- tl;dr sec
- Posts
- [tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
[tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
Securing AWS EKS and lessons from a k8s security report, inside the ransomware economy, and building fine-grained authorization that works at scale.
Clint Gibler
July 14, 2021
Hey there,
I hope you’ve been doing well!
Programming or security themed parodies can be hit or miss, but this parody of Aladdin’s “A Whole New World” is 👌
Thanks Malware Unicorn for sharing!
I’m tempted to include some lines, but I don’t want to spoil it, so here’s a taste:
Speaking Stuff
I’ve had the privilege of chatting with some awesome people recently.
I joined Lewis Ardern on one of the best named British Bake Off security podcasts, SecuriTEA & Crumpets. See this video for the Semgrep demo portion with minute markers, and the beginning of the full video for how I got into improv comedy, the origin of tl;dr sec and some lessons learned growing it, career thoughts, and more.
I also chatted with John Kinsella and Adrian Sanabria on Application Security Weekly #156 on scaling security programs via secure defaults, how modern AppSec teams work with their engineering counterparts 🤝, and other good stuff.
Sponsor
📢 Live Workshop: Cloud DevSecOps with Terraform and Bridgecrew
Gain hands-on experience implementing an automated Terraform security workflow from code to cloud. Don’t miss the
with Bridgecrew and HashiCorp on July 29th! You’ll leverage infrastructure as code and your favorite dev tools to find, fix, and prevent misconfigs and cloud drift.
📜 In this newsletter...
AppSec: Massive list of resources, Orange Tsai's CTF exercises, web app decision tree generator, finding oversharing in Salesforce, guide to determine if you should run a bug bounty
Authorization: Carta's highly scalable permissions system inspired by Google's Zanzibar, code patterns for API authz, layering authz into an existing web app
Cloud Security: Getting partial AWS account IDs for any Cloudfront website, defending against DNS exfiltration in AWS, building an attribute-based access control strategy with AWS SSO and Okta
Container Security: AWS Lambda deep dive, two resources on hardening AWS EKS, Red Hat State of Kubernetes Security Report 2021
Ransomware: Inside the ransomware economy, site tracking ransomware profits, political methods to stop ransomware
Politics / Privacy: Iran's government planned kidnapping in the U.S.
OSINT: Find profiles across 350 sites by username
Misc: Drama inside Blizzard
AppSec
The Book of Secret Knowledge
Massive collection by Michał Ży of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools, and more.
orangetw/My-CTF-Web-Challenges
A repository of the CTF challenges Orange Tsai’s created, including the source code, write-up and explanation.
Deciduous: A Security Decision Tree Generator
Ryan Petrich and Kelly Shortridge describe a web app they’ve released (source) that lets you focus on attacker actions, potential mitigations, and how attackers will respond, and Deciduous will dynamically generate an organized and styled graph.
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
NCC Group’s Jerome Smith has released raccoon, an open source tool to identify potential misconfigurations that could expose sensitive data within Salesforce. It establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings.
Is a Bug Bounty Program Right for You?
Chapter 2 from the Bug Bounty Community of Interest is probably one of the most detailed, practical guides about real world concerns and best practices of running a bug bounty program at your company. Factors to consider, vulnerability management details, leadership buy-in, communications, internal processes, operationalizing, and more.
Great work by Sean Poris, Johnathan Kuskos, Joshua Dembling, Katie Trimble-Noble, Deana Shick, and Christopher Robinson.
AuthZ: Carta’s highly scalable permissions system
Carta’s Aaron Tainter describes how they went from JWT-based authorization, decided against OPA, to building their own system inspired by Google’s Zanzibar. Great example of building an MVP and iterating quickly based on internal customer feedback (your engineering colleagues).
The HN discussion contains some interesting anecdotes from other companies and links to a number of open source and commercial authz tool options.
Code Patterns for API Authorization: Designing for Security
NCC Group’s Tanner Prynn describes four different common patterns when implementing authorization for web apps and APIs, and compares their security trade-offs: ad hoc, route-based, centralized, and object-based.
I saw many different authorization schemes as a security consultant, including many legacy ones that companies were struggling with or revamping after it was making new development painful. This is tough to do well, and I appreciated seeing this overview of different approaches in one place.
Layering authorization into a web application
Gusto’s Flora Jin discusses introducing granular authorization into their app and API (2019). They used the CanCanCan authorization gem, and their authorization specification (in a separate file) looks like:
subject(Payroll, company_id: params(:company_id)) do
can [:read], with: Permissions::READ_PAYROLLS
can [:create, :update, :destroy], with: Permissions::MANAGE_PAYROLLS
end
# Route annotation
authorize :read, resource
# raises 401 if you don’t have access to the resourceCloud Security
Getting Partial AWS Account IDs for any Cloudfront Website
Chime’s Arkadiy Tetelman describes how using a new Cloudfront API and a crypto trick.
If we want to find the partial AWS account ID for some domain, we can fetch the real public certificate for that domain, generate a random private key, and update the precomputed public key parameters on our private key to be the same as the public key on the certificate we want to impersonate. ACM has a bug in that it does not validate the private key truly corresponds to the public key - it only checks the precomputed values on the private key, which are under our control.
How to defend against DNS exfiltration in AWS?
By SoftServe’s Pawel Rzepa.
• VPCs by default use the Amazon-provided DNS which can be used to bypass some network-level protection mechanisms (e.g. NACLs or SGs) or monitoring (e.g. VPC Flow Logs)
• Recently a new service has been released: the Route 53 Resolver DNS Firewall which allows for blocking and monitoring DNS queries to Amazon DNS.
• GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
By AWS’ Louay Shaat: “This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources.”
Container Security
Behind the scenes, AWS Lambda
Deep dive by Bruno Schaatsbergen on how Lambda and load balancing/scaling works under the hood. H/T Caleb Sima.
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
Snyk’s Kamil Potrec provides a nice overview of how to harden default AWS EKS settings: authentication/authorization, restricting access to the Kubernetes API and the instance metadata service, and enabling logging.
Guide to Designing EKS Clusters for Better Security
Excellently detailed guide by StackRox’s Karen Bruner including: VPC layout, dedicated IAM role for cluster creation, managed vs self-managed node groups, controlling SSH access, EC2 Security Groups for nodes, and more.
Red Hat: State of Kubernetes Security Report 2021
A few of the things that stuck out to me:
94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months (Kubernetes, so easy to use! 😂).
88% of respondents use Kubernetes as their container orchestrator, with 74% in production.
Six different open source security tools are used by at least 20% of respondents, with KubeLinter and OPA as the top two.
Ransomware
Ming Zhao: Inside the Ransomware Economy
Fascinating thread, highly recommend reading.
This crowdsourced payments tracker wants to solve the ransomware visibility problem
Krebs Stamos Group’s Jack Cable has built Ransomwhe.re, a site keeps a running tally of ransoms paid out to cybercriminals in Bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain and self-reported incidents. Filter by time, ransomware group, and more.
If Moscow wanted to stop Russia’s cybercriminals from hacking American targets, experts say, it would. That is why, some Russia experts argue, the United States needs take aim at Russia’s kleptocracy, either by leaking details of Mr. Putin’s financials or by freezing oligarchs’ bank accounts.
“The only language that Putin understands is power, and his power is his money,” said Garry Kasparov, the Russian chess grandmaster and a Putin critic. “It’s not about tanks; it’s about banks. The U.S. should wipe out oligarchs’ accounts, one by one, until the message is delivered.”
Politics
OSINT
thewhiteh4t/nexfil
By @thewhiteh4t: A tool written in Python for finding profiles by username. Provided usernames are checked on over 350 websites within a few seconds.
Misc
Insider leak on the current happenings inside Blizzard
StarCraft and Warcraft brought me countless of hours of joy (and swearing) with my friends growing up. Sounds like Blizzard has been having trouble.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint