You installed very cool container security tool on every Kubernetes cluster in your enterpise. Some containers crush or hang, REST calls don’t work. Can we decompile the software to analyze what’s wrong? Yes, provided that we are in EU (see: https://eur-lex.europa.eu/EN/legal-content/summary/computer-programs-legal-protection.html) Decompilation * Prior authorisation from the rights-holder is not…

Incident Response on AWS EC2 instance is easy. You need remote access and you just execute Incident Response script. What about EC2 instance hosting Kubernetes node without remote access to host OS? We can use privileged pod with host filesystem mounted. CONTAINERD=$(ps aux | grep -c “/usr/bin/containerd-shim-runc-v2”) INSIDE_PRIV_CONTAINER=0 [ $CONTAINERD -gt 0…

Mature organization uses internal reusable Malware Scanning API. Except clamav and standard command-line anti-virus Cyber Defence Center can expose as API malware detonation sandbox. Malware should not be run in a standard container because it can escape and infect the host. It should be run in the Firecracker or Kata…

The observation that people using complex, heavy and formal security frameworks miss and don’t understand very basic security gaps of modern IT ecosystem led me to the decision to write about the need for simple cloud threat modelling. Well established security frameworks are very formal and resemble waterfall. In ever…

What does it mean that an ideal malware tool should not be detected by a standard anti-virus? It means that a very basic detection mechanism via file hash should be evaded. Having enough money an attacker mounting a targeted attack can create a compilation pipeline generating a unique malware executable…