WSR: #16: April 3rd - 10th 2022

Ear2Ground.py, Zero Trust, and Publicly Exposed S3 Buckets

Published: April 10, 2022

Reading Time: 3 minutes

This Week’s Recap

4/4/2022

  • Decided to not do anything security related since I had spent the entire previous weekend doing nothing but work/security stuff

4/5/2022

  • Noticed I kept seeing people on Twitter talking about “Zero Trust” but I couldn’t find anyone who could define what it actually was.
  • Spent most of the day reading this fascinating document from NIST on Zero Trust Architecture, which cleared up a lot of confusion.
  • Key takeaways
    • I 100% get why people dislike this.
      • A full “ZT” environment seems VERY expensive
      • Most companies are not anywhere close to the security maturity level needed to even think about zero trust
      • Vendors saying it in every other sentence
      • Might have scaling issues
      • Complexity is usually not better
      • Most people who trash zero trust don’t really even know what it means.
    • I think it presents an interesting issue from a pentesting perspective. Take this logical diagram for example:
      • How can you bypass a policy engine (PE) or policy enforcement point (PEP)?
        • AKA: How can you make the PE trust you?
      • DoS suddenly becomes very scary (again?). If I can DoS your policy engine or enforcement point, I can bring down your network very quickly.
    • There are a lot of similarities to other frameworks. This seems to be the “oh you reached security level 99, here is some bonus stuff you can do now.”
  • With that being said, I still think it’s an interesting thing to keep an eye on.

4/6/2022

  • Started working on a project called “Ear2Ground” that I plan on releasing within the next few weeks. Here is a sneak peek :)
  • I wanted to create a project that wasn’t just a collection of scripts. The goal with this is to get better at breaking my code down into functions based on the objective of the code.

4/7/2022

  • Added more functionality to e2g and fixed a lot of bugs. Also learned that Python didn’t have a switch/case statement until match was added in Python 3.10…

4/8/2022

  • Worked more on e2g
  • Discovered GreyHatWarfare which just shows you random public S3 buckets. Some of these are intentionally set to public but TONS of them are obviously not meant to be public.
  • Just looking for a few minutes you can see contracts, legal documents, and more.

4/9/2022

  • Decided to fully refactor e2g to be more… presentable(?) by actually breaking code functionality into functions. This way it’ll be much easier to add new companies and features.
  • The homie @huskyhacksMK started releasing his notes, which is very cool to see. Also part of the reason I started this roundup. It’s a way to “focus on the process rather than the results”.

4/10/2022

  • Added some more functionality to e2g and getting it ready for release on GitHub. I will probably post it next week when I make it a little more “presentable”. Here is what the output currently looks like:

  • Published this blog :)

Have any questions?

Do you have any questions? Feel free to reach out to me on Twitter. See you next Sunday. :)