The Books I loved in 2019

I had a New Year's resolution to Read More Books this past year and actually read around 20 books. Here is a quick list of some of my favorites from the past year that I really enjoyed.

Stillness Is the Key

This book was probably one of the most impactful books I read this year. It walks through how the great and the good spent time alone and in thought in order to make their most momentous decisions. It really inspired me to take 30 minutes a day to disconnect, journal and meditate.

GCHQ 2

I love these puzzle books. I spent many hours on planes and on the couch working through this book and trying to figure out these puzzles. I am looking forward to the third installment, which will hopefully come out shortly.

Zero Trust Networks: Building Secure Systems in Untrusted Networks 

Zero trust has been an overused buzzword for the last few years in security. This book is the ground truth about what zero trust really is and how to implement it correctly. This is a must-read for anyone in security.

People-Centric Security: Transforming Your Enterprise Security Culture 

This book was a great reminder that you can't fix security in any organization through technology alone; you have to concentrate on how to get people at all levels of the organization to care about security.

The Moscow Rules: The Secret CIA Tactics That Helped America Win the Cold War 

This was a really interesting, entertaining and quick read. Here are the Moscow Rules:

  • Assume nothing.
  • Never go against your gut.
  • Everyone is potentially under opposition control.
  • Do not look back; you are never completely alone.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Lull them into a sense of complacency.
  • Do not harass the opposition.
  • Pick the time and place for action.
  • Keep your options open.

Our Man in New York: The British Plot to Bring America into the Second World War 

This book is about how England used the media in the 1940s to change Americans' opinions about entering World War 2 by doing everything from bribing a radio psychic to predict Hitler's death to slightly changing public opinion polling questions to make it look like Americans were more open to joining the war.

Gray Day: My Undercover Mission to Expose America’s First Cyber Spy

This is a great story about Eric O'Neill and the role he played in hunting down Robert Hanssen, including how he hacked his boss's Palm III to download and decode its encrypted contents.

AWS re:Invent 2019

I spent the last week at AWS re:Invent 2019 in Las Vegas with over 65,000 other AWS users. This conference is always jam-packed with announcements and interesting discussions with people both inside and outside of my normal security bubble. Overall I really enjoy this conference even though it is ridiculously large; I spent over 6 hours on the shuttles this week going between the 3 campuses of the conference.

I was glad to see Amazon finally get serious about security that matters to both practitioners and audit teams. While Encrypted by Default only applies to their Nitro Enclaves at this point, I hope this is the start of extending this principle to all of their services.

Here are some roughly organized notes and thoughts about some of the services that were launched or announced this week that I was impressed or really confused about.

General Cloud

  • AWS Outpost
    • It is a rack full of AWS equipment they install in your data center and then you manage it through the AWS console. It only costs $225,504.81 for the entry-level model.
  • AWS Nitro Enclaves
    • Nitro Enclaves enables you to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information.
  • AWS ARM Processors
    • Amazon is launching its own Arm-based processors. You have to wonder whether at least part of the motivation isn't to avoid future side-channel attacks.
  • AWS Compute Optimizer
    • You pay AWS to tell you how to pay AWS less or something.
  • Ubuntu Pro
    • This is a customized version of Ubuntu to run on EC2 that comes with Livepatch and will soon have preinstalled hooks into AWS Security Hub. On the downside, it does cost $0.03 an hour to run, which will end up costing about $25 a month per instance.

Security

Machine Learning

¯\_(ツ)_/¯

General & Uncategorized Thoughts

Hacking Holiday Lights

This week I gave a talk on Hacking Holiday Lights at Kenna Security and here is the promised accompanying blog that outlines the hardware and software I demoed for easy reference for anyone who wants to build their own holiday lights.

Controller Boards

I looked at a bunch of different boards, many of which had a variety of technical hurdles, and ended up really liking the first two boards for ease of use and the last one for the “Real Hacker Experience”.

LED Lights

Getting the right lights is probably one of the most important parts of building out your project. Below are the lights I have used and really like.

Software

Tips

Closing

This has been an amazingly fun project that I was able to do with my son, and my hardware hacking projects are not always that easy. You can easily build more complex and complicated displays using these tools and I hope you have fun exploring these systems and finding the right fit for you. If you have any questions please ping me on Twitter @jgamblin.

Lyft Cartography Docker Container

I have been meaning to look at Cartography since I saw their talk at BSidesSF last year and I finally had a chance to start looking at it today. One of the first things I noticed was that it was not containerized, so I built a quick container for it and decided to document my progress here.

Prerequisites

Build The Cartography Container

  • Create a local cartography directory.
  • Create a Dockerfile and copy this into it:

    # syntax = docker/dockerfile:experimental
    FROM ubuntu:latest
    # Install Python 3, make "python" resolve to it, and upgrade pip
    RUN apt-get update \
      && apt-get install -y python3-pip python3-dev wget apt-utils \
      && cd /usr/local/bin \
      && ln -s /usr/bin/python3 python \
      && pip3 install --upgrade pip
    # Install the AWS CLI (for credentials and profiles) and cartography itself
    RUN pip install awscli \
      && pip install cartography

  • In your terminal open the cartography directory.
  • Build the container using: DOCKER_BUILDKIT=1 docker build -t cartography .

Run Neo4J Container

docker container run \
  -e NEO4J_AUTH=none \
  -v neo4j-data:/data \
  -p 7474:7474 \
  -p 7687:7687 \
  -d \
  neo4j:3.5.12

Run Cartography Container

docker run --rm -v $HOME/.aws:/root/.aws --net=host cartography cartography --neo4j-uri bolt://127.0.0.1:7687

This step will take a few minutes depending on the size of your environment.

Accessing The Interface

Once the cartography container has finished its run you can access the Neo4j web interface at http://127.0.0.1:7474/browser/
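As an added example (not the author's commands and not part of the Cartography project), here is a wrapper for the Neo4j and Cartography steps above that handles the two things a practitioner runs into. First, cartography fails with a connection error if it starts before Neo4j is listening, so the script polls port 7687 before the sync. Second, NEO4J_AUTH=none combined with -p 7474:7474 publishes an unauthenticated database containing your whole AWS inventory on every interface of the host, so the script binds both ports to 127.0.0.1 and sets a generated password instead. The --neo4j-user and --neo4j-password-env-var flags are assumed from the cartography CLI's authentication options; confirm them with cartography --help on your version.

```shell
#!/usr/bin/env bash
# Added example (not the author's commands or Cartography's own tooling): start Neo4j with a
# password and loopback-only ports, wait until it accepts connections, then run the
# "cartography" image built above against it. Assumes docker is installed and AWS
# credentials live in $HOME/.aws.
set -u

NEO4J_IMAGE="neo4j:3.5.12"
NEO4J_NAME="cartography-neo4j"

# Neo4j 3.x reads its initial credentials from NEO4J_AUTH as "user/password".
neo4j_auth_value() {
  printf 'neo4j/%s\n' "$1"
}

# Poll host:port once a second until a TCP connect succeeds or the timeout (seconds) runs out.
# Uses bash's /dev/tcp pseudo-device so no nc or curl is needed. Returns 0 when the port is open.
wait_for_port() {
  host=$1
  port=$2
  timeout=$3
  while [ "$timeout" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null; then
      return 0
    fi
    sleep 1
    timeout=$((timeout - 1))
  done
  return 1
}

# Weak setting in the original: NEO4J_AUTH=none plus "-p 7474:7474" exposes an unauthenticated
# database holding your entire AWS inventory on every host interface. Here the ports are bound
# to 127.0.0.1 only and a password is required.
start_neo4j() {
  password=$1
  docker container run -d --name "$NEO4J_NAME" \
    -e "NEO4J_AUTH=$(neo4j_auth_value "$password")" \
    -v neo4j-data:/data \
    -p 127.0.0.1:7474:7474 \
    -p 127.0.0.1:7687:7687 \
    "$NEO4J_IMAGE" >/dev/null
}

# Run the sync. --neo4j-user and --neo4j-password-env-var are assumed to be the cartography
# CLI's auth flags (check `cartography --help` for your version). The credentials directory is
# mounted read-only; --net=host lets the container reach the loopback-bound Bolt port.
run_cartography() {
  password=$1
  docker run --rm -v "$HOME/.aws:/root/.aws:ro" --net=host \
    -e "NEO4J_PASSWORD=$password" \
    cartography cartography \
      --neo4j-uri bolt://127.0.0.1:7687 \
      --neo4j-user neo4j \
      --neo4j-password-env-var NEO4J_PASSWORD
}

main() {
  password=$(head -c 24 /dev/urandom | base64 | tr -d '/+=\n')
  start_neo4j "$password"
  # Neo4j needs a while to boot; running cartography immediately fails with a connection error.
  wait_for_port 127.0.0.1 7687 120 || { echo "Neo4j did not come up within 120s" >&2; exit 1; }
  run_cartography "$password"
  echo "Sync done. Log in at http://127.0.0.1:7474/browser/ as neo4j with password: $password"
}

# Only run the workflow when invoked as "./run_cartography.sh up"; otherwise just define functions.
if [ "${1:-}" = "up" ]; then
  main
fi
```

Save it as run_cartography.sh (a hypothetical name) and invoke it with the up argument. The password is printed once at the end for the browser login; since the graph only listens on loopback, anyone who wants to query it from another machine has to come through an SSH tunnel rather than an open port.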

Closing Thoughts & ToDo List

GitHub Account Recovery After 2FA Failure

I just spent a day and a half recovering my GitHub account after the code in my 2FA application stopped working for authentication. GitHub has a good support article on how to recover your account that has this ominous warning on it:

Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods.

I was worried that I wasn’t going to get access to my account back since I didn’t have a copy of my recovery codes so I reached out to GitHub support and was able to work with them to get access using my verification token from an SSH session.

If you have 2FA enabled on your account you should make sure you have the following:

Hopefully, no one else has to go through this but I figured I would write up my notes since they were fresh in mind.

Automatically Build Kali VMs in VirtualBox

About once a month I need a Kali VM to use for an hour or so, and I am terrible at keeping a VM up-to-date, so this weekend I took a few hours and built a tool to automatically download, provision and update a Kali Linux VM in VirtualBox.

All the code for this project is in this GitHub project.

Here is what the output looks like:

This script meets my needs, but if you have any questions or suggestions please feel free to ping me on Twitter at @JGamblin.

Vulnerablecontainers.org

Recently I have been working on a project that uses the Trivy container scanner to scan a large swath of containers for open vulnerabilities, and I wanted to quickly post it here. There is a full blog about the project here on the Kenna site.

Here are some of the pages I have built out so far:

As always reach out to me on twitter if you have any questions.

LoCoMoCoSec 2019

I had the chance to attend LoCoMoCoSec this year and had a fantastic time. It was a well-run conference that was extremely focused on being friendly for families and being inclusive of the diverse group of people who make up our community.

It also doesn’t hurt that it was in one of the most beautiful places I have ever seen.


Many of the attendees and speakers had brought their families with them, and this helped the conference have a fantastic family feel to it.

The organizers decided to keep the inclusiveness going by only offering a cash bar and asking anyone who was planning on overdrinking to please move to another bar.


LoCoMoCoSec is the only conference I have attended that is hyper-focused on real-world product security, with talk after talk full of actionable or relatable stories that will help improve our security posture. Below are some of the key takeaways I will be bringing back to work with me.

Open Source Security

Neil and Adam both had amazing presentations on open source security and I had a ton of conversations with people around the subject at this conference.

Neil talked about how GitHub struggled with getting from an out-of-date forked version of Rails to the latest current version. It was one of those rare talks where the presenter was open and honest about how hard it was to get up to date, even in a technology company. I am looking forward to this presentation video being uploaded so I can share it with my dev teams.

Adam from npm talked about framework security and how little code is actually written in modern Node apps. His slide showing that 97% of a modern Node app is made up of underlying frameworks was one of the most talked-about at the conference.

Outside of these talks, I spent a lot of time talking with people about how we can better understand and help the security of the many open source frameworks that companies build their applications on. This is a problem that everyone is obviously thinking about but no one has found an answer to yet.

DevSecOps

I saw three really good talks about DevSecOps from James Wickett, Tanya Janca, and Dave Lindner, all of whom I really respect as leaders in our industry. They each had a very unique approach to this topic but they all arrived at the same conclusion: DevSecOps is really hard and we all have a lot of work left to do. I have some thoughts on this topic and am working on a talk that I am hoping to be able to share later this summer.

James Wickett's talk was one of the most entertaining of the conference, and he is writing a DevSecOps book for which he is looking for material. You can check out his slide deck here, which includes contact information.

Tanya Janca is a high-energy presenter and talked about doing DevSecOps in sprints. She also talked about how great organizations have a ratio of 100 devs to 10 ops to 1 security person.

David Lindner who works at Contrast and is a friend of mine talked on Friday about the challenges of adapting appsec at a startup and balancing that with business needs. I empathized with him as we both come from startups of about the same size.

Bug Bounties

Bug bounties are always a touchy subject at these conferences, but there were a bunch of great discussions around them and how to improve them to make them more actionable.

In their talk about fixing CSP, Google said that 75% of their web payouts are for XSS bugs and described how they are working on fixing that.

Katie Moussouris gave a talk about how bug bounties work, and my biggest takeaway from her talk was that there are likely fewer than 500 bug bounty hunters who find the majority of all bugs.

CTF

Matt Langlois put together an amazing collaborative CTF for the last day of the conference and open sourced all the puzzles.

Dive Track

Melanie Ensign from Uber put together an amazing Dive Track, giving people the ability to take a few hours and explore some of the best diving in the world. I took a morning and went out for an amazing dive.

Bubble, bubble.
I loved watching these turtles.

Closing

Overall I had an amazing time and I didn’t talk to anyone who wasn’t looking forward to LoCoMoCoSec 2020. I know if at all possible I will be going back. 🤙

My 2019 RSA Guide

With the 2019 RSA Conference fast approaching, I thought I would take a few minutes and put together a quick list of what I am excited to see this year.

Sunday

Monday

Tuesday

Wednesday

Thursday


Did I miss something cool? If so, let me know on Twitter at @jgamblin.

Run Bundle Audit Against A Github Org

Bundle Audit is a great tool to check whether the Ruby gems used in your project have any known vulnerabilities. Most DevOps teams I know run this tool against their builds in their CI/CD process when deploying. This can mean that code that is not updated often can have vulnerable gems unless you have a way to continually monitor your projects.

I spent some time looking at a few solutions this week and I thought I might be able to do this with a crappy shell script™ and the GitHub API. So, this morning while watching cartoons (the new Carmen Sandiego series is excellent) I wrote this:

https://gist.github.com/jgamblin/e91d25acec689e2cad1ff4b8b4a6e13c

After you grab a GitHub token and update the script, running it is as simple as:

./bundleauditgithub.sh OrgToTest
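The gist is linked rather than embedded above, so here is an added example of the same idea, written for this page rather than taken from the author's gist: list an org's repositories through the GitHub API, shallow-clone each one, and run bundle-audit wherever a Gemfile.lock exists. It assumes curl, git and the bundler-audit gem are installed and that GITHUB_TOKEN holds a token able to list the org's repositories; the JSON sample inside is constructed for the offline check of the parser.

```shell
#!/usr/bin/env bash
# Added example, not the author's gist: run bundle-audit against every repository in a GitHub
# organization. Assumes curl, git and the bundler-audit gem ("gem install bundler-audit") are
# installed and GITHUB_TOKEN holds a token that can list the org's repositories.
set -u

GITHUB_API="https://api.github.com"

# Constructed sample of the GitHub "list organization repositories" response, used only for
# the offline check of the parser below.
SAMPLE_REPOS_JSON='[
  {"name": "app-one", "clone_url": "https://github.com/example-org/app-one.git", "language": "Ruby", "archived": false},
  {"name": "docs", "clone_url": "https://github.com/example-org/docs.git", "language": null, "archived": false}
]'

# Pull the clone_url values out of one page of the API response, one per line.
# grep/sed instead of jq so the script runs on a bare box.
clone_urls_from_json() {
  printf '%s\n' "$1" | grep -o '"clone_url": *"[^"]*"' | sed 's/.*: *"//; s/"$//'
}

# Walk every page of /orgs/<org>/repos and print all clone URLs.
org_clone_urls() {
  org=$1
  page=1
  while :; do
    body=$(curl -fsS -H "Authorization: token ${GITHUB_TOKEN}" \
      "${GITHUB_API}/orgs/${org}/repos?per_page=100&page=${page}") || return 1
    urls=$(clone_urls_from_json "$body")
    [ -n "$urls" ] || break
    printf '%s\n' "$urls"
    page=$((page + 1))
  done
}

# Shallow-clone one repo into a temp dir and run bundle-audit if it has a Gemfile.lock.
# Prints one status line per repo; returns bundle-audit's exit code (non-zero means findings).
audit_repo() {
  url=$1
  name=$(basename "$url" .git)
  workdir=$(mktemp -d)
  rc=0
  if ! git clone --quiet --depth 1 "$url" "$workdir/$name" 2>/dev/null; then
    echo "$name: clone failed"
  elif [ ! -f "$workdir/$name/Gemfile.lock" ]; then
    echo "$name: no Gemfile.lock, skipped"
  else
    echo "== $name =="
    # --update refreshes the local ruby-advisory-db copy before checking the lockfile.
    (cd "$workdir/$name" && bundle-audit check --update) || rc=$?
  fi
  rm -rf "$workdir"
  return "$rc"
}

# Audit the whole org and report how many repositories had findings.
audit_org() {
  org=$1
  findings=0
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    audit_repo "$url" || findings=$((findings + 1))
  done <<EOF
$(org_clone_urls "$org")
EOF
  echo "repositories with findings: $findings"
  [ "$findings" -eq 0 ]
}

# Run only when an org name is given; with no arguments the file just defines the functions.
if [ "$#" -ge 1 ]; then
  audit_org "$1"
fi
```

Run it as ./bundleauditorg.sh OrgToTest (a hypothetical file name). The exit status is non-zero when any repository had findings, so the same script can be dropped into a scheduled job that fails loudly, which is the continuous-monitoring gap the post describes for repos that rarely go through CI.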

Since I was watching Netflix while writing this tool I decided to use them as the example org, since they run a great bounty program on Bugcrowd.

Their Ruby repos were all up to date outside of Workflowable, which they have archived, but it makes a good example. Here are the complete findings for that repo.

Overall this turned out to be a fairly simple project that I will get a lot of use out of.
If you have any questions let me know on Twitter at @jgamblin.
