WSR: #16: April 3rd - 10th 2022
Ear2Ground.py, Zero Trust, and Publicly Exposed S3 Buckets
Published: April 10, 2022 | Reading Time: 3 minutes
This Week’s Recap
4/4/2022
- Decided to not do anything security related since I had spent the entire previous weekend doing nothing but work/security stuff
4/5/2022
- Noticed I kept seeing people on Twitter talking about “Zero Trust” but I couldn’t find anyone who could define what it actually was.
- Spent most of the day reading this fascinating document from NIST on Zero Trust Architecture, which cleared up a lot of confusion.
- Key takeaways
- I 100% get why people dislike this.
- A full “ZT” environment seems VERY expensive
- Most companies are not anywhere close to the security maturity level needed to even think about zero trust
- Vendors saying it in every other sentence
- Might have scaling issues
- Complexity is usually not better
- Most people who trash zero trust don’t really even know what it means.
- I think it presents an interesting issue from a pentesting perspective. Take this logical diagram for example:
- How can you bypass a policy engine (PE) or policy enforcement point (PEP)?
- AKA: How can you make the PE trust you?
- DoS suddenly becomes very scary (again?). If I can DoS your policy engine or enforcement point I can bring down your network very quickly.
- There are a lot of similarities to other frameworks. This seems to be the “oh you reached security level 99, here is some bonus stuff you can do now.”
- With that being said, I still think it’s an interesting thing to keep an eye on.
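The availability point above is the one I would want to see in code: what a PEP does when the PE stops answering. The toy below is an added illustration written for this roundup, not code from the post or from NIST SP 800-207; the class names, the `available` flag standing in for an overloaded PE, and the bounded grant cache are all my assumptions. It shows a PEP that fails closed (no fresh access without a PE decision) while letting a still-valid earlier ALLOW survive a short outage, so a PE outage degrades rather than instantly blackholes the network.

```python
"""Toy policy enforcement point (PEP) that fails closed when its policy
engine (PE) is unreachable. Added illustration; names, the `available`
flag and the grant cache are assumptions, not anything from NIST 800-207."""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    subject: str          # who is asking (identity)
    device_healthy: bool  # device posture signal, as the PE would see it
    resource: str         # what they want to reach


class PolicyEngine:
    """Stand-in PE with one static rule set. `available = False` simulates
    a PE that is down or too overloaded to answer (the DoS case)."""

    def __init__(self, allowed: dict[str, set[str]]):
        self.allowed = allowed
        self.available = True

    def decide(self, req: AccessRequest) -> bool:
        if not self.available:
            raise TimeoutError("policy engine unreachable")
        return req.device_healthy and req.resource in self.allowed.get(req.subject, set())


@dataclass
class PolicyEnforcementPoint:
    pe: PolicyEngine
    cache_ttl: float = 60.0
    # (subject, resource) -> expiry time of the last ALLOW decision
    _grants: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def enforce(self, req: AccessRequest, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        key = (req.subject, req.resource)
        try:
            allowed = self.pe.decide(req)
        except TimeoutError:
            # Fail closed: nothing new is granted without the PE. Only an
            # unexpired cached ALLOW for the same subject/resource survives.
            # Trade-off: a cached grant cannot re-check device posture.
            allowed = self._grants.get(key, 0.0) > now
            self.log.append(f"PE unreachable; {req.subject}->{req.resource} "
                            f"{'kept' if allowed else 'denied'} (cached)")
            return allowed
        if allowed:
            self._grants[key] = now + self.cache_ttl
        else:
            self._grants.pop(key, None)  # a fresh DENY evicts any old grant
        self.log.append(f"PE decision {req.subject}->{req.resource}: {allowed}")
        return allowed


def run_scenario() -> tuple[list[bool], list[str]]:
    """Constructed scenario: normal decisions, then a simulated PE outage."""
    pe = PolicyEngine({"alice": {"hr-db"}})
    pep = PolicyEnforcementPoint(pe, cache_ttl=60.0)
    results = [
        pep.enforce(AccessRequest("alice", True, "hr-db"), now=0.0),   # allowed, cached
        pep.enforce(AccessRequest("bob", True, "hr-db"), now=0.0),     # denied by PE
    ]
    pe.available = False  # PE goes dark (simulated DoS)
    results += [
        pep.enforce(AccessRequest("alice", True, "hr-db"), now=10.0),   # kept via cache
        pep.enforce(AccessRequest("bob", True, "hr-db"), now=10.0),     # still denied
        pep.enforce(AccessRequest("alice", True, "finance"), now=10.0), # never granted: denied
        pep.enforce(AccessRequest("alice", True, "hr-db"), now=100.0),  # cache expired: denied
    ]
    return results, pep.log


if __name__ == "__main__":
    outcome, log = run_scenario()
    print(outcome)
    print("\n".join(log))
```

The interesting knob is `cache_ttl`: zero gives a pure fail-closed PEP, where losing the PE means losing every resource at once, and a large value keeps the network up through an outage at the cost of acting on stale posture. Either way no request that the PE never approved gets through, which is the property you want to check when someone waves the zero trust banner.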
4/6/2022
- Started working on a project called “Ear2Ground” that I plan on releasing within the next few weeks. Here is a sneak peek :)
- I wanted to create a project that wasn’t just a collection of scripts. The goal with this is to get better at breaking my code down into functions based on the objective of the code.
4/7/2022
- Added more functionality to e2g and fixed a lot of bugs. Also learned that Python didn’t have a case switch statement until match was added in Python 3.10…
4/8/2022
- Worked more on e2g
- Discovered GrayhatWarfare which just shows you random public S3 buckets. Some of these are intentionally set to public but TONS of them are obviously not meant to be public.
- Just looking for a few minutes you can see contracts, legal documents, and more.
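A bucket ends up in a listing like that because something in its policy or ACL grants access to everyone. The snippet below is an added example for this roundup, not code from the post or from the GrayhatWarfare project; it reads a constructed bucket policy (the bucket name, account id and org id are placeholders) and flags Allow statements whose principal is the wildcard, separating ones with no Condition (plainly public) from ones that are only conditionally open and need a human look.

```python
"""Flag bucket-policy statements that grant access to everyone.
Added example; the policy below is constructed for illustration."""
from __future__ import annotations

import json

# Constructed sample policy: placeholder bucket, account and org ids.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _is_wildcard_principal(principal) -> bool:
    """True for the forms AWS accepts as 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def classify_policy(policy_json: str) -> dict[str, str]:
    """Return {Sid: "public" | "conditional"} for every Allow statement
    whose principal is the wildcard. Deny statements are ignored: a Deny
    to "*" is a common hardening pattern, not an exposure."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be bare
        statements = [statements]
    findings: dict[str, str] = {}
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{i}")
        findings[sid] = "conditional" if st.get("Condition") else "public"
    return findings


if __name__ == "__main__":
    for sid, verdict in classify_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {verdict}")
```

Two caveats for anyone turning this into a real check: the bucket policy is only one of the exposure paths (object and bucket ACLs are the other), and S3 Block Public Access, when enabled at the account or bucket level, overrides a public policy like `PublicRead` above, so a "public" finding here means "public unless Block Public Access is on".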
4/9/2022
- Decided to fully refactor e2g to be more… presentable(?) by actually breaking code functionality into functions. This way it’ll be much easier to add new companies and features.
- The homie @huskyhacksMK started releasing his notes which is very cool to see. Also part of the reason I started this roundup. It’s a way to “focus on the process rather than the results”.
4/10/2022
- Added some more functionality to e2g and getting it ready for release on GitHub. I will probably post it next week when I make it a little more “presentable”. Here is what the output currently looks like
Have any questions
Do you have any questions? Feel free to reach out to me on Twitter. See you next Sunday. :)