Wednesday, July 26, 2017

BHUSA17: Fighting the Previous War

This talk is brought to us by the folks at Thinkst. Back in 2009, they worked on various attacks in the cloud. Attacks like taking extra resources from Amazon. Amazon limited each account to 20 machines, but then they'd get their 20 machines to each get 20 machines... and so on. Cloud is different and needs different thinking.

People still think SaaS as "another webapp" or "just a Linux host", but it is very different and should be treated as such.

Footprinting is under-valued. While pentesting a network, they'd spend the bulk of the time finding all the machines - often long forgotten boxes.

Hardly anybody is setting up sendmail anymore, but their apps are sending emails. They need microservices for this, but where do the responsibilities live?  Who is processing your email, and who is making sure the services you integrate with are behaving properly (or used correctly). (reference: White Hats - Nepal: Bug Bounty from Uber, read).

Canary tokens is a framework released in 2015 is a framework to make honeytokens easy to get. It can help you learn about attacks on your systems.

You have to keep in mind that attacks don't look like they used to - devices are getting harder, but boundaries are fuzzier.

Looking at the Atom editor, there are lots of plugins available - it's easy to put in a malicious plugin. You can then easily steal keystrokes or get a user to unknowingly run commands for you. The plugins are not screened and can be very complicated.

This is no longer just hosted virtual machines. Look at how WordPress Hosting on AWS works - it only touches one virtual machine, but there is a very big graph of very complicated issue.

To attack AWS a good bit of recon is to find account ids. It is a 12-digit number, considered private (but not secure).  You can make one call with a valid account ID and an invalid ID and get different responses.  It works, but it is very sloooooow.

But you can find these more easily by looking at github or on help forums. Even though Amazon says to not post them, people do. Easy!

Another area to do recon is on the S3 bucket discovery, similar discovery vectors. Areas of potential compromise are around the APIs, for example it is possible to enumerate permissions with a variety of calls without actually knowing what the permissions should be.

Sadly running out of battery.... posting now!