📺️ Usable Security at Netflix

How do you build security tooling & processes that your colleagues actually adopt?

I had a blast interviewing Letty Lourenco, a senior software engineer on Netflix’s application security team, who specializes in UI/UX.

I feel like I gained at least +3 out of 10 knowledge in building usable security software from our chat. Our conversation ranged from big picture and strategic to tactical tips, so there’s something for everyone. Some topics covered:

• How to apply UX and Product principles to security tooling and processes

• How Netflix auto-rightsizes Google Drive permissions, and rolled it out to the whole company

• What security should steal from marketing and advertising

• And much more!

Making security easy and usable is one of THE most important things, whether you’re a security vendor or internal security engineer.

And this is an excellent primer.

Sponsor

📣 Join the Lacework CISO book club

Join our discussion with author Gene Kim about his latest book: Wiring the Winning Organization. Sign up today to get a copy shipped to you ahead of the March meeting. 

AppSec

February OWASP Bay Area Meetup
Next Thursday Feb 15 at 5pm in SF. Hear Semgrep’s Kyle Kelly talk about tackling vulnerabilities in third-party packages and Jit’s Aviram Shmueli on security metrics all engineers should care about. I’ll probably be there, hope to see you there!

brinhosa/apidetector
By Rafael Brinhosa: Tool to efficiently scan for exposed Swagger endpoints across web domains and subdomains.

oppsec/tomcter
By Daniel Moura: A tool to bruteforce Apache Tomcat manager logins with default credentials.

mxschmitt/action-tmate
By Max Schmitt: Debug your GitHub Actions via SSH by using tmate to get access to the runner system itself.

narfindustries/http-garden
By Ben Kallus and Prashant Anantharaman: A collection of HTTP servers and proxies configured to be composable, for the purpose of enabling easy differential testing and fuzzing. See also their ShmooCon 2024 talk.

Differential fuzzing is a pretty neat technique: basically you fuzz two different implementations (libraries, programs, etc.) that are supposed to do the same thing (in this case, an HTTP server), and observe where they differ → bugs.

On Reviewing Employee Accesses Managed Through Okta
An excellent post by Mercari on reviewing employee access at scale. They used Neo4j to build a graph representation of their organization and access to apps, then used Slack to 1) ask employees if they needed all the access they currently had (including when they last used an app), 2) ask managers to confirm this access was needed, and 3) removed self-reported unnecessary access via the Okta API.

I really liked how this post walks through multiple strategies they could have taken and their trade-offs, explaining the reasoning behind their choices. They also share detailed flow diagrams, and I like how their approach minimizes upfront security team effort and intentionally requires as little time from other parts of the org as possible, especially people who will be busy (e.g. directors).

Sponsor

📣 Why is modern access architecture needed today? Here’s what the analysts think…

Organizations face an increasing risk of data breaches, with threat actors taking aim at credentials and standing privileges. So, what can companies do to protect their infrastructure?

Join Melinda Marks, Practice Director of Enterprise Strategy Group (ESG), Ev Kontsevoy (CEO), and Aleksandr Klizhentas (CTO) of Teleport on Feb 15 to explore:

• The current breach and PAM landscapes 

• The meaning of modern access and how it fortifies infrastructure security

• The impact of built-in policy governance and how it empowers security professionals 

Cloud Security

Evading Logging in the Cloud: Bypassing AWS CloudTrail
BlackHat USA 2023 talk by Nick Frichette in which he explores the attack surface of the AWS API, and shares multiple vulnerabilities he discovered that allowed him to bypass CloudTrail logging for different AWS services.

Here’s the playlist of the rest of the BlackHat talk videos.

Ransomware on RDS - Security Event Simulation and Detection
A new free workshop by AWS in which a ransomware event will be simulated (data exfiltration and deletion), you’ll be introduced to some of the tools and processes that the AWS CIRT team uses, and how to use the tools to find evidence of unauthorized activity.

KMS Key Policy Privilege Escalation
Cloudonaut’s Andreas Wittig describes how an IAM identity (user or role) can grant itself administrator access to any customer-managed key, basically by deleting the existing key administrators, putting your contact info in the AWS account’s contact info, and then contacting AWS support. Deleting the key administrators seems pretty noisy though…

The curious case of [email protected]
Thorough write-up by Invictus Incident Response on an AWS incident response case in which the threat actor gained access via an exposed AWS IAM user's long-term access key, performed discovery re: SES and IAM users, persisted by creating a new user, escalated privileges via an AdministratorAccess policy, and attempted to evade detection by mimicking existing user and role names, using their access to mine crypto, set up fake domains and phish. Notably the threat actor used SimulatePrincipalPolicy to stealthily determine if they could perform an action.

As I called out last week, Nick Frichette had a nice thread about the tradecraft.

Supply Chain

notaryproject/notation
By Notary Project: A CLI project to add signatures as standard items in the OCI registry ecosystem, and to build a set of simple tooling for signing and verifying the signatures. Like checking git commit signatures but for containers.

Forging signed commits on GitHub
A bug was found in an internal GitHub API that lets you sign commits as any user due to an incorrect regex. It has since been fixed. The bug was found via downloading a GitHub Enterprise Server trial VM and auditing the deobfuscated Ruby source code.

Do you know if all your repositories have up-to-date dependencies?
GitHub’s Zack Koppert announces Evergreen, a GitHub Action that ensures Dependabot version updates are enabled for all repos in your organization, and if not, configures it for you, and opens PRs with the changes for your review.

Cycode Discovers a Supply Chain Vulnerability in Bazel
Elad Pticha describes how they found a GitHub Actions workflow that could have been injected with malicious code due to a command injection vulnerability in one of Bazel’s dependent Actions, which could have affected millions of projects including Kubernetes, Google, NVIDIA, and more.

The issue was in a composite action that passed the issue body and title directly to an inline bash script that can be injected into using $(). They used RAVEN to scan public repositories with high star ratings, and have created the following query to help find a similar class of vulnerabilities.

Blue Team

Memory Scanning for the Masses
NCC Group’s Axel Boesenach and Erik Schamper announce Skrapa, a new tool that scans memory quickly by filtering on memory attributes; for example, you might be looking for a specific implant that will be in memory marked as executable, so you can skip scanning all memory that isn’t.

gertjanbruggink/Metrics
Gert-Jan Bruggink shares an infographic breakdown of different cyber threat intelligence metrics, from strategic (executives), tactical (managers) and operational (security analysts) perspectives, across various levels of maturity.

Defending against the Attack of the Clone[d website]s!
Thinkst Canary’s Jacob Torrey announces two new versions of their cloned website canarytoken that alert you when an attacker is using an Adversary-in-the-Middle (AitM) attack against one of your sites, like EvilGinx.

The canarytoken is CSS-only (uses url() to one of their domains → they check the Referer HTTP header to see if it’s coming from your site) and can easily be used on Azure portals or other sites you have limited control over.

Red Team

ASOT-LABS/TeamsBreaker
A tool designed for automating the sending of phishing messages to victims through Microsoft Teams.

Binary type inference in Ghidra
Trail of Bits’ Ian Smith announces BTIGhidra, a Ghidra extension that helps reverse engineers by inferring type information from binaries. The analysis is inter-procedural, propagating and resolving type constraints between functions while consuming user input to recover additional type information. This refined type information produces more idiomatic decompilation. Love the program analysis details in this post, really strong work 🙌 

AI + Security

Oh boy, lots of stuff has been happening in deepfakes and phishing.

I distilled a bunch of them onto their own page to keep this issue shorter. So to read about a $25M video deepfake scam that had a whole room of deepfakes, fake IDs as a service, nonconsensual Taylor Swift images, and more, see:
👉️ AI, Deepfakes, and Phishing 👈️ 

danielmiessler/fabric
A new open source framework by Daniel Miessler on augmenting humans using AI. Comes with a number of useful prompts, which Fabric makes easy to call via CLI or API, and more.

Security for AI: The New Wave of Startups Racing to Secure the AI Stack
Nice overview article and infographic by Menlo Ventures of 30+ companies focusing on security for AI, across governance, observability, and security. Within security: detection and response, AI firewall, continuous red teaming, data leak protection, vulnerability scanning and monitoring, PII identification/redaction, and federated learning. H/T Feyza Haskaraman for sharing.

google/oss-fuzz-gen
Google has released its framework that uses LLMs to generate fuzz targets for real-world C/C++ projects and benchmarks them via the OSS-Fuzz platform. Super cool. I called out the original blog post about this work in tl;dr sec 197. Nation states using this to find more 0-days in 3, 2, 1… 😉 

Misc

• Your Security Program Is Shit - The about page and other blog posts are similarly filled with 🌶️ 

• HackTricks has been directly stealing content from other sites without attribution, and profiting off of it through sponsorships and paid courses 👎️ (More)

• China gives suspended death sentence to former top banker for bribery and insider trading. Lol, now that’s accountability 😅 

• The FBI disrupted a campaign by China in hacking privately-owned U.S. routers to hide their efforts in targeting critical U.S. communications, energy, transportation, and water infrastructure. That critical infrastructure access is useful for China if they were, for example, to invade Taiwan.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler