Hey there,
I hope you've been doing well!
If youâre curious, I wrote a few responses to questions re: my scaling security BSidesSF talk on Reddit, discussing new lessons learned in killing bug classes, visualizing security and dashboards, and new areas/themes on my radar.
Costly Mistakes
One of several reasons I'm glad my job title doesn't have "cloud" in the name. (H/T Jon Hawes)
The power of modern computing - by @tomgauld
— New Scientist (@newscientist) January 4, 2021
More cartoons: https://t.co/M2o5ypJndu pic.twitter.com/p4rObJdLWb
Sponsor
Is your SaaS Security keeping up with your SaaS Adoption?
Enterprises are adopting SaaS faster than ever with Gartner estimating that 95% of new enterprise application purchases will be in the cloud. But most organizations haven't invested similarly in SaaS security. Many don't even have a clear owner when it comes to securing their SaaS platforms. AppOmni can help determine whether your SaaS security is on track. Our risk assessment can determine whether you have exposed data and/or critical vulnerabilities in only 1 hour.
Learn More
In this newsletter...
Links:
- AppSec: Black Hat USA videos released, Netflix Security's Youtube channel, study of secret detection on GitHub, enforcing Golang struct fields are properly initialized
- Cloud Security: Compliance as Code resources, Checkov updates, building securely on AWS as a small team, AWS Well-Architected Labs and tool, JSFiddle but for AWS Step Functions
- Container Security: Leverage Windows 10 Sandbox for arbitrary processes, Helm's 2nd security audit
- Blue Team: Using Windows Service canaries against ransomware
- Red Team: Extracting Python source code from Py2App packed Mach-O binaries, universal loader for Go
- Non-fungible Tokens (NFTs): Overview, why they're a dangerous trap
- Deepfakes: A number of sites/products for creating and detecting them
AppSec
Black Hat USA 2020 Videos Released
Lots of neat talks, including a number on machine learning and influence operations / "Hacking Public Opinion."
YouTube: Netflix Security
Apparently the Netflix Security team has a YouTube channel of all of their talks. Thanks Astha Singhal for the heads up.
The state of Secrets Sprawl on GitHub
Report by GitGuardian, who scans 2.5M public commits a day, almost 1B public commits a year.
- Over 5K secrets detected daily, over 2M in 2020 (+20% compared to 2019).
- 85% of leaks occur on developers' personal repos, 15% within public repos owned by organizations.
- Secret types: ~28% Google keys, ~16% development tools (Django, RapidAPI, Okta), 15% data storage (MySQL, Mongo, ...), 12% other (CRM, crypto, identity provider, payments systems, monitoring), ...
- GitGuardian has a mean time to detect of 4 seconds, developers have a 25 minute median time to react to the alert.
Today's experiment: write a tool to validate that all fields of a particular struct are set during initialization.
— Damian Gryski (@dgryski) March 10, 2021
Spoilers: semgrep + reflect + unit tests
#golang
rules:
  - id: struct-missing-initialized-fields
    # languages is required for semgrep to load a rule; added here, as the
    # snippet as shown omits it
    languages: [go]
    patterns:
      - pattern-either:
          - pattern: |
              foo{...}
      - pattern-not: |
          foo{bar:..., baz:..., zot:...}
    message: |
      struct foo initializer missing fields
    severity: ERROR
/**
 * @kind problem
 * @problem.severity warning
 * @id go/missing-struct-init
 */

import go

from StructLit lit, Field f
where
  f = lit.getType().getField(_) and
  not exists(Write w |
    w.writesField(DataFlow::exprNode(lit).getASuccessor*(), f, _)
  )
select lit, "This literal is missing an assignment to field $@.", f, f.getName()
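As an added example that is not from the tweet, the semgrep rule or the CodeQL query above, here is the "reflect + unit tests" half of that approach: a helper that reports which exported fields a constructor left at their zero value, run against a constructed Config type with one complete constructor and one that forgets a field. Config, NewConfig and BuggyConfig are illustrative names, not from any real project.

```go
package main

import (
	"fmt"
	"reflect"
)

// Config is a constructed sample type. In real code a silently zeroed field
// is often security-relevant: an empty allow-list, a zero timeout, TLS off.
type Config struct {
	ListenAddr   string
	TimeoutSec   int
	AllowedHosts []string
	TLSEnabled   bool
}

// ZeroFields returns the names of exported fields of v that still hold the
// zero value of their type; v must be a struct or a pointer to one. A
// deliberately false bool or 0 int looks the same as a forgotten one, so
// call this from a test that passes non-zero inputs for every field.
func ZeroFields(v interface{}) ([]string, error) {
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Ptr {
		rv = rv.Elem()
	}
	if rv.Kind() != reflect.Struct {
		return nil, fmt.Errorf("expected struct, got %s", rv.Kind())
	}
	var missing []string
	for i := 0; i < rv.NumField(); i++ {
		f := rv.Type().Field(i)
		if f.PkgPath != "" { // unexported field: skip
			continue
		}
		if rv.Field(i).IsZero() {
			missing = append(missing, f.Name)
		}
	}
	return missing, nil
}

// NewConfig sets every field; BuggyConfig forgets AllowedHosts, the omission
// the semgrep and CodeQL rules above are written to catch.
func NewConfig(addr string, timeout int, hosts []string) *Config {
	return &Config{ListenAddr: addr, TimeoutSec: timeout, AllowedHosts: hosts, TLSEnabled: true}
}
func BuggyConfig(addr string, timeout int, hosts []string) *Config {
	return &Config{ListenAddr: addr, TimeoutSec: timeout, TLSEnabled: true}
}
func main() { fmt.Println(ZeroFields(BuggyConfig("127.0.0.1:8443", 30, []string{"a.test"}))) }
```

In a real test suite the assertion is simply that ZeroFields returns an empty slice for every constructor, which fails the build the moment someone adds a field and forgets to wire it through.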
Cloud Security
Compliance as Code
CloudSecDocs page by Marco Lancini covering
a variety of tools and resources, including OPA, static analysis tools for
Terraform, CloudFormation, Docker, and Kubernetes, and Pipeline / Supply Chain
security.
Checkov updates
- Inline IaC scanning and fixes with the Checkov Visual Studio Code extension (requires a valid Bridgecrew API token to invoke real-time scans and fixes from Bridgecrew)
- You can now easily share organization-specific, custom Checkov checks you've written hosted in git repos using the --external-checks-git flag.
Essential security for everyone: Building a secure AWS foundation
Byron Pogson provides a nice overview of how small teams can build securely on AWS using the Well-Architected Framework. The post discusses security foundations, identity and access management, detection, infrastructure and data protection, and incident response.
AWS Well-Architected Labs
Documentation and code in the form of hands-on labs to help you learn, measure, and build using architectural best practices. One of the labs: Quest: Quick Steps to Security Success.
AWS Well-Architected Tool
Free tool available in the AWS Management console that helps you review the
state of your workloads and compares them to the latest AWS architectural best
practices. Define your workload and answer a set of questions regarding
operational excellence, security, reliability, performance efficiency, and cost
optimization. This tool then provides a plan on how to architect for the cloud
using established best practices.
🤯 stepfn.dev
A site by Aidan Steele for rapidly iterating on
AWS Step Function designs. Change a few characters, hit Cmd+Enter, see result
~300ms later. It's intended to be like JSFiddle, but for AWS Step Functions, and
you can create links for easy sharing and troubleshooting.
Container Security
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
By NCC Group's Cedric Halbronn: Like Qubes but
for Windows. Wubes leverages the Windows Sandbox to spawn applications in
isolation; that is, an attacker would need additional exploits, not just one in
the target application, to compromise your host. Currently supports Firefox,
but more programs can be added.
Helm 2nd Security Audit
Audit performed by Trail of Bits, which
looked at the source code for the Helm client along with a threat model for the
use of Helm. Two consultants, three person-weeks. Findings: 3 Medium, 7 Low, 3 Informational.

Blue Team
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
By NCC Group's Ollie Whitehouse (source code):
We prototyped a Windows Service Canary in order to target parts of the ransomware kill chain to minimize impact and overall success of operations. Multiple instances are installed masquerading as common Windows services that are targeted by threat actors prior to encryption. If multiple instances of these services are stopped then a Canary token is triggered and the host hibernated.
Red Team
How to extract Python source code from Py2App packed Mach-O Binaries
By Taha Karim: Mount the .dmg using hdiutil, find the Py2App packed file, binwalk, patch the target bytecode with the proper header using a tool like Hex Fiend, then decompyle3.
The Universal Loader for Go
By Symbol Crash: A Golang library that
provides a consistent interface across all platforms for loading shared
libraries from memory without using CGO. Linux, Windows, and OSX, including the
new M1 Apple chip.
Non-fungible Tokens (NFTs)
Why NFTs are suddenly selling for millions of dollars
Nice overview by Zachary Crockett: What
exactly is an NFT? What makes them so valuable? And what might the future hold
for these digital assets? Personally, I don't think NFTs make sense to purchase, but 🤷

NFTs are a dangerous trap
Marketing legend Seth Godin argues against NFTs because he feels a) they are a trap
for creators (e.g. focusing on creating the feeling of scarcity and hustling
people vs doing more great work) and b) that they require a vast amount of
electricity, which is bad for the environment.
Deepfakes
A few deepfake creation and detection sites / tools have crossed my radar recently, so I'm listing a few for easy reference.
Given that a significant percent of the U.S. population already believes things without any proof and in the face of significant counterevidence (e.g. the election being "stolen," QAnon), things don't look great
Creating:
Impressions.app
"Create high quality celebrity face swap videos right from your phone!"
Deepfake App
Deepfake as a Service, just upload your source and target videos.
Detecting:
Amber: fake video solved.
"Fingerprint videos & track provenance as it's distributed. AI detection of
malicious deepfakes sowing disinfo and deception."
Sensity.ai
"Sensity collects detailed visual threat intelligence from hundreds of source
across the open and dark web. We use deep learning to detect malicious visual
media and reveal a comprehensive view of the risks associated with audio-visual
content targeting individuals and companies." You can upload your own image and
video files, or submit URLs to be analyzed.
Truepic
"Truepic pioneered Controlled Capture technology, which allows anyone to take
photos and videos whose origin, pixel contents, and metadata are verifiable.
Using cutting-edge artificial intelligence, cryptography, and computer vision
technologies, we are bolstering the value of authentic photos and videos, while
leading the fight against deceptive ones."
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
Thanks for reading!
Cheers,
Clint
@clintgibler