On-Demand Container Scanning API

Last summer I launched vulnerablecontainers.org to help shed light on the number of vulnerabilities in the 1,000 most popular containers on docker hub.  While it was an interesting project, right after I launched the project I had multiple people ask if it was able to scan other public containers. Initially, it wasn’t but I wanted to offer the ability, so over the last two weeks, I decided to not sleep and built my first API that I am publicly releasing today.  

scan.vulnerablecontainers.org is an open python API built using TrivyFlask, Gunicorn, and Nginx that for now has two public endpoints (more endpoints and tools coming). From the start, I designed it to be easy to use in the browser or on the command line for integration with CI/CD.

Trivy Scan Report

The most useful endpoint provides a trivy report of all opened vulnerabilities for the container and is available at: 
https://scan.vulnerablecontainers.org/scan?name=

Usage Example:
https://scan.vulnerablecontainers.org/scan?name=centos:6.6

Example Output:

CVE List

This endpoint provides a list of open CVEs on the container and is available at:
https://scan.vulnerablecontainers.org/cves?name=

Usage Example:
https://scan.vulnerablecontainers.org/cves?name=centos:6.6

Example Output:

Advanced Usage:

Closing Notes:

  • This is a work in process and is in EARLY beta.  Please do not build this into production systems.
  • The API will only work on containers built using Alpine, RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux, Debian, Ubuntu, and Photon OS.
  • I have attempted to implement some caching but it may take up to 120 seconds to return results.
  • I will release source code, a docker container, and a build guide after some more testing and hopefully adding more endpoints.
  • Notice Something Boken? Please Let Me Know on twitter @JGamblin

What To See At RSA 2020

With the RSA Conference less than a week away I figured I would spend a few minutes and write a quick post about what I am excited to see this year in San Francisco.

Not At RSA

Like most security conferences these days while the conference itself is the reason I go the auxiliary events end up providing a majority of the value and information I take away.

Here is what I am looking forward to seeing not at RSA.

At RSA

RSA has a reputation for being an “industry” event and while that isn’t totally untrue you can find great content if you look.

Fun Stuff:

Xaxxon OpenLidar Install

One of my personal projects this year is to understand and build a SLAM (Simultaneous localization and mapping) robot. To get started I bought the Xaxxon OpenLidar and after a few struggles getting it to work correctly in a VM I finally did and decided to throw together my build notes for future reference.

Virtual Platform

While I would have liked to use (and tested) Virtualbox there is a known issue with RVIZ that isn’t present in VMWare Fusion, so while I hate not keeping this open-source I could not get it to work.

Ubuntu Install

You want to start with a new Ubuntu18.04 Install (ROS isn’t Ubuntu 19.0 compatible yet with the VM tools installed.

Run these commands to update and install the need utilities:

sudo apt update -y
sudo apt upgrade -y
sudo apt install git curl screen

ROS Install

ROS is the Robot Operating System (ROS) is a set of software libraries and tools that helps you build robot applications. You need it installed to run the OpenLidar hardware.

Here are the commands to install it:

sudo sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list'
sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
sudo apt-get update
sudo apt install ros-melodic-desktop-full -y
sudo rosdep init
rosdep update
echo "source /opt/ros/melodic/setup.bash" >> ~/.bashrc
source ~/.bashrc
sudo apt install python-rosinstall python-rosinstall-generator python-wstool build-essential mesa-utils

OpenLidar Install

The last step is to install the software for the OpenLidar system and configure all of the variables and reboot.

Here are those commands:

mkdir -p ~/catkin_ws/src
cd ~/catkin_ws/src
git clone https://github.com/xaxxontech/xaxxon_openlidar.git .
cd ~/catkin_ws/src
catkin_init_workspace
cd ~/catkin_ws/
catkin_make
echo "source $HOME/catkin_ws/devel/setup.bash" >> ~/.bashrc
source ~/.bashrc
sudo adduser $USER dialout
sudo reboot now

Running

Once your VM reboots and you connect the Uart Bridge to the VM and you are now ready to fire up the software. That can be done with these commands:

roslaunch xaxxon_openlidar xaxxon_openlidar.launch &
roscd xaxxon_openlidar
./rvizlidar &

You should then see the RVIZ window load and data start populating the screen like this:

Troubleshooting

If you run into any problem you can always serial into the Lidar and check it with some of the commands on this page.

screen /dev/ttyusb0 115200
Unnecessary gif of the OpenLidar Spinning

The Ten Security Stories That Shaped The Decade

As the 2010s come to an end I started to think about what security stories from the last ten years changed how we think about security in this decade and the next. While this list is in no way complete these are the ten stories that I think had a lasting impact on security in the last decade and the next.

Stuxnet – 2010

Stuxnet targeted SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program. It has been the subject of many books and even a movie.

It has been publically confirmed that Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence.

LulzSec – 2011

LulzSec was a high profile hacktivist group that hacked Sony Pictures, HBGary, and PBS along with many other organizations. Its history and reputation are complicated with many of its members’ serving prison sentences and others have become members of the security research community.

Heartbleed – 2014

Heartbleed was an improper input validation bug in the OpenSSL library that allowed a malformed heartbeat request with a small payload and large length field to permit attackers to read up to 64 kilobytes of the victim’s memory that was likely to have been used previously by OpenSSL.

One of the humorous takeaways from this bug is that it was submitted at 11:59 on New Years’ Eve 2011.

Probably the most lasting takeaway is after this vulnerability Google established Project Zero.

The Shadow Brokers – 2016

The Shadow Brokers were a hacker group that published several leaks containing hacking tools from the National Security Agency including several Microsoft zero-day exploits that lead directly to WannaCry.

It is widely believed that Russia was responsible for these leaks although how they obtained the information is still unknown.

WannaCry – 2017

The WannaCry ransomware attack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin. It propagated through EternalBlue, an exploit developed by the National Security Agency and stolen and leaked by The Shadow Brokers a few months prior to the attack.

Marcus Hutchins discovered the kill switch domain hardcoded in the malware and registered the domain which limited the spread of the ransomware.

Sony Pictures Hack – 2014

In 2014 sony pictures were hacked and personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, and copies of Sony films were stolen and released on the internet. The attackers then released a disk wiper bot that formated a large number of hard drives at Sony.

It is widely believed that North Korea was behind this attack because Sony had made the movie The Interview which plot revolved around trying to assassinate Kim Jong-un.

US law enforcement agencies have charged Park Jin Hyok with this attack and for masterminding WannaCry.

DNC Hack – 2016

Russia hacked and released DNC internal communications to WikiLeaks in the run-up to the 2016 presidential election. While the technical details of these attacks are not impressive, America and the rest of the world have been dealing with the fallout from these breaches and will continue to do so for the foreseeable future.

Chelsea Manning – 2010

In 2010, Chelsea Manning gave WikiLeaks 500,000 documents that became known as the Iraq War and Afghan War logs along with numerous Diplomatic cables. She was arrested in May of 2010 but the information she had given to Wikileaks which made them a household name and allowed them to play a role in the DNC Hack and releasing the information that Edward Snowden leaked.

OPM – 2015

 In 2015, the United States Office of Personnel Management (OPM) had a data breach that affected approximately 21.5 million people. These included an unknown number of SF-86 (Questionnaire for National Security Positions) forms and over 5 million fingerprints.

Most experts have blamed China for this breach but no public proof of this has been shared.

Equifax – 2017

This was a huge data breach that ended up exposing the data of roughly 200 million consumers using a vulnerability in the Apache Struts framework. The House Oversight Committee has released a full report on the breach. Many security experts see this attack as an eyeopener for companies to look closely at their internally developed software along with their OS and Network patching.

No one has taken responsibility for this attack and none of the stolen data has ever been reported to have been used.

Closing

Six of these stories come directly from State actors attacking either another country or a large corporation, one of them was an insider threat, one was a determined group of motivated external attackers and one was a really nasty bug a developer submitted at 11:59 on New Year’s Eve and Park Jin Hyok is probably the most dangerous hacker in the world.

Did I miss a story that should have been on this list? Let me know on Twitter at @JGamblin.

The Books I loved in 2019

I had a new years resolution to Read More Books this past year and actually read around 20 books this year. Out of those books here is a quick list of some of my favorites from the past year that I really enjoyed.

Stillness Is the Key

This book was probably one of the most impactful books I read this year. It walks through how the great and the good spent time alone and in thought in order to make their most momentous decisions. It really inspired me to take 30 minutes a day to disconnect to journal and meditate.

GCHQ 2

I love these puzzle books. I spent many hours on planes and on the couch walking through this book and trying to figure out these puzzles. I am looking forward to the thrid installment that will hopefully come out shortly.

Zero Trust Networks: Building Secure Systems in Untrusted Networks 

Zero trust has been an overused buzzword for the last few years in security. This book is the ground truth about what zero trust really is and how to implement it correctly. This is a must-read for anyone in security.

People-Centric Security: Transforming Your Enterprise Security Culture 

This book was a great reminder that you cant fix security in any organization through technology alone and you have to concentrate on how to get people at all levels of the organization to care about security.

The Moscow Rules: The Secret CIA Tactics That Helped America Win the Cold War 

This was a really interesting, entertaining and quick read. Here are the Moscow Rules:

  • Assume nothing.
  • Never go against your gut.
  • Everyone is potentially under opposition control.
  • Do not look back; you are never completely alone.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Lull them into a sense of complacency.
  • Do not harass the opposition.
  • Pick the time and place for action.
  • Keep your options open.

Our Man in New York: The British Plot to Bring America into the Second World War 

This book is about how England used the media in the 1940s to change American’s opinions about entering world war 2 by doing everything from bribing a radio psychic to predict Hitler’s death to slightly changing public opinion polling questions to make it look like Americans were more open to joining the war.

Gray Day: My Undercover Mission to Expose America’s First Cyber Spy

This is a great story about how Eric O’Neill and the role he played in hunting down Robert Hanssen and how he hacked his bosses Palm III to download and decode its encrypted contents.

AWS re:Invent 2019

I spent the last week at AWS re:Invent 2019 in Las Vegas with over 65,000 other AWS users. This conference is always jammed packed with announcements and interesting discussions with people both inside and outside of my normal security bubble. Overall I really enjoy this conference even though it is ridiculously large and I spent over 6 hours on the shuttles this week going between the 3 campuses of the conference.

I was glad to see Amazon finally get serious about security that matters to both practitioners and audit teams. While Encrypted by Default only applies to their Nitro Enclaves at this point I hope this is the start of moving this principal to all of their services.

Image


Here are some roughly organized notes and thoughts about some of the services that were launched or announced this week that I was impressed or really confused about.

General Cloud

  • AWS Outpost
    • It is a rack full of AWS equipment they install in your data center and then you manage it through the AWS console. It only costs $225,504.81 for the entry-level model.
  • AWS Nitro Enclaves
    • Nitro Enclaves enables you to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information.
  • AWS ARM Processors
    • Amazon is launching its own Arm-based processors. You have wonder if at least part of this isn’t to hopefully avoid future side-channel attacks.
  • AWS Compute Optimizer
    • You pay AWS to tell you how to pay AWS less or something.
  • Ubuntu Pro
    • This is a customized version of Ubuntu to run on EC2 that comes with LivePatch and will have preinstalled hooks into the AWS security hub soon. On the downside, it does cost $.03 an hour to run which will end up costing about $25 a month per instance.

Security

Machine Learning

¯\_(ツ)_/¯

General & Uncategorized Thoughts

Hacking Holiday Lights

This week I gave a talk on Hacking Holiday Lights at Kenna Security and here is the promised accompanying blog that outlines the hardware and software I demoed for easy reference for anyone who wants to build their own holiday lights.

Controller Boards

I looked at a bunch of different boards that ended up having a variety of technical hurdles and ended up really liking the first two boards for ease of use and the last one for the “Real Hacker Experience”.

LED Lights

Getting the right lights for your project is probably one of the most important parts of building out your project. Below are the lights I have used and really like.

Software

Tips

Closing

This has been an amazingly fun project that I was able to do with my son and my hardware hacking is not always that easy. You can easily build more complex and complicated displays using these tools and I hope you have fun exploring these systems and finding the right fit for you. If you have any questions please ping me on twitter @jgamblin.

Lyft Cartography Docker Container

I have been meaning to look at Cartography since I saw their talk at BSidesSF last year and I finally had a chance to start looking at it today. One of the first things I noticed was that is was not containerized so I built a quick container for it and decided to document my progress here.

Prerequisites

Build The Cartography Container

  • Create a local cartography directory.
  • Create a Dockerfile and copy this into it:
# syntax = docker/dockerfile:experimental
FROM ubuntu:latest
# Install Python
RUN apt-get update \
  && apt-get install -y python3-pip python3-dev wget apt-utils \
  && cd /usr/local/bin \
  && ln -s /usr/bin/python3 python \
  && pip3 install --upgrade pip
RUN pip install awscli \
    &&  pip install cartography
  • In your terminal open the cartography directory.
  • Build the container using: DOCKER_BUILDKIT=1 docker build -t cartography .

Run Neo4J Container

docker container run \
  -e NEO4J_AUTH=none \
  -v neo4j-data:/data \
  -p 7474:7474 \
  -p 7687:7687 \
  -d \
  neo4j:3.5.12

Run Cartography Container

docker run --rm -v $HOME/.aws:/root/.aws --net=host cartography cartography --neo4j-uri bolt://127.0.0.1:7687

This step will take a few minutes depending on the size of your environment.

Accessing The Interface

Once the container is done building you can access the web interface at http://127.0.0.1:7474/browser/

Closing Thoughts & ToDo List

Github Account Recovery After 2FA Failure.

I just spent a day and a half recovering my Github account after the code in my 2FA application stopped working for authentication. GitHub has a good support article on how to recover your account that has this ominous warning on it:

Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods.

I was worried that I wasn’t going to get access to my account back since I didn’t have a copy of my recovery codes so I reached out to GitHub support and was able to work with them to get access using my verification token from an SSH session.

If you have 2FA enabled on your account you should make sure you have the following:

Hopefully, no one else has to go through this but I figured I would write up my notes since they were fresh in mind.

Automatically Build Kali VM’s in VirtualBox

About once a month I need a Kali VM to use for an hour or so, and I am terrible at keeping a VM up-to-date, so this weekend I took a few hours and built a tool to download automatically, provision and update a Kali Linux VM in Virtualbox.

All the code for this project is in this Github Project.

Here is what the output looks like:

This script meets my needs but if you have any questions or suggestions please feel free to ping me on twitter at @JGamblin

Site Footer