
[tl;dr sec] #112 - re:Invent, Python Security, Cloud Service Provider Mistakes

Round-up articles about re:Invent, examining Python package security, Scott Piper's repo of AWS, GCP, and Azure mistakes and vulnerabilities.

Hey there,

I hope you’ve been doing well!

Academic Humor

I gained a lot from my time in grad school. Like how raw ore gains a lot from being melted down in a kiln at ~1,800 degrees, molded, and struck repeatedly with a hammer until it’s strong.

Periodically I come across some humor about academia that gives me a chuckle. I recently stumbled across this Associate Deans Twitter account that’s pretty good:

And I couldn’t help but laugh out loud at this brutal GIF.

If you have any good academia jokes or memes, feel free to send ‘em my way!

🧪 Experimental Results

Some results from my experiments last week.

Table of Contents
Some people preferred I cut it, some didn’t care, but more people wanted it to stay.

Interestingly, the people who wanted it to stay tended to be CISOs, Directors or VPs of Security, or other senior security leaders. I hypothesize this is because they tend to be very busy, so they want to be able to quickly pick out the parts that are most relevant.

Big shout-out to Caleb Sima, who advised me early on to include it.

Sponsors
Despite the fact that I was sweating bullets before sending the last email, nobody flamed me for having a secondary sponsor. In fact, several people reached out and encouraged me to keep it 🤷

A flood of companies kindly expressed interest (thanks so much!), and in probably the next week or two, tl;dr sec will be about half sold out for 2022 🤯

Relatedly, bringing on someone to run sales for tl;dr sec is potentially the best thing I’ve ever done. This way I get to focus on what I love: nerding out over great security work.

Big thank you again to all of the companies who reached out!

Sponsor

📢 API Security Best Practices Guide

APIs drive today’s modern apps. Bad actors know the benefit of targeting APIs to get at valuable data, so API attacks are on the rise. Existing security tooling can’t stop API attacks - you need a new approach. Salt Security has compiled a set of API security best practices, drawn from customer experiences, to help you in this journey. Download the guide here to build your plan for securing your external, internal, and partner APIs.

📜 In this newsletter...

  • AppSec: Use Semgrep to find dropped reverse shells, app-level and searchable encryption for databases

  • Python: 10 years of Python package vulnerabilities, two tools to audit dependencies for known vulnerabilities

  • Mobile Security: Ease proxy connection set up between rooted Android and Burp Suite

  • Web Security: Exploiting ad blockers with CSS, implementation vulns in Microsoft and GitHub OAuth

  • Cloud Security: Cloud service provider security mistakes

  • re:Invent: Top announcements from AWS, a one pager overview, a recap with snark, the top 12 security announcements

  • Container Security: A container image to extract underlying container runtimes, awesome Kubernetes security repo

  • Politics / Privacy: FBI document shows what data can be obtained from encrypted messaging apps

  • Misc: Mindblowing gymnastics, browser extension to demarcate private-label brands on Amazon, testing Firefox more efficiently with ML, learn regex step by step

AppSec

lapt0r/border-collie
New tool by Chegg’s Kurt Boberg that uses Semgrep and the Python watchdog package to detect potential reverse shells being dropped in your environment.

Acra 0.90.0: application-level encryption and searchable encryption for any SQL and NoSQL databases
Cossack Labs’ Anastasiia Voitova describes Acra, a database security suite for data protection. Features that are newly open source include: transparent database encryption, searchable encryption, data masking & tokenization, cryptographically signed audit logs, and encryption-as-a-service API.

Python

The Python Vulnerability Landscape
Andrew Scott presents trends from over 10 years of Python package vulnerability data. A few takeaways:

  • There were 100 more high-severity CVEs in 2021 so far than total CVEs in 2019.

  • CWE-79 (XSS) and CWE-20 (Improper Input Validation) are by far the most common weakness types.

trailofbits/pip-audit
New tool to audit Python environments and dependency trees for known vulnerabilities, by Trail of Bits’ William Woodruff and colleagues. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.

ochronasec/ochrona-cli
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs, by Andrew Scott. Uses its own vulnerability database (here), which draws on data from NIST NVD, the GitHub Advisory Database, vendor disclosures and blog posts, and most recently, the PyPA Advisory DB.
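Both pip-audit and ochrona boil down to the same core step: match each pinned package and version against the affected ranges in an advisory feed. The script below is an added example that is not part of either tool or of this newsletter. It performs that matching offline against two constructed advisories written in the OSV schema that the PyPA Advisory Database publishes; the package names (widgetlib, gizmo, harmless-pkg), advisory IDs and versions are made up, and version comparison is a simplified dotted-integer compare where the real tools implement full PEP 440.

```python
import json
import re

# Constructed advisories in the OSV schema used by the PyPA Advisory Database.
# Package names, advisory IDs and version numbers are made up for this example.
ADVISORIES_JSON = """
[
  {"id": "PYSEC-0000-EXAMPLE-1",
   "summary": "constructed: improper input validation in widgetlib",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "widgetlib"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}]},
  {"id": "PYSEC-0000-EXAMPLE-2",
   "summary": "constructed: XSS in gizmo templating",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "Gizmo"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.5"},
                                        {"introduced": "3.0.0"}]}]}]}
]
"""
ADVISORIES = json.loads(ADVISORIES_JSON)

# Constructed pinned environment, in `pip freeze` form.
REQUIREMENTS = """
widgetlib==1.3.0
gizmo==2.0.3
harmless-pkg==0.9.1
"""


def normalize(name):
    """PEP 503 name normalisation so 'Gizmo' and 'gizmo' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(s):
    """Simplified: dotted integers only. Real auditors use packaging.version (PEP 440)."""
    return tuple(int(p) for p in s.split("."))


def affected_intervals(events):
    """Turn an OSV event list into [introduced, fixed) intervals.

    An 'introduced' with no following 'fixed' is an open-ended interval
    (no fix released yet)."""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            intervals.append((start, parse_version(ev["fixed"])))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def is_affected(version, events):
    """True if `version` falls inside any affected interval of the range."""
    v = parse_version(version)
    return any(lo <= v and (hi is None or v < hi)
               for lo, hi in affected_intervals(events))


def parse_requirements(text):
    """Map normalised package name -> pinned version from `name==version` lines."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, ver = line.split("==", 1)
            installed[normalize(name)] = ver.strip()
    return installed


def audit(requirements_text, advisories):
    """Return (package, installed version, advisory id) for every match."""
    installed = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = normalize(pkg.get("name", ""))
            if pkg.get("ecosystem") != "PyPI" or name not in installed:
                continue
            ver = installed[name]
            if any(r.get("type") == "ECOSYSTEM" and is_affected(ver, r["events"])
                   for r in aff.get("ranges", [])):
                findings.append((name, ver, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, ver, adv_id in audit(REQUIREMENTS, ADVISORIES):
        print(f"{name} {ver} is affected by {adv_id}")
```

The two details that most often go wrong in home-grown auditors are both visible here: name normalisation (an advisory for `Gizmo` must match `gizmo`), and treating a trailing `introduced` event as open-ended rather than ignoring it, since a reintroduced bug with no fix yet is exactly the case you want flagged.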

Mobile Security

Proxy Agent — a tool for mobile penetration testers!
GovTech Singapore’s Kang Hao describes Proxy Agent, a tool to ease the proxy connection setup process between a rooted Android device and a computer that is running Burp Suite.

Web Security

uBlock, I exfiltrate: exploiting ad blockers with CSS
uBlock Origin uses community-provided filter lists of CSS selectors to dictate which elements to block. Portswigger’s Gareth Heyes describes how he was able to bypass uBlock Origin’s selector restrictions, allowing a malicious CSS selector to extract data from scripts and attributes, and even steal passwords from Microsoft Edge.

He also walks through creating a keylogger in only CSS (code) 🤯 

Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks
Classic open redirection attacks include the redirection target in the URL itself. Proofpoint’s David Krispin and Nir Swartz describe how in some cases, if expected OAuth parameters are mangled or missing, the identity provider will try to helpfully send error responses to the application’s redirect URL so the app can handle them.

However, this can cause a user to be redirected to an attacker-controlled redirect URL after clicking a legitimate-looking URL belonging to a trusted party (e.g. Microsoft). This malicious redirect URL will not be present in the original link, and therefore passes most phishing and email security solutions.
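The fix on the identity-provider side is an ordering rule from RFC 6749 section 4.1.2.1: if the redirect URI is missing, invalid or does not match a registered value, the authorization server must show the error to the user and must not redirect; only once the redirect URI is known-good may other parameter errors be reported by redirecting. The snippet below is an added example, not code from Microsoft, GitHub or Proofpoint, showing the two orderings side by side with a constructed client registration (`client-123`, `https://app.example.com/oauth/callback`); the scope-required rule is a hypothetical policy chosen for illustration.

```python
from urllib.parse import urlencode

# Constructed client registration: client_id -> set of exact redirect URIs.
REGISTERED_CLIENTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def matching_redirect(client_id, requested):
    """Exact string match against the registered set; no prefix or host-only leniency."""
    allowed = REGISTERED_CLIENTS.get(client_id, set())
    return requested if requested in allowed else None


def handle_authorize_strict(params):
    """RFC 6749-compliant ordering.

    Returns ('render', message) when the user must be shown an error page, or
    ('redirect', url) when it is safe to send the user agent back to the client."""
    target = matching_redirect(params.get("client_id"), params.get("redirect_uri"))
    if target is None:
        # Mismatch or missing redirect_uri: inform the user, never redirect.
        return ("render", "invalid client_id or redirect_uri")

    # Only now are other parameter problems safe to report by redirect.
    errors = {}
    if params.get("response_type") != "code":
        errors = {"error": "unsupported_response_type"}
    elif "scope" not in params:  # hypothetical policy for this example
        errors = {"error": "invalid_request", "error_description": "scope missing"}
    if errors:
        if "state" in params:
            errors["state"] = params["state"]  # echo state so the client can correlate
        return ("redirect", target + "?" + urlencode(errors))

    # Success path: a constructed authorization code stands in for a real one.
    return ("redirect", target + "?" + urlencode(
        {"code": "constructed-code", "state": params.get("state", "")}))


def handle_authorize_lenient(params):
    """Pattern to avoid: reports a parameter error by redirecting to whatever
    redirect_uri the request carried, before that URI has been validated."""
    if params.get("response_type") != "code":
        return ("redirect", params.get("redirect_uri", "") + "?"
                + urlencode({"error": "unsupported_response_type"}))
    return handle_authorize_strict(params)


if __name__ == "__main__":
    mangled = {"client_id": "client-123", "redirect_uri": "https://unregistered.example/cb",
               "response_type": "token", "state": "s1"}
    print("lenient:", handle_authorize_lenient(mangled))
    print("strict: ", handle_authorize_strict(mangled))
```

When reviewing your own authorization server, the question to ask of every error branch is "has `redirect_uri` already been matched exactly at this point?"; any branch that redirects before that check is the bug class described above, and a request with a deliberately unsupported `response_type` is the cheapest test case for it.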

Cloud Security

Cloud service provider security mistakes
Cloud historian Scott Piper has created a GitHub repo to catalogue security mistakes by cloud service providers (AWS, GCP, and Azure); that is, public mistakes on the cloud providers’ side of the shared responsibility model. Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.

re:Invent

Top Announcements of AWS re:Invent 2021
Round-up from the AWS blog.

awscon-onepager/reinvent-2021.md
Concise list of announcement links by Victor Grenu, each tagged as a launch or new service, a new feature or enhancement, or a preview.

re:Invent 2021 Recap
Chris Farris provides overview snippets from interesting announcements + a healthy dose of snark.

AWS Marketplace, otherwise known as the Amazon Bypass-Corporate-Procurement-and-Vendor-Risk-Management-as-a-Service now supports k8s. Because if you don’t do Kubernetes you should be shopping for a casket grandpa.

The top 12 security announcements at AWS re:Invent 2021
By VentureBeat’s Kyle Alspach. Some themes: “bringing more automation to many security processes, new capabilities to enable secure access to data, enhanced network and IoT security, and improved security for containers.” I thought this was a nice overview of a bunch of things 👍

Container Security

twistlock/whoc
A container image that extracts the underlying container runtime and sends it to a remote server, by Palo Alto Networks’ Yuval Avrahami. Has modes for dynamically and statically linked container runtimes. Poke at the underlying container runtime of your favorite CSP container platform!

ksoclabs/awesome-kubernetes-security
A curated list of awesome Kubernetes security resources, by KSOC. Open source projects, general resources, and Twitter accounts.

Politics / Privacy

FBI document shows what data can be obtained from encrypted messaging apps
The Record’s Catalin Cimpanu shares info gleaned from a document obtained by a FOIA request:

A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.

Misc

When you clearly understand the Law of Physics
This 11 second display of timing and gymnastics blew my mind.

Introducing Amazon Brand Detector
Amazon has registered more than 150 private-label brands in the U.S., and it often gives its own brands and exclusive products a leg up in search results over better-rated competitors. This new browser extension by The Markup shows you which products are from Amazon by highlighting them in orange.

Testing Firefox more efficiently with machine learning
Mozilla has around 85,000 unique test files. Running every test on every push is infeasible, slow, and expensive, so they’d previously been using human input and heuristics to determine what subset of tests to run. In this post, Andrew Halberstadt and Marco Castelluccio describe how they were able to reduce the number of test tasks on their integration branch by 70% using machine learning.

Regex Learn - Step by step, from zero to advanced
Neat step by step tutorial with interactive challenges. I wish I had found a site like this when I was first learning regex.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint