Hey there,
I hope you've been doing well!
Sponsor Slots Filled Through 2020!
Whoa! tl;dr sec is sponsored all the way through the rest of 2020, and even a bit into 2021!
I'm incredibly honored and humbled by this. A big thank you to all of the sponsors, and an even bigger thank you to you, dear reader.
Hearing from people that they find tl;dr sec useful or that they've put some of the tools and ideas to good use makes all the work worth it, and puts a spring in my step. Or maybe that's me limping. Either way, it feels good.
The Social Dilemma
Like everyone and their cousin (who works in tech), I watched The Social Dilemma (trailer).
In a nutshell, it's a set of interviews with a bunch of OG senior tech people from popular social media platforms (Facebook, Youtube, Twitter, Instagram, etc.) who created many of the now common UX tricks to maximize engagement and user growth, woven in with an overarching narrative and reflections.
I thought the movie did a surprisingly good job at explaining technical topics to a non technical audience, and somehow making interviews with a bunch of nerds engaging.
(paraphrased) On one side of the screen there's you, a human whose brain largely hasn't changed in thousands of years. On the other side, there's an advanced AI composed of thousands of servers constantly learning and improving their model of you, by watching your every scroll, click, and behavior. Who do you think is going to win in that fight?
It's been interesting to see so many representations of the tech industry in media: The Social Network, Silicon Valley, Steve Jobs movies, Theranos, etc.
I hope that one day I can burn enough bridges and make enough powerful enemies that my life also gets made into a trendy movie (Netflix, you know how to reach me).
Sponsor
Jobs @ Praetorian
If you are modest about your extraordinary brilliance, Praetorian is hiring. Their team is comprised of some of the world's brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc's Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.
In this newsletter...
Links:
- AppSec: Finding C-type bugs in memory safe languages, find bugs by looking for dangerous words in source code, code scanning on GitHub
- Web Security: HTTP desync attacks in the wild and how to defend against them, sending arbitrary MDM commands via HTTP request smuggling, tool to test for HTTP request smuggling/desync vulnerabilities, Cloudflare's write-up on a massive DDoS attempt, JWT security anti-patterns and best practices, updated IETF draft on OAuth 2.0 security best practices
- Cloud Security: Write-up of some complex authentication bugs in Vault
- Blue Team: Autodeploy a Windows Domain RDP honeypot, Salesforce policy deviation checker, fingerprinting exploit developers by their work, detection as code
- Hardware: List of hardware and IoT security tools
- Red Team: An overview of the various Metasploit components
- Politics / Privacy: Academic study of the manipulative tactics used in campaign emails requesting donations
- Misc: "Smart" bluetooth male chastity belt is totally secure, Grocery Store Argument: The Musical
AppSec
Now you C me, now you don't: An introduction to the hidden attack surface of interpreted languages
Just because you're using an interpreted language doesn't mean you're safe from memory safety issues: the interpreter itself is native code, and bugs in it are reachable from "safe" scripts. Bas Alberts describes the attack surface of targeting interpreters, and gives three case studies: Perl format strings, deserialization in PHP, and Python's socket.recvfrom_into.
How to Find Vulnerabilities in Code: Bad Words
Will Butler describes an underrated technique for finding serious security vulnerabilities in code: grepping for words that "sound dangerous." I and others found this surprisingly effective as security consultants. Examples include: raw, eval, permission, insecure, and more.
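The technique is simple enough to script. Here is an added example (mine, not from Will Butler's post) of a small "bad words" scanner: it tokenises each source line, splits identifiers on snake_case and camelCase so that getRawBody is flagged for "raw" while crawl is not, and reports every hit with the reason the word is on the list. The word list (the post's four examples plus a few I added), the rationales and the sample source are all constructed for this example.

```python
"""Added example (not from Will Butler's post): a tiny "bad words" scanner.
It tokenises each source line, splits identifiers on snake_case and camelCase,
and reports lines containing words that tend to sit next to risky code.
The word list, the rationales and the sample source are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed list: the first four come from the post's examples, the rest are
# added here. Tune it per codebase; the point is cheap triage, not precision.
BAD_WORDS: Dict[str, str] = {
    "raw": "unescaped data (raw SQL, raw HTML, raw bytes)",
    "eval": "dynamic code execution",
    "permission": "authorization decision",
    "insecure": "the author already knew this was risky",
    "exec": "dynamic code or process execution",
    "unsafe": "the author already knew this was risky",
    "todo": "unfinished logic, often inside a security check",
    "pickle": "native deserialization of untrusted input",
}

_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Splits camelCase / PascalCase / ACRONYMWord into parts: getRawBody -> get, Raw, Body
_CAMEL_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|[0-9]+")


def split_identifier(ident: str) -> List[str]:
    """Lower-cased word parts of an identifier: InsecureSkipVerify -> insecure, skip, verify."""
    parts: List[str] = []
    for piece in ident.split("_"):
        parts.extend(m.group(0).lower() for m in _CAMEL_RE.finditer(piece))
    return parts


def scan_source(text: str, filename: str = "<input>") -> List[Tuple[str, int, str, str]]:
    """Return (filename, line_no, bad_word, line) for every bad word on each line.

    Matching on identifier parts means 'crawl' does not trip 'raw', while
    'getRawBody' and a comment saying 'insecure' both get reported."""
    hits: List[Tuple[str, int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        found = set()
        for token in _TOKEN_RE.findall(line):
            for part in split_identifier(token):
                if part in BAD_WORDS:
                    found.add(part)
        for word in sorted(found):
            hits.append((filename, line_no, word, line.strip()))
    return hits


# Constructed sample input, not real project code.
SAMPLE_SOURCE = """\
def render(user_input):
    # TODO: escape this, it is insecure as-is
    html = getRawBody(user_input)
    return eval(html)

def crawl(site):
    return fetch(site)
"""

if __name__ == "__main__":
    for filename, line_no, word, line in scan_source(SAMPLE_SOURCE, "app.py"):
        print(f"{filename}:{line_no}: [{word}] {BAD_WORDS[word]}\n    {line}")
```

Run it over a real tree with something like `scan_source(open(path).read(), path)` per file and sort the hits by word; the list is deliberately noisy, so the value is in reading the flagged lines in context, not in the raw count.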
GitHub: Code scanning is now available!
CodeQL / Semmle is now generally available on GitHub. In another blog post, GitHub also announced a number of third-party static analysis and developer security training GitHub Actions and Apps available on the GitHub Marketplace. It'll be interesting to see how GitHub handles third-party SAST tools, given that they compete with CodeQL, and whether they'll have to pay an Apple App Store-esque extortion market fee.
Web Security
HTTP Desync Attacks in the Wild and How to Defend Against Them
Imperva describes several types of HTTP desync attacks they've observed in practice and several defenses they've implemented to protect against them.
The Powerful HTTP Request Smuggling
Detailed write-up on how Ricardo Iramar dos Santos was able to exploit HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them, for a private bug bounty program.
defparam/smuggler
An HTTP Request Smuggling / Desync testing tool written in Python 3 by Evan Custodio.
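To make the desync mechanism behind the three items above concrete, here is an added example (mine, not code from Imperva, the bug bounty write-up, or the smuggler tool). It models the classic CL.TE case as two framing parsers over the same byte stream: one splits requests by Content-Length, as a front end that ignores chunked encoding would, the other by Transfer-Encoding: chunked, as the back end would. The attacker's 6-byte body "0\r\n\r\nG" is a complete chunked body plus one stray byte, so the back end leaves "G" in its buffer and prepends it to the next request on the connection. The host name and both requests are constructed for the example.

```python
"""Added example (not from the Imperva post, the bug bounty write-up, or the
smuggler tool): the classic CL.TE desync, shown as two framing parsers. One
frames the byte stream by Content-Length (a front end), the other by
Transfer-Encoding: chunked (a back end). The same bytes yield different
request boundaries, so the stray byte "G" from the first request is prepended
to the next request on the back end. Host names and requests are constructed."""
from typing import Dict, List, Tuple

Frame = Tuple[bytes, bytes]  # (request line, body)


def _parse_head(stream: bytes, pos: int) -> Tuple[bytes, Dict[bytes, bytes], int]:
    """Return (request line, lower-cased headers, offset of body start)."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body; return (body, offset just past the terminator)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # last chunk: skip the (empty) trailer section's final CRLF
            return body, stream.index(b"\r\n", pos) + 2
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frames_by_content_length(stream: bytes) -> List[Frame]:
    """How a server that honours only Content-Length splits the stream."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        request_line, headers, body_start = _parse_head(stream, pos)
        length = int(headers.get(b"content-length", b"0"))
        frames.append((request_line, stream[body_start:body_start + length]))
        pos = body_start + length
    return frames


def frames_by_transfer_encoding(stream: bytes) -> List[Frame]:
    """How a server that prefers Transfer-Encoding: chunked splits the stream."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        request_line, headers, body_start = _parse_head(stream, pos)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _read_chunked(stream, body_start)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, pos = stream[body_start:body_start + length], body_start + length
        frames.append((request_line, body))
    return frames


def is_desynced(stream: bytes) -> bool:
    """True when the two framings disagree about where requests begin."""
    cl = [f[0] for f in frames_by_content_length(stream)]
    te = [f[0] for f in frames_by_transfer_encoding(stream)]
    return cl != te


def has_ambiguous_framing(stream: bytes) -> bool:
    """Defensive check: a request carrying both headers should be rejected at the edge."""
    _, headers, _ = _parse_head(stream, 0)
    return b"content-length" in headers and b"transfer-encoding" in headers


# Constructed traffic. The attacker's body is exactly 6 bytes: "0\r\n\r\nG".
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)
VICTIM_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST

if __name__ == "__main__":
    print("front end (CL):", [f[0] for f in frames_by_content_length(STREAM)])
    print("back end  (TE):", [f[0] for f in frames_by_transfer_encoding(STREAM)])
    print("desynced:", is_desynced(STREAM), "ambiguous:", has_ambiguous_framing(STREAM))
```

The front end sees two well-formed requests; the back end sees the victim's request line as "GPOST /search HTTP/1.1". Real tooling such as smuggler cannot read the back end's buffer, so it infers the same disagreement from timing and response differences; the defensive check at the end is the simple edge rule of refusing any request that carries both Content-Length and Transfer-Encoding.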
The DDoS That Almost Broke the Internet
Rather than attacking our (Cloudflare) customers directly, they started going after the network providers CloudFlare uses for bandwidth.
Anycast means that if the attacker attacked the last step in the traceroute then their attack would be spread across CloudFlare's worldwide network, so instead they attacked the second to last step which concentrated the attack on one single point. This wouldn't cause a network-wide outage, but it could potentially cause regional problems.
JWT (in)security
Great overview of common JWT issues and how to use JWTs safely, by Michał Sajdak.
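One of the classic JWT issues is a verifier that lets the token's own "alg" header decide how it is checked, so an attacker can submit alg=none with an empty signature. As an added example (mine, not code from Michał Sajdak's article), here is that vulnerable verifier next to one that pins the expected algorithm; HS256 is done with the standard library so the block runs offline, and the key and claims are constructed.

```python
"""Added example (not from Michał Sajdak's article): one of the classic JWT
mistakes, letting the token's own "alg" header decide how it is verified, next
to a verifier that pins the algorithm. HS256 is implemented with the standard
library so the block runs offline; the key and claims are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issue a legitimate HS256 token."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(claims: Dict[str, Any]) -> str:
    """What an attacker submits: arbitrary claims, alg=none, empty signature."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(claims) + "."


def verify_trusting_header(token: str, key: bytes) -> Dict[str, Any]:
    """Vulnerable: the token picks the algorithm, so 'none' disables the check."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(p))  # no signature check at all
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    raise ValueError("bad token")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Dict[str, Any]:
    """Hardened: the verifier decides the algorithm; anything else is rejected
    before the signature is even looked at."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def accepted(verifier, token: str, key: bytes) -> bool:
    """Did the verifier accept the token?"""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the example

if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("trusting header accepts forged token:", accepted(verify_trusting_header, forged, KEY))
    print("pinned verifier accepts forged token: ", accepted(verify_pinned, forged, KEY))
```

The same pinning idea applies when a service accepts asymmetric tokens: decide server-side that only RS256 (or only HS256) is acceptable and pass that to the library, rather than handing the library whatever the header says.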

OAuth 2.0 Security Best Current Practice
Updated working document from the Internet Engineering Task Force (IETF)
describing security best practices for OAuth 2.0. "It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0."
Cloud Security
Enter the Vault: Authentication Issues in HashiCorp Vault
Two serious bugs in Vault's aws and gcp authentication methods, by Project Zero's Felix Wilhelm.
In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play. Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.
Blue Team
tothi/ad-honeypot-autodeploy
By @an0n_r0: Deploy a small, intentionally insecure, vulnerable Windows Domain as an RDP Honeypot fully automatically.
nccgroup/SFPolDevChk
Salesforce policy deviation checker by NCC Group's Jerome Smith. The tool reveals which Profiles have become desynchronised from Organization level policies, and reviews each one's password policies and session settings to highlight any deviations from those set at the Organization level.
Graphology of an Exploit - Hunting for exploits by looking for the author's fingerprints
Fascinating blog post by Check Point's Itay Cohen and Eyal Itkin in which they differentiate between the people writing malware and those developing the exploits malware uses, and fingerprint two exploit developers. The post analyzes the exploit authors' clientele, how they improve technically over time, and more.

There is also much to learn by looking at these exploit authors' clientele. The list of Volodya's clients is diverse and includes banker trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started from cyber-crime and later shifted to cyber-espionage). Interestingly, we can see that Volodya's 0-days are more likely to be sold to APT groups while 1-days are purchased by multiple crimeware groups. Without further intel, we can only assume that once a 0-day is detected by the security industry, the exploit is then recycled and sold at a lower price as a non-exclusive 1-day.
The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house. This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.
While the earlier Volodya exploits were sold as source code to be embedded in the malware, the later exploits were sold as an external utility that accepts a certain API. This change can suggest that Volodya is taking more precautions.
Moreover, the code of the exploits became more modular, as large functions were split into smaller sub-routines. Also, their technique to search and access specific offsets in various structs was also improved and in recent implementations it became more dynamic and safe, as it better-handled changes in minor versions of Windows.
Our research methodology was to fingerprint an exploit writerâs characteristics and later on use these properties as a unique hunting signature. We deployed this technique twice when tracking down Volodyaâs exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers.
Can We Have "Detection as Code"?
Anton Chuvakin makes the case for making detection logic automated, systematic, repeatable, predictable, and shareable.
- Detection content versioning: understand what specific rule or model triggered an alert, even in the past.
- Proper "QA" for detection content: test for broken alerts (e.g. those that never fire, false positives/negatives) and gaps in detection overall.
- Content (code) reuse and modularity of detection content: rules, signatures, analytics, algorithms, etc.
- Cross-vendor content: e.g. Sigma, YARA, YARA-L
- Cross-tool detection content: e.g. looking for a hash in EDR data and also in NDR; and in logs as well.
- Metrics and improvement: Get better over time
- Goal: build a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in various product(s).
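What the first three bullets look like in practice, as an added example (mine, not code from Anton Chuvakin's post): a detection rule kept as versioned data whose content hash travels with every alert, a small evaluator, and a QA harness that fails a rule when it misses its own known-bad sample or fires on known-benign events. The rule shape is Sigma-like but simplified, and the rules, field names and process-creation events are constructed for the example.

```python
"""Added example (not from Anton Chuvakin's post) of "detection as code": a
rule kept as versioned, hashable data; an evaluator; and a QA harness that
flags rules that never fire on their own positive samples or that fire on
known-benign events. The rules, fields and sample events are constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Any, Dict, List


@dataclass
class Rule:
    id: str
    title: str
    version: int
    # field -> exact value, or list of acceptable values (Sigma-style selection)
    selection: Dict[str, Any]
    # field -> case-insensitive substring that must appear
    contains: Dict[str, str] = field(default_factory=dict)

    def content_hash(self) -> str:
        """Stable digest of the rule text, so an alert can be traced to the exact
        rule content that fired even after the rule is edited later."""
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()[:12]

    def matches(self, event: Dict[str, Any]) -> bool:
        for name, wanted in self.selection.items():
            allowed = wanted if isinstance(wanted, list) else [wanted]
            if event.get(name) not in allowed:
                return False
        for name, needle in self.contains.items():
            if needle.lower() not in str(event.get(name, "")).lower():
                return False
        return True


def run_rules(rules: List[Rule], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every rule over every event; alerts carry rule id, version and hash."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule.matches(event):
                alerts.append({"rule_id": rule.id, "rule_version": rule.version,
                               "rule_hash": rule.content_hash(), "title": rule.title,
                               "event": event})
    return alerts


def qa_rule(rule: Rule, positives: List[Dict[str, Any]],
            negatives: List[Dict[str, Any]]) -> List[str]:
    """Unit-test a rule against known-bad and known-good samples; empty means pass."""
    findings = []
    if not all(rule.matches(e) for e in positives):
        findings.append(f"{rule.id} v{rule.version}: misses a known-bad sample (broken alert)")
    for e in negatives:
        if rule.matches(e):
            findings.append(f"{rule.id} v{rule.version}: false positive on {e.get('command_line')!r}")
    return findings


# Constructed rule: PowerShell launched with an encoded command.
ENCODED_POWERSHELL = Rule(
    id="proc-001", title="PowerShell launched with an encoded command", version=2,
    selection={"event_type": "process_create", "image": ["powershell.exe", "pwsh.exe"]},
    contains={"command_line": "-enc"},
)
# Constructed broken rule: a typo in the image name means it can never fire.
BROKEN_RULE = Rule(
    id="proc-002", title="PowerShell encoded command (typo, never fires)", version=1,
    selection={"event_type": "process_create", "image": "powershel.exe"},
    contains={"command_line": "-enc"},
)

# Constructed sample events (process-creation telemetry).
EVENTS = [
    {"host": "ws01", "event_type": "process_create", "image": "powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"host": "ws02", "event_type": "process_create", "image": "powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "event_type": "process_create", "image": "cmd.exe",
     "command_line": "cmd.exe /c echo -enc"},
]
KNOWN_BAD, KNOWN_GOOD = EVENTS[:1], EVENTS[1:]

if __name__ == "__main__":
    for rule in (ENCODED_POWERSHELL, BROKEN_RULE):
        print(rule.id, "QA:", qa_rule(rule, KNOWN_BAD, KNOWN_GOOD) or "pass")
    for alert in run_rules([ENCODED_POWERSHELL, BROKEN_RULE], EVENTS):
        print(alert["rule_id"], alert["rule_version"], alert["rule_hash"], alert["event"]["host"])
```

In a pipeline, qa_rule is the CI gate: a rule that cannot match its own positive samples, or that matches the benign corpus, never gets deployed, and the hash in each alert lets you answer "which exact rule text fired" for alerts from months ago.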
Hardware
IoT-PTv/List-of-Tools: List of the tools and usage
A list of various hardware and IoT security tools: firmware reverse engineering,
dynamic analysis, bluetooth, radio assessment, etc.
Red Team
Metasploit - A Walkthrough Of The Powerful Exploitation Framework
Nice overview by Manish Shivanandhan of the various components in Metasploit.
Politics / Privacy
Academic study by Arvind Narayanan et al.
At Princeton CITP, we were concerned by media reports that political candidates use psychological tricks in their emails to get supporters to donate. So we collected 250,000 emails from 3,000 senders from the 2020 U.S. election cycle. Here's what we found. https://electionemails2020.org
Misc
Smart male chastity lock cock-up
A smart Bluetooth male chastity lock - what could go wrong? In a twist that should surprise precisely no one, the API had flaws allowing anyone to remotely lock all devices and prevent users from releasing themselves (removal then requires an angle grinder or similar), and the API also leaks precise user location data, personal info, and private chats. Also, TIL internetofdon.gs exists, a project dedicated to testing the security and privacy of... adult IoT devices.
Grocery Store Argument: The Musical
Twitter thread: A guy records himself dramatically singing in a grocery store,
and then a bunch of other users add themselves to his base video with various
harmonizing parts. Pretty impressive and fun.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler @tldrsec