[tl;dr sec] #159 - Twitter vs Mastodon, GitHub Attack Trees, ThinkstScapes
Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever cryptography, and software analysis at scale.
I hope you’ve been doing well!
The Real MVPs
I’m busy this week with Global AppSec SF and other stuff, so imagine a really clever intro and build up that logically progresses to this:
📢 Forget everything you know about SSH
Say hello to Tailscale SSH — and say goodbye to managing SSH keys, setting up bastion jump boxes, and unnecessarily exposing your private production devices to the open internet. Never deploy an infrastructure bastion again.
SSH from mobile devices, and across OSes. Tailscale SSH works where Tailscale works. Code from an iPad to your Linux workstation, without having to figure out how to get your private SSH key onto it. Answer an on-call emergency from anywhere, which means you can leave your desk now.
📜 In this newsletter...
Web Security: HTTP/3 connection contamination explainer, exploiting static site generators, Firebase exploiter, Burp extension that hijacks Burp's HTTP/TLS stack
Supply Chain: OpenSSL as example of supply chain security challenges, finding malicious PyPi packages with static analysis, attack trees for attacking GitHub
Cloud Security: Tool to find secrets in S3 buckets, AWS SSO reporter, AWS IAM roles are unnecessarily complex, have an AWS account just for getting into other AWS accounts
Politics / Privacy: What happens when everything becomes TikTok
Misc: Spreadsheet escape room, see the inside of the CIA museum virtually, Clippy Christmas sweater, edible rescue drone, USENIX Security '22 program, Q3 2022 ThinkstScapes, don't give your kids an allowance
Twitter and Mastodon: Mastodon intro and overview, why scaling Mastodon is hard, some details on the inside of Twitter, stealing passwords from infosec Mastodon with HTML injection
Exploiting Static Site Generators: When Static Is Not Actually Static
Assetnote’s Shubham Shah describes a persistent XSS issue they discovered on Next.js websites on Netlify and an SSRF on GatsbyJS.
By SecureBinary: A tool that discovers Firebase databases that are open and can be exploited. Built primarily for mass bug bounty hunting and penetration testing.
By @Sleeyax: A Burp Suite extension that hijacks Burp’s HTTP/TLS stack and allows you to spoof any browser fingerprint in order to make it more powerful and less prone to fingerprinting by all kinds of WAFs.
Challenges with the Supply Chain Security Ecosystem - An OpenSSL Story
Sherif Mansour describes the current challenges in understanding: newly published vulnerabilities, your company’s exposure, remediation, monitoring and preventative controls, as well as promising developments and what he’d like to see in the future.
Finding malicious PyPI packages through static code analysis: Meet GuardDog
Datadog’s Ellen Wang and Christophe Tafani-Dereeper announce GuardDog, a new tool that can identify malicious PyPI packages with Semgrep and package metadata analysis. They also released a corpus of 140+ actual malicious packages they found in the wild here.
See also Ellen’s Global AppSec SF talk this Friday at 4:30pm in Bayview A.
SLSA dip — At the Source of the problem!
François Proulx discusses different strategies for attacking GitHub, from a red team and blue team perspective. Then he combines all of the attacks and mitigations into an attack tree built using Deciduous, an open-source security decision tree tool. The attacks focus on three malicious end goals:
Submit malicious source code
Delete source code
Push a release tag pointing to a vulnerable commit
A tool to find secrets in public S3 buckets. Lists public buckets in an account, lists textual or sensitive files (e.g. .p12, .pgp), and downloads and scans those files using truffleHog3.
An AWS account just for getting into other AWS accounts
Some great perspective on AWS account architecture.
Politics / Privacy
📢 Two new tools from Trail of Bits
Trail of Bits has two new tools that allow developers to generate zero-knowledge proofs, which can ensure your program is executing correctly. Amarna is a static analyzer and linter for the Cairo programming language, allowing for analysis of any security-sensitive operations that need to be reviewed. Circomspect is a static analyzer for zero-knowledge proofs developed using Circom, which gives developers the chance to identify a wide range of issues. Both of these tools are open source and available for download on our GitHub page.
Trail of Bits does seriously cool work. I highly recommend checking out their GitHub for all of the neat tools they’ve released over the years, and their blog is 🔥 too.
Spreadsheet Escape Room
An escape room built in… Google Sheets.
See Inside the Rarely Seen and Newly Reimagined CIA Museum
Off-limits to all but a few in-person visitors, the museum is starting to welcome the public, online at least.
Windows Ugly Sweater: Clippy Edition
The Christmas gift guaranteed to go over well.
You can eat this rescue drone’s rice cake wings
But couldn’t you just… rescue them instead?
USENIX Security ’22 Technical Sessions
Papers, slides, and talk recordings from one of the top academic security conferences.
Q3 2022 ThinkstScapes Quarterly
Another great round-up from Thinkst Canary, this time highlighting the following three budding trends: using AI/ML to amplify side-channel attacks, clever cryptography that goes beyond simple data protection, and software analysis at scale.
The latter covers some particularly interesting work:
TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries
Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
In Need of ‘Pair’ Review: Vulnerable Code Contributions by GitHub Copilot
Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing
Twitter vs Mastodon
Scaling Mastodon is Impossible
Some reflections on the technical challenges of scaling Mastodon instances to many users, as well as fundamental questions around what we’re solving for, content moderation, federation, and more.
Stealing passwords from infosec Mastodon - without bypassing CSP
PortSwigger’s Gareth Heyes describes how he could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. The attack could easily be made wormable by collecting credentials and re-posting the vector for each user.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!