Hey there,
I hope you've been doing well!
The Real MVPs
I'm busy this week with Global AppSec SF and other stuff, so imagine a really clever intro and build up that logically progresses to this:
Sponsor
📢 Forget everything you know about SSH
Say hello to Tailscale SSH — and say goodbye to managing SSH keys, setting up bastion jump boxes, and unnecessarily exposing your private production devices to the open internet. Never deploy an infrastructure bastion again.
SSH from mobile devices, and across OSes. Tailscale SSH works where Tailscale works. Code from an iPad to your Linux workstation, without having to figure out how to get your private SSH key onto it. Answer an on-call emergency from anywhere, which means you can leave your desk now.
Use Tailscale for free
In this newsletter...
- Web Security: HTTP/3 connection contamination explainer, exploiting static site generators, Firebase exploiter, Burp extension that hijacks Burp's HTTP/TLS stack
- Supply Chain: OpenSSL as example of supply chain security challenges, finding malicious PyPi packages with static analysis, attack trees for attacking GitHub
- Cloud Security: Tool to find secrets in S3 buckets, AWS SSO reporter, AWS IAM roles are unnecessarily complex, have an AWS account just for getting into other AWS accounts
- Politics / Privacy: What happens when everything becomes TikTok
- Misc: Spreadsheet escape room, see the inside of the CIA museum virtually, Clippy Christmas sweater, edible rescue drone, USENIX Security '22 program, Q3 2022 ThinkstScapes, don't give your kids an allowance
- Twitter and Mastodon: Mastodon intro and overview, why scaling Mastodon is hard, some details on the inside of Twitter, stealing passwords from infosec Mastodon with HTML injection
Web Security
HTTP/3 Connection Contamination Made Simple
Portswigger's James Kettle describes this new attack in a 5 minute video and one slide. See the blog for more.
Exploiting Static Site Generators: When Static Is Not Actually Static
Assetnote's Shubham Shah describes a persistent XSS issue they discovered on Next.js websites on Netlify and an SSRF on GatsbyJS.
securebinary/firebaseExploiter
By SecureBinary: A vulnerability
discovery tool that discovers Firebase databases that are open and can be
exploited. Primarily built for mass hunting bug bounties and penetration
testing.
sleeyax/burp-awesome-tls
By @Sleeyax: A Burp Suite extension that hijacks Burp's HTTP/TLS stack and allows you to spoof any browser fingerprint in order to make it more powerful and less prone to fingerprinting by all kinds of WAFs.
Supply Chain
Challenges with the Supply Chain Security Ecosystem - An OpenSSL Story
Sherif Mansour describes the current challenges in understanding: newly published vulnerabilities, your company's exposure, remediation, monitoring and preventative controls, as well as promising developments and what he'd like to see in the future.
Finding malicious PyPI packages through static code analysis: Meet GuardDog
Datadog's Ellen Wang and Christophe Tafani-Dereeper announce GuardDog, a new tool that can identify malicious PyPi packages with Semgrep and package metadata analysis. They also released a corpus of 140+ actual malicious packages they found in the wild here.
See also Ellen's Global AppSec SF talk this Friday at 4:30pm in Bayview A.
SLSA dip — At the Source of the problem!
François Proulx discusses different strategies for attacking GitHub, from a red team and blue team perspective. Then he combines all of the attacks and mitigations into an attack tree built using Deciduous, an open-source security decision tree tool. The attacks focus on three malicious end goals:
- Submit malicious source code
- Delete source code
- Push a release tag pointing to vulnerable commit

Cloud Security
Eilonh/s3crets_scanner
A tool to find secrets in public S3 buckets. Lists public buckets in an account, lists textual or sensitive files (e.g. .p12, .pgp, etc.) and downloads and scans files using truffleHog3.
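The three-step pipeline the summary above describes (find public buckets, filter to sensitive file types, scan the contents) is easy to get subtly wrong: a bucket can be public by ACL or by bucket policy, and both have to be checked. The following is an added example written for this newsletter, not s3crets_scanner's own code. It runs offline over a constructed bucket inventory; the extension list beyond .p12/.pgp, the two secret patterns standing in for truffleHog3, and all bucket and object names are assumptions. A live run would fill the same dicts from boto3's list_buckets, get_bucket_acl, get_bucket_policy and list_objects_v2.

```python
import json
import re

# Extensions treated as "textual or sensitive" in this added example. The page
# only names .p12 and .pgp; the rest of this list is an assumption, not the
# tool's own list.
SENSITIVE_SUFFIXES = (".p12", ".pgp", ".pfx", ".pem", ".key", ".env", ".json",
                      ".yml", ".yaml", ".txt", ".sql", ".conf", ".cfg", ".ini")

# Canned S3 group grantees that make an ACL world- or any-AWS-user-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def acl_is_public(grants):
    """True if any grant gives READ or FULL_CONTROL to AllUsers/AuthenticatedUsers.
    `grants` has the shape of boto3's get_bucket_acl()["Grants"]."""
    for g in grants:
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and g.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False

def policy_is_public(policy_doc):
    """True if a bucket policy has an Allow statement with a wildcard principal and
    a read/list action. Conditions are deliberately ignored: a conditioned statement
    may still be public, so it is flagged for review rather than trusted."""
    if not policy_doc:
        return False
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if wildcard and actions & {"*", "s3:*", "s3:getobject", "s3:listbucket"}:
            return True
    return False

def is_sensitive_key(key):
    return key.lower().endswith(SENSITIVE_SUFFIXES)

def find_candidates(buckets):
    """Return (bucket, key) pairs worth downloading and scanning: objects with a
    sensitive extension in buckets that are public by ACL or by policy.
    Each bucket dict is {name, grants, policy, keys}; a live run would populate
    them from list_buckets / get_bucket_acl / get_bucket_policy / list_objects_v2."""
    out = []
    for b in buckets:
        if acl_is_public(b.get("grants", [])) or policy_is_public(b.get("policy")):
            out.extend((b["name"], k) for k in b.get("keys", []) if is_sensitive_key(k))
    return out

# Stand-in for the truffleHog3 step: two high-signal patterns, not its rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_text(text):
    """Names of the secret patterns that match in a downloaded file's text."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

# Constructed sample inventory (not real buckets or objects).
SAMPLE_BUCKETS = [
    {"name": "acme-public-assets",
     "grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
     "policy": None,
     "keys": ["img/logo.png", "backup/prod.env", "certs/client.p12"]},
    {"name": "acme-website",
     "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                 "Permission": "FULL_CONTROL"}],
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::acme-website/*"}]}),
     "keys": ["index.html", "deploy/config.yml"]},
    {"name": "acme-private-data",
     "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                 "Permission": "FULL_CONTROL"}],
     "policy": None,
     "keys": ["dump.sql"]},
]
# Constructed file body using AWS's documented example key id.
SAMPLE_CONTENT = {"backup/prod.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_HOST=db\n"}

if __name__ == "__main__":
    for bucket, key in find_candidates(SAMPLE_BUCKETS):
        hits = scan_text(SAMPLE_CONTENT.get(key, ""))
        print(f"{bucket}/{key}: {hits or 'no secrets found'}")
```

Running this lists the two sensitive objects in the ACL-public bucket and the YAML file in the policy-public one, and flags the AWS key id in the constructed .env file; the private bucket is never touched. On a real account the same triage keeps the download-and-scan step (the expensive part, and the part that creates access logs) limited to objects that are actually exposed.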
onemorepereira/aws-sso-reporter
A tool that uses the AWS SSO API to list all users, accounts, permission sets
etc. and dumps it into a CSV file for additional parsing or viewing, by Miguel
Pereira.
AWS IAM Roles, a tale of unnecessary complexity
Latacora's Xavier Garceau-Aranda describes the unnecessary complexity around AWS IAM, compares it to GCP's model, and proposes changes he'd like to see.
An AWS account just for getting into other AWS accounts
Some great perspective on AWS account architecture.
Odd though it may sound, it takes lots of AWS accounts to have lots of AWS accounts. Your first account is the one you use to configure AWS Organizations, which consolidates billing and gives you access to the APIs for opening and closing additional accounts — that's your management account. Most folks suggest opening a second account to store audit logs from CloudTrail et al. You might choose to open a third account to host VPCs to share into your service accounts.
And the supporting cast of accounts needs one more player — your administrative access account. The purpose of this account is to help you and your coworkers access all the rest of your accounts. That's it! This is the AWS account that makes having lots of AWS accounts efficient and safe.
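The mechanism that makes the "administrative access account" pattern quoted above work is a role in every other account whose trust policy names only that access account (and, ideally, requires MFA on the assuming session). The code below is an added example for this newsletter, not from the quoted article: it builds such a trust policy and also audits an existing one for the ways the pattern usually degrades (wildcard principals, trust in an account that is not the access account, no MFA condition). The account ids are constructed placeholders, and the permission policy attached to the role is out of scope.

```python
import json

# Constructed placeholder id for the administrative access account (not a real account).
ACCESS_ACCOUNT_ID = "111111111111"

def build_trust_policy(access_account_id=ACCESS_ACCOUNT_ID, require_mfa=True):
    """Trust policy for a role in a workload account: only principals from the
    access account may assume it, and (by default) only with MFA present."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{access_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _account_of(principal):
    """Account id from 'arn:aws:iam::123456789012:root' or a bare '123456789012'."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else ""

def audit_trust_policy(doc, allowed_account_ids):
    """Flag AssumeRole statements that trust a wildcard, trust an account other
    than the access account(s), or do not require MFA. Returns a list of strings;
    an empty list means the policy matches the access-account pattern."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"*", "sts:*", "sts:assumerole"}:
            continue
        principal = stmt.get("Principal", {})
        wildcard = principal == "*"
        aws_principals = [] if wildcard else _as_list(principal.get("AWS", []))
        if wildcard:
            findings.append("wildcard principal")
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal")
            elif _account_of(p) not in allowed_account_ids:
                findings.append(f"trusts unexpected principal {p}")
        if not (wildcard or aws_principals):
            continue  # service-principal statement (e.g. a Lambda role); MFA does not apply
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no MFA condition")
    return findings

# Constructed "before" policy: any principal in any AWS account may assume the role.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    good = build_trust_policy()
    print(json.dumps(good, indent=2))
    print("access-account policy:", audit_trust_policy(good, {ACCESS_ACCOUNT_ID}) or "ok")
    print("weak policy:", audit_trust_policy(WEAK_POLICY, {ACCESS_ACCOUNT_ID}))
```

Trusting the access account's `:root` delegates the "who exactly" decision to IAM policies inside the access account, which is what keeps the pattern efficient: onboarding or offboarding a person touches one account, not every account in the organization. Pointing `audit_trust_policy` at each role's `AssumeRolePolicyDocument` (as returned by IAM's `get_role`) is a cheap way to notice when someone adds a second trusted account or drops the MFA condition.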
Politics / Privacy
What Happens When Everything Becomes TikTok
The shape of our politics, our ideology, and even our fundamental grasp of how the world works is, in some substantial way, up to the algorithms. According to a recent survey from the Pew Research Center, a quarter of people under 30 in the U.S. regularly get their news from TikTok clips. That number is growing. People are even turning to social-media video as a replacement for Google search.
Whether the results of such swipes and searches lead us to enlightenment or drag our worldviews further down toward their least reconciliatory, most conspiratorial depths depend in part on AI. In an experiment from September, the fact-checking company NewsGuard found that the top results on TikTok for a range of terms often included misleading, hateful, and in some cases extremely dangerous videos.
The issue is that an AI optimized for engagement can't tell the difference between a clip that you enjoyed watching and one that you hate-watched, or watched passively. If you watched a clip multiple times, the AI won't be able to discern whether it was because it gave you joy or because it boiled your blood. (Even if it could, a company might end up promoting infuriating content anyway because it's so compelling — Facebook supposedly did exactly that after introducing emoji-based reactions a few years ago.)
Sponsor
📢 Two new tools from Trail of Bits
Trail of Bits has two new tools that allow developers to generate zero-knowledge proofs, which can ensure your program is executing correctly. Amarna is a static analyzer and linter for the Cairo programming language, allowing for analysis of any security-sensitive operations that need to be reviewed. Circomspect is a static analyzer for zero-knowledge proofs developed using Circom, which gives developers the chance to identify a wide range of issues. Both of these tools are open source and available for download on our GitHub page.
Get these tools!
Trail of Bits does seriously cool work. I highly recommend checking out their GitHub for all of the neat tools they've released over the years, and their blog is 🔥 too.
Misc
Spreadsheet Escape Room
An escape room built in… Google Sheets.
See Inside the Rarely Seen and Newly Reimagined CIA Museum
Off-limits to all but a few in-person visitors, the museum is starting to
welcome the public, online at least.
Windows Ugly Sweater: Clippy Edition
The Christmas gift guaranteed to go over well.
You can eat this rescue drone's rice cake wings
But couldn't you just… rescue them instead?
In order to make the round rice cakes fit together, they were cut into hexagons with a laser cutter. The glue that holds them together also needs to be edible. The scientific team tested different adhesives made out of gelatin, chocolate, or cornstarch.
The scientific team shared the research paper at a recent robotics conference. The design is part of the RoboFood project, a European initiative aiming to make edible robots.
USENIX Security '22 Technical Sessions
Papers, slides, and talk recordings from one of the top academic security
conferences.
Q3 2022 ThinkstScapes Quarterly
Another great round-up from Thinkst Canary,
this time highlighting the following three budding trends: using AI/ML to
amplify side-channel attacks, clever cryptography that goes beyond simple data
protection, and software analysis at scale.
The latter covers some particularly interesting work:
- TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries
- Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
- In Need of "Pair" Review: Vulnerable Code Contributions by GitHub Copilot
- Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Twitter vs Mastodon
A Twitter Userâs Guide to Mastodon
Marcus Hutchins provides a nice quick-start guide on using Mastodon.
Scaling Mastodon is Impossible
Some reflections on the technical challenges of scaling Mastodon instances to many users, as well as fundamental questions around what we're solving for, content moderation, federation, and more.
Gergely Orosz on what he's hearing inside Twitter
Several people who were let go on Friday, then asked to come back were given less than an hour as a deadline.
Software engineers who got this call I know of all said "no" and the only ones who could eventually say "yes" are on visas.
Inside Twitter, managers I hear are getting desperate, trying to call back more people. People are saying "no" + more sr engineers are quitting.
Twitter has a complex architecture for a reason. And it needs some level of institutional knowledge to maintain.
This institutional knowledge both got fired + is walking out the door.
Stealing passwords from infosec Mastodon - without bypassing CSP
Portswigger's Gareth Heyes describes how he could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. The attack could easily be wormable, by collecting credentials and re-posting the vector for each user.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler