I hope you’ve been doing well!
Programming or security themed parodies can be hit or miss, but this parody of Aladdin’s “A Whole New World” is 👌
Thanks Malware Unicorn for sharing!
I’m tempted to include some lines, but I don’t want to spoil it, so here’s a taste:
I’ve had the privilege of chatting with some awesome people recently.
I joined Lewis Ardern on one of the best named British
Bake Off security podcasts, SecuriTEA & Crumpets. See this video for the Semgrep demo portion with minute markers, and the beginning of the full video for how I got into improv comedy, the origin of tl;dr sec and some lessons learned growing it, career thoughts, and more.
I also chatted with John Kinsella and Adrian Sanabria on Application Security Weekly #156 on scaling security programs via secure defaults, how modern AppSec teams work with their engineering counterparts 🤝, and other good stuff.
📢 Live Workshop: Cloud DevSecOps with Terraform and Bridgecrew
Gain hands-on experience implementing an automated Terraform security workflow from code to cloud. Don’t miss the live step-by-step walkthrough with Bridgecrew and HashiCorp on July 29th! You’ll leverage infrastructure as code and your favorite dev tools to find, fix, and prevent misconfigs and cloud drift.Save your spot!
📜 In this newsletter...
- AppSec: Massive list of resources, Orange Tsai's CTF exercises, web app decision tree generator, finding oversharing in Salesforce, guide to determine if you should run a bug bounty
- Authorization: Carta's highly scalable permissions system inspired by Google's Zanzibar, code patterns for API authz, layering authz into an existing web app
- Cloud Security: Getting partial AWS account IDs for any Cloudfront website, defending against DNS exfiltration in AWS, building an attribute-based access control strategy with AWS SSO and Okta
- Container Security: AWS Lambda deep dive, two resources on hardening AWS EKS, Red Hat State of Kubernetes Security Report 2021
- Ransomware: Inside the ransomware economy, site tracking ransomware profits, political methods to stop ransomware
- Politics / Privacy: Iran's government planned kidnapping in the U.S.
- OSINT: Find profiles across 350 sites by username
- Misc: Drama inside Blizzard
Deciduous: A Security Decision Tree Generator
Ryan Petrich and Kelly Shortridge describe a web app they’ve released (source) that lets you focus on attacker actions, potential mitigations, and how attackers will respond, and Deciduous will dynamically generate an organized and styled graph.
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
NCC Group’s Jerome Smith has released raccoon, an open source tool to identify potential misconfigurations that could expose sensitive data within Salesforce. It establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings.
Is a Bug Bounty Program Right for You?
Chapter 2 from the Bug Bounty Community of Interest is probably one of the most detailed, practical guides about real world concerns and best practices of running a bug bounty program at your company. Factors to consider, vulnerability management details, leadership buy-in, communications, internal processes, operationalizing, and more.
AuthZ: Carta’s highly scalable permissions system
Carta’s Aaron Tainter describes how they went from JWT-based authorization, decided against OPA, to building their own system inspired by Google’s Zanzibar. Great example of building an MVP and iterating quickly based on internal customer feedback (your engineering colleagues).
The HN discussion
contains some interesting anecdotes from other companies and links to a number
of open source and commercial authz tool options.
Code Patterns for API Authorization: Designing for Security
NCC Group’s Tanner Prynn describes four different common patterns when implementing authorization for web apps and APIs, and compares their security trade-offs: ad hoc, route-based, centralized, and object-based.
I saw many different authorization schemes as a security consultant, including
many legacy ones that companies were struggling with or revamping after it was
making new development painful. This is tough to do well, and I appreciated seeing
this overview of different approaches in one place.
Layering authorization into a web application
Gusto’s Flora Jin discusses introducing granular authorization into their app and API (2019). They used the CanCanCan authorization gem, and their authorization specification (in a separate file) looks like:
subject(Payroll, company_id: params(:company_id)) do can [:read], with: Permissions::READ_PAYROLLS can [:create, :update, :destroy], with: Permissions::MANAGE_PAYROLLS end # Route annotation authorize :read, resource # raises 401 if you don’t have access to the resource
Getting Partial AWS Account IDs for any Cloudfront Website
Chime’s Arkadiy Tetelman describes how using a new Cloudfront API and a crypto trick.
If we want to find the partial AWS account ID for some domain, we can fetch the real public certificate for that domain, generate a random private key, and update the precomputed public key parameters on our private key to be the same as the public key on the certificate we want to impersonate. ACM has a bug in that it does not validate the private key truly corresponds to the public key - it only checks the precomputed values on the private key, which are under our control.
- VPCs by default use the Amazon-provided DNS which can be used to bypass some network-level protection mechanisms (e.g. NACLs or SGs) or monitoring (e.g. VPC Flow Logs)
- Recently a new service has been released: the Route 53 Resolver DNS Firewall which allows for blocking and monitoring DNS queries to Amazon DNS.
- GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
By AWS’ Louay Shaat: “This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources.”
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
Snyk’s Kamil Potrec provides a nice overview of how to harden default AWS EKS settings: authentication/authorization, restricting access to the Kubernetes API and the instance metadata service, and enabling logging.
Guide to Designing EKS Clusters for Better Security
Excellently detailed guide by StackRox’s Karen Bruner including: VPC layout, dedicated IAM role for cluster creation, managed vs self-managed node groups, controlling SSH access, EC2 Security Groups for nodes, and more.
Red Hat: State of Kubernetes Security Report 2021
A few of the things that stuck out to me:
- 94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months (Kubernetes, so easy to use! 😂).
- 88% of respondents use Kubernetes as their container orchestrator, with 74% in production.
- Six different open source security tools are used by at least 20% of respondents, with KubeLinter and OPA as the top two.
Ming Zhao: Inside the Ransomware Economy
Fascinating thread, highly recommend reading.
This crowdsourced payments tracker wants to solve the ransomware visibility problem
Krebs Stamos Group’s Jack Cable has built Ransomwhe.re, a site keeps a running tally of ransoms paid out to cybercriminals in Bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain and self-reported incidents. Filter by time, ransomware group, and more.
If Moscow wanted to stop Russia’s cybercriminals from hacking American targets, experts say, it would. That is why, some Russia experts argue, the United States needs take aim at Russia’s kleptocracy, either by leaking details of Mr. Putin’s financials or by freezing oligarchs’ bank accounts.
“The only language that Putin understands is power, and his power is his money,” said Garry Kasparov, the Russian chess grandmaster and a Putin critic. “It’s not about tanks; it’s about banks. The U.S. should wipe out oligarchs’ accounts, one by one, until the message is delivered.”
Insider leak on the current happenings inside Blizzard
StarCraft and Warcraft brought me countless of hours of joy (and swearing) with my friends growing up. Sounds like Blizzard has been having trouble.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!Cheers,