Monthly archives: October 2018


GitHub webhooks with Serverless


Just because you have a webhook doesn't mean you need a web server.

With AWS Lambda you get a free (as in beer, within the Lambda free tier) and always-on way to receive webhook callbacks without the need for pesky servers. In this post, I'll set up a serverless endpoint that accepts the incoming POST from a GitHub webhook.
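What a minimal version of that Lambda looks like, as an added example (not the code from the original post), in Python since the rest of govScan is Python. It assumes an API Gateway Lambda proxy integration, so the raw request body arrives in event["body"], and a shared secret in a GITHUB_WEBHOOK_SECRET environment variable (the fallback is a constructed demo value; the sample payload is constructed too). The security-relevant part: GitHub signs every delivery with an HMAC over the raw body using the secret you set on the hook, and the function refuses anything whose signature does not verify, because an always-on public URL will otherwise accept POSTs from anyone.

```python
"""Added example: GitHub webhook receiver for AWS Lambda behind API Gateway.

Assumptions (not from the original post): Lambda proxy integration, and the
webhook secret in GITHUB_WEBHOOK_SECRET; the fallback is a constructed demo
secret so the module runs offline.
"""
import base64
import hashlib
import hmac
import json
import os

WEBHOOK_SECRET = os.environ.get("GITHUB_WEBHOOK_SECRET", "constructed-demo-secret").encode()


def sign(secret, body):
    """The X-Hub-Signature value GitHub sends: 'sha1=' + hex HMAC-SHA1 over the raw body.

    GitHub also sends X-Hub-Signature-256, the same construction over SHA-256.
    """
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_signature(secret, body, header_value):
    """True only if header_value is the correct HMAC of body under secret.

    Compared in constant time: a plain == would leak, through response timing,
    how many leading bytes of a forged signature are correct.
    """
    if not header_value or not header_value.startswith("sha1="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def raw_body(event):
    """Return the request body exactly as GitHub sent it, as bytes.

    The MAC covers the raw bytes, so verify before parsing and never
    re-serialise the JSON first: reordered keys or whitespace break the MAC.
    """
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def handler(event, context=None):
    """Lambda entry point for an API Gateway proxy event."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    body = raw_body(event)

    if not verify_signature(WEBHOOK_SECRET, body, headers.get("x-hub-signature")):
        # Reject before touching the payload, and do not say which check failed.
        return {"statusCode": 401, "body": json.dumps({"error": "invalid signature"})}

    gh_event = headers.get("x-github-event", "")
    if gh_event == "ping":
        # GitHub sends a ping when the hook is created; a 200 confirms delivery works.
        return {"statusCode": 200, "body": json.dumps({"msg": "pong"})}

    payload = json.loads(body)
    repo = payload.get("repository", {}).get("full_name")
    return {"statusCode": 200, "body": json.dumps({"event": gh_event, "repository": repo})}


def make_event(body, signature, gh_event="push"):
    """Build a constructed API Gateway proxy event, for running this offline."""
    headers = {"X-GitHub-Event": gh_event}
    if signature is not None:
        headers["X-Hub-Signature"] = signature
    return {"headers": headers, "body": body.decode("utf-8"), "isBase64Encoded": False}


if __name__ == "__main__":
    sample = b'{"repository": {"full_name": "example/repo"}}'  # constructed payload
    print(handler(make_event(sample, sign(WEBHOOK_SECRET, sample))))        # 200
    print(handler(make_event(sample, sign(b"wrong-secret", sample))))       # 401
```

The secret is configured once on the GitHub side (the "Secret" field of the hook) and once as the Lambda environment variable; nothing else about the request (source IP, User-Agent) is worth trusting, since anyone can set those.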


govScan.info now has DNS records

DNS Queries on GovScan.Info

This post is a very quick brain-dump of stuff I did over the weekend, in the hopes that I don't forget it :). I'll post more in-depth material if time permits over the weekend.

govScan.info, a site I created as a side hobby project to track TLS implementation across .gov.my websites, now tracks DNS records as well. For now, I'm only tracking MX, NS, SOA and TXT records (the TXT lookups are mostly to check for DMARC, which is published as a TXT record at _dmarc.<domain>), but I may add more record types later.

DNS records are queried daily at 9:05pm Malaysia time (possibly a minute or two later, depending on the domain name) and are stored indefinitely. Historical records can be queried via the API, and the documentation has been updated.
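The DMARC check those TXT lookups feed, as an added example (not govScan's own code): parse the record at _dmarc.<domain> and grade what it actually enforces. The sample answers are constructed with placeholder domains, not real .gov.my data; the grading rules follow RFC 7489 (v=DMARC1 must be the first tag, more than one record means no policy, a missing p with a rua is treated as p=none).

```python
"""Added example: parse and grade DMARC TXT records (stdlib only, offline)."""

VALID_POLICIES = ("none", "quarantine", "reject")


def dmarc_name(domain):
    """The DNS name whose TXT records hold the DMARC policy for domain."""
    return "_dmarc." + domain.rstrip(".")


def parse_dmarc(txt):
    """Split a TXT value into its DMARC tags, or None if it is not a DMARC record.

    RFC 7489: tags are 'name=value' pairs separated by ';', and 'v=DMARC1' must
    be the first tag, so an SPF record at the same name is ignored, not misread.
    """
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    parts = [p for p in parts if p]
    if not parts:
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def assess_dmarc(txt_values):
    """Grade all TXT values found at _dmarc.<domain>.

    Returns 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'.
    'partial' covers p=quarantine and any pct below 100: mail that fails
    authentication can still reach an inbox.
    """
    records = [r for r in (parse_dmarc(v) for v in txt_values) if r is not None]
    if not records:
        return "missing"
    if len(records) > 1:
        # RFC 7489 6.6.3: multiple DMARC records -> receivers apply no policy at all.
        return "invalid"
    rec = records[0]
    policy = rec.get("p")
    if policy is None and rec.get("rua"):
        policy = "none"  # RFC 7489 6.6.3: no valid p but a rua is treated as p=none
    if policy not in VALID_POLICIES:
        return "invalid"
    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none" or pct == 0:
        return "monitor-only"
    if policy == "quarantine" or pct < 100:
        return "partial"
    return "enforcing"


# Constructed TXT answers for _dmarc.<domain>, keyed by placeholder domain.
SAMPLE_TXT = {
    "enforcing.example": ['"v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"'],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "halfway.example": ["v=DMARC1; p=quarantine; pct=50"],
    "spf-only.example": ["v=spf1 include:_spf.example -all"],
    "broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def grade_all(answers=SAMPLE_TXT):
    """Grade every domain in answers; returns {domain: grade}."""
    return {d: assess_dmarc(txts) for d, txts in answers.items()}


if __name__ == "__main__":
    for domain, grade in grade_all().items():
        print(f"{dmarc_name(domain):32} {grade}")
```

To feed it live answers with dnspython, resolve `dmarc_name(domain)` for TXT and join each answer's `strings` (a long record may be split into several quoted strings, which must be concatenated before parsing); a NXDOMAIN or empty answer is the 'missing' case.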


Supply Chain Woes

The security community has been abuzz over an absolute shocker of a story from Bloomberg. The piece reports that the Chinese government subverted the hardware supply chain of companies like Apple and Amazon by installing a 'tiny chip' on motherboards manufactured by a company called Supermicro. What the chip did, or how it did 'it', was left mostly to the reader's imagination.

Supermicro's stock price is down a whopping 50%, which goes to show just how credible Bloomberg is as a news organization. But besides the Bloomberg story and its sources (all of them unnamed), no one else has come forward with any evidence to corroborate the piece. Instead, both Apple and Amazon have vehemently denied nearly every aspect of the story, leaving us all bewildered.

But Bloomberg is sticking to its guns, and it does have credibility, so let's wait and see. For now, let's put this in the bucket called 'definitely could happen, but probably didn't happen'.

I can only imagine how hard it must be to secure a modern hardware supply chain, but the reason for this post is to share my experience with some software supply chain conundrums that hit a recent project of mine.

I operate (for fun) a website called GovScan.info, a Python-based application that scans various gov.my websites for their TLS implementation (or lack thereof). Every part of the architecture is written in Python 3.6, including a scanning script and multiple Lambda functions exposed via an API, and the entire codebase is available on GitHub.

And thank God for GitHub, because in early August I got a notification from GitHub alerting me to a vulnerability in my code. But it wasn't a vulnerability in anything I wrote; instead it was in a third-party package my code depended on.


Hosting a static website on S3 and Cloudflare

Hosting an S3 site via Cloudflare

From my previous post, you can see that I hosted a slide show on a subdomain, hitbgsec.keithrozario.com. The site is just a Keynote presentation exported to HTML, which I then hosted in an S3 bucket.

The challenge I struggled with was how to point the subdomain, whose DNS I host on Cloudflare, at the S3 endpoint serving the static content.

The recommended way is to create a simple CNAME entry pointing at the S3 bucket's website endpoint, but that didn't work, because Cloudflare's SSL mode (found under the 'Crypto' tab at the time) is set for the whole zone, not per subdomain (a Page Rule can override it for a URL pattern, but that is a per-rule workaround rather than a per-subdomain setting).

And since my main site at www.keithrozario.com had the SSL mode set to 'Full', the plain CNAME kept failing: in 'Full' mode Cloudflare fetches from the origin over HTTPS, and S3 website endpoints only serve plain HTTP. I could have downgraded to 'Flexible', but that would have downgraded my blog as well, which wasn't ideal.

Why downgrade my main blog to accommodate a relatively unimportant subdomain?

Instead, I found that the solution is to put a CloudFront distribution in front of the S3 bucket and point the CNAME entry at the distribution.

The solution looks something like this:
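The same layout written out as a CloudFormation template. This is an added example, not the template or console steps from the original post. It assumes the hostname from the post (hitbgsec.keithrozario.com) and an ACM certificate for that hostname already issued in us-east-1 (CloudFront only accepts certificates from that region), passed in as a parameter. Unlike an S3 website endpoint, which has to be world-readable, the bucket here stays private and is readable only through a CloudFront origin access identity.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - CloudFront in front of a private S3 bucket, behind a Cloudflare CNAME

Parameters:
  SiteHostname:
    Type: String
    Default: hitbgsec.keithrozario.com      # the subdomain from the post
  AcmCertificateArn:
    Type: String                             # assumed: ACM cert for SiteHostname, issued in us-east-1

Resources:
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:        # nothing in this bucket is public; CloudFront reads it
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub "OAI for ${SiteHostname}"

  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Statement:
          - Effect: Allow                    # only the OAI may read objects
            Principal:
              CanonicalUser: !GetAtt OriginAccessIdentity.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub "${SiteBucket.Arn}/*"

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref SiteHostname                # must match the Host header Cloudflare forwards
        DefaultRootObject: index.html
        Origins:
          - Id: s3-origin
            DomainName: !GetAtt SiteBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${OriginAccessIdentity}"
        DefaultCacheBehavior:
          TargetOriginId: s3-origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2018

Outputs:
  CloudflareCnameTarget:
    Description: Point the Cloudflare CNAME for SiteHostname at this name
    Value: !GetAtt Distribution.DomainName
```

After the stack deploys, create the Cloudflare CNAME for the subdomain with the CloudflareCnameTarget output (a *.cloudfront.net name) as its target. Because CloudFront now terminates TLS for that hostname with a valid certificate, Cloudflare's 'Full' mode works, and 'Full (strict)' would too. One caveat: with a REST origin and an OAI, the website endpoint's index-document behaviour is gone; DefaultRootObject only covers the root path, so links into subdirectories must name index.html explicitly.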


Keith’s on #HITBGSEC

I haven’t blogged in a long while — but I have a good(ish!) excuse. I spent most of August prepping for the #HITBGSEC conference in Singapore. It was my first time presenting at a security conference, and I had an…