[tl;dr sec] #11 - ShellCon 2019 Roundup


Hey there,

I hope you’ve been doing well!

🎆Trying something new

I’ve added a quick index below.

I’d really appreciate feedback on if you’d like me to keep or cut the index for future tl;dr sec issues 🙏

In this newsletter...

Links
  • Tools: a fuzzer for JavaScript, a type checker / static analyzer for Python.
  • Dropbox and Twilio (tool release) discuss their detection and response automation.
  • A hacking group tips off a journalist about a child exploitation website, a list of cloud native services from the Cloud Native Computing Foundation, Q3 2019 updates from the Chrome security team.
ShellCon 2019 Talks
  • Solve vulnerability classes with secure by default libraries.
  • Useful DevSecOps tips and agile culture mindsets.
  • Mainframe hacking, how Hollywood was hacked, and building custom static analysis with open source tools.

Tools

JsFuzz - a coverage-guided fuzzer for testing JavaScript/NodeJS packages.

pyre-check - performant type-checking for Python from Facebook. Can also use data-flow analysis to find web app type vulnerabilities.

Introducing Twilio’s SOCless: Automated Security Runbooks - “a serverless framework to help organizations easily automate their security workflows and respond to threats quickly and at scale.” This allows the Twilio SecOps to write runbooks for standard procedures (e.g. warn employees of phishing emails within seconds of receipt, investigate anomalous activity in their cloud environment, etc.). Source code on GitHub, hat tip to Marco Lancini for the link.

SOCless base architecture

Misc

How Segment reduced their infrastructure costs by 30% in six months.

A journalist’s story about how he was alerted by a hacker group about a dark web site running a massive child sexual exploitation operation. He reached out to the FBI with the info and heard nothing for two years. Then recently indictments were filed: 337 arrests and 23 children rescued. The individuals were found not by the FBI but actually the IRS who traced Bitcoin transactions used to pay for uploading/downloading videos on the site.

The Cloud Native Computing Foundation’s Interactive Landscape has an impressive list of cloud services and companies. Allows filtering by category, license, organization, etc. and groups them by category (e.g. CI/CD, scheduling & orchestration, service proxy, cloud native storage, security and compliance, and more).

CNCF

Q3 2019 Summary from the Chrome Security team

  • Improvements in Safe Browsing; mixed content (http:// resources loaded on https:// pages) will start being blocked.
  • XSS Auditor removed; it was more trouble than it was worth.
  • FuzzedDataProvider added to clang (simplifies writing fuzz targets requiring multiple inputs), Black Hat USA 2019 talk on structure aware fuzzing. Misc ClusterFuzz and OSS Fuzz improvements.
  • The Kazakhstan government created a root CA and with local ISPs was trying to encourage all KZ citizens to install and trust it. Ripe Atlas, an Internet measurement network, detected the CA man-in-the-middling social media traffic. Chrome blocked the cert and with Mozilla issued a joint PR statement condemning the attempt.

How Dropbox Security builds tools for threat detection and incident response

(Thanks Jason Craig)

  • Dropbox can’t store all their logs in one place due to volume (~10’s of TB / day), which makes life harder for analysts, who may need to use multiple query languages to pull data from multiple data sources during an investigation. So here’s what they did to improve their efficiency.
  • Alertbox was created to contextualize alerts - e.g. find the users, hosts, and processes involved and automatically run code in response to alerts.
  • A datasources library was built for the workflows to use to abstract away storage details.
  • They then built Covenant, an investigation tool built on Jupyter Notebooks (essentially super powered Python REPLs). Here code and output are intermingled and the analysis is self-documented. Investigations are recorded and tied to individual alerts fired.
  • Overall process: alert fires -> Alertbox calls an RPC service named Forerunner, which returns a Jupyter notebook corresponding to the alert. Alertbox embeds the URL of the notebook into the alert ticket. In the background, Forerunner runs the alert notebook asynchronously.
  • The on-call can then conduct their investigation in the notebook using the same primitives provided by the datasources library. The investigations are automatically recorded.

Dropbox DART diagram

“Traditionally, the most common method of building threat detection and response tools is to de-couple the automation and investigation pieces. In our experience, this leads to a massive amount of thrash. At Dropbox, we have invested in a common underlying abstraction for our logs which is available during various stages of the Incident Response cycle.”

⭐️ ShellCon 2019

Don’t Run With Scissors: How to Standardize the Way Your Developers Use Dangerous Aspects of Your Framework

I’m a fan of this talk by Morgan Roman (slides) on how DocuSign eliminated several bug classes (e.g. XSS, open redirect, XXE, SSRF, etc.) via wrapper classes + greps. He also gave this talk at DevSecCon Seattle, see my notes here.
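As an added illustration of the wrapper-plus-grep approach (my own example, not DocuSign's code): a secure-by-default redirect wrapper for the open redirect case, and a grep-style check that flags any raw `redirect(` call outside the wrapper module. The allow-list, the Flask-style `redirect(` pattern and the sample files are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the only hosts the app may redirect to.
ALLOWED_REDIRECT_HOSTS = {"example.com", "app.example.com"}


def safe_redirect_target(url, default="/"):
    """Secure-by-default wrapper: return url only if it is a same-site path
    or an http(s) URL on an allowed host; anything else falls back to default,
    so callers cannot express an open redirect through it."""
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        # Relative path. Reject "//host" (scheme-relative) and "/\host"
        # (treated as "//host" by some browsers).
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return default
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return url  # hostname ignores userinfo, so "https://example.com@evil" is rejected
    return default


# The "grep" half: the framework's raw redirect() may only be called inside the
# wrapper module; every other occurrence is a finding to fix in code review / CI.
RAW_REDIRECT = re.compile(r"\bredirect\(")  # constructed Flask-style pattern


def find_raw_redirects(files, wrapper_module="safe_redirect.py"):
    """files maps filename -> source text. Returns (filename, line number) hits."""
    hits = []
    for name, source in files.items():
        if name == wrapper_module:
            continue
        for lineno, line in enumerate(source.splitlines(), start=1):
            if RAW_REDIRECT.search(line) and not line.lstrip().startswith("#"):
                hits.append((name, lineno))
    return hits


# Constructed sample repo: one wrapper module, one offender, one clean caller.
SAMPLE_FILES = {
    "safe_redirect.py": "from flask import redirect\n\ndef go(url):\n"
                        "    return redirect(safe_redirect_target(url))\n",
    "views.py": "from flask import redirect, request\n\ndef login():\n"
                "    return redirect(request.args.get('next'))\n",
    "ok_views.py": "from safe_redirect import go\n\ndef logout():\n    return go('/')\n",
}
```

Running `find_raw_redirects(SAMPLE_FILES)` reports only `views.py` line 4; the same grep can run as a CI step so the bug class stays fixed once the wrapper is adopted.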

Are you ready to leverage DevSecOps? Get ready and use it for good

Nicole Schwartz gave a nice intro to DevSecOps and touched on some important themes and ideas I agree with and have found to be true in a number of companies.

How to prioritize: what’s your most common vulnerability type? Target those with the best approach (e.g. SAST, DAST, wrapper libraries, …). Determine your critical threat surface (we have PCI / SSNs *here*, *this* just has marketing material). Rate the data that can be breached, start with the highest risk then work your way down.

GitLab’s security play: basically they’re taking a bunch of open source tools that do SAST, DAST, container scanning, out-of-date dependency checks, license compliance checks, etc. and making it trivial to integrate into a project’s SDLC.

  • I’ve seen a number of companies build their own glue code connecting CI/CD and security tools. It tends to be a pain and ongoing unwanted engineering cost. I expect integration/orchestration functionality to continue growing as a selling point for various tools.

Don’t say no: Instead, “How about this instead? Have you considered this alternative approach?” Help developers find ways to do their job. e.g. We need to {share really big files} often? OK, let’s find a secure way to do that.

Security metrics: finding more issues pre-production is great; that’s where you should find them, so that issues in prod decrease. Focusing on reducing time to remediate is useful as well.

If you see shadow IT in your company, it’s probably because someone said “No.” - @CircuitSwan

LOL We’re All Screwed: Mainframe Hacking in 2019

“Why are we talking about mainframes? It’s 2019.” Oh, my young, idealistic reader, have I got news for you. Have you used a credit card, or a bank, or flown in an airplane recently? Those probably ran on a mainframe.

I can’t do the talk justice here, but I did want to say that one thing I really like about Soldier of FORTRAN’s talks is how they’re both very technical and fun at the same time. It’s tough to do both, so if you’re looking for examples of engaging presenters I recommend watching one of his talks (e.g. ShmooCon 2019, DEF CON 22).

How Hollywood Got Hacked

There were two primary components to this talk by Michael Wylie: a) a discussion of several breaches in the entertainment industry and b) an overview of the Trusted Partner Network (TPN), which is basically like PCI or HIPAA but for the screen industry.

The discussion of breaches (e.g. Sony, Larson Studios, Disney, Line 204) aggregated available public information (what was leaked, timeline, impact of the breach, etc.). One thing I found interesting is that a hacking group called The Dark Overlord seems to have targeted a number of studios.

Previously, each major studio would perform their own assessment of vendors (e.g. to do editing, sound, etc.), and the criteria applied could be vastly different. The TPN provides a documented, single benchmark that vendors must fulfill, reducing duplicated assessments and providing a consistent standard.

Rolling Your Own: How to Write Custom, Lightweight Static Analysis Tools

My friend Daniel DeFreez and I have been wanting to give a talk like this for a long time.

The core premise is that you don’t need expensive, complex tools to get value from static analysis. You can actually address some classes of problems fairly precisely and performantly with Abstract Syntax Tree (AST) matching (aka “linting”), which you can think of as a nice middle ground between grep and data-flow analysis.

In a few hundred lines of Python, we built some simple PoC code using GitHub’s semantic to show how one could:

  • Iteratively explore a new Rails codebase, using static analysis to extract code organization information and point out potential code hot spots to manually examine.
  • Find command injection in ExpressJS apps across all of GitHub using a simple two-step taint analysis.
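An added example of the two-step taint idea (mine, not the talk's semantic-based code): it uses Python's stdlib `ast` module on a constructed Python handler instead of semantic on ExpressJS. Step one collects variables assigned from anything rooted at `request`; step two reports calls to a small, constructed list of shell sinks whose arguments use those variables.

```python
import ast
# Constructed sample to analyze: ping() shells out with a request parameter,
# greet() only logs one and must not be reported.
SAMPLE_SOURCE = '''
import subprocess
def ping(request):
    host = request.args.get("host")
    subprocess.call("ping -c1 " + host, shell=True)

def greet(request):
    name = request.args.get("name")
    print("hello " + name)
'''
SINKS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "os.system"}  # constructed


def dotted_name(node):
    """Render a Name/Attribute chain such as `subprocess.call` as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None


def is_request_source(node):
    """Step 1 (sources): any expression rooted at `request`, e.g. request.form["x"]."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return isinstance(node, ast.Name) and node.id == "request"


def find_command_injection(source):
    """Step 2 (sinks): per function, collect names assigned from a source, then
    report sink calls whose arguments use one. Flow-insensitive and non-transitive
    on purpose, like the simple two-step check. Returns (function, line, names)."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and is_request_source(node.value):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        for node in ast.walk(func):
            if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                used = {n.id for a in node.args for n in ast.walk(a) if isinstance(n, ast.Name)}
                if used & tainted:
                    findings.append((func.name, node.lineno, sorted(used & tainted)))
    return findings
```

On the sample it reports only `ping` (line 5 of the snippet, via `host`); being non-transitive it would miss a value copied through a second variable, which is the precision/effort trade-off between this kind of matcher and full data-flow analysis.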

I’ll write a detailed blog post about this at some point, stay tuned!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them🙏

Thanks for reading!

Cheers,
Clint

@clintgibler @programanalysis