[tl;dr sec] #142 - OAuth Security, Cryptocurrency, Being Able to Speak Business
OAuth bugs that lead to single-click account takeovers, crypto wallet exploits and Ethereum smart contract best practices, the importance of being able to communicate in business metrics and outcomes.
I hope you’ve been doing well!
Bay Area Romance
Love is universal.
It brings us together across geographies, cultures, races, religions, beliefs, and more.
It can give us the highest of highs, or the lowest of lows. Make us feel on top of the world, or dashed to bits on the treacherous rocks of unrequited love.
While love is universal, there are regional cultural differences in what’s expected, what’s allowed, and what isn’t.
And like accents, the language of love can vary. This Avril Lavigne parody rings true of the Bay Area 🤣
Relatedly, I’m thinking about starting to work on a tl;dr sec guide on communication, dating, relationships, marriage, etc. (not a joke)
I’d love to hear if you’d find this interesting or useful, and if so, what you’d love to be in it, questions or challenges you have, really anything. Thanks in advance 🙏
📢 How to protect your APIs from modern security risks
APIs are difficult to secure and traditional methods like WAFs and Gateways are simply not enough. Today’s security strategies need to consider the evolution of app development and a new era of attackers who target APIs. Only Salt Security provides the advanced security capabilities to ensure your APIs, applications, and sensitive data are protected. Read the Protecting APIs from Modern Security Risks white paper and learn how to secure your organization from today's threats.
📜 In this newsletter...
Cryptocurrency: Two novel crypto wallet exploits explained, Ethereum smart contract best practices, overview of recent U.S. crypto bill
Web Security: GraphQL automated security testing toolkit, account hijacking using "dirty dancing" in sign-in OAuth flows, OAuth 2.0 security cheat sheet
Blue Team: 3 mistakes at the beginning of an incident, think like a detection engineer
OSINT / Recon: Subdomain discovery through RNN, ProjectDiscovery-driven Attack Surface Management bot, fast and configurable TLS grabber
Cloud Security: Awesome cloud native trainings, get a free MFA security key from AWS, Open Roles Anywhere PoC, tracking the effectiveness of cloud adoption and speaking business
Container Security: On the security risks of exposing the Prometheus server, overview of the first four threat vectors in ATT&CK for Kubernetes
Misc: How to keep your houseplants from dying this summer, create a 3D city from your GitHub contributions, create a personalized poster of your trip routes, watch Anna Karenina film adaptation, reviews of historical sandwiches
Two Novel Crypto Wallet Exploits, Explained
At the last ‘Off the Chain’ Web3 security conference, co-located with RSA, Unciphered, a cryptocurrency asset recovery company, unveiled three novel exploits impacting popular (and once-popular) crypto wallets: Electrum Bitcoin Wallet, Trezor One, and Ethereumwallet.com.
Eric Michaud showed an Electrum RCE via a malicious QR code that would let an attacker access all the Bitcoin stored in the wallet, and brute-forcing improvements that make it possible to determine a Trezor One’s PIN.
Ethereum Smart Contract Best Practices
By ConsenSys Diligence: This guide provides a baseline knowledge of security considerations for intermediate Solidity programmers, covering the smart contract security mindset, development recommendations with examples of good patterns, known attacks and classes of vulnerabilities to avoid, security tools, and a list of bug bounty platforms in the ecosystem.
A GraphQL automated security testing toolkit by Grant Smith. It checks whether mutations are enabled, which sensitive queries are available, and whether authentication is required. If introspection is not enabled on the endpoint, it checks whether the endpoint is an Apollo Server and can then run Clairvoyance to brute force the schema.
See also graphql-path-enum to look for paths to certain types, like user IDs, emails, etc.
Account hijacking using “dirty dancing” in sign-in OAuth-flows
Impressive research by Detectify’s Frans Rosén:
An OAuth 2.0 security cheat sheet by Koen Buyens covering architectural decisions, client credentials, tokens, authorization code grant, PKCE, resource owner password grant, client credentials grant, and OIDC.
See also Koen’s Vulnerable-OAuth-2.0-Applications repo for hands-on practice.
3 mistakes I’ve made at the beginning of an incident (and how not to make them)
FireHydrant’s Robert Ross shares three mistakes he’s made in those stressful moments at the beginning of an incident: we didn’t have a plan, we weren’t production ready, and we fell down a cognitive tunnel.
Common sources of audit logs: infrastructure, host, network, application, database
Optimize for relevant, high-signal logs, consolidate data in a single place, and monitor the log pipeline to ensure there are no breakages, since a silent source creates a blind spot.
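As an added example (not code from the linked post), here is a small pipeline check of the kind the advice above calls for: it flags every expected log source, grouped by the categories named above, that has been silent longer than its tolerated window, or that has never reported at all. Source names, timestamps and thresholds are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: last event seen from each expected source. In a real
# pipeline this would come from the collector's own ingest metrics.
LAST_SEEN = {
    "infrastructure/cloudtrail": "2022-08-01T12:55:00Z",
    "host/auditd": "2022-08-01T12:58:30Z",
    "network/vpc-flow": "2022-08-01T11:20:00Z",
    "application/nginx-access": "2022-08-01T12:59:10Z",
    "database/pg-audit": "2022-08-01T09:00:00Z",
}

# Assumed tolerated silence per source: chatty sources get a tight window,
# genuinely quiet ones a wider one, so the check does not page on normal lulls.
MAX_SILENCE = {
    "infrastructure/cloudtrail": timedelta(minutes=15),
    "host/auditd": timedelta(minutes=5),
    "network/vpc-flow": timedelta(minutes=30),
    "application/nginx-access": timedelta(minutes=5),
    "database/pg-audit": timedelta(hours=2),
}


def parse_ts(ts: str) -> datetime:
    """Parse a UTC timestamp in the ISO-8601 'Z' form used in LAST_SEEN."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_blind_spots(last_seen: dict, max_silence: dict, now: datetime) -> dict:
    """Return {source: silence} for every expected source that is stale.

    A source that never reported at all is a breakage too (value None),
    not a healthy quiet source, so it is reported as well.
    """
    stale = {}
    for source, limit in max_silence.items():
        if source not in last_seen:
            stale[source] = None
            continue
        silence = now - parse_ts(last_seen[source])
        if silence > limit:
            stale[source] = silence
    return stale


if __name__ == "__main__":
    now = parse_ts("2022-08-01T13:00:00Z")  # constructed "current" time
    for source, silence in find_blind_spots(LAST_SEEN, MAX_SILENCE, now).items():
        print(f"BLIND SPOT {source}: no events for {silence or 'ever'}")
```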
OSINT / Recon
Affinis - Subdomain Discovery Through RNN (Recurrent Neural Network)
Affinis takes a list of subdomains generated from passive and active tools and formulates its own list of potential subdomains that the target may be using, based on the ones it already knows about. It has found obscure subdomains that were never found with traditional passive and active subdomain discovery tooling.
📢 Complete vendor security assessments in ⅕ the time it used to take
Have a backlog of vendor reviews to complete? Or a large pipeline of new ones? Conveyor helps knock out security reviews in 79% less time. Find, connect, and assess all your vendors from a single platform. Fast, easy, accurate. Sign up today & see if you qualify for your first review on us!
A list of free trainings, with and without certificates, released by different companies supporting Cloud Native Computing Foundation projects and Kubernetes, by Akamai’s Jose Adan Ortiz.
Eligible customers can now order a free MFA security key
U.S.-based AWS account root users who have spent more than $100 each month over the past 3 months can order a free MFA security key.
An open-source proof-of-concept client for AWS IAM Roles Anywhere by Aidan Steele. Unlike the official client, this project lets you use private keys stored in an SSH agent. This is more flexible, and more secure if you use something like Secretive, which stores unexportable keys in the macOS Secure Enclave hardware.
I’m including additional content and quotes from this one because I think it’s critical, as security professionals, to be able to speak to business goals and metrics (not just technical ones) as well as get executive buy-in for security initiatives you believe are important.
Try swapping “security” for “cloud” in some of the places below.
The post discusses:
Selecting the right KPIs
Nailing the “Why” we are adopting cloud
Focus on Business Value Measurement, Not just Technology Metrics
Rethink Legacy Metrics in Cloud
Measure activities that drive performance and not just the “output”
Picking Relevant Actionable Measures and the Importance of Baselining
Leverage cloud capabilities to automate data collection and building dashboards
How attackers use exposed Prometheus server to exploit Kubernetes clusters
Sysdig’s Miguel Hernandez and David de Torres share a write-up of their KubeCon Valencia 2022 talk (and link the recording and slides), in which they discuss the risk of having an exposed Prometheus server, and how attackers can use this information to successfully access a Kubernetes cluster. Kubernetes cluster info that can be extracted via Prometheus includes:
MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Part 1
By Weaveworks: Learn about the first four threat vectors in Kubernetes: initial access, execution, persistence, and privilege escalation.
How to keep your houseplants from dying this summer
Some tips from Popular Science.
Create a 3D city from your GitHub contributions.
Paperad - Souvenir printer
Create personalized posters that trace the routes of your road trips, travels, marathons, etc.
Watch an 8-Part Film Adaptation of Tolstoy’s Anna Karenina Free Online
I still need to read Anna Karenina, but this sounds epic.
Meet the Man Reviewing Historical Sandwiches on TikTok
Barry Enderwick is eating his way through the past, one pan bagnat at a time.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!