Hey there,
I hope you've been doing well!
Baking, En Quarantine
Like everyone, I've been experimenting with making some new things whilst confined to my spacious one bedroom apartment.
One of the easier sets of experiments has been variations on “mug cakes,” which are essentially putting some flour, sugar, cocoa powder, and whatever else you want into a mug, and then microwaving it. Yup, I'm fancy like that.
Here are some things I've tried:
- Oats and peanut butter - pretty good, made it fairly chewy.
- Chunks of cookie dough inside - delicious buried treasure.
- Sea salt on top - a nice touch.
- Whole wheat flour - trick yourself into thinking you're being healthy.
- Mochi rice flour - interesting, chewy texture.
- Closing your eyes and feeling like you're in Saison - priceless.
Sponsor
Sr Security Partner @ Netflix
Netflix is looking for an Infrastructure & Systems Security engineer to join the Appsec partnerships team. In this role, you will partner closely with engineering teams building infrastructure solutions for streaming and studio use cases, including Netflix's global CDN and virtual workstations for Netflix's studio.
Feel free to reach out to Astha Singhal on LinkedIn or Twitter with any questions about the role.
Apply now! You can learn more about how the Netflix partnership team supports dev teams from Scott Behrens and Esha Kanekar's AppSec Cali 2019 talk, “A Pragmatic Approach for Internal Security Partnerships”, which I've written a summary of here.
In this newsletter...
Links:
- AppSec: Play DEF CON CTF challenges, OWASP project to find secrets checked into version control
- Web Security: AMA with Burp Suite creator Dafydd Stuttard, bypass CSP via JS in a PNG
- Towards native security defenses for the web ecosystem: An overview of four new web security mechanisms
- Cloud Security: Mitigating DDoS attacks on Lambdas, IR in the cloud
- Container Security: 12 container image scanning best practices, container breakouts
- Blue Team: Procmon for Linux
- Politics / Privacy: UK tells Huawei GTFO and mind the gap, Russian spies target COVID-19 research, mishandling COVID-19 and discouraging international students could have long lasting economic impact, have celebs dissuade your conspiracy believing uncle, automation is coming for millions of jobs, a searchable map of surveillance tech deployed by police
- Explain Why You're Asking Your Team to Do Something: Ask in a way that's more likely to get buy-in
- Misc: Dark web price index, strong reject academic memes, a collection of bite-sized nuggets of wisdom, have GPT-3 write your JSX, how McKinsey is making $$$ due to U.S. government's coronafails
Learn about using formal methods in the Real World (no, not the TV show. Though that would be an awesome spin-off).
AppSec
./ OOO archive | DEF CON CTF
A live, playable archive of DEF CON CTF challenges by Order of the Overflow.
OWASP Sensitive Enterprise Data Analyzer To Eliminate Disclosure
Integrates with git to scan for secrets being pushed. Interestingly, its regexes appear to overlap with truffleHog's, but not exactly. Seems like there should be some consolidation in regex-based tools to find secrets, but 🤷
Web Security
Ask me anything, with Burp Suite creator Dafydd Stuttard
Some interesting history about Burp Suite and the founding of Portswigger. Fun facts include: Burp was the first tool Daf ever wrote in Java, he did a PhD in philosophy and thought he might go into academia, and more.
How To Bypass CSP By Hiding JavaScript In A PNG Image
“Using HTML Canvas you can hide any JavaScript code (or an entire library) into a PNG image by converting each source code character into a pixel. The image can then be uploaded onto a trusted website like Twitter or Google (usually whitelisted by CSP) and then loaded as a remote image in an HTML document. Finally, by using the canvas getImageData method, it's possible to extract the ‘hidden JavaScript’ from the image and execute it.”
Towards native security defenses for the web ecosystem
Blog post by Google information security engineers Artur Janc and Lukas Weichselbaum on new web security mechanisms, specifically around injection vulnerabilities and isolation capabilities.
The root cause of injection vulnerabilities like XSS (and SQL injection, command injection, etc.) is the mixing of code and data. Web apps can separate data from code using two new security features:
- Trusted Types “make JavaScript code safe-by-default by restricting risky operations, such as generating HTML or creating scripts, to require a special object – a Trusted Type. The browser will ensure that any use of dangerous DOM functions is allowed only if the right object is provided to the function.” Done properly, this can prevent all DOM-based XSS.
- Content Security Policy based on script nonces - the random nonce attribute on each script the server emits ensures that even if an attacker is able to inject a script into the page, the browser will refuse to execute it (the injected script cannot know the per-response nonce), preventing reflected and stored XSS.
These protections can be implemented with the following headers:
Content-Security-Policy: require-trusted-types-for 'script'; report-uri /report
Content-Security-Policy: script-src 'nonce-{randomValue}'; object-src 'none'; base-uri 'none'
New isolation capabilities include:
- Fetch Metadata Request Headers - These provide trustworthy info about the source of requests (e.g. same-site, cross-site), whether it's a navigation or resource request, and more. This allows the web server to apply security policies before processing the request, preventing vulnerabilities like CSRF or web-based info leaks (XS-leaks).
- Cross-Origin Opener Policy (COOP) - “By default, the web permits some interactions with browser windows belonging to another application: any site can open a pop-up to your webmail client and send it messages via the postMessage API, navigate it to another URL, or obtain information about its frames.” COOP allows you to lock down your app to prevent such interactions.
For more info, see the Securing Web Apps with Modern Platform Features Google I/O talk: slides, video.
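To make the Fetch Metadata idea concrete, here is an added example (my own Node.js code, not from the Google post) of a server-side resource isolation policy that inspects the Sec-Fetch-* headers before any application logic runs, alongside the COOP header value; the sample requests are constructed and the header names are lower-cased as Node's http module delivers them.

```javascript
// Added example (not code from the Google post): a resource isolation policy
// driven by Fetch Metadata request headers, plus the COOP header the post describes.

const COOP_HEADER = { 'Cross-Origin-Opener-Policy': 'same-origin' };

function isRequestAllowed(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata support send no Sec-Fetch-* headers at all;
  // the policy cannot judge those requests, so it lets them through.
  if (site === undefined) return true;

  // Same-origin, same-site and user-initiated ('none') requests are trusted.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // Cross-site top-level GET navigations keep links to the site working, except
  // when the destination is a plugin (object/embed), which could read the response.
  if (mode === 'navigate' && req.method === 'GET' && dest !== 'object' && dest !== 'embed') return true;

  // Everything else (cross-site POSTs, cross-site <img>/<script>/fetch loads) is
  // rejected, e.g. with HTTP 403, before application code runs: that is what
  // blocks CSRF and XS-leak style resource loads.
  return false;
}

// Constructed sample requests, one per branch of the policy.
function sample(method, site, mode, dest) {
  const headers = site === undefined ? {} : { 'sec-fetch-site': site, 'sec-fetch-mode': mode, 'sec-fetch-dest': dest };
  return { method, headers };
}
const SAMPLE_REQUESTS = {
  legacyBrowser: sample('GET'),
  sameOriginFetch: sample('POST', 'same-origin', 'cors', 'empty'),
  crossSiteNavigation: sample('GET', 'cross-site', 'navigate', 'document'),
  csrfFormPost: sample('POST', 'cross-site', 'navigate', 'document'),
  crossSiteImageLeak: sample('GET', 'cross-site', 'no-cors', 'image'),
  crossSiteEmbed: sample('GET', 'cross-site', 'navigate', 'embed'),
};

function evaluateSamples() {
  // Returns { sampleName: allowed } for every constructed request above.
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) out[name] = isRequestAllowed(req);
  return out;
}
```

Only the legacy-browser request, the same-origin fetch and the cross-site link navigation pass; the cross-site form POST, image load and embed are all rejected.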
Cloud Security
AWS Lambda Abuse
@luminousmen describes how to minimize the damage of DDoS attacks on your AWS Lambdas.
- Make sure your code doesn't hang on bad inputs (e.g. ReDoS or long payloads).
- Set up billing alerts.
- You can set concurrency levels on a per-function basis.
- Using SQS as a broker for your Lambda function lets you batch process multiple events at a time.
- Use a CDN like CloudFront, or use AWS WAF.
- For internal apps, require an API key to hit API Gateway.
- Use the API Gateway usage plans (e.g. “Token Bucket” model).
Incident Response in the Cloud
Ollie Green discusses the IR phases (preparation, identification, triage, investigation, containment, recovery, and lessons learned) and highlights some of the key differences between “traditional” IR and Cloud IR.
Container Security
12 Container image scanning best practices to adopt in production
- Bake image scanning into your CI/CD pipelines
- Adopt inline scanning to keep control of your privacy (only scan metadata sent to the scanning tool)
- Perform image scanning at registries
- Leverage Kubernetes admission controllers
- Pin your image versions
- Scan for OS vulnerabilities
- Make use of distroless images
- Scan for vulnerabilities in third-party libraries
- Optimize layer ordering
- Scan for misconfigurations in your Dockerfile
- Flag vulnerabilities in services already deployed and running in Kubernetes
Container Breakouts - Part 1: Access to root directory of the Host
First of a series of posts by Jan Harrie on container breakout techniques. Future posts will cover privileged containers and having access to the Docker socket.
I've collected links to a few tools that test container environments for common breakout bad practices here.
Blue Team
microsoft/ProcMon-for-Linux
This week in “Things I Never Thought I'd See,” Microsoft releases Process Monitor (Procmon) for Linux, a convenient way for Linux developers to trace the syscall activity on their system.
Politics / Privacy
Huawei 5G kit must be removed from UK by 2027 - BBC News
Coronavirus: Russian spies target Covid-19 vaccine research
As I imagine China is doing as well. The first country to create a vaccine will get a nice PR boost.
America's Innovation Engine Is Slowing
Between handling COVID-19 poorly and setting policies that discourage international students, the U.S. could be damaging its economy for decades. More than half of American startups that became companies valued at $1 billion include immigrants among their founders and top executives, and international students represent 12 percent of public university enrollment but ~28% of total tuition revenue. The problem is that these things compound: smart people go where there are other smart people and opportunities, so if the U.S. stops being that place, it's quite hard to get it back.
The True True Truth
John Oliver got John Cena, Catherine O'Hara, Billy Porter, Paul Rudd, and Alex Trebek to record short messages that you can show to your friends or relatives who believe in conspiracy theories, that encourage them to think critically about the info they encounter, without talking down to them. See also John Oliver's episode on coronavirus conspiracy theories.
More automation is coming, what are we going to do about it?
We are sprinting towards a future where certain classes of jobs, currently employing millions of people, are just not going to exist. And few people are sounding the alarm, other than perhaps Andrew Yang. You can't just “bring back coal” or “break up big tech.” People are costly, and businesses are incentivized to cut costs.
- UiPath raises $225 million to automate repetitive back-office tasks - the details on what it does and how is interesting.
- Verizon's call center will start using Google Cloud's Contact Center AI
EFF: Atlas of Surveillance
A searchable map of surveillance tech deployed by police including body cameras, drones, automated license plate readers, Ring partnerships, facial recognition, cell-site simulators, predictive policing, and more. Data was crowdsourced from volunteers and OSINT over ~2 years.

Explain Why You're Asking Your Team to Do Something
When people know why they're being asked to do something, they're much more likely to do it.
So next time you're preparing to deliver an important message to your team, make sure you're clear on the “why” behind it. Start by asking yourself a few “what” questions, such as: What are the stakes? What will the future look like if we get this done? Next, figure out how to clearly articulate your reasoning. Think about what action you're asking your team to take, and then follow it with a clear, well-practiced explanation.
For example: We need to improve our hiring practices, because our current process isn't attracting a diverse enough pool of candidates.
And be prepared to answer follow-up questions and explain the process that led to the decision. You'll be more persuasive if you share ideas that you considered, explored, tested, and then abandoned. This level of transparency will keep your team motivated to pursue the task at hand.
Misc
Dark Web Price Index 2020
The Privacy Affairs team scanned dark web marketplaces, forums, and websites to create an index of the average prices for a range of specific products. Some interesting stats on prices for credit card data / online banking logins, payment processing services like PayPal, forged documents, social media accounts, malware, and DDoS attacks.
Strong Reject
Apparently there's this meme floating around academia on getting rough peer review. If you've also spent time in academia, you'll probably get a laugh.
“Concepts” by Daniel Miessler
Bite-sized nuggets of wisdom from books, articles, and more covering topics ranging from psychology, to philosophy, reasoning, and more. A super dense and quick way to get exposed to a bunch of interesting ideas.
Describe the Layout You Want -> Autogenerate with GPT-3
Impressive demo by Sharif Shameem of entering text like “a button that looks like a watermelon” or “a button for every color of the rainbow” and it generates JSX code that does it. And here's a video of him describing and then generating the Google home page.
How McKinsey Is Making $100 Million (and Counting) Advising on the Government's Bumbling Coronavirus Response
Welp, good thing the U.S. coronavirus response is going so well.
Here are some fun snippets:
- In April, McKinsey was penalized for refusing to comply with a General Services Administration audit. The firm went over the head of a contracting officer and found a GSA supervisor who was willing to accommodate them and improperly inflated contract prices.
- “The firm effectively sells data it obtains from one government project to other agencies. McKinsey generally retains in its central databases anonymized work product from its engagements, so future consulting teams can get a head start on similar projects.” If the government did the work, they would share it with state and city governments for free.
A single junior consultant, typically a recent college or business school graduate, runs clients $67,500 per week, or $3.5 million annually. For $160,000 per week, you get two consultants, the second one mid-level.
Security consultants be like
PLTalk: Practical Formal Methods with Hillel Wayne
I stumbled across this Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible.
This sort of thing is my jam - listen to some smart people discuss technical topics in approachable ways, covering ideas, tools, and techniques that'll expand your knowledge of what's out there and possible.
This week they were joined by guest Hillel Wayne, where they discussed using formal methods in the real world.
I wrote a summary of the ~1.5 hour video that includes points from the discussion, code snippets from Hillel's live demo, and links to some neat academic papers and related tools.
Also check out this great summary by Leslie Lamport of the paper: Use of Formal Methods at Amazon Web Services.
Or read Jean's comparison of high fashion to programming languages research; and yes, the metaphor fits (and thus sits)!
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler