Blog Posts

Leaking Sensitive Data Through Google Groups

Recently I have noticed that companies that use Google Suite have a fairly common misconfiguration that is making their internal groups public.  In some cases it is just the name of the groups but in some extreme cases the content of the posts are public.

Testing for this misconfiguration on your domain is as easy as looking at:
https://groups.google.com/a/%yourdomain.tld%/forum/#!forumsearch/

Google has (not really clear) instructions here on how to lock down your groups so they are not public. I have notified as many of the domains that I can that they have a misconfiguration but I am not able to notify everyone and Google has seemed to file this under It's not a bug, it's a feature.

60 Second Kali Box

I am a fan of Kali Linux and AWS so I love the fact that they have an official AMI.  While spinning up a Kali instance in AWS is fairly easy, I had a long flight today so I wrote a script that will spin up a Kali instance in about 60 seconds.

The script does the following:

  • Builds a security group that only allows SSH access from your current public IP.
  • Writes a new SSH Key in ~/Documents/instantkali/
  • Creates a t2.medium EC2 instance.

Here is the output: 

 

Here is the code:

Dependency Check A Github Organization

Recently while working on a project I wanted to run OWSAP Dependency Check against a Github Organization to find any out of date frameworks but I couldn’t find an easy way to do it so I built a tool. Right now it will check Node and Ruby applications and put all the out of date frameworks in a single CSV.

As an example I ran the tool against the Netflix Open Source Project and here are the results from today.  They have 35 out of date frameworks in all their public projects.

Here is what it looks like running:

 

Here is the code:

#!/bin/bash
username="[email protected]"
passwordtoken="get from here: https://github.com/settings/tokens"
org="$1"
repos=$(curl -u $username:$passwordtoken -s https://api.github.com/orgs/$org/repos?per_page=200 | jq -r .[].name | sort )

mkdir results

for repo in $repos
do
#Find Default Branch
defaultbranch=$(curl -u $username:$passwordtoken -s https://api.github.com/repos/$org/$repo | jq -r .default_branch)
node=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json)
  if [ $node -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json > package.json
    dependency-check --scan ./package.json --project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  else
    ruby=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock)
    if [ $ruby -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock > Gemfile.lock
    dependency-check --scan ./Gemfile.lock ---project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  fi
  printf "%s is not a Node or Ruby Project. Unable to run dependency-check. \n\n" "$repo"
  fi
done

#Consulidate The Report
 cat results/*.csv > results/temp.csv
 awk '!x[$0]++' results/temp.csv > results/temp2.csv
 cut -d',' -f1-4,6- results/temp2.csv > githubvulns.csv
 rm results/*.csv

Some Quick Notes:

  • There was a bug that was just fixed that stopped me from releasing this earlier.
  • I will try to expand this to scan more types of code in the future.
  • Let me know on twitter if you have any questions.

My Year With Yoga

On Friday, January 6th 2017  I walked into the first Yoga class of my life at YogaSol  as part of fulfilling a new years resolution.

I was in the best shape of my life. I was running, swimming and lifting weights multiple times a week. I weighed 165 pounds and was at 9% body fat. I was also really stressed at work, my blood pressure had moved into the hypertension range and I felt like my life was stuck in permanent decision paralysis.

Mark was my teacher that day for a “Gentle Flow” class that lasted 60 minutes and was one of the hardest things I have ever done. The flow made me feel childish (What hand is my left?) and weak (Downward Dog is a resting position?) but more importantly it showed me I couldn’t turn off my brain for 5 minutes for shavasana  ( inhale- ‘Did I send that email?’  Exhale- ‘I should submit a CFP for Defcon this year.’).

I could also tell it would be one of the most fulfilling things I had ever done and stuck with it even when I didn’t want to. I now feel at home on the mat and practice yoga 4 or 5 times a week.

Here are a few things that have stuck with me this year:

Yoga taught me that if I am do not control of my life it controls me.

“Jerry, You didn’t breathe during that sun salutation.”
“…or that one.”
“…Are you trying to hold your breath?”

I really thought my teacher was being hard one me for no reason. I was doing what she asked, when she asked and how she asked. I soon came to understand that if I couldn’t pay mindful attention to the one thing that keeps me alive and control it I am not running my life. My life is running me.

Yoga taught me that more strength I have the less power I want.

I work in security and with that comes the need for power and control. We let this run our lives to the point that we have Brazilian Jiu Jitsu meet-ups at our biggest conferences (which I love).

Yoga quickly taught me that all the power in the world doesn’t matter if you don’t have strength. On Sunday’s I take an afternoon class with Lisa and she loves to say when we are in Downward Dog  “OK Class, we will be resting here for 5 breaths”.

I can bench press 100%+ of my weight multiple times so I thought I should be able to stay in Downward Dog for 60 seconds with no problem. I couldn’t, the 60 year old woman next to me could… and probably could have for 15 minutes.

It took me a few months to start building that strength and at the same time letting go of some of that unneeded power,

Yoga has taught me to disconnect.

I get up at 0415 most mornings and start working and don’t really stop working until I go to bed. I answer emails on  vacation. I write code on the weekends. I.ALWAYS.HAVE.MY.PHONE.

…except at Yoga class. It is the only time of the day that I am not sleeping that I don’t check my phone for an hour plus and the world doesn’t end. I need to get a lot better at this.

Yoga has taught me to slow down.

When I first started yoga I loved the high energy workouts and leaving yoga with the feeling of being totally exhausted. Then one day I took a yin class with Megan and realized that taking the time to slow down really makes me feel complete both mentally and physically.

Yoga has taught me the only way to improve your balance is to practice.

When I first I started yoga I could not do the tree pose at my ankle for 10 seconds without falling down. As I practiced over the last year I have gotten better but not perfect. As with most things in life you have to be willing to fail to get better.

If you ever get to LA check out YogaAqua.

Yoga has taught me to find comfort in discomfort.

If you want to be successful in life you can not stop when things get uncomfortable.  If you can stop yourself from going into Balasana because your arms are tired when your teacher decides in the middle of the downward dog during the fifth sunsultion is the best time to give the complete oral history of a sanskrit word you didn’t hear you can also send that difficult email, ask for a raise and have that hard discussion.

I found Yoga at the perfect time in my life and I look forward to learning the lessons it will have for me in 2018.

Automating Digicert Certificates Into AWS ACM

Like most security professionals I am spending a large amount of time helping my company move securely to AWS.

Certificate management in AWS is done with AWS Certificate Manager  and while they do offer *free* certificates, ACM generated certs are outside your direct control. You don’t get the keys which, at least for some things, should probably be a non-starter (granted, for plenty of other things it’s likely  ¯\_(ツ)_/¯).

I also really like digicert and have been using them for TLS certificates for over 10 years but I could not find any automation already built for Digicert to AWS ACM so I spent some time this week and hacked a script together to do it.

Here is a link to the script  (also embedded at the bottom of the post). On the host running the script you will need AWS CLI  configured and a Digicert API Key.  You also need to configure the first 15 lines of the script with your information.

To Run The Script:

./awasacm.sh your.fdqn.com

Script Output:

Here is what the script looks like running:

Here is the cert uploaded to ACM:

The script also saves all of the commands, keys and certs on the host running the script for auditing and backup:

Full Script:

Closing:

I will be making improvements to this script as we implement it in production and will likely move it to a full GitHub repo soon.   If you have any questions please reach out to me on twitter at @JGamblin. 

Update:  I have built a full Github repo here.

Site Footer