Release Date: 29/09/2019 | Issue: 5
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Container Runtime Security Bypasses on Falco
A blog post describing some of the nuances of auditing Falco during security assessments, and demonstrating how to think through some bypasses. The post goes through common approaches taken while auditing runtime security tools, and, as bonus points, even provide a couple of bypasses (for terminal alert, sensitive volume alert, and privileged container alert).


The Path Less Traveled: Abusing Kubernetes Defaults
Slides from the talk @iancoldwater and @mauilion presented at Black Hat USA 2019. Takeaway: 'check your assumptions, neither kubernetes nor the apps deployed on it are secure by default'.


Azure Sentinel is now GA
Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available. It is also interesting to read design considerations related to Sentinel.


Container Image Squatting in a Multi-Registry World
Another interesting piece of research by @raesene, this time on attackers squatting on common Docker Hub accounts to try and trick users into pulling malicious images. A process made somewhat easier by the fact that you can register organization names on Quay.io. Some mitigations are provided if you’re planning to adopt podman.


Abusing VPC Traffic Mirroring in AWS
PoC script by @rhinosecurity that uses AWS VPC Traffic Mirroring to mirror and exfiltrate network traffic in AWS VPCs. Malicious VPC traffic mirroring can be extremely impactful because network traffic moving around within VPCs often contains sensitive information. The likelihood of malicious VPC traffic mirroring is also very high because there are often large amounts of cleartext traffic flowing through a VPC. One reason for the common use of cleartext traffic is that before traffic mirroring, it was very unlikely that the traffic would be sniffed, so it wasn’t very risky (think ok TLS termination for NLBs). Related script: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror/.


CVE-2019-8451 Unauthorized SSRF via REST API
As pointed out by Dino Dai Zovi: 'If you're running JIRA on AWS, consider this SSRF to be RCE'.


SSRF_Vulnerable_Lab
A repository that contains sample code vulnerable to Server-Side Request Forgery attacks. But, why in PHP?!




How to keep your Kubernetes secrets secure in Git
If you really really really want to store your secrets within your source code, this post describes techniques useful to use Git to keep your Kubernetes secrets secure.

Website
Twitter
Sponsor Me
View this email in your browser Copyright © 2019-present The Cloud Security Reading List.