• tl;dr sec
  • Posts
  • [tl;dr sec] #183 - The 3 Metrics to Focus On, Build a Purple Team Lab, Damn Vulnerable Android and iOS Apps

[tl;dr sec] #183 - The 3 Metrics to Focus On, Build a Purple Team Lab, Damn Vulnerable Android and iOS Apps

If you can only choose 3 metrics, what to choose? How to build a Kubernetes purple teaming lab, vulnerable Android and iOS apps to learn on.

Hey there,

I hope you’ve been doing well!

Once More, with Swag

Thank you everyone who took the time to fill out the quick swag survey I shared a few weeks ago!

I really appreciate your input, and your kind words put a massive smile on my face.

People shared some neat swag ideas that I didn’t originally include in the survey, including: socks, hats, cat toys, fidget toys, branded planters/mini succulents, D20 dice, a Clint plushie, a tl;dr sec bong, and “date-crashing as a service.”

Special shout-out to the person who left this wisdom:

Why is it you can tiptoe but you can’t tipfinger?

If you also want to influence the future of tl;dr sec swag, you can do so here.

Sponsor

📢 The 2023 Cloud Threat Report

The Wiz cybersecurity research team uncovered dozens of new cloud risks across multiple AWS, Azure, and Google Cloud services. We’ve compiled their findings in this 12-page report which includes the full list of breaches in 2022 and best practices to safeguard your cloud. Also included are:

  • The latest cloud security threats

  • Emerging cloud-native threat actors

  • API-based vulnerabilities

  • Bonus: Free checklist to implement strategies adopted by leading cloud security organizations in the world.

Get the complete report to adapt your security strategy in 2023 and beyond.

📜 In this newsletter...

  • AppSec: Secure Application Development for NGOs, The 3 Metrics to Focus On

  • Mobile Security: Damn vulnerable Android and iOS apps, Detecting Android Content Provider APIs with Semgrep Rules

  • Web Security: An impressive bug chain write-up, JavaScript Essentials for Beginning Pentesters

  • Cloud Security: Clean up over-permissioned GCP IAM accounts, malicious Google ads for AWS Console login pages

  • Container Security: Automate Docker container base image updates, Building Chainguard's Container Image Registry

  • Blue Team: Building a Kubernetes purple teaming lab, The Rambo Architecture and Third Party Risk

  • Red Team: Function call graph tracer for C, C++, Rust and Python

  • Conferences: Threat detection and IR track at re:Inforce 2023, Reflections on Black Hat Asia 2023, Momentum Cyber's RSA Conference 2023 Recap

  • Machine Learning: Quicklinks, drag and drop images, ChatGPT iOS, AI’s Next Big Thing is Digital Assistants, AI Influencer Goes Rogue, LLMs and plagiarism

  • Misc: Map bug bounty programs to GitHub orgs, breaking Trezor T wallets, Poverty Is 4th Leading Cause of Death in US

AppSec

Secure Application Development for NGOs and Others: Part I
Four part guide by Eleanor Saitta on developing for NGOs or other orgs who serve potentially high risk groups, covering software development lifecycle, organizational maturity, participatory design, security design, development documentation, requirements, and selecting a design team and security designer.

Subsequent parts cover threat modeling, architecture design, crytography, frameworks, testing, and much more.

You Only Get 3 Metrics - Which Ones Would You Pick?
If you could only pick 3 metrics that ideally maximize the coverage of other risks and are leading (rather than lagging) indicators, Google Cloud CISO’s Phil Venables recommends:

  1. What percentage of your software is continuously reproducible in a secure build pipeline?

  2. What percentage of your systems and business services have a predictable and tested cold-start recovery time?

  3. What percentage of your data is kept under an assured data governance regime?

Mobile Security

rewanthtammana/Damn-Vulnerable-Bank
An intentionally vulnerable Android application by Rewanth Tammana, Akshansh Jaiswal, and Hrushikesh Kakade.

prateek147/DVIA-v2
A purposefully vulnerable iOS app by Prateek Gianchandani with vulnerabilities and solutions tested up to iOS 11.

Detecting Android Content Provider APIs with Semgrep Rules
Dropbox’s Shivasurya S on how Semgrep can be a part of your mobile pentesting suite and a walkthrough of writing a Semgrep rule to find exported content providers that allow arbitrary file read and write within the app sandbox.

Sponsor

📢 Make tangible progress toward least privilege + practical advice on JIT access

Your company relies on you to keep your infrastructure secure — but it’s hard to manage safe, temporary access while moving quickly and staying above water.

With the Sym SDK, you can build temporary access workflows for AWS IAM and SSO, deployed in an easy-to-use requests app in Slack.

Sym gives you peer approval, privilege escalation and de-escalation, and all the integrations you need to automate decisions, getting you to least privilege, with the least hassle.

Web Security

A smorgasboard of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…
Julien Cretel provides a comprehensive breakdown of a bug chain that included an insecure message event listener, a JSONP endpoint, a WAF bypass, a DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration. These components were combined to execute a one-click CSRF attack on a public bug bounty program.

JavaScript Essentials for Beginning Pentesters
Luke Bremer from TrustedSec shares a few techniques, including setting browser breakpoints, formatting and unminifying JavaScript files, regex searches in the developer tools, and using Burp Suite’s match and replace functionality to alter site functionality.

Cloud Security

gojek/CureIAM
Tool by kd3vhck and Rohit Sehgal to clean up over-permissioned GCP IAM accounts in an automated way. It fetches the recommendations and insights from GCP IAM recommender, scores them and enforces those recommendations automatically.

Gather Round the Watering Hole, We have a Story to TellPermiso’s Ian Ahl writes about watering hole attacks and how attackers can purchase ad space for specific search terms in Google to deliver phishing pages. Using a recent AWS phishing campaign as an example, Ian investigates the attack flow and infrastructure used by the attacker to harvest account credentials.

 

Container Security

containrrr/watchtower
A process for automating Docker container base image updates.

Building Chainguard’s Container Image Registry
Chainguard’s Jason Hall describes a few changes to the way they host and distribute Images over the last year to increase security, give themselves more control over the distribution, and most importantly to keep costs under control using Cloudflare R2 (no egress fees!). Check out the “secure by design” section.

Sponsored Tool

📢 AppOmni Labs sees a 300+% rise in Salesforce Community attacks. Is your Salesforce data safe?

Threats to Salesforce instances are growing since Brian Krebs first reported on significant Salesforce data leaks in late April. And the AppOmni Labs team has noted a 300+% increase in threat activity on Salesforce Community sites, along with other major SaaS apps, shortly after Krebs’ story broke.

Understand your Salesforce data leak risks with AppOmni’s free Salesforce Community Cloud Scanner. AppOmni will evaluate your Salesforce instances for misconfigurations and data exposure, reveal if the recently disclosed issues are present, and provide clear steps for remediation.

Blue Team

Building a Kubernetes purple teaming lab
Anton Ovrutsky from Sumo Logic offers a comprehensive guide on setting up a Kubernetes purple team lab. This step-by-step tutorial will teach you how to gather relevant telemetry, track your testing activities, and explore a variety of techniques, tactics and procedures (TTPs).

Ultimately, I look at third party risk management as a classic operational security challenge that benefits from a pretty straightforward approach - you need to aggregate and operationalize distributed context. No AI or blockchain needed.

Can you confidently predict when and where security issues are going to occur in your own environment? Probably not, even though you have full knowledge of the environments you’re defending. Yet we think we can take an outside-in look at our vendors programs’ and use that incomplete, unvalidated, and likely out of date information as a crystal ball?

 

Red Team

namhyung/uftrace
A function call graph tracer for C, C++, Rust and Python programs by Google’s Namhyung Kim. It can trace both user and kernel functions, as well as library functions and system events providing an integrated execution flow in a single timeline.

Conferences

Your guide to the threat detection and incident response track at re:Inforce 2023
AWS’ Celeste Bishop and Himanshu Verma share a list of 30 talks, including hands-on sessions for the threat detection and incident response track at re:Inforce. Topics include: learn to detect suspicious activity in Amazon S3, simulate and detect unwanted IMDS access resulting from SSRF, and more.

Reflections on Black Hat Asia 2023: Learning, Networking, and Inspiration
Rewanth Tammana shares his thoughts on the presentations that stood out, arsenal tools, and more.

Momentum Cyber’s RSA Conference 2023 Recap
Momentum Cyber shares session trends and highlights, event highlights, Early Stage Expo companies, Innovation Sandbox participants and winners, and more.

Machine Learning

Quicklinks:

  • Snoop Dogg on AI risk: “Sh–, what the f—?” - You and me both man.

  • Introducing 100K Context Windows - Wow, Anthropic has expanded Claude’s context window to ~75,000 words. This means you can now submit hundreds of pages of materials for Claude to digest and analyze.

    • GPT-4 can currently handle ~25K words.

  • BarGPT - Describe what you want and it’ll give you a recipe.

  • Modding Age of Empires II with a Sprite-Diffuser - Neat examples of reimagining Age of Empires II buildings differently using Stable Diffusion.

  • imartinez/privateGPT - Interact privately with your documents. Built with LangChain, GPT4All, LlamaCpp, Chroma and SentenceTransformers.

  • DiagramGPT - Paste in a schema, infrastructure definition, or code snippet, or describe your diagram in plain language –> generate diagram.

  • Web LLM - LLM and LLM-based chatbot functionality in your browser. Private, everything runs inside your browser with no server support, accelerated with WebGPU.

DragGAN: A New Method for Manipulating Generated Images
Very impressive demos of “dragging” different points in an image to update it- opening or closing mouths or eyes, adjusting a dog’s ears or feet, rotating an object or person, etc.

Introducing the ChatGPT app for iOS
Syncs your history across devices, integrates Whisper, their open-source speech-recognition system, enabling voice input, and ChatGPT Plus subscribers can access GPT-4. Android app coming soon.

AI’s Next Big Thing is Digital Assistants
Neat thought piece by Daniel Miessler. “Your assistant will know everything about you and become your interface to the world.”

Influencer Rents Out AI Version of Herself Which Immediately Goes Rogue
23-year-old social media influencer Caryn Marjorie created Caryn.ai, an AI chatbot version of herself trained on her Youtube videos, which will act like a guy’s girlfriend for $1 per minute. However, it’s been going beyond the intended “flirty and fun” to sexually explicit conversations.

LLMs and plagiarism: a case study
Michal Zalewski walks through how Google Bard is plagiarizing exact sentences from his blog in some answers on niche topics he’s written about.

My goal here isn’t to downplay the utility of LLMs; I think they are powerful tools that will reshape the way we interact with computers and perform a variety of tasks. But I think we don’t grasp the vastness of the internet and don’t realize how often LLMs can rely on simply copying other people’s work, with some made-up padding and style transfer tricks thrown in here and there.

Misc 

nikitastupin/orgs-data
Mapping from bug bounty and vulnerability disclosure programs to respective GitHub organizations, by Nikita Stupin.

Crypto Security Firm Unciphered Claims Ability to Physically Hack Trezor T Wallet
Unciphered claims to have found an “unpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data,” allowing them to retrieve the wallet’s seed phrase and pin. Check out the demo video for some soldering fun.

Research published this week in the Journal of the American Medical Association estimated that poverty was linked to at least 183,000 deaths in the United States in 2019 among people aged 15 or older, making inadequate income the nation’s fourth-leading mortality driver that year behind heart disease, cancer, and smoking.

“Poverty silently killed 10 times as many people as all the homicides in 2019,” Brady continued. “And yet, homicide, firearms, and suicide get vastly more attention.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint