Showing posts from August, 2017

Disrupting AWS S3 Logging

This post continues the series of highlights from our recent BlackHat USA 2017 talk. An index of all the posts in the series is here. Introduction Before today's public clouds, best practice was to store logs separately from the host that generated them. If the host was compromised, the logs stored off it would have a better chance of being preserved. At a cloud provider like AWS, a storage service within an account holds your activity logs. A sufficiently thorough compromise of an account could very well lead to disrupted logging and heightened pain for IR teams. It's analogous to logs stored on a single compromised machine: once access restrictions to the logs are overcome, logs can be tampered with and removed. In AWS, however, removing and editing logs looks different to wiping logs with rm -rf. In AWS jargon, the logs originate from a service called CloudTrail. A Trail is created which delivers the current batch of activity logs in a file to a pre-defined

All your devs are belong to us: how to backdoor the Atom editor

This is the first post in a series highlighting bits from our recent BlackHat USA 2017 talk. An index of all the posts in the series is here. Introduction In this post we'll be looking at ways to compromise your developers that you probably aren't defending against, by exploiting the plugins in their editors. We will therefore be exploring Atom, Atom plugins, how they work and the security shortfalls they expose. Targeting developers seems like a good idea (targeting sysadmins is so 2014). If we can target them through a channel that you probably aren't auditing, that's even better! Background We all need some type of editor in our lives to be able to do the work that we do. But, when it comes to choosing an editor, everyone has their own views. Some prefer the modern editors like Atom or Sublime, while others are more die-hard/old-school and prefer to stick to Vim or Emacs. Whatever you choose, you'll most likely want to customize it in some way (if

BlackHat 2017 Series

[Update: jump to the end of the page for the series index] Late July found Haroon and I sweating buckets inside an 8th storey Las Vegas hotel room. Our perspiration was due not to the malevolent heat outside but to the 189 slides we were building for BlackHat 2017. Modifications to the slide deck continued until just before the talk, and we're now posting a link to the final deck. Spoiler alert: it's at the bottom of this post. A few years ago (2009, but who's counting) we spoke at the same conference and then at DEF CON on Clobbering the Cloud. It's a little hard to recall the zeitgeist of bygone times, but back then the view that "the Cloud is nothing new" was prominent in security circles (and, more broadly, in IT). The main thrust of the previous talk was taking aim at that viewpoint, showing a bunch of novel attacks on cloud providers and how things were changing: Eight years on, and here we are again talking about Cloud. In the intervening ye