[tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0, TruffleHog Chrome Extension
Detailed breakdown of why authorization is hard, how we should approach vendor security going forward, a Chrome extension to find secrets.
I hope you’ve been doing well!
Whisper Me Sweet Crypto Nothings
Shakespeare may have set a high bar, but I don’t think we’ve collectively lost our ability to woo romantically.
The world has just changed a bit.
There are new forms of art and ways to express that you’ll be a loving partner and provider. Like:
This must mean I’ve #madeit, as my friend Daghan shared with me:
📢 Understanding Salesforce Flows and Common Security Risks: An AO Labs Whitepaper
Salesforce’s Flow Builder is built on the Lightning Platform and allows end-to-end process automation by leveraging reusable components known as Flow Actions. This whitepaper discusses the security nuances unique to Salesforce Flow development, as well as permission management pitfalls and how to combat them. AO Labs is the research arm of AppOmni and produces in-depth research and content written by security researchers and engineers. To see more AO Labs content visit: appomni.com/aolabs.
📜 In this newsletter...
AppSec: TruffleHog the Chrome extension, BSidesSF CFP is open
Mobile Security: Android automatically removes permissions from unused apps
Web Security: Web security roadmap, add payload position support to Turbo Intruder, React security slides
Cloud Security: Use GitHub Actions without long lived AWS creds, OMIGOD Azure bugs, permissions reference for AWS IAM
Machine Learning: Applying OpenAI in cyber tooling, GitHub Copilot generated insecure code 40% of the time
Container Security: Anonymous and ephemeral Docker image registry, critical review of NSA's k8s guidance
It's Time for Vendor Security 2.0: Vendor Security Questionnaires are ineffective, what to do instead
Red Team: Reverse engineering and binary exploitation challenges
Politics / Privacy: America should fight back against ransomware, Facebook plans to use News Feed for its own PR, five-part WSJ Facebook investigation, how US police use Google to track you
Misc: Remember Norm Macdonald, time travel debugging web apps
Why Authorization is Hard: Real world challenges, trade-offs, and different approaches in building authorization
TruffleHog The Chrome Extension
BSidesSF CFP Open until October 11
BSidesSF is one of my favorite cons: great talks and excellent hallwaycon. Highly recommend!
Google will extend Permission Auto-Reset feature to older Android versions
Apparently Android has a Permission Auto-Reset feature that automatically removes user permissions from apps that haven’t been opened and used for a few months. Neat!
Better Security Through Code Hygiene
React security slides by Philippe De Ryck, including using DOMPurify to sanitize user input if you have to use dangerouslySetInnerHTML, and using Semgrep to flag insecure code. H/T Rami for the link. Big +1 on Philippe’s conclusions:
AWS federation comes to GitHub Actions
By Aidan Steele: GitHub Actions has new functionality that can vend OpenID Connect credentials to jobs running on the platform. Meaning: CI/CD jobs no longer need any long-term secrets to be stored in GitHub! PoC:
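An added example (not Aidan's PoC or anything from the original post) of what this looks like in practice: a workflow that exchanges GitHub's OIDC token for short-lived AWS credentials, with the IAM trust-policy condition that keeps the role from being assumed by any other repository. The account ID, role name, org/repo, bucket and region are placeholders.

```yaml
# .github/workflows/deploy.yml  (added example, placeholder names throughout)
#
# The role below must trust the GitHub OIDC provider
# (token.actions.githubusercontent.com) for sts:AssumeRoleWithWebIdentity,
# and its trust policy should carry a condition like this (placeholder repo):
#   "Condition": {
#     "StringEquals": {
#       "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
#       "token.actions.githubusercontent.com:sub":
#         "repo:example-org/example-repo:ref:refs/heads/main"
#     }
#   }
# Without the "sub" condition, a workflow in any GitHub repository could
# assume the role; with it, only main-branch pushes of this repo can.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read    # everything else stays read-only

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets exist in this
      # repo; the action trades the OIDC token for temporary STS credentials.
      - name: Assume role via GitHub OIDC
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy
          role-session-name: github-${{ github.run_id }}
          aws-region: us-east-1

      # The session name above shows up in CloudTrail, so each assumption
      # can be tied back to a specific workflow run.
      - name: Confirm the assumed identity
        run: aws sts get-caller-identity

      - name: Deploy
        run: aws s3 sync ./build s3://example-bucket-placeholder/
```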
“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution
Great research by Wiz: Microsoft Azure silently installs management agents on your Linux VMs, and those agents have RCE and local privilege escalation vulnerabilities. Fixing them mostly requires manual updates. Great play-by-play thread from Kevin Beaumont, and to quote Ami Luttwak:
If you want to play around with it, there’s this BugHuntr.io lab, this nuclei template, this Python PoC, or watch IppSec’s video.
permissions.cloud: Permissions Reference for AWS IAM
Super cool work by Ian Mckay: the IAM dataset maps SDK calls to IAM actions, which are then displayed nicely on this site. Also, iamfast-js and related repos aim to generate IAM policies based on analyzing your source code. Baller.
Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling
Eugene Lim discusses his experiments with using OpenAI for more than human-targeted attacks like phishing and misinformation, specifically: reverse engineering assembly, analyzing Metasploit payloads, code reviews (e.g. finding XSS), etc.
GitHub Copilot Generated Insecure Code In 40% Of Circumstances During Experiment
Out of 1,692 programs generated in 89 different code-completion scenarios.
NSA & CISA Kubernetes Security Guidance – A Critical Review
NCC Group’s Iain Smart provides feedback on what he views the NSA and CISA guidance doc as having outlined well, as well as some parts he views as misleading or incorrect.
Strong agree from me on this useful and snarky article by Daniel Miessler. Vendor Security Questionnaires seem ineffective at determining security posture and business needs often trump security recommendations.
Understanding a vendor’s risk to your business if compromised and working to limit it - this is the way.
A few people had comments I liked on Twitter.
And Dino Dai Zovi:
Politics / Privacy
Opinion | America Is Being Held for Ransom. It Needs to Fight Back.
Crowdstrike co-founder Dmitri Alperovitch argues that sanctions and defense alone will not be sufficient against ransomware, as it’s unrealistic to expect every American hospital, school, fire department and small business to defend itself against highly sophisticated criminals. Instead, as with ISIS, the U.S. should pursue an aggressive campaign targeting the foundation of ransomware criminals’ operations: their personnel, infrastructure and money.
Inside Facebook’s Push to Defend Its Image
Facebook has kicked off a new internal project to use the News Feed, its most important digital real estate, to promote articles about how Facebook is about political polarization making you sad invading your privacy promoting vaccine skepticism bringing us all closer together ❤️. Cutting off external parties from analyzing engagement data? Don’t worry about it 🤫
The Facebook Files
Oh boy, what a drop by the WSJ, a five-part investigation covering:
Facebook has a secret VIP list for whom standard policy enforcements do not apply.
An internal investigation found Instagram usage increased anxiety and depression, especially in teenage girls.
Facebook’s algorithm changes increased engagement, but made users angrier. The Zuck resisted proposed fixes because he was worried they would lead people to interact with Facebook less.
Facebook employees flag drug cartels and human traffickers leveraging the platform, but the company’s response is often inadequate or nothing at all.
Company documents show antivaccine activists undermined Zuckerberg’s ambition to support the rollout by flooding the site and using Facebook’s own tools to sow doubt about the Covid-19 vaccine.
The new warrant: how US police mine Google for your location and search history
Article from The Guardian on geofence and keyword warrants. The fundamental challenge is that companies that depend on ad revenue slurp up user data for targeting purposes, but then they have a rich set of data that police can subpoena.
From Norm Macdonald’s memoir: Based on a True Story
Right in the feels. Also, here’s Norm on SNL’s Celebrity Jeopardy.
The Time Travel Debugger for Web Development
Replay.io is building a new tool that lets you record a web app’s execution flow and step backwards and forwards through it. Sounds awesome for tracking down tricky bugs. Time travel debugging is one of the coolest concepts I wish I saw more of. Python, Java, and Ruby support coming.
As a security consultant at NCC Group, I saw how a number of companies implemented authorization in their monolith or across their fleet of microservices.
Nearly universally, they had made some decisions early that ended up making things painful several years later.
This detailed post by Oso’s Sam Scott may be one of the best I’ve read on covering the real world challenges, trade-offs, and different approaches in building authorization in real companies.
Oso has also put together an even more lengthy write-up in their Authorization Academy. Nice!
Finally, check out the HN thread on this post for various people weighing in, and posts by a number of other authorization-focused start-ups, including Authzed (YC W21), Cerbos, Aserto, and Warrant (YC S21). Open source libraries referenced: Casbin, and ory/keto, an implementation of Google’s Zanzibar.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!