[tl;dr sec] #145 - Defending Against Phishing, iOS Privacy, DEF CON Advice
Cloudflare's write-up on a sophisticated phishing campaign, examining Meta apps' privacy implications and iOS16's Lockdown Mode, be yourself and find your tribe at DEF CON
I hope you’ve been doing well!
Garbage Collection that Sparks Joy
If you’ve been reading tl;dr sec for a while, you probably have an (accurate) mental model that I live a hardcore, rocker lifestyle.
You know, like going hard Friday nights: reading about building AppSec programs with a glass of red wine, with notes of oak, subtle Italian leather, and nerd tears that have fallen into the glass.
As an example of the crazy things I get up to, I give you my latest experiment: trying a series of trash cans to see which ones are the right size and have the right aesthetic.
My colleagues definitely respected this experiment and did not tease me in any way.
Join Me at sec4dev
I love the idea behind sec4dev: a security conference for developers!
There are a bunch of other great speakers and trainers who I’m a fan of and have been looking forward to meeting.
sec4dev is coming up soon: hope to see you or some of the developers you support in Vienna, this September 6-9.
📢 Faraday Security - Open Source Vulnerability Manager
The new version of our open source platform is here!
Faraday was built from within the CyberSec community. We think of security as an integrated ecosystem where every part counts. This is our contribution: a renewed open-source community version, with a completely new dashboard and UI experience to improve pentesters' day-to-day work.
Hate spending time on manual tasks? You can now focus on discovering vulnerabilities while we help you with the rest.
📜 In this newsletter...
AppSec: Mapping STRIDE to OWASP ASVS, catching security vulnerabilities with Semgrep
Web Security: How to hack web apps in 2022, customizable security middleware for Apollo GraphQL servers
Supply Chain: CloudSecDocs supply chain pages, a private Terraform registry, adopting Sigstore incrementally
AWS IAM Roles Anywhere: Setting it up with GitHub Codespaces, walkthrough of using it with your own CA and signing client certs
Cloud Security: HashiCorp State of Cloud Strategy Survey, cloud DNS security overview
Blue Team: Open sourced YARA and endpoint behavior rules from Elastic, Python library to parse .NET PE files, how to objectively measure a detection rule's strength, the mechanics of a sophisticated phishing scam and how we stopped it
Politics / Privacy: Fraud charges against Uber ex-CISO dropped, Instagram and Facebook apps can track anything you do on any website in their in-app browser, analyzing iOS 16 Lockdown mode browser features and performance
Misc: Summarize HN with GPT-3, convert English to cron expressions, an argument for why Amazon's One Medical acquisition is OK, the Disney World for bodybuilders
Ean Meyer's DEF CON Advice: Be yourself, find your tribe
Mapping STRIDE to OWASP ASVS
Tecdata Engineering’s Miguel Llamazares’s repo aims to bridge threat modeling and the security controls definition by providing an equivalence table that maps the STRIDE model against OWASP Application Security Verification Standard (ASVS) chapters.
Catching Security Vulnerabilities With Semgrep
Santosh Bhandari shares a write-up of his PenTester Nepal talk as a blog post, giving an intro to writing Semgrep rules, including examples of rules to flag command injection or missing authentication on a controller.
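As an added illustration of the two rule types mentioned above (my own example rules, not the ones from Santosh’s talk or post), here is a small Semgrep ruleset: the first rule flags subprocess calls that combine shell=True with a command that is not a constant string literal, and the second flags a Flask route handler that lacks a @login_required decorator. The decorator name is an assumption borrowed from flask_login; swap in whatever your framework uses for authentication.

```yaml
# Added example rules, not from the talk. Run with: semgrep --config rules.yaml src/
rules:
  - id: subprocess-shell-true-dynamic-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command ($CMD) that is
      not a constant string. If any part of $CMD comes from a request, a file
      or the environment, it can inject extra shell commands (CWE-78). Prefer
      a list of arguments with shell=False, or validate $CMD against an allowlist.
    metadata:
      cwe: "CWE-78"
      category: security
    patterns:
      # Any of the subprocess helpers that forward their arguments to Popen.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # A constant string cannot carry attacker input, so do not flag it.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$

  - id: flask-route-missing-login-required
    languages: [python]
    severity: WARNING
    message: >-
      Flask route handler $HANDLER has no @login_required decorator
      (CWE-306). Add the decorator, or mark the route as intentionally public.
    metadata:
      cwe: "CWE-306"
      category: security
    patterns:
      # Any function registered as a route on a Flask app or blueprint.
      - pattern: |
          @$APP.route(...)
          def $HANDLER(...):
            ...
      # The decorator may sit above or below @route; both orders count as protected.
      - pattern-not: |
          @$APP.route(...)
          @login_required
          def $HANDLER(...):
            ...
      - pattern-not: |
          @login_required
          @$APP.route(...)
          def $HANDLER(...):
            ...
```

The first rule deliberately excludes constant strings so that it reports only the cases where something dynamic reaches the shell; the second is a coverage check rather than a bug finder, so keep its severity at WARNING and triage the hits against your list of intentionally public endpoints.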
How To Hack Web Applications in 2022: Part 2
Hakluke provides an overview of several vulnerability classes, including SSRF, business logic flaws, insecure direct object references (IDORs), authentication issues, CSRF, directory traversal, file inclusion and more.
A customizable security middleware for Apollo GraphQL servers and Envelop, by Escape. Plugins: disable Apollo Server stacktraces and batched queries (enabled by default), enforce a character limit on queries, cost analysis that attempts to block queries that appear too expensive, disable field suggestions (can leak the schema), and more.
Interesting: I hadn’t heard of Envelop before. It’s a GraphQL plugin system that lets you build and share plugins that are usable with any GraphQL server framework or schema.
CloudSecDocs: Supply Chain
My bud Marco Lancini has a few pages on his great CloudSecDocs wiki for supply chain security. They provide a nice overview, breakdown, and useful references for topics like SLSA, Sigstore, and more.
By Sector Labs’s Valentin Deaconu: A private Terraform registry for providers and modules following the published HashiCorp protocols. It provides a secure way to distribute your confidential modules and providers, and soon a management interface to visualize documentation.
Adopting Sigstore Incrementally
Signing with self-managed, long-lived keys
Signing with self-managed keys with auditability
Self-managed keys in identity-based code signing certificate with auditability
Identity-based (“keyless”) signing
AWS IAM Roles Anywhere
Setup GitHub Codespaces with AWS IAM Roles Anywhere
Nathan Glover describes configuring IAM Roles Anywhere to work with GitHub Codespaces, a GitHub feature that allows you to spin up a fully powered VS Code instance in the cloud and write code there.
Calling AWS from Your On-Premises with IAM Roles Anywhere
CyberArk’s Roy Ben Yosef walks through using IAM Roles Anywhere, including rolling your own CA and signing client certificates using OpenSSL. See also AWS’ monitoring guide for IAM Roles Anywhere.
HashiCorp State of Cloud Strategy Survey
Insights from HashiCorp’s 2022 State of Cloud Strategy Survey, commissioned by HashiCorp and conducted by Forrester Consulting. Forrester surveyed more than 1,000 technology practitioners and decision makers from around the world, drawn from random samplings as well as the HashiCorp opt-in contact database.
Some stats that stuck out to me:
81% of companies are or are planning to use multiple cloud providers
86% have a centralized function or group responsible for cloud operations or strategy
Cloud DNS Security - How to protect DNS in the Cloud
Sysdig’s Brett Wolmarans describes some deployment options for DNS security and some security best practices for DNS in the Cloud.
📢 Malware Detection In Less Than 180 Seconds
Crytica Security introduces a Zero-Day Detection™ so you have one less thing to “dwell” on.
Architected specifically to observe any unauthorized change to a system’s operation, be it benign, malignant, or fatal, Crytica’s detection engine continuously scans your system’s entire internal infrastructure, providing rapid notification, within seconds, of all detection alerts.
Elastic released 1000+ YARA rules (targeting trojans, ransomware, cryptominers, attack penetration frameworks, and more) and 200+ endpoint behavior rules, mapped to MITRE ATT&CK tactics and techniques.
dotnetfile Open Source Python Library: Parsing .NET PE Files Has Never Been Easier
Palo Alto Networks’s Yaron Samuel describes dotnetfile, a Common Language Runtime (CLR) header parser library for Windows .NET files, written in Python. In addition to parsing, it supports more advanced functionality like a novel fingerprinting technique (MemberRef Hash) that can be used to cluster samples, discovering potential entry points, and detecting anomalies in .NET metadata structures (often used by packers and protectors to break parsing).
How To Objectively Measure A Detection Rule’s Strength
CDW’s Tareq Alkhatib walks through a number of considerations when evaluating the effectiveness of a detection rule.
The mechanics of a sophisticated phishing scam and how we stopped it
Cloudflare’s Matthew Prince, Daniel Stinson and Sourov Zaman share details about a phishing attack targeting Twilio, Cloudflare, and likely others. Nice breakdown, and it was neat to see how Cloudflare dogfoods its own security products to protect itself.
Politics / Privacy
Fraud charges in hacking case against Uber ex-security chief are dismissed
This case will set an interesting precedent for what CISOs are on the hook for legally.
iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
Felix Krause outlines how Meta’s apps bypass various privacy features. Great example of writing that both provides technical details and “why should I care / what does this mean” for nontechnical readers.
The post lists a number of potential solutions, but the easiest is: whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.
Analyzing iOS 16 Lockdown Mode: Browser Features and Performance
GPT-3 created summaries of Hacker News stories.
Convert English to Cron Expressions.
Welcome to Alphaland, the Disney World for Bodybuilders
I’ve found the location for the first TL;DR SECon 💪 #SwoleSec
Great thread, love the positivity.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!