Shalom!

This week’s tl;dr sec is coming to you live, from Tel Aviv! That’s right, live, I’m typing this up as fast as I can, so don’t scroll down too quickly, or you’ll see a blank page and it’ll be embarrassing.

I’m here because I was invited to give the closing keynote at DevSecCon Tel Aviv, which was exciting, as it’s my first keynote! 🎉 To be honest, I was a bit nervous, but it seemed to be well-received and there were some great questions afterwards.

I enjoyed the talks and met some sharp people. I’ll share some of my notes over the next few weeks.

📜 In this newsletter...

Links:
  • Tools: an SSH multiplex backdoor, intentionally vulnerable AWS infrastructure for training.
  • Talk: Owning the Cloud through SSRF and PDF Generators.
  • Misc: learn quantum mechanics from a comic strip, a tale of the cyber security version of Theranos.
  • Asset Inventory: Thoughts on Bugcrowd's new offering and two more companies in the space.

New Summary:

In this Global AppSec Amsterdam 2019 talk, Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a senior title.

Tools

sadcloud - A tool for spinning up (and down) intentionally vulnerable AWS infrastructure using Terraform, built by Rami McCarthy and Joshua Dow of NCC Group (blog post).

Similarly, in case you haven’t already heard about it, flaws.cloud is another great hands-on AWS security resource by Scott Piper, who I recommend following if you’re into cloud security.

SSHession - an SSH multiplex backdoor tool released by NCC Group, useful for red teams. Described more in this blog post: Bypassing Authentication on SSH Bastion Hosts.

Owning the Cloud through SSRF and PDF Generators

(Slides) This talk by Ben Sadeghipour and Cody Brocious, presented at DEFCON, Global AppSec DC, and ShellCon, has neat tips and tricks on some more advanced SSRF scenarios, for example, attacking headless browsers and HTML renderers. Worth a read if you do web app security testing.

Example content:

  • Problem: metadata or internal IPs are getting filtered
    • Solution: Use a custom domain like meta.mydomain.com and point it to the asset you are trying to access (aws.mydomain.com -> 169.254.169.254)
  • Problem: Only able to use whitelisted domains
    • Solution: Find an ‘Open Redirect’ on the whitelisted domain(s) and use that to exploit your SSRF
  • Problem: SSRF is there but I can’t see the output
    • Solution: Use Javascript and exfil data

Misc

“The Talk” by SMBC - a hilarious comic strip about a mother giving her son the… quantum computing talk. I guarantee you’ll laugh (and learn something).

A Cybersecurity Firm’s Sharp Rise and Stunning Collapse
A long piece on how the company Tiversa ended up being like a Theranos for the security industry - charismatic leader and fraud, served with a side of extortion. No movies on it yet (hello, Netflix readers 😉).

Asset Inventory III: Revenge of the Shadow IT

tl;dr: Bugcrowd is offering an “Attack Surface Management” service, where their researchers will do asset inventory for you. Makes sense for Bugcrowd to offer given their current resources. This approach has some pros, but I’m unsure if they’ll be able to incentivize consistent, continuous good coverage.

As we’ve seen in tl;dr sec #8, #9, and #10, asset inventory is a hot space right now. Bugcrowd is now joining the fray with their product “Attack Surface Management” (announcement blog post, product page).

As far as I can tell, the service is basically just paying some of Bugcrowd’s researchers to do asset discovery for you. My initial thoughts on this approach:

Pros:

  • Keeps up with new asset discovery techniques as security tools and methodologies evolve.
  • (In theory) Can handle acquisitions, shadow IT, and other edge cases where “internal” solutions may fail, where you need to provide an AWS access key or otherwise have some level of control over the infrastructure; you can’t also do this, for example, in massive international companies with distributed development and IT teams.
  • (For Bugcrowd) They can leverage their existing resources (researchers) without having to build out new software that could be time-intensive and complex.

Cons:

  • I’m unsure of how complete and rigorous coverage will be for one’s exposed attack surface over time. More on this below.

The open secret about bug bounty (is it even a secret?) is that while platforms tout how many researchers they have (“We have 1 BILLION expert hackers ready to…”), most of the accounts are probably inactive.

Of the active accounts, most are either script kiddies or people who report issues like, “By right-clicking on your web page I can view your site’s source code. Hacked! Bug bounty plz.” I’d guesstimate most bug bounty platforms have at most a few thousand competent security professionals that semi-regularly report bugs, with maybe 100-200 people who are excellent.

So given how limited active, knowledgeable bug bounty researchers there are, I’d be curious to see how Bugcrowd plans to effectively incentivize them to continuously monitor companies’ externally facing attack surface.

To me, for a researcher, it seems like the incentive would be more to do a deep, thorough job as soon as a company registers for this service, make some quick $$$, then check back in quarterly or after a big event like an acquisition. Maybe the top researchers will just set up some automated scripts and periodically check the results, as I’ve heard some already do for detecting website changes that indicate new or modified functionality.

It will be interesting to see Bugcrowd’s long term plans for this service. Will they attempt to observe the processes and methodologies of their top researchers working for the service, then use their engineering team to build out a more production-ready, scalable version and cut out the middle men? Like Lyft and Uber working hard to build autonomous vehicles.

…and one more thing
Other asset inventory companies include Assetnote and Intruder.io, who focus on monitoring companies’ external attack surface. (Thanks David Scrobonia and JB Aviat)

⭐ New Summary: Being Powerful While Powerless: Elevating Security By Leading Without Authority

Title Slide

In this Global AppSec Amsterdam 2019 talk, Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a senior title.

I liked this talk because it discusses common challenges that resonate with many security teams:

  • Given a preciously finite amount of security engineer time, how do you scale the security team’s visibility and impact in a company?
  • How do you effect organizational change when you can’t lean on a director-level title?

Read the full summary here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @programanalysis