
[tl;dr sec] #49 - Web Cache Entanglement, Finding a Mentor, Build Tools Around Workflows

New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.

Hey there,

I hope you’ve been doing well!

Definitely a real article title

I wanted to share a simple trick I’ve been using recently to watch more conference talks.

  1. Ensure you have a backlog of talks you’re interested in ready to watch.

  2. Turn on one of the talks when you’re exercising, washing dishes, cleaning, doing laundry, or other normal tasks.

  3. Ensure you’re wearing Bluetooth earbuds so your partner isn’t annoyed.

  4. ???

  5. 🧠💰

Nothing fancy, but I’ve been watching ~2-4 talks/week the past few weeks doing this.

Keeping the Summary Section

Thank you to everyone who voted last week! Votes to keep the summary section won by roughly 3:1, so it shall be kept.

Zapier with Moar Power

I’ve been using Zapier to automate a few things in my tl;dr sec workflow.

If you’re not familiar, Zapier is a site that makes it easy to set up automations that connect various services together; for example, every time you get a new email that matches a pattern, download its contents to Dropbox and send you a Slack message.

Zapier’s value prop is that it has a million connectors to various services, so you don’t need to write integrations, and it has a workflow for creating custom workflows via a GUI that is actually quite intuitive. I’d recommend checking it out as an example of an intuitive UX and enabling coding-esque capabilities to people who don’t know how to code.

However, some specific tasks I want to perform aren’t supported by default integrations and I’ve been a bit frustrated. But! I just discovered two features that seem pretty baller:

  1. You can send and receive arbitrary webhook data.

  2. You can add arbitrary Python or JavaScript as a step in any of your automation flows.

I’ll write up more about my workflow at some point if you’d find that interesting.

Why not write your own custom code? I have for some purposes, but it takes more time and I’d prefer not to maintain custom code.

Sponsor

📢  Datadog Security Monitoring

Enhance your DevSecOps initiatives with Datadog's cloud-native security monitoring tool. Break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one unified platform. Sign up for a live demo with one of Datadog's security engineers and receive a free Datadog T-shirt.

📜 In this newsletter...

🔗 Links:

  • AppSec: Tools for generating a Software Bill of Materials and scanning for vulnerabilities in container images and file systems

  • Web Security: Headless browser automation guides for Puppeteer and Playwright

  • Web Cache Entanglement: Novel Pathways to Poisoning: New cache research by James Kettle with a nice, grokkable structure

  • Container Security: A static analysis tool to scan your Kubernetes role-based access control

  • Career: A guide a professor gives his PhD students, Daniel Miessler and Eric Barker on building mentor relationships

  • Politics / Privacy: Readings for an Internet Law course, company whose business model is basically doing deep fakes, listing of privacy-focused services and tools, alternatives to cut Google out of your life, deep dive on NSO

  • OSINT: How to use Amass more effectively

  • Misc: InfoSec Bob Ross, when having a math background as a developer is useful, a book for programmers to learn math

  • Build tools around workflows, not workflows around tools: Thoughts on the value of having tools that tightly model your workflows and mental processes

AppSec

  • syft - CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.

    • Supports packages and libraries from various ecosystems (APK, DEB, RPM, Ruby Bundles, Python Wheel/Egg/requirements.txt, JavaScript NPM/Yarn, Java JAR/EAR/WAR, Jenkins plugins JPI/HPI, Go modules)

    • Linux distribution identification (supports Alpine, BusyBox, CentOS/RedHat, Debian/Ubuntu flavored distributions)

  • grype - A vulnerability scanner for container images and filesystems.

    • Find vulnerabilities for major operating system packages across Alpine, BusyBox, CentOS / Red Hat, and Debian / Ubuntu flavored distributions

    • Find vulnerabilities for Ruby (Bundler), Java, JavaScript (npm/yarn), Python (Egg/Wheel) packages, and Python Pip/requirements.txt listings

Web Security

theheadless.dev - Learn Puppeteer & Playwright
Tips, tricks and in-depth guides on headless browser automation: clicking and typing, navigating and waiting, etc.

Web Cache Entanglement: Novel Pathways to Poisoning
PortSwigger’s Director of Research James Kettle presented at Black Hat USA, furthering his cache-related research. As always, his work is quite neat and well worth checking out if you’re interested in web security.

But there are a couple of structural things I think James did quite well that make this a solid talk to examine from a “how to give a good security talk” point of view, so I’d encourage you to watch at least the first ~10 minutes for that alone.

First, right off the bat, he does a great job teasing the talk’s content and building your anticipation.

Have you ever thought that you understood something, and then realized that what you understand is actually only 1% of the total?

Or have you ever found a vulnerability that wasn’t quite exploitable - an exploit chain with a missing link?

In this session, I’m going to share with you advanced techniques to expose some seriously esoteric cache behaviors, and weave them into high impact exploit chains, to turn junk vulnerabilities into criticals.

After a brief outline of the talk and a recap of cache poisoning, James spends a while discussing the overall methodology for his research.

This is important, because the rest of the talk is quite technical and in the weeds discussing case studies of different exploit scenarios, so spending a fair amount of time upfront helps the audience construct some mental scaffolding for how to understand the later examples.

Also, a number of subsequent slides have these helpful breadcrumbs in the top right so it’s always clear where in the methodology the slide lies.

These small things aren’t rocket science, but I do think they make a big difference in helping the audience get your research, which, after all, is the point.

Container Security

appvia/krane
A static analysis tool to scan your Kubernetes role-based access control (RBAC). Identifies potential security risks in K8s RBAC design, makes suggestions on how to mitigate them, and has a dashboard that shows your current RBAC security posture.

Career

Perspective on the PhD
Thoughtful ~20 page guide that University of Michigan professor Eric Gilbert gives his PhD students, covering topics including doing research, finding ideas, writing papers, avoiding burnout, and more. Worth reading if you’re considering grad school.

How to Initiate Contact With a Mentor
💯 post by Daniel Miessler that includes some great principles and example scripts. I’ve definitely done this poorly before, and some people who reach out to me make these same mistakes. This post is spot on with things I’ve learned and found successful personally. Key points:

  1. Avoid flattery.

  2. Be specific.

  3. Behave like a peer.

  4. Indicate that you put the work in.

  5. Show them something you’ve built.

  6. Provide some kind of value to their craft.

  7. If you seek respect, produce something they respect.

8 Steps To Getting The Perfect Mentor For You
Great article by Eric Barker that discusses: what mentors actually do, how to pick a mentor, how to contact one, example email templates, how to handle the first meeting, and how to maintain the relationship.

Politics / Privacy

Internet Law - Fall 2020
Texas A&M University School of Law professor Hannah Bloch-Wehba has kindly shared the reading list for her upcoming course on Internet Law, which appears to cover a large number of interesting areas, including but not limited to: the First Amendment & Platforms as Forums, Net Neutrality, Elections, Disinformation, and political ads, Cryptography, Anonymity, Privacy, Law Enforcement & Surveillance, Trademark, Copyright, Fair Use, and more.

Hour One raises $5M Seed to generate AI-driven synthetic characters from real humans
The company can onboard “basically any human being and turn them into a synthetic character that’s a lifelike replica of that person. So it’s not an avatar or a version of that person. It really does look and behave like that person. You can then basically generate new content by uploading new texts.” They also have a guessing game site where you can try to guess which videos are real and which are deep fakes. And it’s pretty hard 😅 And we continue hurtling towards a Brave New World of deepfakes…

PrivacyTools.io
Provides services, tools and knowledge to protect your privacy against global mass surveillance. Covered info includes privacy-centric online services (email providers, VPN operators, etc.), web browsers, software, operating systems, and more. You can also follow them on Twitter.

degoogle: Cutting Google out of your life
Repo by Joshua Moore with many links to privacy-focused browser extensions and replacements/alternatives for Google’s services.

Inside NSO, Israel’s billion-dollar spyware giant
NSO claims that its Pegasus tool does not allow American numbers to be infected, and that it self-destructs if it finds itself within American borders.

The WhatsApp lawsuit, meanwhile, has taken aim close to the heart of NSO’s business. The Silicon Valley giant argues that by targeting California residents—that is, WhatsApp and Facebook—NSO has given the court in San Francisco jurisdiction, and that the judge in the case can bar the Israeli company from future attempts to misuse WhatsApp’s and Facebook’s networks. That opens the door to an awful lot of possibilities: Apple, whose iPhone has been a paramount NSO target, could feasibly mount a similar legal attack. Google, too, has spotted NSO targeting Android devices.

OSINT

Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties
Guide by Luke Stephens on how to get the most out of Amass: set up your API keys, use amass intel (reverse whois, grab SSL certs and ASNs, and run it recursively), use amass enum to grab more subdomains by passing in CIDRs and ASNs, and more.

Misc

Algebra: “This function is associative, so instead of applying it N times we can just compose it with itself N times and call it once.”

A Programmer’s Introduction to Mathematics
Interesting sounding book by Jeremy Kun that uses your familiarity with ideas from programming and software to teach math. It covers the central objects and theorems of mathematics, including graphs, calculus, linear algebra, eigenvalues, optimization, and more.

What seems especially interesting to me about this book is its content on some meta aspects about math, like the culture of the people in it, how to gain the right intuition, and how to learn on your own. I feel like too often resources are “How to do X” without this very helpful, contextual view.

You’ll also be immersed in the often unspoken cultural attitudes of mathematics, learning both how to read and write proofs while understanding why mathematics is the way it is. Between each technical chapter is an essay describing a different aspect of mathematical culture, and discussions of the insights and meta-insights that constitute mathematical intuition… By the end of the book, you will be able to learn mathematics on your own.

Build tools around workflows, not workflows around tools
For the last few years, I’ve been on a journey to replace all of the essential digital tools I use for organizing my life with tools I develop, maintain, and deploy myself.

Mass-market productivity tools don’t fit the way our individual minds are predisposed to work. Instead, to use these tools, we need to bend our workflows to fit around the tools.

My biggest benefit from writing my own tool set is that I can build the tools that exactly conform to my workflows, rather than constructing my workflows around the tools available to me. This means the tools can truly be an extension of the way my brain thinks and organizes information about the world around me. My tools aren’t perfect yet, but as they grow and evolve, they’ll only become better reflections of my personal mental models.

I discover my workflows. I start with a minimal, bare-bones solution, and try to pick up on patterns and tricks I create for myself. And then I encode those patterns and tricks into the tools over time.

I think it’s easy to underestimate the extent to which our tools can constrain our thinking, if the way they work goes against the way we work. Conversely, great tools that parallel our minds can multiply our creativity and productivity, by removing the invisible friction of translating between our mental models and the models around which the tools are built.

…it’s important to think of the tools you use to organize your life as extensions of your mind and yourself, rather than trivial utilities to fill the gaps in your life.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint