Hey there,
I hope you've been doing well!
Bay Area Romance
Love is universal.
It brings us together across geographies, cultures, races, religions, beliefs, and more.
It can give us the highest of highs, or the lowest of lows. Make us feel on top of the world, or dashed to bits on the treacherous rocks of unrequited love.
While love is universal, there are regional cultural differences in what's expected, what's allowed, and what isn't.
And like accents, the language of love can vary. This Avril Lavigne parody rings true of the Bay Area 🤣
I also enjoyed the additional verses by @joeypohie or this excellent life/relationship advice by @ooolzhas:
If you're not there for me at my Pre-Seed, you don't deserve me at my IPO
Relatedly, I'm thinking about starting to work on a tl;dr sec guide on communication, dating, relationships, marriage, etc. (not a joke)
I'd love to hear if you'd find this interesting or useful, and if so, what you'd love to be in it, questions or challenges you have, really anything. Thanks in advance 🙏
Sponsor
📢 How to protect your APIs from modern security risks
APIs are difficult to secure and traditional methods like WAFs and Gateways are simply not enough. Today's security strategies need to consider the evolution of app development and a new era of attackers who target APIs. Only Salt Security provides the advanced security capabilities to ensure your APIs, applications, and sensitive data are protected. Read the Protecting APIs from Modern Security Risks white paper and learn how to secure your organization from today's threats.
Download the white paper here 👉
In this newsletter...
- Cryptocurrency: Two novel crypto wallet exploits explained, Ethereum smart contract best practices, overview of recent U.S. crypto bill
- Web Security: GraphQL automated security testing toolkit, account hijacking using "dirty dancing" in sign-in OAuth flows, OAuth 2.0 security cheat sheet
- Blue Team: 3 mistakes at the beginning of an incident, think like a detection engineer
- OSINT / Recon: Subdomain discovery through RNN, ProjectDiscovery-driven Attack Surface Management bot, fast and configurable TLS grabber
- Cloud Security: Awesome cloud native trainings, get a free MFA security key from AWS, Open Roles Anywhere PoC, tracking the effectiveness of cloud adoption and speaking business
- Container Security: On the security risks of exposing the Prometheus server, overview of the first four threat vectors in ATT&CK for Kubernetes
- Misc: How to keep your houseplants from dying this summer, create a 3D city from your GitHub contributions, create a personalized poster of your trip routes, watch Anna Karenina film adaptation, reviews of historical sandwiches
Cryptocurrency
Two Novel Crypto Wallet Exploits, Explained
At the last "Off the Chain" Web3 security conference, colocated with RSA, Unciphered, a cryptocurrency asset recovery company, unveiled three novel exploits impacting popular (and once-popular) crypto wallets: Electrum Bitcoin Wallet, Trezor One, and Ethereumwallet.com. Eric Michaud showed an Electrum RCE via a malicious QR code that would let you access all the Bitcoins stored in the wallet, and brute-forcing improvements that enable you to determine a Trezor One's PIN.
Ethereum Smart Contract Best Practices
By ConsenSys Diligence: This guide provides a baseline knowledge of security considerations for intermediate Solidity programmers, covering the smart contract security mindset, development recommendations with examples of good patterns, known attacks and classes of vulnerabilities to avoid, security tools, and a list of bug bounty platforms in the ecosystem.
Web Security
gsmith257-cyber/GraphCrawler
A GraphQL automated security testing toolkit by Grant Smith. It checks whether mutations are enabled, which sensitive queries are available, and whether authentication is required. If introspection is not enabled on the endpoint, it checks whether the endpoint is an Apollo Server and can then run Clairvoyance to brute force the schema.
See also graphql-path-enum to look for paths to certain types, like user IDs, emails, etc.
Account hijacking using "dirty dancing" in sign-in OAuth flows
Impressive research by Detectify's Frans Rosén:
TL;DR Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party JavaScript inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans Rosén, Security Advisor at Detectify goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
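As an added illustration (my own code, not from Detectify's post), here is an OAuth client callback handler that applies the client-side checks relevant to the scenarios above: a single-use state value compared in constant time, outright refusal of tokens delivered via a switched response type (fragment or query), and a redirect of every failure to a parameter-free URL so no code or token is left in a page that may load third-party scripts. The /login/error and /app paths are placeholders.

```python
# Added example, not from Detectify's post: defensive OAuth 2.0 callback checks.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SENSITIVE = {"code", "access_token", "id_token"}
CLEAN_ERROR_URL = "/login/error"  # placeholder: page must not load third-party JS
APP_URL = "/app"                  # placeholder


def begin_login(session: dict) -> str:
    """Mint a fresh, single-use state for an authorization code request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(url: str, session: dict) -> dict:
    """Validate the redirect back from the authorization server.

    Returns {"ok": bool, "code": str | None, "redirect": str}. On failure the
    caller must redirect to 'redirect' (which carries no code or token) instead
    of rendering a page at the original URL, so nothing sensitive can leak via
    the Referer header or third-party JavaScript running on that page.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    expected = session.pop("oauth_state", None)  # consumed: a replay cannot reuse it
    failure = {"ok": False, "code": None, "redirect": CLEAN_ERROR_URL}

    # Response-type switching: we requested a code, so a token in the fragment
    # or query means the flow was altered; refuse it before anything else.
    if fragment.keys() & SENSITIVE or query.keys() & {"access_token", "id_token"}:
        return failure
    # Invalid or missing state: reject without touching the code. The comparison
    # is constant-time and byte-based so unexpected input cannot raise TypeError.
    got = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(got.encode(), expected.encode()):
        return failure
    code = query.get("code", [None])[0]
    if not code:
        return failure
    return {"ok": True, "code": code, "redirect": APP_URL}
```

In a real client the returned code is exchanged at the token endpoint (with PKCE) before the user is redirected to APP_URL.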
koenbuyens/oauth-2.0-security-cheat-sheet
An OAuth 2.0 security cheat sheet by Koen Buyens covering architectural decisions, client credentials, tokens, authorization code grant, PKCE, resource owner password grant, client credentials grant, and OIDC.
See also Koen's Vulnerable-OAuth-2.0-Applications repo for hands-on practice.
Blue Team
3 mistakes I've made at the beginning of an incident (and how not to make them)
FireHydrant's Robert Ross shares three mistakes he's made during those stressful moments at the beginning of an incident: we didn't have a plan, we weren't production ready, and we fell down a cognitive tunnel.
The fewer rote decisions you have to make, the less context shifting you have to do, the faster you can remediate and get to making sure it doesn't happen again.
Think Like a Detection Engineer, Pt. 1: Logging
Panther's Jack Naglieri steps through the thought process of a Detection Engineer in the context of collecting security data.
- Common sources of audit logs: infrastructure, host, network, application, database
- Optimize for relevant, high-signal logs, consolidate data in a single place, and monitor the log pipeline to ensure there are no breakages, since a silent break creates blind spots.
OSINT / Recon
Affinis - Subdomain Discovery Through RNN (Recurrent Neural Network)
Affinis takes a list of subdomains generated from passive and active tools and formulates its own list of potential subdomains that the target may be using, based off the ones that it already knows about. It's found obscure subdomains that were never found with traditional passive and active subdomain discovery tooling.
pry0cc/pdiscovery-bot
A ProjectDiscovery-driven Attack Surface Management (ASM) bot by Ben Bidmead. Uses subfinder, httpx, dnsx, nuclei and notify!
projectdiscovery/tlsx
A fast and configurable TLS grabber focused on TLS based data collection, by ProjectDiscovery.
Sponsor
📢 Complete vendor security assessments in ⅓ the time it used to take
Have a backlog of vendor reviews to complete? Or a large pipeline of new ones? Conveyor helps knock out security reviews in 79% less time. Find, connect, and assess all your vendors from a single platform. Fast, easy, accurate. Sign up for today & see if you qualify for your first review on us!
Try it for free
Cloud Security
joseadanof/awesome-cloudnative-trainings
A list of free trainings, with and without certificates, released by different companies supporting Cloud Native Computing Foundation projects and Kubernetes, by Akamai's Jose Adan Ortiz.
Eligible customers can now order a free MFA security key
U.S.-based AWS account root users who have spent more than $100 each month over the past 3 months can order a free MFA security key.
aidansteele/openrolesanywhere
An open-source proof-of-concept client for AWS IAM Roles Anywhere by Aidan Steele. Unlike the official client, this project lets you use private keys stored in an SSH agent. This is more flexible, and more secure if you use something like Secretive, which stores unexportable keys in the macOS Secure Enclave hardware.
Tracking the Effectiveness of Cloud Adoption
AWS's Nurani Parasuraman discusses how best to track the effectiveness of a company's cloud adoption.
I'm including additional content and quotes from this one because I think it's critical, as security professionals, to be able to speak to business goals and metrics (not just technical ones) as well as get executive buy-in for security initiatives you believe are important.
Try swapping "security" for "cloud" in some of the places below.
The post discusses:
- Selecting the right KPIs
- Nailing the "Why" we are adopting cloud
- Driving Alignment
- Focus on Business Value Measurement, Not just Technology Metrics
- Rethink Legacy Metrics in Cloud
- Measure activities that drive performance and not just the "output"
- Picking Relevant Actionable Measures and the Importance of Baselining
- Leverage cloud capabilities to automate data collection and building dashboards
The cloud is not a strategy in itself; it's a remarkably powerful tool for accomplishing business outcomes. A common error is to think of cloud adoption merely as a "technology" initiative, while your real objectives are to improve business agility, operational resilience, and staff productivity and to reduce costs. In this case any attempt to measure progress of cloud adoption has to be broader than just IT operational metrics and should be tied to your primary business objectives.
The only KPIs for determining the success of cloud adoption are those that measure whether it is accomplishing the purpose you set for adopting the cloud in the first place. Cost savings are often the initial catalyst for considering the cloud, but broader business impacts such as customer value, business agility, operational resilience and staff productivity are the more compelling benefits of cloud adoption. Setting and communicating unambiguous business objectives is the first step that will drive what needs to be measured to track progress.
Requesting the CFO or CEO to prioritize investments that would reduce technical debt or modernize technology often goes nowhere. We would be more successful if we can explain how not solving Technical Debt has consequences that include risks, a lack of agility, and increased costs for future IT work. Our focus needs to shift from process-driven metrics to result-driven metrics. For example, measuring the business impact (failed customer transactions or revenue impact of failures or lost employee hours) due to system unavailability, is far more important than measuring just uptime or downtime hours.
Container Security
How attackers use exposed Prometheus server to exploit Kubernetes clusters
Sysdig's Miguel Hernandez and David de Torres share a write-up of their KubeCon Valencia 2022 talk (and link the recording and slides), in which they discuss the risk of having an exposed Prometheus server, and how attackers can use this information to successfully access a Kubernetes cluster. Kubernetes cluster info that can be extracted via Prometheus includes:

MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Part 1
By Weaveworks: Learn about the first four threat vectors in Kubernetes: initial access, execution, persistence, and privilege escalation.

Misc
How to keep your houseplants from dying this summer
Some tips from Popular Science.
GitHub City
Create a 3D city from your GitHub contributions.
Paperad - Souvenir printer
Create personalized posters that trace the routes of your road trips, travels, marathons, etc.
Watch an 8-Part Film Adaptation of Tolstoy's Anna Karenina Free Online
I still need to read Anna Karenina, but this sounds epic.
Meet the Man Reviewing Historical Sandwiches on TikTok
Barry Enderwick is eating his way through the past, one pan bagnat at a time.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler