• tl;dr sec
  • Posts
  • [tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF, Moxie on web3

[tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF, Moxie on web3

Patrick Wardle's analysis of a year of Mac malware, library to safely make HTTP requests, and Moxie experiments with distributed apps.

Hey there,

I hope you’ve been doing well!

The Matrix has You

With the fourth Matrix coming out over the holidays, my family and I did the only rational thing one could do: watch one movie a night each night leading up to the release.

The first movie definitely stood the test of time and is a masterpiece, and the second and third were better than I remembered.

The fourth I give a 🤷👍: overall I enjoyed it, but probably not in my top two of the four.

Watching so much of the Matrix back to back did cause phrases to slip into our normal speech… and our actions, like my sister doing Trinity’s flying kick, standing on one of our kitchen counters.

Some people say my sister and I look alike, but I don’t see it.

Sponsor

📢 Mitigating log4j with Runtime-based Kubernetes Network Policies

New critical vulnerabilities have been found in log4j, a popular open-source utility used to generate logs inside Java applications. Read our latest blog where we discuss mitigation strategies and offer best practices to discover and remediate critical Log4j vulnerabilities. You’ll learn:

  • Why WAFs are not enough

  • The value of run time analysis

  • K8 network policy mitigation

📜 In this newsletter...

  • Machine Learning: A neural network that can do your math homework, deep learning job interview questions and answers

  • AppSec: Preventing SSRF in Python, effectively exploiting Python deserialization in restricted situations

  • MacOS: Mac malware of 2021

  • Web Security: Exploiting inconsistencies in URL parsers

  • Cloud Security: GCP asset inventory in a Google Sheet, securely accessing AWS resources from GitHub Actions, AWS SCP guide, OAuth2 proxy, security scanner for Heroku environments

  • Container Security: Sync container images from one registry to another, automatically remove cloud managed services and k8s resources based on a TTL tag, destroy your Kubernetes pods via a video game

  • Politics / Privacy: The $94 Trillion world economy in one chart, understand the sensitive info your iOS apps are accessing, Signal adding cryptocurrency money transfer may invite legal challenge

  • Cryptography: Moxie's impressions of web3

  • OSINT / Recon: Build your own reconnaissance system

  • Misc: Business and tech predictions that were way off, browse Hacker News via CLI, collection of best paper awards from top CS conferences, RSAC submission trends, open source alert system for high impact vulnerabilities, see where flights are being delayed

Machine Learning

A Neural Network Solves and Generates Mathematics Problems by Program Synthesis: Calculus, Differential Equations, Linear Algebra, and More
Academic paper showing how the authors trained a neural network to successfully solve university-level problems from MIT’s math courses.

BoltzmannEntropy/interviews.ai
Deep Learning Interviews book: Hundreds of fully solved job interview questions from a wide range of key topics in AI.

AppSec

PyPI: advocate
Advocate is basically drop-in replacement for the Python requests library that makes it easy to safely make HTTP requests on behalf of a third party. Specifically, it aims to prevent common techniques that enable SSRF attacks (internal IPs, URLs or hosts you want to deny, deals with DNS rebinding, handles redirects sanely).

Simpler unpickle payloads with the walrus operator
Google’s Calle Svensson describes how to effectively exploit a Python Pickle deserialization vulnerability when you don’t get any STDOUT data from the unpickling and outbound connections are blocked, so you can’t do a reverse shell.

MacOS

The Mac Malware of 2021
Objective-See’s Patrick Wardle provides an in-depth technical analysis of the year’s new Mac malware, covering infection vector, persistence mechanism, and payload and capabilities for each, plus samples to download.

Web Security

Exploiting Url Parsers: The Good, Bad, And Inconsistent
Researchers from Claroty and Snyk examined 16 URL parsing libraries and found:

  • Five categories of inconsistencies (scheme confusion, slashes confusion, backslash confusion, URL encoded data confusion, and scheme mixup)

  • Which they were able to translate to SSRF, XSS, open redirect, filter bypass, and DoS.

Cloud Security

Simple CSPM
This project by Peter Collins uses Google App Script inside of Google sheets to collect daily useful audit data from GCP - publicly exposed buckets, VMs, functions, and more. Reduce your attack surface by discovering unused service accounts, permissions, firewall rules, and even entire projects.

Securely Access Your AWS Resources From Github Actions
Benoît Bouré describes how by creating an OpenID Connect identity provider in AWS. I appreciated the tip on locking down the IAM role to only a specific repo, or even only a specific branch or tag.

Identity Guide – Preventive controls with AWS Identity – SCPs
AWS post describing how to get started with Service Control Policies, common use cases, and how to write your own SCPs. Use cases discussed include limiting geographic regions, preventing changes to security controls, and more.

oauth2-proxy/oauth2-proxy
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers. An easy thing to put in front of web apps that you don’t want exposed to randos on the Internet.

heroku/heroku-guardian
CLI tool by Salesforce’s Ashish Patel to validate baseline security configurations for your own Heroku deployments against best practices, and to reduce unwanted attack surface.

Container Security

plexsystems/sinker
By Plex Systems: A tool to sync container images from one registry to another, for example, when you rely on images that exist in a public container registry but need to pull from a private registry.

Qovery/pleco
Automatically remove Cloud managed services and Kubernetes resources based on tags with TTL, by Qovery.

Shogan/kube-chaos
A chaos engineering style game where you seek out and destroy Kubernetes pods, twinstick shoot-em-up style. The game interfaces with your Kubernetes cluster and allows you to explore your cluster nodes and destroy live, running pods on those nodes. Powered by the Unity engine.

Politics / Privacy

Visualizing the $94 Trillion World Economy in One Chart
Together, the U.S. and China account for 42% of global GDP.

How to Read Your iOS 15 App Privacy Report
In iOS 15.2, turn it on via Settings > Privacy > App Privacy Report, and see what networks and domains your iOS apps are connecting to, and how frequently they access your device data (contacts, location, camera and microphone).

“Signal and WhatsApp have effectively protected end-to-end encryption from multiple legal attacks at the state and federal level,” said Alex Stamos, who worked on encryption issues while serving as Facebook’s chief security officer. “But the addition of pseudo-anonymous money transfer functions greatly increases their legal attack surface, while creating the possibility of real-life harms (extortion, drug sales, CSAM sales) that will harm them in court, legislatures and public opinion.”

Sponsor

📢 Monad: Enabling workflows from security driven insights

Build your modern security program, to consider how your tools can work together and save your team the burden of managing tools separately in silo. Aggregating the data from vulnerability management tools and modeling it, Monad enables your security team to ask questions to better understand operational risk.

Cryptography

My first impressions of web3
Some insightful perspective from Moxie Marlinspike on centralization vs decentralization, and what he found after making some distributed apps. Fun fact:

Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NFT spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.

Moxie is also stepping down as Signal’s CEO.

OSINT / Recon

j3ssie/osmedeus
Build your own reconnaissance system with Osmedeus, a workflow engine for offensive security, by Ai Ho.

Misc

Trung Phan: Twitter thread on very wrong business and tech predictions
Interesting anecdotes of how even very informed people can be quite wrong. Paul Krugman, Bill Gates, Steve Ballmer, and more.

donnemartin/haxor-news
Tool by Donne Martin to view/filter/browse Hacker News via CLI.

Best Paper Awards in Computer Science
A collection of best paper awards for 30 computer science conferences (the main conferences in each subfield), starting from 1996, by Brown University HCI professor Jeff Huang et al.

RSAC: 2022 Trends Observed in Call for Speakers Submission Review
By RSA Conference’s Britta Glade and Kacy Zurkus. Trends: Zero Trust, ripple effects of the SBOM, supply chain challenges, passwordless, back to basics and starting security programs from scratch, cloud (DevOps, APIs, authentication mechanisms, hybrid cloud, specific cloud capabilities), AI and ML, risk (third-party, privacy, KPIs and metrics tied to business outcomes), career advice, and the rise of more frameworks.

We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one: BugAlert.org
A free and open-source service for alerting security and IT professionals of high-impact and 0day vulnerabilities by email, SMS, phone calls, and Twitter, by Matthew Sullivan.

FlightAware: Misery Map
See a breakdown of the flight delays and cancellations across major U.S. airports.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint