• tl;dr sec
  • Posts
  • [tl;dr sec] #145 - Defending Against Phishing, iOS Privacy, DEF CON Advice

[tl;dr sec] #145 - Defending Against Phishing, iOS Privacy, DEF CON Advice

Cloudflare's write-up on a sophisticated phishing campaign, examining Meta apps' privacy implications and iOS16's Lockdown Mode, be yourself and find your tribe at DEF CON

Hey there,

I hope you’ve been doing well!

Garbage Collection that Sparks Joy

If you’ve been reading tl;dr sec for awhile, you probably have an (accurate) mental model that I live a hardcore, rocker lifestyle.

You know, like going hard Friday nights: reading about building AppSec programs with a glass of red wine, with notes of oak, subtle Italian leather, and nerd tears that have fallen into the glass.

As an example of the crazy things I get up to, I give you my latest experiment: trying a series of trash cans to see which ones are the right size and have the right aesthetic.

My colleagues definitely respected this experiment and did not tease me in any way.

Join Me at sec4dev

I love the idea behind sec4dev: a security conference for developers!

And I couldn’t be more excited to be giving a 2-day workshop and keynote 😀 (Sidenote: it feels weird going to a conference’s home page and seeing your face right there.)

There are a bunch of other great speakers and trainers who I’m a fan of and have been looking forward to meeting.

sec4dev is coming up soon: hope to see you or some of the developers you support in Vienna, this September 6-9.

Sponsor

📢 Faraday security- Open Source Vulnerability Manager

The new version of our open source platform is here!

Faraday was built from within the CyberSec community. We think of security as an integrated ecosystem where every part counts. This is our contribution: a renewed open-source community version. With a complete new dashboard, and UI experience to improve pentesters' day-to-day work.

Hate spending time on manual tasks? You can now focus on discovering vulnerabilities while we help you with the rest.

📜 In this newsletter...

  • AppSec: Mapping STRIDE to OWASP ASVS, catching security vulnerabilities with Semgrep

  • Web Security: How to hack web apps in 2022, customizable security middleware for Apollo GraphQL servers

  • Supply Chain: CloudSecDocs supply chain pages, a private Terraform registry, adopting Sigstore incrementally

  • AWS IAM Roles Anywhere: Setting it up with GitHub Codespaces, walkthrough of using it with your own CA and signing client certs

  • Cloud Security: HashiCorp State of Cloud Survey survey, cloud DNS security overview

  • Blue Team: Open sourced YARA and endpoint behavior rules from Elastic, Python library to parse .NET PE files, how to objectively measure a detection rule's strength, the mechanics of a sophisticated phishing scam and how we stopped it

  • Politics / Privacy: Fraud charges against Uber ex-CISO dropped, Instagram and Facebook apps can track anything you do on any website in their in-app browser, analyzing iOS 16 Lockdown mode browser features and performance

  • Misc: Summarize HN with GPT-3, convert English to cron expressions, an argument for why Amazon's One Medical acquisition is OK, the Disney World for bodybuilders

  • Ean Meyer's DEF CON Advice: Be yourself, find your tribe

AppSec

mllamazares/STRIDE-vs-ASVS
Tecdata Engineering’s Miguel Llamazares’s repo aims to bridge threat modeling and the security controls definition by providing an equivalence table that maps the STRIDE model against OWASP Application Security Verification Standard (ASVS) chapters.

Catching Security Vulnerabilities With Semgrep
Santosh Bhandari shares a write-up of his PenTester Nepal talk as a blog post, giving an intro to writing Semgrep rules, including examples of rules to flag command injection or missing authentication on a controller.

If you have a bug bounty program where you receive a submission then you can write a rule to find similar vulnerabilities across your code base before others find them. Every organization has its own coding and development patterns. Once we understand the methodology, we can write rules to catch common programming bugs and security loopholes.

Web Security

How To Hack Web Applications in 2022: Part 2
Hakluke provides an overview of several vulnerability classes, including SSRF, business logic flaws, insecure direct object references (IDORs), authentication issues, CSRF, directory traversal, file inclusion and more.

Escape-Technologies/graphql-armor
A customizable security middleware for Apollo GraphQL servers and Envelop, by Escape. Plugins: disable Apollo Server stacktraces and batched queries (enabled by default), enforce a character limit on queries, cost analysis that attempts to block queries that appear too expensive, disable field suggestions (can leak the schema), and more.

Interesting, I hadn’t heard of Envelop before, which is a GraphQL plugin system that lets you build and share plugins that are usable with any GraphQL server framework or schema.

Supply Chain

CloudSecDocs: Supply Chain
My bud Marco Lancini has a few pages on his great CloudSecDocs wiki for supply chain security. They provide a nice overview, breakdown, and useful references for topics like SLSA, Sigstore, and more.

valentindeaconu/terralist
By Sector Labs’s Valentin Deaconu: A private Terraform registry for providers and modules following the published HashiCorp protocols. It provides a secure way to distribute your confidential modules and providers, and soon a management interface to visualize documentation.

Adopting Sigstore Incrementally
Hayden Blauzvern outlines strategies to ease adoption of Sigstore while still using existing signing approaches.

  • Signing with self-managed, long-lived keys

  • Signing with self-managed keys with auditability

  • Self-managed keys in identity-based code signing certificate with auditability

  • Identity-based (“keyless”) signing

AWS IAM Roles Anywhere

Setup GitHub Codespaces with AWS IAM Roles Anywhere
Nathan Glover describes configuring IAM Roles Anywhere to work with GitHub Codespaces, a GitHub feature that allows you to spin up a fully powered VS Code instance in the cloud and write code there.

Calling AWS from Your On-Premises with IAM Roles Anywhere
CyberArk’s Roy Ben Yosef walks through using IAM Roles Anywhere, including rolling your own CA and signing client certificates using OpenSSL. See also AWS’ monitoring guide for IAM Roles Anywhere.

Cloud Security

HashiCorp State of Cloud Strategy Survey
Insights from HashiCorp’s 2022 State of Cloud Strategy Survey, commissioned by HashiCorp and conducted by Forrester Consulting. Forrester surveyed more than 1,000 technology practitioners and decision makers from around the world, drawn from random samplings as well as the HashiCorp opt-in contact database.

Some stats that stuck out to me:

  • 81% of companies are or are planning to use multiple cloud providers

  • 86% have a centralized function or group responsible for cloud operations or strategy

Cloud DNS Security - How to protect DNS in the Cloud
Sysdig’s Brett Wolmarans describes some deployment options for DNS security and some security best practices for DNS in the Cloud.

Sponsor

📢 Malware Detection In Less Than 180 Seconds

Crytica Security introduces a Zero-Day Detection™ so you have one less thing to “dwell” on.

Architected specifically to observe any unauthorized change to a system’s operation, be it benign, malignant, or fatal, Crytica’s detection engine will continuously scan your system’s entire internal infrastructure; providing rapid notifications, within seconds, of all detection alerts.

Blue Team

elastic/protections-artifacts
Elastic released 1000+ YARA rules (targeting trojans, ransomware, cryptominers, attack penetration frameworks, and more) and 200+ endpoint behavior rules, mapped to MITRE ATT&CK tactic and technique.

dotnetfile Open Source Python Library: Parsing .NET PE Files Has Never Been Easier
Palo Alto Networks’s Yaron Samuel describes dotnetfile a Common Language Runtime (CLR) header parser library for Windows .NET files built in Python. In addition to parsing, it supports more advanced functionality like a new original fingerprinting technique (MemberRef Hash) that can be used to cluster samples, discovering potential entry points, and detecting anomalies in .NET metadata structures (often used by packers and protectors to break parsing).

How To Objectively Measure A Detection Rule’s Strength
CDW’s Tareq Alkhatib walks through a number of considerations when evaluating the effectiveness of a detection rule.

Summary: Rule strength is a function of the level of control the attacker has over the rule fields, blacklisting vs. whitelisting, data source coverage, host coverage, and data volume.

The mechanics of a sophisticated phishing scam and how we stopped it
Cloudflare’s Matthew Prince, Daniel Stinson and Sourov Zaman share details about a phishing attack targeting Twilio, Cloudflare, and likely others. Nice breakdown, and it was neat to see how Cloudflare dogfoods its own security products to protect itself.

Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees family members.

We’re adjusting the settings for Cloudflare Gateway to restrict or sandbox access to sites running on domains that were registered within the last 24 hours. We will also run any non-whitelisted sites containing terms such as “cloudflare” “okta” “sso” and “2fa” through our browser isolation technology. We are also increasingly using Cloudflare Area 1’s phish-identification technology to scan the web and look for any pages that are designed to target Cloudflare. Finally, we’re tightening up our Access implementation to prevent any logins from unknown VPNs, residential proxies, and infrastructure providers. All of these are standard features of the same products we offer to customers.

Like Google, we have not seen any successful phishing attacks since rolling hard keys out.

If you’re an organization interested in how we rolled out hard keys, reach out to [email protected] and our security team would be happy to share the best practices we learned through this process.

Politics / Privacy

Fraud charges in hacking case against Uber ex-security chief are dismissed
This case will set an interesting precedent for what CISOs are on the hook for legally.

iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
Felix Krause outlines how Meta’s apps bypass various privacy features. Great example of writing that both provides technical details and “why should I care / what does this mean” for nontechnical readers.

The post lists a number of potential solutions, but the easiest is: whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.

The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

Analyzing iOS 16 Lockdown Mode: Browser Features and Performance
Nice overview of what Lockdown Mode entails, with a focus on browser features that are disabled (WebRTC, WebGL, some HTML5 features, doesn’t render PDFs by default, etc.) and performance (2x-20x hit in JavaScript benchmarks).

The JavaScript performance doesn’t impact all aspects of web use - rendering and such is still just as fast. Anecdotally, Russell Graves found the performance acceptable unless it was a very JavaScript-heavy site. Note that you can disable Lockdown Mode for specific trusted sites.

The cat and mouse game has gone on for a while, but the latest wave of exploits against Apple were rather embarrassing. Various iMessage exploits were being used, so Apple added a sandbox called BlastDoor. And then attackers worked around it. The sandboxing was a classical example of “Solving the problems caused by complexity by adding complexity,” and it didn’t work. Whoops.

So Lockdown is, as I see it, going the other way. Instead of trying to parse all sorts of crazy stuff for a user’s convenience, you simply don’t do those things. Anywhere you can, you reduce the attack surface, and reduce the attacker’s ability to chain things together to create an exploit. But it’s an admission that the complexity of a modern phone operating system (or tablet, or desktop OS) have just gotten too much to handle, so the best path forward is to offer the option to not do those things.

Misc

Autosummarized HN
GPT-3 created summaries of Hacker News stories.

Cron Prompt
Convert English to Cron Expressions.

Amazon will be better at securing medical data than One Medical or any other medical startup. And they’re not likely to abuse that power because of how bad it would be for their business.

Welcome to Alphaland, the Disney World for Bodybuilders
I’ve found the location for the first TL;DR SECon 💪 #SwoleSec

Meatheads from around the country fly in to the 30,000-square-foot gym in the Houston suburbs where you’re no one if you’re not flexing, vlogging, or networking.

 

Great thread, love the positivity.

You don’t have to drink to be welcomed by people. If you don’t feel welcome move on. There are plenty of folks to meet.

You do not need a burner phone and to throw your gear into the sun after returning. If you want to do that, you do you. Good advice: Update your equipment and make a backup that you leave at home or in the cloud before you leave. Turn off Bluetooth and Wifi when not in use.

Use a VPN when you are on a network you don’t trust or your own LTE hotspot.

Every ATM in Vegas isn’t hacked.

You can not and will not be able to see everything. Make a small list of things you must do: Talks, Meet Ups with people, and make plans to do those things. If you don’t make a solid plan you will get distracted and they won’t happen.

Be yourself and find the people that have your vibe. You don’t need to change yourself to fit in. Trying to be “the hacker DEF CON expects you to be” will be exhausting. Be the person you are that makes DEF CON what it is: a diverse set of very curious people.

Revel in curiosity, meet those that are curious like you, and stay in touch with them. Then next year it will feel like a reunion! You have no ones expectations to live up to including your own. Be unequivocally you. Authentic people gravitate to each other. Happy Summer Camp!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint