Hey there,
I hope youâve been doing well!
InfoSec đ Musicals
Itâs not often I get to do this, so Iâm going to savor it.
If youâve been reading tl;dr sec long, you know that Iâm one of the (at least!) five people in security who also love musicals.
Do I have tattoos of my favorite lyrics? Not yet, my mom doesnât approve of tattoos, and she reads this newsletter. One day.
But I loved Triciaâs parody of Dr. Horribleâs âOn the Riseâ duet, juxtaposing someone starting in security and then a year later.
See also tl;dr sec 86 for Rachel Tobacâs infosec sea shanty.
If you know of any other security + musical or song content, please let me know!
Exeunt stage right, jazz hands a-flourishinâ
Sponsor
đ˘ Integrating Faraday into the software development process.
Usually, software companies see security as an afterthought, which can be generally added when the product is completely operative. What if you could automate your security process. And be able to reach Time-To-Market securely instead of fixing live? No matter which technology you use.
Well, we are going to explain with simple steps how to integrate our Faraday Platform in your software development process. Whether you use Github, Jenkins, Travis or Gitlab.
Plus be the first one to experience our newest version releasing in a few days.
Download your white paper nowđ In this newsletter...
- AppSec: Awesome OPA
- Web Security:
sqlmapbut for server-side template injection and code injection, testing authentication flows - Cloud Security: Prevent SSRF in AWS via enforcing IMDSv2, how to secure an inherited AWS account, S3 backups and other strategies to survive ransomware attacks
- Container Security: Kubernetes hardening advice from NSA and CISA
- Blue Team: Account takeover checklist
- Red Team: TLS traffic inspection via dynamic instrumentation, what you can do with a stolen full disk encrypted laptop, tunneling/pivoting tool that uses TUN, statically linked SSH server with a reverse connection feature
- COVID-19: Tool to search for the latest info by geo, more info on the Delta variant
- Crypto: Study of vulnerabilities in cryptographic libraries
- Supply Chain: Find malicious dependencies with Falco, how Twilio addressed dependency confusion
- Machine Learning: Microsoft competition to test evasion of AI-based malware and phishing detectors, Twitter's algorithmic bias bounty
- Misc: Dubai is using laser-beam-shooting drones to shock rain out of the sky
AppSec
anderseknert/awesome-opa
A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles by Anders Eknert et al.
Web Security
epinna/tplmap
By Emilio Pinna: Like sqlmap but for Server-Side
Template Injection and Code Injection. Tplmap supports over 15 template engines
and contains a number of sandbox escape techniques to get access to the
underlying operating system.
DigeeX/raider
A framework designed to test authentication for web applications by DigeeX. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they donât provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication.
Raider treats authentication as a finite state machine. Each authentication step is a different state, with its own inputs and outputs, which can be cookies, headers, CSRF tokens, or other pieces of information. The testing can be arbitrarily flexible, using a Lisp like configuration language.
Cloud Security
salesforce/metabadger
By Salesforceâs Ashish Patel and Kinnaird McQuade: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
So You Inherited an AWS Account. A 30-day security guide for engineersâŚ
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
S3 backups and other strategies for ensuring data durability through ransomware attacks
By Scott Piper: âThis post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.â
Container Security
Kubernetes Hardening Guidance
By the NSA and CISA. Discusses Pod security, network separation and hardening,
authentication and authorization, log auditing, and more.
Blue Team
magoo/ato-checklist
A checklist of practices for organizations dealing with account takeover (ATO), by Ryan McGeehan (@Magoo).
Red Team
Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation
SySSâs Moritz Bechler describes hallucinate, a new tool that lets you easily intercept and modify clear-text TLS network traffic by instrumenting the target process (uses Frida or a custom agent for Java). Rather than having to deal with TLS at the network layer, hallucinate uses dynamic instrumentation to perform the traffic inspection or manipulation before data is encrypted and after it is decrypted.
From Stolen Laptop to Inside the Company Network
Dolos Group describes what they were able do with only a Lenovo laptop preconfigured with the standard security stack for a client organization, no additional info. In summary, they took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.
tnpitsecurity/ligolo-ng
By TNP IT Security: âAn advanced, yet
simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a
SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack
using Gvisor. This allows running tools like nmap without the use of proxychains
(simpler and faster).â
Fahrj/reverse-ssh
A statically-linked SSH server with a reverse connection feature for simple yet
powerful remote access. Useful during pen tests, CTFs, or similar.
COVID-19
Letâs beat this thing together! đŞ
Covid Act Now
Pull up a ton of stats on any city, county, state, or zip, and see the risk level, infection rate, vaccination rate, and a number of other interesting info.
C.D.C. Internal Report Calls Delta Variant as Contagious as Chickenpox
Current evidence suggests that vaccinated people who catch the Delta variant
(âbreakthrough infectionsâ) are much less likely to get seriously ill, but can
still spread it about as readily as the unvaccinated.
There are roughly 35,000 symptomatic infections per week among 162 million vaccinated Americans, according to data collected by the C.D.C. as of July 24.
Crypto
You Really Shouldnât Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
Interesting to see that the data backs up common wisdom: non memory safe languages should be replaced, and complexity can negatively impact security.
In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries.
Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases.
Supply Chain
Meet Package Hunter: A tool for detecting malicious code in your dependencies
GitLabâs Dennis Appelt describes their newly
released Package
Hunter tool,
which analyze a programâs dependencies for malicious code and other unexpected
behavior by installing the dependencies in a sandbox environment and monitoring
system calls executed during the installation using Falco.
Currently supports testing NodeJS modules and Ruby Gems.
Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion
Twilioâs Laxman Eppalagudem describes the steps they took:
- Introduced & enforced naming conventions for all internal packages published and consumed in Twilio
- Blocked proxying of external packages that collide in the specified naming convention
- Mandated all package installs come through internal package manager proxies
- Restrict deployed hosts from accessing the registry
- Delete all old packages that did not follow the introduced naming conventions
Machine Learning
Attack AI systems in Machine Learning Evasion Competition
Microsoft and partners are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. The competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.
Introducing Twitterâs first algorithmic bias bounty challenge
Occurring during DEF CONâs AI Village.
Misc
Dubai Is Using Laser-Beam-Shooting Drones to Shock Rain Out of the Sky
Sometimes I see an article and think, âThe future is now.â Maybe this could
helpful California with its now annual fire season.
âď¸ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them đ
Thanks for reading!
Cheers,Clint
@clintgibler