- tl;dr sec
- Posts
- [tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain
[tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain
Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusion.
Hey there,
I hope you’ve been doing well!
InfoSec 😍 Musicals
It’s not often I get to do this, so I’m going to savor it.
If you’ve been reading tl;dr sec long, you know that I’m one of the (at least!) five people in security who also love musicals.
Do I have tattoos of my favorite lyrics? Not yet, my mom doesn’t approve of tattoos, and she reads this newsletter. One day.
But I loved Tricia’s parody of Dr. Horrible’s “On the Rise” duet, juxtaposing someone starting in security and then a year later.
See also tl;dr sec 86 for Rachel Tobac’s infosec sea shanty.
If you know of any other security + musical or song content, please let me know!
Exeunt stage right, jazz hands a-flourishin’
Sponsor
📢 Integrating Faraday into the software development process.
Usually, software companies see security as an afterthought, which can be generally added when the product is completely operative. What if you could automate your security process. And be able to reach Time-To-Market securely instead of fixing live? No matter which technology you use.
Well, we are going to explain with simple steps how to integrate our Faraday Platform in your software development process. Whether you use Github, Jenkins, Travis or Gitlab.
Plus be the first one to experience our newest version releasing in a few days.
📜 In this newsletter...
AppSec: Awesome OPA
Web Security: sqlmap but for server-side template injection and code injection, testing authentication flows
Cloud Security: Prevent SSRF in AWS via enforcing IMDSv2, how to secure an inherited AWS account, S3 backups and other strategies to survive ransomware attacks
Container Security: Kubernetes hardening advice from NSA and CISA
Blue Team: Account takeover checklist
Red Team: TLS traffic inspection via dynamic instrumentation, what you can do with a stolen full disk encrypted laptop, tunneling/pivoting tool that uses TUN, statically linked SSH server with a reverse connection feature
COVID-19: Tool to search for the latest info by geo, more info on the Delta variant
Crypto: Study of vulnerabilities in cryptographic libraries
Supply Chain: Find malicious dependencies with Falco, how Twilio addressed dependency confusion
Machine Learning: Microsoft competition to test evasion of AI-based malware and phishing detectors, Twitter's algorithmic bias bounty
Misc: Dubai is using laser-beam-shooting drones to shock rain out of the sky
AppSec
anderseknert/awesome-opa
A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles by Anders Eknert et al.
Web Security
epinna/tplmap
By Emilio Pinna: Like sqlmap but for Server-Side Template Injection and Code Injection. Tplmap supports over 15 template engines and contains a number of sandbox escape techniques to get access to the underlying operating system.
DigeeX/raider
A framework designed to test authentication for web applications by DigeeX. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don’t provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication.
Raider treats authentication as a finite state machine. Each authentication step is a different state, with its own inputs and outputs, which can be cookies, headers, CSRF tokens, or other pieces of information. The testing can be arbitrarily flexible, using a Lisp like configuration language.
Cloud Security
salesforce/metabadger
By Salesforce’s Ashish Patel and Kinnaird McQuade: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
S3 backups and other strategies for ensuring data durability through ransomware attacks
By Scott Piper: “This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.”
Container Security
Kubernetes Hardening Guidance
By the NSA and CISA. Discusses Pod security, network separation and hardening, authentication and authorization, log auditing, and more.
Blue Team
magoo/ato-checklist
A checklist of practices for organizations dealing with account takeover (ATO), by Ryan McGeehan (@Magoo).
Red Team
Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation
SySS’s Moritz Bechler describes hallucinate, a new tool that lets you easily intercept and modify clear-text TLS network traffic by instrumenting the target process (uses Frida or a custom agent for Java). Rather than having to deal with TLS at the network layer, hallucinate uses dynamic instrumentation to perform the traffic inspection or manipulation before data is encrypted and after it is decrypted.
From Stolen Laptop to Inside the Company Network
Dolos Group describes what they were able do with only a Lenovo laptop preconfigured with the standard security stack for a client organization, no additional info. In summary, they took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.
tnpitsecurity/ligolo-ng
By TNP IT Security: “An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor. This allows running tools like nmap without the use of proxychains (simpler and faster).”
Fahrj/reverse-ssh
A statically-linked SSH server with a reverse connection feature for simple yet powerful remote access. Useful during pen tests, CTFs, or similar.
COVID-19
Let’s beat this thing together! 💪
Covid Act Now
Pull up a ton of stats on any city, county, state, or zip, and see the risk level, infection rate, vaccination rate, and a number of other interesting info.
C.D.C. Internal Report Calls Delta Variant as Contagious as Chickenpox
Current evidence suggests that vaccinated people who catch the Delta variant (“breakthrough infections”) are much less likely to get seriously ill, but can still spread it about as readily as the unvaccinated.
There are roughly 35,000 symptomatic infections per week among 162 million vaccinated Americans, according to data collected by the C.D.C. as of July 24.
Crypto
You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
Interesting to see that the data backs up common wisdom: non memory safe languages should be replaced, and complexity can negatively impact security.
In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries.
Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases.
Supply Chain
Meet Package Hunter: A tool for detecting malicious code in your dependencies
GitLab’s Dennis Appelt describes their newly released Package Hunter tool, which analyze a program’s dependencies for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring system calls executed during the installation using Falco. Currently supports testing NodeJS modules and Ruby Gems.
Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion
Twilio’s Laxman Eppalagudem describes the steps they took:
Introduced & enforced naming conventions for all internal packages published and consumed in Twilio
Blocked proxying of external packages that collide in the specified naming convention
Mandated all package installs come through internal package manager proxies
Restrict deployed hosts from accessing the registry
Delete all old packages that did not follow the introduced naming conventions
Machine Learning
Attack AI systems in Machine Learning Evasion Competition
Microsoft and partners are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. The competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.
Introducing Twitter’s first algorithmic bias bounty challenge
Occurring during DEF CON’s AI Village.
Misc
Dubai Is Using Laser-Beam-Shooting Drones to Shock Rain Out of the Sky
Sometimes I see an article and think, “The future is now.” Maybe this could helpful California with its now annual fire season.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint