Security

A recurring theme in my InfoSec career has been to expose people to how their seemingly-secure practices are actually very insecure. Today I will show one such practice that is quite common. The idea is insidious in that it lulls people into a false sense of security when it takes only a couple minutes to break. This is similar to the security awareness training I provide: I show the audience a physical lock that is heavy and has the words “Secure” engraved in it. Then I show how it can be picked in 8 seconds. Getting over this cognitive barrier – that something isn’t inherently secure just because it looks that way – is tough for people when they first encounter security. ...

At work I recently had to show our risk profile with Github vulnerability alerts and display them in Domo. Github’s APIv3 (REST) doesn’t allow you to query the vulnerability alerts, but APIv4 (GraphQL) does. I found the documentation around gathering those results very opaque due to being in Preview status, so here are some examples for pulling out the data you need. Github Vulnerability Alerts can be enabled in the Settings component of a repository. It will scan the dependencies listed in various package managers (requirements.txt, package.json, etc) and build a dependency graph (super cool!). From there, each dependency is checked for CVEs posted on public vulnerability websites. This is useful information but it is difficult to visualize when you have many (in my case, hundreds) of repositories to watch. ...

IAM provides a way for users and roles to become another role. This is known as IAM role switching and uses the underlying sts:AssumeRole action. You can restrict IAM role switching in one of two ways, what I like to call the single lock and double lock methods. With any IAM role switch, there involves a two-way handshake. The person (source) switching to the role (target) must be allowed to assume the role, plus the target must allow the source to assume it. That way, an IAM role switch can be used to switch between roles within the same account, or roles within different AWS account (maybe one that you don’t even own). ...

I don’t often talk of employer, mainly to keep an arm’s length distance between them and the writing on my blog. However, one of the great things about working at Unbounce is the concept of a Professional Development day (Pro-D). This is just like when you were in school and the teachers would take a day for themselves to improve. At Unbounce, every employee gets one day (8 hours) every 2 weeks to educate themselves and elevate their professional and career interests. Some of my best ideas have come out of things I learned on Pro-D day. Today, I decided to take a moment to learn about the AWS Systems Manager Session Manager (whoa, that’s a mouthful). ...

NB: Linebreaks (\) have been added to the CLI commands for readability. I am in the process of setting up an AWS account for my family and part of that initial setup is to create users and roles for family members. Everyone receives readonly privileges and has to assume an IAM to gain elevated privileges. The people who are allowed to assume these elevated privileges must have a valid MFA session. ...

Secrets management is a constant topic for debate in tech and security circles, even more so for users of cloud providers. There are solutions like Hashicorp Vault, Sneaker, and Credstash (even a locked down S3 bucket) that we have looked at using at Unbounce. Each solution has its own level of complexity to setup and maintain. All of these solutions suffer from the same problem, which I like to call “Step 0” or, how the heck do I manage the master key that unlocks everything? At some point in the encryption process, trust has to be established and that is the point where encryption cannot be used (Step 0). ...

This article demonstrates how you can quickly rotate your AWS keys in 2 minutes. Anything longer and I’m certain that nobody will do it. This is important as you should be in the habit of rotating these credentials often. Personally, I set reminders to change my keys every 30 days. Caveats You must have only one set of access keys created. Your IAM policy must allow you to manage your own keys. You must know where you store your AWS credentials (everyone is a bit different here). Key Rotation Process The process is thus: ...

Many people I speak with don’t have a security mindset, not because they aren’t aware of security, but rather that it doesn’t play a role in their life. As computers become more involved in our everyday lives, we all need to understand the security implications and defend against attacks. The only proper way to defend against something is to understand how it is attacked. I’ll paraphrase a tweet I saw on Twitter 1 about security, “An attacker uses maps, but defenders use lists.” To explain what this means in security terms, let’s look at the definition of those terms. ...

I am working with a client right now on their Web application. While creating an account to do testing, I noticed a glaring security issue that allows people to harvest usernames. This topic has been covered before, I am still surprised that it keeps popping up around the Web, but this time is a bit different. I should note that the client knows about the issue, but what I want to point out in this article is how insidious the issue becomes. ...