• tl;dr sec
  • Posts
  • [tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires

[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires

Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.

Hey there,

I hope you’ve been doing well.

I’ve been playing around with a few things to relax. I finished watching season 1 of The Witcher, which was pretty good, and I’ve doodled around a bit with Procreate on my iPad, even though my drawing ability peaked at stick figures.

I’ve also been experimenting with how many things I can bake in a toaster oven. Current answer: most things. Here’s some pretty delicious banana bread in a ramekin:

❓ How do you consume content?

I’m reevaluating how I save links, read articles, and overall keep up with content for tl;dr sec.

If you have a workflow you like, or if you use a service like Pocket, Feedly, or others, I’d love to hear how you do things.

Rift Recon Grand Re-opening

My friend Eric Michaud and co. are starting up Rift Recon again, a digital and physical security company with a cool online shop featuring a bunch of physical security products and “everyday carry” items, ranging from lockpicks to multi-tool hair clips to lapel daggers. Yep, you read that last part correctly.

They’re giving away Access Prohibited, a 35-page color guide that “explains the tools, techniques and methods used in the field every day by physical security professionals worldwide to gain unauthorized access to buildings, rooms and facilities.”

Check out the welcome email with the free DRM-free PDF here 🎁

Oh also, if you want to get anything in the store to play with at home, Eric kindly created a 10% discount code to anything in the store for the first 25 tl;dr sec people who use it - here.

📜 In this newsletter...

🔗 Links:

  • Secrets: Building a repeatable and hardened Vault, tool to prevent secret leakage via a git hook, tool to find open DBs/source code leaks, what to do after leaking secrets

  • AppSec: Adam Shostack on threat modeling with questionnaires

  • macOS: Sniffing authentication references, how offensive actors use AppleScript, exploiting directory permissions

  • Static Analysis: Tool to aid in analyzing Chrome extensions, finding Python ReDoS bugs at scale, Clang checker for symbolic execution

  • Cloud Security: Gaining AWS Console access via API keys, Azure Security Benchmark released, ensuring you're running the right AMIs, continuously monitor your AWS environment

  • Red Team: Backdooring Wordpress installations, command and control over DNS PoC, bypassing network restrictions using LDAP attributes

  • Politics / Privacy: Coronavirus could reshape geopolitics, will privacy exist afterwards?

  • Misc: AppSec engineer interview questions, free malware database, tips on remote development on a Chromebook

📚 Mini Summary: Lightning in a Bottle: 25 Years of Fuzzing

FuzzCon 2020 keynote by Richard Johnson that gives a brief overview of fuzzing, the history of fuzzing, and where we are today.


Building a Repeatable and Hardened Vault POC
Video and slides showcasing a few simple steps you can take to apply Vault’s hardening best practices without requiring a lot of time and energy.

Leverage git hooks to make sure secrets like authorization tokens and private keys aren’t leaked. See also, Yelp’s detect-secrets.

LeakLooker: Discover, browse & monitor DB/source code leaks
LeakLooker (source code) is a script + web UI to continuously look for open databases and services. It currently supports Elasticsearch, CouchDB, MongoDB, Gitlab, Rsync, Jenkins, Sonarqube, Kibana, CassandraDB, RethinkDB, Directory listing, and S3 buckets. Uses Binary Edge for discovery.

  1. Revoke the secret or credentials (list here of how to do that for a number of providers)

    1. Deleting the file or repo is not enough- it’s easy for attackers to monitor public git repos, and the secret may still exist in your git history.

  2. (Optional) Permanently delete all evidence of the leak

    1. For example, using git push --force (Warning: will break everyone else’s workflow) or BFG Repo-Cleaner.

  3. Check access logs for intruders

    1. Sometimes a secret key leaking can lead to a domino effect: getting access to Slack or a wiki then yields new credentialss, and an attacker can pivot.

  4. Implement future tools and best practices


Threat Modeling with Questionnaires
A bit ago, Adam Shostack and I briefly discussed scaling threat modeling on LinkedIn, which he later fleshed out in this post. Some parts that stuck out to me:

  • The “highest ROI approach” may not be feasible if it requires a too high minimum investment.

  • Adam discussed the idea of a “Big Wall Map,” a visual representation of your code on a wall that feature discussions can use to show where changes will take place, if new data flows will be added, etc.

  • Some discussion of this article on LinkedIn.

So the question we can ask is not “what do you threat model”, but “how can we best use the time available?”

What is the goal of the questionnaire? Is it to ensure that nothing slips through the cracks? That there’s enough security analysis of each story? That there’s a record of the analysis so there’s someone to blame? Is it to allocate work by security engineers? Engineering is all about tradeoffs. Crisply defining what we want will help us get there.


Sniffing Authentication References on macOS
Post by Patrick Wardle that discusses research he did highlighting flaws in a number of third-party installers that allowed local attackers to escalate their privileges to root.

How Offensive Actors Use AppleScript For Attacking macOS
“AppleScript is widely used by offensive actors. This includes its use in adware, its use for tasks such as persistence, anti-analysis, browser hijacking, spoofing and more.” Malware authors like it because it’s effective at automating interapplication communication and sidestepping user interaction. Walks through some example malware and why Applescript is useful for avoiding detection.

Exploiting directory permissions on macOS
Detailed post by Csaba Fitzl that discusses the macOS filesystem’s permission model, some non trivial cases it can produce, some installer bugs he found, and how to find similar bugs yourself.

Static Analysis

Tarnish - A Chrome Extension Static Analysis Tool To Help Aide In Security Reviews
Attempts to find potential clickjacking issues, shows the location of dangerous functions (e.g. innerHTML, chrome.tabs.executeScript), shows entry points, analyzes the CSP to point out potential weaknesses, etc. Accompanied by a detailed blog post: Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions.

Finding Python ReDoS bugs at scale using Dlint and r2c
Post by r2c’s Matt Schwager on using Dlint, a Python static analysis tool he wrote while at Duo, to find regular expression denial-of-service (ReDoS) bugs at scale. One bug he found was in urllib.request.AbstractBasicAuthHandler , resulting in CVE-2020-8492 (more).

Clang checker for symbolic execution
Describes writing a checker to statically analyze which data structure is relevant to satisfy a conditions constraint in C. Also discusses syzkaller for kernel fuzzing.

Cloud Security

Gaining AWS Console Access via API Keys
How to turn permanent credentials (AKIA* access key + secret key) or temporary credentials (generally come from assuming an IAM role and are used by apps or users with the AWS CLI or SDK) into Console access. Also, a tool to make it easy.

Azure Security Benchmark
V1 of the Azure Security Benchmark was released, which contains over 90 security best practices recommendations, based on based on industry standards and best practices, such as CIS.

How to Embezzle Money Using Amazon AMIs
Threat scenario: attacker copies a standard AWS AMI, publishes it on the Amazon Marketplace, charges a small amount per hour of use, writes a great CloudFormation template that uses this AMI, posts links to the CloudFormation template online, for example, on StackOverflow in answers. Protecting against things like this: Securing access to AMIs in AWS Marketplace, check whether running instances are using specified AMIs.

jonrau1 / ElectricEye
Continuously monitor your AWS services for bad configurations, all results sent to Security Hub for further aggregation and analysis.

  • 100% native Security Hub integration & 100% serverless

  • 160+ security & best practice detections not covered by Security Hub nor Config (AppStream, Cognito, EKS, ECR, DocDB, etc.)

  • 60+ multi-account SOAR playbooks

  • CloudFormation & Terraform support

  • 3rd Party Integrations: Config Recorder, Slack, ServiceNow, JIRA, Azure DevOps, Shodan with more on the way

As I called out in my AppSec Cali and BSidesSF slides, as well as tl;dr sec issues #26 and #24, continuous monitoring of cloud environments and auto-remediating issues is a key trend in scaling security, and is likely only going to become more so in the future.

Red Team

Backdooring WordPress with Phpsploit
Phpsploit is a post-exploitation framework that aims to provide a stealthy shell-like connection over HTTP. This post makes the argument that it’s easier to monitor changes to the www-folder (e.g. with OSSEC or Wazuh) than it is to detect backdoor code. They also have a post on detecting WordPress backdoors with Sysdig Falco, which basically just includes a custom rule to detect any write to files in the WordPress directory by a user who is not www-data.

DNS for red team purposes
Demonstrates a “proof-of-concept for how red teamers can build DNS command & control, perform DNS rebinding attack and create fast flux DNS. This approach can also be used by blue teams for building DNS blackhole / DNS sinkhole.”

Bypassing network restrictions using LDAP attributes
NCC Group’s Rindert Kramer describes LDAPFragger, a C2 tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes. Iveco Aliza wrote a blog post about detecting it.

Politics / Privacy

It seems inevitable that COVID-19 will lead to an increase in video surveillance, and once those systems are in place, they’re likely to be used for other purposes, such as immigration enforcement, finding criminals, stopping potential criminals, …

  • Israel is using the cellphone data it has for counterterrorism to inform people who have crossed paths with known patients. NYT, TechCrunch

  • Daniel Miessler wrote about the idea here.

The status of the United States as a global leader over the past seven decades has been built not just on wealth and power but also, and just as important, on the legitimacy that flows from the United States’ domestic governance, provision of global public goods, and ability and willingness to muster and coordinate a global response to crises. The coronavirus pandemic is testing all three elements of U.S. leadership. So far, Washington is failing the test.

As Washington falters, Beijing is moving quickly and adeptly to take advantage of the opening created by U.S. mistakes, filling the vacuum to position itself as the global leader in pandemic response. It is working to tout its own system, provide material assistance to other countries, and even organize other governments. Beijing understands that if it is seen as leading, and Washington is seen as unable or unwilling to do so, this perception could fundamentally alter the United States’ position in global politics and the contest for leadership in the twenty-first century.

The decisions people and governments take in the next few weeks will probably shape the world for years to come. When choosing between alternatives, we should ask ourselves not only how to overcome the immediate threat, but also what kind of world we will inhabit once the storm passes.

Many short-term emergency measures will become a fixture of life. Decisions that in normal times could take years of deliberation are passed in a matter of hours.

If you can monitor what happens to my body temperature, blood pressure and heart-rate as I watch a video clip, you can learn what makes me laugh, what makes me cry, and what makes me really angry.

It is crucial to remember that anger, joy, boredom and love are biological phenomena just like fever and a cough. The same technology that identifies coughs could also identify laughs. If corporations and governments start harvesting our biometric data en masse, they can get to know us far better than we know ourselves, and they can then not just predict our feelings but also manipulate our feelings and sell us anything they want — be it a product or a politician.


Application Security Engineer Interview Questions
List by Ishaq Mohammed of common questions when interviewing for an AppSec or ProdSec role.

Introducing Malwarebazaar
A free service providing a database of known malicious malware samples, enriched with additional intelligence. Extensive API for automation, search for samples by family name, fuzzing hashing, and tags.

Remote Development with a Chromebook in 2020
Marco Lancini on streamlining the process of working on your external Linux workstation with your Chromebook. Discusses SSH access, tmux, and using VSCode Remote.

📚 Lightning in a Bottle: 25 Years of Fuzzing

This year during RSA week Richard Johnson gave this keynote at the first ever FuzzCon.

The talk has some useful intro and overview information if you’re new to fuzzing, and covers a solid breadth of material, ranging from the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.

I wrote some brief takeaways here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!