[tl;dr sec] #163 - Rebuilding Detection and IR at LinkedIn, CVEs and Misaligned Incentives, 2022 in Review and 2023 Predictions

Hey there,

I hope you’ve been doing well!

Welcome to 2023 🎉

If you’re reading this, you have successfully survived until 2023. Congratulations!

I hope you enjoyed some good food and relaxing time with friends and family over the holidays.

I did lots of working out with my siblings (including a blacklight boxing session), played the very fun card game Dutch Blitz for the first time, saw snow, learned about new words the youth are using these days (like “baddie”), and ate lots of raw cookie dough. I’ve heard it’s potentially dangerous to eat raw cookie dough, but I’ve never gotten sick*.

If your company does annual reviews in December, I hope they went well! If not**:

* tl;dr sec is not your doctor and takes no responsibility if you also eat raw cookie dough.

** This is also called, “Extreme Programming.”

Annual Review - Resources You Like?

One thing I’ve wanted to do, but haven’t really done in the past, is an annual review.

To reflect on what went well last year and create a game plan for the upcoming year.

If you have any blog posts, videos, checklists, books, or other resources you like related to doing an annual review, please send them to me!

Next week I’ll share a collection of resources based on what I’ve found and what you share. Thanks in advance!

Rain in San Francisco

San Francisco has recently had record rainfall, which has lead to some bonkers videos.

Like submerged cars and some guy on a raft and two people on surfboards in the street.

Container Security

aws-samples/hardeneks
Runs checks to see if an EKS cluster follows EKS Best Practices.

Learning by auditing Kubernetes manifests
Nicolas Fränkel walks through running Checkov on Kubernetes manifests and highlights some of the interesting findings.

Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
The TokenRequest API can be used to create long-lived and hard-to-detect privileged access to Kubernetes clusters. Datadog’s Rory McCune outlines how this feature works, how attackers can abuse it, and how you can detect its misuse by monitoring Kubernetes audit logs.

AppSec

google/osv-scanner
Vulnerability scanner written in Go which uses the data provided by https://osv.dev. It finds all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes.

safeurl for Go
Doyensec’s Alessandro Cotto and Viktor Chuchurski announce safeurl, a one-line drop-in replacement for Go’s net/http client with built-in SSRF and DNS rebinding protection.

See also this post by Include Security that describes SafeURL libraries they created for PHP, Python, and Scala that similarly protect against SSRF.

Turning Google smart speakers into wiretaps for $100k
Matt Kunze walks through his methodology in finding security issues in the Google Home smart speaker (earning a $107,500 bounty) that allowed an attacker within wireless proximity to install a “backdoor” account on the device.

Great detailed walkthrough of understanding how a device you own works, using tools like dns-sd, nmap, intercepting the Android app’s HTTPS traffic using mitmproxy, decoding protobuf messages with protoc, aireplay-ng, and more.

ReDoS “vulnerabilities” and misaligned incentives
Trail of Bits’s William Woodruff argues that most ReDoS “vulnerabilities” are indistinguishable from malicious noise because of:

• Misaligned incentives in the security reporting (security researchers want fame) and vulnerability reporting ecosystems (supply chain security vendors want to differentiate).

• They produce security fatigue in engineers by making them waste time on low impact bugs.

Cloud Security

How to use Amazon Verified Permissions for authorization
AWS’ Jeremy Ware shows how to use Amazon Verified Permissions to define permissions within custom applications using the Cedar policy language.

Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023
S3 will automatically enable S3 Block Public Access and disable access control lists for all nw buckets starting in April 2023. Secure 👏 defaults 👏 for the win!

Cloud penetration testing: Not your typical internal penetration test
Bishop Fox’s Seth Art walks through how doing an internal (assume breach) cloud pen test is different than a typical pen test, with examples of increasingly useful things to look for.

AWS Security Bulletins and Cloud Security Researcher Trends
Luke Tucker shares what he learned from reviewing 10-years of AWS Security Bulletins, focusing on cloud security research trends: more security researchers are testing the security of cloud providers, and AWS is doing a better job at acknowledging contributions from the researcher community.

Blue Team

Open Sourcing Chronicle Detection Rules
Algbra’s Mikail Tunç announces the release of a collection of detection rules for Google’s cloud-native SIEM, Chronicle. The detections target GitHub, Okta, Google Workspace and Slack; with AWS, Kubernetes and others coming soon.

Making an SSH client the hard way
Tailscale’s Mihai Parparita describes building a web-based SSH client, so your browser becomes a Tailscale client. They did this by porting to WebAssembly: the Tailscale client, WireGuard, a complete userspace network stack (from gVisor), and an SSH client.

(Re)building Threat Detection and Incident Response at LinkedIn
LinkedIn’s Sagar Shah and Jeff Bollinger describes how LinkedIn was able to reduce incident investigation times by 50%, increase threat detection coverage expansion by 900%, and reduce their time to detect and contain security incidents from weeks or days to hours.

Great example of thoughtful security engineering, automation, reducing toil, and more.

Politics / Privacy

Sudden Russian Death Syndrome
A number of rich and/or important Russians have had dangerous encouters with open windows or committed “suicide,” across a number of countries.

Reverse Engineering Tiktok’s VM Obfuscation (Part 1)
@blastbots walks through deobfuscating and understanding some of TikTok’s JavaScript.

EXCLUSIVE: TikTok Spied On Forbes Journalists

Misc

GIF Baskets
F*ck inflation, send GIFs. This year, it’s better to GIF than to receive.

Querying the GitHub archive with the ClickHouse playground
Simon Willison walks through using the ClickHouse playground, which provides a CORS-enabled API that can query a decade of history from the GitHub events archive in less than a second.

Obsidian Canvas
A new Obsidian feature that lets you organize notes visually. Embed your notes alongside images, PDFs, videos, audio, and even fully interactive web pages. Obsidian is so cool, and it keeps getting cooler 😍 

The future our grandchildren deserve
Inspiring, detailed note from Bill Gates, reflecting on what’s been accomplished and what’s left to do, discussing investing in education in the U.S., pandemic prevention, progress on polio, saving moms and babies, curing diseases like AIDS and others with gene therapy, climate change, and more.

What Comes Next for San Francisco’s Emptied Downtown
More remote-friendly companies + high cost of living and high cost of office space = unsurprisingly, an emptier downtown. But this hits local restaurants hard, and SF relies on wealthy tech companies to bankroll its massive budget. It’ll be interesting to see what the city does about that. Cut services? Tax remaining people and businesses higher?

Annual Review and Predictions

The State of Cybersecurity in 2022 and Trends and Predictions for 2023
Mike Privette lists the largest security funding events and acquisitions in 2022, and discusses overall trends. He also makes 11 product predictions for 2023, including the importance of securing no-code and products focused on measuring a company’s cybersecurity investments and decisions.

Frontview Mirror: 2023 Edition
(Note: members only post) Really neat musings by Daniel Miessler on what 2023 may have in store.

One of the through themes that I personally spend a lot of time thinking about as well is the combination of:

• Companies don’t owe people jobs- their goal is to be as profitable as possible, and only hire because they have to.

  • If a company doesn’t optimize for operational efficiency, they will likely be surpassed by a company that does.

• Machine learning is becoming more and more effective at replicating tasks that used to require people.

There will likely be a K-shaped recovery of the economy, exacerbated by machine learning, where one segment does better (people leveraging machine learning, some segments of knowledge workers), and many will do worse.

Daniel argues that one of the keys to being on the top of the K curve is to write/learn in public and build a name for yourself in your field.

Inspiration

From Steven Pressfield’s The War of Art:

2023, let’s get after it!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint