No-Slop Research & Human Thoughts on Security

Topic

vuln

A collection of 2 issues

Working as Intended - The Unauditable, Unmanageable Keys in Google Cloud

This blog outlines three vulnerabilities with user-associated HMAC keys in Google Cloud. Vulnerability #1 - Insufficient Logging Vulnerability #2 - Unmanagable Long-Term Credentials Vulnerability #3 - Unauditable Long-Term Credentials TLDR; * HMAC keys serve a practical purpose. They can be used to create Sigv4 signed headers used to authenticate against the

Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service

But how would you distinguish between legitimate backup activity and malicious data exfiltration on AWS S3? In this blog post, I walkthrough a malicious use of the S3 Replication service and how selective data event logging on the S3 service will result in a gap in S3 exfiltration visibility since