• tl;dr sec
  • Posts
  • [tl;dr sec] #96 - Learn Reverse Engineering, Cloud Security Orienteering, Kernel Pwning with eBPF

[tl;dr sec] #96 - Learn Reverse Engineering, Cloud Security Orienteering, Kernel Pwning with eBPF

Free workshops to learn reverse engineering, how to rapidly familiarize yourself in a new cloud environment, eBPF deep dive.

Hey there,

I hope you’ve been doing well!

An Auspicious Visit

I’ve been quite cautious the past year and change, with most of my outside the house activities being taking walks or going on hikes, going to the grocery store, and staring pensively out the window, like a cat.

But last weekend my brother visited from Utah with his wives partner, and it was awesome catching up.

I hope you and yours are doing well, and here’s to an eventual back to normal ✊


📢 Scan Google Workspace for exposed files in <5 minutes

Concerned about your company's file security?

One-click security scans for Google Workspace, now available on Vectrix.io. In just a few minutes, detect exposed files, insecure settings, user access issues, and more.

With Vectrix, security and IT teams get instant visibility into business-critical apps, including Google Workspace, O365 (coming soon), Slack, Zoom, GitHub, and more.

Get started for free, no credit card required!

📜 In this newsletter...

  • Conferences: DEF CON 2021 videos, Pwnie awards, Black Hat and DEF CON roundup

  • AppSec: End-to-end encryption through Kafka, securing XML implementations, Slack's static analysis program

  • Cloud Security: GCP Goat, orienting yourself in a new cloud, new AWS org checklist, building an AWS perimeter

  • Container Security: Threat hunting with Kubernetes audit logs, Kubernetes IDE

  • Blue Team: Protect domains that do not send email

  • Red Team: Kernel pwning with eBPF

  • Reverse Engineering: Reverse engineering for beginners, collection of RE workshops, Android app reversing 101

  • Politics / Privacy: Community to promote privacy-preserving AI tech, iOS will start scanning photos on your phone, Pentagon using AI to "see days in advance"

  • Misc: Talking to an AI version of a lost loved one, global warming's impact on big tech company campuses, open source alternative tools, the impact of explosive satellite grow

  • Twitter: Tracking down a stolen scooter with Airtags


DEF CON 29 Videos
2021 videos are posted.

All of the 2021 Pwnie Awards
In this Twitter thread by Dhiraj Mishra.

Top Hacks from Black Hat and DEF CON 2021
The Daily Swig’s John Leyden nicely references a number of presentations, including attacking Let’s Encrypt, FragAttacks, request smuggling with HTTP/2, moar Microsoft Exchange bugs by Orange Tsai, hacking humans using AI as a service, hacking rooms in a capsule hotel, e-books that compromise your Kindle, and more.


End-to-End Encryption through Kafka
Ockam’s Mrinal Wadhwa describes how two programs can send end-to-end encrypted messages over the network, via a cloud service, through Kafka. The programs will mutually authenticate each other and have a cryptographic guarantee that the integrity, authenticity, and confidentiality of their messages is protected end-to-end. Ockam seems neat: Apache 2 Rust and Elixir libraries to make E2EE easier. More open source secure primitives ftw 👍

Securing XML implementations across the web
Mattermost’s Juho Nurminen found XML round-trip parsing errors in four popular XML parsing libraries (in Ruby, NPM, Java, and .NET), and was able to confirm authentication bypasses in major SAML implementations and web applications for two of them. Juho doesn’t hold back:

Don’t get distracted by something like Golden SAML, when SAML itself is the problem. It’s a relic from an age when enterprise software meant XML and software that wasn’t built on top of XML was ridiculed and shunned.

SAML is inherently fragile, exceedingly complex, and nearly impossible to implement correctly. There are plenty of well-documented SAML vulnerability types predating my research yet still prevalent today: XEE, XML Signature Wrapping, Duo’s text node splitting attack etc.

Free as in Beer: Creating a Low-Cost Static Analysis Program
Slack’s Erin Browning and Tim Faraci have built out static analysis programs at multiple companies, using commercial and open source tools. In this DEF CON AppSec Village talk (slides), they discuss why at Slack they’re building their program around Semgrep.

I’ve written several Semgrep rules, and it takes me longer to write the developer guidance than the actual rule.

We’re finding similar true positive numbers running our open source Semgrep rules as I am comparing it to commercial offerings.

How easy is it to add a new language to Semgrep? Well, an intern can do it! Actually two interns who almost done with their CS degrees. (Slack interns David Frankel and Nicholas Lin have been adding Hacklang support this summer.)

Cloud Security

GCP Goat
An intentionally vulnerable GCP environment to learn and practice GCP security, by Joshua Jebaraj.

Cloud Security Orienteering
Excellent DEF CON Cloud Village talk by Cedar’s Rami McCarthy on how to rapidly find the information necessary to familiarize yourself with a new cloud environment, dig in to identify the risks that matter, and put together remediation plans that address short, medium, and long term goals.

AWS Organizations - Checklist for 2021
Chris Farris provides a great checklist of what you should do when setting up a new AWS Organization from scratch.

Building an AWS Perimeter
Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.

Container Security

Threat Hunting with Kubernetes Audit Logs
Square’s Ramesh Ramani walks through the basics of Kubernetes audit logs and how one can use these audit logs effectively to hunt for attackers in Kubernetes clusters. Ramesh covers specific log fields to focus on and why.

An extension for Lens - The Kubernetes IDE that displays Kubernetes resources and their relations as a real-time force-directed graph, by Lauri Nevala.

Blue Team

Protect domains that do not send email
Make sure that domains that do not send email cannot be used for spoofing, using SPF and DMARC.

Red Team

Kernel Pwning with eBPF: a Love Story
Grapl’s Valentina Palmiotti covers eBPF basics & verifier internals, exploiting CVE-2021-3490 for local privilege escalation, debugging eBPF bytecode, exploitation techniques for DoS, info leak, and LPE, and weaknesses still in eBPF. Super detailed write-up 🤘.

Reverse Engineering

Reverse Engineering for Beginners
New free workshop by Guardicore’s Ophir Harpaz covering an x86 overview, a short intro to IDA, and a number of exercises with hints.

Reverse Engineering Workshops by Malware Unicorn
Malware Unicorn’s workshops include reverse engineering 101 and 102, PE injection, macOS Dylib Injection, anti-analysis techniques, and more.

Android App Reverse Engineering 101
Maddie Stone’s workshop focuses on static analysis, covering DEX bytecode, native libraries, obfuscation, and more.

Politics / Privacy

OpenMined is an open-source community whose goal is to make the world more privacy-preserving by lowering the barrier-to-entry to private AI technologies.

With OpenMined, people and organizations can host private datasets, allowing data scientists to train or query on data they “cannot see”. The data owners retain complete control: data is never copied, moved, or shared.

Apple confirms it will begin scanning iCloud Photos for child abuse images
iOS will start scanning pictures on your device to look for known bad images. It tries to do this in a privacy preserving-ish way, but some security professionals view this as a step in the direction of giving law enforcement backdoors. More: Wired, Stratechery, must read Alex Stamos thread.

The Pentagon Is Experimenting With Using Artificial Intelligence To “See Days In Advance”
Basically they’re feeding ML/AI real-time data gathered by a network of sensors around the globe, including “commercially available information.” The AI can detect changes, and will trigger additional intelligence gathering to take a closer look at what might be ongoing in a location. Well on our way to Westworld Season 3.


The Jessica Simulation: Love and loss in the age of A.I.
By Jason Fagone. Your partner passes away before their time. You upload their text messages, email, and other communications to Project December, which is powered by GPT-3. Soon, you’re talking to “them” again. Wow, this was quite a read.

Rising Seas Are Coming For Big Tech Campuses. Who Will Pay To Protect Them?
Some pretty neat visualizations by NPR. Basically, a number of Bay Area communities around Google, Facebook, and others are likely going to get flooded due to global warming. Mitigations will be expensive, but who will pay for it?

Open Source Alternatives
A curated list of 200+ open source alternatives to tools that businesses require in day-to-day operations.

How the explosive growth in satellites could impact life on Earth
Satellites can be used for a variety of purposes, including: counting the number of cars in retail parking lots (like Walmart, Home Depot, etc.), monitoring activity at metal processing and storage facilities to predict metal prices and related trends, analyzing car numbers at certain hospitals to predict future pandemics, identifying and preventing illegal deforestation, assessing disasters like floods and oil leaks, provide Internet to the world, and more.

Downsides: potential surveillance abuse, space debris falling to Earth, potential interference with astronomers and current weather prediction services.


Man, what a story.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!