[tl;dr sec] 98 - Cloud Security Orienteering, Last S3 Document You’ll Need, Burnout

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog

here

)

Hey there,

I hope you’ve been doing well!

  Hard Truths 

We start relationships brimming with anticipation.

We can read novels of meaning from a crinkle of their eye or turn of their lips, or drift away, content, in the fragrance of their hair.

Sometimes things are almost perfect, if we could just change one thing. Sometimes you can.

But other times, there are hard mathematical truths we must face, which this image by Ericstotle reminds us.

(Read further in the linked thread for an explanation if you forget your calculus.) Other MuseumsAfter I mentioned a few virtual museums last week, some readers mentioned some other great options. lcamtuf’s Museum of Broken Packets (H/T Jon Oberheide) Take a 3D tour of The National Museum of Computing. I’ve visited Bletchley Park (where Alan Turing and many others helped break German ciphers in World War 2) before, and it was incredible. I highly recommend checking it out if you have the chance. (H/T James Mckinlay)✨ Cloud Security OrienteeringI’m incredibly excited to announce the next tl;dr sec guest post, by my friend Rami McCarthy: Cloud Security Orienteering.Rami kindly agreed to turn his DEF CON Cloud Village talk into a detailed guide on how to rapidly orient yourself in a totally unfamiliar cloud environment, identify and prioritize risks, and create an actionable plan for securing it.It’s pretty great, highly recommend checking it out.He also distilled the guide down into an actionable checklist, of specific tasks to do, in order.If you want the Clint Notes™ version, you can check out my summary tweet thread.Here’s a quick preview:

Sponsor

  📢 Protect Access to Your SaaS Data with AppOmni 

SaaS applications have evolved into complex platforms that provide data access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now more categories of users, and more data access points for attackers to exploit. Over 95% of enterprises we’ve analyzed have over-provisioned external users with access to sensitive data. See who has access to your business-critical data with AppOmni’s free risk assessment.

📜 In this newsletter...

• AppSec: Malicious PDF generator, ElectronJS hardener

• Static Analysis: Thread on how to use SAST (in)effectively

• Web Security: Making a JavaScript payload that's terrible to reverse, how Figma is securing internal web apps

• Cloud Security: Thorough threat model of S3

• Container Security: Threat hunting with Kubernetes audit logs, tool to determine if Kubernetes was deployed securely

• Blue Team: macOS 11's hidden security improvements, top 15 vulnerabilities used to target Linux systems

• Red Team: How to escalate privileges when you can use a package manager

• Politics / Privacy: U.S. vs China discussion, Taliban has seized U.S. military biometrics devices, academics warn of risks of Apple's CSAM scanning approach, OnlyFans is/isn't banning adult content

• Burnout: Mandatory team fun time, and an honest discussion of burnout and recovering

• Misc: Parse a number of *nix command output to JSON

AppSec

jonaslejon/malicious-pdfBy Jonas Lejon: “Generate ten different malicious pdf files with phone-home functionality. Can be used with Burp Collaborator. Used for penetration testing and/or red-teaming.” 

1Password/electron-hardenerA Rust library and command line tool to harden Electron binaries against runtime behavior modifications. 

Static Analysis

Some interesting comments in this thread. I’ve taken a few snippets that touch on things I’ve seen successful across a number of companies (bolding mine).

NetSuite’s John Melton:

Netflix’s Patrick Thomas:

All-around baller Jim Manico:

Marqeta’s Ronnie Flathers:

Web Security

Anti-Debug JS/WASM by Hand“Let’s write the most cursed abomination to ever grace a web browser.” Remy describes making some JavaScript that’s miserable to debug: WebAssembly by hand, WebAssembly bytecode with HTML in it, that HTML has embedded JavaScript in it, … 

Inside Figma: securing internal web appsFigma’s Max Burkhardt describes their system to securely provide access to internal apps using AWS ALBs, Cognito, Okta, and Lambdas. Loved the details on getting fine-grained access control right.

The discerning tl;dr sec reader might recall Hongyi Hu’s AppSec Cali 2019 talk on how Dropbox secures internal apps (my summary), which is still one of my favorite talks on modern security engineering, highly recommend it. In fact, Dev Akhawe and Hongyi were at Dropbox, and are now on Figma’s security team with Max. Small world!

Cloud Security

The last S3 security document that we’ll ever need, and how to use it163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:

1. Best practices (best security/effort ratio)

2. Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance

3. Onboarding for large enterprises/agencies

4. Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan

Container Security

Threat Hunting with Kubernetes Audit Logs - Part 2Square’s Ramesh Ramani walks through threat hunting using ATT&CK for Containers.

• Execution: Finding repeated exec failures

• Persistence: Unusual cronjob creation failures

• Privilege Escalation: Users being given “cluster-admin” access

• and more

armosec/kubescapeTool by Armosec to determine if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.

  Blue Team 

macOS 11’s hidden security improvementsMalwarebytes discusses some lesser known security changes they found by diffing the macOS 11 and 10.15 SDKs, including CPU security mitigation APIs, endpoint security API improvements, and a new open flag, O_NOFOLLOW_ANY, that can mitigate an entire family of potential vulnerabilities. 

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux SystemsData by Trend Micro: from “50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a PoC.”

Red Team

Linux Privilege Escalation - Package ManagersMichael Ikua describes how to escalate privileges when you can’t sudo but you can use package managers.

  Politics / Privacy 

Seeing RedInteresting discussion on the political and economic competition between the U.S. and China, by Prof Galloway. 

The Taliban Have Seized U.S. Military Biometrics DevicesThe U.S. military spent years gathering biometric data like iris scans and fingerprints of Afghans helping them. That data is now in Taliban hands, and could be used to target them. This is what’s so dangerous about surveillance tech and PII: you don’t know who will be elected or seize power, and how they may abuse it. 

Opinion | We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerousPrinceton University professor Jonathan Mayer and PhD candidate Anunay Kulshrestha wrote a peer-reviewed paper on building a system for detecting child sexual abuse material in encrypted images, but concluded it was too dangerous, as it could be easily repurposed for surveillance and censorship.

OnlyFans CEO on why it banned adult content: ‘the short answer is banks’Article by the Verge.

And this thread has some pretty interesting context around various groups’ attempts to attack the sex industry, using sex trafficking and other bad things as a proxy.

Last minute update: OnlyFans has reversed course and will not ban adult content.

  Burnout 

Mandatory Team Fun TimeTwitter’s Ronnie Chen describes a practice she created which allowed their distributed team to have a day of fun. Guidelines:

• You are strictly forbidden from spending your offsite time on catching up on work, chores, or other obligations and commitments.

• Select an activity or activities that you would not otherwise have time to do that you find delightful, meaningful, serene, challenging, relaxing, amusing, awe-inspiring, satisfying, or intriguing.

Burning out and quittingA powerfully honest and great post by my friend Maya Kaczorowski (HN discussion). I’m not going to lie, reading this from someone as brilliant and productive as Maya made me feel a little better about my (probably continuing) feelings of burnout during the pandemic.

  Misc 

Bringing the Unix Philosophy to the 21st CenturyKelly Brazil describes his tool jc, which parses the output of a number of *nix commands into nicely consummable JSON. If you like the idea of piping a bunch of security tools together, Unix-style, check out my summary of Daniel Miessler’s Red Team Village talk, Mechanizing the Methodology.

Thanks for reading!

Cheers,

Clint