• tl;dr sec
  • Posts
  • [tl;dr sec] #75 - IAM Least Privilege at Speed, Spectre, and How to Beat a Grandmaster at Chess

[tl;dr sec] #75 - IAM Least Privilege at Speed, Spectre, and How to Beat a Grandmaster at Chess

How Netflix enables development velocity + security with ConsoleMe, Spectre PoC and proposed defenses, and why speed is a superpower.

Author

Clint Gibler
March 17, 2021

Hey there,

I hope you’ve been doing well!

DevSecCon announced the winners:

  • Most effective DevSecOps team: CNCF Sig-Security

  • Outstanding DevSecOps community: OWASP DevSlop

  • Inspiring DevSecOps individual: Tanya Janca

A big congrats to all these great people doing great work, keep it up! 🙌

With (Mediocre) Power Comes…

One fun thing about tl;dr sec is that periodically people share neat articles with me that I wouldn’t have otherwise seen, or share tools that haven’t been publicly released yet.

Like endgame, if you saw that kerfuffle. And there’s another tool in the works that I think will also cause a bit of splash. Keep an eye out 😎

Another thing I realized, is that tl;dr sec in the wrong hands could be used to spoil the twist in some movie or TV show for a pretty decent number of people.

I’m not the type to do that, but it was a random shower thought I had.

Sponsor

📢 Use SpiderFoot HX for broader attack surface visibility

An attack surface is made up of more than open ports and hostnames; you need a full spectrum of OSINT. If you already know this, then you've probably hit the next hurdle: automating collection and correlation of all that data. That's where SpiderFoot HX comes in. Built on top of the popular open source version, it automates your OSINT collection and gives you the tools to find the critical needle in the stack of needles. It's also cloud-hosted, so always online and ready to go. As a tl;dr sec subscriber, you'll receive a 10% discount on any annual subscription by using the coupon TLDRSEC.

One of the cool things about SpiderFoot is that it started as (and still is) an open source project by Steve Micallef and team. I’m a fan of open source projects with a commercial version with enterprise-y features.

That way, businesses can get their problems solved, the open source version can be actively supported, and the maintainers can earn a good living. Check it out!

📜 In this newsletter...

🔗 Links:

  • AppSec: GitHub App to up your PR approval policy game, overview of a lightweight threat modeling approach

  • Web Security: Middleware misconfigurations and potential exploits

  • Spectre: Spectre demo in your browser, RFC on protecting against it, Chrome extension to find potentially vulnerable resources

  • Cloud Security: Tool to balance IAM least privilege + development velocity, manage GCP secrets in your IDE, hackingthe.cloud, when to use Amazon Cognito

  • Container Security: OWASP Docker security cheat sheet, PoC scripts to demonstrate Kubernetes DoS conditions

  • Red Team: Bash script that automated data exfiltration over DNS

  • Politics / Privacy: T-Mobile is selling your data by default now. Shame!

  • Beating a grandmaster at chess: Moving quickly is a superpower

AppSec

palantir/policy-bot
A GitHub App for enforcing approval policies on pull requests that goes beyond what GitHub natively supports, including:

  • Require reviews from specific users, organizations, or teams

  • Apply rules based on the files, authors, or branches involved in a pull request

  • Combine multiple approval rules with and and or conditions

  • Automatically approve pull requests that meet specific conditions

Rapid Risk Assessments (RRA): a lightweight approach to measuring risks and modeling threats
~30min video by Julien Vehent in which he describes rapid risk assessments, a lightweight threat modeling approach that I think is quite practical and useful. (Mozilla docs).

Web Security

Middleware, middleware everywhere and lots of misconfigurations to fix
Detectify’s Frans Rosén, Mathias Karlsson, and Fredrik Almroth describe some interesting middleware misconfigurations and potential exploits that, if left unchecked, leaves your web applications vulnerable to attack. See also, common Nginx misconfigurations.

Spectre

🔥 Spectre Demo
“This site hosts a proof of concept for the Spectre vulnerability written in JavaScript.” Really cool demo, worth checking out. Blog post with more info. Great work by Google’s Artur Janc and Stephen Röttger.

Post-Spectre Web Development
W3C RFC by Google’s Mike West et al that does a nice job of laying out the threat model and concrete mitigations in different scenarios. Sidenote: if you’re interested in modern web and browser security features, this RFC references a number of useful topics and resources.

Spectroscope
Chrome extension by Lukas Weichselbaum et al that “identifies resources which are exempt from default protections enabled in Google Chrome (Cross-Origin Read Blocking, SameSite cookies) and which can be embedded cross-site. The results are added to Chrome’s DevTools “Spectroscope” panel and include security recommendations to help protect your resources from Spectre and other cross-site attacks.”

Cloud Security

Introducing Cloud Code Secret Manager Integration
You can now create and manage secrets stored in GCP’s Secret Manager right from your IDE (VS Code, IntelliJ, Cloud Shell Editor). Wow, this is some A+ developer UX work, well done.

hackingthe.cloud
“An encyclopedia of attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure,” by Nick Frichette. Currently covers general knowledge, enumeration, exploitation, avoiding detection, and post exploitation for AWS.

  • Pros: Very cost effective and plays nicely with AWS services.

  • Cons: Poorly documented and some of its features feel undercooked.

🔥 ConsoleMe: A Central Control Plane for AWS Permissions and Access
This is like the security engineering equivalent of a fancy schmancy wine you’d swirl around in your glass to make sure its properly aerated before enjoying (“Mmm, hints of least privilege with notes of cloud-native.”).

Super cool work by the Netflix cloud security team, including Curtis Castrapel, Patrick Sanders, and Hee Won Kim, on how Netflix balances IAM least privilege with development velocity. Snape kills Dumbledore. Travis McPeak and Will Bengston discussed ConsoleMe in their AppSec Cali 2019 talk (summary), and what I love about it is it improves security and developer productivity.

Highly recommended reading as inspiration for your internal security engineering efforts.

Container Security

OWASP Cheat Sheet Series: Docker Security
11 rules to follow, a list of static analysis tools, and a number of useful reference articles.

uchi-mata/dostainerBy Matthias Luft: Three scripts to demonstrate resource exhaustion from within a Kubernetes cluster, including allocating all remaining RAM, allocating all remaining disk space, and fork bombing.

Red Team

vp777/procrustes
By @_vepe: A bash script that automates the exfiltration of data over DNS. Useful when you have a blind command execution on a server where all outbound connections except DNS are blocked.

Politics / Privacy

T-Mobile to Step Up Ad Targeting of Cellphone Customers
So frustrating 🤬 “T-Mobile will automatically enroll its phone subscribers in an advertising program informed by their online activity, testing businesses’ appetite for information that other companies have restricted.” Thankfully Drew FitzGerald with some opt-out info. H/T Zack Whittaker.

From ConvertKit founder Nathan Barry’s newsletter:

“You could beat a grandmaster at chess if you could move twice every time he moved once.” — James Currier

How fast you move matters. In chess you don’t get to choose your own pace. But in business—especially creator focused businesses—you do.

There are about 50 working weeks in a year. If on Monday you say, “let’s decide next week” you just used up 2% of your year.

If you’re anything like me, you’ve got massive goals for the year. Every week counts.

At ConvertKit we’ve formed a new habit this year: when a teammate says, “I’ll have that for you next week” we ask, “could you get it for me tomorrow?”

Sometimes the answer is no: it actually takes a week. But more often we just say something like “next week” or “by the end of the week” because it sounds easy, but doesn’t promise too much. Then the task just goes at the bottom of the todo list.

If you’re building something you believe in don’t waste a day.

Make decisions, take decisive action. Don’t delay.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint