[tl;dr sec] #87 - Easy Temporary Cloud Access, Monopol-easy Money, AWS Account Boundaries can be Porous

Hey there,

I hope you’ve been doing well!

Be The Change You Wish to See

The world can be a bit tough out there sometimes, so I work hard to make tl;dr sec a place of positivity and warmth.

You never know what people are going through. But sometimes, the right words, at the right time, can make a world of difference.

So I’ll share an inspirational message from Mick:

Open Security Summit Workshop

I’ll be giving a free workshop next Thursday, June 17th, from 9am - 11am PDT.

We’ll discuss some best practices for rolling out continuous code scanning I’ve seen be effective across many companies, you’ll learn to write Semgrep rules from scratch, and I’ll show how to roll Semgrep out in CI in just a few minutes.

~10% slides, ~90% live demos and hands-on exercises.

I’ll also showcase some just released new Semgrep features that haven’t been discussed publicly yet. And I’ve got to say, they’re pretty 🔥.

Workshop details and Zoom link here.

Mobile Security

MobSF/mobsfscan
A static analysis tool by Ajin Abraham and Matthew Payne that can find insecure code patterns in Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. Uses MobSF static analysis rules and is powered by Semgrep.

optiv/mobile-nuclei-templates
Optiv’s Gaurang Bhatnagar and Matt Eidelberg created 40+ nuclei templates that use regexes to scan for secrets as well as interesting settings, configurations, or method calls in mobile apps.

Web Security

detectify/page-fetch
Tool by Detectify’s Tom Hudson that uses headless Chrome to fetch web pages and their loaded resources (JavaScript, CSS, images, XHR/fetch calls, etc.). It can also run arbitrary JavaScript on the pages and see the returned values.

TIL about chromedp, a Go package for driving browsers via the Chrome DevTools protocol without external dependencies. Noice!

What is a Prototype Pollution vulnerability and how does page-fetch help?
Tom Hudson gives an overview of prototype pollution and gives an example of how it can be detected with page-fetch.

AppSec

Introducing the Open Source Insights Project
Google has released deps.dev, a site that makes it easy to view the complete dependency graph of open source components, as well as their security vulnerabilities, licenses, recent releases, and more. Currently supports npm, Maven, Go modules, and Cargo. Interestingly, according to the FAQ, they do this via a custom implemented dependency analysis algorithm in Go (that is, they don’t use the existing package managers).

Steampipe | select * from cloud;
Super cool tool by Turbot: Use SQL to query across your cloud environment, Slack, GitHub, Kubernetes, Twitter, and many other resources, instead of writing separate one-off scripts or learning different tools and APIs. Nice!

turbot/steampipe-mod-zoom-compliance
By Turbot’s Nathan Wallace and David Boeke: Automated scanning of your Zoom account configuration against 100+ CIS Zoom security benchmark controls. (TIL there’s a CIS benchmark for Zoom 🤷)

The README also links to Steampipe compliance scanning mods for AWS CIS & PCI, Azure CIS, GCP CIS, and GitHub best practices.

Cloud Security

Integrating Okta with AWS Single Sign-On in an AWS Control Tower environment
AWS’ Chris Pates, Jose Olcese, and Nam Le show “how to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider so that you can manage users, entitlements, accounts, and roles in Okta.”

AWS Accounts as Security Boundaries — 97+ Ways Data Can be Shared Across Accounts
Epic post by Matt Fuller. This post explores the many access practices, features, and misconfigurations that can quickly turn an isolated AWS account into a porous attack surface. He breaks risks down into three main categories: poor isolation practices, risks from external attackers leveraging misconfigurations, and supported cross-account resource sharing.

rpetrich/patrolaroid
Kelly Shortridge and Ryan Petrich built a malware scanner for AWS instances that doesn’t “yeet around your prod.” Patrolaroid snapshots AWS instances and buckets to uncover malware, backdoors, cryptominers, toolkits, and other attacker tomfoolery. Unlike other security tools that require running an agent or code in prod, Patrolaroid only needs read-only access to cloud assets.

🔥 Access Service: Temporary Access to the Cloud
Segment’s David Scrobonia and Andy Li describe a super neat internal tool they built (nice overview tweet thread by David). This is an excellent example of thoughtfully creating security tooling that both increases engineering speed/agility and security, highly recommend reading.

• Devs can peer review cloud access requests.

  • Don’t block on the security team, dev teams generally know better what access is needed.

• Access is automatically revoked after the specified time period - no more lingering exposure.

• Access that isn’t used is removed.

• 90% reduction in privileged access!

You can also hear Andy talk about Access Service on SecuriTEA & Crumpets #8.

Container Security

Reverse Engineering a Docker Image
If you find yourself having to maintain a Docker image without the original source code, Simon Arneaud walks through how to tease it apart, using mostly just tar and reviewing JSON files.

madhuakula/kubernetes-goat
A purposefully vulnerable Kubernetes cluster with ~20 hands-on scenarios, updated by Madhu Akula for his upcoming Black Hat USA 2021 training. There’s also a nice walkthrough guide.

Ensure Content Trust on Kubernetes using Notary and Open Policy Agent
Detailed guide by Maximilian Siegert, including how to define the validating admission controls to enforce content trust, and how to define the mutating admission webhook to automate content trust.

Blue Team

CISA Releases Best Practices for Mapping to MITRE ATT&CK®
“As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework.”

Making Money Monopol-easy

Ohio sues Google, seeks to declare the search engine a public utility

The creator economy is running into the Apple Tax — this startup is fighting back
Verge article 👆 Thread with details by Fanhouse co-founder Jasmine Rice:

Amazon Prime Is an Economy-Distorting Lie
Amazon has effectively pushed shipping costs onto third party sellers, which has caused them to raise prices.

Meanwhile, Microsoft be playing it cool like:

Misc

M3 Day: The One-Day Vacation We All Need
Remediant co-founder Paul Lanzi describes a policy they enacted after realizing that people weren’t taking vacation time during the pandemic. Monthly Mental Health Day (M3) gives employees one day a month to take off and do whatever they want to recharge. This provides regular time to relax but isn’t so much time it’s disruptive to the business, is mandatory (so people actually take the time), and by calling it by its proper name, “mental health,” it helps to destigmatize discussions about mental health in general.

What happens to your cryptocurrency when you die?
By The Hustle’s Zachary Crockett: Cryptocurrency investors are beginning to think about the afterlife of their digital assets — and a burgeoning industry awaits them.

Cool Tools

Language Learning with Netflix
A Chrome extension for learning a new language as you watch. It shows you two sets of subtitles at the same time (your native one and the language you’re learning) and has a pop-up dictionary where you can hover over words to learn more.

Mastershot: a web-based video editor
Easily trim videos, combine multiple clips, add audio, images, or text, extract audio, and more. Free and supposedly does all of the video processing within your browser. Sounds great, maybe too great? 🤔

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint