[tl;dr sec] #74 - Building Securely on AWS, Non-fungible Tokens, Deepfake tools

AWS security for small teams & Well-Architected resources, NFT overview, tools for creating and detecting deepfakes.

Hey there,

I hope you’ve been doing well!

If you’re curious, I wrote a few responses to questions re: my scaling security BSidesSF talk on Reddit, discussing new lessons learned in killing bug classes, visualizing security and dashboards, and new areas/themes on my radar.

Costly Mistakes

One of several reasons I’m glad my job title doesn’t have “cloud” in the name. (H/T Jon Hawes)

The power of modern computing - by @tomgauld

More cartoons: https://t.co/M2o5ypJndu pic.twitter.com/p4rObJdLWb

— New Scientist (@newscientist) January 4, 2021

📜 In this newsletter...

🔗 Links:

  • AppSec: Black Hat USA videos released, Netflix Security's Youtube channel, study of secret detection on GitHub, enforcing Golang struct fields are properly initialized

  • Cloud Security: Compliance as Code resources, Checkov updates, building securely on AWS as a small team, AWS Well-Architected Labs and tool, JSFiddle but for AWS Step Functions

  • Container Security: Leverage Windows 10 Sandbox for arbitrary processes, Helm's 2nd security audit

  • Blue Team: Using Windows Service canaries against ransomware

  • Red Team: Extracting Python source code from Py2App packed Mach-O binaries, universal loader for Go

  • Non-fungible Tokens (NFTs): Overview, why they're a dangerous trap

  • Deepfakes: A number of sites/products for creating and detecting them

AppSec

Black Hat USA 2020 Videos Released
Lots of neat talks, including a number on machine learning and influence operations / “Hacking Public Opinion.”

YouTube: Netflix Security
Apparently the Netflix Security team has a YouTube channel of all of their talks. Thanks Astha Singhal for the heads up.

The state of Secrets Sprawl on GitHub
Report by GitGuardian, which scans 2.5M public commits a day, almost 1B public commits a year.

  • Over 5K secrets detected daily, over 2M in 2020 (+20% compared to 2019).

  • 85% of leaks occur on developers’ personal repos, 15% within public repos owned by organizations.

  • Secret types: ~28% Google keys, ~16% development tools (Django, RapidAPI, Okta), 15% data storage (MySQL, Mongo, …), 12% other (CRM, crypto, identity provider, payments systems, monitoring), …

  • GitGuardian has a mean time to detect of 4 seconds; developers have a 25-minute median time to react to the alert.

Today's experiment: write a tool to validate that all fields of a particular struct are set during initialization.

Spoilers: semgrep + reflect + unit tests

🧵#golang

— Damian Gryski (@dgryski) March 10, 2021

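rules:
- id: struct-missing-initialized-fields
  # Semgrep requires a languages key; the rule targets Go source.
  languages: [go]
  patterns:
    # Match any composite literal of type foo...
    - pattern-either:
      - pattern: |
          foo{...}
    # ...unless it assigns bar, baz and zot.
    - pattern-not: |
        foo{bar:..., baz:..., zot:...}
  message: |
    struct foo initializer missing fields
  severity: ERROR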


/**
 * @kind problem
 * @problem.severity warning
 * @id go/missing-struct-init
 */

import go

from StructLit lit, Field f
where
  f = lit.getType().getField(_) and
  not exists(Write w |
        w.writesField(DataFlow::exprNode(lit).getASuccessor*(),
        f, _))
select lit,
  "This literal is missing an assignment to field $@.",
  f, f.getName()
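
The tweet also names reflect and unit tests; the following is an added example of that runtime half, not code from the thread. The types `foo` and `limits` and the helper `UnsetFields` are hypothetical names chosen to match the rule above. It lists every field still at its zero value, including fields of nested structs, so a unit test can fail when a constructor forgets one.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed sample types, named after the foo/bar/baz/zot in the rule above.
type limits struct {
	MaxConns int
	Timeout  string
}

type foo struct {
	Bar string
	Baz []string
	Zot limits
}

// UnsetFields returns the dotted path of every field of v (a struct or
// pointer to one) that still holds its zero value, descending into nested
// structs. Reflection cannot tell "never set" from "explicitly set to zero".
func UnsetFields(v interface{}) []string {
	rv := reflect.ValueOf(v)
	for rv.Kind() == reflect.Ptr && !rv.IsNil() {
		rv = rv.Elem()
	}
	var out []string
	if rv.Kind() == reflect.Struct {
		walk(rv, "", &out)
	}
	return out
}

func walk(rv reflect.Value, prefix string, out *[]string) {
	for i := 0; i < rv.NumField(); i++ {
		f, name := rv.Field(i), prefix+rv.Type().Field(i).Name
		if f.Kind() == reflect.Struct {
			walk(f, name+".", out)
		} else if f.IsZero() {
			*out = append(*out, name)
		}
	}
}

func main() {
	// Baz and Zot.Timeout are left out of this literal.
	fmt.Println(UnsetFields(foo{Bar: "api", Zot: limits{MaxConns: 10}}))
}
```

Because a deliberate zero (for example `MaxConns: 0`) is reported as unset, this check suits security-relevant config structs where zero is never a valid setting; the static rules above catch omissions in the literal itself.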

Cloud Security

Compliance as Code
CloudSecDocs page by Marco Lancini covering a variety of tools and resources, including OPA, static analysis tools for Terraform, CloudFormation, Docker, and Kubernetes, and Pipeline / Supply Chain security.

Checkov updates

Essential security for everyone: Building a secure AWS foundation
Byron Pogson provides a nice overview of how small teams can build securely on AWS using the Well-Architected Framework. The post discusses security foundations, identity and access management, detection, infrastructure and data protection, and incident response.

AWS Well-Architected Labs
Documentation and code in the form of hands-on labs to help you learn, measure, and build using architectural best practices. One of the labs: Quest: Quick Steps to Security Success.

AWS Well-Architected Tool
Free tool available in the AWS Management console that helps you review the state of your workloads and compares them to the latest AWS architectural best practices. Define your workload and answer a set of questions regarding operational excellence, security, reliability, performance efficiency, and cost optimization. This tool then provides a plan on how to architect for the cloud using established best practices.

🤯 stepfn.dev
A site by Aidan Steele for rapidly iterating on AWS Step Function designs. Change a few characters, hit Cmd+Enter, see result ~300ms later. It’s intended to be like JSFiddle, but for AWS Step Functions, and you can create links for easy sharing and troubleshooting.

Container Security

Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
By NCC Group’s Cedric Halbronn: Like Qubes but for Windows. Wubes leverages the Windows Sandbox to spawn applications in isolation; that is, an attacker would need additional exploits, not just one in the target application, to compromise your host. Currently supports Firefox, but more programs can be added.

Helm 2nd Security Audit
Audit performed by Trail of Bits, which looked at the source code for the Helm client along with a threat model for the use of Helm. Two consultants, three person-weeks. Findings: 3 Medium, 7 Low, 3 Informational.

Blue Team

We prototyped a Windows Service Canary in order to target parts of the ransomware kill chain to minimize impact and overall success of operations. Multiple instances are installed masquerading as common Windows services that are targeted by threat actors prior to encryption. If multiple instances of these services are stopped then a Canary token is triggered and the host hibernated.

Red Team

How to extract Python source code from Py2App packed Mach-O Binaries
By Taha Karim: Mount the .dmg using hdiutil, find the Py2App packed file, binwalk, patch the target bytecode with the proper header using a tool like Hex Fiend, then decompyle3.

The Universal Loader for Go
By Symbol Crash: A Golang library that provides a consistent interface across all platforms for loading shared libraries from memory without using CGO. Linux, Windows, and OSX, including the new M1 Apple chip.

Non-fungible Tokens (NFTs)

Why NFTs are suddenly selling for millions of dollars
Nice overview by Zachary Crockett: What exactly is an NFT? What makes them so valuable? And what might the future hold for these digital assets? Personally, I don’t think NFTs make sense to purchase, but 🤷

NFTs are a dangerous trap
Marketing legend Seth Godin argues against NFTs because he feels a) they are a trap for creators (e.g. focusing on creating the feeling of scarcity and hustling people vs doing more great work) and b) that they require a vast amount of electricity, which is bad for the environment.

Deepfakes

A few deepfake creation and detection sites / tools have crossed my radar recently, so I’m listing a few for easy reference.

Given that a significant percent of the U.S. population already believes things without any proof and in the face of significant counterevidence (e.g. the election being “stolen,” QAnon), things don’t look great 😅

Creating:

Impressions.app
“Create high quality celebrity face swap videos right from your phone!”

Deepfake App
Deepfake as a Service, just upload your source and target videos.

Detecting:

Amber: fake video solved.
“Fingerprint videos & track provenance as it’s distributed. AI detection of malicious deepfakes sowing disinfo and deception.”

Sensity.ai
“Sensity collects detailed visual threat intelligence from hundreds of sources across the open and dark web. We use deep learning to detect malicious visual media and reveal a comprehensive view of the risks associated with audio-visual content targeting individuals and companies.” You can upload your own image and video files, or submit URLs to be analyzed.

Truepic
“Truepic pioneered Controlled Capture technology, which allows anyone to take photos and videos whose origin, pixel contents, and metadata are verifiable. Using cutting-edge artificial intelligence, cryptography, and computer vision technologies, we are bolstering the value of authentic photos and videos, while leading the fight against deceptive ones.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint