Hey there,
I hope you've been doing well!
A Taxing Season
Alright, I'm going to rant for a second, apologies.
Every tax season I get quite frustrated. I don't mind paying taxes; the government does a lot of important things, like public education and ensuring most food doesn't poison you.
What frustrates me is how complicated it is.
It's like a freshman undergrad who has only ever used Matlab was tasked with writing a system in Perl, and now everyone has to use it.
Clean encapsulation? LOL, this API returns UTF-7 unstructured text in a single blob, and every rand(100) call returns a slap in the face.
Tech, for all of its (many) flaws, does so much better at abstractions. You can search all of the world's information in a fraction of a second, from a device that fits in your pocket, using only your voice.
Proposal: all lawmakers and companies benefiting from tax code complexity from here on out can't use DNS, they have to use direct IPs. And type out each HTTP request by hand. And manually chunk those HTTP requests into sizes that fit into TCP packets, correctly numbering each packet.
Then maybe they'd feel what it's like when you push accidental complexity onto users </end_rant>
🔥 Semgrep Community Meetup Next Wednesday
Want to hear about the latest and greatest in Semgrep?
Then come check out our community meetup next week.
Agenda:
- I'll be speaking about some current trends in security.
- Community members will share cool things they've been doing with Semgrep.
- We'll share some new features: capturing developer feedback and advanced analysis features like taint mode.
- A preview of Semgrep's upcoming roadmap.
Check out the Eventbrite here.
Hope to see you there!
Sponsor
📢 Detect, investigate, and respond to threats across your applications, networks, and infrastructure
Datadog Security Monitoring is part of the Datadog Cloud Security Platform enabling DevOps and Security teams to collaborate together in a single pane of glass to protect an organization's production environment from outside security threats.
In Datadog's Security Monitoring product brief, learn the best practices for securing your environment from attacks. You will learn how to solve cloud complexity challenges with threat detection tools, detect and analyze security threats and deploy turnkey detection rules mapped to the MITRE ATT&CK framework.
Download the Security Monitoring Brief
In this newsletter...
- Conferences: RVAsec CFP is open
- Supply Chain: 4 supply chain risks in Terraform and how to prevent them
- AppSec: Reading RFCs for bug bounty hunters
- GitHub: Finding and exploiting vulnerable GitHub Actions, auditing GitHub (Actions) security using OpenSSF Scorecards
- Mobile Security: Hardening Signal, applying zero trust to enterprise mobile security
- Web Security: Cross-platform web fuzzer, infosec mind maps
- Cloud Security: Automating IR in AWS, centrally managed identity for AWS
- Container Security: Updated Kubernetes hardening guide from NSA and CISA
- Blue Team: Autogenerate pseudo-malicious files from YARA, IR-related macOS tools, manage servers via a non-interactive local host agent
- Network Security: Tool that uses eBPF to monitor egress traffic
- Misc: Hacking a billionaire, Avenue Q puppet wrangling, mobile app to identify birds, guess a country based on its exports, Netflix's most popular shows, why we listen to music with lyrics we don't understand, advertisers want to infiltrate your dreams
Conferences
RVAsec 2022
A Richmond, VA-based security conference whose CFP is open until March 31st. If you have an idea in mind, feel free to email [email protected] for feedback.
Supply Chain
4 supply chain risks in Terraform and how to prevent them with Checkov
By Barak Schoster.
- Leaking secrets using Terraform HTTP data blocks
- Arbitrary code execution using a Terraform external data source
- Not using immutable modules
- Using old versions of misconfigured modules
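Here's an added example (mine, not Checkov's or Barak's code) of what checking for the first three of those risks can look like: a small Python scanner that flags data "http" blocks, data "external" blocks, and module sources that aren't pinned to an immutable revision. It's a regex-level approximation of HCL rather than a parser, and the configuration it scans is constructed for the example, with example.invalid hosts and a made-up registry module.

```python
import re

# Added example: a deliberately small scanner for the Terraform patterns the
# post lists. It is not Checkov and not a real HCL parser; it pattern-matches
# enough HCL to handle the constructed sample below.

BLOCK_RE = re.compile(r'^\s*(data|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def iter_blocks(hcl):
    """Yield (kind, label1, label2, body) for top-level data/module blocks by brace matching."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 0, m.end() - 1          # m.end() - 1 is the opening brace
        while i < len(hcl):
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), m.group(2), m.group(3), hcl[m.end():i]


def string_attr(body, name):
    """Return the quoted string value of `name = "..."` inside a block body, or None."""
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None


def check_module_source(source, version):
    """Return an issue string if the module source does not pin an immutable revision, else None."""
    if source.startswith(("./", "../")):
        return None                        # local path: versioned with the calling repo
    if "::" in source or source.startswith(("github.com/", "git@")):
        ref = re.search(r"[?&]ref=([^&]+)", source)
        if not ref:
            return "git source without ?ref= tracks the default branch (mutable)"
        if not COMMIT_SHA_RE.match(ref.group(1)):
            return f"git source pinned to '{ref.group(1)}', a tag or branch that can be moved; pin a commit SHA"
        return None
    # anything else is treated as a registry source (namespace/name/provider)
    if version is None:
        return "registry source without a version constraint resolves to the newest release"
    if not re.fullmatch(r"\s*=?\s*\d+\.\d+\.\d+\s*", version):
        return f"version constraint '{version}' is a range, not an exact pin"
    return None


def scan_terraform(hcl):
    """Return [(address, issue)] for the risky patterns found in the HCL text."""
    findings = []
    for kind, a, b, body in iter_blocks(hcl):
        if kind == "data" and a == "http":
            findings.append((f"data.http.{b}", "http data source: the response body is stored in state and shown in plan output"))
        elif kind == "data" and a == "external":
            findings.append((f"data.external.{b}", "external data source runs a local program during plan/apply"))
        elif kind == "module":
            issue = check_module_source(string_attr(body, "source") or "", string_attr(body, "version"))
            if issue:
                findings.append((f"module.{a}", issue))
    return findings


# Constructed sample configuration: two risky data sources, one mutable and one
# immutable git module, an unpinned registry module, and a harmless local module.
SAMPLE_HCL = """
data "http" "token" {
  url = "https://vault.example.invalid/v1/secret/app"
}

data "external" "build_info" {
  program = ["bash", "./scripts/build_info.sh"]
}

module "vpc" {
  source = "git::https://git.example.invalid/platform/terraform-vpc.git?ref=v1.2.0"
}

module "sg" {
  source = "git::https://git.example.invalid/platform/terraform-sg.git?ref=0123456789abcdef0123456789abcdef01234567"
}

module "bucket" {
  source = "example-org/bucket/aws"
}

module "local_helper" {
  source = "./modules/helper"
}
"""

if __name__ == "__main__":
    for address, issue in scan_terraform(SAMPLE_HCL):
        print(f"{address}: {issue}")
```

Run it as-is to see the four findings; point scan_terraform at the contents of your own .tf files to try it on real code. The fourth risk in the post, old versions of a pinned module, needs registry or git metadata the scanner doesn't have, so it isn't covered here.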
AppSec
Reading RFCs for bug bounty hunters
Great post by EdOverflow.
- Check out the "Security Considerations" section.
- Review outdated RFCs ("Obsoleted by:" link).
- Use Rfcdiff to diff outdated RFCs.
- Review "Errata" for potential implementation mistakes.
GitHub
How we found vulnerabilities in GitHub Actions CI/CD pipelines
Cycode's Alex Ilgayev describes vulnerable patterns in GitHub Actions that can lead to an attacker being able to steal secrets, inject code, etc., as well as mitigations. The post has some great details on exploiting these weaknesses in practice.
For more on how/why these vulnerabilities occur and how to find them, see Grayson Hardaway's blog post here, which also includes a demo repo to practice on and open source Semgrep rules to find these issues in your GitHub Actions.
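As an added example (not code from the Cycode post or the Semgrep rules), here is a small Python detector for one of those vulnerable patterns: an expression like github.event.issue.title expanded directly inside a run: step, so that an issue title anyone can choose becomes part of the shell script. The mitigation is to pass the value through an env: variable instead, which is what the "hardened" step in the constructed sample workflow does. The YAML handling and the list of untrusted contexts are simplifications made for this example.

```python
import re

# Added example: a small detector for one vulnerable GitHub Actions pattern,
# an expression such as ${{ github.event.issue.title }} expanded directly
# inside a `run:` script. Not the Cycode or Semgrep rule; it handles just
# enough YAML for workflow files and the constructed sample below.

# Contexts whose values an outside contributor controls (issue/PR titles and
# bodies, comments, branch names, commit messages). Constructed subset.
UNTRUSTED_CONTEXTS = re.compile(
    r"github\.event\.issue\.(title|body)"
    r"|github\.event\.pull_request\.(title|body)"
    r"|github\.event\.pull_request\.head\.(ref|label)"
    r"|github\.event\.comment\.body"
    r"|github\.event\.review\.body"
    r"|github\.event\.head_commit\.message"
    r"|github\.event\.commits\.\*\.message"
    r"|github\.head_ref"
)
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def extract_run_scripts(workflow_text):
    """Return [(line_no, script)] for each run: step; line_no is the 1-based line of the key.
    Block scalars (| or >) are read as the lines indented deeper than the key."""
    lines = workflow_text.splitlines()
    scripts, i = [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value, line_no = m.group(3).strip(), i + 1
        i += 1
        if value.startswith(("|", ">")):
            body = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
                body.append(lines[i].strip())
                i += 1
            value = "\n".join(body)
        scripts.append((line_no, value))
    return scripts


def find_script_injections(workflow_text):
    """Return [(line_no, expression)] for run steps that expand an untrusted context inline."""
    return [
        (line_no, expr)
        for line_no, script in extract_run_scripts(workflow_text)
        for expr in EXPRESSION.findall(script)
        if UNTRUSTED_CONTEXTS.search(expr)
    ]


# Constructed sample: one vulnerable step, one hardened step that passes the
# same value through an environment variable, and one step using a trusted context.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: hardened
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
      - name: fine
        run: echo "repo=${{ github.repository }}"
"""

if __name__ == "__main__":
    for line_no, expr in find_script_injections(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted context '{expr}' expanded inside a run step")
```

Only the "vulnerable" step (line 10 of the sample) is reported: the hardened step reads the same title from $TITLE, which the shell treats as data rather than parsing it as script, and github.repository is not attacker-controlled. To run it over a repo, feed it the text of each file under .github/workflows.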
Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards
Jamie Tanna walks through setting up the OpenSSF's Scorecard GitHub Action and the common GitHub repo settings and GitHub Action security issues you may see it raise.
Mobile Security
Hardening Signal
Short guide on settings and practices to harden your use of Signal, which is in my opinion the best privacy-focused messaging app.
Applying Zero Trust Principles to Enterprise Mobility
~20 page PDF by CISA on mobile security tools and technologies in relation to Zero Trust principles.

Web Security
d4rckh/vaf
A cross-platform web fuzzer written in Nim by @d4rckh. Custom wordlists, fuzz any part of the URL as well as POST data, and more.
Cyber-Guy1/API-SecurityEmpire
Infosec mind maps by Momen Eldawakhly and Lucas Lundgren covering recon on APIs, attacking RESTful and SOAP APIs, and attacking GraphQL.
Cloud Security
awslabs/aws-automated-incident-response-and-forensics
A framework that aims to facilitate automated steps for incident response and forensics based on the AWS Incident Response White Paper. Tag an EC2 instance with a SecurityIncidentStatus value of Analyze, and a Lambda will trigger that automatically starts isolation and memory/disk acquisition, and ends with giving the instance a no INBOUND/OUTBOUND security group and an IAM role that disallows all access.
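To make the tag-triggered flow concrete, here is an added example (mine, not the framework's code) of that Lambda logic in Python: decide whether an EventBridge tag-change event carries SecurityIncidentStatus=Analyze, then swap the instance onto a quarantine security group, put an explicit deny on its instance role, and snapshot its volumes. The boto3 method names and arguments are the real ones, but the clients are injected and replaced with a recording fake so the whole thing runs offline; the event, the ids, and FakeClient are constructed. Memory acquisition, which needs an agent on the host, is left out.

```python
import json

# Added example of the tag-triggered isolation flow. Not the framework's code;
# boto3 calls are real, but clients are injected so a recording fake can stand in.

# Tag the automation watches for on EC2 instances.
TRIGGER_TAG_KEY = "SecurityIncidentStatus"
TRIGGER_TAG_VALUE = "Analyze"

# Inline policy that overrides every permission the instance role grants. Role
# policy changes also apply to temporary credentials the instance already holds.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


def should_trigger(event):
    """True if an EventBridge 'Tag Change on Resource' event marks an EC2 instance for analysis."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.tag"
        and detail.get("service") == "ec2"
        and detail.get("resource-type") == "instance"
        and detail.get("tags", {}).get(TRIGGER_TAG_KEY) == TRIGGER_TAG_VALUE
    )


def instance_id_from_event(event):
    # resources[0] looks like arn:aws:ec2:REGION:ACCOUNT:instance/i-0123...
    return event["resources"][0].rsplit("/", 1)[-1]


def isolate_instance(ec2, iam, instance_id, quarantine_sg_id, incident_id):
    """Isolate first, then acquire disk. quarantine_sg_id must be a pre-created
    security group with no inbound rules and its default egress rule revoked.
    Returns {"snapshots": [...], "denied_roles": [...]}."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # 1. Network isolation: replace every security group with the quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])

    # 2. Credential isolation: explicit deny on each role in the instance profile.
    denied = []
    profile = instance.get("IamInstanceProfile")
    if profile:
        profile_name = profile["Arn"].rsplit("/", 1)[-1]
        roles = iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]["Roles"]
        for role in roles:
            iam.put_role_policy(RoleName=role["RoleName"], PolicyName=f"ir-deny-all-{incident_id}",
                                PolicyDocument=json.dumps(DENY_ALL_POLICY))
            denied.append(role["RoleName"])

    # 3. Disk acquisition: snapshot every attached EBS volume for offline analysis.
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"{incident_id} {instance_id} {vol}")
        snapshots.append(snap["SnapshotId"])
    return {"snapshots": snapshots, "denied_roles": denied}


def handler(event, ec2, iam, quarantine_sg_id="sg-quarantine", incident_id="IR-0001"):
    """Lambda-style entry point with injected clients; in a real Lambda pass boto3.client('ec2'/'iam')."""
    if not should_trigger(event):
        return None
    return isolate_instance(ec2, iam, instance_id_from_event(event), quarantine_sg_id, incident_id)


class FakeClient:
    """Records calls instead of talking to AWS so the flow runs offline (constructed)."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            resp = self.responses.get(name)
            return resp(kwargs) if callable(resp) else resp
        return call


# Constructed event, shaped like an EventBridge "Tag Change on Resource" event.
SAMPLE_EVENT = {
    "source": "aws.tag",
    "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"service": "ec2", "resource-type": "instance",
               "changed-tag-keys": [TRIGGER_TAG_KEY], "tags": {TRIGGER_TAG_KEY: TRIGGER_TAG_VALUE}},
}


def make_fake_clients():
    """Constructed ec2/iam fakes describing one instance with two volumes and one role."""
    ec2 = FakeClient({
        "describe_instances": {"Reservations": [{"Instances": [{
            "InstanceId": "i-0123456789abcdef0",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"},
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}, {"Ebs": {"VolumeId": "vol-0bbb"}}],
        }]}]},
        "modify_instance_attribute": {},
        "create_snapshot": lambda kw: {"SnapshotId": "snap-" + kw["VolumeId"][4:]},
    })
    iam = FakeClient({
        "get_instance_profile": {"InstanceProfile": {"Roles": [{"RoleName": "web-role"}]}},
        "put_role_policy": {},
    })
    return ec2, iam


if __name__ == "__main__":
    ec2, iam = make_fake_clients()
    print(handler(SAMPLE_EVENT, ec2, iam))
    print([name for name, _ in ec2.calls])
```

Isolation goes before acquisition on purpose: once the security group swap lands the instance can no longer talk out, and the explicit deny cuts off the credentials it was already holding, so whatever is snapshotted afterwards is what an attacker had when they lost access.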
Centrally Managed Identity for AWS
Carta's Uttej Badwane describes how they migrated from a handful of legacy AWS accounts to moving them under a newly created master AWS account which was configured to use AWS SSO <=> Okta for identity, with SCIM configured. "The main objective was to handle the traditional IAM identity for multiple accounts with time based access for console & CLI."
If you haven't heard of SCIM, it's basically a way to keep users in sync between your identity provider and many other systems (vs manually onboarding/offboarding/updating). Pretty cool.
Container Security
NSA, CISA release Kubernetes Hardening Guidance
Updated ~66 page technical report on recommendations to harden Kubernetes systems.
Primary actions include the scanning of containers and Pods for vulnerabilities or misconfigurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.
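Here's an added example (mine, not from the guide) of what "least privileges possible" looks like as a check: a Python audit of a Pod manifest, already loaded as a dict, for host namespace sharing and for the container securityContext settings, run over a constructed weak Pod and its hardened twin. The field names are real PodSpec/SecurityContext fields; which ones to check is this example's own selection, not the guide's full list.

```python
# Added example: least-privilege audit over a Pod manifest dict (kubectl get pod
# -o json, or yaml.safe_load on a manifest). Field names are real Kubernetes
# fields; the set of checks is this example's own, not the NSA/CISA guide's list.

HOST_NAMESPACE_KEYS = ("hostNetwork", "hostPID", "hostIPC")


def audit_pod(pod):
    """Return [(location, issue)] for privilege-related gaps in a Pod manifest dict."""
    spec = pod.get("spec", {})
    findings = [("spec", f"{k}: true shares a host namespace") for k in HOST_NAMESPACE_KEYS if spec.get(k)]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        loc = f"container/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((loc, "privileged: true removes most container isolation"))
        # Kubernetes defaults allowPrivilegeEscalation to true
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((loc, "allowPrivilegeEscalation is not false"))
        # a container-level runAsNonRoot overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((loc, "runAsNonRoot is not true"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((loc, "readOnlyRootFilesystem is not true"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((loc, "capabilities.drop does not include ALL"))
    return findings


# Constructed sample: no securityContext at all, plus host networking.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "app", "image": "registry.example.invalid/app:1.0"}]},
}

# Constructed sample: the same Pod with the settings the guide recommends.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example.invalid/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(name, audit_pod(pod) or "no findings")
```

The weak Pod produces five findings (host networking plus four container settings), the hardened one none. In a cluster you would enforce the same settings with Pod Security Admission or an admission controller rather than auditing after the fact, but a quick script like this is handy for reviewing manifests in a pull request.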
Blue Team
claroty/arya
By Claroty: Given a YARA rule, Arya can generate pseudo-malicious files meant to trigger it. Useful for testing your detection sensors such as AV or EDR.
The Mitten Mac: Tools
Several neat macOS tools by Jamf's Jaron Bradley:
- TrueTree: an incident response tool for building a pstree-like output on macOS.
- ESFPlayground: a tool that lets you print out the events of the Apple Endpoint Security Framework as they happen in real time.
SansShell: A Non-Interactive Local Host Agent
Snowflake's Aaron Joyner, Jon Allie, and James Chacon announce the release of SansShell, a way to define complex server management actions in code and selectively expose those actions to remote clients. Each action is subject to an authorization policy that can limit access based on the caller, the type of action, and the content of the request.
Sponsor
📢 Why Single Sign On Sucks
Discover why SSO is such a pain and how different authentication architectures make it hard to achieve a true single sign-on nirvana. At Teleport we think the secret lies with certificate authorities and client certificates -- a path towards a seamless SSO experience.
Learn more
Network Security
ancat/egrets
A proof of concept tool that uses eBPF, raw sockets, and kprobes to monitor egress traffic, by @ancat.
Misc
It Was Easy to Hack a Billionaire
SocialProof Security's Rachel Tobac successfully socially engineers and phishes Jeffrey Katzenberg, co-founder and former CEO of Dreamworks Animation. For the technical details on the hack, see Evan Tobac's thread. Jeffrey was... not pleased 🤣
Meet Avenue Qâs Puppet Wrangler
Some interesting behind the scenes. Man, what a good musical.
Merlin Bird ID
Mobile app to help you identify thousands of birds based on appearance or their
song.
OEC Tradle
Guess a country based on their exports.
These are Netflix's Most Popular Shows (According to Netflix)
- TV shows account for ~75% of viewing.
- TV shows tend to stay in the top 10 a lot longer than movies.
- The average Netflix hit disappears after two weeks or less.
- Less than one-quarter of all shows stay in the top 10 for more than four weeks.
Why We Listen to Music With Lyrics We Don't Understand
"Elements of sound and music like pitch, melody, harmony, timbre, and amplitude have an affective, emotional, psychological, cognitive, and even physical impact on listeners."
My version of another quote from the post:
"SongTwitter frees the voice from any burden of saying anything meaningful."
Are advertisers going to infiltrate our dreams?
Major brands like Coors, Microsoft and Burger King are researching how they can have you dream of their products. Cool, that seems like something they should be allowed to do. With so many smart devices in homes these days, it's possible that sounds or messages could be played to you in your sleep without you even knowing it. It's unclear how effective these approaches would be in practice though.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler