Hey, welcome back everyone for the Q&A of the cloud security block. We are here with the speakers that you just listened to, but also a newcomer, Magno Logan from Trend Micro. Magno, you're a security specialist and a threat researcher. You pretty much work with cloud, containers and threat modeling, but you're also doing a very interesting workshop right after this Q&A about Kubernetes and its best practices. Can you tell us a bit more about it?

Sure, Max, thank you. In this workshop we're going to assume no prior knowledge of Kubernetes. We're going to build a cluster from scratch, deploy a vulnerable web application, attack it, and understand what happened with the attack and why it was possible. Then we're going to implement certain countermeasures and protections on that cluster to avoid that attack from happening again.

Thanks. And you're doing that on a prototype for everyone on AWS EKS, which is the semi-managed Kubernetes service from Amazon.

Yes, that's right.

So we're going to start with a couple of questions for each of the talks. You go ahead, Magno.

Okay, sorry, you're breaking up a little bit. Sure, so we're using EKS, and to do that we first create a Cloud9 instance, which is basically a virtual desktop inside AWS, like a virtual VS Code you may say, so that everyone can have the same configuration and the same environment and we don't run into any issues with VMs or any problems installing stuff on your machine. So first we spin up the Cloud9 instance, and from there we create the EKS cluster. Everything is on AWS; that's why it's important that, prior to the workshop, you have an AWS account. That's all you need, a valid AWS account. Of course, it should be one that's separate from everything else you're doing. Don't use your work AWS account or anything that has production systems running. This is going to be a workshop, we're going to play around with things, so we want to make sure that we don't compromise any other systems there.

Perfect, thanks. And for the record, the workshop is at 3 p.m. Eastern, so in about 45 minutes. Let's go to some questions. I have some regarding Evelyn's talk. We have a question about password managers, and the question is as follows: what do you see as the role of password managers in addressing password reuse, but also shadow IT, and especially what you mentioned about zombie accounts, as you call them?

Thank you for the question; I think that's a great question. First of all, a password manager definitely helps solve the password reuse problem, but it only solves part of the problem; it does not completely solve the zombie account problem. Let's look at which problems it solves and which it does not. The good thing about a password manager is that it assigns a unique and randomized password for the user for each application, and it also fills in the password for the user whenever they need to log on. So practically the only thing the user of the password manager needs to remember is the master password. That significantly solves the problem of reusing passwords. But there are some professional-grade password managers, and there are some so-so ones that are not acceptable to use. A professional one should store all the application passwords in a very secure location, like the keychain of your mobile device or the credential manager of your Windows OS, for example. This kind of keychain should be tamper-proof, in the hardware chip. But if the password manager is not like that, it may just save all your passwords in local storage in plain text, with no encryption, which means that if your device, mobile or PC, gets compromised, it's even worse, because the attacker can get all your application passwords in a single file. So the problem is that the password manager also does not really solve the zombie problem completely unless you integrate it with a centralized identity management inventory. So I think the best way to do it is first to choose a very good password manager and secondly to integrate it with the centralized federation service in the corporate environment. That means the employee should use a single password manager, they single sign-on into that password manager, and the password manager helps to memorize all the external authentication passwords for the actual user. So the actual user does not need to remember anything more than the master password of the password manager, just like single sign-on, and the password manager helps to log on to everything. There are pretty good commercial products in the market to solve the problem; if you look up CyberArk or BeyondTrust, and sometimes people also refer to the commercial version of LastPass, they can help to solve the problem.

Thank you. Following Philip's talk, someone's asking if HRS applies to network appliances, if you've seen it or if you've been able to exploit it as well. A lot of enterprises, a lot of businesses, put network appliances in front of either their cloud or their applications and so on. So is HRS affecting those, or is it mostly software proxies like HAProxy and others?

It depends on what we mean by network appliances. Obviously it needs to have a proxy component for HTTP. The thing I would mention regarding appliances and providers in general at the moment: if there is one thing to test, either for your appliance or for a provider, it's the last attack I mentioned regarding HTTP/2. There was a recent article saying that of the cloud providers, some have fixes where they simply block the HTTP/2 upgrade, but most providers at the moment have refused to respond to a question from PortSwigger and don't want to give a status on whether it's fixed or not. So it's a good hint that most providers are not yet covering this. If it's a proxy that just detects and blocks malicious requests, usually, if the requests are initiated by your users internally, you shouldn't be too worried about request smuggling. But if it's an appliance that sits between the web and your web server, then you should be testing for request smuggling, because the threat makes sense.

Thanks. And maybe following that question...

Yeah, I was going to answer the second question on HRS.

Yeah, sure.

Somebody asked what the standards say regarding multiple Content-Length headers. I guess they refer to the HTTP standard. I'm not sure what the exact answer is regarding what the standards say, but usually it's the kind of thing where all the conditions like this are not explicitly mentioned. One thing I can say is that there is a recent bounty where multiple Content-Length headers could be accepted; there is a CVE for it on a Pylons component, a proxy for the Python Pylons framework. The thing you need to be aware of is that, even though there's a CVE saying it's exploitable with HRS, because it's HRS you need to have a back-end server, so your nginx or Apache server, that supports it, and since 2005 there is no web server that supports a double Content-Length; they will mark those as 400 Bad Request. So even if your proxy supports a double Content-Length at the moment, these are the kind of conditions that are just not supported by most web containers, so you shouldn't be worried too much about the double Content-Length, even if your proxy is something that has a known CVE, but make sure you're doing your updates. So this is something to keep in mind if you are doing tests and you want to test the exploitability of a certain CVE: sometimes the proxy might be known to have a vulnerability, but it will not be exploitable, because the back end, when it sees something fishy in the request, will just mark it as a bad request. So that was for the question from Jeffrey.

Yeah, thanks. Some questions for our friend Renzon. Have you used KAPE or any other forensic tools in your research?

I always use KAPE on some of the predominant cloud storage applications, but some of the enterprise tools, such as AXIOM from Magnet Forensics and Cellebrite, can easily do the job on other platforms. So I have to check if ownCloud and Nextcloud have a separate module in these enterprise tools, but give Eric Zimmerman a couple of months, or probably just weeks, and he'll probably make a parser for it. So I have to check on that. Tom, thanks for the question.

Thanks, Tom. And a follow-up question regarding the clouds you've tested: have you tried iCloud?

There was a great presentation by different DFIR folks related to iCloud already, so I can just share the link in our Discord channel to answer this question. I'm primarily working on a Windows environment right now, but due to my new gig I have to take time to get into Mac forensics, so probably I'll do that this year as well.

Thanks. It would be great; maybe you can show us next year.

Yeah, let's see.

Evelyn, I had some questions regarding your work on authentication. We're starting to see a lot more of the IdP being centralized, naming Azure B2B for instance, or OIDC and so on. Have you seen those being implemented, or how do you see the way they can help centralize even better than that?

I think a centralized IdP is extremely important, but we also need some level of segregation. Azure AD B2C is meant for the external clients of the company, but I do think that to manage the internal employee identity we need a segregated identity store. There are different technologies we can leverage; Azure AD B2B is a very good example. It tries to solve the problem that, if there are two companies that are partners and I want to let, for example, my vendor get into my company, the way it worked in the past, I would say, is quite messy. It's also really important to securely manage all the vendors that are helping us to do the job and do some troubleshooting. So B2B solutions in general, not only Azure, are so important for us to centralize the management of our suppliers where they need to go into the corporate environment. They are not exactly external clients, they are not internal employees, they are the suppliers. So I think that's the new trend; I'm very happy to see this kind of technology evolving.

Great, thanks. Maybe a more generalized question for Magno, and maybe Renzon and Philip as well. More and more we see apps developed in the cloud that are multi-tiered through different technologies, Kubernetes, HAProxy and so on in front, presentation layers and so on. Do you feel like one side of the stack is especially emphasized towards security while another is being left alone? We talked a lot about storage being self-hosted here with ownCloud and even Google Drive and so on, but Azure buckets are being left alone in that category, or in the same way EKS versus a standalone service, like just running Kubernetes on machines and virtual machines and so on. What I mean is that, throughout the layers of your application, do you feel that, especially for cloud security, one layer is being more attended to and emphasized compared to others?

Should I answer the question? Sorry, you're breaking up a little bit, it's hard to follow. It's a long question, so if you can try to shorten it, that might be better.

So the question is: when you consider a web application like Philip described, do you feel that people put emphasis on some technologies rather than others? Usually your security is as good as your weakest link. Do you feel that there is usually a weakest link when you build web applications and so on?

Oh, okay, yeah, for sure. When we start building in the cloud and adding new layers, adding containers and Kubernetes, all that stuff, you need to understand what's behind it, what's in the background, what kind of dependencies you have, libraries and other services that you rely on, so that you make sure those are safe as well. For example, there is a recent vulnerability that was released, I think two days ago, on runC, and runC is pretty much in every Docker container and in almost every Kubernetes cluster. So you need to realize that this is not a Kubernetes vulnerability, it's a runC vulnerability, the thing that makes your containers run. So I think the potential for many more supply chain attacks, if you may say that, is larger in the cloud, because it's harder for you to have visibility on what's in the background. So with the cloud and the cloud-native approach, they say that to have proper security you have to secure the four layers, the four C's: you have to secure the cloud, you have to secure the cluster, you have to secure the container, and there's one more C, you have to secure the code. So cloud, cluster, container and code; those are the four C's or four layers that you need to focus on, because it's not just about protecting one layer, you need to protect all of them.

Exactly. I just want to add something about that, just a couple of reminders: API keys are also being leveraged by different adversaries, and also misconfigurations, and lastly, IAM, or identity and access management, from the cloud perspective is so huge, so you've got to make sure that you keep up on securing this kind of approach.

Thank you. Following questions for Philip: you talked about the HTTP/1 vulnerability, and you mentioned you didn't really have time to do a demonstration for HTTP/2. Are you able to talk more about this? What's the difference between the two?

The main difference is that, from what I've seen and what I've tested, with HTTP/1 there are multiple risks and attacks. I mentioned cache poisoning, being able to bypass URL filtering, but also XSS and connection hijacking. With HTTP/2 as a vector, it's mainly bypassing URL filtering. With the proof of concept that was released late last year, let's say your host is company.com and you want to blacklist /test, or maybe a domain that is internal. With the new exploit, request smuggling with HTTP/2, what it allows you is to visit paths that were blocked, but also potentially hosts that are not exposed externally. The way it works is that you're not directly affecting requests from other users, but you're getting a direct link with the web server. In a nutshell, I won't do a long explanation, but basically you're doing a handshake that is similar to WebSocket, all in clear text, all in HTTP, but at the end you're communicating with HTTP/2, and if your proxy recognizes the upgrade from HTTP/2 to clear text, it will simply forward everything. So if it has this feature, and the same goes for WebSocket, you'll probably be able to bypass filtering to internal hosts and paths. That's the main vector for HTTP/2, so no XSS and no connection hijacking from what I saw.

Great, thanks. We have a question about Kubernetes secrets, Magno. What's your take on this? Do you have any thoughts on the way secrets are managed in K8s, and what you use as well? That would be great.

Sure. I don't want to say too much, otherwise I might be spoiling it for those attending the workshop, but just one thing to be aware of is that secrets in Kubernetes are not really secret by default. They're just base64 encoded, which, as you may know already, you can easily revert. So to properly secure your secrets in Kubernetes you need to do some extra stuff that's not enabled by default: you need to create an encryption configuration object and apply that to your etcd cluster, where all the components of Kubernetes are stored, and that's when it's going to encrypt that sensitive information, or secrets. Nowadays, if you don't know how to do that or think that's going to be a problem, you should probably use a third-party secret management solution, either from your own cloud provider or something like HashiCorp Vault. So that's the recommendation there.

Thank you. We have another question mixing multiple subjects again: assuming you have a Kubernetes infrastructure, how does request smuggling react? Is it easier or harder to attack and use? Philip?

To be honest, I didn't have time to do any tests with Kubernetes, so I'm not fully aware of the implications and how all the Kubernetes proxies react to these types of payloads. So sorry, I can't respond to this question.

No worries, thanks. I have more questions of my own, if you guys allow me. When we talk about cloud storage, cloud storage as a whole as a service, it's been around for almost 15 years now; it's one of the very first services we've seen from AWS, for instance, with S3. How do you feel about the way they've evolved over time? Do you think they've really improved? What do you think there is still to do regarding this?

I'm going to answer this from a forensic standpoint. Storage itself is one of the things that we look for when we're trying to get some fundamental artifacts while analyzing things. When you talk about cloud storage, from the cloud storage services that I mentioned in my talk, there's actually a difference between the different services. For example, Google Drive: if you delete something in Google Drive, it would be there forever. Once you delete it, of course, that's going to be in the recycle bin, and not every user is aware that it's not going to be deleted automatically; it's going to be there unless you have a full drive, like you're going to max out your storage, and then you'd probably empty the trash. When I tried to do some research, I saw some of my old files, even from 2013 or 2014, up until now. So maybe users need to be aware of the retention policy of every cloud provider out there, so that you don't mess up with old files that could potentially have sensitive information or personal information about yourself. So that's going to be it.

Great, thanks. Maybe a follow-up on that: we've seen in recent years the arrival of new services and new features, such as CASB, DLP features, data protection in Office 365, and you have it in Google Drive now and so on. Have you had the chance to test those? Do you have any thoughts on how they've evolved until today and what remains to be done with them?

Good question. From the enterprise side of these cloud storage services, they're kind of flexible now on what you want to log. For example, let's say AWS and Azure. In Azure, as per my understanding, correct me if I'm wrong, not everything can be logged, but from the AWS standpoint pretty much everything that you do from the cloud instance will be logged; even if we modify something, literally rename something, it will be logged. So it's still not perfect at the moment from a security standpoint, but I think the granularity of different log types could be a massive change in the next feature.

Thank you. Maybe a question for all of you: if we tie it in with Evelyn's talk, zero trust is becoming more and more popular. With COVID we have people working from home, storage is now centralized in the cloud, we're going to move towards zero trust, towards bring your own device and so on, and decentralize the actual documents, data and so on.

May you repeat the question? I understand the problem statement, but...

Yeah, the question is just: do you see zero trust becoming more and more popular in 2022 and so on?

Oh yeah, of course, considering COVID itself. Definitely, I would say yes. It's not an easy problem to solve, but I think the good thing is that when we move a lot of things to the cloud, we can use machine learning and intelligence better, so we are more ready to embrace the zero trust model, which we couldn't do before, because in the past we just shut our door, we used firewall policies to put the control in place. With the zero trust model we do the same thing but smarter: we enforce the policy dynamically instead of just some fixed firewall policy. So yeah, definitely yes, we're hoping.

Yeah. And on spending way more and being able to store more confidential data: a lot of big enterprises are against using the cloud for these specific reasons, right?

I'm sorry, can you repeat the question, Max?

Yeah, sure. I was just asking if you see cloud storage being expanded further, being used further for confidential data by enterprises and so on. Do you think they're going to go down that path even though they're not necessarily open to it today?

There's actually a feature called Files On-Demand; that's one of the great features of cloud storage services, wherein essentially, if you install an application of a cloud storage service on an endpoint, with Files On-Demand most of the files that you have in the cloud don't need to be stored locally, so that saves you a lot of time, but from the user side they can access them anytime they want. So that's one thing that could potentially be a big thing as well; they can expand it further. So for cloud storage I can see huge, or exponential, growth into that. This is not really a common topic that has been discussed by the infosec community, but there could be a large footprint, and this could also be a very good thing when we are dealing with different types of incidents, and so on and so forth.

Thanks, Renzon. Again, thanks everyone for the Q&A and your talks. I hope people are interested in the Kubernetes workshop as well; this looks super interesting. Thanks for your time and thanks for sharing your knowledge.

Thank you very much. Thank you.