Hey there,
I hope you’ve been doing well!
Man’s Best Friend Cryptocurrency
Sometimes life can feel like a bit much. One minute you’re disrupting the automotive industry, the next you’re trying to send humans to Mars.
You just need some time and the right activity to recharge the ol’ internal battery.
So you bust out MS Paint and crank out a meme hyping a joke cryptocurrency:
I too hope to one day use my $Billions and social influence for good the lulz and to troll the finance industry.
Also, I may have come across the most #peak2021 picture: the above meme on a mask.
India Needs Help
India has been experiencing a massive surge in coronavirus cases, with some reports indicating some 300,000 new infections daily.
People are dying due to lack of medical supplies.
Question: how bad is it?
Answer: there are news articles with “round-the-clock mass cremations” in the title.
Daniel Miessler shared a New York Times article with a number of resources on how you can donate.
I donated to UNICEF here.

Also, many employers offer donation matching, which is an easy way to double your contributions! Check for an internal employer portal.
Sponsor
📢 Burp Suite as you've never seen it before
Burp Suite Enterprise Edition is the automated web vulnerability scanner built to help you shift left. By enabling you to scale and accelerate security testing, it frees time to do more.
Using the same Burp Scanner trusted by over 50,000 pentesters worldwide, Burp Suite Enterprise Edition can help you find and eliminate bugs before they reach production.
View live demo
📜 In this newsletter...
- AppSec: Initial Rust support in Semgrep
- Supply Chain Security: Tool to check for dependency confusion exposure across many languages, dep confusion in Unity games and Bundler, CISA's recommended defenses
- Web Security: Open source tool for out-of-band vuln testing, exploiting race conditions with Nuclei
- Cloud Security: Free SRE conference, automate AWS patching, guide to AWS cost control
- Container Security: Docker tag and pinning overview, mirror images for Kubernetes internally, offense-focused Docker tool, talk on backdooring and hardening Docker build processes
- Blue Team: What's new in ATT&CK v9
- Career: How to start in bug bounty, landing your first job as a bootcamp grad, getting your first cybersecurity job, find remote jobs, a list of security engineer interview questions
- Politics / Privacy: Amazon used seller data to boost their own sales, history of FAANG acquisitions
- Misc: The dangers of not taking a break, what's Salesforce?
- Differentiating: For Companies and VCs: The importance of differentiating and the death of the middle
AppSec
Advancing Rust Support in Semgrep
This post by Kudelski Security describes how
they’ve been furthering Semgrep’s Rust support via contributions to the tree-sitter-rust
grammar and other parts of Semgrep core.
Not only is Semgrep’s community contributing new rules, they’re also helping Semgrep support more languages. I don’t know of any other commercial-grade static analysis tool where this is the case. Pretty cool.
Supply Chain Security
salesforce/DazedAndConfused
A tool to help determine dependency confusion
exposure that currently works on 12+ types of dependency files (more than any
other tool I’ve seen). Also has support for scanning GitHub and GitLab
servers. H/T Emre Saglam.
Dependency Confusion Vulnerabilities in Unity Game Development
By IncludeSec’s Jason Kielpinski: “A game studio
that uses a private package registry configured to also pull from the public
npmjs registry (which is the default configuration of Verdaccio) is
vulnerable… Because the Unity package manager client doesn’t support package
namespaces, the standard way of preventing this attack doesn’t work with Unity.
Instead, mitigations have to be applied at the package registry server level.”
Bundler is Still Vulnerable to Dependency Confusion Attacks
By @Zofrex: “Bundler will fetch implicit
dependencies (dependencies of your explicit dependencies) from any declared
source in the Gemfile, even if their parents are limited to a particular
source.” Potential mitigations: virtual namespacing, scope all gems, publicly
register all of your gems, or explicitly provide source
for each dependency.
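As an added example (not code from the post or from Bundler itself), here is a small Ruby lint that reads a Gemfile and reports gems that are not scoped to a single source, the "scope all gems" mitigation mentioned above; the Gemfile and the internal registry URL are constructed placeholders.

```ruby
# Added example (not from the linked post): a small lint that reads a Gemfile
# and reports explicit gem declarations that are not scoped to one source via a
# `source '...' do ... end` block (or a `source:` option), the "scope all gems"
# mitigation above. It covers explicit declarations only: per the post, Bundler
# still resolves implicit dependencies from any declared source.

# Returns { sources: [...], unscoped: [...], scoped: { gem => source } }.
def audit_gemfile(text)
  sources, unscoped, scoped = [], [], {}
  block_source = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # drop comments, then whitespace
    case line
    when /\Asource\s+['"]([^'"]+)['"]\s+do\z/
      block_source = Regexp.last_match(1)   # gems until `end` use only this
      sources |= [block_source]
    when /\Asource\s+['"]([^'"]+)['"]\z/
      sources |= [Regexp.last_match(1)]
    when /\Aend\z/
      block_source = nil
    when /\Agem\s+['"]([^'"]+)['"](.*)\z/
      name, rest = Regexp.last_match(1), Regexp.last_match(2)
      if block_source
        scoped[name] = block_source
      elsif rest =~ /source:\s*['"]([^'"]+)['"]/
        scoped[name] = Regexp.last_match(1)
      else
        unscoped << name
      end
    end
  end
  { sources: sources, unscoped: unscoped, scoped: scoped }
end

# More than one source plus any unscoped gem is the confusion-prone shape.
def risky?(report)
  report[:sources].size > 1 && !report[:unscoped].empty?
end

# Constructed sample (placeholder registry URL). 'acme-billing' is an internal
# gem declared at top level, so either source may satisfy it.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  source 'https://gems.internal.example'
  gem 'rails', '~> 6.1'
  gem 'acme-billing'
  source 'https://gems.internal.example' do
    gem 'acme-auth'   # scoped: resolved only from the internal registry
  end
GEMFILE
```

Run `risky?(audit_gemfile(File.read('Gemfile')))` against a real Gemfile to get the same verdict; a clean result still leaves the implicit-dependency behaviour described in the post unaddressed.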
Defending Against Software Supply Chain Attacks
A 16-page PDF guide by CISA, covering supply chain risks, common attack techniques, recommendations for customers (mitigating deployed malicious or vulnerable software, increasing resilience to a successful exploit), and recommendations for vendors (preventing the supply of malicious or vulnerable software, post-deployment mitigations).
Web Security
Interactsh: Open-Source Solution for OOB Testing
New tool by Project Discovery that can help you identify blind out-of-band (OOB) vulnerabilities by generating dynamic URLs, which when requested by the target, trigger a callback. Interactsh comes with a server that can emulate HTTP, DNS, and SMTP with wildcards enabled. Nuclei integration coming!
See this Portswigger article for more info about OOB vulnerabilities.
Exploiting Race Conditions with Nuclei
Project Discovery describes how to use nuclei to
test for race conditions against a single HTTP request or even chaining multiple
HTTP requests together.
Cloud Security
cloud-native-sre.wtf
A free virtual conference (May 20, 2021) about site reliability engineering,
DevSecOps, observability, multicloud, and working with complex distributed
systems at scale.
Automate Patching Using AWS Systems Manager
ByteCheck’s Nick McLaren describes
patch baselines, setting up automated patches, patching groups based on tags,
and monitoring compliance.
My Comprehensive Guide to AWS Cost Control
GumGum’s Corey Gale describes three stages of managing AWS costs that have led his company to save millions of dollars per year:
- Tracking and understanding costs.
- Using those insights to reduce costs and the risk of making cost-saving changes.
- Integrating these cost insights into our processes.
Container Security
Winning with Docker Pinning
This post by Atomist’s James Carnegie explores
how Docker tags work, the risks and benefits of using them, and a mechanism for
pinning to specific digests to bring us closer to reproducible builds.
estahn/k8s-image-swapper
By Enrico Stahn: “A mutating webhook for
Kubernetes, downloading images into your own registry and pointing the images to
that new location.” It will transparently consolidate all images into a single
registry without the need to adjust manifests, reducing the impact of external
registry failures, rate limiting, network issues, change or removal of images
while reducing data traffic and therefore cost.
cr0hn/dockerscan
By Daniel Garcia and Roberto
Munoz: An offense-focused Docker tool that
can scan a network looking for Docker registries, look for sensitive info within
a Docker image, or inject a reverse shell into a Docker image.
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker
Daniel and Roberto’s talk in which they announced dockerscan. Includes an overview of Docker, CI, and manipulating Docker images. Their recommendations for hardening build processes include:
- Do not trust names or tags; use digests in FROM declarations instead.
- Always check the integrity of anything downloaded at build time.
- Ideally, only build servers are allowed to push images to registries.
- Implement signing (Notary) and don’t execute unsigned images.
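As an added example covering both the digest-pinning post above and the first two hardening recommendations in this list (not code from the talk, the Atomist post, or dockerscan), here is a text-only Ruby lint for a Dockerfile; the two Dockerfiles, the digests and the download URL are constructed placeholders.

```ruby
# Added example (not from the talk or the Atomist post): a text-only lint that
# checks a Dockerfile against two of the recommendations above: FROM lines
# pinned to a digest, and an integrity check on anything downloaded at build
# time (a RUN that calls curl/wget without sha256sum/sha512sum in the same
# instruction is reported). Heuristic by design: it never runs the build.

# Join backslash continuations so each instruction is one logical line.
def instructions(dockerfile)
  dockerfile.gsub(/\\\n/, ' ').each_line.map(&:strip)
            .reject { |l| l.empty? || l.start_with?('#') }
end

# Returns an array of finding strings; an empty array means nothing was flagged.
def lint_dockerfile(dockerfile)
  findings = []
  stages = []  # names from "FROM x AS name"; a later "FROM name" needs no pin
  instructions(dockerfile).each do |ins|
    if ins =~ /\AFROM\s+(\S+)(?:\s+AS\s+(\S+))?/i
      image, stage = Regexp.last_match(1), Regexp.last_match(2)
      stages << stage.downcase if stage
      next if image.casecmp('scratch').zero? || stages.include?(image.downcase)
      findings << "FROM #{image}: not pinned to a digest" unless image.include?('@sha256:')
    elsif ins =~ /\ARUN\b/i
      fetch = ins[/\b(curl|wget)\b/, 1]
      if fetch && ins !~ /sha(256|512)sum/
        findings << "RUN uses #{fetch} without a checksum verification"
      end
    end
  end
  findings
end

# Constructed "before": mutable tag and an unverified download.
WEAK = <<~DOCKERFILE
  FROM python:3.9-slim
  RUN curl -sSLo /tmp/tool.tar.gz https://downloads.example/tool.tar.gz \\
      && tar -xzf /tmp/tool.tar.gz -C /opt
DOCKERFILE

# Constructed "after": digest pin (placeholder digest, not a real one) and a
# checksum gate that fails the build if the download does not match.
HARDENED = <<~DOCKERFILE
  FROM python:3.9-slim@sha256:#{'0' * 64} AS build
  RUN curl -sSLo /tmp/tool.tar.gz https://downloads.example/tool.tar.gz \\
      && echo "#{'1' * 64}  /tmp/tool.tar.gz" | sha256sum -c - \\
      && tar -xzf /tmp/tool.tar.gz -C /opt
  FROM build
DOCKERFILE

puts lint_dockerfile(WEAK) if __FILE__ == $PROGRAM_NAME
```

`docker buildx imagetools inspect <image:tag>` or `docker inspect --format '{{index .RepoDigests 0}}' <image>` gives the real digest to put after `@sha256:` when pinning your own base images.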

Blue Team
What’s new in ATT&CK v9
- Updated: revamp of data sources, refreshes to macOS techniques.
- New: consolidation of IaaS platforms, the Google Workspace platform, ATT&CK for Containers (and not the kind on boats).
Career
How To Start Bug Bounty For Beginners
A number of talks and resources by @securibee.
How to land your first job as a bootcamp grad
By Netflix Senior Engineer Scott Moss.
How I Would Get My First Cybersecurity Job If I Had Zero Experience Or Education!
By Cybersecurity Meg.
Remote Hunt
Find remote jobs.
tadwhitaker/Security_Engineer_Interview_Questions
By Tad Whitaker: A deduplicated list of
questions asked during security engineer interviews based on Glassdoor.com,
covering: encryption and authentication, networking and logging, OWASP Top 10
and AppSec, databases, tools and games, programming and code, and compliance.
Politics / Privacy
Amazon knew seller data was used to boost company sales
I’ll take, “Things anyone could have seen coming a mile away” for $800, Alex(a).
An internal audit seen by POLITICO warned Amazon’s senior leadership in 2015 that 4,700 of its workforce working on its own sales had unauthorized access to sensitive third-party seller data on the platform — even identifying one case in which an employee used the access to improve sales.
Amazon, Apple, Facebook, and Google became big tech companies by acquiring hundreds of smaller companies
Pretty neat overview of the history of these companies and their acquisitions.
Misc
The dangers of not taking a break
Scary story by @TinkerSec on what happens when you work too hard and never take
a break: you can actually burn out all of the glucose in your brain and have
seizures. H/T Ishaq Mohammed for the
link.
What’s Salesforce?
This post by Taimur Abdaal on the history
of customer-relationship management (CRM) and how Salesforce came to be the
juggernaut it is today was quite fascinating.
Also, I saw this meme on Taimur’s Twitter and couldn’t not include it:

Differentiating: For Companies and VCs
Companies and their products must be so differentiated that no one else can copy them (the boutique coffee shop), or they must be “full stack” and 100% exactly what we want (Starbucks).
So what’s one to do? There are two options:
- Go as differentiated as possible and serve the customer exactly what they want.
- Power law everything — don’t pick the winners; have the winners all pick you.
Build a “pointy business” that’s purely differentiated, or “no stack”. Or build a “utility business” that does all of the underlying work as a truly “full stack” company/product.
Don’t get stuck in the middle.
Playing Different Games
Fascinating breakdown by Everett Randle of why Tiger Global is eating other VCs’ lunch. Tiger is attractive to founders (more money, less dilution, less involved - you run your company), and because they do more deals faster, each deal doesn’t need to be as profitable (less due diligence -> faster deals -> more deals, by pre-empting other VCs).
The article also focuses on the core mechanics of successful investing, and shows how eschewing cultural norms that don’t actually matter can give you a significant competitive advantage.


✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler