• tl;dr sec
  • Posts
  • [tl;dr sec] #87 - Easy Temporary Cloud Access, Monopol-easy Money, AWS Account Boundaries can be Porous

[tl;dr sec] #87 - Easy Temporary Cloud Access, Monopol-easy Money, AWS Account Boundaries can be Porous

Empowering developers' cloud access while improving security, big tech throwing their weight around, 97+ ways data can be shared across AWS accounts.

Hey there,

I hope you’ve been doing well!

Be The Change You Wish to See

The world can be a bit tough out there sometimes, so I work hard to make tl;dr sec a place of positivity and warmth.

You never know what people are going through. But sometimes, the right words, at the right time, can make a world of difference.

So I’ll share an inspirational message from Mick:

Open Security Summit Workshop

I’ll be giving a free workshop next Thursday, June 17th, from 9am - 11am PDT.

We’ll discuss some best practices for rolling out continuous code scanning I’ve seen be effective across many companies, you’ll learn to write Semgrep rules from scratch, and I’ll show how to roll Semgrep out in CI in just a few minutes.

~10% slides, ~90% live demos and hands-on exercises.

I’ll also showcase some just released new Semgrep features that haven’t been discussed publicly yet. And I’ve got to say, they’re pretty 🔥.

Sponsor

📢 Now Available: Security scans for Google Workspace, Zoom

You asked, we listened.

Google Workspace and Zoom security scans, now available on Vectrix.io.

With Vectrix, scan and monitor AWS, GitHub, Google Workspace, and Zoom for security configuration issues leaving you at risk. Get an instant overview of your issues by simply choosing your scans, connecting your tools, and clicking ‘run scan’.

Get started for free, no credit card required!

📜 In this newsletter...

  • Mobile Security: Static analysis tools for mobile apps powered by Semgrep or nuclei

  • Web Security: Tool to fetch web pages with a headless browser and run arbitrary JavaScript on them, using that tool to find prototype pollution

  • AppSec: View open source dependency graphs, query cloud and other things via SQL, scan your Zoom config against CIS

  • Cloud Security: Okta + AWS SSO in an AWS Control Tower environment, AWS accounts can be porous boundaries, malware scanner for AWS instances, tool that enables easy temporary cloud access

  • Container Security: Reverse engineering a Docker image, Kubernetes Goat, ensuring content trust on Kubernetes

  • Blue Team: CISA best practices for mapping to MITRE ATT&CK

  • Making Money Monopol-easy: Ohio sues Google and wants to declare it a public utility, more rent-seeking by Apple's App Store, Amazon's free Prime shipping is just pushing costs onto third party sellers

  • Misc: A monthly one-day vacation policy, what happens to your cryptocurrency when you die

  • Cool Tools: Learn a new language as you watch Netflix, a free web-based video editor

Mobile Security

MobSF/mobsfscan
A static analysis tool by Ajin Abraham and Matthew Payne that can find insecure code patterns in Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. Uses MobSF static analysis rules and is powered by Semgrep.

optiv/mobile-nuclei-templates
Optiv’s Gaurang Bhatnagar and Matt Eidelberg created 40+ nuclei templates that use regexes to scan for secrets as well as interesting settings, configurations, or method calls in mobile apps.

Web Security

detectify/page-fetch
Tool by Detectify’s Tom Hudson that uses headless Chrome to fetch web pages and their loaded resources (JavaScript, CSS, images, XHR/fetch calls, etc.). It can also run arbitrary JavaScript on the pages and see the returned values.

TIL about chromedp, a Go package for driving browsers via the Chrome DevTools protocol without external dependencies. Noice!

What is a Prototype Pollution vulnerability and how does page-fetch help?
Tom Hudson gives an overview of prototype pollution and gives an example of how it can be detected with page-fetch.

AppSec

Introducing the Open Source Insights Project
Google has released deps.dev, a site that makes it easy to view the complete dependency graph of open source components, as well as their security vulnerabilities, licenses, recent releases, and more. Currently supports npm, Maven, Go modules, and Cargo. Interestingly, according to the FAQ, they do this via a custom implemented dependency analysis algorithm in Go (that is, they don’t use the existing package managers).

Steampipe | select * from cloud;
Super cool tool by Turbot: Use SQL to query across your cloud environment, Slack, GitHub, Kubernetes, Twitter, and many other resources, instead of writing separate one-off scripts or learning different tools and APIs. Nice!

turbot/steampipe-mod-zoom-compliance
By Turbot’s Nathan Wallace and David Boeke: Automated scanning of your Zoom account configuration against 100+ CIS Zoom security benchmark controls. (TIL there’s a CIS benchmark for Zoom 🤷)

The README also links to Steampipe compliance scanning mods for AWS CIS & PCI, Azure CIS, GCP CIS, and GitHub best practices.

Cloud Security

Integrating Okta with AWS Single Sign-On in an AWS Control Tower environment
AWS’ Chris Pates, Jose Olcese, and Nam Le show “how to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider so that you can manage users, entitlements, accounts, and roles in Okta.”

AWS Accounts as Security Boundaries — 97+ Ways Data Can be Shared Across Accounts
Epic post by Matt Fuller. This post explores the many access practices, features, and misconfigurations that can quickly turn an isolated AWS account into a porous attack surface. He breaks risks down into three main categories: poor isolation practices, risks from external attackers leveraging misconfigurations, and supported cross-account resource sharing.

rpetrich/patrolaroid
Kelly Shortridge and Ryan Petrich built a malware scanner for AWS instances that doesn’t “yeet around your prod.” Patrolaroid snapshots AWS instances and buckets to uncover malware, backdoors, cryptominers, toolkits, and other attacker tomfoolery. Unlike other security tools that require running an agent or code in prod, Patrolaroid only needs read-only access to cloud assets.

🔥 Access Service: Temporary Access to the Cloud
Segment’s David Scrobonia and Andy Li describe a super neat internal tool they built (nice overview tweet thread by David). This is an excellent example of thoughtfully creating security tooling that both increases engineering speed/agility and security, highly recommend reading.

  • Devs can peer review cloud access requests.

    • Don’t block on the security team, dev teams generally know better what access is needed.

  • Access is automatically revoked after the specified time period - no more lingering exposure.

  • Access that isn’t used is removed.

  • 90% reduction in privileged access!

You can also hear Andy talk about Access Service on SecuriTEA & Crumpets #8.

Container Security

Reverse Engineering a Docker Image
If you find yourself having to maintain a Docker image without the original source code, Simon Arneaud walks through how to tease it apart, using mostly just tar and reviewing JSON files.

madhuakula/kubernetes-goat
A purposefully vulnerable Kubernetes cluster with ~20 hands-on scenarios, updated by Madhu Akula for his upcoming Black Hat USA 2021 training. There’s also a nice walkthrough guide.

Ensure Content Trust on Kubernetes using Notary and Open Policy Agent
Detailed guide by Maximilian Siegert, including how to define the validating admission controls to enforce content trust, and how to define the mutating admission webhook to automate content trust.

OPA image verification process

Kube API Lifecycle with OPA

Blue Team

CISA Releases Best Practices for Mapping to MITRE ATT&CK®
“As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework.”

Making Money Monopol-easy

“Google uses its dominance of internet search to steer Ohioans to Google’s own products – that’s discriminatory and anti-competitive,” Yost said in a statement. “When you own the railroad or the electric company or the cellphone tower, you have to treat everyone the same and give everybody access.”

The creator economy is running into the Apple Tax — this startup is fighting back
Verge article 👆 Thread with details by Fanhouse co-founder Jasmine Rice:

In writing and over the phone, we explained to Apple that we could pay them 30% of our revenues (from our 10% take rate). It’ll be harder to cover costs and build features as a startup, but at least it’d be coming from us. Apple insisted on taking 30% of creators’ total earnings.

I was the first creator on Fanhouse. I grew up on food stamps, my family has over six figures of debt, and we live paycheck to paycheck. I single-handedly provide for my family, and I rely on my Fanhouse as a crucial revenue source to do so.

To date, I’ve made over $20k as a Fanhouse creator. 30% of that is $6,000. That’s months of rent. That’s my mom’s medical bills. That’s my brother’s tuition. When Apple insists on taking 30% of all transactions, they’re taking it from the pockets of people who need it the most.

Amazon Prime Is an Economy-Distorting Lie
Amazon has effectively pushed shipping costs onto third party sellers, which has caused them to raise prices.

Amazon spent $37.9 billion on shipping costs in 2019, and much more in 2020. No matter how amazing your logistics operation, you can’t just offer free shipping to customers without having someone pay for it.

Seller fees now account for 21% of Amazon’s total corporate revenue.

Amazon uses its Buy Box algorithm to make sure that sellers can’t sell through a different store or even through their own site with a lower price and access Amazon customers, even if they would be able to sell it more cheaply. If they do, they get cut off from the Buy Box, and thus, cut off de facto from being able to sell on Amazon.

Meanwhile, Microsoft be playing it cool like:

Misc

M3 Day: The One-Day Vacation We All Need
Remediant co-founder Paul Lanzi describes a policy they enacted after realizing that people weren’t taking vacation time during the pandemic. Monthly Mental Health Day (M3) gives employees one day a month to take off and do whatever they want to recharge. This provides regular time to relax but isn’t so much time it’s disruptive to the business, is mandatory (so people actually take the time), and by calling it by its proper name, “mental health,” it helps to destigmatize discussions about mental health in general.

What happens to your cryptocurrency when you die?
By The Hustle’s Zachary Crockett: Cryptocurrency investors are beginning to think about the afterlife of their digital assets — and a burgeoning industry awaits them.

Cool Tools

Language Learning with Netflix
A Chrome extension for learning a new language as you watch. It shows you two sets of subtitles at the same time (your native one and the language you’re learning) and has a pop-up dictionary where you can hover over words to learn more.

Mastershot: a web-based video editor
Easily trim videos, combine multiple clips, add audio, images, or text, extract audio, and more. Free and supposedly does all of the video processing within your browser. Sounds great, maybe too great? 🤔

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint