Easily Identify Malicious Servers on the Internet with JARM
Salesforce’s John Althouse introduces JARM, a newly released active TLS server fingerprinting tool. JARM sends a set of crafted TLS Client Hellos to a server and hashes attributes of the Server Hello responses (selected cipher, version, extensions), producing a fingerprint that can be used to:
- Quickly verify that all servers in a group have the same TLS configuration.
- Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.
- Identify default applications or infrastructure.
- Identify malware command and control infrastructure and other malicious servers on the Internet.
Silas Cutler gave JARM a spin and wrote about his findings in this blog post. In short, he found that “JARM fingerprints alone are rarely (not always) unique enough to be a reliable method for clustering.” The reason is intuitive: the fingerprint reflects the TLS stack and its configuration, so any two servers running the same stock web server, library, or CDN defaults will produce the same hash regardless of who operates them. Treat a JARM match as a lead to pivot on, not as attribution.
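As an added example (not code from the JARM project or from either post above), here is the kind of check a defender runs over a JARM scan of their own hosts: verify a fleet shares one fingerprint, group strays by the coarse part of the hash, and flag hosts whose fingerprint merely matches a known stock stack. It relies only on the published structure of a fingerprint: 62 hex characters, the first 30 being ten 3-character probe results (a 2-character cipher-table code plus a 1-character version code, “000” for an unanswered probe) and the last 32 a truncated SHA-256 of the extension data; an all-zero fingerprint means no TLS response. Host names, fingerprints and the `KNOWN` table are constructed.

```python
"""Group hosts by JARM fingerprint and spot configuration outliers.

Added example for this newsletter item, not code from the JARM project.
Only the documented fingerprint shape is used (30-char fuzzy part + 32-char
truncated SHA-256); the cipher table JARM uses is not reproduced here.
All hosts and fingerprints below are constructed, not real measurements.
"""
from collections import defaultdict

PROBE_COUNT = 10
FUZZY_LEN = 3 * PROBE_COUNT          # 30 chars: 10 probes x (cipher code + version code)
HASH_LEN = 32                        # truncated SHA-256 of the extension data
JARM_LEN = FUZZY_LEN + HASH_LEN      # 62
NO_RESPONSE_PROBE = "000"            # server gave no usable Server Hello for this probe
NO_RESPONSE_FP = "0" * JARM_LEN      # port open but no TLS response at all
HEX = set("0123456789abcdef")


def is_valid_jarm(fp: str) -> bool:
    """Structural check only: right length and lowercase hex."""
    return len(fp) == JARM_LEN and set(fp) <= HEX


def decode_fuzzy(fp: str) -> list:
    """Split the fuzzy part into one entry per probe.

    Each entry is (cipher_code, version_code), or None when the server did
    not answer that probe. cipher_code is JARM's index into its cipher table.
    """
    if not is_valid_jarm(fp):
        raise ValueError(f"not a JARM fingerprint: {fp!r}")
    probes = []
    for i in range(PROBE_COUNT):
        chunk = fp[3 * i:3 * i + 3]
        probes.append(None if chunk == NO_RESPONSE_PROBE else (chunk[:2], chunk[2]))
    return probes


def answered_probes(fp: str) -> int:
    """How many of the ten probes the server answered."""
    return sum(p is not None for p in decode_fuzzy(fp))


def group_hosts(scan: dict, coarse: bool = False) -> dict:
    """Map fingerprint -> sorted hosts.

    coarse=True keys on the 30-char fuzzy part only, so servers that pick the
    same cipher/version per probe but differ in extensions share a bucket.
    That answers "same TLS stack, different tuning?" for a stray host.
    """
    groups = defaultdict(list)
    for host, fp in scan.items():
        groups[fp[:FUZZY_LEN] if coarse else fp].append(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}


def find_outliers(scan: dict, expected: str) -> dict:
    """Hosts whose fingerprint differs from the fleet's expected one."""
    return {host: fp for host, fp in scan.items() if fp != expected}


def label_known(scan: dict, known: dict) -> dict:
    """Hosts whose fingerprint matches a known stock stack.

    This is the caveat from Cutler's post: a match identifies the TLS stack,
    not the operator; everyone on that default hashes the same.
    """
    return {host: known[fp] for host, fp in scan.items() if fp in known}


# Constructed fingerprints (hypothetical values, not real measurements).
FP_WEB = "29d29d00029d29d00042d42d000000" + "0123456789abcdef0123456789abcdef"
FP_WEB_ALT_EXT = "29d29d00029d29d00042d42d000000" + "fedcba9876543210fedcba9876543210"
FP_API = "2ad2ad0002ad2ad22c2ad2ad2ad2ad" + "00112233445566778899aabbccddeeff"

SCAN = {  # constructed scan result: host -> JARM fingerprint
    "web-1.example.net": FP_WEB,
    "web-2.example.net": FP_WEB,
    "web-3.example.net": FP_WEB_ALT_EXT,    # same ciphers, different extensions
    "api.example.net": FP_API,
    "old-vpn.example.net": NO_RESPONSE_FP,  # port open, no TLS handshake
}

# Constructed lookup table; in practice, fill it from your own scans of
# known-good builds of the stacks you run.
KNOWN = {FP_API: "constructed label: stock build of a common TLS stack"}

if __name__ == "__main__":
    for fp, hosts in group_hosts(SCAN).items():
        print(f"{fp}  answered={answered_probes(fp):2d}  {hosts}")
    print("outliers vs. web fleet:", find_outliers(SCAN, FP_WEB))
    print("coarse groups:", group_hosts(SCAN, coarse=True))
    print("known stacks:", label_known(SCAN, KNOWN))
```

Run it over the real `jarm.py` output by filling `SCAN` from the scan file; the coarse grouping is the useful first cut when a host drifts, since an extension-only change (a different ALPN list, say) keeps the first 30 characters intact.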
Deep Dive into Site Isolation (Part 1)
This post by Jun Kokatsu well deserves the term “deep dive.” He describes how Site Isolation and related security features work, and walks through several bugs he found in Chrome’s implementation. See also his presentation at bugSWAT.
Site Isolation is a security feature that separates the web pages of each Site into their own process. With Site Isolation, the boundary of a Site is aligned with OS-level process isolation, instead of in-process logical isolation, such as the same-origin policy.
I also found this intuition interesting (highlights are mine):
In my approach for bug hunting for Chrome, I would usually start with manual testing rather than code audit. This is because the Chrome team is generally good at code reviews. So I think that most of the logical bugs that slip through their code reviews are difficult to find by code audit. Therefore, I followed the same methodology when I began looking at Site Isolation.
Demystifying the Server Side
Ekoparty 2020 workshop (video) by Harsh Jaiswal, Rahul Maini, and Rajanish Pathak covering server-side vulnerabilities such as SSRF (server-side request forgery), XXE (XML external entity injection), remote code execution, and reverse proxy attacks. Includes a number of interesting case studies.
XS-Leaks Wiki
Wiki by some Googlers on cross-site leaks (XS-Leaks): side channels that let a malicious website infer information about a user’s state on another site, with PoC code for each technique, as well as the defense mechanisms that close them off (isolation headers such as COOP and CORP, Fetch Metadata, SameSite cookies). The source is on GitHub.
Cloud Security
How To Protect Sensitive Data in Terraform
Guide by Digital Ocean: “In this tutorial, you’ll hide sensitive data in outputs during execution and store your state in a secure cloud object storage, which encrypts data at rest.”
AWS Audit Manager Simplifies Audit Preparation
Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”
Semgrep for Cloud Security
Marco Lancini walks through using Semgrep for Terraform files and Kubernetes YAML, including writing new rules.
In a few hours, thanks to the official documentation and Playground, I was able to go from absolute 0 to writing my first rules.
Container Security
stealthcopter/deepce
Tool by Matthew Rollings: “Docker Enumeration, Escalation of Privileges and Container Escapes.”
Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
Kamil Potrec describes how Kubernetes container isolation impacts privilege escalation attacks, and walks through common kernel exploitation techniques to show where the container abstraction layers can hinder the path to that precious root shell.
Politics / Privacy
Cloudflare’s privacy-first Web Analytics is now available for everyone
You can now use Cloudflare’s web analytics offering for free just by including a JavaScript file, even if you aren’t a customer. “Cloudflare Web Analytics does not use any client-side state, such as cookies or localStorage, to collect usage metrics. We also don’t ‘fingerprint’ individuals via their IP address, User Agent string, or any other data for the purpose of displaying analytics.”
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Whoa, a pretty impressive supply chain attack: FireEye describes a backdoor (SUNBURST) that was delivered inside signed updates of the SolarWinds Orion platform. Alex Stamos reflects in a Twitter thread:
The overall security quality of enterprise IT products is terrible and that is the responsibility of every F500 CIO, CISO and board for creating the wrong incentives. I include myself in this.
There are dozens of companies that represent critical, systemic risk across the public and private sector and most of the “security community” has interacted with none of them. The outside pressure that has pushed consumer IT to improve does not exist for most of IT.
See also the excellent (and hilarious) Virus Bulletin keynote by Haroon Meer and Adrian Sanabria: The security products we deserve.
I Was the Homeland Security Adviser to Trump. We’re Being Hacked
The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.
The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.
OSINT / Recon
Analysis of the RECON/Attack Surface Management Space
Daniel Miessler believes this space breaks down into several overlapping areas, which will probably all merge into Attack Surface Management within ~3-6 years.
- Attack Surface Management
- Asset Inventory
- Bounty Researcher Tooling
- Discovery, Monitoring, and Alerting
- Reporting and Remediation
- Vulnerability Discovery and Management
In my opinion, there are meaningful differences and trade-offs if you come at this from a whitebox or blackbox perspective. Both have strengths and weaknesses, and based on some chats I’ve had with Caleb Sima, it seems like companies might need both.
A few weeks ago I was catching up with Mark Manning. One thing led to another, and next thing I knew we had decided to write a meaty Kubernetes security guide. It happens.
I’m especially excited to share this with you because Mark is legit - he spent several years at NCC Group doing largely Kubernetes and container security projects for a wide array of clients, and he helped build out NCC Group’s Kubernetes and container practice.
The guide ramps you up on Kubernetes terms and how the pieces fit together if you’re new, then dives into how to get the lay of the land of your Kubernetes environment and how to take a measured approach to meaningfully reduce your security risk.
It’s approachable, actionable, and downright funny. Here’s a taste: