Hey there,
I hope you’ve been doing well!
WiFi Passwords and… Romance?
A good movie poster or trailer inspires more questions than it answers. And man is that true here.
Like, did he change his network name to “HeyCutie” as a way to flirt?
Is she an international cyber criminal who cracked his WiFi password (because he was using WEP like a noob) to access her C2 servers through his home network to deflect attribution? And he’s a lonely sys admin, locking down his network on a Friday night, only to discover this unexpected traffic, leading him to find The One to fill the pi-hole in his heart?
Did she shine a laser through his window and use the vibrations as a side
channel to recover his GitHub creds and SSH password so she could push a cryptominer to his
widely popular NPM package? But he’s actually a former CIA agent and
has the OPSEC to understand this is happening, so he starts typing her romantic
poems in the git commit messages on his private dotfiles repo that he knows
she can see read, until they fall in love?
SO MANY QUESTIONS.
Also, Netflix employees, if you like these premises and know someone that needs some screen writing assistance, hit me up, you know where to find me.
No, not curled up under my desk in a fetal position (though true), I mean you can reply to this email.
Sponsor
📢 Build internal tools faster without risking security
Internal tools—like the custom security tools you use at work—help you work faster. And they touch your most important data and systems, so they need to be secure. Retool makes building secure internal tools remarkably fast—you create any UI you want via drag and drop, and then securely connect it to any data source. Access controls and audit logs are built in, so you can focus on what matters.
Get started for freeđź“ś In this newsletter...
- Mac: Four 0days and UXSS in Safari write-up
- Career: 5 questions to ask your prospective manager when interviewing
- AppSec: Crazy pen test war stories, Python NaN injection, autogenerating realistic vulnerable code
- Supply Chain: Tool to automatically build a dependency graph/SBOM/more, and the power of lockfiles
- Authorization: Rust library that turns authz bugs into compile errors, patterns for authorization in microservices
- Web Security: Tool for reversing JS and CSS from sourcemaps, abusing reverse proxies, WebSocket security talk
- Cloud Security: AWS Lambda powertools, create limited scope AWS creds that can only read/write a specific bucket (and prefix), best practices for securing backups
- Container Security: Automatically generate and keep up to date Docker images through GitHub Actions
- Red Team: Tool to cover your tracks on a Linux box
- Politics / Privacy: Cyber defense will win the war, AI is eating the world's workforce through job automation
- OSINT / Recon: Hundreds of prepackaged offense-focused Docker images
- Humor: Worst snake oil cybersecurity pitches you've heard, Nature on open access
- Misc: SimRefinery, GitHub Actions by example, Stripe and YC are the mob bosses of Silicon Valley, security <-> developer messaging
Mac
Webcam Hacking (again) - Safari UXSS
Excellently detailed write-up by BugPoC’s Ryan
Pickren, which lead to 4 0days and a
$100,500 bounty from Apple.
Gaining unauthorized camera access via Safari UXSS: the story of how a shared iCloud document can hack every website you’ve ever visited.
Career
5 questions you should ask your future manager when interviewing for a job
Great thread by Lily Konings.
- When was the last time you promoted someone on your team? How did it happen?
- Why did the last person in this role leave?
- How do you nurture psychological safety in your team?
- When was the last time you supported a direct report’s growth, even if it meant leaving your team or company?
- Most/all of my interviewers were men. Can I speak to some women on the team to hear more about their experience?
AppSec
Hackers, what is your craziest pentest story?
Twitter thread with a number of war stories, by Luke Tucker.
Python NaN Injection
Bit Discovery’s Robert Hansen (RSnake) describes how supplying NaN for input in Python can lead to unexpected and/or insecure behavior. For example, math operations with an int or float + NaN outputs NaN, so NaN spreads through the execution flow. This could cause unexpected sorting behavior, integer overflows/underflows, business logic bypasses, and more.
This repo has slides and example
vulnerable code and validation logic.
Brendan Dolan-Gavitt Receives NSF Career Award
Congrats! The grant is for automatically creating highly realistic
vulnerability corpora, which will be super useful for test cases for security
tooling or manual learning. That is, this research may preempt the need to rely
on manually created Goat apps, which are often simple and not necessarily
representative of complex, real code bases. See the NSF
page
or the LAVA: Large-scale Automated Vulnerability
Addition paper for more details.
Supply Chain
What does your code use, and is it vulnerable? It-depends!
Tool release by Trail of Bits:
it-depends, which can automatically
build a dependency graph and Software Bill of Materials (SBOM) for packages and
arbitrary source code repositories.
You can use it to enumerate all third party
dependencies for a software package, map those dependencies to known security
vulnerabilities, as well as compare the similarity between two packages based on
their dependencies (e.g. Wait, why are we using 3 libraries that do a similar
thing?). Handles a bunch of languages, can determine dependencies on native
libraries using dynamic analysis, and other fancy things.
The best free, open-source supply-chain security tool? The lockfile
r2c’s Isaac Evans describes why lockfiles are
essential for supply-chain security: in the face of a malicious new version of a
dependency, they empower you to know exactly which systems were affected and
when, which is critical during incident response.
The post also details setting up lockfiles properly across ~9 different package managers, compares their security properties, and includes some open source Semgrep rules to check if you’re using lockfiles effectively. Here are some snippets from two useful tables, more in the post:
Authorization
resyncgg/dacquiri
A strong, compile-time enforced authorization framework for Rust applications,
by @resync_gg. That is, Dacquiri turns
authorization vulnerabilities into compile-time errors.
Patterns for Authorization in Microservices
Oso’s Graham Kaemmer provides an overview
of 3 popular approaches and their relative trade-offs, with some nice diagrams.
- Leave the data where it is, and have services ask for it directly.
- Use a gateway to attach the data to all requests, so it’s available everywhere.
- Centralize authorization data into one place, and move all decisionmaking to that place.
Web Security
paazmaya/shuji
Tool for reverse engineering JavaScript and CSS sources from sourcemaps, by
Juga Paazmaya.
Abusing Reverse Proxies, Part 1: Metadata
Project Discovery’s Chris Sullo discusses in
part 1 and part
2
how misconfigured reverse proxies can be abused to access cloud metadata
services, port scan other ports on the proxy, and scan the proxy’s internal
network. A number of accompanying nuclei
templates
have been open sourced as well.
We’re not in HTTP anymore: Investigating WebSocket Server Security
Excellent OWASP Global AppSec US 2021 talk by Palindrome Technologies’s Erik Elbieh. Erik provides an overview of how WebSockets differ from HTTP, does a survey of prior WebSocket security work, describes how to find websites that support WebSockets at scale, releases a tool (STEWS) that fingerprints the likely WebSocket implementation being used, and then tests if the server is vulnerable to a number of known CVEs.
Good talks have an original idea or two or a useful trick you can use. Great talks provide an overview of the problem space, do a deep dive of related work, examine the issue at scale, and release a tool to make it all easier. This is a great talk.
Erik also released:
- awesome-websocket-security: a collection of WebSocket security resources.
- WebSockets-Playground: a script to easily jump start multiple local WebSocket servers in parallel.
See also Portswigger’s Web Security Academy WebSocket labs.
Cloud Security
awslabs/aws-lambda-powertools-typescript
A suite of utilities for AWS Lambda Functions that makes structured logging,
creating custom metrics asynchronously and tracing with AWS X-Ray easier.
Weeknotes: s3-credentials prefix and Datasette 0.60
Simon Willison describes
s3-credentials, a tool for creating
limited scope AWS credentials that can only read and write from a specific S3
bucket. The latest release adds the ability to specify a prefix and get
credentials that are only allowed to operate on keys within a specific folder
within the S3 bucket.
Top 10 security best practices for securing backups in AWS
By AWS’ Ibukun Oyewumi.
Container Security
cybersecsi/RAUDI
A repo to automatically generate and keep updated a series of Docker images
through GitHub Actions, by SecSI.
Red Team
mufeedvh/moonwalk
A small, standalone binary for covering your tracks on a Linux box by capturing
the state of system logs and filesystem timestamps pre-exploitation and
reverting them after you’re done, by Mufeed VH.
Politics / Privacy
Offense will win some battles, but cyber defense will win the war
Proofpoint’s Selena Larson argues that while
offensive efforts do impose some costs on ransomware operators, ultimately
investment in defense and resolving underlying weaknesses is required for moving
the needle long term. I enjoyed the details and context provided in this post.
AI is quietly eating up the world’s workforce with job automation
It seems that great
inequality leads to political polarization, unrest, and other bad stuff. One of the things that concerns me
most right now is how quickly so many people are (or will be) out of work, yet few are sounding the alarm.
- AI job automation has already replaced around 400,000 factory jobs in the U.S. from 1990 to 2007, with another 2 million on the way.
- ~85% of customer interactions are already handled without human interaction. There are currently ~3 million customer service reps in the U.S.
- A 2020 research paper showed that a Transformer-based deep learning system could outperform human language translators.
Sponsor
📢 Register for ZAPCon 2022 ⚡️
ZAPCon 2022 is a free virtual event for ZAP users and those looking to level-up their automated application security testing game.
Register now to hear from speakers like Jim Manico and ZAP creator Simon Bennetts.
Save My SpotOSINT / Recon
HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion
What a backronym 🙌 A big set of Docker images for security tools, maintained by
SecSI, including OSINT and recon tools (e.g.
Amass), web security scanners (e.g. Arachni, ffuf), dirbusting, spiders, mobile
app reversing tools, and more.
Humor
Sean Wright: Worst snake oil cybersecurity pitch you’ve ever had?
Congrats to all vendors named 🤣
The Academic Journal Nature does Open Access
Short comedic video skewering the economics of academic publishers. As they
deserve in my opinion.
Misc
The sprawling, must-read history of Maxis’ former “serious games” division
Huh, apparently the company that made SimCity also made serious games, like SimRefinery.
GitHub Actions by Example
An introduction through a series of annotated examples, by Ted
Summer.
Stripe and YCombinator, the Mob Bosses of Silicon Valley, a thread
Bolt CEO Ryan Breslow accuses Stripe of strategically getting investors in a way that
precludes future finance-related start-ups from being successful, HN of burying
posts about Bolt, and more. Your weekly 🌶️ take and hot goss.
Aidan Steele on Security <-> Developer Messaging
To move the security needle, we (security professionals) need buy-in,
support, and mutual respect with developers. How can we make things secure by
default and not expect developers to also be security experts?
I feel like it’s unfair and hurtful to characterise committing secrets as a result of “careless developers” though.
When I built something similar a few months back, there was a clear pattern: the majority of leaks were due to templates that set newbies up to fail. e.g. encouraging credentials to be copy-pasted into a config.js file and not gitignoring it.
I don’t think that a junior developer following a tutorial is being careless. I don’t think we can expect them to be intimately familiar with ever-evolving infosec best practices.
And I don’t think it helps them feel welcome when they are called careless for learning new things.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,Clint
@clintgibler