
[tl;dr sec] #238 - Security Engineering @ Google Interview Notes, BSidesSF Talks, GitHub CI/CD Egress Filtering

Interview resources, >55 talks on AI and more, a GitHub Action to limit data exfiltration

Hey there,

I hope you’ve been doing well!

🎆 Amurrica!

Good to see you again, my friend *hat tip*. Last week I took off for the 4th of July.

A friend made a cake decorated like an American flag (white icing, blueberries and strawberries for the stars and stripes), and then I watched the fireworks from a hill with a view of most of San Francisco.

Imagine a beautiful cityscape with 5+ neighborhoods illuminated for hours by professional grade fireworks launched by vigilantes hobbyists.

But the best part was catching up with some college friends (shout-out Case Western! Cleveland tourism video).

It’s crazy when your roommate, whose dorm experiments would occasionally almost cause explosions, is now a respectable ER doctor, with a daughter who is currently calling herself “Grasses with Leaves.” If that sounds too specific to be made up, trust your instincts.

There’s something special about spending time with people who’ve known you through multiple “seasons” of your life.

I’ve been thinking about this recently. To paraphrase someone wiser: like planting trees, “You can’t just make an ‘old friend’ immediately.” The best time to start is 20 years ago. The second best time is now.

Sponsor

📣 AI in Cybersecurity: Insights from the 2024 Benchmark Survey Report

Artificial intelligence in cybersecurity presents a complex picture of risks and rewards. According to Hyperproof’s 5th annual benchmark report, AI technologies are at the forefront of both enabling sophisticated cyberattacks and bolstering defenses against them. This duality underscores the critical need for nuanced application and vigilant management of AI in cyber risk management practices. Are you ready? Read the full article to unlock the strategies and innovations defining the next era of cybersecurity defense.

Neat, a very timely report! It’s cool to see which AI risk frameworks most companies are using, industry-specific AI concerns and practices, etc. 👍️

AppSec

Conferences

singe/tidcli
By Dominic White: A simple touchID prompt'er for use in shell scripts.

Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery
Neat blog by Doyensec’s Maxence Schmitt showing that client-side path traversal (e.g. ../../../ in a URL parameter) can be exploited to perform CSRF, even with the SameSite cookie flag, by rerouting legitimate API requests. This bug was found on major apps like Mattermost and Rocket.Chat. There’s a whitepaper with more info and a Burp Suite extension to help find it.

Catching Compromised Cookies
Ryan Slama, Oliver Grubin, and Grace Li describe Slack’s system for detecting and mitigating session cookie misuse by spotting session forking, that is, a cookie being used from more than one device at the same time. A last access timestamp is stored both in the cookie and in the database, so the system can tell when an old cookie is being replayed.

The post walks through minimizing false negatives and false positives with this approach, including doing IP address checks, and a two-phased cookie update approach.
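
The timestamp comparison described above, as a simplified sketch added here (not Slack's code). The `SessionStore` class, the `REFRESH_SECONDS` interval and the verdict strings are assumptions, and the IP address checks and two-phased cookie update are not modeled.

```python
from dataclasses import dataclass, field

REFRESH_SECONDS = 300  # assumed interval between timestamp rotations


@dataclass
class SessionStore:
    """Hypothetical server-side store: session id -> last access timestamp."""
    last_access: dict = field(default_factory=dict)

    def login(self, sid: str, now: int) -> dict:
        self.last_access[sid] = now
        # A real cookie would be signed or encrypted so the client cannot edit it.
        return {"sid": sid, "last_access": now}

    def handle(self, cookie: dict, now: int):
        """Return (verdict, cookie the client should hold after this request)."""
        stored = self.last_access.get(cookie["sid"])
        if stored is None:
            return "unknown_session", None
        if cookie["last_access"] < stored:
            # Another copy of this cookie already advanced the timestamp.
            return "possible_fork", None
        if cookie["last_access"] > stored:
            return "invalid_cookie", None  # cannot occur with untampered cookies
        if now - stored >= REFRESH_SECONDS:
            self.last_access[cookie["sid"]] = now
            return "ok", {"sid": cookie["sid"], "last_access": now}
        return "ok", cookie


def replay_demo(first_user: str) -> list:
    """Constructed scenario: a cookie is copied at t=0, then both copies are used.

    `first_user` ("owner" or "copy") makes the first request after the interval.
    """
    store = SessionStore()
    original = store.login("s1", now=0)
    copied = dict(original)  # the copy held on a second device
    first, second = (original, copied) if first_user == "owner" else (copied, original)
    v1, rotated = store.handle(first, now=600)   # rotates the timestamp
    v2, _ = store.handle(rotated, now=650)       # rotated cookie keeps working
    v3, _ = store.handle(second, now=700)        # stale copy is replayed
    return [v1, v2, v3]


if __name__ == "__main__":
    print(replay_demo("owner"))  # the stale copy is the second device's
    print(replay_demo("copy"))   # the stale copy is the legitimate user's
```

Both orderings produce the same verdicts: in this sketch the check reports that the session forked, not which copy belongs to the legitimate user.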

Sponsor

📣 Omdia’s latest ASPM Market Landscape Report

Cloud computing and digital transformation have expanded the attack surface, necessitating a shift towards proactive security technologies such as application security posture management (ASPM), which complement traditional reactive measures like EDR, NDR, XDR, etc.

In Omdia's latest market landscape report by Senior Principal Analyst Rik Turner, learn about ASPM's evolution, its role in modern security, its four core components, and uncover why ASPM must transcend basic data aggregation to prioritize security findings based on genuine business risks and actively enforce security policies.

ASPM is becoming a popular term these days, so it’s nice to learn about its evolution and how it potentially fits in a modern security program 🤘 

Career

The difference between good and great hackers
Dominic White shares some nice quotes from Chuck Close, Ira Glass, and Richard Hamming.

People who quit their big tech job to found a startup are bad at financial projections
Alex Sukhanov shares some rough financial projections and stats, using Levels.fyi and Carta data. Personally, I also think that people looking to join a startup to make a lot of money are probably not doing the risk x expected outcome calculation.

Security Engineering at Google: My Interview Study Notes
By Grace Nolan: A great collection of notes, from learning and interviewing tips to technical topics like networking, web apps, infrastructure, OS, cryptography, malware and reversing, threat modeling, detection, and more.

Questions: What is your biggest failure? Why do you want to work here? Tell me about yourself. What work accomplishment are you most proud of? What is your greatest weakness? How do you handle competing priorities? What are your compensation expectations? Tell me about a conflict at work. What are your career goals? What is your approach to giving and receiving feedback?

Cloud Security

domain-protect/domain-protect-gcp
A tool by Paul Schwarzenberger designed to scan Google Cloud DNS across a GCP organization for domain records vulnerable to takeover, including subdomain NS delegations, CNAME records for missing Google Cloud Storage buckets, and A records for Google Cloud Load Balancers with missing storage bucket backends. It supports deployment via GitHub Actions or manual scans from a laptop, with alerts sent through Slack or email.

Cloud Threat Landscape - Defenses
Wiz has added a collection of security measures for defending cloud environments to their existing Cloud Threat Landscape resource, including ~50 defenses, mapped to attacker technique and D3FEND Tactic.

Permissions Boundaries Made Easy
Rich Mogull explains permissions boundaries, an advanced IAM concept, which restricts the total potential permissions of an identity, no matter what other policies are assigned. Permissions boundaries are mostly used to allow someone to administer some IAM without allowing them to abuse it to give themselves more permissions. Includes a lab.

AWS Network Firewall egress filtering can be easily bypassed
Jianjun Huo describes how egress filtering in AWS Network Firewall (which uses Suricata) can be bypassed by spoofing the destination host name; thus, an attacker inside your VPC can still exfiltrate data.

Container Security

fluxcd/image-automation-controller
A GitOps Toolkit controller that patches container image tags in Git (automates updates to YAML when new container images are available).

ofirc/k8s-sniff-https
By Ofir Cohen: A simple mitmproxy blueprint to intercept HTTPS traffic from apps running on Kubernetes. Useful if you want to reverse engineer API calls or debug/troubleshoot your own app or a third party app that performs HTTPS calls to remote SaaS backends.

Supply Chain

regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
Qualys’ Bharat Jogi describes the vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd). TIL Qualys has a product named CyberSecurity Asset Management that goes by CSAM, which definitely does not have other meanings in other contexts.

bullfrogsec/bullfrog
A GitHub Action for securing GitHub workflows (e.g. limit secret exfiltration) using egress policies: control all outbound network connections made from within your GitHub Actions workflows by defining a list of IPs and/or domains that you want to allow.

See also harden-runner by Step Security, and shout-out to Francois Proulx and Adnan Khan and others for an excellent discussion on LinkedIn.

ReversingLabs Launches Spectra Assure Community
A new site providing risk assessments for over 5 million open source software packages from repositories like npm, PyPI, and RubyGems. The packages are checked for malicious code, code tampering, suspicious behaviors, known vulnerabilities, license compliance issues, exposed secrets, and overall package health. ReversingLabs is also contributing lists of malicious packages to the OpenSSF Malicious Packages repo.

Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications
Great write-up! E.V.A Information Security’s Reef Spektor and Eran Vaknin describe a number of critical issues, discovered during a red team, in CocoaPods, an open source dependency manager for Swift and Objective-C projects.

  • Popular orphaned packages could be claimed by an attacker.

  • An insecure email verification workflow (command injection via domain name 😂 ) → arbitrary code execution on the CocoaPods ‘Trunk’ server

  • An attacker can receive a user’s session validation email by spoofing the X-Forwarded-Host header and pointing it at their server.

💡 If I were to handwavily read between the lines here, basically some “game over” level vulns were found in CocoaPods during a red team, that probably wasn’t even focused on CocoaPods, it was just an adjacent thing in scope. When you lightly shake a target and this many Criticals fall out, it’s reasonable to believe there are more lurking.

Another neat trick from the post is turning the email account takeover issue from a 1 click to 0 click exploit by leveraging email security tools that scan every link in emails. Nice!

Blue Team

JanielDary/ELFieScanner
By Daniel Jary: A C++ tool for process memory scanning & suspicious telemetry generation that attempts to detect a number of malicious techniques used by threat actors & those which have been incorporated into open-source user-mode rootkits.

Detecting Linux Stealth Rootkits with Directory Link Errors
Sandfly Security walks through how Linux rootkits can be detected by asking “How many directories are here?” multiple ways (e.g. ls and stat) and observing a discrepancy, indicating hidden directories.

💡 The key insight here is that when a rootkit is trying to hide something (a file, directory, process, etc.), there are many ways to query a machine’s state, and it’s tough for the rootkit to hide all the ways one can observe it.
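
One way to ask that question two ways, as an added example rather than Sandfly's tooling: on filesystems such as ext4, XFS and tmpfs a directory's link count is 2 plus its number of subdirectories, so it can be compared with what a listing returns. The function names are hypothetical.

```python
import os
import sys


def unlisted_dirs(nlink: int, listed_subdirs: int):
    """Compare a directory's link count with the subdirectories a listing showed.

    Each subdirectory's ".." entry adds one link to its parent, on top of the
    parent's own name and "." entry. Returns None when the filesystem does not
    maintain that count (e.g. btrfs reports 1), otherwise the number of
    subdirectories the link count implies but the listing did not return.
    """
    if nlink < 2:
        return None
    return (nlink - 2) - listed_subdirs


def check_directory(path: str, retries: int = 3):
    """Query one directory two ways; None also means no stable reading was taken."""
    result = None
    for _ in range(retries):
        before = os.lstat(path).st_nlink           # view 1: inode metadata
        with os.scandir(path) as entries:          # view 2: directory listing
            listed = sum(1 for e in entries if e.is_dir(follow_symlinks=False))
        after = os.lstat(path).st_nlink
        if before != after:
            continue                               # directory changed mid-check
        result = unlisted_dirs(after, listed)
        if not result:                             # 0 or None: nothing to report
            return result
    return result


if __name__ == "__main__":
    for root in sys.argv[1:] or ["/tmp"]:
        diff = check_directory(root)
        if diff is None:
            print(f"{root}: link count not usable here")
        elif diff != 0:
            print(f"{root}: link count and listing disagree by {diff}")
        else:
            print(f"{root}: consistent")
```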

Red Team

vxCrypt0r/Voidgate
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.

When the hunter becomes the hunted: Using custom callbacks to disable EDRs
Altered Security’s Saad Ahla describes how a signed rootkit can use the PsSetCreateProcessNotifyRoutine function to register a custom callback that blocks critical EDR processes from starting, effectively disabling real-time detection and response capabilities.

AI + Security

Skynet or WALL-E? How AI is changing work for Security teams
Webinar next Wednesday July 17, 2024 at 10AM PT with my bud Daniel Miessler, Semgrep CTO Drew Dennison, and Anthropic’s Jackie Bow. They’ll discuss how LLMs might impact both offensive and defensive security practices, learnings & predictions from security leaders on the impact of AI on security and engineering orgs, and more.

I’ll be attending, looking forward to it!

Declare your AIndependence: block AI bots, scrapers and crawlers with a single click
Cloudflare has introduced a one-click feature to block AI bots, scrapers, and crawlers, available to all users (even free), to protect content creators from unauthorized data scraping. Interestingly, they find some AI bots try to hide that they’re bots so they’re not blocked.

kpolley/PIIDetective
By Kyle Polley: A web app designed to identify, classify, and protect Personally Identifiable Information (PII) in data platforms such as BigQuery and Snowflake. It leverages LLMs to identify PII column names, and with human-in-the-loop validation, uses Dynamic Data Masking Policies (lets data scientists interact with PII without viewing the raw data) to easily enforce ACLs while minimizing user friction.

For an AI-powered code scanner that looks for sensitive data, see HoundDog.ai.

referefref/sinon
A tool by James Brine that automates the setup of Windows-based deception hosts, using GPT-4 to generate content (files, emails, etc.), and a config file that supports various actions like installing applications, browsing websites, creating and modifying files, downloading decoy files, simulating user interaction, creating lures, and other activities to emulate user behavior.

RAID (Real World AI Definitions)
Daniel Miessler offers concise and expanded definitions of various terms, including AI, machine learning, prompt engineering, retrieval augmented generation (RAG), agents, chain-of-thought, prompt injection, jailbreaking, artificial general intelligence (AGI), and artificial superintelligence (ASI).

Misc

Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers
This is wild. Recorded Future used infostealer malware data to identify ~3,300 unique consumers of child sexual abuse material (CSAM), by searching for credentials to known CSAM domains in logs. So logs from malware focused on stealing credentials were used to identify child predators 🤯

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler