🛣️ Netflix’s Paved Road: The Origin Story

I’ll be live with former Netflix VP of InfoSec Jason Chan a few hours after you receive this email, at 10am PT. Join the webinar here.

⚽ Security is a Team Sport

New guest post by my friend Rami McCarthy on the power of collaborating with security folks at other companies.

Excellent tactical advice on when and how to reach out, with concrete examples.

It’s useful for anyone, but you should especially read it if you’re more junior in your career (or share it with someone who is). You can read it here.

P.S. I’ve been working hard on some new cool stuff to be launched soon… the folks who’ve filled out this 3min survey will see them before they’re public 😎 

Sponsor

📣 Get the full picture of your org's attack surface

Discover the unknown and protect your business with our cutting-edge software for external attack surface monitoring. With our advanced technology, you can uncover hidden vulnerabilities in your web domains and secure your organization from potential threats. Don't leave your security to chance—because you don’t know what you don't know. 

Take control of your cyber resilience with Sweepatic from Outpost24 and stay one step ahead and safeguard your business with confidence. 

Test it out with a free attack surface mapping.

👉️ Get a Free Attack Surface Analysis 👈️

AppSec

C isn’t a Hangover; Rust isn’t a Hangover Cure
An impressive deep dive by security OG John Viega into the history of memory safety, mitigations, vulnerability research in practice, the economic trade-offs of switching from C to another language, and overall just an excellently nuanced and thoughtful post. Awesome!

10 Things Your First Security Hire Shouldn’t Do
Another post by Rami McCarthy launched this week. Is he actually three hackers in a trench coat? No one knows. Rami recommends: don’t run a public beg bug bounty or run internal red team assessments/pentests, don’t set up hamster wheels of toil, don’t start big engineering projects, and more.

Building An Application Security Program - Level 1
Tanya Janca, author of the best selling book Alice and Bob Learn Application Security, is kicking off a series of live trainings. Each training is most of a day (< 8 hours). She used to give these trainings for thousands of dollars, and she’s doing these for free! 😍 Level 1 is May 1st, Level 2 is May 29th, and Level 3 is June 20th.

Securing millions of developers through 2FA
GitHub CSO Mike Hanley shares updates on rolling out 2FA to GitHub users. Check out my interview of Mike here on scaling security at GitHub, AI, and more. Stats:

• 95% opt-in rate for code contributors who received the 2FA requirement

• 54% increase in adoption among all active contributors

• Nearly 1.4M passkeys registered

• Internal workflow optimization and automation led to a 54% reduction in 2FA account recovery support tickets that require significant human intervention (huge!), and >75% of account recovery tickets come through the in-product workflow.

Sponsor

📣 Best Practices for Securing GCP 

Wiz partnered with Wiley to create an in-depth eBook focused on GCP security fundamentals. This guide goes back to the basics and dives into how to secure everything you run on Google Cloud. 

You’ll learn how to: 

• Manage complexity in the cloud 

• Understand Shared Fate and Zero Trust principles 

• Meet developers earlier in the development process 

• Secure the supply chain 

👉️ Google Cloud Security Foundations for Dummies 👈️

I’m prototyping something in GCP right now so I downloaded this for a quick overview and ramp up. Nice, thanks Wiz 👍️ 

Cloud Security

Introducing Cloud Console Cartographer: Understand Log Events Generated by AWS Console Activity
Permiso’s Daniel Bohannon announces Cloud Console Cartographer, an open-source tool built to help security teams distill the noise of events generated in cloud logs by activity in AWS console. It maps the myriad of events generated to a consolidated list of succinct events that quickly tell defenders what actions an identity actually conducted while using AWS’s console UI.

S3 Bucket Encryption Doesn't Work The Way You Think It Works
Plerion’s Daniel Grzelak on how S3 decryption works more like access control than decryption, walking through basic S3 encryption, using a customer managed or customer provided key with KMS, and client-side encryption. “S3 encryption can prevent data exfiltration but is irrelevant after exfiltration.”

Remediating AWS IMDSv1
Latacora provides an excellent overview of the dangers of IMDSv1, abusing v1 and how v2 is different, and a detailed walk through for detecting (CloudWatch) and remediating (IaC, guardrails, SCPs, SAST) IMDSv1 use, as well as an open source tool to help.

Our Journey Migrating to AWS IMDSv2
Slack’s Archie Gunasekara describes how they migrated to IMDSv2 (which prevents SSRF). Great example of a big security initiative roll-out. More summary details on the web version.

• First they determined how many instances were currently using IMDSv1 and mapped those to service teams and apps. (How: using an EC2 CloudWatch metric called MetadataNoToken that counts how often the IMDSv1 API was used for a given instance.)

• Worked with teams to migrate existing scripts and libraries to using IMDSv2.

• Modified Terraform templates to turn off IMDSv1 for new instances.

• Blocked instances with IMDSv1 from launching using Service Control Policies (SCPs)

• Created a notification system using AWS EventBridge and Lambda to capture calls to IMDSv1.

• Created IMDSSv1 Terminator, which enforces IMDSv2 on already running instances that have IMDSv1 enabled.

Container Security

The Kubenomicon
A community project, inspired by Microsoft’s Kubernetes Threat Matrix, to provide a place where offensive Kubernetes security techniques and how to defend against them can easily be documented. Tons of detailed pages, nice!

Abusing search permissions on Docker directories for privilege escalation
WithSecure’s Mohit Gupta describes how having the search bit set for “other” on /var/lib/docker and child directories (drwx--x--x) could potentially allow a low privileged user to access other containers’ filesystems, escalate privileges, and gain access to the host. This issue was previously identified by CyberArk and remediated in Docker version 20.10.9.

Supply Chain

google/osv-scalibr
SCALIBR (Software Composition Analysis Library) is an extensible file system scanner used to extract software inventory data (e.g. installed language packages) and detect vulnerabilities.

GitHub comments abused to push malware via Microsoft repo URLs
This is a neat attack vector! Basically, when you add a file to a GitHub comment, GitHub will upload it to their CDN at https://githhub.com/USER/REPO/files/FILE_ID/filename , even if you don’t post the comment. So you can upload malware to legit looking repos (e.g. Microsoft, NVIDIA) and (it seems) there’s no way for the repo owners to see or delete these files.

An Obscure Actions Workflow Vulnerability in Google’s Flank
Adnan Khan continues his GitHub Action tear, this time reporting a vulnerability that’s existed for years in a Google public repo without being detected. What’s interesting about this post his Adnan’s approach to vuln hunting at scale (soon to be released Gato-X tool) and how he tried to make the exploit and exfiltration stealthy, to bypass Harden-Runner (more below).

step-security/harden-runner
By StepSecurity: Network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Harden-Runner monitors process, file, and network activity to:

• Monitor and block outbound network traffic at the DNS, HTTPS, and network layers to prevent exfiltration of code and CI/CD credentials

• Detect if source code is being tampered during the build process to inject a backdoor

• Detect poisoned workflows and compromised dependencies

See also this post on how Harden-Runner can monitor the HTTP method and path of outbound HTTPS requests using eBPF to detect potential exfiltration attempts (e.g. write your sensitive info to a comment in another GitHub repo) and recommend GITHUB_TOKEN permissions.

Blue Team

anvilogic-forge/armory
Repo of hundreds of free detections by Anvillogic, across Okta, AWS, endpoint, network, web, and more.

Resolving Stack Strings with Capstone Disassembler & Unicorn in Python
Overfl0w explains how malware authors use string encryption to lower detection rates and slow down malware analysts, and how analysts can use the Capstone disassembler and Unicorn emulation framework to build a standalone decryptor, using Conti ransomware as an example. The post describes how to identify encryption routines, build a "finder" regular expression, and use emulation to execute assembly code within Python.

Red Team

Backdooring Dotnet Applications
Nicholas Starke walks through how to backdoor a .NET application, specifically, adding functionality to an open source content management system that captures and sends valid login credentials to a remote server. Using tools like ilasm, ildasm, and Dotpeek.

frkngksl/Shoggoth
By Furkan Göksel: An open-source project based on C++ and the asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically. Previously presented at BlackHat EU 2022 Arsenal.

AI + Security

openai/openai-security-bots
OpenAI’s Fotis Chantzis, Tiffany Citra, and Harold Nguyen have open sourced three security Slackbots they've built for OpenAI:

• Incident Response Slackbot: Automatically chats with users who have been part of an incident alert.

• SDLC Slackbot: Decides if a project merits a security review.

• Triage Slackbot: Triages inbound requests in a Slack channel to different sub-teams within your organization.

TikTok and China

I don’t often share my personal views, but I thought I’d give it a try 🤷 

Before I start, I want to be clear: Chinese Americans and immigrants are amazing and contribute incredible value to the U.S. Some of my best friends, most talented colleagues, and my PhD advisor are all Chinese. There’s no animosity here, I’m only discussing politics and national dynamics.

(Personally, I feel we should encourage more talented immigrants from everywhere to come and create and build, it’s America’s superpower.)

Anyway-

A U.S. bill was recently signed into law that would ban TikTok unless it is sold within a year. Personally, I think this is good.

TikTok is a great product (that I have not installed), built by talented, well-meaning people.

It’s also an incredibly effective soft power tool for the Chinese government.

Imagine being able to imperceptibly tweak the content seen by half of a rival country’s population.

• Content that aligns with your country’s views does a little bit better, and critical voices just don’t quite get traction.

• Content that angers or divides groups in your targeted nation get shown to the other party.

ByteDance plans to fight this in court because it violates Americans’ freedom of expression.

I’m glad they care so much about freedom of expression.

I assume ByteDance is also fighting for Google, YouTube, Facebook, Twitter, Reddit, Instagram, LinkedIn, Pinterest, the New York Times, and the Wall Street Journal, all of which are blocked in China. 😏 

Why does China block all these American companies?

Perhaps they believe another country having unfettered direct control to the content consumed by a large percentage of their populace as dangerous?

If China carefully controls Western companies’ access to their citizens, perhaps we should think twice before giving them free reign.

See the web version for some additional relevant links and snippets.

I have pages and pages of links related to TikTok and China, but here are a few:

TikTok: Trojan Stallion
Prof Galloway makes an excellent argument for TikTok’s potential influence.

Some ex-TikTok employees say the social media service worked closely with its China-based parent despite claims of independence

TikTok may be banned in the US. Here’s what happened when India did it
TL;DR: It was fine, people just used other apps.

Misc

• Biggest Scams In Software Engineering - Some spicy takes in this trolling video

• How do LLMs like ChatGPT work? Explained by Deep-Fake Ryan Gosling using Synclabs and ElevenLabs - What a time to be alive.

• Ray Dalio: In China: The 100-Year Storm on the Horizon and How the Five Big Forces Are Playing Out - Fascinating deep dive.

• A Letter from the Future - Intense Sci-Fi ish short story on what an attack on U.S. critical systems (power, hospitals, water plants, etc.) could look like.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler