Hey there,
I hope you've been doing well!
Undefeated
Like seemingly most people who attended BSidesSF and/or RSA, I've come down with a bit of a cold. Fortunately, it hasn't been that bad and I've tested negative for COVID.
Random shower thought: as long as you're still alive, your body has had a 100% success rate at defeating every single virus and bacterium that's tried to attack you.
That's impressive. Meanwhile, we're all impressed at computer systems that have five 9's of reliability.
Fifth tl;dr sec Sponsor Acquired
DJ Khaled voice: Another one!
Randori, an attack surface management (ASM) and offensive cyber security provider, was acquired by IBM for an undisclosed amount. Congrats!
Hadestown
If you're like me, you're probably subscribed to this newsletter because you like musicals.
If you live in the Bay Area, consider checking out Hadestown at BroadwaySF, which won eight 2019 Tony Awards, including Best Musical.
HADESTOWN intertwines two mythic tales, that of young dreamers Orpheus and Eurydice, and that of King Hades and his wife Persephone, as it invites you on a hell-raising journey to the underworld and back.
Here's the original cast performing "Wait For Me", guaranteed to get you turnt up, and "All I've Ever Known" to make you melt a bit. *Subtly wipes away a solitary, manly hacker tear*
Sponsor
The Top Five Myths in API Security
Think your WAF and API gateways have you protected from API attacks? Think your APIs are protected by your Cloud provider? It's time to take another look. As many organizations experience API security incidents, security leaders are learning traditional approaches and assumptions do not protect against the new forms of attacks. The Top 5 Myths in API Security white paper from Salt Security helps you understand what might be putting your critical data at risk.
Download the white paper now!
In this newsletter...
- Mobile Security: Awesome iOS security, mobile forensic and network traffic analysis platform
- Database Security: Making JDB attacks brilliant again, Apache Pinot SQLi and RCE cheat sheet
- Cryptography: Remote timing attacks on constant-time crypto code + a new vuln logo
- Cloud Security: Cloud Security Engineer book, some unintuitive aspects of SCPs, AWS threat simulation and detection, securing cloud services against squatting attacks, the philosophy of prevention
- CI/CD: CDK construct to create ephemeral self-hosted GitHub runners in your AWS account
- Supply Chain: How SUSE is preparing for SLSA L4, examining malicious Terraform modules and providers, NPM domain checker, how GitHub uses Dependabot
- Blue Team: Democratizing security detection
- Red Team: Time travel debugging IDA plugin
- Politics / Privacy: Bluetooth signals can be fingerprinted to track smartphones
- Misc: Watercolor basics, pizza order rap, what should you do with your options during a downturn?, sheet music encryption, spicy takes on Gartner's Magic Quadrant for Application Performance Monitoring and Observability, revenue-valuation multiples for 3 Israeli start-ups
Mobile Security
Cy-clon3/awesome-ios-security
A collection of awesome tools, books, courses, blog posts, and cool stuff about iOS application security and penetration testing, by @Cyclon3.
PiRogue tool suite
By Esther: An open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting Android and iOS, IoT devices that are connected to mobile apps, and in general any device using WiFi to connect to the Internet.
Database Security
Make JDBC Attacks Brilliant Again II
@pyn3rd gave a "Make JDBC Attacks Brilliant Again" talk at HITB Singapore 2021 (slides). This blog post goes into PostgreSQL and demonstrates popping calculators left and right.
Apache Pinot SQLi & RCE Cheat Sheet
Doyensec's Ben Caller shows how a classic SQL injection bug in an API backed by Apache Pinot (an Apache database platform) can be escalated to Remote Code Execution, and then discusses post-exploitation.
Pinot trusts anyone who can query the database to also execute code on the Server, as root. This gaping security hole (a "feature") is enabled by default in all released versions of Apache Pinot.
Cryptography
Hertzbleed Attack
Riccardo Paccagnella, Yingchen Wang et al. describe a way to mount remote timing attacks on constant-time cryptographic code running on modern x86 processors by targeting dynamic frequency scaling: because the CPU's clock frequency varies with the power drawn by the data being processed, data-dependent power differences become measurable execution-time differences, even in code written to run in constant time.
Cloud Security
The CloudSec Engineer
I'm a big fan of Marco Lancini and his newsletter, CloudSecList, so I'm excited to see that he's writing a book about how to enter cloud security, establish yourself, and thrive in the cloud security industry as an individual contributor. Sign up on this site for free samples and updates.
A Deep Dive into Temporal's Access Control Strategy in AWS
Temporal's Brandon Sherman describes how they were trying to secure their cloud environment via segmented AWS accounts, and how the behavior of Service Control Policies was unintuitive.
sbasu7241/AWS-Threat-Simulation-and-Detection
A walkthrough of using Datadog's Stratus Red Team in an AWS account, monitoring using CloudTrail and CloudWatch, and ingesting those logs into SumoLogic for further analysis.
Securing Cloud Services against Squatting Attacks
Penn State's Eric Pauley and Patrick McDaniel discuss cloud squatting attacks (for example, when IP addresses are reused across tenants), the impact, and potential solutions. In their research, they received real-time location data, PII (virtually anything on a driver's license or government document), and web tracking data and browsing history from different organizations.
The Philosophy of Prevention
Chris Farris shares some great examples of the real world challenges in trying to prevent or auto-remediate cloud security issues.
Prevention via Service Control Policy must be limited to security invariants, but even then, prevention is limited by the granularity of IAM Actions and the availability of the necessary Condition keys.
Auto-remediation only works to fix high security and low operational risk misconfigurations and only where a simple and operationally safe action can be taken.
See also The Tar Pit of CSPM:
Every requirement of a security team on the business is like a tax. It slows things down and makes us less competitive. If you can't articulate the risk, you don't understand the risk, and if you don't understand the risk, you're engaging in security theater and taxing the business for no real gain.
Except in a few small pockets of the organization, cloud security never moved beyond a basic vulnerability management function. Where pockets did move beyond a VM function, it was the teams that moved to auto-remediation and GuardRails, not CloudSec.
CI/CD
CloudSnorkel/cdk-github-runners
By CloudSnorkel's Amir Szekely: Use this CDK construct to create ephemeral self-hosted GitHub runners on-demand inside your AWS account. Supports CodeBuild, Fargate and Lambda.
Supply Chain
SLSA: Securing the Software Supply Chain
SUSE's Marcus Meissner and Jana Jaeger provide a detailed breakdown of how SUSE is preparing for SLSA L4 compliance.
Terraform as part of the software supply chain, Part 1 - Modules and Providers
Part one of a three-part series by GitLab's Joern Schneeweisz examining the supply chain aspects of Terraform, discussing malicious Terraform modules and providers and recommendations on securing the process of running Terraform against modules and providers gone rogue.
firefart/npmdomainchecker
By Christian Mehlmauer: Checks every maintainer from every package in the NPM registry for unregistered domains or unregistered MX records on those domains. If a maintainer's email domain is unregistered, anyone can register the domain and initiate a password reset on the account if it has no 2-factor auth enabled.
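The same check is worth running from the consuming side: for the packages you depend on, do any maintainers have contact addresses whose domains no longer resolve or cannot receive mail? The following is an added example and not the code of firefart/npmdomainchecker; the maintainer records and the DNS answers are constructed so it runs offline, and the `resolve` callback is a hypothetical hook where a real deployment would plug in actual registration and MX lookups.

```python
"""Audit package maintainer e-mail domains for takeover risk.

Added example (not firefart/npmdomainchecker). A maintainer whose
e-mail domain is unregistered, or registered but without MX records,
is a weak link: account recovery mail for that maintainer cannot be
delivered to its rightful owner. The data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    package: str
    maintainer: str
    domain: str
    reason: str  # "unregistered", "no-mx" or "malformed-email"

# Constructed sample: (package, maintainer e-mail) pairs, as you would
# collect them from the registry metadata of your own dependencies.
SAMPLE_MAINTAINERS = [
    ("left-pad-ish", "alice@example.com"),
    ("left-pad-ish", "bob@abandoned-example.test"),
    ("tiny-parser", "carol@no-mail-example.test"),
    ("tiny-parser", "CAROL@EXAMPLE.COM"),  # same domain as alice, different case
]

# Constructed DNS answers: domain -> (is_registered, has_mx_records)
FAKE_DNS: Dict[str, Tuple[bool, bool]] = {
    "example.com": (True, True),
    "abandoned-example.test": (False, False),
    "no-mail-example.test": (True, False),
}

def fake_resolve(domain: str) -> Tuple[bool, bool]:
    """Stand-in resolver (hypothetical): returns (registered, has_mx).
    A real implementation would do a WHOIS/RDAP check and an MX query."""
    return FAKE_DNS.get(domain, (False, False))

def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain of an address, or None if malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain

def audit_maintainers(
    records: Iterable[Tuple[str, str]],
    resolve: Callable[[str], Tuple[bool, bool]],
) -> List[Finding]:
    """Flag maintainers whose e-mail domain is unregistered or has no MX.

    Lookups are cached per domain so a domain shared by many maintainers
    (or many packages) is only resolved once."""
    findings: List[Finding] = []
    cache: Dict[str, Tuple[bool, bool]] = {}
    for package, email in records:
        domain = email_domain(email)
        if domain is None:
            findings.append(Finding(package, email, "", "malformed-email"))
            continue
        if domain not in cache:
            cache[domain] = resolve(domain)
        registered, has_mx = cache[domain]
        if not registered:
            findings.append(Finding(package, email, domain, "unregistered"))
        elif not has_mx:
            findings.append(Finding(package, email, domain, "no-mx"))
    return findings

def packages_at_risk(findings: Iterable[Finding]) -> List[str]:
    """Packages with at least one maintainer on an unregistered domain,
    which is the case that needs attention first."""
    return sorted({f.package for f in findings if f.reason == "unregistered"})

if __name__ == "__main__":
    results = audit_maintainers(SAMPLE_MAINTAINERS, fake_resolve)
    for f in results:
        print(f"{f.package}: {f.maintainer} ({f.domain}) -> {f.reason}")
    print("highest priority:", packages_at_risk(results))
```

Registered-but-no-MX domains are reported separately from unregistered ones: the former still belong to someone, but password-reset mail to them bounces, so the account is effectively unrecoverable and should be reviewed rather than treated as an immediate takeover risk.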
How we use Dependabot to secure GitHub
A two-part story by Phil Turnbull about how GitHub's Product Security Engineering team rolled out Dependabot internally to track vulnerable dependencies, and how GitHub tracks and prioritizes technical debt. This is an excellent post about effectively rolling out any security tooling at a company and integrating it into existing engineering orgs and processes. Great read.
We use a number of guiding principles when evaluating tools and designing a rollout plan. For example, Does the security benefit of this new process outweigh the impact on engineering teams? How do we roll this out incrementally and gather feedback? What are our expectations for engineers, and how do we clearly communicate these expectations?
We aimed to answer, clearly and succinctly, the most important questions in our communications: What are we doing? Why are we doing this? When are we doing this? Lastly, what do I need to do?
Sponsor
Access and Security Trade-Offs for DevSecOps Teams
How to stay secure while your team ships at scale. This tech paper by Teleport looks at recent advancements in access technologies available to reduce the tension between engineering and DevSecOps teams.
Learn More
Blue Team
Democratizing Security Detection
Palantir shares their learnings on scaling their detection program through democratization of security alerts and provides actionable detection strategies that should be considered in most environments. They have a team of fewer than 10 responsible for monitoring, alert triage, and incident response for over 3,000 employees and contractors. Tons of great detail and examples in this post.
Red Team
airbus-cert/ttddbg
An IDA plugin that adds a new debugger which supports loading Time Travel Debugging traces generated using WinDBG Preview. By Airbus CERT's Sylvain Peyrefitte, Simon Garrelou, and Arioch.
Politics / Privacy
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones
UC San Diego researchers found (paper) that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals). The trick is imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer fingerprint."
Misc
tombetthauser/watercolor-basics
Basic tips for developing an open-ended everyday watercolor practice.
The Greatest Pizza Order Ever
An amusing pizza order rap.
What Should You Do With Your Options During a Downturn?
Compound's Adam Keesling provides some useful perspective on how to think about whether you should exercise your options, walks through several example scenarios, and describes the actions you could or might want to take. See also Stock Options 101.
Kenn White on Sheet Music Encryption
"What a wild story. Soviet-era dissidents & exiled Jewish expats were able to smuggle information in & out of country thanks to U.S. saxophonist Merryl Goldberg, who came up with an ingenious encryption scheme using sheet music."
More details in the thread by Kenn White.
Gartner's Magic Quadrant for Application Performance Monitoring and Observability is out
Corey Quinn's spicy take tweet thread.
Israel's most overvalued cybersecurity startups exposed
Using previously undisclosed figures, The Information has calculated the revenue-valuation multiples for several companies.
- Wiz: Multiple of 150 on revenue
- Axonius: Multiple of 87 on revenue
- Snyk: Multiple of 85 on revenue
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler