I hope you've been doing well! Maybe even chill and folksy, like the new T Swift album.
📢 Datadog Security Monitoring
Detect security threats in minutes with Datadog Security Monitoring using 75+ OOTB detection rules and detailed observability data: metrics, traces and logs in one, integrated platform. Learn more by signing up for a live demo with one of their security engineers and receive a Datadog T-shirt.
📜 In this newsletter...🔗 Links:
- AppSec: Something special in the static analysis world, abusing privilege escalation in Salesforce, GitHub's security roadmap, zero knowledge proofs primer, regular expression denial-of-service cheatsheet
- OAuth: Two tools to walk step-by-step through OAuth flows
- Web Security: awesome-web-security repo
- Cloud Security: Detecting persistence via STS tokens, Kafka primer, CIS Amazon EKS benchmark, state of open source Terraform security report
- Network Security: Scan ports fast with Rust
- Red Team: Analyzing custom U-Boot bootloaders, awesome-red-teaming
- Reverse Engineering: Ghidra plugin for visualizing binaries, cross-platform code tracer based on Frida and Capstone
- Politics / Privacy: Tips on spotting deep faked people
- OSINT: rengine: automated reconnaissance framework for gathering info during a web app pen test
- Misc: Notes from a talk by Alan Kay, Markdown OSCP exam report template, use the worst tool for the job, PLTalk notes, reverse threat modeling for attribution, convert your photos to anime characters
Awesome post by Adam Youngberg on how Databricks secures their public S3 buckets, and they've open sourced their solution.
“There’s something truly special happening in the static analysis world”
Neat thread by OWASP ASVS co-author Daniel Cuthbert on how he sees static analysis currently changing, and its future 🚀
Abusing Privilege Escalation in Salesforce
Nitay Bachrach describes how a malicious insider with the permission can escalate their privileges to take over an organization’s Salesforce account and all data within it.
The Regular Expression Denial of Service (ReDoS) cheat-sheet
Great ReDoS overview by Purdue Professor Jamie Davis, including many links to tools and approaches to prevent and detect ReDoS, with bountiful links to other resources to learn more. See also his tool vuln-regex-detector to scan your projects for vulnerable regexes and google/re2 for a fast regex implementation. Also, the re.DEBUG flag can be useful in identifying dangerous nested patterns, H/T Martín Obiols.
Regexper can be used to visualize regexes, and this regex visualizer, simulator and cross-compiler tool by Robert Elder Software is a neat tool that walks you through each step of the match.
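As an added example (not from the newsletter or any of the tools above), here is a small checker that walks the same parse tree re.DEBUG prints and flags the classic catastrophic-backtracking shape: an unbounded quantifier nested inside another one, as in (a+)+ or (\w*)*. It uses Python's internal regex parser (re._parser, formerly sre_parse), which is an implementation detail and may change between versions.

```python
# Added example, not part of the newsletter: a "star height" heuristic for
# ReDoS-prone patterns. It inspects the parse tree that `re.compile(p, re.DEBUG)`
# prints, looking for an unbounded repeat nested inside another unbounded repeat.
try:
    from re import _parser as sre_parse      # Python 3.11+ (internal module)
except ImportError:                          # older interpreters
    import sre_parse

REPEATS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT}


def _walk(subpattern, depth):
    """Return the deepest nesting of unbounded repeats found in `subpattern`."""
    worst = depth
    for op, arg in subpattern:
        if op in REPEATS:
            _lo, hi, body = arg
            # Only an unbounded repeat (*, +, {n,}) can blow up; {0,3} cannot.
            inner = depth + 1 if hi == sre_parse.MAXREPEAT else depth
            worst = max(worst, _walk(body, inner))
        elif op == sre_parse.SUBPATTERN:       # (...) or (?:...): body is last item
            worst = max(worst, _walk(arg[-1], depth))
        elif op == sre_parse.BRANCH:           # a|b: arg is (None, [alt, alt, ...])
            for alt in arg[1]:
                worst = max(worst, _walk(alt, depth))
        elif op in (sre_parse.ASSERT, sre_parse.ASSERT_NOT):  # lookaround bodies
            worst = max(worst, _walk(arg[1], depth))
    return worst


def star_height(pattern):
    """Maximum depth of nested unbounded quantifiers in `pattern` (0 if none)."""
    return _walk(sre_parse.parse(pattern), 0)


def is_suspicious(pattern):
    """True when an unbounded repeat sits inside another unbounded repeat.

    This is a heuristic: it catches (a+)+ and (\\w*)* but not overlapping
    alternations such as (a|aa)+, which the tools linked above also test for.
    """
    return star_height(pattern) >= 2


if __name__ == "__main__":
    for p in (r"^(a+)+$", r"^\w+@\w+\.\w+$", r"^(a|aa)+$"):
        print(f"{p!r}: star height {star_height(p)}, suspicious={is_suspicious(p)}")
```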
Introducing the OAuth 2.0 Flow Simulator
Nifty web app by Philippe De Ryck that allows you to walk through OAuth 2.0 and OpenID Connect flows step-by-step, making backchannel requests visible, and showing frontchannel requests without you needing to dig through your browser’s developer tools.
OAuth 2.0 Playground
Similarly, helps you understand the OAuth authorization flows and shows each step of the process of obtaining an access token. Choose from several potential OAuth flows: authorization code, PKCE, implicit, device code, or OpenID Connect.
New tool detects AWS intrusions where hackers abuse self-replicating tokens
CyberArk and NetSPI have found that some attackers are now sneakily hiding their persistence by using the AWS Security Token Service (STS) to continually create short-lived tokens they can use. Omer Tsarfati has open sourced SkyWrapper, a tool that generates a spreadsheet that lists all the currently active temporary tokens and the access keys that were used to create them.
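The same relationship SkyWrapper tabulates (which access key minted which temporary token) can be pulled from CloudTrail. The following is an added example, not SkyWrapper's code: it links STS minting events by caller key and minted key and reports every temporary key (ASIA...) that was itself created by a temporary key, i.e. the self-replicating chains described above. The records are constructed; their field layout follows CloudTrail's userIdentity/responseElements shape as I understand it, so treat that as an assumption.

```python
# Added example (not from the article or SkyWrapper): flag STS temporary
# credentials minted by other temporary credentials using CloudTrail records.
MINTING_EVENTS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}

# Constructed CloudTrail records (trimmed to the fields we use). The chain
# AKIA0000ROOT -> ASIA0000GEN1 -> ASIA0000GEN2 -> ASIA0000GEN3 mimics an
# attacker refreshing their foothold; AKIA0000DEV1 -> ASIA0000DEV2 is routine.
SAMPLE_RECORDS = [
    {"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIA0000ROOT"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA0000GEN1"}}},
    {"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "ASIA0000GEN1"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA0000GEN2"}}},
    {"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "ASIA0000GEN2"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA0000GEN3"}}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev", "accessKeyId": "AKIA0000DEV1"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA0000DEV2"}}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev", "accessKeyId": "ASIA0000DEV2"},
     "responseElements": None},
]


def parent_keys(records):
    """Map each minted temporary access key to the access key that requested it."""
    parent = {}
    for rec in records:
        if rec.get("eventName") not in MINTING_EVENTS:
            continue
        caller = (rec.get("userIdentity") or {}).get("accessKeyId")
        minted = ((rec.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId")
        if caller and minted:
            parent[minted] = caller
    return parent


def find_token_chains(records):
    """Return {temp_key: [temp_key, its parent, ..., originating key]} for every
    temporary key that was minted by another temporary key. Role chaining is
    legitimate in many environments, so treat the result as a triage list,
    not a verdict; unusually long or continually renewed chains are the signal."""
    parent = parent_keys(records)
    chains = {}
    for key, creator in parent.items():
        if not creator.startswith("ASIA"):
            continue
        chain, seen = [key], {key}
        while chain[-1] in parent and parent[chain[-1]] not in seen:
            chain.append(parent[chain[-1]])
            seen.add(chain[-1])
        chains[key] = chain
    return chains
```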
Introducing The CIS Amazon EKS Benchmark
The CIS Amazon EKS Benchmark consists of four sections on control plane logging configuration, node security configurations, policies and managed services. See also CIS EKS Benchmark Assessment Using
Introducing the State of Open Source Terraform Security Report
Bridgecrew scanned all 2.6K modules in the public Terraform Registry using their open source tool, checkov, which currently contains 300 compliance and security checks across AWS, Azure, and Google Cloud.
Sinking U-Boots with Depthcharge
Depthcharge by Jon Szymaniak is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality.
List of red teaming resources by @yeyint_mth covering initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, command and control, device hacking, red team gadgets, ebooks, training, and certs.
Battelle Publishes Open Source Binary Visualization Tool
The newly released CantorDust Ghidra plugin enables the rapid visualization of unknown binary data, reducing the burden on digital forensics and reverse engineering teams.
“Self-optimizing cross-platform code tracer based on dynamic recompilation, powered by Frida and Capstone. Works at the machine code level, no source code needed. Tags threads based on which APIs they use, showing you in real-time what functions have been called, allowing you to study them by carefully injecting logging and other side-effecty code.”
Politics / Privacy
An automated reconnaissance framework meant for gathering information during a web app pen test, by Yogesh Ojha. reNgine has customizable scan engines, which can be used to scan websites, endpoints, and gather info.
The best way to predict the future is to invent it.
Magnetic Fields: Find a central metaphor that’s so good that everything aligns to it. Design meetings are no longer necessary, it designs itself. The metaphor should be crisp and fun.
Turn up your nose at good ideas. You must work on great ideas, not good ones.
Better is the enemy of best
Relative judgements have no place in art
Systems programmers are high priests of a low cult
Point of view is worth 80 IQ points
Good ideas don’t often scale
Final advice: Content over form, go for fun.
If you need a tool, buy the cheapest one you can find. If it’s inadequate, or breaks, or you use it a lot, then buy the best one you can afford.
If you follow this strategy, you’ll sometimes waste a little money by buying a cheap tool before buying a good one. But you won’t waste money buying expensive tools that you rarely use. And you won’t waste money by buying a sequence of incrementally better tools until you finally buy a good one.
Refinement Types and Program Synthesis, Featuring Nadia Polikarpova
Last week I wrote a summary of a new Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible. This week I was thrilled to see that my friend Quinn Wilton has started a newsletter where she will be summarizing the PLTalk videos.
The first step is to have a solid asset inventory (which I think is so important, I included it as one of my 3 “fundamentals” in my most recent scaling security talk, along with vulnerability management and continuous scanning): determine all public S3 buckets. This can be done with Lyft’s Cartography tool or the commercial JupiterOne.
Do we have non-public files in intentionally public buckets?
For this, they repurpose Níels Ingi’s YAR tool, except instead of scanning GitHub repos for secrets, they spin up EC2 instances, synchronize the bucket contents, and scan them with YAR + additional patterns specific to their secrets.
Keeping buckets from becoming unintentionally public
They leverage Cloud Custodian, a real-time cloud security, governance, and management tool that uses AWS Lambda functions and CloudWatch events to detect changes to configuration.
They added a Cloud Custodian policy to automatically enable AWS public access blocks for buckets exposed publicly through any access control lists (ACLs).
If dev teams want an exception, they must follow an internal policy and process for intentionally public buckets that requires this functionality to remain disabled.
In short: they use JupiterOne for alerting on publicly accessible buckets, and Cloud Custodian for enforcement.
What if non public data gets later added to existing public buckets?
It’s not enough to evaluate at a point in time whether the contents of a public bucket are safe; ideally you want real-time alerting if this were to ever change in the future.
Any time bucket objects are created or updated, an S3 event is triggered that goes to an SQS queue. Lambda functions then process these events, inspecting each file for secrets using pattern matching similar to the YAR method.
If any matches are found, the output is sent to an alert queue, which the security team receives results from in near real-time.
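To make the S3 → SQS → Lambda step concrete, here is an added example of the scanning core (my illustration, not Databricks' code): it parses the S3 event notification an SQS message carries, scans each named object against a few YAR-style patterns, and returns alert records that name the pattern and line but never the secret itself. The notification, object bodies and patterns are constructed; the object fetch is a stand-in for a real S3 read so the example runs offline.

```python
# Added example, not Databricks' implementation: Lambda-style secret scan of
# S3 objects named in an SQS-delivered S3 event notification.
import json
import re
from urllib.parse import unquote_plus

# A few YAR-style patterns (constructed; extend with patterns for your own secrets).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}

# Constructed SQS message whose body is an S3 event notification (keys are URL-encoded there).
SQS_MESSAGE = {"body": json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "public-downloads"}, "object": {"key": "build/.env"}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "public-downloads"}, "object": {"key": "docs/README.md"}}},
]})}

# Constructed object contents standing in for s3.get_object(); AKIA value is a fake key ID.
FAKE_OBJECTS = {
    ("public-downloads", "build/.env"): "AWS_ACCESS_KEY_ID=AKIAEXAMPLE123456789\nDEBUG=true\n",
    ("public-downloads", "docs/README.md"): "# Downloads\nNothing secret here.\n",
}


def scan_text(text):
    """Return (pattern_name, line_number) for every line a secret pattern matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def handle_sqs_message(message, fetch=FAKE_OBJECTS.get):
    """Parse S3 records from the SQS body, scan each object, return alert dicts.

    `fetch((bucket, key))` returns the object text or None; in a real Lambda
    it would wrap boto3's get_object and the alerts would go to the alert queue."""
    alerts = []
    for rec in json.loads(message["body"]).get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        body = fetch((bucket, key))
        for name, lineno in scan_text(body or ""):
            alerts.append({"bucket": bucket, "key": key, "pattern": name, "line": lineno})
    return alerts
```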
Making this work in the Real World
So far, technically, this approach sounds great.
But there are important things about rolling out changes like this that are crucial to getting buy-in in your company, that the post and repo also address, which is what takes this post from “oh this is cool” to 🔥🔥 (yes, the elusive double fire).
- How do you address ownership and dependencies between resources?
- And how do you message these changes to the rest of the org?
The repo includes email templates, both for leadership as well as for a broader audience, about the Cloud Custodian public access block and owner tag enforcement.
Nailing the workflow/process and communicating the changes to the rest of your company are key, so the fact that the post and repo share details about these components is 👌 in my book.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading! Cheers,