Hey there,
I hope you've been doing well!
#2021_Problems
A tech billionaire sharing crypto memes on Twitter. Oh, the world we live in. From a tweet by Elon Musk:
Dream Team
I get why Netflix writes about it in their culture doc, it's super cool and invigorating getting to work with a top notch team.
This week my company had an internal lunch and learn, and together developers and the security team alike worked on solving an intro reverse engineering challenge using Ghidra, led by someone (Isaac Evans) who contributed to building Ghidra!
Sponsor
All-in-one cloud security with Bridgecrew
Bridgecrew delivers comprehensive security from commit to cloud. Powered by policy-as-code, our platform gives you instant visibility into your cloud security posture and equips you with automated remediation. By embedding security earlier in the development lifecycle, we enable teams to proactively secure their infrastructure without slowing them down.
Try Bridgecrew for free!
In this newsletter...
Links:
- Web Security: GraphQL resources, new OAuth attack vectors, HTTP/2 request smuggling against major cloud providers, protecting users via running browsers in the cloud
- Cloud Security: Continuously validate and monitor IAM best practices via SQL, AWS machine-to-machine authn recommendations, differences in how IAM treats Groups and Users
- Network Security: Networking fundamentals: from Zero to HTTP
- Career Advice: Interview prep for security managers, how to advance your career
- Politics / Privacy: Public audit of NYT's anonymous submission platform, Google shuts down an active counterterrorism operation being run by a Western democracy
- Misc: Thoughts on selling to security leaders, Chrome extension to hide Twitter's Trends, consumer authentication strength maturity model
- Quote: Esther Perel on criticism and relationships
Web Security
Want to learn about GraphQL hacking?
A Twitter thread by @drunkrhin0 with useful talks, resources, and tools.
Hidden OAuth attack vectors
Very cool work by PortSwigger's Michael Stepankin: "In this post we're going to present three brand new OAuth2 and OpenID Connect vulnerabilities: 'Dynamic Client Registration: SSRF by design', 'redirect_uri Session Poisoning', and 'WebFinger User Enumeration'. We'll go over the key concepts, demonstrate these attacks on two open-source OAuth servers (ForgeRock OpenAM and MITREid Connect), and provide some tips on how you can detect these vulnerabilities yourself."
H2C Smuggling in the Wild
AssetNote's Sean Yeoh tested CloudFlare, Azure, GCP, and a number of other cloud providers for H2C smuggling, which uses an obscure feature of HTTP/2 to allow an attacker to bypass authorization controls on reverse proxies. H2C smuggling was previously described by Bishop Fox's Jake Miller.
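The defensive side of the above, as an added example that is not from AssetNote's or Bishop Fox's write-ups: the HTTP/1.1 to h2c upgrade is requested with the header combination defined in RFC 7540 section 3.2, and a reverse proxy that treats Upgrade and everything named in Connection as hop-by-hop (RFC 7230 section 6.1) never forwards it to the backend. The code below flags upgrade attempts in a request head and shows what a correctly behaving proxy would forward. The two request heads are constructed for the demo; the hostname and the HTTP2-Settings value are made up.

```python
"""Added example: spotting and neutralising HTTP/1.1 -> h2c upgrade requests
at a reverse proxy. Sample requests below are constructed for the demo."""
from typing import Dict, List, Set

# Hop-by-hop headers a proxy must not forward (RFC 7230 section 6.1); any header
# named in the Connection header is hop-by-hop too.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 request head into {lowercased-name: [values]}."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def tokens(values: List[str]) -> Set[str]:
    """Split comma-separated header values into a set of lowercased tokens."""
    return {t.strip().lower() for v in values for t in v.split(",") if t.strip()}


def is_h2c_upgrade(raw: str) -> bool:
    """True if the request asks for cleartext HTTP/2 per RFC 7540 section 3.2:
    Upgrade: h2c, a Connection header listing 'Upgrade', and an HTTP2-Settings header."""
    h = parse_headers(raw)
    return ("h2c" in tokens(h.get("upgrade", []))
            and "upgrade" in tokens(h.get("connection", []))
            and "http2-settings" in h)


def strip_hop_by_hop(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """What a correctly behaving proxy forwards: hop-by-hop headers removed,
    including anything the client listed in Connection (so HTTP2-Settings goes too)."""
    drop = HOP_BY_HOP | tokens(headers.get("connection", []))
    return {k: v for k, v in headers.items() if k not in drop}


def audit(raw: str) -> str:
    """One-word verdict for a request head, suitable for a proxy access log."""
    return "h2c-upgrade-attempt" if is_h2c_upgrade(raw) else "ok"


# Constructed sample request heads (not real traffic; hostname and settings value are made up).
H2C_REQUEST = ("GET /flash HTTP/1.1\r\nHost: example.invalid\r\n"
               "Upgrade: h2c\r\nConnection: Upgrade, HTTP2-Settings\r\n"
               "HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
NORMAL_REQUEST = ("GET /flash HTTP/1.1\r\nHost: example.invalid\r\n"
                  "Connection: keep-alive\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for req in (H2C_REQUEST, NORMAL_REQUEST):
        print(audit(req), sorted(strip_hop_by_hop(parse_headers(req))))
```

The check is deliberately strict about all three headers: a lone `Upgrade: h2c` without `Connection: Upgrade` is not a valid upgrade request and a backend should ignore it, while the forwarded header set after `strip_hop_by_hop` is what you would want to see in the proxy's outbound request regardless of what the client sent.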

Browser Isolation for teams of all sizes
Cloudflare has released a new product, Browser Isolation, that runs potentially malicious website code in a remote cloud browser and then streams the results to you, protecting users from drive-by-download malware, browser 0days, etc. I haven't tried this personally so I can't comment, but it has a number of properties I like in a security solution:
- Transparent to the end user: it "just works" without educating the user, forcing them to change their processes, or relying on them to remember not to click on sketchy links.
- Kills classes of bugs/attacks by construction.

Cloud Security
Continuous AWS IAM Security Best Practices
Yevgeny Pats describes how to validate and monitor official AWS IAM best practices using SQL.
Approaches for authenticating external applications in a machine-to-machine scenario
AWS' Patrick Sard describes the pros and cons of a number of approaches, including AWS Signature v4, OpenID Connect, SAML 2.0, and Kerberos.
AWS Authorization Bypass - Security Risk You Should Be Aware Of
Lightspin's Or Azarzar describes how an explicit "Deny" in an IAM Group only affects Group actions, not User actions, which can lead to subtle bugs. They also released red-shadow, a tool that scans IAM configurations for shadow admins based on misconfigured deny policies not affecting users in groups. Also, IAM, go home, you're drunk.

Network Security
Networking Fundamentals: From Zero to HTTP
These slides (and video) by Detectify's Tom Hudson are a great overview and intro to networking fundamentals: MAC addresses, ARP, hubs, switches, subnets, CIDR, routing, TCP/IP, DNS, load balancers, NAT, etc.
Career Advice
Interview Prep for Cybersecurity Managers
Reddit post by Mike Privette of topics you should prepare to speak on.
How far you can go in a management career will always be bounded by your ability to convince all the people involved that you know the best way to navigate to a successful outcome.
How Do I Advance My Career in the Cybersecurity Field?
Also by Mike Privette.
- First figure out for yourself what "advancement" means (i.e., more money, better title, more autonomy, more challenging problems to solve, etc.).
- Early in your career, you end up getting all of those things as you move from Jr analyst/engineer/operator into more senior-level roles, but you need to consider the path you want to take a few jobs/roles out.
- Look at your skills and current role, look at what you want (future roles/jobs), then figure out how to close those gaps.
- Make your intentions known - people can't help you if they don't know what you're aiming for.
- Build an audience in AND outside of your sphere of control and influence. You want people outside of the cybersecurity group at your company to know of you and what you can bring to the table and help them do.
Politics / Privacy
Second independent audit of SecureDrop Workstation completed
The SecureDrop Workstation is an open source platform by the NYT, based on Qubes OS, which allows journalists to safely retrieve, decrypt, open and export anonymous submissions. Some solid, thorough work by Trail of Bits. I liked the appendix on attack surface analysis, and woo, Appendix D is a Semgrep query to find potentially dangerous TarFile.extractall usage.
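Why `TarFile.extractall` is worth a Semgrep rule: it writes wherever the member names point, so an archive with `../` names, absolute names, or links to absolute targets can escape the extraction directory. The following is an added example, not SecureDrop or Trail of Bits code: it builds a small archive in memory (constructed sample data) with one benign file and two hostile members, lists the members that would escape a given destination, and refuses to extract if any exist. The destination path is only used for path resolution and does not need to exist.

```python
"""Added example: validating tar members before TarFile.extractall().
The archive is constructed in memory for the demo; nothing here is SecureDrop code."""
import io
import os
import tarfile
from typing import List


def build_sample_archive(include_hostile: bool = True) -> bytes:
    """Constructed archive: one benign file and, optionally, a '../' traversal
    name plus a symlink pointing at an absolute path outside any extraction dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello"
        good = tarfile.TarInfo("submission/notes.txt")
        good.size = len(data)
        tar.addfile(good, io.BytesIO(data))

        if include_hostile:
            traversal = tarfile.TarInfo("../../etc/cron.d/planted")
            traversal.size = len(data)
            tar.addfile(traversal, io.BytesIO(data))

            link = tarfile.TarInfo("submission/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc/passwd"
            tar.addfile(link)
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if `path` resolves to `root` or somewhere beneath it."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def unsafe_members(archive: bytes, dest: str) -> List[str]:
    """Names of members that would land or point outside `dest`: traversal or
    absolute names, and symlinks/hardlinks whose target resolves outside `dest`."""
    root = os.path.realpath(dest)
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(root, m.name)   # an absolute m.name discards root here
            if not _inside(root, target):
                bad.append(m.name)
                continue
            if m.issym():        # symlink target is relative to the link's own directory
                link_target = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():      # hard link target is relative to the archive root
                link_target = os.path.join(root, m.linkname)
            else:
                continue
            if not _inside(root, link_target):
                bad.append(m.name)
    return bad


def safe_extractall(archive: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract and
    return the extracted names. Python 3.12+ also offers extractall(filter="data"),
    which rejects the same classes of member."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    print(unsafe_members(build_sample_archive(), "/tmp/securedrop-export"))
```

Rejecting the whole archive rather than skipping bad members is the design choice a submission pipeline wants: a partially extracted archive is harder to reason about than a refused one, and the refusal itself is a useful signal.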
Google's unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
An interesting example of when the right thing to do isn't crystal clear (in my opinion). Project Zero disclosed a campaign using 11 0days for iOS, Android, and Windows over a 9 month period.
- Great, let's patch and make everyone safer.
- That operation was a Western democracy conducting a counterterrorism operation. They'll need to regain this level of access, and a successful terrorist attack could kill many innocent people.
- If one player knows about these 0days, another, authoritarian regime may also, and use them to target dissidents.
Misc
Thoughts on Selling to Security Leaders
Tips by Netflix's VP of Information Security, Jason Chan.
DevMoath/hide-twitter-trends
By @Dev_Moath: Chrome extension to hide "Trending now," "Who to follow," and "Topics to follow" tabs on Twitter. My happiness just 10X'd.
The Consumer Authentication Strength Maturity Model v5
By Daniel Miessler.

Quote
Couples Under Lockdown: Bavaria, Germany
Podcast episode by Esther Perel:
Behind every criticism there is a wish. So say what you want, don't say what the other person does wrong.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler