#security

Archive: https://archive.sweetops.com/security/

2019-10-15

Richard Pearce
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

A vulnerability in Sudo, tracked as CVE-2019-14287, could allow Linux users to run commands as root user even when they’re restricted.

Erik Osterman

Hah was just going to share this


2019-10-10

sarkis
Kubernetes 'Billion Laughs' Vulnerability Is No Laughing Matter - The New Stack

A new vulnerability has been discovered within the Kubernetes API. This flaw is centered around the parsing of YAML manifests by the Kubernetes API server. During this process the API server is open to potential Denial of Service (DoS) attacks. The issue (CVE-2019-11253 — which has yet to have any details fleshed out on the page) has been labeled a ‘Billion Laughs’ attack because it targets the parsers to carry out the attack.

2019-09-16

Erik Osterman
Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak

Google Project Zero security researcher reveals that the LastPass password manager could, somewhat ironically, leak the last password you used to any website you visited

Thanks for sharing, Erik

2019-09-12

Erik Osterman
If you’re not using SSH certificates you’re doing SSH wrong

SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

kskewes

How does this compare to teleport by gravitational? Looks very similar.

Erik Osterman

Yep. This is what teleport does (and then some!)

Erik Osterman

teleport adds full TTY session logging and replay which is priceless. no other solution has that.

Erik Osterman

@kskewes do you use teleport?

Erik Osterman

This article goes more into the theory of why you should do it and how you would do it with off the shelf open source software.

kskewes

Thanks for the quick reply. I only skimmed the article but it looks good whichever way one goes. I’ve been wanting to roll out teleport for a year but other projects keep leapfrogging it. So not yet… :(

Erik Osterman

Are you on k8s?

kskewes

Mostly. We have some bare metal with GPU that we will move to VM soon. We’re about to embark on migration to AWS from IBM.


2019-09-10

Jonathan Le

Anyone have experience with running Palo Alto networks firewalls at scale on AWS?

2019-09-05

Maciek Strömich
grsecurity - Teardown of a Failed Linux LTS Spectre Fix

grsecurity is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration.

2019-09-04

is there more of a security risk having SHA1 (i.e. AES128-SHA, ECDHE-ECDSA-AES128-SHA) ciphers in the ELB TLS security policies?

Maciek Strömich

as always, it depends

Maciek Strömich

thanks!

2019-08-30

Hey, anyone using Pomerium?

Maciek Strömich

I wouldn’t trust any 3rd party proxy/vpn provider to allow access to my internal infrastructure, regardless of the purpose of such infrastructure.

Jonathan Le

What do you use?

Maciek Strömich

openvpn if I need a vpn

Maciek Strömich
A very deep dive into iOS Exploit chains found in the wild

Posted by Ian Beer, Project Zero Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report se…

2019-08-29

Maciek Strömich
Non-root containers, Kubernetes CVE-2019-11245 and why you should care | Twistlock

On May 31st, the Kubernetes Product Security Committee announced a security regression in Kubernetes for which they had assigned CVE-2019-11245. The problem caused containers that use images which are supposed to run with a non-root user to run as root, on the second time they are used or upon restart of the container. Before …

2019-08-28

Sharanya

Did anyone come across NPM memory issues?

2019-08-27

Has anybody used any of the AWS WAF subscriptions? Any feedback?

From reviews, looks like it’s really a black box

Jonathan Le

I have used them

Jonathan Le

what do you want to know?

Jonathan Le

They’re totally a black box

Jonathan Le

you can set up some logging now to see what gets blocked, but you have no influence on changing that blocking rule

Jonathan Le

For compliance reasons, you can set up a “swiss cheese” WAF… and maybe for some protections on some WordPress or static sites.

Jonathan Le

I can’t recommend them elsewhere, but that was my experience with it about 1.25 years ago. If you can afford it, I hear great things about Signal Sciences.

Jonathan Le

@Jonathan Le “no influence on changing that blocking rule” sounds like a non-starter.

Or is there an ability to whitelist/bypass the rules?

Jonathan Le

It was a large glob of rules when I was using it - not sure if they broke that out in the last year. If they did, I’d imagine that for each exposed rule name you can do “Override to count”, which basically makes that specific rule fire with a “[non]fail to open”.

Jonathan Le

If you investigate it, let me know if they expose the rules now.

2019-08-09

Erik Osterman
Privacy law exploited to reveal fiancee’s data

One in four firms holding a test subject’s data released it to her partner without her permission.

@Erik Osterman going to use this one in my industry updates for my meetup. its a great article

Erik Osterman

This is serious and confirms my suspicions with this well-intentioned but wholly unrealistic provision of GDPR.

Erik Osterman

This should be a walk in the park for identity thieves. Thieves are already able to social engineer their way through companies that make it difficult for identity thieves (banks, telephone companies, etc). How are smaller, less sophisticated companies going to be capable of performing sufficient identity verification?

2019-08-08

chrism
bitnami-labs/sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets - bitnami-labs/sealed-secrets

kskewes

We use it. Simple and reliable. Have added some Prometheus metrics And mixin in a fork. Waiting for maintainer feedback before submitting PR.

2019-08-05

Jonathan Le

Anyone here have any experience with network micro segmentation on AWS? Just starting down the path of researching this subject and looking for links/recommended tools esp./papers

Erik Osterman

can you elaborate on your usecase?

Jonathan Le

Where I’m at right now, I spend a lot of time trying to support network comms and the things allowed to egress/ingress on each subnet with a combination of Network ACLs, Security Group rules and outbound Palo Alto Networks firewalls.

This is the customer’s design and I can already see it starting to reach its limits. On AWS NACLs you get 40 ingress and 40 egress rules per subnet at max…

I saw some interesting articles about network “microsegmentation” a few years ago, but never had a chance to look at it. I think this is what the customer is trying to achieve - complete control and visibility of an app’s traffic flows across the network with a “whitelist” only approach down to ports + protocols.

I’ve had to table this topic for at least one more sprint, but will probably do a spike on it soon.

2019-08-02

A Technical Analysis of the Capital One Hack

The recent disclosure of yet another cloud security misconfiguration leading to the loss of sensitive personal information made the…

2019-07-30

aknysh
More Than 100 Million Consumer Personal Data Leaked After A Massive Cloud Breach At Capital One

Atherton Research’s Principal Analyst and Futurist Jeb Su offers his key takeaways of the latest Capital One massive data breach scandal that has affected over 100 million individuals in the United States and Canada.

These headlines are barely shocking anymore. > 10 million is the new normal when it comes to data breaches.

2019-07-13

Maciek Strömich

Something to be aware of when choosing pw manager just for local storage option

2019-06-27

Is anybody using an IDS/IPS solution in their AWS environment?

Erik Osterman

We are currently implementing the whole suite of AWS security related products. Macie, GuardDuty, CIS Foundations with CFN, AWS Config with aggregation, AWS Inspector, AWS Security Hub

chrism

We use Inspector/GuardDuty/watch/etc; Config’s pricing is off-putting

Thanks. Have you guys heard of Security Onion? Looks like an interesting option and the new VPC mirroring should help with setting it up

AFAIK Guard Duty does not fully qualify as IDS/IPS

Alex Siegman

Interesting. If it all shows up in cloudtrail, while it won’t be as user friendly as something like teleport, it seems like it’s not a bad substitute if it doesn’t cost an arm and a leg

Erik Osterman

Although no kubectl integration -> k8s rbac

Blaise Pabon


EC2 Instance Connect is now available at no additional cost in US East (Ohio and N. Virginia), US West (N. California and Oregon), Asia Pacific (Mumbai, Seoul, Singapore, Sydney, and Tokyo), Canada (Central), EU (Frankfurt, Ireland, London, and Paris), and South America (São Paulo) AWS regions.


this is nice, had to use https://github.com/Netflix/bless in the past to achieve the same thing

Blaise Pabon

Oh wow @btai: I did not know about Bless. This looks cool!


@Blaise Pabon I’m not sure it’s worth the hassle anymore because of EC2 Instance Connect

Blaise Pabon

but maybe to use internally between apps? I guess that would be what KMS is for (I’m relatively new to AWS)


2019-06-26

Mike Nock

“The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,” it said in a statement to Reuters.

Bahahahahaha, righttttt lol

Erik Osterman
How to Protect Yourself From the New macOS Security Vulnerability

Mac users take heed: A recently disclosed vulnerability present in the macOS Gatekeeper—otherwise known as the “Cavallarin” exploit—has reportedly been leveraged by adware creators. It’s times like these when we’re reminded of the best advice for keeping your Mac protected from these kinds of issues: When in doubt, install apps from the Mac App Store or trusted third-party sources, not just any ol’ thing you found on the internet.

2019-06-14

Maciek Strömich
Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor

Critical Code Execution Flaw (CVE-2019-12735) Found in the Popular Vim and Neovim Linux Editors


2019-06-07

Bogdan

anyone knows a faster way to setup Vault than described in https://github.com/hashicorp/terraform-aws-vault ?

hashicorp/terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer - hashicorp/terraform-aws-vault

Fast? Don’t think so. Depends on your target config.

2019-05-23

Maciek Strömich
Two more Microsoft zero-days uploaded on GitHub | ZDNet

SandboxEscaper has now published seven zero-days in Microsoft products; two more to come.


2019-05-16

Maciek Strömich
Microsoft’s First Windows XP Patch in Years Is a Very Bad Sign

A very bad vulnerability in Windows XP could have serious ramifications, even with a patch.


2019-05-15

Maciek Strömich
Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs

Two different groups of researchers found another speculative execution attack that can steal all the data a CPU touches.

2019-05-09

Exequiel Barrirero

For Alpine Linux container based implementations.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
CVE - CVE-2019-5021

Common Vulnerabilities and Exposures (CVE®) is a list of entries — each containing an identification number, a description, and at least one public reference — for publicly known cybersecurity vulnerabilities. Assigned by CVE Numbering Authorities (CNAs) from around the world, use of CVE Entries ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

2019-05-02

Maciek Strömich
Remote Code Execution on most Dell computers

What computer do you use? Who made it? Have you ever thought about what came with your computer? When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is “What third-party software came with my PC?”. In this article, I’ll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to “proactively check the health of your system’s hardware and software” and which is “preinstalled on most of all new Dell devices”.

2019-05-01

Issif/sysdig-vs-malware

A short story about how Sysdig helped us to unreveal a malware - Issif/sysdig-vs-malware

2019-04-30

Maciek Strömich
Vodafone Found Hidden Backdoors in Huawei Equipment

While the carrier says the issues found in 2011 and 2012 were resolved at the time, the revelation may further damage the reputation of a Chinese powerhouse.

Erik Osterman

Wow

Erik Osterman

Finally the smoking gun

2019-04-29

Maciek Strömich

but tbh, it was a matter of time when that happens. too valuable of a target

2019-04-26

Erik Osterman

Docker Hub Hacked. 190K accounts affected (~5%), GitHub tokens may be exposed.


2019-04-10

Erik Osterman
A Peek Into the Toolkit of the Dangerous Triton Hackers

Security firm FireEye is naming a collection of tools it says might help identify more active Triton intrusions.

2019-04-08

Erik Osterman
No one, not even the Secret Service, should randomly plug in a strange USB stick

If you’ve been on Twitter today, you’ve probably seen one story making the rounds. So the Secret Service stuck Zhang’s thumbdrive into their computer. https://t.co/0T6LAfOtEl http://pic.twitter.com/RSfUgw4I4n — Chris Wysopal (@WeldPond) April 8, 2019 The case follows a Chinese nation…

2019-03-28

chrism

Ha yeah; worked with him once. I’m surprised he knew how to delete anything

chrism

that reports wrong of course

chrism

he’s serving 12 months

chrism

and 1 year on license

chrism

“the company lost ‘big contracts with transport companies’ to the tune of £500,000” If you’re in AWS sharing creds and no 2FA you don’t really get sympathy

chrism

“Could Voova have avoided this crisis? Yes, and the solution would have been simple: a 2FA (two-factor authentication) system. By implementing this system, when Needham logged into the system a text message would’ve been sent to Speedy’s smartphone also asking for permission to login” When you write an article but don’t bother to look at the auth options

chrism

… journalists, pfft


2019-03-27

I think LastPass offers better enterprise support. They have an extensive list of policies.

2019-03-26

how do you guys send sensitive data to each other? i use keybase but was wondering if there are better alternatives

Erik Osterman

Keybase

Erik Osterman

But 1Password just added the ability to share to individuals

Erik Osterman

Also, chamber is ideal for development secrets

i use 1pw for personal

Erik Osterman

We use 1Password for teams

Erik Osterman

It’s great

Erik Osterman

Plus integrates with Duo for MFA/geofencing

Erik Osterman

And supports slack notifications so we have an easily accessible audit log

Tim Malone

@Erik Osterman Geofencing for passwords… is this some fancy voodoo? (like, i can only log in when i’m in the office?)

Erik Osterman

Yea Duo works with push, so if your phone is not in a specific geography (not sure how specific) it will reject the request. E.g. coming from North Korea ;)

Tim Malone

oo fancy!

@Erik Osterman I love 1PW, my company (like most) uses lastpass cause it’s cheaper :P

Erik Osterman

Yea it seems like party lines are drawn between LastPass and 1p. I never got used to the LastPass UI. Briefly used Dashlane for 1 year and so happy to be back to 1Password.

2019-03-13

chrism

Aqua Security has a good microscanner

anyone running zero-trust even for their mail/collaboration/etc and integrated with MDM/EMM?

davidvasandani

There are three new Rails security issues that were just released. This can lead to remote code execution, file disclosure and denial of service.

https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw


2019-03-12

Maciek Strömich

does anyone use something like anchore to scan docker images for vulnerabilities?

Maciek Strömich

or Clair maybe?

Erik Osterman

#codefresh has many examples for using Clair

Erik Osterman

(not the channel, but the docs)

2019-03-09

Erik Osterman
Iranian hackers ransack Citrix, make off with 6TB+ of emails, biz docs, internal secrets

Remote-desktop giant ‘among more than 200 govt agencies, oil, gas, tech corps’ hit by cyber-gang

2019-03-07

Maciek Strömich

I only heard about https://github.com/fffaraz/dockerweb some time ago but never used it

fffaraz/dockerweb

A docker-powered bash script for shared web hosting management. The ultimate Docker LAMP/LEMP Stack. - fffaraz/dockerweb

Richard Pearce
New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

Update your Google Chrome browser immediately to patch a new high-severity zero-day RCE vulnerability (CVE-2019-5786) that hackers are actively exploiting in the wild


2019-03-06

Erik Weber

Is anyone familiar with any webserver security check tools? I have a couple of servers that do shared hosting (don’t get me started on why…) and I’d like to assess whether or not they are secure enough (as far as shared hosting can get secure)

Erik Weber

That is, I’m interested in the actual server configuration, not individual web applications

Erik Osterman

@Erik Weber is this in a containerized env?

Erik Weber

Unfortunately, no

Erik Osterman

Hrm… yea, don’t have any suggestions for that.

Erik Weber

Thanks anyway. Do you know of any container based shared hosting solutions? I’ve taken over some legacy crappy shared webservers I’d like to get rid of

2019-02-27

Maciek Strömich
Top ten most popular docker images each contain at least 30 vulnerabilities | Snyk

we found that 44% of docker image scans had known vulnerabilities, and for which there were newer and more secure base image available. Most vulnerabilities originate in the base image you selected. For that reason, remediation should focus on base image fixes.

Maciek Strömich
88% increase in application library vulnerabilities over two years | Snyk

A good number of security vulnerabilities are discovered and fixed in non-official channels. We measured Snyk DB to uncover 67% more vulnerabilities than public databases. In 2018, new disclosures for npm grew by 47%, and Maven Central grew by 27%

2019-02-18

I’ve been pretty active in getting http://github.com/pomerium/pomerium up and working, which is a fork of buzzfeed/sso with OIDC support (not my project, but have been contributing to it since I found it).

pomerium/pomerium

Pomerium is an identity-aware access proxy. Contribute to pomerium/pomerium development by creating an account on GitHub.

antonbabenko

This is awesome! I’ve been looking for such tool because I don’t want to deal with VPN.


Not sure pomerium is the full picture for zero-trust and no vpn. I particularly miss A) documentation B) where is this covered? “device state.”


2019-02-14


2019-02-13

It works well!

the official stable chart has been updated to reflect that: https://github.com/helm/charts/tree/master/stable/oauth2-proxy not sure https://github.com/cloudposse/charts/tree/master/incubator/oauth2-proxy is still needed (it’s out of date)

helm/charts

Curated applications for Kubernetes. Contribute to helm/charts development by creating an account on GitHub.

cloudposse/charts

The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts

It’s a shame that buzzfeed/sso is so poorly documented

Erik Osterman

and doesn’t support OIDC, WebSockets or half the jazz of bitly’s proxy

There is that as well

because the idea of splitting the proxy part (so it can be used as sidecar) is really nice

I’m also looking at https://ory.sh but seems so young (oathkeeper)

ORY - Open Source OAuth2 and OpenID Connect Access Control & API Security

Implement OAuth 2.0 and OpenID Connect in minutes with open source from ORY. Works in both new and existing systems.

2019-02-12

Erik Osterman

finally an official fork of bitly oauth2 proxy

Erik Osterman
pusher/oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider - pusher/oauth2_proxy

Erik Osterman

with fixes for OIDC support

2019-01-23

Erik Osterman
Polyverse Corporation

Moving Target Defense, Zero Day & Cyber Resilience

2019-01-22

duo-labs/cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. - duo-labs/cloudtracker

2019-01-15

Maciek Strömich

not sure how many of you are windows users/admins and how many of you follow hackernews (hopefully all) https://thehackernews.com/2019/01/vcard-windows-hacking.html

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

Unpatched Zero-Day vCard Contact File Vulnerability Could Let Attackers Compromise Your Windows Computer


2019-01-14

The laws of Australia will trump the laws of mathematics: Turnbull | ZDNet

Despite calling the laws of mathematics ‘commendable’, the prime minister of Australia told ZDNet the only law that applies in Australia is the law of Australia when it comes to legislating decryption.

That’s from July, but they actually passed the bill in December

Maciek Strömich

july 2017


2019-01-10


2018-12-27

Erik Osterman
Using Cloudflare Workers to identify pwned passwords

Last week Troy Hunt launched his Pwned Password v2 service which has an API handled and cached by Cloudflare using a clever anonymity scheme. The following simple code can check if a password exists in Troy’s database without sending the password to Troy.

2018-12-26

Erik Osterman

And then using this pattern with Kubernetes https://www.bitservices.io/blog/confd-kubernetes/

confd With Kubernetes

Using confd to Inject Secrets into Kubernetes Pods Whilst using Kubernetes over the past few months, one challenge I repeatedly faced was to get secrets - such as passwords, SSH keys or certificate keys - securely into applications running on Kubernetes. Whilst this is quite easy if the container image is under your full control, to achieve this with an ‘off the shelf’ image is a little more tricky.

mrwacky

Are k8s secrets still unencrypted in etcd?

mrwacky

and not at all secret?

Erik Osterman

they are encrypted at rest in etcd

mrwacky

that seems new since I last looked (1+ year ago)

Erik Osterman

though I guess it depends on your k8s implementation

Erik Osterman
cloudposse/geodesic

Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. https://slack.cloudposse.com/ - cloudposse/geodesic

Erik Osterman

here’s the setup in kops manifest

Erik Osterman

I’m not comfortable with secrets at present because they are in the clear. I attended a kubecon session on security, they talked about the encryption providers: https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

2018-12-20

sarkis

yea, great timing…

mrwacky

I think I might prefer a git credential helper instead

Erik Osterman

haha, yea, in the end I’ll be using my OSX keychain instead

Erik Osterman

here’s where I see this as interesting: EC2 Instance “master keys”

Erik Osterman

while these should not be used for regular maintenance

Erik Osterman

they can be good as a last resort

Erik Osterman

this lets you store them in a centralized place and use IAM to control who has access to them.

Erik Osterman

while also leveraging them from the command line to connect

mrwacky

we have our vault unseal token in SSM

Erik Osterman

exactly - like that

Erik Osterman

are you using vault enterprise or the community edition?

mrwacky

community

mrwacky

my understanding is they’ve added auto-unseal to enterprise

Erik Osterman

…the other way around

Erik Osterman

auto-unseal is now available in CE using KMS

mrwacky

that’s what I meant

sarkis

Whoa this is really nice for the times you need a server to grab a deploy key… i had been grabbing the private deploy key from hashicorp vault or aws ssm - but then writing to a file . Didn’t think of temporary add to a ssh-agent!

Erik Osterman

Nice trick

2018-12-19

Erik Osterman
What Is AWS Client VPN? - AWS Client VPN

Enable access to your VPC and on-premises network from anywhere, on any device.

Erik Osterman

oh joy!

Erik Osterman

just something in time for the holidays… a gift to the spammers & scammers for christmas

2018-12-16

Erik Osterman
mumoshu/falco-operator

Kubernetes operator for Sysdig Falco that allows developers to manage rules for detecting intruders and backdoors - mumoshu/falco-operator


2018-12-05

aknysh

lololol

Erik Osterman

gravitational guys have reproduced the kubernetes exploit

2018-12-04

Erik Osterman
HashiCorp Vault 1.0

Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application…

Erik Osterman

@antonbabenko auto unseal has arrived

joshmyers

About time.

antonbabenko

Beautiful

2018-12-03

Erik Osterman

this is neat: https://privacy.com/

Privacy — Seamless & Secure Online Card Payments

Checkout securely online by creating unique virtual card numbers for every purchase. Avoid data breaches, unwanted charges, and stolen credit card numbers.

2018-11-30

Erik Osterman
Marriott hack hits 500 million guests

The hotel chain says details of up to 500 million guests may have been accessed in a database breach.

Erik Osterman

Basically if you’ve stayed at Starwood’s hotel brands that include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton - your information is pwned

Erik Osterman

name, address, phone number, email address, passport number, account information, date of birth, gender, arrival and departure information

aknysh

how do they have so many people?

Erik Osterman

Starwood is one of the largest international hotel chains

tamsky

read: all guest stay details since ~2014

tamsky

luckily I can change my passport number quite easily – thanks to my newfangled e-ink passport

Erik Osterman

Whatttt??

Erik Osterman

Is that for real? E ink passport?

tamsky

lol

tamsky

trolled

tamsky

just imagine: single use passport numbers

tamsky

I think this should just teach folks everywhere to rarely share accurate details that are never used with folks that don’t need the details. Typically there are no consequences for providing a wrong birthdate / address / phone / passport#

joshmyers

Oh dear.

Erik Osterman

1Password should implement an identity generator

Erik Osterman

So I can have a unique identity for every property

tamsky

I like that idea

tamsky

can it also make up unique answers to “security” questions too ?

Erik Osterman

But let 1p keep track of it so I am not stuck in identity verification hell

Erik Osterman

Yea

joshmyers

@tamsky an e-ink passport?

joshmyers

Ah, as someone that has worked at the UK passport office that sounded interesting :D

So the sad part is, they store everything, but when you checkin at the hotel you still wait 10 minutes for the clerk to type everything over again and again


Next hack will be Hertz & Enterprise

tamsky

https://www.gemalto.com/govt/travel/security-printing – apparently counterfeiting is still a thing

Security Printing: a 2018 Guide to Passport Papers and Design

Security Printing solutions for national passport integrity : an expert guide on how best Gemalto use paper elements to protect any principles of passport design.

Stuff like this makes GDPR a very needed initiative… Policy.

tamsky

I dunno, I feel like fines, or the threat of fines, won’t prevent these events

tamsky

fines don’t get anyone’s data back

Fines will make companies do more to prevent things like this from happening. Personal data must be spread out, and for warehousing it must be anonymized, for example. Also the retention of data is a topic.


I was a customer of Marriott in 2015… why is my data still there?

tamsky

agree with all that

joshmyers

Aye, I know UK PCI mandates data can only be stored for a year, not sure about PII


2018-11-27

joshmyers
I don't know what to say. · Issue #116 · dominictarr/event-stream

EDIT 26/11/2018: Am I affected?: If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It on…

joshmyers

Aye, people giving maintainer quite a lashing

Erik Osterman

yea, it’s given me pause

Erik Osterman

we also maintain cloudposse/packages which basically bundles other repos binaries

Erik Osterman

need something like that for npm

loren

blockchain for packages lol

tamsky

I don’t feel like a web of trust helps prevent the attack; and only marginally affects the ability to cast blame. Malicious code/package changes could happen, but a developer may be only guilty of having their signing key compromised.

Erik Osterman

security is always just about layers

Erik Osterman

a developer can also be held at gun point

joshmyers

^^ Sounds like suggesting a key signing party. Weird places

mrwacky

I’m still waiting for the first malicious Ubuntu PPA

2018-11-26

aknysh
Announcing the First AWS Security Conference: AWS re:Inforce 2019 | Amazon Web Services

On the eve of re:Invent 2018, I’m pleased to announce that AWS is launching our first conference dedicated to cloud security: AWS re:Inforce. The event will offer a deep dive into the latest approaches to security best practices and risk management utilizing AWS services, features, and tools. Security is the top priority at AWS, and […]

2

2018-11-22

Erik Osterman

Uh oh, think solar winds properties were hacked

Erik Osterman
02:24:18 AM
Erik Osterman

Wow they are planning a 500m IPO

Erik Osterman
SolarWinds Plans $500M IPO Three Years After Exiting Public Market

The provider of IT management solutions, currently owned by two private equity giants, has expanded its cloud capabilities this year through two major acquisitions

2018-10-12

samh
10:30:05 PM

@samh has joined the channel

2018-10-11

antonbabenko

Yes, this sounds like what I have meant. Where did you see it? URL?

antonbabenko

Thanks everyone for a bunch of security links!

Erik Osterman

(Meetup today / presenter was from hashicorp)

Erik Osterman

Expect announcement at hashiconf

antonbabenko

Ahh, I thought it was there already. Yes, I know, there will be a few exciting things announced there. Looking forward to it

mrwacky

@Gabe - of course you’re already here

1

it’s where i saw pacbot

@endofcake have you used it?

any thoughts/opinions?

endofcake

PacBot was released on Oct 5. Today is Oct 12. No, I haven’t used it, @Gabe.

1
antonbabenko

What did you do the whole week???

1
endofcake

I’ve been loafing, clearly )

1

Ohhh… didn’t realize it was that new

2018-10-10

endofcake

PacBot by T-Mobile for compliance monitoring - potentially useful? Quite heavy weight though, what with Redshift as one of the dependencies. https://github.com/tmobile/pacbot

tmobile/pacbot

PacBot (Policy as Code Bot). Contribute to tmobile/pacbot development by creating an account on GitHub.

Max Moon

not quite as comprehensive but another similar project i was looking at last year: https://github.com/capitalone/cloud-custodian

capitalone/cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources - capitalone/cloud-custodian

aknysh

a bunch of other security stuff

aknysh
22 Most Under-Used AWS Security Metrics – Threat Stack

22 AWS security experts provide insights into important, yet often overlooked AWS security metrics by answering this question:

aknysh
CloudSploit Scans - AWS Security Scanning Checks

Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security

aknysh
Netflix launches tool for monitoring AWS credentials

At Black Hat 2018 in Las Vegas, Netflix security engineer William Bengtson explained how his company monitors AWS credentials and introduced a new open source tool, called Trailblazer.

aknysh
Dow Jones Develops Automated Security Tool

The new tool, called Hammer, was developed partly in response to the growing need for automation amid talent shortages and the fast-paced nature of software development, said Dow Jones CISO Jaswinder Hayre.

Erik Osterman

@antonbabenko from the horse's mouth: kms-based auto unsealing for vault getting released to open source

2
antonbabenko
03:38:19 AM

@antonbabenko has joined the channel

Erik Osterman

Looks like your dream of simplifying module will be made easier

2018-10-01

Erik Osterman
forward3d/garrison

Security, Compliance and Informational Dashboard System - forward3d/garrison

Erik Osterman
06:03:03 PM
Erik Osterman

@Daren @Max Moon

Erik Osterman

looks pretty!

Daren
06:06:57 PM

@Daren has joined the channel

2018-09-26

Max Moon
genuinetools/bane

Custom & better AppArmor profile generator for Docker containers. - genuinetools/bane

2018-09-22

Erik Osterman
Single Sign-On for Internal Apps in Kubernetes using Google Oauth / SSO

NOTE: This guide is geared towards a Kubernetes cluster running in AWS. You might have to tweak things to fit your needs.

Erik Osterman

Looks like an alternative to the bitly oauth2 proxy which is unmaintained

Erik Osterman

But this one seems pretty tightly coupled to google

Erik Osterman
jenkins-x/sso-operator

Single Sign-On Kubernetes operator for Dex identity provider - jenkins-x/sso-operator

Erik Osterman
Proposal for Official Fork · Issue #628 · bitly/oauth2_proxy

Hi, As everyone here can see, the project is almost abandoned. I believe someone or preferably a group of people fluent in Go lang should create an 'official' fork of the project so the com…

Erik Osterman

@Igor Rodionov the bitly oauth2 proxy Is officially abandoned by bitly and will be archived by the end of the month

Erik Osterman
[stable/oauth2-proxy] Deprecates oauth2-proxy by compleatang · Pull Request #7454 · helm/charts

Upstream for this project (which has not worked in ages against anything close to a current implementation of ingress controllers) has been abandoned. See bitly/oauth2_proxy#628 (comment) My compan…

Igor Rodionov
09:42:41 PM

@Igor Rodionov has joined the channel

Erik Osterman

@Max Moon should probably consider replacing oauth2 proxy with CloudFlare access

Max Moon
09:51:13 PM

@Max Moon has joined the channel

2018-09-12

Erik Osterman
Dynamic SSH Keys - SSH - Secrets Engines - Vault by HashiCorp

When using this type, the administrator registers a secret key with appropriate sudo privileges on the remote machines. For every authorized credential request, Vault creates a new SSH key pair and appends the newly-generated public key to the authorized_keys file for the configured username on the remote host. Vault uses a configurable install script to achieve this.

It’s been deprecated, so I ended up using SSHCA instead.

Erik Osterman

Yea sorry linked to wrong page

It’s cleaner too, because you’re not constantly shedding keys to the target servers; they just trust the vault CA and vault gives out short-lived certs

Erik Osterman

Yea like with teleport and Netflix bless

Erik Osterman

How long have you been using it?

Erik Osterman

Was it easy to get up and running?

At that time we had Puppet pushing changes so adding the cert wasn't too bad… Ansible would have been just as easy

That’s the hardest part: pushing the trusted public to all your machines

Are you redeploying? Do you have some kind of cfg management? Etc.

Security had a big requirement of no self-signed so I had to follow extra steps to make vault an issuing CA and not a root. But that’s a one time thing

Erik Osterman

No, our case is a bit different. Would be containers.

Ssh into containers?

Erik Osterman

But I think we will stick with teleport approach

Erik Osterman

Bastions are deployed as containers

In your case rebuild lol. But yeah, didn’t try it on containers (should work just fine)

Does teleport track logins? That was the thing our security team liked. It logged every access request

“jking requested a cert for the next 1hour for target y”

loren

this was just released, but may not help with containers, https://aws.amazon.com/blogs/aws/new-session-manager

loren

but it does track and audit the logins and commands

Just tried using that today… But our ssmagent is too old.

Looks nice though

Erik Osterman

That’s cool. Didn’t see the announcement.

In the containers I had (company actually moved off them) we tried to just parse logs and redeploy. Bastions were traditional hosts

Yeah, I think a ssmagent update is in the backlog. If it works like Azure then it will be nice to be able to disable ssh

loren

New release enabling the ssm session manager, https://github.com/aws/amazon-ssm-agent/releases/tag/2.3.50.0

aws/amazon-ssm-agent

Agent to enable remote management of your Amazon EC2 instance configuration. - aws/amazon-ssm-agent

5
sarkis

Late to this… Looks interesting, I can’t think of use cases though. I gravitate more towards immutable infra these days so I can’t think of a reason I’d want to run a command on an ec2 instance, I’m prob not thinking hard enough!

loren

i gravitate there also… but sometimes it takes a while to get the immutable bits all just right, and maybe the instrumentation isn’t perfected yet. can be pretty valuable to poke around to see what failed and maybe try a couple options at fixing, before patching upstream

Erik Osterman

yea, for triaging/RCA, it’s difficult to escape

Erik Osterman

that said, teleport is still a better product IMO b/c it supports session logs

loren

my understanding was that this also captured the session, stored in cloudwatch logs?

loren

from the blog post:
Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.
https://aws.amazon.com/blogs/aws/new-session-manager

loren

is a session log something different in teleport?

Erik Osterman

No, that’s the same thing. I missed that. I thought it was slated as a later feature.

Erik Osterman

I wonder how it works if it is a raw log

Erik Osterman

E.g. replaying a vim transcript.

Erik Osterman

With teleport, you get a YouTube style playback

loren

looks like a textual log, not a video, according to screenshots later in that blog… not sure how it would work with vim


2018-09-11

Erik Osterman

Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks

Erik Osterman

Surprised it’s not enabled by default

tamsky

is lol an appropriate response?

1
Erik Osterman

Yea, it is. Surprised me too.

2018-09-07

endofcake
09:30:04 PM

@endofcake has joined the channel

2018-09-02

2018-08-28

Arkadiy
06:21:56 PM

@Arkadiy has joined the channel

2018-08-27

loweryr
03:12:37 PM

@loweryr has joined the channel

2018-08-23

Erik Osterman

@adamstrawson says:
That did the trick, thanks. Next question I’m afraid, I’m struggling to see how you get the github-authorized-keys container and the bastion container to work together. They’re both running and working independently, but the bastion container doesn’t seem to want to do anything with the keys (e.g. if I ssh to -p 1234, I get permission denied.) github-authorized-keys has synced the users and keys to the host machine (I can ssh fine to the host machine with a synced user), but via the bastion container it doesn’t detect any keys. Can’t see in the docs how the two work together

adamstrawson
10:55:36 PM

@adamstrawson has joined the channel

Erik Osterman

so in the bastion container, are you bind-mounting /etc/passwd from the host machine?

Erik Osterman

the other thing to check is that the github-authorized-keys command in the bastion container can talk to the host API

Erik Osterman
cloudposse/bastion

bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support

Erik Osterman

you might need to change API_URL

Erik Osterman

since localhost in the container is not equal to localhost of the node

Erik Osterman

(when we deployed this, we deployed the github-authorized-keys container and bastion container in the same Pod in kubernetes - which allows them to talk over localhost)

aknysh
10:59:41 PM

@aknysh has joined the channel

loren
12:45:22 AM

@loren has joined the channel

2018-08-22

2018-08-21

tarrall
01:46:17 AM

@tarrall has joined the channel

2018-08-15

Dylan
07:39:13 PM

@Dylan has joined the channel

2018-08-08

2018-08-05

jylee
04:29:28 PM

@jylee has joined the channel

2018-08-04

tamsky

https://apple.stackexchange.com/questions/48502/how-can-i-permanently-add-my-ssh-private-key-to-keychain-so-it-is-automatically

  • this OSX feature lets users pick a high entropy passphrase and have ssh-add -K store the phrases in Keychain.
  • this also means we can’t easily type the passphrase (when requested) when geodesic shell starts
How can I permanently add my SSH private key to Keychain so it is automatically available to ssh?

It seems that ssh-add -K ~/.ssh/id_rsa will load your key but will ask for the password each time you reboot. I am looking for a solution that would not require me to re-enter the key password bet…

tamsky

all this makes me think that my ssh-agent should live on a secure device that prompts me on each use

Erik Osterman

yea, would be neat if the yubikeys could act as an SSH agent

Erik Osterman

Also, if adding UseKeychain yes, recommend also adding IgnoreUnknown UseKeychain because the UseKeychain extension is not supported by alpine linux.

Erik Osterman
cyberark/summon-aws-secrets

summon-aws-secrets - Summon provider for AWS Secrets Manager

Erik Osterman
cyberark/summon

summon - CLI that provides on-demand secrets access for common DevOps tools

Erik Osterman

it’s like chamber but for aws secrets manager.

Erik Osterman

So, I had kind of written off secrets manager because of the ease of use of chamber.

Erik Osterman

but the automatic key rotation feature using lambdas seems pretty sweet from a compliance POV

Erik Osterman
Rotate Amazon RDS database credentials automatically with AWS Secrets Manager | Amazon Web Services

Recently, we launched AWS Secrets Manager, a service that makes it easier to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. You can configure Secrets Manager to rotate secrets automatically, which can help you meet your security and compliance needs. Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and […]

Erik Osterman

@Jeremy Grodberg

Erik Osterman

Heh, far from “turnkey”

Erik Osterman
Secrets Manager Lambda Rotation Template: RDS MySQL Single User - AWS Secrets Manager

The following is the source code that’s initially placed into the Lambda rotation function when you choose the SecretsManagerRDSMySQLRotationSingleUser template option from the AWS Serverless Application Repository. This template is automatically used to create the function when you enable rotation by using the Secrets Manager console. (In the console, you specify that the secret is for an Amazon RDS MySQL database, and that you want to rotate the secret using the credentials that are stored in the same secret.)

Erik Osterman

Who knew rotating a secret was that involved, but it makes sense looking over it.

tamsky


yea, would be neat if the yubikeys could act as an SSH agent
they can act as an SSH agent by acting as a GPG agent:

https://github.com/drduh/YubiKey-Guide

this too reads as very far from “turnkey” && has the same “how can I plumb my agent into docker” problems as the current ssh-agent

drduh/YubiKey-Guide

YubiKey-Guide - Guide to using YubiKey as a SmartCard for GPG and SSH

2018-08-03

Erik Osterman

Then you pack your bags and prepare for rendition

2018-08-02

Erik Osterman
05:30:58 PM

This is something that is huge, and is hard to understand

It is as specific and specialist as anything we do

So I hope this channel helps us pull together the resources that help keep us all on track for secure environments

Erik Osterman

Yea, it’s a never ending endeavor

Erik Osterman
Control government-backed attack alerts in G Suite

We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed a…

1
Erik Osterman

Not a feature I was exactly asking for, but hey, why not!

Erik Osterman

That’s an alert that would freak me out.

tamsky

if they already have a good signal detector, it’s pretty nice that they share

pmuller

ahahah, so you get an alert saying a government is attacking you (does it include the us gov? ;)) - then what? you go to the police?

2018-07-31

pmuller
03:20:31 AM

@pmuller has joined the channel

tamsky
03:20:32 AM

@tamsky has joined the channel

Jeremy Grodberg
03:20:32 AM

@Jeremy Grodberg has joined the channel

2018-07-30

fernando
02:25:21 AM

@fernando has joined the channel

2018-07-26

Erik Osterman
07:00:43 PM

@Erik Osterman has joined the channel