[tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF, Moxie on web3
Patrick Wardle's analysis of a year of Mac malware, library to safely make HTTP requests, and Moxie experiments with distributed apps.
I hope you’ve been doing well!
The Matrix has You
With the fourth Matrix coming out over the holidays, my family and I did the only rational thing one could do: watch one movie a night each night leading up to the release.
The first movie definitely stood the test of time and is a masterpiece, and the second and third were better than I remembered.
The fourth I give a 🤷👍: overall I enjoyed it, but probably not in my top two of the four.
Watching so much of the Matrix back to back did cause phrases to slip into our normal speech… and our actions, like my sister doing Trinity’s flying kick, standing on one of our kitchen counters.
Some people say my sister and I look alike, but I don’t see it.
📢 Mitigating log4j with Runtime-based Kubernetes Network Policies
New critical vulnerabilities have been found in log4j, a popular open-source utility used to generate logs inside Java applications. Read our latest blog where we discuss mitigation strategies and offer best practices to discover and remediate critical Log4j vulnerabilities. You’ll learn:
Why WAFs are not enough
The value of runtime analysis
K8s network policy mitigation
📜 In this newsletter...
Machine Learning: A neural network that can do your math homework, deep learning job interview questions and answers
AppSec: Preventing SSRF in Python, effectively exploiting Python deserialization in restricted situations
MacOS: Mac malware of 2021
Web Security: Exploiting inconsistencies in URL parsers
Cloud Security: GCP asset inventory in a Google Sheet, securely accessing AWS resources from GitHub Actions, AWS SCP guide, OAuth2 proxy, security scanner for Heroku environments
Container Security: Sync container images from one registry to another, automatically remove cloud managed services and k8s resources based on a TTL tag, destroy your Kubernetes pods via a video game
Politics / Privacy: The $94 Trillion world economy in one chart, understand the sensitive info your iOS apps are accessing, Signal adding cryptocurrency money transfer may invite legal challenge
Cryptography: Moxie's impressions of web3
OSINT / Recon: Build your own reconnaissance system
Misc: Business and tech predictions that were way off, browse Hacker News via CLI, collection of best paper awards from top CS conferences, RSAC submission trends, open source alert system for high impact vulnerabilities, see where flights are being delayed
A Neural Network Solves and Generates Mathematics Problems by Program Synthesis: Calculus, Differential Equations, Linear Algebra, and More
Academic paper showing how the authors trained a neural network to successfully solve university-level problems from MIT’s math courses.
Deep Learning Interviews book: Hundreds of fully solved job interview questions from a wide range of key topics in AI.
Advocate is essentially a drop-in replacement for the Python requests library that makes it easy to safely make HTTP requests on behalf of a third party. Specifically, it aims to block the common techniques behind SSRF attacks: it rejects requests to internal IPs and to URLs or hosts you want to deny, guards against DNS rebinding, and handles redirects sanely.
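As an added example (not Advocate's own code), here is the set of checks such a library has to make before it opens a connection: scheme and port allow-lists, no userinfo, every resolved address public (IPv4-mapped IPv6 unwrapped, link-local metadata ranges included), and the resolved addresses returned so the caller connects to exactly those and re-checks every redirect hop. The resolver is injectable so the DNS-rebinding case can be exercised offline; the `.test` hostnames and addresses used in the checks are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}

def resolve_all(host):
    """Every A/AAAA record for host as strings, not just the first one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [i[4][0] for i in infos]

def ip_is_public(ip):
    """False for loopback, RFC 1918/ULA, link-local (incl. 169.254.0.0/16),
    multicast, reserved and unspecified; IPv4-mapped IPv6 is unwrapped first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_url(url, resolver=resolve_all):
    """Return (ok, reason, pinned_ips). Connect only to pinned_ips, so a second
    lookup at connect time (DNS rebinding) cannot substitute an internal
    address; with auto-redirects disabled, re-run this on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "userinfo in URL", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        ips = [ipaddress.ip_address(parts.hostname)]  # literal: skip DNS
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host", []
    if not ips:
        return False, "no addresses", []
    # One internal record is enough to reject: a zone the attacker controls
    # can answer with a mix of public and private addresses.
    bad = [str(ip) for ip in ips if not ip_is_public(ip)]
    if bad:
        return False, f"non-public address {bad[0]}", []
    return True, "ok", [str(ip) for ip in ips]
```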
Simpler unpickle payloads with the walrus operator
Google’s Calle Svensson describes how to effectively exploit a Python Pickle deserialization vulnerability when you don’t get any STDOUT data from the unpickling and outbound connections are blocked, so you can’t do a reverse shell.
The Mac Malware of 2021
Objective-See’s Patrick Wardle provides an in-depth technical analysis of the year’s new Mac malware, covering infection vector, persistence mechanism, and payload and capabilities for each, plus samples to download.
Exploiting Url Parsers: The Good, Bad, And Inconsistent
Researchers from Claroty and Snyk examined 16 URL parsing libraries and found five categories of inconsistencies (scheme confusion, slashes confusion, backslash confusion, URL-encoded data confusion, and scheme mixup), which they were able to translate into SSRF, XSS, open redirect, filter bypass, and DoS.
This project by Peter Collins uses Google Apps Script inside Google Sheets to collect useful audit data from GCP daily: publicly exposed buckets, VMs, functions, and more. Reduce your attack surface by discovering unused service accounts, permissions, firewall rules, and even entire projects.
Securely Access Your AWS Resources From Github Actions
Benoît Bouré describes how to do this by creating an OpenID Connect identity provider in AWS. I appreciated the tip on locking down the IAM role to only a specific repo, or even only a specific branch or tag.
Identity Guide – Preventive controls with AWS Identity – SCPs
AWS post describing how to get started with Service Control Policies, common use cases, and how to write your own SCPs. Use cases discussed include limiting geographic regions, preventing changes to security controls, and more.
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers. An easy thing to put in front of web apps that you don’t want exposed to randos on the Internet.
By Plex Systems: A tool to sync container images from one registry to another, for example, when you rely on images that exist in a public container registry but need to pull from a private registry.
A chaos engineering style game where you seek out and destroy Kubernetes pods, twin-stick shoot-em-up style. The game interfaces with your Kubernetes cluster and allows you to explore your cluster nodes and destroy live, running pods on those nodes. Powered by the Unity engine.
Politics / Privacy
Visualizing the $94 Trillion World Economy in One Chart
Together, the U.S. and China account for 42% of global GDP.
How to Read Your iOS 15 App Privacy Report
In iOS 15.2, turn it on via Settings > Privacy > App Privacy Report, and see what networks and domains your iOS apps are connecting to, and how frequently they access your device data (contacts, location, camera and microphone).
📢 Monad: Enabling workflows from security driven insights
Build a modern security program by considering how your tools can work together, saving your team the burden of managing tools separately in silos. By aggregating the data from vulnerability management tools and modeling it, Monad enables your security team to ask questions that lead to a better understanding of operational risk.
Moxie is also stepping down as Signal’s CEO.
OSINT / Recon
Trung Phan: Twitter thread on very wrong business and tech predictions
Interesting anecdotes of how even very informed people can be quite wrong. Paul Krugman, Bill Gates, Steve Ballmer, and more.
Best Paper Awards in Computer Science
A collection of best paper awards for 30 computer science conferences (the main conferences in each subfield), starting from 1996, by Brown University HCI professor Jeff Huang et al.
RSAC: 2022 Trends Observed in Call for Speakers Submission Review
By RSA Conference’s Britta Glade and Kacy Zurkus. Trends: Zero Trust, ripple effects of the SBOM, supply chain challenges, passwordless, back to basics and starting security programs from scratch, cloud (DevOps, APIs, authentication mechanisms, hybrid cloud, specific cloud capabilities), AI and ML, risk (third-party, privacy, KPIs and metrics tied to business outcomes), career advice, and the rise of more frameworks.
We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one: BugAlert.org
A free and open-source service for alerting security and IT professionals of high-impact and 0day vulnerabilities by email, SMS, phone calls, and Twitter, by Matthew Sullivan.
FlightAware: Misery Map
See a breakdown of the flight delays and cancellations across major U.S. airports.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!