
[tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain

Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusion.

Hey there,

I hope you’ve been doing well!

InfoSec 😍 Musicals

It’s not often I get to do this, so I’m going to savor it.

If you’ve been reading tl;dr sec long, you know that I’m one of the (at least!) five people in security who also love musicals.

Do I have tattoos of my favorite lyrics? Not yet, my mom doesn’t approve of tattoos, and she reads this newsletter. One day.

But I loved Tricia’s parody of Dr. Horrible’s “On the Rise” duet, juxtaposing someone starting in security and then a year later.

See also tl;dr sec 86 for Rachel Tobac’s infosec sea shanty.

If you know of any other security + musical or song content, please let me know!

Exeunt stage right, jazz hands a-flourishin’

Sponsor

📢 Integrating Faraday into the software development process.

Usually, software companies treat security as an afterthought, something added once the product is already fully operational. What if you could automate your security process and reach time-to-market securely instead of fixing things live, no matter which technology you use?

Well, we are going to explain with simple steps how to integrate our Faraday Platform in your software development process. Whether you use Github, Jenkins, Travis or Gitlab.

Plus be the first one to experience our newest version releasing in a few days.

📜 In this newsletter...

  • AppSec: Awesome OPA

  • Web Security: sqlmap but for server-side template injection and code injection, testing authentication flows

  • Cloud Security: Prevent SSRF in AWS via enforcing IMDSv2, how to secure an inherited AWS account, S3 backups and other strategies to survive ransomware attacks

  • Container Security: Kubernetes hardening advice from NSA and CISA

  • Blue Team: Account takeover checklist

  • Red Team: TLS traffic inspection via dynamic instrumentation, what you can do with a stolen full disk encrypted laptop, tunneling/pivoting tool that uses TUN, statically linked SSH server with a reverse connection feature

  • COVID-19: Tool to search for the latest info by geo, more info on the Delta variant

  • Crypto: Study of vulnerabilities in cryptographic libraries

  • Supply Chain: Find malicious dependencies with Falco, how Twilio addressed dependency confusion

  • Machine Learning: Microsoft competition to test evasion of AI-based malware and phishing detectors, Twitter's algorithmic bias bounty

  • Misc: Dubai is using laser-beam-shooting drones to shock rain out of the sky

AppSec

anderseknert/awesome-opa
A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles by Anders Eknert et al.

Web Security

epinna/tplmap
By Emilio Pinna: Like sqlmap but for Server-Side Template Injection and Code Injection. Tplmap supports over 15 template engines and contains a number of sandbox escape techniques to get access to the underlying operating system.

DigeeX/raider
A framework designed to test authentication for web applications by DigeeX. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don’t provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication.

Raider treats authentication as a finite state machine. Each authentication step is a different state, with its own inputs and outputs, which can be cookies, headers, CSRF tokens, or other pieces of information. The testing can be arbitrarily flexible, using a Lisp-like configuration language.
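To make the state-machine idea concrete, here is an added example (not Raider's code) that models a login, MFA and session flow as a list of states sharing one context, then tests the flow by skipping a state and by dropping the CSRF token a state is supposed to carry forward. The target app, the user `alice`, her password and the MFA code are all constructed stand-ins.

```python
import secrets
from typing import Callable, Dict, List, Tuple

class ToyAuthApp:
    """Constructed in-memory login -> MFA -> session flow standing in for a real web app."""
    def __init__(self):
        self.sessions: Dict[str, dict] = {}
    def get_login(self) -> dict:               # state 1 outputs: session cookie + CSRF token
        sid, csrf = secrets.token_hex(8), secrets.token_hex(8)
        self.sessions[sid] = {"csrf": csrf, "pw_ok": False, "mfa_ok": False}
        return {"sid": sid, "csrf": csrf}
    def post_login(self, sid, csrf, user, pw) -> int:
        s = self.sessions.get(sid)
        if not s or csrf != s["csrf"]:         # the CSRF token must round-trip from the login page
            return 403
        s["pw_ok"] = (user, pw) == ("alice", "correct horse")
        return 200 if s["pw_ok"] else 401
    def post_mfa(self, sid, code) -> int:
        s = self.sessions.get(sid)
        if not s or not s["pw_ok"]:            # MFA is only reachable after a good password
            return 403
        s["mfa_ok"] = code == "123456"
        return 200 if s["mfa_ok"] else 401
    def get_dashboard(self, sid) -> int:
        s = self.sessions.get(sid)
        return 200 if s and s["pw_ok"] and s["mfa_ok"] else 403

# Each state reads its inputs from the shared context and writes its outputs back into it.
def login_page(app, ctx): ctx.update(app.get_login()); return 200
def login(app, ctx):      return app.post_login(ctx["sid"], ctx.get("csrf", ""), ctx["user"], ctx["pw"])
def mfa(app, ctx):        return app.post_mfa(ctx["sid"], ctx["code"])
def dashboard(app, ctx):  return app.get_dashboard(ctx["sid"])

FLOW: List[Callable] = [login_page, login, mfa, dashboard]

def run_flow(states, ctx, mutate=None) -> List[Tuple[str, int]]:
    """Walk the machine; `mutate(state_name, ctx)` lets a test tamper with inputs before a state."""
    app, trace = ToyAuthApp(), []
    for st in states:
        if mutate:
            mutate(st.__name__, ctx)
        trace.append((st.__name__, st(app, ctx)))
    return trace

CREDS = {"user": "alice", "pw": "correct horse", "code": "123456"}   # constructed test identity

def happy_path():  return run_flow(FLOW, dict(CREDS))
def skip_mfa():    return run_flow([s for s in FLOW if s is not mfa], dict(CREDS))  # step-skipping test
def strip_csrf():  return run_flow(FLOW, dict(CREDS), mutate=lambda n, c: c.pop("csrf", None) if n == "login" else None)
```

A real target would reject both mutated runs the same way this toy does; a flow where `skip_mfa()` still reaches the dashboard with 200 is the broken authentication Raider is built to surface.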

Cloud Security

salesforce/metabadger
By Salesforce’s Ashish Patel and Kinnaird McQuade: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
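As an added illustration (not metabadger's own code), the block below models the one setting metabadger changes, `HttpTokens`, to show why a GET-only SSRF primitive can no longer read metadata once IMDSv2 is required, and then audits a constructed `describe-instances`-shaped response for instances still accepting IMDSv1. The `MetadataService` class and the instance IDs are constructed; the remediation command is the real AWS CLI call.

```python
import secrets
from typing import Dict, List, Optional, Tuple

class MetadataService:
    """Constructed miniature of the EC2 Instance Metadata Service (169.254.169.254).
    Not AWS code: it only models the HttpTokens setting that metabadger enforces."""

    def __init__(self, http_tokens: str):
        assert http_tokens in ("optional", "required")   # "optional" = IMDSv1 still allowed
        self.http_tokens = http_tokens
        self._tokens: set = set()

    def request(self, method: str, path: str,
                headers: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
        """Return (status, body) for one request to the metadata endpoint."""
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            # IMDSv2 session start: a PUT carrying a TTL header. A GET-only SSRF
            # primitive in a web app cannot issue this request, so it never gets a token.
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            token = secrets.token_urlsafe(16)
            self._tokens.add(token)
            return 200, token
        if headers.get("X-aws-ec2-metadata-token") in self._tokens:
            return 200, "<metadata>"          # valid IMDSv2 session
        if self.http_tokens == "optional":
            return 200, "<metadata>"          # IMDSv1 fallback: tokenless GET still answered
        return 401, ""                        # IMDSv2 required: tokenless request refused

def instances_allowing_imdsv1(describe_output: dict) -> List[str]:
    """IDs of instances whose MetadataOptions still accept IMDSv1 (input shaped like `aws ec2 describe-instances`)."""
    found = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found

def remediation_command(instance_id: str) -> str:
    """The AWS CLI call that switches one instance to IMDSv2-only."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")

SAMPLE_DESCRIBE = {  # constructed sample, shaped like describe-instances output
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaa1", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0000000000000aaa2", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0000000000000aaa3", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
}
```

Before flipping a fleet to `required`, confirm that agents and SDKs on the instance already use the token flow, since anything still making tokenless calls will start receiving 401s.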

So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.

S3 backups and other strategies for ensuring data durability through ransomware attacks
By Scott Piper: “This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.”

Container Security

Kubernetes Hardening Guidance
By the NSA and CISA. Discusses Pod security, network separation and hardening, authentication and authorization, log auditing, and more.

Blue Team

magoo/ato-checklist
A checklist of practices for organizations dealing with account takeover (ATO), by Ryan McGeehan (@Magoo).

Red Team

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation
SySS’s Moritz Bechler describes hallucinate, a new tool that lets you easily intercept and modify clear-text TLS network traffic by instrumenting the target process (uses Frida or a custom agent for Java). Rather than having to deal with TLS at the network layer, hallucinate uses dynamic instrumentation to perform the traffic inspection or manipulation before data is encrypted and after it is decrypted.

From Stolen Laptop to Inside the Company Network
Dolos Group describes what they were able to do with only a Lenovo laptop preconfigured with the standard security stack for a client organization, and no additional information. In summary, they took a locked-down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.

tnpitsecurity/ligolo-ng
By TNP IT Security: “An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor. This allows running tools like nmap without the use of proxychains (simpler and faster).”

Fahrj/reverse-ssh
A statically-linked SSH server with a reverse connection feature for simple yet powerful remote access. Useful during pen tests, CTFs, or similar.

COVID-19

Let’s beat this thing together! 💪

Covid Act Now
Pull up a ton of stats on any city, county, state, or zip code, and see the risk level, infection rate, vaccination rate, and other useful information.

C.D.C. Internal Report Calls Delta Variant as Contagious as Chickenpox
Current evidence suggests that vaccinated people who catch the Delta variant (“breakthrough infections”) are much less likely to get seriously ill, but can still spread it about as readily as the unvaccinated.

There are roughly 35,000 symptomatic infections per week among 162 million vaccinated Americans, according to data collected by the C.D.C. as of July 24.

Crypto

You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
Interesting to see that the data backs up common wisdom: non-memory-safe languages should be replaced, and complexity can negatively impact security.

In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries.

Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases.

Supply Chain

Meet Package Hunter: A tool for detecting malicious code in your dependencies
GitLab’s Dennis Appelt describes their newly released Package Hunter tool, which analyzes a program’s dependencies for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring the system calls executed during installation using Falco. It currently supports testing NodeJS modules and Ruby Gems.

  • Introduced & enforced naming conventions for all internal packages published and consumed in Twilio

  • Blocked proxying of external packages that collide in the specified naming convention

  • Mandated all package installs come through internal package manager proxies

  • Restricted deployed hosts from accessing the registry

  • Deleted all old packages that did not follow the introduced naming conventions
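The first two steps above (a naming convention plus a proxy that refuses to fetch convention-matching names from upstream) are what actually closes the confusion window. As an added example, not Twilio's code, the block below implements that proxy decision and a collision report over a constructed registry; the `@example-internal` scope is a placeholder convention, not Twilio's real one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical naming convention: every internal npm package lives under one scope.
INTERNAL_SCOPE = "@example-internal"   # placeholder, not Twilio's actual convention
CONVENTION = re.compile(rf"^{re.escape(INTERNAL_SCOPE)}/[a-z0-9][a-z0-9-]*$")

def is_internal_name(name: str) -> bool:
    return bool(CONVENTION.match(name))

@dataclass
class Registry:
    internal: Dict[str, List[str]]   # package -> versions published on the private registry
    upstream: Dict[str, List[str]]   # what the public registry would answer (constructed)

def resolve(registry: Registry, name: str) -> dict:
    """Proxy decision: where, if anywhere, a request for `name` may be served from."""
    if is_internal_name(name):
        if name in registry.internal:
            return {"source": "internal", "versions": registry.internal[name]}
        # Convention-matching name with nothing internal behind it: never fall back to
        # upstream, or a public package published under the same name would be installed.
        return {"source": None, "reason": "internal-convention name not found; upstream fallback refused"}
    if name in registry.internal:
        # Legacy internal package outside the convention: serve it, but it must be renamed
        # and the old name deleted, because a higher upstream version would otherwise win.
        return {"source": "internal", "versions": registry.internal[name],
                "warning": "legacy name outside convention; rename and delete"}
    return {"source": "upstream", "versions": registry.upstream.get(name, [])}

def collisions(registry: Registry) -> List[str]:
    """Internal names that also exist upstream: the exposure the cleanup step has to remove."""
    return sorted(n for n in registry.internal if n in registry.upstream)

SAMPLE = Registry(  # constructed registry contents
    internal={"@example-internal/billing-core": ["1.4.0"], "legacy-billing-utils": ["0.9.2"]},
    upstream={"lodash": ["4.17.21"], "legacy-billing-utils": ["99.0.0"],
              "@example-internal/billing-core": ["99.0.0"]},
)
```

Pair this with the third and fourth steps: an `.npmrc` (or equivalent) that points every install at the proxy, and egress rules so deployed hosts cannot reach the public registry directly.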

Machine Learning

Attack AI systems in Machine Learning Evasion Competition
Microsoft and partners are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. The competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.

Misc

Dubai Is Using Laser-Beam-Shooting Drones to Shock Rain Out of the Sky
Sometimes I see an article and think, “The future is now.” Maybe this could help California with its now annual fire season.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint