Hey there,
I hope you’ve been doing well!
An Auspicious Visit
I’ve been quite cautious the past year and change, with most of my outside the house activities being taking walks or going on hikes, going to the grocery store, and staring pensively out the window, like a cat.
But last weekend my brother visited from Utah with his wives partner, and it
was awesome catching up.
I hope you and yours are doing well, and here’s to an eventual back to normal ✊
Sponsor
📢 Scan Google Workspace for exposed files in <5 minutes
Concerned about your company's file security?
One-click security scans for Google Workspace, now available on Vectrix.io. In just a few minutes, detect exposed files, insecure settings, user access issues, and more.
With Vectrix, security and IT teams get instant visibility into business-critical apps, including Google Workspace, O365 (coming soon), Slack, Zoom, GitHub, and more.
Get started for free, no credit card required!
Get started scanning📜 In this newsletter...
- Conferences: DEF CON 2021 videos, Pwnie awards, Black Hat and DEF CON roundup
- AppSec: End-to-end encryption through Kafka, securing XML implementations, Slack's static analysis program
- Cloud Security: GCP Goat, orienting yourself in a new cloud, new AWS org checklist, building an AWS perimeter
- Container Security: Threat hunting with Kubernetes audit logs, Kubernetes IDE
- Blue Team: Protect domains that do not send email
- Red Team: Kernel pwning with eBPF
- Reverse Engineering: Reverse engineering for beginners, collection of RE workshops, Android app reversing 101
- Politics / Privacy: Community to promote privacy-preserving AI tech, iOS will start scanning photos on your phone, Pentagon using AI to "see days in advance"
- Misc: Talking to an AI version of a lost loved one, global warming's impact on big tech company campuses, open source alternative tools, the impact of explosive satellite grow
- Twitter: Tracking down a stolen scooter with Airtags
Conferences
DEF CON 29 Videos
2021 videos are posted.
All of the 2021 Pwnie Awards
In this Twitter thread by Dhiraj Mishra.
Top Hacks from Black Hat and DEF CON 2021
The Daily Swig’s John Leyden nicely references a number of presentations, including attacking Let’s Encrypt, FragAttacks, request smuggling with HTTP/2, moar Microsoft Exchange bugs by Orange Tsai, hacking humans using AI as a service, hacking rooms in a capsule hotel, e-books that compromise your Kindle, and more.
AppSec
End-to-End Encryption through Kafka
Ockam’s Mrinal Wadhwa describes how two programs can send end-to-end encrypted messages over the network, via a cloud service, through Kafka. The programs will mutually authenticate each other and have a cryptographic guarantee that the integrity, authenticity, and confidentiality of their messages is protected end-to-end. Ockam seems neat: Apache 2 Rust and Elixir libraries to make E2EE easier. More open source secure primitives ftw 👍
Securing XML implementations across the web
Mattermost’s Juho Nurminen found XML round-trip
parsing errors in four popular XML parsing libraries (in Ruby, NPM, Java, and .NET), and was able to confirm
authentication bypasses in major SAML implementations and web applications for
two of them. Juho doesn’t hold back:
Don’t get distracted by something like Golden SAML, when SAML itself is the problem. It’s a relic from an age when enterprise software meant XML and software that wasn’t built on top of XML was ridiculed and shunned.
SAML is inherently fragile, exceedingly complex, and nearly impossible to implement correctly. There are plenty of well-documented SAML vulnerability types predating my research yet still prevalent today: XEE, XML Signature Wrapping, Duo’s text node splitting attack etc.
Free as in Beer: Creating a Low-Cost Static Analysis Program
Slack’s Erin Browning and Tim
Faraci have built out static analysis
programs at multiple companies, using commercial and open source tools. In this
DEF CON AppSec Village talk
(slides), they discuss
why at Slack they’re building their program around Semgrep.
I’ve written several Semgrep rules, and it takes me longer to write the developer guidance than the actual rule.
We’re finding similar true positive numbers running our open source Semgrep rules as I am comparing it to commercial offerings.
How easy is it to add a new language to Semgrep? Well, an intern can do it! Actually two interns who almost done with their CS degrees. (Slack interns David Frankel and Nicholas Lin have been adding Hacklang support this summer.)
Cloud Security
GCP Goat
An intentionally vulnerable GCP environment to learn and practice GCP security, by Joshua Jebaraj.
Cloud Security Orienteering
Excellent DEF CON Cloud Village talk by Cedar’s Rami
McCarthy on how to rapidly find the
information necessary to familiarize yourself with a new cloud environment, dig
in to identify the risks that matter, and put together remediation plans that
address short, medium, and long term goals.
AWS Organizations - Checklist for 2021
Chris Farris provides a great checklist of what
you should do when setting up a new AWS Organization from scratch.
Building an AWS Perimeter
Whitepaper by AWS covering perimeter objectives, identity, resource, and network
boundaries, preventing access to internal credentials, and cross-region
requests.
Container Security
Threat Hunting with Kubernetes Audit Logs
Square’s Ramesh Ramani walks through the basics of Kubernetes audit logs and how one can use these audit logs effectively to hunt for attackers in Kubernetes clusters. Ramesh covers specific log fields to focus on and why.
nevalla/lens-resource-map-extension
An extension for Lens - The Kubernetes IDE that displays Kubernetes resources and their relations as a real-time force-directed graph, by Lauri Nevala.
Blue Team
Protect domains that do not send email
Make sure that domains that do not send email cannot be used for spoofing, using SPF and DMARC.
Red Team
Kernel Pwning with eBPF: a Love Story
Grapl’s Valentina Palmiotti covers eBPF
basics & verifier internals, exploiting CVE-2021-3490 for local privilege
escalation, debugging eBPF bytecode, exploitation techniques for DoS, info leak,
and LPE, and weaknesses still in eBPF. Super detailed write-up 🤘.
Reverse Engineering
Reverse Engineering for Beginners
New free workshop by Guardicore’s Ophir
Harpaz covering an
x86 overview, a short intro to IDA, and a number of exercises with hints.
Reverse Engineering Workshops by Malware Unicorn
Malware Unicorn’s workshops include
reverse engineering 101 and 102, PE injection, macOS Dylib Injection,
anti-analysis techniques, and more.
Android App Reverse Engineering 101
Maddie Stone’s workshop focuses on static
analysis, covering DEX bytecode, native libraries, obfuscation, and more.
Politics / Privacy
OpenMined is an open-source community whose goal is to make the world more privacy-preserving by lowering the barrier-to-entry to private AI technologies.
With OpenMined, people and organizations can host private datasets, allowing data scientists to train or query on data they “cannot see”. The data owners retain complete control: data is never copied, moved, or shared.
Apple confirms it will begin scanning iCloud Photos for child abuse images
iOS will start scanning pictures on your device to look for known bad images. It tries to do this in a privacy preserving-ish way, but some security professionals view this as a step in the direction of giving law enforcement backdoors. More: Wired, Stratechery, must read Alex Stamos thread.
The Pentagon Is Experimenting With Using Artificial Intelligence To “See Days In Advance”
Basically they’re feeding ML/AI real-time data gathered by a network of sensors around the globe, including “commercially available information.” The AI can detect changes, and will trigger additional intelligence gathering to take a closer look at what might be ongoing in a location. Well on our way to Westworld Season 3.
Misc
The Jessica Simulation: Love and loss in the age of A.I.
By Jason Fagone. Your partner passes away before
their time. You upload their text messages, email, and other communications to
Project December, which is powered by GPT-3. Soon, you’re talking to “them”
again. Wow, this was quite a read.
Rising Seas Are Coming For Big Tech Campuses. Who Will Pay To Protect Them?
Some pretty neat visualizations by NPR. Basically, a number of Bay Area
communities around Google, Facebook, and others are likely going to get flooded
due to global warming. Mitigations will be expensive, but who will pay for it?
Open Source Alternatives
A curated list of 200+ open source alternatives to tools that businesses require in day-to-day operations.
How the explosive growth in satellites could impact life on Earth
Satellites can be used for a variety of purposes, including: counting the number
of cars in retail parking lots (like Walmart, Home Depot, etc.), monitoring
activity at metal processing and storage facilities to predict metal prices and
related trends, analyzing car numbers at certain hospitals to predict future
pandemics, identifying and preventing illegal deforestation, assessing disasters
like floods and oil leaks, provide Internet to the world, and more.
Downsides: potential surveillance abuse, space debris falling to Earth, potential interference with astronomers and current weather prediction services.
Man, what a story.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,Clint
@clintgibler