Phew, what a week. I hope you and your loved ones are safe, and not feeling too cooped up. Let’s get gather around a metaphorical security fireplace and share links.
On Monday I had the opportunity to join John Kinsella and Mike Shema for episode #100 of the Application Security Weekly podcast. We chatted about modern AppSec best practices, DevSecOps, asset inventory, and more.
Obligatory COVID-19 Section
If you’re like me, you’re probably feeling COVID-19 going on 100 years old with the relentless news coverage and social media armchair theorizing. So I’ll be brief.
- Avoid touching your face, wash your hands (often) for 20 seconds, practice social distancing, consider having 2 weeks of food.
- https://www.flattenthecurve.com/, arch nemesis of the connoisseur of curves, Sir Mix-A-Lot.
- This SF Chronicle article has a bit more local Bay Area context about the events leading up to the “shelter in place” directive.
- This Coronavirus II Last Week Tonight with Jon Oliver summarizes the commonly agreed upon best practices you probably already know. But you might find it interesting to watch, as they filmed it in a different location with minimal crew/set/effects (their normal location was evacuated).
Don’t Let Congress Kill Encryption
Between being slow to act on the pandemic and potentially giving each other coronavirus, Congress thought: how can we make things even better?
Enter the Graham-Blumenthal “EARN IT” Act, which “opens the door for the government to require new measures to screen users’ speech and even backdoors to read your private communications- a stated goal of one of the bill’s authors.”
Congress has tried to pass crappy Internet bills before, but online campaigns actually worked to stop them! (e.g. SOPA/PIPA).
Please take 2 minutes to sign the petitions:
📜 In this newsletter...🔗 Links:
- Web Security: Using CSP with multiple policies
- Cloud Security: Visual summary of several AWS services, 7 ways AWS can fix the public S3 bucket problem, an open source AWS cyber range, Sigma detection rules for AWS events, cloud WAF comparison, AWS's new open source OS for container hosting
- Red Team: Writing forensic and attribution resistant malware, a malware family using Cloudflare workers for C2, published former Black Hat course on C/C++ vulnerability discovery, a fake SSH backdooring tool
- Blue Team: A free malware repository for researchers, tool to spam phishing domains with fake creds
- Politics / Privacy: Clearview uses before it became a popular punching bag, leaked docs describe censorship policies on TikTok, Russian trolls trying to fuel racial tensions in the US, Trail of Bits' assessment of a mobile voting platform
- Compensation: How to calculate and communicate your desired total compensation, lengthy guide on equity, a stream of verified tech salaries
- Misc: View a file in VS Code -> code execution 😅
Excellent, practical, and fun advice from Latacora on making your SOC2 journey easier.
Using Content-Security-Policy with multiple policies
“tl;dr; all policies are enforced equally, any of the polices can block the overall resource/request.”
As always, thanks Marco Lancini for sharing some great links that informed this section 🙏
The good parts of AWS - A visual summary
Nice entry level tl;dr of DynamoDB, S3, EC2, Lambda, SQS & Kinesis, and ELB: core features, when to use, when not to use, etc., with some nice visualizations, by Hassen Chaieb.
7 Ways AWS Can Fix Its Public S3 Bucket Problem
I like the meta ideas behind this post. Specifically:
- Secure defaults and making the secure things easy
- (#1) Decouple public access from buckets entirely
- (#7) Disable public buckets that have never received public traffic
- Adding friction to make the insecure things hard
- (#5) Require a two-person developer opt-in to make a bucket public
- (#6) Enforce a waiting period: for existing buckets with data, require that the user re-confirms their choice to make a bucket public after 24 hours
The first was a consistent theme in my BSidesSF 2020 talk (slides, video), but I didn’t touch on the latter much.
Trying to only ban something engineers want to do will likely cause them to work
around you. Instead, consider doing a combination of a) making the secure way easy and
b) making the insecure way hard. Easier said than done, but I think it’s a useful
frame of reference to have.
The Open-Source AWS Cyber Range
“A bootstrap framework for a complete offensive, defensive, reverse engineering, & security intelligence tooling in a private research lab using the AWS Cloud.” It contains vulnerable systems and a toolkit of the most powerful open-source / community edition tools and provides a researcher with a disposable offensive / defensive AWS-based environment in less than 5 minutes.
Detection Rules for AWS events
Some Sigma rules for detecting important AWS events, including disabling, deleting or updating a (Cloud) trail, disabling the AWS Config Service, and detecting usage of the root account.
Cloud WAF Comparison Using Real-World Attacks
The authors tested the Azure Application Gateway WAF (using CRS 3.1 rules from OWASP), Barracuda WAF-as-a-Service (using Barracuda managed rules), and the AWS WAF using Amazon and Fortinet managed rules.
Azure WAF (with OWASP CRS 3.1 rules) was the clear winner and the only service that performed well. What comes to the AWS and Barracuda offerings, the security benefit for protecting against some of the most common attack types is flaky at best.
Looking at the payloads and rejected responses, it is difficult to draw many conclusions on the internal workings of the WAFs. Sometimes the behavior is downright confusing and hilarious.
Bottlerocket – Open Source OS for Container Hosting
AWS released Bottlerocket, a new Linux-based OS designed and optimized specifically for use as a container host. Instead of a package update system, Bottlerocket uses a simple, image-based model that allows for a rapid & complete rollback if necessary. It’s update system includes an implementation of The Update Framework (TUF).
Offensive threat modeling & IOC-proof ID generation
Developmental tradecraft for offensive software development: how to write forensic and attribution resistant software.
BlackWater Malware Abuses Cloudflare Workers for C2 Communication
This approach makes sense: gives you global distribution, hides the actual C2 from easy inspection, and makes blocking the C2 traffic difficult unless the whole Cloudflare worker space is banned.
Modern Memory Safety: C/C++ Vulnerability Discovery, Exploitation, Hardening
Slides and code examples for Chris Rohlf’s Black Hat USA training class. The original training focused mainly on browser vulnerability discovery and exploitation; the current version also covers custom memory allocators, hardening concepts, and exploitation at a high level.
“A fakessh-client that manipulates the TTY input/output to execute arbitrary commands and upload itself through the SSH connection.”
A free malware repository providing researchers access to samples, malicious feeds, and Yara results. Related: https://vxug.fakedoma.in/.
utkusen / jeopardize
“Detects registered phishing domain candidates (typosquatting, homograph etc.), analyzes them and assigns a risk score to them. Then, it sends valid-looking credentials to the login forms on those phishing sites” to waste the attacker’s time 🤣
Politics / Privacy
Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich
Some billionaires were using Clearview AI before it blew up in the news for important purposes like finding out who’s on a date with your daughter, stopping people from stealing Haagen-Dazs from your grocery store, and as a party trick.
TikTok: Invisible Censorship
In an article that should surprise exactly no one, The Intercept describes internal TikTok documents that instructed moderators to “suppress posts created by users deemed too ugly, poor, or disabled for the platform” and “censor political speech in TikTok livestreams, punishing those who harmed ‘national honor’.”
“Other moderation documents obtained by The Intercept indicate that TikTok has influenced content on its platform not just by censoring videos and disappearing users, but by padding feeds with content from ‘shadow accounts’ operated by company employees posing as regular users.”
Russian trolls are running fake news operations out of Africa to fuel racial tensions in US
“Russian-linked accounts have been posing as non-governmental organisations and posting celebrity gossip in a sophisticated operation designed to stoke racial tensions in the US, Facebook has said. Both Facebook and Twitter overnight removed accounts which were attempting to sow discord around issues such as race and civil rights.”
Our Full Report on the Voatz Mobile Voting Platform
Report by Trail of Bits. Includes the security assessment’s technical findings and a threat model containing architectural and operational findings.
How to Calculate and Communicate Your Desired Total Compensation
Nice blog post by Daniel Miessler on important aspects when considering your total compensation, including benefits, sign-on bonus, recurrinig bonuses, 401K, recurring RSUs, sign-on RSUs, and salary.
The Holloway Guide to Equity Compensation
A lengthy, detailed guide on stock options, RSUs, job offers, taxes, and more, explained from the ground up. Impressively useful.
levels.fyi Salary Stream
“A digest of verified salaries sent weekly. Users upload Offer Letters, W2s, etc. We extract the relevant numbers and share the anonymous data back with you.”
Don’t Clone That Repo: Visual Studio Code^2 Execution
From Doyensec’s Filippo Cremonese: “VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.” PoC repo with malicious code buried deep at site-packages/pylint/lint.py.
Attack vectors like these seem (currently) underexploited, high value, and pretty tough to detect. I actually called out hiding backdoors in common language package directories in Noah Beddome and I’s BlackHat 2017 talk “Developing Trust and Gitting Betrayed” (slides, video).
📚 The SOC2 Starting Seven
This no-nonsense, snarky post by Latacora is one of the best articles I’ve read recently about practical, high ROI steps to improve your company’s security posture. It is excellent and worth your time reading.
The post focuses on seven things you can do to simplify your SOC2 journey, which you’ll need if you want to sell your product to big companies. The earlier you can do these, the easier it will be.
- Single sign-on: Use something like Okta or Google Cloud Identity, tie as many first and third-party apps to it, and force 2FA.
- PRs, Protected Branches, and CI/CD: Lock your deploy branch and require PRs approval to merge to it. Automate deployment.
- Centralized Logging: Pick a logging service with alerting and use it for everything.
- Terraform or something: Do your cloud provisioning with something like Terraform, keep the configs in Github, and use the same PR process as you do for code.
- CloudTrail and
AssumeRole: Enable CloudTrail logs and require your team to use
AssumeRoleto get to anything interesting in your AWS configuration.
- MDM: Pick an MDM system (like Jamf Pro. I’ve heard good things about Fleetsmith), install it on all your desktops and laptops, and then use it to make sure everyone’s got encrypted disks and up-to-date patches.
- VendorSec: Track all the software you subscribe to, buy, or install in a spreadsheet and start doing some simple risk tracking.
- For SAAS subscriptions, review their security documentation and ask for the report from their last public penetration test and and their SOC2 report.
Bonus snark / advice:
“SOC2 will help you get your security house in order and build a foundation for security engineering”. No. Go outside, turn around three times, and spit. Compliance is a byproduct of security engineering. Good security engineering has little to do with compliance.
If there is one thing to understand about SOC2 audits, it’s: SOC2 is about documentation, not reality. SOC2 audits are performed by accountants, not pentesters. You’ll tell your audit team what security things you try to do. They’ll call upon the four cardinal directions of ontology in a ceremony of shamanic accountancy. They’ll tell you those security things are just fine.
Every CSO we’ve asked has SSO in their top 5 “first things they’d do at a new company”.
Other high ROI security activities:
- Force AWS MFA, and get your engineering team to use aws-vault. aws-vault stores AWS credentials in your OS keychain and mints new sessions from them as needed. It’s actually easier to use than the AWS “credentials” file, and much more secure.
- VPN to Admin Console and SSH: Put your admin consoles behind a VPN, link the VPN to SSO, and then nobody gets any admin rights anywhere without going through SSO.
- Incident Response: Any time anything security relevant happens, make a private Slack channel named for the incident and document your response.
- Access Reviews: You could hold a monthly meeting, recorded in a spreadsheet or whatever, reviewing everyone’s access (hopefully this is just a walk of your SSO config and IAM role permissions).
- An SSH CA: The cool kids use CAs instead of ad-hoc SSH keypairs to gate access to servers. This generates evidence, demonstrates control, and streamlines engineering.
- Host Hardening: You should harden your hosts, set up auditd or EBPF perf events, and tune up a seccomp-bpf profile.
Things to not do: IDS/IPS, firewalls, WAFs, endpoint protection and AV, DLP, threat feeds, and risk management platforms.
Psst! If you’ve read to the end and still haven’t signed the petitions to protect encryption and free speech online, please consider doing so now:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!Cheers,