[tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ring's hardware and attack surface.
I hope you’ve been doing well!
Last weekend I watched Mad Max, which is an engaging documentary about life in the U.S., though a few years ahead of its time.
I’m going to be joining my friend Jb Aviat next Tuesday, September 29 at 8am PDT / 5pm CET to discuss data they’ve collected about web applications being exploited in the wild.
There are a number of interesting take-aways: there’s data to back up some things we security professionals tend to intuitively believe, and there are a few things I found pretty surprising.
✊ RIP RBG
This past week the world lost an incredible woman: Ruth Bader Ginsburg.
Despite graduating joint first in her class from Columbia Law School, she couldn’t get a job at a law firm because she was a woman. Nevertheless, she advanced to the highest position in her field, inspiring generations of people who are outside the traditional mold of their field.
📢 Jobs @ Praetorian
If you default to taking the initiative and prefer the brutal truth over hypocritical politeness, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.
📜 In this newsletter...
Program Analysis: 73 page PDF overview by CMU profs, abstract interpretation explained through chess, MIT's class on abstract interpretation
AppSec: A comic explaining HTTPS, pen testing guide for online roulette apps, lessons learned from 4 years of bug bounty, understanding and preventing web app DoS
Cloud Security: Tools to find exposed S3 buckets, tool to visualize your Terraform deployments, 11 tools for mapping trust relationships in AWS
Container Security: A compiled list of public Kubernetes failure stories, vulnerability scanner for Windows containers
Blue Team: An SSH tarpit to trap scanners
Hardware: A teardown of Amazon's Ring alarm system
Fuzzing: Microsoft releases a self-hosted fuzzing-as-a-service platform
Browser Security: Sniff communication between Chromium processes
Red Team: Simple multi-language reverse shell generator
Politics / Privacy: Comparing secure messaging apps, Palantir and Thiel shade, banks happily move money for criminals and the U.S. gov't doesn't stop it
OSINT: Tool to find a company's infra and files on top cloud providers, an extensible HTTP/DNS scanner, hilarious story of finding former Australian PM's passport number
Misc: Toonify yourself, VS Code 4 lyfe
I got some nice reading recommendations from a Twitter thread started by Sean Heelan, thanks!
73 page PDF by CMU professors Jonathan Aldrich and Claire Le Goues covering a simple WHILE language, doing dataflow analysis, interprocedural and pointer analysis, symbolic execution, program synthesis, concolic testing, and more.
Concrete and Abstract Interpretation, Explained through Chess
Some neat slides by Rolf Rolles describing abstract interpretation by using the state space of a chess board (all of the possible combinations of piece locations) as sort of an analogy to the state space of programs. If you’ve dreamed of seeing what peak LaTeX/Beamer looks like for creating slides, look no further.
How HTTPS works
A nice, high-level overview of HTTPS in an approachable comic. Probably understandable by non-technical friends and family.
Online Casino Roulette – A guideline for penetration testers and security researchers
NCC Group’s Jesús Calderón Marín presents a pretty thorough walkthrough of security issues to test for when assessing online roulette applications, including time-of-check / time-of-use (TOCTOU), insecure randomness, business logic bugs, and more.
Hacking on Bug Bounties for Four Years
Awesome transparency by AssetNote co-founder Shubham Shah: he earned $635,387.47 over 4 years and 4 months through HackerOne, which is roughly $400/day, though he wasn’t doing bug bounty every day. The continuous attack surface monitoring capabilities he’s been building into Assetnote account for 18% of the bugs he reported, not too shabby 👍
Not all attacks are equal: understanding and preventing DoS in web applications
Django creator Jacob Kaplan-Moss writes a well-reasoned post on evaluating the risk posed by application-level DoS attacks. I really like the lens through which he describes this: attacker leverage; that is, how much work must the attacker perform to cause how much work for the target, how strongly the targeted app authenticates users, etc. (Disclaimer: I helped edit this post.)
Tool by Steeve Barbeau to help you understand your Terraform deployments by visualizing them. Useful for keeping your network schema up-to-date in your documentation/wiki or when threat modeling cloud-based services.
Exploring Cloud Trust Relationships: AWS
This post describes 11 different AWS security scanning tools with a focus on those that can map and graph trust relationships between different objects in AWS. Tools mentioned: Prowler, Pacu, WeirdAAL, AWS Inspector, Cartography, PMapper, Cloudmapper, AWSPX, Aaia, and Altimeter.
By NCC Group’s Saira Hassan: A vulnerability scanner for Windows containers, which performs several benchmark checks, checks for CVEs/vulnerable packages, and checks the config and Docker files for misconfigurations.
skeeto/endlessh: SSH tarpit that slowly sends an endless banner
“An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.”
Inside Amazon’s Ring Alarm System
Great teardown by Tenable’s Nicholas Miles: many screenshots of the hardware internals, then dumping the firmware to understand the device’s attack surface for trying to get a root shell on the device.
🔥 microsoft/onefuzz: A self-hosted Fuzzing-As-A-Service platform
“Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release. With a single command, which can be baked into CICD, developers can launch fuzz jobs from a few virtual machines to thousands of cores.” Justin Campbell and Michael Walker spoke about it at Cppcon, but the video doesn’t appear to be live yet. (blog post)
Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
Programmatic triage and result de-duplication: It provides unique flaw cases that always reproduce.
On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
Fuzz on Windows and Linux OSes
A tool to capture communication between Chromium processes on Windows in real-time using Wireshark, by capturing data sent over named pipes.
Reverse Shell Generator
A very simple reverse shell generator that’ll give you a 1-liner for Bash, Lua, netcat, PHP, Perl, PowerShell, Python, and Ruby.
Politics / Privacy
Secure Messaging Apps Comparison
Excellent overview of ~12 messaging apps across 30+ attributes by Mark Williams. tl;dr: Use Signal (or Threema or Wire).
😱 FinCEN Files Show Criminals Moved Billions As Banks Watched
Wow, what a story.
A tool by @0xsha @j3ssiejjj to find a target company’s infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). See also ProxyFor for verifying good proxies. blog post
Community Powered Scanning with Nuclei
A customizable, extensible HTTP/DNS scanner by Project Discovery (@pdnuclei). Specify request patterns in YAML, scan for known CVEs, common misconfigurations, and more. What seems especially useful is being able to define multi-step flows, and have one step extract words or text via regex from prior steps which can be used in later ones. source code
When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number
@mangopdf writes hilarious posts, and this is no exception. One of Australia’s former PMs posted their plane ticket on Instagram, which included their boarding number. Using that, he logged onto the airline’s website as Tony and, using extreme hacking skills like right-clicking and selecting “View HTML,” was able to recover his passport number and phone number.
The Era of Visual Studio Code
Roben Kleene argues that VS Code is likely to remain the most popular editor for potentially 10+ years, due to its penetration of the developer market, how it’s maximized the power and visibility of extensions, how it has successfully moved beyond being a desktop app to the web (Codespaces), and the significant resources Microsoft is putting behind it. This post covers some interesting history of text editors, from Vi to Emacs, BBEdit, TextMate, and more. H/T Daghan Altas
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏
Thanks for reading!