• tl;dr sec
  • Posts
  • [tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0, TruffleHog Chrome Extension

[tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0, TruffleHog Chrome Extension

Detailed breakdown of why authorization is hard, how we should approach vendor security going forward, a Chrome extension to find secrets.

Author

Clint Gibler
September 22, 2021

Hey there,

I hope you’ve been doing well!

Whisper Me Sweet Crypto Nothings

Shall I compare thee to a summer’s day? Thou art more lovely and more temperate. … So long as men can breathe, or eyes can see, So long lives this, and this gives life to thee.

Shakespeare may have set a high bar, but I don’t think we’ve collectively lost our ability to woo romantically.

The world has just changed a bit.

There are new forms of art and ways to express that you’ll be a loving partner and provider. Like:

Next Thursday, Sept 30, I’ll be joining StackHawk CSO Scott Gerlach to discuss What’s New with SAST + DAST. Hope to see you there!

This must mean I’ve #madeit, as my friend Daghan shared with me:

Sponsor

📢 Understanding Salesforce Flows and Common Security Risks: An AO Labs Whitepaper

Salesforce’s Flow Builder is built on the Lightning Platform and allows end-to-end process automation by leveraging reusable components known as Flow Actions. This whitepaper discusses the security nuances unique to Salesforce Flow development, as well as permission management pitfalls and how to combat them. AO Labs is the research arm of AppOmni and produces in-depth research and content written by security researchers and engineers. To see more AO Labs content visit: appomni.com/aolabs.

📜 In this newsletter...

  • AppSec: TruffleHog the Chrome extension, BSidesSF CFP is open

  • Mobile Security: Android automatically removes permissions from unused apps

  • Web Security: Web security roadmap, add payload position support to Turbo Intruder, React security slides

  • Cloud Security: Use GitHub Actions without long lived AWS creds, OMIGOD Azure bugs, permissions reference for AWS IAM

  • Machine Learning: Applying OpenAI in cyber tooling, GitHub Copilot generated insecure code 40% of the time

  • Container Security: Anonymous and ephemeral Docker image registry, critical review of NSA's k8s guidance

  • It's Time for Vendor Security 2.0: Vendor Security Questionnaires are ineffective, what to do instead

  • Red Team: Reverse engineering and binary exploitation challenges

  • Politics / Privacy: America should fight back against ransomware, Facebook plans to use News Feed for its own PR, five-part WSJ Facebook investigation, how US police use Google to track you

  • Misc: Remember Norm Macdonald, time travel debugging web apps

  • Why Authorization is Hard: Real world challenges, trade-offs, and different approaches in building authorization

AppSec

TruffleHog The Chrome Extension
Truffle Security’s Dylan Ayrey has released a Chrome extension for finding secrets that have made their way into JavaScript, as well as exposed .git and .env files. This happens more often then you’d think. See Dylan’s Hacktivity talk for more details.

BSidesSF CFP Open until October 11
BSidesSF is one of my favorite cons- great talks and excellent hallwaycon. Highly recommend!

Mobile Security

Google will extend Permission Auto-Reset feature to older Android versions
Apparently Android has a Permission Auto-Reset feature that automatically removes user permissions from apps that haven’t been opened and used for a few months. Neat!

Web Security

Web Security Roadmap
Detailed guide by HolyBugx on how to become a web security researcher, broken down by levels, topics, and resources.

defparam/haptyc
A Python library which was built to add payload position support and Sniper/Clusterbomb/Batteringram/Pitchfork attack types into Turbo Intruder, by Evan Custodio.

Better Security Through Code Hygiene
React security slides by Philippe De Ryck, including using DOMPurify to sanitize user input if you have to use dangerouslySetInnerHTML, and using Semgrep to flag insecure code. H/T Rami for the link. Big +1 on Philippe’s conclusions:

• Developers should focus on development, not on fine-grained security rules

• Encapsulate dangerous features in secure components

• Use code analysis techniques to flag direct use of dangerous features

Cloud Security

AWS federation comes to GitHub Actions
By Aidan Steele: GitHub Actions has new functionality that can vend OpenID Connect credentials to jobs running on the platform. Meaning: CI/CD jobs no longer need any long-term secrets to be stored in GitHub! PoC:

“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution
Great research by Wiz: Microsoft Azure silently install management agents on your Linux VMs, which now have RCE and local privilege escalation vulnerabilities. Mostly requires manual updates. Great play-by-play thread from Kevin Beaumont, and to quote Ami Luttwak:

The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021?

If you want to play around with it, there’s this BugHuntr.io lab, this nuclei template, this Python PoC, or watch IppSec’s video.permissions.cloud: Permissions Reference for AWS IAMSuper cool work by Ian Mckay: the IAM dataset maps SDK calls to IAM actions, which are then displayed nicely on this site. Also, iamfast-js and related repos aim to generate IAM policies based on analyzing your source code. Baller.

Machine Learning

Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling
Eugene Lim discusses his experiments with using OpenAI not just for human-based attacks like phishing and misinformation, specifically: reverse engineering assembly, analyzing Metasploit payloads, code reviews (e.g finding XSS), etc.

GitHub Copilot Generated Insecure Code In 40% Of Circumstances During Experiment
Out of 1,692 programs generated in 89 different code-completion scenarios.

Container Security

ttl.sh
An anonymous & ephemeral (and free) Docker image registry, by Replicated.

NSA & CISA Kubernetes Security Guidance – A Critical Review
NCC Group’s Iain Smart provides on feedback on what he views the NSA and CISA guidance doc outlined well, as well as some parts he views as misleading or incorrect.

Strong agree from me on this useful and snarky article by Daniel Miessler. Vendor Security Questionnaires seem ineffective at determining security posture and business needs often trump security recommendations.

Understanding a vendor’s risk to your business if compromised and working to limit it - this is the way.

A few people had comments I liked on Twitter.

SOC2 exerts the same forcing pressure to organize security; of course, SOC2 is just the Boss Fight version of a dumb security questionnaire.

tl;dr: assume breach of every thing across a trust boundary and that includes vendors whether you give them money or not.

Start with identifying data sent and/or held by that vendor and how much ability you have to reduce data risk while preserving value of using that vendor.

Identify security maturity of vendor relative to sensitivity and volume of data sent/stored with them.

Measure that downside of data at risk against the upside value of using that vendor. If upside > downside, continue using them. If downside > upside, don’t use that vendor.

Most of vendor security IMHO is matching data at risk to security maturity of the vendor.

Red Team

Deus X64: A Pwning Campaign
A series of increasingly difficult computer security challenges pertaining to reverse-engineering and binary exploitation, by RET2 Systems.

Politics / Privacy

Opinion | America Is Being Held for Ransom. It Needs to Fight Back.
Crowdstrike co-founder Dmitri Alperovitch argues that sanctions and defense alone will not be sufficient against ransomware, as it’s unrealistic to expect that every American hospital, school, fire department and small business to defend itself against highly sophisticated criminals. Instead, like with ISIS, the U.S. should pursue an aggressive campaign targeting the foundation of ransomware criminals’ operations: their personnel, infrastructure and money.

Inside Facebook’s Push to Defend Its Image
Facebook has kicked off a new internal project to use the News Feed, its most important digital real estate, to promote articles about how Facebook is about political polarization making you sad invading your privacy promoting vaccine skepticism bringing us all closer together ❤️. Cutting off external parties from analyzing engagement data? Don’t worry about it 🤫 

The Facebook Files
Oh boy, what a drop by the WSJ, a five-part investigation covering:

  1. Facebook has a secret VIP list for whom standard policy enforcements do not apply.

  2. An internal investigation found Instagram usage increased anxiety and depression, especially in teenage girls. more

  3. Facebook’s algorithm changes increased engagement, but made users angrier. The Zuck resisted proposed fixes because he was worried they would lead people to interact with Facebook less.

  4. Facebook employees flag drug cartels and human traffickers leveraging the platform, but the company’s response is often inadequate or nothing at all.

  5. Company documents show antivaccine activists undermined Zuckerberg’s ambition to support the rollout by flooding the site and using Facebook’s own tools to sow doubt about the Covid-19 vaccine.

The new warrant: how US police mine Google for your location and search history
Article from The Guardian on geofence and keyword warrants. The fundamental challenge is that companies that depend on ad revenue slurp up user data for targeting purposes, but then they have a rich set of data that police can subpoena.

Misc

From Norm Macdonald’s memori: Based on a True Story
Right in the feels. Also, here’s Norm on SNL’s Celebrity Jeopardy.

It can be difficult to define yourself by something that happened so long ago and is gone forever. It’s like a fellow at the end of the bar telling no one in particular about the silver medal he won in high school track, the one he still wears around his neck.

The only thing an old man can tell a young man is that it goes fast, real fast, and if you’re not careful it’s too late. Of course, the young man will never understand this truth.

The Time Travel Debugger for Web Development
Replay.io is building a new tool that enables you to record web app execution flow and go backwards and forwards. Sounds awesome for tracking down tricky bugs. Time travel debugging is one of the coolest concepts I wished I saw more of. Python, Java, and Ruby support coming.

As a security consultant at NCC Group, I saw how a number of companies implemented authorization in their monolith or across their fleet of microservices.

Nearly universally, they had made some decisions early that ended up making things painful several years later.

This detailed post by Oso’s Sam Scott may be one of the best I’ve read on covering the real world challenges, trade-offs, and different approaches in building authorization in real companies.

The post also links to blog posts other companies have written about their authorization approach: Carta, Slack, Airbnb, Intuit.

Oso has also put together an even more lengthy write-up in their Authorization Academy. Nice!

Finally, check out the HN thread on this post for various people weighing in, and posts by a number of other authorization-focused start-ups, including Authzed (YC W21), Cerbos, Aserto, and Warrant (YC S21). Open source libraries referenced: Casbin, and ory/keto, an implementation of Google’s Zanzibar.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint