
[tl;dr sec] #151 - Why Security Products Fail, Pentesting.Cloud, CVE North Stars

Why security products can be ineffective, cloud pen testing exercises, review CVEs to learn vulnerability discovery.

Hey there,

I hope you’ve been doing well!

Product’s Back, Alright!

I’ve recently been learning a lot about Product thinking from my bud Luke O’Malley, and I’ve always loved an apt diagram, so this one tickled my fancy:

Sponsor

📢 The Benefits of Using Python to Write SIEM Detections

Legacy SIEM solutions have offered a number of operational challenges for a security team. One of the key pillars contributing to these challenges is the usage of proprietary SIEM languages within the tools. In this blog, learn about the challenges of proprietary SIEM coding languages, ways to optimize threat detection with Python-based rules, and the impacts on mean-time-to-detection (MTTD) and overall SIEM costs.

📜 In this newsletter...

  • AppSec: Use CVEs to learn vulnerability discovery, time to deprecate C/C++, threat intel should just say "use webauthn"

  • Web Security: XSS scanning tool, tool to use AWS API Gateway as a proxy to enable web scraping, Spring actuator security, how to bypass Cloudflare

  • Supply Chain: White House guidance on software supply chain security, a criticism of CISA/NSA's supply chain security guide, case study of finding exposed and vulnerable jQuery versions

  • Apple: Apple is killing the password with passkeys, iOS 16 security and privacy features overview

  • Cloud Security: Debug AWS Lambda functions locally, cloud pentesting challenges, tool to gain understanding and find attack paths in AWS environments, some useful cloud design patterns

  • Container Security: PCI guidance for containers and container orchestration tools, Kubernetes security for CISOs

  • Misc: Hamilton has been translated to German, Cloudflare's replacement HTTP proxy written in Rust, tech workers are paying for leg-lengthening surgery

  • The Long Haul: What we're learning about long COVID

  • Why do security products fail?: Four reasons why security products can fail and principles every security product should consider

AppSec

CVE North Stars
By @clearbluejar: Leveraging CVEs as North Stars in vulnerability discovery and comprehension. Learn:

  • A practical method to focus on a set of CVEs to discover and generalize a vulnerability class.

  • How to apply patch diffing (with Ghidra) to relevant security updates to determine what changes were made to fix a specific vulnerability.

  • How to perform Root Cause Analysis to determine whether a specific security patch was effective.

Mark is the CTO of Microsoft Azure.

Web Security

hahwul/dalfox
An open source XSS scanning tool and parameter analyzer, by Hahwul.

Ge0rg3/requests-ip-rotator
By George O: A Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.

Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with Semgrep
In Part 1, iteratec’s Max Maass walked through how Spring Actuators can be used to steal secrets. In this post, Max shows how to write Semgrep rules to find all Actuators, filter out intentionally exposed actuators, and ignore cases when a specific port and address have been specified. Nice example of iterating on a custom rule and easily analyzing YAML files.
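The same triage logic as a small Python check over an application.properties file (an added example, not the post's Semgrep rules): list the actuator endpoints a config exposes over HTTP, drop the ones that are normally exposed on purpose, and stay quiet when the management server is pinned to a loopback address and port. The endpoint lists and the sample configs are assumptions constructed for the example.

```python
"""Flag risky Spring Boot actuator exposure in application.properties."""
import re

# Actuator endpoint ids that leak secrets or internals when reachable
# (assumed list for this example; extend to match your threat model).
SENSITIVE_ENDPOINTS = {"env", "heapdump", "beans", "configprops",
                       "mappings", "threaddump", "loggers"}
# Endpoints usually exposed on purpose for monitoring; not reported.
INTENTIONAL = {"health", "info", "prometheus", "metrics"}


def parse_properties(text):
    """Minimal key=value / key: value parser; ignores comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def exposed_actuators(props):
    """Endpoint ids exposed over the web, after include/exclude handling."""
    # Spring Boot 2.x exposes only 'health' over HTTP unless configured;
    # treated as the default here.
    include = props.get("management.endpoints.web.exposure.include", "health")
    exclude = props.get("management.endpoints.web.exposure.exclude", "")
    excluded = {e.strip() for e in exclude.split(",") if e.strip()}
    if include.strip() == "*":
        ids = SENSITIVE_ENDPOINTS | INTENTIONAL
    else:
        ids = {e.strip() for e in include.split(",") if e.strip()}
    return ids - excluded


def bound_to_loopback(props):
    """True when a separate management port AND a loopback address are set."""
    addr = props.get("management.server.address", "")
    port = props.get("management.server.port", "")
    return bool(port) and addr in {"127.0.0.1", "localhost", "::1"}


def findings(text):
    """Sorted list of risky endpoint ids reachable from the network, or []."""
    props = parse_properties(text)
    risky = exposed_actuators(props) - INTENTIONAL
    if not risky or bound_to_loopback(props):
        return []
    return sorted(risky)


# Constructed sample configs for the example.
WILDCARD = "management.endpoints.web.exposure.include=*\n"
LOOPBACK = ("management.endpoints.web.exposure.include=*\n"
            "management.server.port=8081\n"
            "management.server.address=127.0.0.1\n")
PARTIAL = "management.endpoints.web.exposure.include=health,env\n"
DEFAULT = "# nothing configured: only health is exposed\n"

if __name__ == "__main__":
    for name, cfg in [("wildcard", WILDCARD), ("loopback", LOOPBACK),
                      ("partial", PARTIAL), ("default", DEFAULT)]:
        print(name, findings(cfg))
```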

How to Bypass Cloudflare: A Comprehensive Guide
This post from ZenRows discusses what Cloudflare Bot Management is, how it works (passive and active bot detection techniques), walks through reverse engineering Cloudflare’s JavaScript challenge, and how to bypass Cloudflare’s bot detection.

Supply Chain

Securing the Supply Chain of Nothing
In tl;dr sec #149, I referenced the document Securing the Software Supply Chain – Recommended Practices Guide for Developers, by CISA, NSA, and ODNI. In this post, Kelly Shortridge writes a rebuttal in the form of ten objections.

The document’s guidance contains a mixture of impractical, confusing, confused, and even dangerous recommendations.


Software Dependency Failures: jQuery, a Canary in the Coal Mine
An interesting case study in how many public web apps are affected by a CVE in a popular library. Lari Huttunen chose a jQuery CVE that affects most jQuery versions and then used a jQuery UI dork on Shodan to find affected hosts. Based on a sample of 100K hosts, he found that:

  • ~26% of all the publicly reachable jQuery UI web apps contain a vulnerable version

  • ~21% of jQuery UI instances are end-of-life (no longer supported versions)

Apple

Apple’s Killing the Password. Here’s Everything You Need to Know
With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords. Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), and can be synced across devices using iCloud’s Keychain.

  • Safety Check: Quickly reset all of the data and location access you have granted to other people (aimed at people in domestic or intimate partner violence situations).

  • Emergency Reset: One-tap option that immediately stops sharing everything with all people and apps. It also lets you remove all emergency contacts and reset your Apple ID and password so no one can log into your account.

  • Manage Sharing: See an overview of what you’re sharing so you can’t be secretly tracked or monitored using location sharing, shared albums, or other ‌iPhone‌ features.

  • In the ‌iOS 16‌ Photos app, the Hidden and Recently Deleted albums are not able to be opened up without authentication.

  • Rapid Security Response: With ‌iOS 16‌, Apple can send out security updates without needing to update the entire operating system.

  • Apps in ‌iOS 16‌ need explicit user permission before accessing the clipboard.

  • Passkeys: Described above.

  • Lockdown Mode: Limits or disables functionality of many iPhone features for activists, journalists, and others who are targeted by sophisticated cyberattacks.

Cloud Security

thundra-io/merloc
By Thundra: A live AWS Lambda function development and debugging tool. MerLoc lets you run AWS Lambda functions on your local machine while they remain part of a flow in the remote AWS cloud.

PenTesting.Cloud
Free cloud-focused security challenges, covering: bypassing IMDSv2 metadata controls, S3 buckets, leaky CloudFormation templates, etc.

Introducing CloudFox
Bishop Fox’s Seth Art and Carlos Vendramini describe CloudFox, a CLI tool that helps you gain situational awareness in unfamiliar cloud environments. It was created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.

Container Security

New Information Supplement: Guidance for Containers and Container Orchestration Tools
The PCI Council has published their best practice guidance for containers and container orchestration tools. See also Rory McCune’s blog post that gives an excellent overview, calls out important points, and some of the implications of the recommendations.

Kubernetes Security For CISOs
KSOC’s Jimmy Mesta describes the top five security measures that CISOs should be thinking about for any Kubernetes implementation.

  • Secure authentication solutions

  • Kubernetes habits: single vs multi tenancy, observability, namespaces

  • Scanning and verifying container images

  • Compliance Audits

  • Multi-environment flexibility

Sponsor

📢 20 Tips to Make the Most of Your Pen Test

Penetration tests are an essential weapon in your offensive security arsenal. But not all pen tests are created equal. There are common pitfalls that can cost you in terms of quality, project delays, or unnecessary expense. Learn how to avoid them with these 20 tips curated from our team of expert pen testers, with thousands of security engagements under their belts. Whether you’re a pen test veteran, or are about to contract your first one, this eBook will help get you on the right track — and stay on it throughout the process.

Speaking as a former penetration tester, these are good tips 👍

Misc

How we built Pingora, the proxy that connects Cloudflare to the Internet
Cloudflare discusses Pingora, a new HTTP proxy they’ve built in-house using Rust that serves over 1 trillion requests a day, boosts performance, and enables many new features for Cloudflare customers, all while requiring only a third of the CPU and memory resources of their previous proxy infrastructure (NGINX). They plan to open source Pingora in the future.

Google cancels half the projects at its internal R&D group Area 120
From 14 projects -> 7. The division is now focusing its efforts on AI-first projects only.

Tech Workers Are Paying $75K for Leg-Lengthening Surgery
Ow. How it works: the doctor breaks the patients’ femurs, or thigh bones, and inserts metal nails into them that can be adjusted. The nails are extended a tiny bit every day for three months with a magnetic remote control. Growing 3-6 inches costs $70 - $150K.

There may be no correlation between the severity of your COVID case and the lasting effect on your brain. You thought COVID felt like having a cold? Great, but you still may not know what the virus has done, or is doing, to your body. “Acute COVID-19 is a respiratory disease,” Koralnik says. “But long COVID is mostly about the brain.”

Long COVID is now the country’s third leading neurological disorder, the American Academy of Neurology declared in July. As of the end of May, there were 82.5 million COVID survivors in the United States, and 30 percent of them — about 24.8 million — were considered “long-haulers.” A recent study of Northwestern’s Neuro COVID-19 Clinic patients showed that most neurological symptoms persist for an average of nearly 15 months after the disease’s onset.

“There is brand-new data showing that if you’ve been double vaccinated and boosted, then the risk of developing long COVID, if you get COVID, is probably more like 16%.”

“Turns out people with the mild cold-like symptoms are the people with the neurological manifestations.”

The Brookings Institution reported in August that between two million and four million Americans aren’t working because of the effects of long COVID.

While technology has advanced, security is still dealing with the same problems of the past. Datadog CISO Emilio Escobar weighs in on why security products can fail:

  • They introduce toil

  • Lack of attention to user experience

  • They’re built for security, by security

  • Lack of measurable effectiveness

Principles every security product should consider:

  • Time to decision

  • Think of all the customer personas

  • Use what’s already there

Your security product will not be the one product that rules them all nor will you have Frodo as a customer (and you should not want there to be) to carry the burden of pushing your product into Mordor. Understand the real pains of your customers and how they make decisions. Provide paths into these decision systems so that you can have cross-collaboration between the persona that pays for your product and the personas that have to deal with it.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint
