
[tl;dr sec] #80 - Celleb-fight me, Hardening CI Infrastructure, Secure Access to 100 AWS Accounts

Signal creator finds bugs in Cellebrite, recommendations on hardening CI, using Okta to secure access to AWS accounts at scale.

Hey there,

I hope you’ve been doing well!

…he doesn’t know 🤣

There was a pretty epic blog posted by Signal creator Moxie Marlinspike this week (see below), and it brought up a fond memory that I wanted to share.

A few DEF CONs ago I was sitting with my friend Kelly and Moxie in one of the talk rooms, and this young, super earnest, probably college student sat next to us.

“So, what do you guys do?” he asked.

“I’m a ProdSec engineer” - Kelly

“I’m a security consultant” - Clint

“I work on a messaging app” - Moxie, super casual-like.

The student proceeded to ignore Moxie, and asked Kelly and me a bunch of questions, while we gave each other the, “Wait, I guess he doesn’t know who Moxie is?!” eyes, and tried furiously, mostly successfully, not to giggle 🤣 🤣

It was like being at a wrap party and having some wide-eyed film student not know they just met Steven Spielberg.

I’m looking forward to in-person cons again, you never know who you’ll meet :)

I’m stoked to be joining my friends once more at 1pm EDT this Sunday, April 25th.

I’ll be walking through how to quickly start scanning every PR with Semgrep, how to leverage the massive existing registry of out-of-the-box rules, and how to write custom rules that are specific to your company (e.g. “this is how we do auth”).

And you’re in for a treat!

I’ve been creating a GitHub Learning Lab for the workshop: a step-by-step, automated, hands-on extravaganza. Imagine 🌈:

  • PRs automatically opening with instructions, with the next challenge arriving as you complete each step.

  • Writing and rolling out custom Semgrep rules to block new vulnerabilities trying to enter your code base through automatically created PRs.

  • And more!

(The workshop will be recorded and you can go through the Learning Lab async later.)

Sponsor

📢 Salesforce sends mass email recommending security evaluation of public sites and guest users

On Wednesday, April 14th, Salesforce sent an email to its customers recommending a security evaluation for all companies using public sites - often referred to as communities, customer portals, or partner portals. The goal of the email and suggested evaluations is to ensure access to sensitive, internal data is not unintentionally granted to unauthenticated guest users. In this brief video, AppOmni CTO Brian Soby offers additional detail on this issue, explains why it’s so common, and provides the steps needed to fix it.

📜 In this newsletter...

🔗 Links:

  • AppSec: Security Director on the power of secure guardrails

  • Mobile Security: Detailed write-up on serious WhatsApp bugs

  • Cloud Security: Threat matrix for storage services, secure access to 100 AWS accounts

  • Container Security: Running Vault in Kubernetes, Kubernetes security at every layer

  • Network Security: Tool to automatically grab and crack WPA-2 handshakes

  • Red Team: Native macOS implants for PoshC2, flexible standalone web server in Golang, breach and attack simulation tool

  • Politics / Privacy: Signal pwns Cellebrite, list of legal threats against security researchers

  • OSINT: Continuous recon using GitHub Actions

  • Hardware: Research CPU that kills classes of hardware vulns

  • Misc: Twitter wins because it has the fastest OODA loop, the perils of identifying so strongly with your company

  • Supply Chain: Hardening your CI infrastructure, Codecov compromised and a check to detect it

AppSec

Laksh Raghavan on secure guardrails
Laksh was the Director of AppSec and Innovation at PayPal, and is now the Head of Product, Platform, and Enterprise Security at LinkedIn, so he knows a thing or two about securing software at scale.

Don’t view XSS as a vulnerability that needs fixing - you’ll end up playing “whack-a-mole” till kingdom comes. Instead view “lack of context-aware automated output escaping” in all of your web application frameworks as the issue that needs fixing.

Same for SQLi, CSRF, etc.

Focusing on “secure by default” controls provides the best bang for the buck for any #AppSec program. The less and less “vulns” your developers have to know and worry about, the better!

Mobile Security

Remote exploitation of a man-in-the-disk vulnerability in WhatsApp
Quite the write-up by Census’ Chariton Karamitas on how a phishing attack can leak data from /sdcard and steal TLS secrets, and how a person-in-the-middle attack can lead to RCE on the victim device.

Cloud Security

Threat matrix for storage services
By Microsoft’s Ram Pliskin.

🔥 Secure access to 100 AWS accounts
Very cool work by Evan Johnson and team in which Segment deleted all employee AWS keys and instead gave them an equivalent least-privilege role they could access through Okta.

Key point: not only was this more secure, they also did the work to make this new flow a drop-in replacement, with similar ease of use to what was done before. That’s how you get secure processes adopted at scale.

Evan’s “Starting a Security Program at a Startup” AppSec Cali talk was also pretty great, see my detailed summary here.

Container Security

5 best practices to get to production readiness with Hashicorp Vault in Kubernetes
Expel’s David Montoya describes how to initialize and bootstrap a Vault server, run Vault in isolation, implement end-to-end encryption, ensure traffic is routed to the active server, and configure and manage it for tenants with Terraform.

Defend the Core: Kubernetes Security at Every Layer
Nice overview by Fastly’s Jimmy Mesta, covering best practices at the following layers: kernel, container, workload (pod), networking, nodes, and cluster components.

Network Security

redcode-labs/AirStrike
Automatically grab and crack WPA-2 handshakes with a distributed client-server architecture.

Red Team

PoshC2 - Introducing Native macOS Implants
Nettitude’s Kirk Hayes describes PoshC2 improvements, including a new JavaScript for Automation (JXA) implant type. JXA is a scripting language in macOS that is a peer to AppleScript.

nodauf/Swego
By @nodauf: A Swiss army knife web server in Golang, like Python’s SimpleHTTPServer but with many features, including running as a standalone binary, auto certificate generation for HTTPS, directory listing, private folders with basic authentication, downloading files or folders, etc.

guardicore/monkey
An open source breach and attack simulation tool by GuardiCore, in which a number of agents try to propagate across your network using various exploit techniques. (Overview article)

Politics / Privacy

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
“I was recently out for a walk when I saw a small package fall off a truck ahead of me.” Signal creator Moxie Marlinspike describes finding bugs in Cellebrite, calling into question the accuracy of evidence it collects. Also, future versions of Signal will periodically store “aesthetically pleasing files” in local app storage.

Research Threats: Legal Threats Against Security Researchers
An ongoing collection of legal threats made against Security Researchers: over-reactions, demands, and cease & desist letters against good faith research, by @disclose_io.

OSINT / Recon

projectdiscovery/pd-actions
Continuous recon and vulnerability assessment using GitHub Actions (free 2,000 minutes/month), by Project Discovery.

Hardware

Morpheus Turns a CPU Into a Rubik’s Cube to Defeat Hackers
Very cool work by University of Michigan professor Todd Austin et al., as part of a DARPA project aimed at developing processors that are inherently immune to whole classes of hardware vulnerabilities.

Morpheus makes the underlying implementation of the machine, the undefined semantics, change every few hundred milliseconds by encrypting pointers. This kills side channel attacks like Spectre and Meltdown as well as buffer overflows 🤯 Note: this only protects against low-level attacks, not app-level ones like XSS, SQL injection, etc.

Misc

How the Internet Ate Media
Thought piece by Erik Torenberg on the history of media and today.

One of my theories is that the internet offers a hyper-accelerated OODA loop, and Twitter is the fastest loop across the entire internet. As a result, Twitter has the ability to disrupt all other forms of reality perception. Which means what you see take off on Twitter will also take off (or influence) what you see elsewhere.

After Working at Google, I’ll Never Let Myself Love a Job Again
Companies have a responsibility to protect their employees from harassment. It’s disappointing to see a number of cases like this from Google over the past few years.

Supply Chain

Dino Dai Zovi on hardening CI infrastructure
I’ve also saved this thread here for easy future reference.

Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack
If breaching you is going to give an attacker access to many other companies, watch yo’ back. Also, it was interesting to see Chegg’s Kurt Boberg share a Semgrep rule that looks for potential Codecov indicators of compromise (IOCs).

It got me thinking: imagine a world where, within an hour of a breach notification, someone from the security community writes a quick Semgrep rule detecting it, publishes it to the public registry, and then that rule can immediately scan thousands of repos and alert security teams.

Like YARA but for source code IOCs at scale.

We’re not quite there yet, but I’d say the underlying capabilities are like 90% ready.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint