[tl;dr sec] #74 - Building Securely on AWS, Non-fungible Tokens, Deepfake tools

Hey there,

I hope you’ve been doing well!

If you’re curious, I wrote a few responses to questions re: my scaling security BSidesSF talk on Reddit, discussing new lessons learned in killing bug classes, visualizing security and dashboards, and new areas/themes on my radar.

Costly Mistakes

One of several reasons I’m glad my job title doesn’t have “cloud” in the name. (H/T Jon Hawes)

AppSec

Black Hat USA 2020 Videos Released
Lots of neat talks, including a number on machine learning and influence operations / “Hacking Public Opinion.”

YouTube: Netflix Security
Apparently the Netflix Security team has a YouTube channel of all of their talks. Thanks Astha Singhal for the heads up.

The state of Secrets Sprawl on GitHub
Report by GitGuardian, who scans 2.5M public commits a day, almost 1B public commits a year.

• Over 5K secrets detected daily, over 2M in 2020 (+20% compared to 2019).

• 85% of leaks occur on developers’ personal repos, 15% within public repos owned by organizations.

• Secret types: ~28% Google keys, ~16% development tools (Django, RapidAPI, Okta), 15% data storage (MySQL, Mongo, …), 12% other (CRM, crypto, identity provider, payments systems, monitoring), …

• GitGuardian has a mean time to detect of 4 seconds, developers have a 25 minute median time to react to the alert.

Semgrep implementation

rules:
- id: struct-missing-initialized-fields
  patterns:
    - pattern-either:
      - pattern: |
          foo{...}
    - pattern-not: |
        foo{bar:..., baz:..., zot:...}
  message: |
    struct foo initializer missing fields
  severity: ERROR

CodeQL implementation

/**
 * @kind problem
 * @problem.severity warning
 * @id go/missing-struct-init
 */

import go

from StructLit lit, Field f
where
  f = lit.getType().getField(_) and
  not exists(Write w |
        w.writesField(DataFlow::exprNode(lit).getASuccessor*(),
        f, _))
select lit,
  "This literal is missing an assignment to field $@.",
  f, f.getName()

Cloud Security

Compliance as Code
CloudSecDocs page by Marco Lancini covering a variety of tools and resources, including OPA, static analysis tools for Terraform, CloudFormation, Docker, and Kubernetes, and Pipeline / Supply Chain security.

Checkov updates

• Inline IaC scanning and fixes with the Checkov Visual Studio Code extension (requires a valid Bridgecrew API token to invoke real-time scans and fixes from Bridgecrew)

• You can now easily share organization-specific, custom Checkov checks you’ve written hosted in git repos using the --external-checks-git flag.

Essential security for everyone: Building a secure AWS foundation
Byron Pogson provides a nice overview of how small teams can build securely on AWS using the Well-Architected Framework. The post discusses security foundations, identity and access management, detection, infrastructure and data protection, and incident response.

AWS Well-Architected Labs
Documentation and code in the form of hands-on labs to help you learn, measure, and build using architectural best practices. One of the labs: Quest: Quick Steps to Security Success.

AWS Well-Architected Tool
Free tool available in the AWS Management console that helps you review the state of your workloads and compares them to the latest AWS architectural best practices. Define your workload and answer a set of questions regarding operational excellence, security, reliability, performance efficiency, and cost optimization. This tool then provides a plan on how to architect for the cloud using established best practices.

🤯 stepfn.dev
A site by Aidan Steele for rapidly iterating on AWS Step Function designs. Change a few characters, hit Cmd+Enter, see result ~300ms later. It’s intended to be like JSFiddle, but for AWS Step Functions, and you can create links for easy sharing and troubleshooting.

Container Security

Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
By NCC Group’s Cedric Halbronn: Like Qubes but for Windows. Wubes leverages the Windows Sandbox to spawn applications in isolation; that is, an attacker would need additional exploits, not just one in the target application, to compromise your host. Currently supports Firefox, but more programs can be added.

Helm 2nd Security Audit
Audit performed by Trail of Bits, which looked at the source code for the Helm client along with a threat model for the use of Helm. Two consultants, three person-weeks. Findings: 3 Medium, 7 Low, 3 Informational.

Blue Team

Deception Engineering: exploring the use of Windows Service Canaries against ransomware
By NCC Group’s Ollie Whitehouse (source code):

Red Team

How to extract Python source code from Py2App packed Mach-O Binaries
By Taha Karim: Mount the .dmg using hdiutil, find the Py2App packed file, binwalk, patch the target bytecode with the proper header using a tool like Hex Fiend, then decompyle3.

The Universal Loader for Go
By Symbol Crash: A Golang library that provides a consistent interface across all platforms for loading shared libraries from memory without using CGO. Linux, Windows, and OSX, including the new M1 Apple chip.

Non-fungible Tokens (NFTs)

Why NFTs are suddenly selling for millions of dollars
Nice overview by Zachary Crockett: What exactly is an NFT? What makes them so valuable? And what might the future hold for these digital assets? Personally, I don’t think NFTs make sense to purchase, but 🤷

NFTs are a dangerous trap
Marketing legend Seth Godin argues against NFTs because he feels a) they are a trap for creators (e.g. focusing on creating the feeling of scarcity and hustling people vs doing more great work) and b) that they require a vast amount of electricity, which is bad for the environment.

Deepfakes

A few deepfake creation and detection sites / tools have crossed my radar recently, so I’m listing a few for easy reference.

Given that a significant percent of the U.S. population already believes things without any proof and in the face of significant counterevidence (e.g. the election being “stolen,” QAnon), things don’t look great 😅

Creating:

Impressions.app
“Create high quality celebrity face swap videos right from your phone!”

Deepfake App
Deepfake as a Service, just upload your source and target videos.

Detecting:

Amber: fake video solved.
“Fingerprint videos & track provenance as it’s distributed. AI detection of malicious deepfakes sowing disinfo and deception.”

Sensity.ai
“Sensity collects detailed visual threat intelligence from hundreds of source across the open and dark web. We use deep learning to detect malicious visual media and reveal a comprehensive view of the risks associated with audio-visual content targeting individuals and companies.” You can upload your own image and video files, or submit URLs to be analyzed.

Truepic
“Truepic pioneered Controlled Capture technology, which allows anyone to take photos and videos whose origin, pixel contents, and metadata are verifiable. Using cutting-edge artificial intelligence, cryptography, and computer vision technologies, we are bolstering the value of authentic photos and videos, while leading the fight against deceptive ones.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint