I hope you’ve been doing well!
There are some longer sections at the bottom of this one, but some really good stuff I couldn’t leave out.
I don’t know about you, but I’ve been writing some YAML lately.
I hope this meme by Justin Yoo also cheers you up.
📢 Podcast: The Value of Agility and Education for Scaling Security
In a recent episode of the Detection at Scale podcast, Panther Labs CEO and Founder Jack Naglieri sat down with Matt Jezorek, VP of Security and Abuse at Dropbox, to discuss Matt’s perspective on the decisions security teams have to make that ultimately control how fast they can detect threats.
I actually joined Jack on the Detection at Scale podcast this week, look for our episode in a bit!
📜 In this newsletter...
- Conferences: Cybersecurity conferences in 2022, Global AppSec US 2021 videos
- AppSec: Free book on SSH tunneling, securing GitHub organizations
- Secrets: GitHub leaked secret search engine, secrets stored in environment variables, secret scanning tool by Salesforce
- CI/CD and Supply Chain: OpenSSF Scorecards v4, 10 real-world stories on compromising CI/CD pipelines, linting and securing GitHub Actions
- Cloud Security: SSH bastion host best practices, 2 serious vulnerabilities in AWS, free labs to learn cloud pen testing
- Fuzzing: Fuzzing LoRaWAN protocol stacks
- Red Team: Payload creation framework for fileless VBA scripts
- Privacy: Disable 2G option on new Android phones
- OSINT: 5 hour OSINT course, service to remove objects from images, lessons learned from 10 years building an open source OSINT tool
- Misc: Internet meme search engine, browser extension to inject SciHub links, create an RPG game for free without coding
- New Chrome security measure aims to curtail an entire class of Web attack: Protecting against CSRF and DNS rebinding
- Secrets of Successful Security Programs: A masterclass in building a scalable, modern security program
Conferences
Global AppSec US 2021 Virtual
YouTube playlist of the talk recordings, covering AppSec, threat modeling, cloud security, supply chain, and much more.
AppSec
Securing GitHub organizations
LaunchDarkly’s Alex Smolen presents his step-by-step process for securing your GitHub organization. See also the OpenSSF’s AllStar GitHub App for continuous enforcement of security best practices.
Secrets
Introducing PinataHub: Explore the world of leaked secrets in GitHub
PinataHub is a new search engine for secrets leaked on GitHub. The post includes some interesting ideas on high-signal secrets detection using Algorithmically Generated Domain (AGD) detection techniques.
Awesome List Of Secrets In Environment Variables
A list of secrets, passwords, API keys, and tokens commonly stored in system environment variables, by Maciej Pulikowski. Useful if you have RCE or some exploit that lets you read a vulnerable app’s environment.
CI/CD and Supply Chain
Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
The OpenSSF announces that their Scorecards project now includes new security checks and a GitHub Action you can run to easily flag potentially risky supply-chain practices. Release notes.
10 real-world stories of how we’ve compromised CI/CD pipelines
Great write-up with tons of interesting examples, including several scenarios with RCE-as-a-Service, Jenkins, GitLab, Kubernetes, and what a pen tester can do with a dev’s laptop. By NCC Group’s Aaron Natesan and Jennifer.
Linting your GitHub Actions
CipherStash’s Matt Palmer describes action-validator, a new tool that lints GitHub Action and Workflow YAML files. It ensures they are well-formed by checking them against the published JSON schemas, and it makes sure that any globs used in paths-ignore match at least one file in the repo.
For linting your GitHub Action YAMLs for security issues, see this post and open source Semgrep rules here.
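One security lint of the kind those Semgrep rules perform, as an added example (not action-validator’s code, nor the rules linked above): it flags `${{ }}` expressions that GitHub documents as attacker-controllable (issue/PR titles and bodies, comment bodies, `github.head_ref`, commit messages) when they are expanded directly inside a `run:` script, and accepts the `env:` pattern that passes the value through as a variable instead. The workflow text and function name are constructed for this example.

```python
import re

# Constructed workflow fragment for the example (not from any real repo).
WORKFLOW = """\
name: triage
on: [issues, pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (unsafe)
        run: echo "Issue: ${{ github.event.issue.title }}"
      - name: Echo title (safe)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "Issue: $TITLE"
      - name: Branch name (unsafe)
        run: |
          git checkout ${{ github.head_ref }}
"""

# Expression roots that can carry user-supplied text.  Deliberately coarse
# (matches any field under these objects) so the lint errs on the side of noise.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:issue|pull_request|comment|review|"
    r"discussion|head_commit|commits)[^}]*|head_ref)\s*\}\}")

def find_script_injections(text):
    """Return (line_no, expression) for untrusted expressions inside run: steps.

    Expressions are pasted into the script *source* before the shell runs, so a
    crafted title can break out of the quotes; the same value in env: reaches the
    shell only as data.
    """
    findings = []
    in_run, run_indent = False, 0
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:                      # blank lines never end a block scalar
            continue
        indent = len(line) - len(stripped)
        if in_run and indent <= run_indent:   # dedented: run: block is over
            in_run = False
        m = re.match(r"(-\s+)?run:", stripped)
        if m:
            in_run = True
            run_indent = indent + len(m.group(1) or "")   # indent of the key itself
        if in_run:
            findings.extend((n, hit.group(0)) for hit in UNTRUSTED.finditer(line))
    return findings

if __name__ == "__main__":
    for n, expr in find_script_injections(WORKFLOW):
        print(f"line {n}: untrusted expression {expr} expanded inside run:")
```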
Cloud Security
SSH Bastion host best practices: How to Build and Deploy a Security-Hardened SSH Bastion Host
Teleport’s Sakshyam Shah provides a nice overview. Build a server with minimal packages installed, limit the services actively running, lock down OS network capabilities, limit user accounts and restrict account capabilities (e.g. SELinux), implement access logging, harden OpenSSH, and more.
2 Critical Cloud Vulnerabilities to Convince You to Move to the Cloud
The Orca Security Research Team discusses multiple critical zero-day vulnerabilities discovered in AWS Glue and CloudFormation. “These vulnerabilities could’ve allowed unauthorized access to customer data and/or sensitive code and data within the public cloud.” However, there’s been some discussion that Orca’s impact claims are a bit overblown, see this Scott Piper thread for more context.
- Scott Piper: flaws.cloud and flaws2.cloud
- OWASP Serverless Goat
- Mike McCambridge: AWS S3 CTF Challenges
- Francis Alexander: AWS Vulnerable Lambda
- James Wickett: lambhack, a vulnerable AWS Lambda
- Bishop Fox: iam-vulnerable, a vulnerable by design AWS IAM privilege escalation playground
- Rhino Security Labs: cloudgoat, a vulnerable by design AWS deployment tool
- Appsecco: A step-by-step walkthrough of CloudGoat 2.0 scenarios
- dvca a Damn Vulnerable Cloud Application
- OWASP Damn Vulnerable Serverless Application
- NCC Group: sadcloud, a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
- Appsecco: Breaking and Pwning Apps and Servers on AWS and Azure free courseware and labs
Fuzzing
LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk
LoRaWAN is a low-power, wide area networking protocol often used for things like smart city security, environmental monitoring, industrial safety, and more. Trend Micro’s Sébastien Dudek discusses how to hunt for bugs in different LoRaWAN stacks, for example by fuzzing with AFL++. He explains how Qiling (based on the Unicorn Engine) can be used in fuzzing and debugging exotic architectures, and how Ghidra’s PCode emulation can be used when the architectures targeted are not supported by Unicorn or Qiling.
Red Team
By Optiv’s Matt Eidelberg: A payload creation framework for the stealthy execution of arbitrary VBA (macro) source code directly in memory without dropping macro documents to disk, making it harder for EDR to detect it.
Privacy
VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones
The EFF describes a new feature in Android phones that lets you disable 2G at the modem level. 2G is a legacy, insecure protocol that some stingray interception devices exploit via downgrade attacks. Disable it via: Settings > Network & Internet > SIMs > Allow 2G, and turn that setting off.
📢 Slash Cloud Cyber Risk with Security-as-Code
Existing cybersecurity architectures break down in the public cloud. Why? Because cloud applications are being self-serviced by developers. John Steven, Concourse Labs CTO and co-author of the BSIMM study, explains how Security-as-Code enables developers to self-service the security of their infrastructure-as-code.
OSINT
Open-Source Intelligence (OSINT) in 5 Hours - Full Course
Free course by Heath Adams (@thecybermentor) covering a wide variety of topics, including reverse image searching, viewing EXIF data, discovering email addresses, hunting breached passwords, OSINT on platforms like Twitter, Facebook, Instagram, Reddit, LinkedIn, and much more.
Lessons learned from my 10 year open source project
Steve Micallef shares 10 lessons from developing his widely popular SpiderFoot OSINT tool for over a decade.
Misc
A browser extension that adds SciHub links to popular publisher websites, to make accessing science even easier, by Rick Wierenga. Seems like it’s been taken down, perhaps because it became too popular. Rick’s thread about it.
Make an RPG game without coding for free. tl;dr sec sends its apologies to your employer and spouse (hopefully separate parties) for your future lower productivity and attentiveness.
New Chrome security measure aims to curtail an entire class of Web attack
Starting in Chrome 98, website requests to internal network resources (e.g. 192.168.1.1) will trigger a CORS preflight request (Access-Control-Request-Private-Network). This will be a massive step forward in eliminating classes of vulnerabilities like CSRF and DNS rebinding. Google blog
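What that preflight looks like from the internal device’s side, as an added example (not from the Google blog or this newsletter): Chrome adds Access-Control-Request-Private-Network: true to the OPTIONS request, and the real request is only sent if the reply carries Access-Control-Allow-Private-Network: true. The function name and the origin allowlist are assumptions constructed for the example.

```python
# Added example: server-side handling of Chrome 98's Private Network Access
# (PNA) preflight.  ALLOWED_ORIGINS and handle_preflight are constructed names.
ALLOWED_ORIGINS = {"https://admin.example.com"}  # constructed allowlist of the
                                                 # only sites allowed in

def handle_preflight(req_headers):
    """Decide the reply to a CORS preflight (OPTIONS) from a public web page.

    Returns a dict with the status code and the response headers.  Header
    names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin", "")
    wants_pna = h.get("access-control-request-private-network", "").lower() == "true"
    if origin not in ALLOWED_ORIGINS:
        # Default deny: with no Allow-* headers the browser never sends the
        # real request.  A device that has never heard of PNA answers the same
        # way, which is why the browser-side check alone already breaks
        # CSRF and DNS-rebinding attempts against internal services.
        return {"status": 403}
    resp = {
        "status": 204,
        "Access-Control-Allow-Origin": origin,   # echo only allowlisted origins
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",
    }
    if wants_pna:
        # Explicit opt-in: the public page may talk to this private address.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return resp
```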
Searching for vulnerabilities manually or with automated tools has value, and so does secure code training, but in my (and many people’s) opinion, secure defaults that prevent those classes of vulnerabilities from occurring in the first place are higher leverage.
And building protections into the platform (e.g. web browsers) can be even higher leverage, as that secures everything on the platform (there are only a handful of browsers vs billions of websites).
What security wins can you build into the platforms you control?
Secrets of Successful Security Programs
This post by Google Cloud CISO Phil Venables is probably one of the most useful and value-dense posts on lessons learned, best practices, and how to build a modern security program I’ve ever seen.
Here’s my attempt at not quoting the entire post:
A successful security program is made up of two distinct elements:
- A series of episodic big bets that yield transformational improvements.
- A set of management practices and approaches applied relentlessly, iteratively and subject to constant incremental improvement.
If you just do the first then the success that those improvements bring tapers off or is just a patchwork of bright spots amid a backdrop of issues and instability. If you just do the second then you are condemned to operate in reactive catch-up mode in the face of events.
Aim for projects that:
- Mitigate whole classes of attacks. Not just picking off new tactics but dealing with whole sets of attack techniques.
- Eliminate sets of pain. Look for significant areas of pervasive toil for customers, end users or developers/engineers.
Security is an Endless Program not a Project
Secure Products not [just] Security Products
While developer education on security is important, even more important is reducing the extent of knowledge required by encapsulating security capabilities in highly assured tooling that all can use. This is an ongoing investment, not just in the tool variety, capability and assurance level but also in continued integration with other frameworks so that the secure path is always the easiest path. Every time application security or other teams find a vulnerability, think: what can we do to reduce the potential for further instances of the vulnerability through the provision of good tooling?
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,