[tl;dr sec] #117 - WebSocket Security, Securing Dependencies, Authorization Approaches

Hey there,

I hope you’ve been doing well!

WiFi Passwords and… Romance?

A good movie poster or trailer inspires more questions than it answers. And man is that true here.

Like, did he change his network name to “HeyCutie” as a way to flirt?

Is she an international cyber criminal who cracked his WiFi password (because he was using WEP like a noob) to access her C2 servers through his home network to deflect attribution? And he’s a lonely sys admin, locking down his network on a Friday night, only to discover this unexpected traffic, leading him to find The One to fill the pi-hole in his heart?

Did she shine a laser through his window and use the vibrations as a side channel to recover his GitHub creds and SSH password so she could push a cryptominer to his widely popular NPM package? But he’s actually a former CIA agent and has the OPSEC to understand this is happening, so he starts typing her romantic poems in the git commit messages on his private dotfiles repo that he knows she can see read, until they fall in love?

SO MANY QUESTIONS.

Also, Netflix employees, if you like these premises and know someone that needs some screen writing assistance, hit me up, you know where to find me.

No, not curled up under my desk in a fetal position (though true), I mean you can reply to this email.

Mac

Webcam Hacking (again) - Safari UXSS
Excellently detailed write-up by BugPoC’s Ryan Pickren, which lead to 4 0days and a $100,500 bounty from Apple.

Career

5 questions you should ask your future manager when interviewing for a job
Great thread by Lily Konings.

1. When was the last time you promoted someone on your team? How did it happen?

2. Why did the last person in this role leave?

3. How do you nurture psychological safety in your team?

4. When was the last time you supported a direct report’s growth, even if it meant leaving your team or company?

5. Most/all of my interviewers were men. Can I speak to some women on the team to hear more about their experience?

AppSec

Hackers, what is your craziest pentest story?
Twitter thread with a number of war stories, by Luke Tucker.

Python NaN Injection
Bit Discovery’s Robert Hansen (RSnake) describes how supplying NaN for input in Python can lead to unexpected and/or insecure behavior. For example, math operations with an int or float + NaN outputs NaN, so NaN spreads through the execution flow. This could cause unexpected sorting behavior, integer overflows/underflows, business logic bypasses, and more.

This repo has slides and example vulnerable code and validation logic.

Brendan Dolan-Gavitt Receives NSF Career Award
Congrats! The grant is for automatically creating highly realistic vulnerability corpora, which will be super useful for test cases for security tooling or manual learning. That is, this research may preempt the need to rely on manually created Goat apps, which are often simple and not necessarily representative of complex, real code bases. See the NSF page or the LAVA: Large-scale Automated Vulnerability Addition paper for more details.

Supply Chain

What does your code use, and is it vulnerable? It-depends!
Tool release by Trail of Bits: it-depends, which can automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.

You can use it to enumerate all third party dependencies for a software package, map those dependencies to known security vulnerabilities, as well as compare the similarity between two packages based on their dependencies (e.g. Wait, why are we using 3 libraries that do a similar thing?). Handles a bunch of languages, can determine dependencies on native libraries using dynamic analysis, and other fancy things.

The best free, open-source supply-chain security tool? The lockfile
r2c’s Isaac Evans describes why lockfiles are essential for supply-chain security: in the face of a malicious new version of a dependency, they empower you to know exactly which systems were affected and when, which is critical during incident response.

The post also details setting up lockfiles properly across ~9 different package managers, compares their security properties, and includes some open source Semgrep rules to check if you’re using lockfiles effectively. Here are some snippets from two useful tables, more in the post:

Authorization

resyncgg/dacquiri
A strong, compile-time enforced authorization framework for Rust applications, by @resync_gg. That is, Dacquiri turns authorization vulnerabilities into compile-time errors.

Patterns for Authorization in Microservices
Oso’s Graham Kaemmer provides an overview of 3 popular approaches and their relative trade-offs, with some nice diagrams.

1. Leave the data where it is, and have services ask for it directly.

2. Use a gateway to attach the data to all requests, so it’s available everywhere.

3. Centralize authorization data into one place, and move all decisionmaking to that place.

Web Security

paazmaya/shuji
Tool for reverse engineering JavaScript and CSS sources from sourcemaps, by Juga Paazmaya.

Abusing Reverse Proxies, Part 1: Metadata
Project Discovery’s Chris Sullo discusses in part 1 and part 2 how misconfigured reverse proxies can be abused to access cloud metadata services, port scan other ports on the proxy, and scan the proxy’s internal network. A number of accompanying nuclei templates have been open sourced as well.

We’re not in HTTP anymore: Investigating WebSocket Server Security
Excellent OWASP Global AppSec US 2021 talk by Palindrome Technologies’s Erik Elbieh. Erik provides an overview of how WebSockets differ from HTTP, does a survey of prior WebSocket security work, describes how to find websites that support WebSockets at scale, releases a tool (STEWS) that fingerprints the likely WebSocket implementation being used, and then tests if the server is vulnerable to a number of known CVEs.

Good talks have an original idea or two or a useful trick you can use. Great talks provide an overview of the problem space, do a deep dive of related work, examine the issue at scale, and release a tool to make it all easier. This is a great talk.

Erik also released:

• awesome-websocket-security: a collection of WebSocket security resources.

• WebSockets-Playground: a script to easily jump start multiple local WebSocket servers in parallel.

See also Portswigger’s Web Security Academy WebSocket labs.

Cloud Security

awslabs/aws-lambda-powertools-typescript
A suite of utilities for AWS Lambda Functions that makes structured logging, creating custom metrics asynchronously and tracing with AWS X-Ray easier.

Weeknotes: s3-credentials prefix and Datasette 0.60
Simon Willison describes s3-credentials, a tool for creating limited scope AWS credentials that can only read and write from a specific S3 bucket. The latest release adds the ability to specify a prefix and get credentials that are only allowed to operate on keys within a specific folder within the S3 bucket.

Top 10 security best practices for securing backups in AWS
By AWS’ Ibukun Oyewumi.

Container Security

cybersecsi/RAUDI
A repo to automatically generate and keep updated a series of Docker images through GitHub Actions, by SecSI.

Red Team

mufeedvh/moonwalk
A small, standalone binary for covering your tracks on a Linux box by capturing the state of system logs and filesystem timestamps pre-exploitation and reverting them after you’re done, by Mufeed VH.

Politics / Privacy

Offense will win some battles, but cyber defense will win the war
Proofpoint’s Selena Larson argues that while offensive efforts do impose some costs on ransomware operators, ultimately investment in defense and resolving underlying weaknesses is required for moving the needle long term. I enjoyed the details and context provided in this post.

AI is quietly eating up the world’s workforce with job automation
It seems that great inequality leads to political polarization, unrest, and other bad stuff. One of the things that concerns me most right now is how quickly so many people are (or will be) out of work, yet few are sounding the alarm.

• AI job automation has already replaced around 400,000 factory jobs in the U.S. from 1990 to 2007, with another 2 million on the way.

• ~85% of customer interactions are already handled without human interaction. There are currently ~3 million customer service reps in the U.S.

• A 2020 research paper showed that a Transformer-based deep learning system could outperform human language translators.

OSINT / Recon

HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion
What a backronym 🙌 A big set of Docker images for security tools, maintained by SecSI, including OSINT and recon tools (e.g. Amass), web security scanners (e.g. Arachni, ffuf), dirbusting, spiders, mobile app reversing tools, and more.

Humor

Sean Wright: Worst snake oil cybersecurity pitch you’ve ever had?
Congrats to all vendors named 🤣 

The Academic Journal Nature does Open Access
Short comedic video skewering the economics of academic publishers. As they deserve in my opinion.

Misc

The sprawling, must-read history of Maxis’ former “serious games” division
Huh, apparently the company that made SimCity also made serious games, like SimRefinery.

GitHub Actions by Example
An introduction through a series of annotated examples, by Ted Summer.

Stripe and YCombinator, the Mob Bosses of Silicon Valley, a thread
Bolt CEO Ryan Breslow accuses Stripe of strategically getting investors in a way that precludes future finance-related start-ups from being successful, HN of burying posts about Bolt, and more. Your weekly 🌶️ take and hot goss.

Aidan Steele on Security <-> Developer Messaging
To move the security needle, we (security professionals) need buy-in, support, and mutual respect with developers. How can we make things secure by default and not expect developers to also be security experts?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint