[tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You

Hey there,

I hope you've been doing well!

Baking, En Quarantine

Like everyone, I’ve been experimenting with making some new things whilst confined to my spacious one bedroom apartment.

One of the easier sets of experiments has been variations on “mug cakes,” which are essentially putting some flour, sugar, cocoa powder, and whatever else you want into a mug, and then microwaving it. Yup, I’m fancy like that 🧑‍🍳

Here are some things I’ve tried:

• Oats and peanut butter - pretty good, made it fairly chewy.

• Chunks of cookie dough inside - delicious buried treasure.

• Sea salt on top - a nice touch.

• Whole wheat flour - trick yourself into thinking you’re being healthy.

• Mochi rice flour - interesting, chewy texture.

• Closing your eyes and feeling like you’re in Saison - priceless.

You can learn more about how the Netflix partnership team supports dev teams from Scott Behrens and Esha Kanekar’s AppSec Cali 2019 talk, “A​ Pragmatic Approach for Internal Security Partnerships”, which I’ve written a summary of here.

AppSec

./ OOO archive | DEF CON CTF
A live, playable archive of DEF CON CTF challenges by Order of the Overflow.

OWASP Sensitive Enterprise Data Analyzer To Eliminate Disclosure
Integrates with git to scan for secrets being pushed. Interestingly, its regexes appear to overlap with truffleHog’s, but not exactly. Seems like there should be some consolidation in regex-based tools to find secrets, but 🤷

Web Security

Ask me anything, with Burp Suite creator Dafydd Stuttard
Some interesting history about Burp Suite and the founding of Portswigger. Fun facts include: Burp was the first tool Daf ever wrote in Java, he did a PhD in philosophy and thought he might go into academia, and more.

How To Bypass CSP By Hiding JavaScript In A PNG Image
“Using HTML Canvas you can hide any JavaScript code (or an entire library) into a PNG image by converting each source code character into a pixel. The image can then be uploaded onto a trusted website like Twitter or Google (usually whitelisted by CSP) and then loaded as a remote image in a HTML document. Finally, by using the canvas getImageData method, it’s possible to extract the “hidden JavaScript” from the image and execute it.”

Towards native security defenses for the web ecosystem

Blog post by Google security information engineers Artur Janc and Lukas Weichselbaum on new web security mechanisms, specifically around injection vulnerabilities and isolation capabilities.

The root cause of injection vulnerabilities like XSS (and SQL injection, command injection, etc.) is a mixing of code and data. Web apps can separate data from code using two new security features:

1. Trusted Types “make JavaScript code safe-by-default by restricting risky operations, such as generating HTML or creating scripts, to require a special object – a Trusted Type. The browser will ensure that any use of dangerous DOM functions is allowed only if the right object is provided to the function.” Done properly, this can prevent all DOM-based XSS.

2. Content Security Policy based on script nonces - the random nonce attribute for loaded scripts ensures that even if an attacker is able to inject scripts on the page, the browser will refuse to execute it, preventing reflected and stored XSS.

These protections can be implemented with the following headers:

Content-Security-Policy: require-trusted-types-for 'script'; report-uri /report
Content-Security-Policy: script-src 'nonce-{randomValue}'; object-src 'none'; base-uri 'none'

New isolation capabilities include:

1. Fetch Metadata Request Headers - These provide trustworthy info about the source of requests (e.g. same-site, cross-site), whether it’s a navigation or resource request, and more. This allows the web server to apply security policies before processing the request, preventing vulnerabilities like CSRF or web-based info leaks (XS-leaks).

2. Cross-Origin Opener Policy (COOP) - “By default, the web permits some interactions with browser windows belonging to another application: any site can open a pop-up to your webmail client and send it messages via the postMessage API, navigate it to another URL, or obtain information about its frames.” COOP allows you to lock down your app to prevent such interactions.

For more info, see the Securing Web Apps with Modern Platform Features Google I/O talk: slides, video.

Cloud Security

AWS Lambda Abuse
@luminousmen describes how to minimize the damage of DDoS attacks on your AWS Lambdas.

• Make sure your code doesn’t hang on bad inputs (e.g. ReDoS or long payloads).

• Set up billing alerts.

• You can set concurrency levels on a per-function basis.

• Using SQS as a broker for your Lambda function lets you batch process multiple events at a time.

• Use a CDN like CloudFront, or use AWS WAF.

• For internal apps, require an API key to hit API Gateway.

• Use the API Gateway usage plans (e.g. “Token Bucket” model).

Incident Response in the Cloud
Ollie Green discusses the IR phases (preparation, identification, triage, investigation, containment, recovery, and lessons learned) and highlights some of the key differences between “traditional” IR and Cloud IR.

Container Security

12 Container image scanning best practices to adopt in production 

1. Bake image scanning into your CI/CD pipelines

2. Adopt inline scanning to keep control of your privacy (only scan metadata sent to the scanning tool)

3. Perform image scanning at registries

4. Leverage Kubernetes admission controllers

5. Pin your image versions

6. Scan for OS vulnerabilities

7. Make use of distroless images

8. Scan for vulnerabilities in third-party libraries

9. Optimize layer ordering

10. Scan for misconfigurations in your Dockerfile

11. Flag vulnerabilities in services already deployed and running in Kubernetes

Container Breakouts – Part 1: Access to root directory of the Host
First of a series of posts by Jan Harrie on container breakout techniques. Future posts will cover privileged containers and having access to the Docker socket.

I’ve collected links to a few tools that test container environments for common breakout bad practices here.

Blue Team

microsoft/ProcMon-for-Linux
This week in “Things I Never Thought I’d See,” Microsoft releases Process Monitor (Procmon) for Linux, a convenient way for Linux developers to trace the syscall activity on their system.

Politics / Privacy

Huawei 5G kit must be removed from UK by 2027 - BBC News

Coronavirus: Russian spies target Covid-19 vaccine research
As I imagine China is doing as well. The first country to create a vaccine will get a nice PR boost.

America’s Innovation Engine Is Slowing
Between handling COVID-19 poorly and settings policies that discourage international students, the U.S. could be damaging its economy for decades. More than half of American startups that became companies valued at $1 billion include immigrants among their founders and top executives, and international students represent 12 percent public university enrollment but ~28% of total tuition revenue. The problem is that these things compound: smart people go where there are other smart people and opportunities, so if the U.S. stops being that place, it’s quite hard to get it back.

The True True Truth
Jon Oliver got John Cena, Catherine O’Hara, Billy Porter, Paul Rudd, and Alex Trebek to record short messages that you can show to your friends or relatives who believe in conspiracy theories, that encourages them to think critically about the info they encounter, without talking down to them. See also Jon Oliver’s episode on coronavirus conspiracy theories.

More automation is coming, what are we going to do about it?We are sprinting towards a future where certain classes of jobs, currently employing millions of people are just not going to exist. And few people are sounding the alarm, other than perhaps Andrew Yang. You can’t just “bring back coal” or “break up big tech.” People are costly, and businesses are incentivized to cut costs.

• UiPath raises $225 million to automate repetitive back-office tasks - the details on what it does and how is interesting.

• Verizon’s call center will start using Google Cloud’s Contact Center AI

EFF: Atlas of Surveillance
A searchable map of surveillance tech deployed by police including body camears, drones, automated license plate readers, Ring partnerships, facial recognition, cell-site simulators, predictive policing, and more. Data was crowdsource gathered from volunteers and OSINT over ~2 years.

Explain Why You’re Asking Your Team to Do Something

Misc

Dark Web Price Index 2020
The Privacy Affairs team scanned dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products. Some interesting stats on prices for credit card data / online banking logins, payment processing services like PayPal, forged documents, social media accounts, malware, and DDoS attacks.

Strong Reject
Apparently there’s this meme floating around academia on getting rough peer review. If you’ve also spent time in academia, you’ll probably get a laugh.

“Concepts” by Daniel Miessler
Bite-sized nuggets of wisdom from books, articles, and more covering topics ranging from psychology, to philosophy, reasoning, and more. A super dense and quick way to get exposed to a bunch of interesting ideas.

🔥 Describe the Layout You Want -> Autogenerate with GPT-3Impressive demo by Sharif Shameem of entering text like “a button that looks like a watermelon” or “a button for every color of the rainbow” and it generates JSX code that does it. And here’s a video of him describing and then generating the Google home page.

How McKinsey Is Making $100 Million (and Counting) Advising on the Government’s Bumbling Coronavirus Response
Welp, good thing the U.S. coronavirus response is going so well 😅 Here are some fun snippets:

• In April, McKinsey was penalized for refusing to comply with a General Services Administration audit. The firm went over the head of a contracting officer and found a GSA supervisor who was willing to accommodate them and improperly inflated contract prices.

• “The firm effectively sells data it obtains from one government project to other agencies. McKinsey generally retains in its central databases anonymized work product from its engagements, so future consulting teams can get a head start on similar projects.” If the government did the work, they would share it with state and city governments for free.

☝️ Security consultants be like 😭😭

📚 PLTalk: Practical Formal Methods with Hillel Wayne

I stumbled across this Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible.

This sort of thing is my jam - listen to some smart people discuss technical topics in approachable ways, covering ideas, tools, and techniques that’ll expand your knowledge of what’s out there and possible 🤘

This week they were joined by guest Hillel Wayne, where they discussed using formal methods in the real world.

I wrote a summary of the ~1.5 hour video that includes points from the discussion, code snippets from Hillel’s live demo, and links to some neat academic papers and related tools.

Also check out this great summary by Leslie Lamport of the paper: Use of Formal Methods at Amazon Web Services.

Or read Jean’s comparison of high fashion to programming languages research; and yes, the metaphor fits (and thus sits)!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint