• tl;dr sec
  • Posts
  • [tl;dr sec] #142 - OAuth Security, Cryptocurrency, Being Able to Speak Business

[tl;dr sec] #142 - OAuth Security, Cryptocurrency, Being Able to Speak Business

OAuth bugs that lead to single-click account takeovers, crypto wallet exploits and Ethereum smart contract best practices, the importance of being able to communicate in business metrics and outcomes.

Author

Clint Gibler
July 20, 2022

Hey there,

I hope you’ve been doing well!

Bay Area Romance

Love is universal.

It brings us together across geographies, cultures, races, religions, beliefs, and more.

It can give us the highest of highs, or the lowest of lows. Make us feel on top of the world, or dashed to bits on the treacherous rocks of unrequited love.

While love is universal, there are regional cultural differences in what’s expected, what’s allowed, and what isn’t.

And like accents, the language of love can vary. This Avril Lavigne parody rings true of the Bay Area 🤣

I also enjoyed the additional verses by @joeypohie or this excellent life/relationship advice by @ooolzhas:

If you’re not there for me at my Pre-Seed, you don’t deserve me at my IPO

Relatedly, I’m thinking about starting to work on a tl;dr sec guide on communication, dating, relationships, marriage, etc. (not a joke)

I’d love to hear if you’d find this interesting or useful, and if so, what you’d love to be in it, questions or challenges you have, really anything. Thanks in advance 🙏

Sponsor

📢 How to protect your APIs from modern security risks

APIs are difficult to secure and traditional methods like WAFs and Gateways are simply not enough. Today’s security strategies need to consider the evolution of app development and a new era of attackers who target APIs. Only Salt Security provides the advanced security capabilities to ensure your APIs, applications, and sensitive data are protected. Read the Protecting APIs from Modern Security Risks white paper and learn how to secure your organization from today's threats.

📜 In this newsletter...

  • Cryptocurrency: Two novel crypto wallet exploits explained, Ethereum smart contract best practices, overview of recent U.S. crypto bill

  • Web Security: GraphQL automated security testing toolkit, account hijacking using "dirty dancing" in sign-in OAuth flows, OAuth 2.0 security cheat sheet

  • Blue Team: 3 mistakes at the beginning of an incident, think like a detection engineer

  • OSINT / Recon: Subdomain discovery through RNN, ProjectDiscovery-driven Attack Surface Management bot, fast and configurable TLS grabber

  • Cloud Security: Awesome cloud native trainings, get a free MFA security key from AWS, Open Roles Anywhere PoC, tracking the effectiveness of cloud adoption and speaking business

  • Container Security: On the security risks of exposing the Prometheus server, overview of the first four threat vectors in ATT&CK for Kubernetes

  • Misc: How to keep your houseplants from dying this summer, create a 3D city from your GitHub contributions, create a personalized poster of your trip routes, watch Anna Karenina film adaptation, reviews of historical sandwiches

Cryptocurrency

Two Novel Crypto Wallet Exploits, Explained
At the last ‘Off the Chain’ Web3 security conference, colocated with RSA, Unciphered- a cryptocurrency asset recovery company– unveiled three novel exploits impacting popular (and once-popular) crypto wallets Electrum Bitcoin Wallet, Trezor One, and Ethereumwallet.com.

Eric Michaud showed an Electrum RCE via malicious QR code that would let you access all the Bitcoins stored in the wallet, and brute-forcing improvements that enable you to determine a Trezor One’s pin.

Ethereum Smart Contract Best Practices
By ConsenSys Diligence: This guide provides a baseline knowledge of security considerations for intermediate Solidity programmers, covering the smart contract security mindset, development recommendations with examples of good patterns, known attacks and classes of vulnerabilities to avoid, security tools, and a list of bug bounty platforms in the ecosystem.

Web Security

gsmith257-cyber/GraphCrawler
A GraphQL automated security testing toolkit by Grant Smith. Checks if mutation is enabled, available sensitive queries, and if authentication is required. If introspection is not enabled on the endpoint, it will check if it is an Apollo Server and then can run Clairvoyance to brute force the schema.

See also graphql-path-enum to look for paths to certain types, like user IDs, emails, etc.

TL;DR Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans Rosén, Security Advisor at Detectify goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.

koenbuyens/oauth-2.0-security-cheat-sheet
An OAuth 2.0 security cheat sheet by Koen Buyens covering architectural decisions, client credentials, tokens, authorization code grant, PKCE, resource owner password grant, client credentials grant, and OIDC.

See also Koen’s Vulnerable-OAuth-2.0-Applications repo for hands-on practice.

Blue Team

3 mistakes I’ve made at the beginning of an incident (and how not to make them)
FireHydrant’s Robert Ross shares three mistakes he’s made during those stressful moments during the beginning of an incident: we didn’t have a plan, we weren’t production ready, and we fell down a cognitive tunnel.

The fewer rote decisions you have to make, the less context shifting you have to do, the faster you can remediate and get to making sure it doesn’t happen again.

Think Like a Detection Engineer, Pt. 1: Logging
Panther’s Jack Naglieri steps through the thought process of a Detection Engineer in the context of collecting security data.

  • Common sources of audit logs: infrastructure, host, network, application, database

  • Optimize for relevant, high-signal logs, consolidate data in a single place, and monitor the log pipeline to ensure there are no breakages, which creates blindspots.

OSINT / Recon

Affinis - Subdomain Discovery Through RNN (Recurrent Neural Network)
Affinis takes a list of subdomains generated from passive and active tools and formulates its own list of potential subdomains that the target may be using based off the ones that it already knows about. It’s found obscure subdomains that were never found with traditional passive and active subdomain discovery tooling.

pry0cc/pdiscovery-bot
A ProjectDiscovery-driven Attack Surface Management (ASM) bot by Ben Bidmead. Uses subfinder, httpx, dnsx, nuclei and notify!

projectdiscovery/tlsx
A fast and configurable TLS grabber focused on TLS based data collection, by ProjectDiscovery

Sponsor

📢 Complete vendor security assessments in ⅕ the time it used to take

Have a backlog of vendor reviews to complete? Or a large pipeline of new ones? Conveyor helps knock out security reviews in 79% less time. Find, connect, and assess all your vendors from a single platform. Fast, easy, accurate. Sign up for today & see if you qualify for your first review on us!

Cloud Security

joseadanof/awesome-cloudnative-trainings
A list of free trainings with and without certificates released for different companies supporting Cloud Native Computing Foundations Projects and Kubernetes, by Akamai’s Jose Adan Ortiz.

Eligible customers can now order a free MFA security key
U.S.-based AWS account root users who have spent more than $100 each month over the past 3 months can order a free MFA security key.

aidansteele/openrolesanywhere
An open-source proof-of-concept client for AWS IAM Roles Anywhere by Aidan Steele. Unlike the official client, this project lets you use private keys stored in an SSH agent. This is more flexible - and more secure if you use something like Secretive which stores unexportable keys in the macOS Secure Enclave hardware.

Tracking the Effectiveness of Cloud Adoption
AWS’s Nurani Parasuraman discusses how best to track the effectiveness of a company’s cloud adoption.

I’m including additional content and quotes from this one because I think it’s critical, as security professionals, to be able to speak to business goals and metrics (not just technical ones) as well as get executive buy-in for security initiatives you believe are important.

Try swapping “security” for “cloud” in some of the places below.

The post discusses:

  • Selecting the right KPIs

  • Nailing the “Why” we are adopting cloud

  • Driving Alignment

  • Focus on Business Value Measurement, Not just Technology Metrics

  • Rethink Legacy Metrics in Cloud

  • Measure activities that drive performance and not just the “output”

  • Picking Relevant Actionable Measures and the Importance of Baselining

  • Leverage cloud capabilities to automate data collection and building dashboards

The cloud is not a strategy in itself; it’s a remarkably powerful tool for accomplishing business outcomes. A common error is to think of cloud adoption merely as a “technology” initiative, while your real objectives are to improve business agility, operational resilience, and staff productivity and to reduce costs. In this case any attempt to measure progress of cloud adoption has to be broader than just IT operational metrics and should be tied to your primary business objectives.

The only KPIs for determining the success of cloud adoption are those that measure whether it is accomplishing the purpose you set for adopting the cloud in the first place. Cost savings are often the initial catalyst for considering the cloud, but broader business impacts such as customer value, business agility, operational resilience and staff productivity are the more compelling benefits of cloud adoption. Setting and communicating unambiguous business objectives is the first step that will drive what needs to be measured to track progress.

Requesting the CFO or CEO to prioritize investments that would reduce technical debt or modernize technology often goes nowhere. We would be more successful if we can explain how not solving Technical Debt has consequences that include risks, a lack of agility, and increased costs for future IT work . Our focus needs to shift from process-driven metrics to result-driven metrics. For example, measuring the business impact (failed customer transactions or revenue impact of failures or lost employee hours) due to system unavailability, is far more important than measuring just uptime or downtime hours.

Container Security

How attackers use exposed Prometheus server to exploit Kubernetes clusters
Sysdig’s Miguel Hernandez and David de Torres share a write-up of their KubeCon Valencia 2022 talk (and link the recording and slides), in which they discuss the risk of having an exposed Prometheus server, and how attackers can use this information to successfully access a Kubernetes cluster. Kubernetes cluster info that can be extracted via Prometheus includes:

MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Part 1
By Weaveworks: Learn about the first four threat vectors in Kubernetes: initial access, execution, persistence, and privilege escalation.

Misc

GitHub City
Create a 3D city from your GitHub contributions.

Paperad - Souvenir printer
Create personalized posters that trace the routes of your road trips, travels, marathons, etc.

Watch an 8-Part Film Adaptation of Tolstoy’s Anna Karenina Free Online
I still need to read Anna Karenina, but this sounds epic.

Meet the Man Reviewing Historical Sandwiches on TikTok
Barry Enderwick is eating his way through the past, one pan bagnat at a time.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint