[tl;dr sec] #55 - Detection as Code, Vault Authentication Bugs, Fingerprinting Exploit Developers
Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.
I hope you’ve been doing well!
🎉 Sponsor Slots Filled Through 2020!
Whoa! tl;dr sec is sponsored all the way through the rest of 2020, and even a bit into 2021!
I’m incredibly honored and humbled by this. A big thank you to all of the sponsors, and even bigger thank you to you, dear reader 🙏
Hearing from people that they find tl;dr sec useful or that they’ve put some of the tools and ideas to good use makes all the work worth it, and puts a spring in my step. Or maybe that’s me limping. Either way, it feels good 😀
Like everyone and their cousin (who works in tech), I watched The Social Dilemma (trailer).
In a nutshell, it’s a set of interviews with a bunch of OG senior tech people from popular social media platforms (Facebook, YouTube, Twitter, Instagram, etc.) who created many of the now common UX tricks to maximize engagement and user growth, woven together with an overarching narrative and reflections.
I thought the movie did a surprisingly good job at explaining technical topics to a non technical audience, and somehow making interviews with a bunch of nerds engaging 🤓
It’s been interesting to see so many representations of the tech industry in media: The Social Network, Silicon Valley, Steve Jobs movies, Theranos, etc.
I hope that one day I can burn enough bridges and make enough powerful enemies that my life also gets made into a trendy movie (Netflix, you know how to reach me 📞).
📢 Jobs @ Praetorian
If you are modest about your extraordinary brilliance, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.
📜 In this newsletter...
AppSec: Finding C-type bugs in memory safe languages, find bugs by looking for dangerous words in source code, code scanning on GitHub
Web Security: HTTP desync attacks in the wild and how to defend against them, sending arbitrary MDM commands via HTTP request smuggling, tool to test for HTTP request smuggling/desync vulnerabilities, Cloudflare's write-up on a massive DDoS attempt, JWT security anti-patterns and best practices, updated RFC on OAuth 2.0 security
Cloud Security: Write-up of some complex authentication bugs in Vault
Blue Team: Autodeploy a Windows Domain RDP honeypot, Salesforce policy deviation checker, fingerprinting exploit developers by their work, detection as code
Hardware: List of hardware and IoT security tools
Red Team: An overview of the various Metasploit components
Politics / Privacy: Academic study of the manipulative tactics used in campaign emails requesting donations
Misc: "Smart" bluetooth male chastity belt is totally secure, Grocery Store Argument: The Musical
Now you C me, now you don’t: An introduction to the hidden attack surface of interpreted languages
Just because you’re using an interpreted language doesn’t mean you’re safe from memory safety issues. Bas Alberts describes the attack surface of targeting interpreters, and gives three case studies: Perl format strings, deserialization in PHP, and Python’s
How to Find Vulnerabilities in Code: Bad Words
Will Butler describes an underrated technique for finding serious security vulnerabilities in code: searching for words that “sound dangerous.” Others and I found this surprisingly effective as security consultants. Examples include:
insecure, and more.
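To make the technique concrete, here is an added example (my own code, not Will Butler’s) that greps a source tree for such words and ranks files by hit count. Only “insecure” is taken from the post; every other entry in BAD_WORDS is an assumed starter list, and the SAMPLE snippet is constructed rather than taken from any real project.

```python
"""Grep a source tree for words that "sound dangerous" and rank the hits.

Added example; this is not Will Butler's code. Only "insecure" comes from
the page: the rest of BAD_WORDS is an assumed starter list for illustration.
"""
import re
from collections import Counter
from pathlib import Path

# Assumed starter list (only "insecure" is from the original post); tune per codebase.
BAD_WORDS = ["insecure", "unsafe", "bypass", "todo", "hack", "workaround",
             "temporary", "noverify", "skip_auth", "allow_all", "disable"]

WORD_RE = re.compile("|".join(re.escape(w) for w in BAD_WORDS), re.IGNORECASE)


def scan_text(text):
    """Return {word: count} for every bad-word hit in a blob of source text."""
    return dict(Counter(m.group(0).lower() for m in WORD_RE.finditer(text)))


def scan_lines(text):
    """Return (line_no, word, stripped_line) so a reviewer can jump to each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in WORD_RE.finditer(line):
            hits.append((n, m.group(0).lower(), line.strip()))
    return hits


def scan_tree(root, suffixes=(".py", ".go", ".js", ".java", ".rb", ".c", ".php")):
    """Walk a source tree; return [(total_hits, path, {word: count})] best-first."""
    ranked = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                hits = scan_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                ranked.append((sum(hits.values()), str(path), hits))
    return sorted(ranked, reverse=True)


# Constructed sample standing in for a real file (not from any real project).
SAMPLE = """\
def verify(cert):
    # TODO: temporary hack, skip verification until PKI is ready
    if INSECURE_MODE:
        return True  # bypass
    return cert.check()
"""

if __name__ == "__main__":
    for n, word, line in scan_lines(SAMPLE):
        print(f"{n:3}: [{word}] {line}")
```

Run `scan_tree("path/to/repo")` on a real checkout and start reading from the top of the ranking; the point is triage, not precision, so expect noise and treat a dense cluster of hits in one file as the signal.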
GitHub: Code scanning is now available!
GitHub code scanning, powered by CodeQL (from GitHub’s Semmle acquisition), is now generally available. In another blog post, GitHub also announced a number of third-party static analysis and developer security training GitHub Actions and Apps available on the GitHub Marketplace. It’ll be interesting to see how GitHub handles third-party SAST tools, given that they compete with CodeQL, and whether vendors will have to pay an Apple App Store-esque extortionate marketplace fee.
HTTP Desync Attacks in the Wild and How to Defend Against Them
Imperva describes several types of HTTP desync attacks they’ve observed in practice and several defenses they’ve implemented to protect against them.
The Powerful HTTP Request Smuggling
Detailed write-up on how Ricardo Iramar dos Santos was able to exploit HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program.
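Both the Imperva post and the MDM write-up above turn on the same mechanism: a front-end and a back-end disagreeing about where one request ends and the next begins. The following added example (my own code, not Imperva’s or Ricardo Iramar dos Santos’s) simulates a CL.TE desync with two toy parsers, shows the leftover bytes poisoning the next user’s request, and includes the kind of ambiguity check a proxy can apply as a defense. Hosts, paths and the `Foo` header are constructed for illustration.

```python
"""Simulate a CL.TE HTTP request smuggling (desync) on one keep-alive connection.

Added example; this is not Imperva's or Ricardo Iramar dos Santos's code.
Two toy parsers stand in for a front-end that frames bodies by
Content-Length and a back-end that frames them by Transfer-Encoding: chunked.
Hosts, paths and header names below are constructed for illustration.
"""


def parse_headers(data):
    """Return (start_line, [(name, value)], body_offset) for the request at the head of data."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    lines = head.split(b"\r\n")
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs, len(head) + len(sep)


def header(pairs, name):
    """All values for a header name (duplicates matter for smuggling)."""
    return [v for k, v in pairs if k == name]


def read_cl(data):
    """Front-end behaviour: body = Content-Length bytes; the rest is the next request."""
    start, pairs, off = parse_headers(data)
    n = int((header(pairs, b"content-length") or [b"0"])[0])
    return start, data[off:off + n], data[off + n:]


def read_te(data):
    """Back-end behaviour: body is chunked and ends at the zero-size chunk."""
    start, pairs, pos = parse_headers(data)
    body = b""
    while True:
        size_line, _, _ = data[pos:].partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        pos += len(size_line) + 2
        if size == 0:
            pos += 2                               # CRLF closing the last chunk
            return start, body, data[pos:]
        body += data[pos:pos + size]
        pos += size + 2                            # chunk data + CRLF


def is_ambiguous(data):
    """Defensive check a proxy can apply: refuse requests two parsers could frame differently."""
    _, pairs, _ = parse_headers(data)
    te = header(pairs, b"transfer-encoding")
    cl = header(pairs, b"content-length")
    if te and cl:
        return True                  # CL.TE / TE.CL: two framings in one request
    if len(te) > 1 or len(cl) > 1:
        return True                  # duplicated framing headers
    if te and te[0].lower() != b"chunked":
        return True                  # TE.TE obfuscation ("xchunked", "chunked\tfoo", ...)
    return False


def next_request_at_backend(stream, victim):
    """What the back-end parses next: its unread leftover glued to the victim's bytes."""
    _, _, leftover = read_te(stream)
    start, pairs, _ = parse_headers(leftover + victim)
    return start, pairs


# Constructed attacker request: CL covers the whole body, TE says it ends at "0\r\n\r\n".
PREFIX = b"GET /admin HTTP/1.1\r\nFoo: "          # swallows the victim's request line
BODY = b"0\r\n\r\n" + PREFIX
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

# Constructed request from an unrelated user, sent next on the same back-end connection.
VICTIM = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    _, fe_body, fe_rest = read_cl(SMUGGLED)
    _, be_body, be_rest = read_te(SMUGGLED)
    print("front-end leftover:", fe_rest)          # b'': one complete request, nothing pending
    print("back-end leftover: ", be_rest)          # PREFIX, still waiting for more bytes
    print("victim now requests:", next_request_at_backend(SMUGGLED, VICTIM)[0])
    print("ambiguous?", is_ambiguous(SMUGGLED))
```

The front-end sees a single well-formed POST and forwards everything; the back-end stops at the zero chunk and keeps `PREFIX` on the connection, so the next user’s `GET /account` is parsed as `GET /admin` with their original request line buried in a header. The MDM case is this pattern with a different prefix. Real parsers differ in how they normalize header names and values, which is why `is_ambiguous` errs toward rejecting anything with two framing headers rather than trying to pick a winner.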
OAuth 2.0 Security Best Current Practice
Updated working document from the Internet Engineering Task Force (IETF) describing security best practices for OAuth 2.0. “It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.”
Enter the Vault: Authentication Issues in HashiCorp Vault
Two serious bugs in Vault’s
gcp authentication methods, by Project Zero’s Felix Wilhelm.
Salesforce policy deviation checker by NCC Group’s Jerome Smith. The tool reveals which Profiles have become desynchronised from Organization level policies, and reviews each one’s password policies and session settings to highlight any deviations from those set at the Organization level.
Graphology of an Exploit - Hunting for exploits by looking for the author’s fingerprints
Fascinating blog post by Check Point’s Itay Cohen and Eyal Itkin in which they differentiate between the people writing malware and those developing the exploits malware uses, and fingerprint two exploit developers. The post analyzes the exploit authors’ clientele, how they improve technically over time, and more.
Figure: the set of exploit-related artifacts that they looked for.
Detection content versioning: understand what specific rule or model triggered an alert, even in the past.
Proper “QA” for detection content: test for broken alerts (e.g. those that never fire, false positives/negatives) and gaps in detection overall.
Content (code) reuse and modularity of detection content: rules, signatures, analytics, algorithms, etc.
Cross-tool detection content: e.g. looking for a hash in EDR data and also in NDR; and in logs as well.
Metrics and improvement: Get better over time
Goal: build a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in various product(s).
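As an added example of the points above (my own code, not the original article’s), here is a minimal detection-as-code layout: each rule is versioned, carries its own positive and negative sample events, is gated to the telemetry sources it applies to, and shares an indicator list across EDR, NDR and proxy data. A `qa` step catches a rule that can never fire, and every alert records the rule version that produced it. The rule ids, field names per source, hash value and events are all constructed for illustration.

```python
"""Detection as code: rules as versioned, unit-tested Python run over telemetry.

Added example; this is not the original article's code. The rule ids, the
event field names per source and the events themselves are constructed for
illustration: a real pipeline would pull EDR/NDR/log records from a SIEM.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    id: str
    version: str                     # bumped on every logic change, stamped on each alert
    description: str
    sources: tuple                   # telemetry this rule is meant to run against
    match: Callable[[dict], bool]
    positive: list = field(default_factory=list)   # sample events that must alert
    negative: list = field(default_factory=list)   # sample events that must stay quiet


# One indicator list shared across tools (constructed hash, not a real IoC).
BAD_SHA256 = {"deadbeef" * 8}

# Each source names the hash field differently; normalise once so rules stay source-agnostic.
HASH_FIELD = {"edr": "file_sha256", "ndr": "payload_sha256", "proxy": "response_sha256"}


def event_hash(ev):
    return ev.get(HASH_FIELD.get(ev.get("source"), ""), "").lower()


def encoded_powershell(ev):
    cmd = ev.get("cmdline", "").lower()
    return "powershell" in cmd and (" -enc" in cmd or " -encodedcommand" in cmd)


def schtasks_create(ev):
    # Deliberately broken: compares against "EDR" while sources are lower-case, so it never fires.
    return ev.get("source") == "EDR" and "schtasks /create" in ev.get("cmdline", "").lower()


RULES = [
    Rule("DET-0001", "1.2.0", "Known-bad file hash in any telemetry", ("edr", "ndr", "proxy"),
         lambda ev: event_hash(ev) in BAD_SHA256,
         positive=[{"source": "edr", "file_sha256": ("deadbeef" * 8).upper()},
                   {"source": "proxy", "response_sha256": "deadbeef" * 8}],
         negative=[{"source": "edr", "file_sha256": "00" * 32}]),
    Rule("DET-0002", "0.3.1", "Encoded PowerShell command line", ("edr",),
         encoded_powershell,
         positive=[{"source": "edr", "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"}],
         negative=[{"source": "edr", "cmdline": "powershell.exe -Command Get-Process"},
                   {"source": "ndr", "cmdline": "powershell.exe -enc QQBB"}]),   # wrong source: ignored
    Rule("DET-0003", "0.1.0", "Scheduled task creation", ("edr",),
         schtasks_create,
         positive=[{"source": "edr", "cmdline": "schtasks /create /tn upd /tr C:\\tmp\\x.exe"}]),
]

# Constructed corpus: every rule's samples, standing in for a day of real events.
CORPUS = [ev for r in RULES for ev in r.positive + r.negative]


def evaluate(rules, events):
    """Run all rules over an event stream; every alert records which rule version fired."""
    alerts = []
    for ev in events:
        for r in rules:
            if ev.get("source") in r.sources and r.match(ev):
                alerts.append({"rule": r.id, "version": r.version, "event": ev})
    return alerts


def qa(rules):
    """CI gate: positives must fire, negatives must not; returns {rule_id: [(problem, event)]}."""
    failures = {}
    for r in rules:
        problems = []
        if not r.positive:
            problems.append(("no_positive_sample", None))
        for ev in r.positive:
            if not (ev.get("source") in r.sources and r.match(ev)):
                problems.append(("missed", ev))
        for ev in r.negative:
            if ev.get("source") in r.sources and r.match(ev):
                problems.append(("false_positive", ev))
        if problems:
            failures[r.id] = problems
    return failures


def never_fired(rules, events):
    """Rules silent over a whole corpus: broken logic, missing telemetry, or a coverage gap."""
    fired = {a["rule"] for a in evaluate(rules, events)}
    return sorted(r.id for r in rules if r.id not in fired)


if __name__ == "__main__":
    print("QA failures:", qa(RULES))
    for a in evaluate(RULES, CORPUS):
        print(a["rule"], a["version"], a["event"])
    print("never fired:", never_fired(RULES, CORPUS))
```

Wire `qa(RULES)` into CI so a pull request that breaks a rule (as DET-0003 is broken here) fails before deployment, keep the rule files in version control so an alert’s recorded version can be traced back to the exact logic, and run `never_fired` over production data periodically to find rules that have gone quiet because the telemetry changed underneath them.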
IoT-PTv/List-of-Tools: List of the tools and usage
A list of various hardware and IoT security tools: firmware reverse engineering, dynamic analysis, Bluetooth, radio assessment, etc.
Metasploit — A Walkthrough Of The Powerful Exploitation Framework
Nice overview by Manish Shivanandhan of the various components in Metasploit.
Politics / Privacy
Smart male chastity lock cock-up
A smart Bluetooth male chastity lock - what could go wrong? In a twist that should surprise precisely no one, the API had flaws allowing anyone to remotely lock all devices and prevent users from releasing themselves (removal then requires an angle grinder or similar), and the API also leaks precise user location data, personal info, and private chats. Also, TIL internetofdon.gs exists, a project dedicated to testing the security and privacy of… adult IoT devices.
Grocery Store Argument: The Musical
Twitter thread: A guy records himself dramatically singing in a grocery store, and then a bunch of other users add themselves to his base video with various harmonizing parts. Pretty impressive and fun.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!