• tl;dr sec
  • Posts
  • [tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls

[tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls

How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.

Hey there,

I hope you’ve been doing well.

Last weekend I watched Deadpool 2, and it was pretty good. If you liked the first one, you’ll probably like it. Also, if you need something to cheer you up, here is Deadpool interpretive dancing to Celine Dion singing a catchy power ballad.

Screaming Snarking into the Void

They say journaling is really cathartic, but I’ve never really done it. But now I know why.

Watching a lot of conference talks, you inevitably come across some talks that are not good. Perhaps the material is too basic or not novel, they make claims that aren’t substantiated by data, it’s mostly shilling a commercial product, etc.

Although I feel compelled to write a screed about them, I don’t, because there’s many reasons why this could be the case: they’re a new speaker, some content couldn’t make it through legal, or other factors I’m not aware of. There’s enough negativity in the security industry at times, so I work hard not to add to it.

But last weekend I gave myself permission to let loose and write Peak Snark™ into my private notes, never to be shared publicly.

And it felt great.

Sponsor

📢 Modern DAST with StackHawk

StackHawk is a dynamic application security testing tool built for today’s software engineering teams. With StackHawk, finding, triaging, and fixing security bugs is simple and automated in CI/CD. Developers can run AppSec tests on every PR, recreate findings with automated curl commands, and tie into engineering workflows with integrations like Slack and Jira. Get a demo or test out StackHawk today.

.One neat thing about StackHawk is that they hired Simon Bennet, the founder of OWASP ZAP. It’s always nice to see commercial support for prominent open source projects 👍

📜 In this newsletter...

🔗 Links:

  • Machine Learning: Threat modeling and practically attacking a machine learning-based service

  • AppSec: Unauth RCE on MobileIron MDM by Orange Tsai, how to prioritize which out-of-date vulnerable dependencies to fix

  • Web Security: Burp extension enabling the creation of sequences of steps and extracting info to use in later steps

  • Cloud Security: Find sensitive info in S3 buckets at scale, purposefully vulnerable Cloudformation, AWS CDK, and Terraform repos

  • Blue Team: Extending Thinkst Canary to be an interactive honeypot

  • Red Team: Massive list of pen testing resources, creating your own leaded credential search engine, a PHP backdoor management and generation tool

  • Politics / Privacy: Chinese state-sponsored hackers target the F5 VPN flaws, NIST on threat modeling differential privacy systems, the influence and power of WeChat

  • OSINT: Tool to run OCR on images available on Lightshot, a utility program to perform operations on subnet/CIDR ranges, tool to retrive all of the IPs of a target organization

  • JSON 4 Days: A wrapper around jq to avoid typing common patterns, a faster implementation of jq in Reason, a semantic comparing and tool for JSON/XML/HTML/YAML/TOML

  • Misc: Minimalist CLI knowledge base manager for your hacking cheatsheets, a massive deep dive into K-pop

  • Injection and an Impromptu LangSec History Story: A SQL / SQLi tokenizer parser analyzer to detect SQLi payloads, a lovely random Twitter encounter about some LangSec history

📚 Peeling the Web Application Security Onion Without Tears

Quick summary of this BSidesSF 2020 talk by Adobe Document Cloud’s Noam Lorberbaum and Keith Mashinter, which presents lessons in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.

Machine Learning

The machine learning pipeline and attacks
Blog post series by Johann Rehberger on practically attacking a machine learning-based service, from threat modeling the system to brute forcing images to find incorrect predictions. The latter was done in a Python Jupter Notebook, which I feel like I keep seeing everywhere in security recently.

AppSec

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
More impressive work by Orange Tsai. Blackbox testing to greybox using some Google-fu (found an RPM) -> bypass ACLs via breaking parser logic -> Java deserialization.

The Devil’s in the Dependency: Data-Driven Software Composition Analysis
This Black Hat USA 2020 talk by Ben Edwards and Chris Eng is kind of like the talk version of Veracode’s State of Software Security Volume 10 report, with a focus on vulnerabilities in third-party dependencies. The slides contain some interesting slicing and dicing of a pretty big dataset, by vulnerability class, programming language, etc.

One thing that stuck out to me is their thoughts on prioritizing remediation, which is super important. Also, thanks Ben for answering my questions on Twitter 🙏

Of the apps that have at least one flaw introduced by a library (70% of total dataset), 2.6% have ‘closed’ their flaws by either patching or accepting the risk.

  • So 97.4% of the remaining apps have at least 1 open flaw

  • 52.3% have an open flaw with a public PoC

  • 25% of those PoCs are known to have been exploited in the wild by Kenna Security

  • 1% fulfill the above + the app uses the vulnerable library function in its code

In short: If you prioritize addressing third-party vulnerabilities that a) have public PoCs, b) are actively being exploited, c) in which your app calls the vulnerable function, you’ll both maximally reduce your risk and you’ll limit your scope to ~1% of all of the dependencies you could patch. 

Web Security

Burp Suite Extension: Stepper
By Corey Arthur: “Stepper is designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.”

Cloud Security

S3Insights: Derive insights about your S3 environment at scaleMore neat work from Uber’s Ashish Kurmi (See also: How Uber Continuously Monitors the Security of its AWS Environment). S3Insights is a platform for efficiently deriving security insights about S3 data through system metadata analysis. Rather than analyzing the content of individual objects, S3Insights harvests S3 inventory data from multiple buckets in a multi-account environment to help discover and manage sensitive data.

Purposefully Vulnerable Config Management Repos by Bridgecrew

Blue Team

Extending a Thinkst Canary to become an interactive honeypotHow to extend Thinkst Canary to give attackers an SSH “shell” (actually a Docker container) so you can observe their behavior, by Liam Stevenson.

Red Team

The only Penetration testing resources you need
Pretty massive list of resources by KaliTut covering pen testing resources and tools, network, web, Linux, Windows, OSINT, and other security tools, books, and more.

DIY Leaked Credential Search Engine - Part 1
By Kevin Dick: “This post will walk through the process we followed to build a search engine for leaked credentials from publicly disclosed breaches/database leaks using Django REST Framework and PostgreSQL. At the end of this blog, you should have all you need to build an API and frontend Web Application that searches over 5 billion passwords in seconds.”

gellin/bantamA PHP backdoor management and generation tool featuring end to end encrypted payload streaming designed to bypass WAF, IDS, and SIEM systems.

Politics / Privacy

Chinese State-Sponsored Attackers Target F5, VPN Flaws“Attacks against the F5 flaw (CVE-2020-5902) began almost immediately after the company disclosed it on June 30 and CISA said it has responded to several incidents in government agencies and enterprises involving successful exploits against the bug.”

NIST: Threat Models for Differential Privacy
The point of differential privacy is to allow one to search and calculate stats on a dataset without being able to determine things about an individual within the dataset. This post is a nice overview of central vs local differential privacy and hybrid models. See also the first post of this blog series for a nice introduction to differential privacy.


Figure 1: Central Model of Differential Privacy

Figure 2: Local Model of Differential Privacy

As the coronavirus spread in early 2020 and China’s relations with countries around the world strained, Ms. Li posted an article on WeChat from the U.S. government-run Radio Free Asia about the deterioration of Chinese-Canadian diplomacy, a piece that would have been censored.

“The next day, four police officers showed up at her family’s apartment. They carried guns and riot shields.”

The police officers took Ms. Li, along with her phone and computer, to the local police station. She said they manacled her legs to a restraining device known as a tiger chair for questioning. They asked repeatedly about the article and her WeChat contacts overseas before locking her in a barred cell for the night.

A report from Citizen Lab, a University of Toronto-based research group, showed that Tencent surveilled images and files sent by WeChat users outside of China to help train its censorship algorithms within China. In effect, even when overseas users of WeChat are not being censored, the app learns from them how to better censor.

OSINT

mxrch/darkshot
By @mxrchreborn: “Darkshot is a scraper tool on steroids, to analyze all of the +2 Billions pictures publicly available on Lightshot. It uses OCR to analyze pictures and auto-categorize them via keywords and detection functions. You can find pretty much everything: credentials, personal informations (emails, phone numbers, addresses, ID cards, passports), banking information, etc. Since it’s modulable, you can make your own detection function and use it as a monitoring tool.”

projectdiscovery/mapcidr
A small utility program to perform multiple operations for a given subnet/CIDR ranges, developed to ease load distribution for mass scanning operations, by ProjectDiscovery.io.

harleo/asnip
By Leonid Hartmann: Retrieves all of the IPs of a target organization. It uses the IP or domain name and looks up the Autonomous System Number (ASN), retrieves the Classless Inter-Domain Routing (CIDR) subnet masks and converts them to IPs. Uses HackerTarget.

JSON 4 Days

For some reason there were a few JSON-related links this week 🤷

pry0cc/jf
A wrapper around jq to avoid typing common patterns by Ben Bidmead.

davesnx/query-json
A faster and simpler re-implementation of the jq language in Reason Native, by David Sancho.

Graphtage: A New Semantic Diffing Tool
By Trail of Bits: “Graphtage is a command line utility and underlying library for semantically comparing and merging tree-like structures such as JSON, JSON5, XML, HTML, YAML, and TOML files.” You can also compare across file formats, like comparing JSON to YAML.

We also plan to extend Graphtage to work on abstract syntax trees, which will allow your source code diffs to tell you things like which variables were changed and whether code blocks were reordered.

Misc

gnebbia/kb: A minimalist knowledge base manager
“kb is a text-oriented minimalist command line knowledge base manager. kb can be considered a quick note collection and access tool oriented toward software developers, penetration testers, hackers, students or whoever has to collect and organize notes in a clean way. I use it in the context of penetration testing to organize pentesting procedures, cheatsheets, payloads, guides and notes.”

A Deep Dive into K-pop
If you’re curious to learn about Korean pop music, this ~50 page treatise may be for you.

Injection and an Impromptu LangSec History Story

client9/libinjection
A SQL / SQLi tokenizer parser analyzer created by Signal Sciences CTO and co-founder Nick Galbreath from Signal Sciences that aims to detect SQL injection payloads. Libinjection can be useful for WAFs because being able to operate on tokenized input generally performs better than regex-based rules.

When I shared the above on Twitter, Andrew van der Stock kindly referenced some related earlier academic work, by Robert J. Hansen and Meredith L. Patterson (paper: Guns and Butter: Towards Forma Axioms of Input Validation).

The Twitter thread that followed (note: you may have to refresh, sometimes Twitter breaks redirects) had some interesting context, including:

  • “The historical foundation of langsec.org can be traced to two hungry grad students eating cheap seafood at a restaurant in the middle of nowhere, Iowa”

  • What happens when you’re thinking about patents but you have to deal with major DB players with patent portfolios

  • And Robert’s lessons learned (lightly edited):

1. Whenever you’ve found a silver bullet, ask yourself whether it’s a silver bullet for the real problem, or whether it’s a silver bullet for what you WISH was the real problem.

2. It is very unlikely you will ever make a dime from your discoveries.

3. Unless you make the secure way easier to code than the insecure way, developers will go the insecure way.

4. Infosec is, in virtually all its forms, a human-computer interaction problem of one flavor or another. People think to be good in infosec you have to understand tech in and out. Yes, but you also need to understand people.

I wrote a quick summary of this BSidesSF 2020 talk by Adobe Document Cloud’s Noam Lorberbaum and Keith Mashinter, which presents lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.

One aspect you may find particularly useful is Adobe evaluated over 10 different standards (e.g. SOC, FedRAMP, ISO 27001, HITRUST) with around ~1,350 control requirements, and distilled that down to ~290 common controls across 20 control domains. Ideally, by handling these common controls, you can easily check off a wide swathe of compliance requirements. Check out the common controls list here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint