Internet for novel grooming styles and fashion that will put the spring back in your step.
Are you agile, clever, strong for your size, and want to convey this via your facial hair? Well you’re in luck. I present you with: the monkey tail beard.
For more tips like these, smash that subscribe button and follow me on Insta and the TikTokz.
Thank you so much everyone who took me up on my offer last week and shared tl;dr sec.
Your kind words blew me away🙏
If you’d also like to donate to Feeding America’s Coronavirus Response Fund, you can do so here.
📢 Codify your cloud security with Bridgecrew
Bridgecrew embeds security directly into developer workflows. By leveraging automation and delivering security-as-code,
empowers teams to find, fix, and prevent misconfigurations in deployed cloud resources and in infrastructure as code without slowing them down. Streamline your infrastructure security from commit to cloud with Bridgecrew.
📜 In this newsletter...
AppSec: Tool that infers hash types, SecuriTEA & Crumpets on CodeQL, Java's problem with insecure defaults, detecting supply chain attacks with static and dynamic analysis
Web Security: Getting RCE in ExpressJS apps via Handlebars, CLI tool to parse HTML
Cloud Security: CloudSecDocs on Service Control Policies, GCP whitepaper on building a cloud-native data security program, cloud security table top exercises
Container Security: Check your GKE cluster against CIS using InSpec
Politics / Privacy: Chinese police database reveals them being really nice what you'd expect, Facebook misinformation ads can target US military members, China's push to control Americans' health care future
Misc: When you should move on as a security leader, finding crypto bugs with Z3, a templating language that could make you fall in love on the first date
Have you ever come across a hash such as
5f4dcc3b5aa765d61d8327deb882cf99 and wondered what type of hash that is? This neat tool by Brandon Skerritt and team will tell you, from most to least likely, so you can put it into HashCat or other tools.
SecuriTEA & Crumpets: Ep 1 - Mathew Payne - CodeQL
A new Twitch series by Lewis Arden in which he and guests get hands on with various security tools. In this episode, GitHub’s Matthew Payne discusses CodeQL. “SecuriTEA & Crumpets” is perhaps the best possible stream name for a British host tips hat 🤣
No, Java is not a Secure Programming Language
Scott Contini gives a number of examples of how Java’s insecure defaults (e.g. XML parsing, deserialization, XSS) and poor documentation (e.g. crypto) cause security issues, while .Net has consciously worked to avoid at least some of these mistakes. I’m a huge proponent of secure defaults, I think they’re one of the most powerful tools we have in our toolbelts as security professionals.
Detecting zero days in software supply chain with static and dynamic analysis
Ajin Abraham describes how one might detect previously unknown malicious dependencies using static analysis (Semgrep) and dynamic analysis (
--seccomp-bpf), with stealing environment variables as the example.
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps
Excellent post by @0xCaptainFreak on how providing a
layout parameter to ExpressJS apps using the Handlebars templating engine can lead to local file read or remote code execution. Great example of digging into the common frameworks people build on and finding subtle issues.
CloudsecDocs: AWS Service Control Policies (SCPs)
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
Designing your data security program in a cloud-native way on Google Cloud
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
Malicious VPC peering request
Compromised Lambda Layers
Injected CloudFormation Templates
Broken CloudTrail Logs
and a bunch more
Assess the security of Google Kubernetes Engine (GKE) with InSpec for GCP
Automatically assess GKE clusters against security controls recommended by CIS using this open source InSpec profile, by Bakh Inamov and Konrad Schieban.
Politics / Privacy
Surveillance of Uyghurs Detailed in Chinese Police Database
Massive, detailed post by The Intercept based on a police database they obtained that’s used by the Chinese government to facilitate police surveillance of citizens in Xinjiang.
Facebook Ad Services Let Anyone Target US Military Personnel
Facebook ads allow targeting various demographics, including US military. Given misinformation campaigns by foreign (and local) actors, this could have serious implications.
China’s push to control Americans’ health care future
Many senior U.S. government officials see China’s broad acquisition of American healthcare data (“legitimately” through donations and partnerships, as well as stealing it) as a potentially existential security threat. Having the most data provides a significant competitive advantage in medical advances.
Security Leadership: Moving On. How to Know When It’s Time To Go
Useful advice by Helen Patton on when it might be time to find your next role as a security leader, including:
When you’ve accomplished the org’s and/or your goals (e.g. building the right team)
You’ve maxed out your growth
To make way for the next generation
Your strengths are no longer needed (e.g. maybe you’re great at starting things but now they need someone operational-focused)
Software Verification and Analysis Using Z3
It’s Friday night, you have a full glass of Cabernet, and you want to treat yourself with some formal methods. Enter this article by my friend Gerald Doussot, about using the Z3 theorem prover to reason about the correctness of cryptographic software, protocols and otherwise, and to identify potential security vulnerabilities. The post covers:
Modeling an algorithm documented in an old version of the QUIC Transport protocol IETF draft
Modeling a specific finite field arithmetic operations for elliptic curve cryptography
I see Z3 and other formal methods tools and approaches making their way into “mainstream” security work, for example, in symbolic execution or symbolic execution + fuzzing. I think this is an interesting space to watch, for both bug finding as well as building high assurance systems.
Re-use config across files
(Sane) Variables, conditionals, functions
Generate JSON, YAML, INI, & other formats
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!