[tl;dr sec] #109 - Breaking Stateless Authentication, Secrets, Unicode Chicanery

Hey there,

I hope you’ve been doing well!

Password Advice

As you know, secrets and passwords are critical for security.

You’ll see some great work in that space further down this issue.

But I wanted to start straight out of the gate with some helpful advice from this TikTok:

r2c and Semgrep Updates

A bit ago my colleagues wrote about our Fall Updates.

tl;dr: Semgrep’s taint mode has been improved, Terraform support has been added, and the new mode --config=auto automatically, dynamically selects relevant Semgrep Registry rules for you based on your project’s language and frameworks.

But most of all, I wanted to share with you this line by my bud Bence Nagy, which is probably one of my favorite sentences I’ve read in awhile 🤣

AppSec

OWASP Global AppSec Virtual 2020
YouTube playlist with talks on AppSec, web security, threat modeling, IoT, machine learning, cloud and container security, and more.

A Beginner’s Guide to Understanding Game Hacking Techniques
Free ~500 page PDF covering the basics, debugging and reversing, RTS and FPS hacks, multiplayer, tool development, and more, by Game Hacking Academy.

Secrets

Secrets exposed in Docker images: Hunting for secrets in Docker Hub
GitGuardians’s Henri Hubert describes scanning 2,000 public Docker containers and finding secrets in ~7% of them. The post has some useful tips in how secrets can make their way into Docker containers, and how to search them: use the Docker manifest file to focus on layers where either files are manually added or copied, or environment variables are modified.

H/T Daniel Bilar for the heads-up on this related talk:

Driftwood: Know if Private Keys are Sensitive
Excellent work by Truffle Security’s Dylan Ayrey in determining the impact and blast radius of leaked secrets. Basically, they found 50,000 secret keys using TruffleHog, then compiled a database of billions of TLS (from certificate transparency) and SSH (from GitHub, which lets you authenticate via SSH) public keys.

By comparing these, you find a bunch of TLS certs you can now transparently intercept, and GitHub repos you can push to.

Interestingly, a number of the keys were found in repos totally unrelated to the impacted user, and in some cases were in directories marked as “test” or “tutorial.” They’ve open sourced driftwood, a tool that lets you look up if a private key is used for things like TLS or as a GitHub SSH key for a user.

Unicode Chicanery

Dropbox’s April King’s Semgrep rule for the Trojan Source bug
It flags bidirectional characters in source code. See the rule on GitHub here, play with it in your browser here. Run it on your source code via CLI:

$ semgrep --config "p/supply-chain"

The Invisible JavaScript Backdoor
Certitude Consulting’s Wolfgang Ettlinger points out other Unicode subtleties, including an invisible Unicode character that can be interpreted as an identifier/variable in JavaScript, and mentions a potential homoglyph attack involving Unicode characters that look like various operators (e.g. “／”, “−”, etc.).

Web Security

niespodd/browser-fingerprinting
By Dariusz Niespodziany: This is probably one of the most detailed breakdowns I’ve seen about evading bot detection and scraping the web without getting blocked.

Introducing CookieMonster: a tool for breaking stateless authentication
Very cool work by Ian Carroll. CookieMonster is a high performance tool for detecting misconfigured session implementations in web apps. It can rapidly find misconfigured secret keys in applications using Laravel, Flask, Django, JWTs, and more.

Viralmaniar/Passhunt
By Viral Maniar: Search default credentials for network devices, web applications and more. 523 vendors and their 2084 default passwords.

Cloud Security

pistazie/cdk-dia
By Tom Roshko: Automatically generate diagrams for your AWS CDK provisioned infrastructure. Uses Graphviz.

tenchi-security/camp
A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.

ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.

Continuous Compliance

Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
ByteChek’s AJ Yawn provides a detailed list of controls and its associated SOC 2 criteria, AWS Config Rule, and AWS Security Hub CIS Benchmark.

Continuous compliance on AWS
8th Light’s Connor Mendenhall provides a nice overview. I like how Connor compares how many orgs treat compliance audits to the old, bad ways of building software: a focus on point in time testing when the stakes are high (quarterly audits, the “big launch”), viewing software systems and compliance requirements as static, even though both may have changed by the end of the process, etc.

Container Security

A Kubeconfig Canarytoken
Thinkst Canary has released a new Kubeconfig Token, which emulates a kubeconfig file, the configuration text file that ordinarily contains credentials to interact with a Kubernetes cluster. If an attacker uses it, you get an alert.

Kubernetes API Access Security Hardening
Teleport’s Sakshyam Shah provides quite a detailed list of things to consider, including securing access to the Kubernetes control plane (API server), Kubelet, and additional security considerations for API access control.

Politics

How the Super Rich Changed a City, For Better or Worse
With many small times having budget difficulties, some are being funded by wealthy philanthropists, who then gain (implicit) significant say over public policy. “One dollar one vote,” as the saying goes 😆

Misc

The Cognitive Bias Codex
A neat visual diagram on 188 biases, grouped by category (what should we remember, too much info, not enough meaning, and need to act fast), linked to their Wikipedia pages.

Humor

Things to say when you are losing a tech argument
70 ideas, including:

• That won’t scale.

• That’s been proven to be O(N^2) and we need a solution that’s O(NlogN).

• There are, of course, various export limitations on that technology.

• I don’t think that’s altogether clear. Please write it up in UML for me.

• I don’t think you’re considering the performance trade-offs.

• What kind of benchmarks have you been running?

Corey Quinn: name a company and I’ll assign them a more appropriate motto
A fun thread. A few of my favorites:

• Palo Alto: “We named our company after the most expensive city in the US because we don’t do subtle.”

• Costco: When your snack cupboard has its own loading dock.

• Electronic Arts: “AWS Billing for Games”

• Tesla: “Theranos for Cars”

• Tupperware: “Docker for Vegetables.”

• Palantir: “Facebook for Governments”

• Coinbase: “First Bank of Libertarianism.”

• Huawei: “A publicly traded NSA”

• Salesforce: “Naming rights to a bus station couldn’t be wrong!”

• Datadog: “Tinder for Pets”

• Wizards of the Coast: “You’re Pretending It Wrong”

• Rust Foundation: “A vi vs. emacs holy war now accepts donations.”

• Y Combinator: “A training program for lottery winners.”

• Alibaba: “Uber for manufacturing designs you don’t own”

• Enron: “The parts of bitcoin cryptobros don’t want to talk about”

• Taco Bell: “Low latency egress”

• Activision Blizzard: “We love everyone except our customers, our employees, and women.”

Aphorism

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint