Hey there,
I hope you've been doing well!
Security Vendor Marketing Pro-tips
It's not easy to market something as complex as a security product.
You need to highlight your product's salient features, differentiate from the competition, and do so in a way that's detailed but not too opaque for people who aren't domain experts in your area.
Fortunately, Matt Fuller shared a cheatsheet of how to do it 🤣

Open Security Summit Workshop
I'm giving a workshop starting a few hours after you receive this email!
If you can't attend, no worries, it'll be recorded.
Sponsor
📢 The Cloud Security Endgame and How To Really Shift Left
A "shift left" approach to cloud security means testing your code earlier in the development process. Studies show that fixing issues in code can take 10x less effort before deployment and 100x less effort before the project goes into maintenance. Discover how to achieve continuous security while building your cloud environment.
Read more
In this newsletter...
- Program Analysis: Query C++ code bases via SQL, auto-patching 100K+ Python code
- AppSec: Securing Ansible configs, handling CLI secrets, building systems to protect sensitive data
- Web Security: Testing 2FA implementations, brute-forcing Flask cookies
- Cloud Security: Retrieving AWS security creds from the AWS console, tools for cloud visibility and enforcement, top 10 AWS identity health checks
- Blue Team: Detecting outdated shared libraries, detecting malicious network traffic using incremental machine learning
- Politics / Privacy: Securely erasing your iOS device, Google's efforts to protect slander victims
- TikTok: China appreciates you sharing your voice and faceprints, influencer burnout, the altar of the algorithm
- Misc: Atlassian security team's 20% ritual, fully homomorphic encryption resources by Google
Program Analysis
frabert/ClangQL
A proof-of-concept SQLite extension for querying C++ codebases that have been indexed using clangd.
Abstract Syntax Tree for Patching Code and Assessing Code Quality
Soroco's Abdul Qadir describes scalably patching hundreds of thousands of lines of Python code using Python's ast package. Use cases: upgrading deprecated pandas function calls, flagging single-character variable names, and except clauses that don't log exceptions.
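To make the ast approach concrete, here is an added example (my own illustration, not Soroco's code) that implements two of the checks named above as a NodeVisitor walk and the patching case as a NodeTransformer rename. The sample module, the logger names it recognises and the old_api/new_api mapping are all constructed for the demo; ast.unparse needs Python 3.9 or later.

```python
"""Added example, not Soroco's code: use Python's ast module to (1) flag
single-character variable names and except clauses that never log, and
(2) rewrite calls to deprecated functions by name. The sample module and
the old_api/new_api mapping are constructed for the demo; ast.unparse
requires Python 3.9+."""
import ast
from typing import Dict, List, Tuple

# Constructed sample module to analyse (not from the article).
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

def load(path):
    try:
        f = open(path)
        d = f.read()
    except OSError:
        pass
    except ValueError as e:
        log.exception("bad value")
    total = 0
    for i in range(3):
        total += i
    return total
'''

LOGGER_NAMES = {"log", "logger", "logging"}   # assumed names of logger objects


def _handler_logs(handler: ast.ExceptHandler) -> bool:
    """True if the handler body calls a method on a logger-like name."""
    for node in ast.walk(handler):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            target = node.func.value
            if isinstance(target, ast.Name) and target.id in LOGGER_NAMES:
                return True
    return False


def analyse(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, message) findings for the two quality rules."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Assignment targets (Store context) with a one-character name.
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store) and len(node.id) == 1:
            findings.append((node.lineno, f"single-character variable name '{node.id}'"))
        # except clauses whose body never touches a logger.
        elif isinstance(node, ast.ExceptHandler) and not _handler_logs(node):
            findings.append((node.lineno, "except clause does not log the exception"))
    return sorted(findings)


class _RenameCalls(ast.NodeTransformer):
    """Rewrite obj.old(...) to obj.new(...) for every (old, new) in mapping."""

    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping

    def visit_Call(self, node: ast.Call) -> ast.AST:
        self.generic_visit(node)
        if isinstance(node.func, ast.Attribute) and node.func.attr in self.mapping:
            node.func.attr = self.mapping[node.func.attr]
        return node


def rename_calls(source: str, mapping: Dict[str, str]) -> str:
    """Patch source text by renaming deprecated method calls; returns the new source."""
    tree = _RenameCalls(mapping).visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))
```

Running analyse(SAMPLE_SOURCE) flags f, d and i plus the bare except OSError, while the except ValueError clause passes because it calls log.exception; rename_calls("pd.old_api(x)", {"old_api": "new_api"}) returns the patched text, which is what you would write back to disk across a large code base.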
AppSec
Hack Series: Is your Ansible Package Configuration Secure?
Include Security's Laurence Tennant describes his top 10 tips for auditing Ansible code as well as two subtle ways in which package managers may not verify signatures. Also, Ansible doesn't natively provide a way to see the exact commands that are being run, but Laurence provides a handy strace command (in this case, looking for calls to apt):
$ sudo strace -f -e trace=execve ansible-playbook \
playbook.yml 2>&1 | grep apt
How to Handle Secrets on the Command Line
smallstep's Carl Tashian describes three methods for handling secrets on the command line, their risks, and how to use them as safely as possible: using piped data, credential files, and environment variables.
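As an added illustration of those three channels (my own example, not smallstep's code), the snippet below reads a secret from a pipe, a credential file and an environment variable, each with the check that makes that channel safer: refusing a file other users can read, refusing to read from an interactive terminal, and scrubbing the variable once consumed. The file, token and variable name are constructed for the demo.

```python
"""Added example, not smallstep's code: read a secret through each of the
three channels the article covers (piped stdin, a credential file, an
environment variable) with the check that makes each channel safer.
Paths and variable names are hypothetical; the demo inputs are constructed."""
import io
import os
import stat
import sys
import tempfile
from typing import TextIO


def secret_from_file(path: str) -> str:
    """Credential file: never shows up in `ps` output or shell history, but
    must not be readable by other users."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group- or world-accessible; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def secret_from_stream(stream: TextIO = sys.stdin) -> str:
    """Piped data: keeps the secret out of this process's argv, though the
    producer's own command line (e.g. `echo $TOKEN |`) may still expose it."""
    if stream.isatty():
        raise RuntimeError("refusing to read a secret from an interactive terminal")
    return stream.readline().rstrip("\n")


def secret_from_env(name: str) -> str:
    """Environment variable: inherited by every child process and readable
    from /proc/<pid>/environ by the same user, so scrub it once read."""
    value = os.environ.pop(name, None)
    if value is None:
        raise KeyError(f"{name} is not set")
    return value


def demo_secret_channels() -> dict:
    """Exercise all three channels on constructed inputs; every value is True."""
    results = {}
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:   # constructed credential file
        fh.write("hunter2\n")
    try:
        os.chmod(fh.name, 0o600)
        results["file_read_when_private"] = secret_from_file(fh.name) == "hunter2"
        os.chmod(fh.name, 0o644)
        try:
            secret_from_file(fh.name)
            results["file_rejected_when_shared"] = False
        except PermissionError:
            results["file_rejected_when_shared"] = True
    finally:
        os.unlink(fh.name)
    results["pipe_read"] = secret_from_stream(io.StringIO("hunter2\n")) == "hunter2"
    os.environ["DEMO_API_TOKEN"] = "hunter2"            # hypothetical variable name
    results["env_read"] = secret_from_env("DEMO_API_TOKEN") == "hunter2"
    results["env_scrubbed"] = "DEMO_API_TOKEN" not in os.environ
    return results
```

The permission check is the part people skip: a 0644 token file is as exposed as a password on the command line to anyone else on the box.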
Protecting sensitive data at Gusto with HAPII – Part 1
Gusto's Iain McGinniss describes the Hardened PII store (HAPII), a system built to further lock down how Gusto handles sensitive user data like SSNs. A few takeaways:
- Make sensitive data access explicit - easier to audit, don't pull in data unless required.
- Return partial data where possible (e.g. last 4 digits of SSNs).
- Use usage data to engage engineering teams to understand the minimal set of PII they need.
Web Security
Testing Two-Factor Authentication
NCC Group's @aschmitz provides an excellent walkthrough of three categories of checks to perform when assessing a 2FA implementation: general 2FA issues, authentication code-based issues, and WebAuthn security key issues. In general, WebAuthn > authentication code-based (e.g. Google Authenticator) > SMS.
Baking Flask cookies with your secrets
Flask by default signs but does not encrypt cookies. Luke Paris describes how you can bypass authentication if you can brute-force the server's signing secret. He scraped published secrets from GitHub and Stack Overflow to create a wordlist, used Shodan to find 1242 valid sessions, of which he was able to crack 28%. Luke has released Flask-Unsign to ease this attack.
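The "signs but does not encrypt" point is worth seeing in code. Below is an added example (mine, not Luke's or Flask's) that models Flask's cookie signing with the standard library: the session payload decodes without any key, verification requires the key, and a trivially guessable SECRET_KEY is what makes the attack above work. It follows the structure of itsdangerous as Flask configures it (HMAC-SHA1, key derived by HMAC over the salt "cookie-session"); byte-for-byte compatibility with any particular Flask version is an assumption, not something the page states.

```python
"""Added example, not Luke Paris's code nor Flask's own: a stdlib model of how
a Flask session cookie is signed. It shows that the payload is readable by
anyone (signing is not encryption), that verification needs the secret, and
why the secret's strength decides everything. Modelled on itsdangerous as Flask
configures it (HMAC-SHA1, key derived by HMAC over the salt b"cookie-session");
byte-for-byte compatibility with a given Flask version is an assumption."""
import base64
import hashlib
import hmac
import json
import secrets
import zlib
from typing import List, Optional

SALT = b"cookie-session"          # Flask's session salt


def _b64e(raw: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def _derived_key(secret_key: str) -> bytes:
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(data: dict, secret_key: str, timestamp: int) -> str:
    """Serialize, compress and sign a session dict into cookie form."""
    payload = _b64e(zlib.compress(json.dumps(data, separators=(",", ":")).encode()))
    # A leading "." marks a compressed payload; ".<timestamp>" is then appended.
    signed_value = b"." + payload + b"." + _b64e(timestamp.to_bytes(4, "big"))
    sig = hmac.new(_derived_key(secret_key), signed_value, hashlib.sha1).digest()
    return (signed_value + b"." + _b64e(sig)).decode()


def decode_payload(cookie: str) -> dict:
    """Read the session contents WITHOUT any key: anyone holding the cookie can."""
    payload = cookie.encode().rsplit(b".", 2)[0]
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the session only if its signature is valid under secret_key."""
    signed_value, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derived_key(secret_key), signed_value, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):   # constant-time compare
        return None
    return decode_payload(cookie)


def check_secret_key(key: str) -> List[str]:
    """Cheap startup check: a guessable SECRET_KEY makes every cookie forgeable."""
    issues = []
    if len(key) < 32:
        issues.append("shorter than 32 characters")
    if len(set(key)) < 10:
        issues.append("low character diversity")
    return issues


def demo_cookie_signing() -> dict:
    """Exercise the model with a randomly generated strong key; every value is True."""
    strong = secrets.token_hex(32)
    session = {"user_id": 1, "admin": False}
    cookie = sign_session(session, strong, 1624000000)
    other = sign_session({"user_id": 1, "admin": True}, "some-other-key", 1624000000)
    return {
        "payload_readable_without_key": decode_payload(cookie) == session,
        "valid_cookie_verifies": verify_session(cookie, strong) == session,
        "cookie_under_other_key_rejected": verify_session(other, strong) is None,
        "weak_key_flagged": bool(check_secret_key("secret")),
    }
```

Two defensive takeaways follow directly: never put anything in the session you would not show the user, and generate SECRET_KEY with something like secrets.token_hex(32) rather than copying one from a tutorial.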
Cloud Security
Retrieving AWS security credentials from the AWS console
Christophe Tafani-Dereeper describes how to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console, using a valid session cookie and an undocumented API. This could be useful for red teams and pen tests.
CloudSecDocs: Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
Top ten AWS identity health checks to improve security in the cloud
k9 Security breaks down the identity health checks into 3 categories:
- Build foundations for identity and access management
- Establish necessary IAM users and roles for people and applications
- Evolve IAM permissions towards least privilege
Blue Team
cloudlinux/kcare-uchecker
A simple tool to detect outdated shared libraries still linked to processes in memory, by CloudLinux.
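For a sense of what such a check looks like, here is an added example of one approach (my own, not CloudLinux's code, and not necessarily the method kcare-uchecker uses): on Linux, a process that still maps a library whose file was replaced on disk shows that mapping with a "(deleted)" suffix in /proc/<pid>/maps. The maps excerpt is constructed.

```python
"""Added example, not CloudLinux's kcare-uchecker: one way to find processes
that still map a shared library whose file on disk has since been replaced
(e.g. by a package upgrade). Linux marks such mappings "(deleted)" in
/proc/<pid>/maps. The maps excerpt is constructed; the real tool may use a
different method."""
import os
import re
from typing import Dict, List

SO_RE = re.compile(r"\.so(\.\d+)*$")      # libfoo.so, libfoo.so.1.1, ...
DELETED = " (deleted)"

# Constructed /proc/<pid>/maps excerpt: one stale library, one live one,
# plus the pseudo mappings that also carry "(deleted)" but are not libraries.
MAPS_SAMPLE = """\
7f1c2a000000-7f1c2a1c0000 r-xp 00000000 fd:01 1052 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2a400000-7f1c2a5a0000 r-xp 00000000 fd:01 1060 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a800000-7f1c2a801000 rw-p 00000000 00:00 0 [heap]
7f1c2a900000-7f1c2a901000 rw-s 00000000 00:05 4097 /memfd:scratch (deleted)
7f1c2aa00000-7f1c2aa01000 rw-p 00000000 00:00 0
"""


def stale_libraries(maps_text: str) -> List[str]:
    """Return mapped shared-library paths whose backing file was deleted/replaced."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)        # addr perms offset dev inode [pathname]
        if len(parts) < 6:
            continue                          # anonymous mapping: no pathname
        path = parts[5]
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        # memfd, /dev and pseudo mappings also show "(deleted)" but are not libraries
        if path.startswith(("/memfd:", "/dev/", "[")) or not SO_RE.search(path):
            continue
        found.add(path)
    return sorted(found)


def scan_processes() -> Dict[int, List[str]]:
    """Walk /proc on a live Linux host; reading other users' maps needs root."""
    report = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps", encoding="utf-8") as fh:
                stale = stale_libraries(fh.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue                          # process exited or is not ours
        if stale:
            report[int(entry)] = stale
    return report
```

A hit means the patched file is on disk but the vulnerable code is still what the process executes; restart the service (or the host) to actually pick up the fix.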
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
In academic papers, the machine learning models used for security applications are usually trained on bounded datasets — where the dataset has a clear start and end. NCC Group and Fox-IT's Data Science team describe how incremental learning techniques can be applied for novelty detection (the first time something has happened) and outlier detection (rare events) on data streams derived from Zeek (the network analysis tool formerly known as bro).
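To show what novelty and outlier detection on a stream look like in the smallest possible form, here is an added example (mine, not NCC Group/Fox-IT's code, and deliberately not using River) that consumes Zeek ssl.log JSON records one at a time and keeps only per-host running counts of the ja3 field. A fingerprint a host has never presented is a novelty; a fingerprint that recurs but stays a small share of that host's traffic after a warm-up is an outlier. The log lines and hashes are constructed; the method name learn_one only echoes River's naming.

```python
"""Added example, not NCC Group / Fox-IT's code and not using River: a
minimal streaming detector over the ja3 field of Zeek ssl.log JSON records.
Novelty = a JA3 hash this client host has never presented before; outlier =
a hash that has recurred but still makes up a small share of the host's
traffic after a warm-up. The log lines and hashes are constructed."""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Tuple

HOST_A, HOST_B = "10.0.0.5", "10.0.0.9"
JA3_COMMON, JA3_RARE = "1" * 32, "2" * 32    # constructed stand-ins for MD5 JA3 hashes


def _build_log() -> str:
    """Constructed ssl.log excerpt: host A uses one fingerprint, then a rare second one."""
    seq = [JA3_COMMON] * 9 + [JA3_RARE, JA3_COMMON, JA3_RARE]
    recs = [{"ts": 1624000000 + i, "id.orig_h": HOST_A, "server_name": "example.com", "ja3": j}
            for i, j in enumerate(seq, 1)]
    recs.append({"ts": 1624000013, "id.orig_h": HOST_B, "server_name": "example.com", "ja3": JA3_COMMON})
    return "\n".join(json.dumps(r) for r in recs)


ZEEK_SSL_LOG = _build_log()


def iter_zeek_json(text: str) -> Iterator[dict]:
    """Zeek's JSON logs are one object per line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


class Ja3StreamDetector:
    """Keeps only per-host running counts, so memory is O(hosts x fingerprints)."""

    def __init__(self, warmup: int = 5, outlier_share: float = 0.2):
        self.counts: Dict[str, Counter] = defaultdict(Counter)   # host -> ja3 -> count
        self.total: Counter = Counter()                           # host -> records seen
        self.warmup = warmup
        self.outlier_share = outlier_share

    def learn_one(self, rec: dict) -> dict:
        """Update state with one record and return any alerts it triggered."""
        host, ja3 = rec["id.orig_h"], rec["ja3"]
        alerts = []
        if self.counts[host][ja3] == 0:
            alerts.append("novelty")                 # first time this host used this ja3
        self.counts[host][ja3] += 1
        self.total[host] += 1
        share = self.counts[host][ja3] / self.total[host]
        if "novelty" not in alerts and self.total[host] > self.warmup and share < self.outlier_share:
            alerts.append("outlier")                 # seen before, but still rare for this host
        return {"ts": rec["ts"], "host": host, "ja3": ja3, "alerts": alerts}


def run_detector(text: str, warmup: int = 5, outlier_share: float = 0.2) -> List[Tuple[int, str, List[str]]]:
    """Stream the log through the detector; return (ts, host, alerts) for alerting records only."""
    det = Ja3StreamDetector(warmup, outlier_share)
    out = []
    for rec in iter_zeek_json(text):
        r = det.learn_one(rec)
        if r["alerts"]:
            out.append((r["ts"], r["host"], r["alerts"]))
    return out
```

On the constructed stream this yields a novelty for host A's first record, a novelty when it first presents the rare fingerprint, an outlier when that fingerprint recurs, and a novelty when host B appears. The warm-up and share threshold are the knobs you would tune against your own baseline before trusting the outlier alerts.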
Politics / Privacy
Securely Erasing Your iPhone or iPad – With a Power Drill
How to take off the screen and where to drill, by The Intercept.
Google Seeks to Break Vicious Cycle of Online Slander
Google also recently created a new concept it calls "known victims." When people report to the company that they have been attacked on sites that charge to remove posts, Google will automatically suppress similar content when their names are searched for. "Known victims" also includes people whose nude photos have been published online without their consent, allowing them to request suppression of explicit results for their names.
TikTok
*world weary sigh as I realize I created a "TikTok" section*
TikTok just gave itself permission to collect biometric data on US users, including "faceprints and voiceprints"
The Chinese government has access to face and voice data on millions of Americans, as well as what they like, don't like, and what affects them emotionally. What could go wrong?
TikTokers know that their fame will likely fade unless they work very, very hard to cultivate themselves into something solidly monetizable. They seamlessly toggle between their two identities — the real person and the online persona — and speak with a kind of cynicism about tying their livelihoods to a platform that could disappear in an instant.
They're afraid of branching out from whatever the algorithm decides it likes for fear of becoming a has-been, and they're burned out by the churn of endlessly creating content they barely even like. Some have public meltdowns, others quit for good, while even the app's biggest star Charli D'Amelio said she often feels overwhelmed by the constant negative attention.
The influencer industry is simply the logical endpoint of American individualism, which leaves all of us jostling for identity and attention but never getting enough.
The Anxiety of Influencers
Writer and English professor Barrett Swanson describes his experience spending five days at Clubhouse, the collective of dozens of college-aged social media hopefuls living in a smattering of content mansions in Los Angeles.
The truth is that the influencer economy is just a garish accentuation of the economy writ large… we've become cheerfully indentured to the idea that our worth as individuals isn't our personal integrity or sense of virtue, but our ability to advertise our relevance on the platforms of multinational tech corporations.
If we sneer and snicker at influencers' desperate quest to win approval from their viewers, it might be because they serve as parodic exaggerations of the ways in which we are all forced to bevel the edges of our personalities and become inoffensive brands. It is a logic that extends from the retailer's smile to the professor's easy A to the politician's capitulation to the co-worker's calculated post to the journalist's virtue-signaling tweet to the influencer's scripted photo. The angle of our pose might be different, but all of us bow unfailingly at the altar of the algorithm.
Misc
Innovation Week - Atlassian Security Team's 20% Time Ritual
The Atlassian Product Security team was finding they were having trouble consistently making time for 20% projects. Marisa Fagan describes how they decided to set aside 1 week every 5 weeks (20%) for everyone to spend on side projects. Neat way to ensure 20% time is taken, and I bet there's even more energy and progress during it than if it were portioned out over time. Interesting idea!
google/fully-homomorphic-encryption
By Google: Libraries and tools to perform fully homomorphic encryption (FHE) operations on an encrypted data set. FHE has nice privacy benefits, but as far as I know, there's still research being done to make it efficient enough to be practical at scale in the real world.
✍️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler