[tl;dr sec] #112 - re:Invent, Python Security, Cloud Service Provider Mistakes
A round-up of articles about re:Invent, a look at Python package security, and Scott Piper's repo of AWS, GCP, and Azure mistakes and vulnerabilities.
I hope you’ve been doing well!
I gained a lot from my time in grad school. Like how raw ore gains a lot from being melted down in a kiln at ~1,800 degrees, molded, and struck repeatedly with a hammer until it’s strong.
Periodically I come across some humor about academia that gives me a chuckle. I recently stumbled across this Associate Deans Twitter account that’s pretty good:
And I couldn’t help but laugh out loud at this brutal GIF.
If you have any good academia jokes or memes, feel free to send ‘em my way!
🧪 Experimental Results
Some results from my experiments last week.
Table of Contents
Some people preferred I cut it, some didn’t care, but more people wanted it to stay.
Interestingly, the people who wanted it to stay tended to be CISOs, Directors or VPs of Security, or other senior security leaders. I hypothesize this is because they tend to be very busy, so they want to be able to quickly pick out the parts that are most relevant.
Big shout-out to Caleb Sima, who advised me early on to include it.
Despite the fact that I was sweating bullets before sending the last email, nobody flamed me for having a secondary sponsor. In fact, several people reached out and encouraged me to keep it 🤷
A flood of companies kindly expressed interest (thanks so much!), and in probably the next week or two, tl;dr sec will be about half sold out for 2022 🤯
Relatedly, bringing on someone to run sales for tl;dr sec is potentially the best thing I’ve ever done. This way I get to focus on what I love: nerding out over great security work.
Big thank you again to all of the companies who reached out!
📢 API Security Best Practices Guide
APIs drive today’s modern apps. Bad actors know the benefit of targeting APIs to get at valuable data, so API attacks are on the rise. Existing security tooling can’t stop API attacks - you need a new approach. Salt Security has compiled a set of API security best practices, drawn from customer experiences, to help you in this journey. Download the guide here to build your plan for securing your external, internal, and partner APIs.
📜 In this newsletter...
AppSec: Use Semgrep to find dropped reverse shells, app-level and searchable encryption for databases
Python: 10 years of Python package vulnerabilities, two tools to audit dependencies for known vulnerabilities
Mobile Security: Ease proxy connection set up between rooted Android and Burp Suite
Web Security: Exploiting ad blockers with CSS, implementation vulns in Microsoft and GitHub OAuth
Cloud Security: Cloud service provider security mistakes
re:Invent: Top announcements from AWS, a one pager overview, a recap with snark, the top 12 security announcements
Container Security: A container image to extract underlying container runtimes, awesome Kubernetes security repo
Politics / Privacy: FBI document shows what data can be obtained from encrypted messaging apps
Misc: Mindblowing gymnastics, browser extension to demarcate private-label brands on Amazon, testing Firefox more efficiently with ML, learn regex step by step
Acra 0.90.0: application-level encryption and searchable encryption for any SQL and NoSQL databases
Cossack Labs’ Anastasiia Voitova describes Acra, a database security suite for data protection. Features that are newly open source include: transparent database encryption, searchable encryption, data masking & tokenization, cryptographically signed audit logs, and encryption-as-a-service API.
There have been 100 more High Severity CVEs in 2021 so far than there were total CVEs in 2019.
CWE-79 (XSS) and CWE-20 (Improper Input Validation) are by far the most common weakness types.
New tool to audit Python environments and dependency trees for known vulnerabilities, by Trail of Bits’ William Woodruff and colleagues. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs, by Andrew Scott. Uses its own vulnerability database (here) which uses data from NIST NVD, the Github Advisory Database, vendor disclosures and blog posts, and most recently, from the PyPA Advisory DB.
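As an added illustration (not code from either tool above), here is the core of an audit step over the per-release `vulnerabilities` array that the PyPI JSON API returns for a pinned package: the fetcher, package names and advisory ids are constructed placeholders, the field names follow the API's OSV-style records as I understand them, and the version parser assumes plain dotted release numbers.

```python
from typing import Callable

# Constructed stand-in for GET https://pypi.org/pypi/<name>/<version>/json (offline).
# Advisory ids and package names are placeholders, not real advisories.
FAKE_PYPI = {
    ("examplepkg", "1.2.0"): {
        "info": {"name": "examplepkg", "version": "1.2.0"},
        "vulnerabilities": [
            {"id": "PYSEC-0000-PLACEHOLDER-1", "aliases": ["CVE-0000-00001"],
             "fixed_in": ["1.2.3"], "details": "constructed advisory"},
            # Fixed on two branches: only the one above the installed version is an upgrade.
            {"id": "PYSEC-0000-PLACEHOLDER-2", "aliases": [],
             "fixed_in": ["0.9.5", "1.3.0"], "details": "constructed advisory"},
        ],
    },
    ("cleanpkg", "3.0.1"): {"info": {"name": "cleanpkg", "version": "3.0.1"},
                            "vulnerabilities": []},
}

def fake_fetch(name: str, version: str) -> dict:
    """Hypothetical fetcher; a real tool would issue the HTTP request here."""
    return FAKE_PYPI.get((name, version), {"vulnerabilities": []})

def parse_version(v: str) -> tuple:
    """Assumption: plain dotted releases such as 1.2.3 (no pre-release or local tags)."""
    return tuple(int(part) for part in v.split("."))

def audit_environment(installed: dict, fetch: Callable[[str, str], dict]) -> list:
    """For each pinned package, report every non-withdrawn advisory the feed lists for
    that exact release, with the lowest fixed version that is actually an upgrade."""
    findings = []
    for name, version in installed.items():
        for vuln in fetch(name, version).get("vulnerabilities", []):
            if vuln.get("withdrawn"):
                continue
            upgrades = sorted(
                (f for f in vuln.get("fixed_in", []) if parse_version(f) > parse_version(version)),
                key=parse_version,
            )
            findings.append({"package": name, "version": version, "id": vuln["id"],
                             "aliases": vuln.get("aliases", []),
                             "fix": upgrades[0] if upgrades else None})
    return findings

# Constructed "environment": the pinned versions a tool would read from pip.
INSTALLED = {"examplepkg": "1.2.0", "cleanpkg": "3.0.1"}
```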
Proxy Agent — a tool for mobile penetration testers!
GovTech Singapore’s Kang Hao describes Proxy Agent, a tool to ease the proxy connection setup process between a rooted Android device and a computer that is running Burp Suite.
uBlock, I exfiltrate: exploiting ad blockers with CSS
uBlock Origin uses community-provided filter lists of CSS selectors to dictate which elements to block. Portswigger’s Gareth Heyes describes how he was able to bypass uBlock Origin’s selector restrictions, allowing a malicious CSS selector to extract data from scripts and attributes, and even steal passwords from Microsoft Edge.
He also walks through creating a keylogger in only CSS (code) 🤯
Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks
Classic open redirection attacks include the redirection target in the URL itself. Proofpoint’s David Krispin and Nir Swartz describe how in some cases, if expected OAuth parameters are mangled or missing, the identity provider will try to helpfully send error responses to the application’s redirect URL so the app can handle them.
However, this can cause a user to be redirected to an attacker-controlled redirect URL after clicking a legitimate-looking URL belonging to a trusted party (e.g. Microsoft). This malicious redirect URL will not be present in the original link, and therefore pass most phishing and email security solutions.
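To make the defensive rule concrete, here is an added example (my own sketch, not Proofpoint's findings or either vendor's code) of a hypothetical authorization endpoint in two forms: one that bounces a malformed request's error to whatever redirect_uri the link carried, and one that follows RFC 6749 §4.1.2.1 by validating client_id and the exact redirect_uri first and rendering the error locally when they do not check out. The client registration, URLs and crafted query are constructed, and the example assumes the redirect_uri in the crafted link is not one the client registered.

```python
from urllib.parse import parse_qs, urlencode

# Constructed registration data for a hypothetical client (placeholder identifiers).
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}

def parse_query(query: str) -> dict:
    """Flatten the query string to single values (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def lenient_authorize(query: str) -> dict:
    """Weak form: any malformed request gets its error 'helpfully' redirected to the
    redirect_uri supplied in the request, before that URI has been checked at all."""
    p = parse_query(query)
    redirect_uri = p.get("redirect_uri", "")
    if p.get("response_type") != "code" or "client_id" not in p:
        return {"status": 302,
                "location": redirect_uri + "?" + urlencode({"error": "invalid_request"})}
    return {"status": 200, "body": "consent page"}

def strict_authorize(query: str) -> dict:
    """Hardened form: validate client_id and redirect_uri by exact string match first.
    If that fails, show the error on the IdP's own page and never redirect."""
    p = parse_query(query)
    allowed = REGISTERED_REDIRECTS.get(p.get("client_id"), set())
    redirect_uri = p.get("redirect_uri")
    if redirect_uri not in allowed:  # exact match: no prefix, wildcard or subdomain logic
        return {"status": 400, "body": "invalid client_id or redirect_uri"}
    if p.get("response_type") != "code":
        # Redirecting the error is safe now: the destination is one the client registered.
        return {"status": 302,
                "location": redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})}
    return {"status": 200, "body": "consent page"}

# Constructed link: real client_id, deliberately wrong response_type, foreign redirect_uri.
CRAFTED = "client_id=client-123&response_type=token&redirect_uri=https://attacker.example/cb"
```

Log the 400 branch with the client_id and the offending redirect_uri: a spike of such rejections for one client is a useful detection signal for link-crafting attempts.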
Cloud service provider security mistakes
Cloud historian Scott Piper has created a GitHub repo to catalogue security mistakes by cloud service providers (AWS, GCP, and Azure); that is, public mistakes on the cloud providers’ side of the shared responsibility model. Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.
Top Announcements of AWS re:Invent 2021
Round-up from the AWS blog.
The top 12 security announcements at AWS re:Invent 2021
By VentureBeat’s Kyle Alspach. Some themes: “bringing more automation to many security processes, new capabilities to enable secure access to data, enhanced network and IoT security, and improved security for containers.” I thought this was a nice overview of a bunch of things 👍
A container image that extracts the underlying container runtime and sends it to a remote server, by Palo Alto Networks’s Yuval Avrahami. Has modes for dynamically and statically linked container runtimes. Poke at the underlying container runtime of your favorite CSP container platform!
Politics / Privacy
FBI document shows what data can be obtained from encrypted messaging apps
The Record’s Catalin Cimpanu shares info gleaned from a document obtained by a FOIA request:
When you clearly understand the Law of Physics
This 11 second display of timing and gymnastics blew my mind.
Introducing Amazon Brand Detector
Amazon has registered more than 150 private-label brands in the U.S., and it often gives its own brands and exclusive products a leg up in search results over better-rated competitors. This new browser extension by The Markup shows you which products are from Amazon by highlighting them in orange.
Testing Firefox more efficiently with machine learning
Mozilla has around 85,000 unique test files. Running every test on every push is infeasible, slow, and expensive, so they’d previously been using human input and heuristics to determine what subset of tests to run. In this post, Andrew Halberstadt and Marco Castelluccio describe how they were able to reduce the number of test tasks on their integration branch by 70% using machine learning.
Regex Learn - Step by step, from zero to advanced
Neat step by step tutorial with interactive challenges. I wish I had found a site like this when I was first learning regex.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!