[tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF, Moxie on web3

Hey there,

I hope you’ve been doing well!

The Matrix has You

With the fourth Matrix coming out over the holidays, my family and I did the only rational thing one could do: watch one movie a night each night leading up to the release.

The first movie definitely stood the test of time and is a masterpiece, and the second and third were better than I remembered.

The fourth I give a 🤷👍: overall I enjoyed it, but probably not in my top two of the four.

Watching so much of the Matrix back to back did cause phrases to slip into our normal speech… and our actions, like my sister doing Trinity’s flying kick, standing on one of our kitchen counters.

Some people say my sister and I look alike, but I don’t see it.

Machine Learning

A Neural Network Solves and Generates Mathematics Problems by Program Synthesis: Calculus, Differential Equations, Linear Algebra, and More
Academic paper showing how the authors trained a neural network to successfully solve university-level problems from MIT’s math courses.

BoltzmannEntropy/interviews.ai
Deep Learning Interviews book: Hundreds of fully solved job interview questions from a wide range of key topics in AI.

AppSec

PyPI: advocate
Advocate is basically drop-in replacement for the Python requests library that makes it easy to safely make HTTP requests on behalf of a third party. Specifically, it aims to prevent common techniques that enable SSRF attacks (internal IPs, URLs or hosts you want to deny, deals with DNS rebinding, handles redirects sanely).

Simpler unpickle payloads with the walrus operator
Google’s Calle Svensson describes how to effectively exploit a Python Pickle deserialization vulnerability when you don’t get any STDOUT data from the unpickling and outbound connections are blocked, so you can’t do a reverse shell.

MacOS

The Mac Malware of 2021
Objective-See’s Patrick Wardle provides an in-depth technical analysis of the year’s new Mac malware, covering infection vector, persistence mechanism, and payload and capabilities for each, plus samples to download.

Web Security

Exploiting Url Parsers: The Good, Bad, And Inconsistent
Researchers from Claroty and Snyk examined 16 URL parsing libraries and found:

• Five categories of inconsistencies (scheme confusion, slashes confusion, backslash confusion, URL encoded data confusion, and scheme mixup)

• Which they were able to translate to SSRF, XSS, open redirect, filter bypass, and DoS.

Cloud Security

Simple CSPM
This project by Peter Collins uses Google App Script inside of Google sheets to collect daily useful audit data from GCP - publicly exposed buckets, VMs, functions, and more. Reduce your attack surface by discovering unused service accounts, permissions, firewall rules, and even entire projects.

Securely Access Your AWS Resources From Github Actions
Benoît Bouré describes how by creating an OpenID Connect identity provider in AWS. I appreciated the tip on locking down the IAM role to only a specific repo, or even only a specific branch or tag.

Identity Guide – Preventive controls with AWS Identity – SCPs
AWS post describing how to get started with Service Control Policies, common use cases, and how to write your own SCPs. Use cases discussed include limiting geographic regions, preventing changes to security controls, and more.

oauth2-proxy/oauth2-proxy
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers. An easy thing to put in front of web apps that you don’t want exposed to randos on the Internet.

heroku/heroku-guardian
CLI tool by Salesforce’s Ashish Patel to validate baseline security configurations for your own Heroku deployments against best practices, and to reduce unwanted attack surface.

Container Security

plexsystems/sinker
By Plex Systems: A tool to sync container images from one registry to another, for example, when you rely on images that exist in a public container registry but need to pull from a private registry.

Qovery/pleco
Automatically remove Cloud managed services and Kubernetes resources based on tags with TTL, by Qovery.

Shogan/kube-chaos
A chaos engineering style game where you seek out and destroy Kubernetes pods, twinstick shoot-em-up style. The game interfaces with your Kubernetes cluster and allows you to explore your cluster nodes and destroy live, running pods on those nodes. Powered by the Unity engine.

Politics / Privacy

Visualizing the $94 Trillion World Economy in One Chart
Together, the U.S. and China account for 42% of global GDP.

How to Read Your iOS 15 App Privacy Report
In iOS 15.2, turn it on via Settings > Privacy > App Privacy Report, and see what networks and domains your iOS apps are connecting to, and how frequently they access your device data (contacts, location, camera and microphone).

How Signal is playing with fire

Cryptography

My first impressions of web3
Some insightful perspective from Moxie Marlinspike on centralization vs decentralization, and what he found after making some distributed apps. Fun fact:

Moxie is also stepping down as Signal’s CEO.

OSINT / Recon

j3ssie/osmedeus
Build your own reconnaissance system with Osmedeus, a workflow engine for offensive security, by Ai Ho.

Misc

Trung Phan: Twitter thread on very wrong business and tech predictions
Interesting anecdotes of how even very informed people can be quite wrong. Paul Krugman, Bill Gates, Steve Ballmer, and more.

donnemartin/haxor-news
Tool by Donne Martin to view/filter/browse Hacker News via CLI.

Best Paper Awards in Computer Science
A collection of best paper awards for 30 computer science conferences (the main conferences in each subfield), starting from 1996, by Brown University HCI professor Jeff Huang et al.

RSAC: 2022 Trends Observed in Call for Speakers Submission Review
By RSA Conference’s Britta Glade and Kacy Zurkus. Trends: Zero Trust, ripple effects of the SBOM, supply chain challenges, passwordless, back to basics and starting security programs from scratch, cloud (DevOps, APIs, authentication mechanisms, hybrid cloud, specific cloud capabilities), AI and ML, risk (third-party, privacy, KPIs and metrics tied to business outcomes), career advice, and the rise of more frameworks.

We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one: BugAlert.org
A free and open-source service for alerting security and IT professionals of high-impact and 0day vulnerabilities by email, SMS, phone calls, and Twitter, by Matthew Sullivan.

FlightAware: Misery Map
See a breakdown of the flight delays and cancellations across major U.S. airports.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint