• tl;dr sec
  • Posts
  • [tl;dr sec] #84 - Establishing a Cloud Security Program, Measuring Security, On Signal's Cellebrite Hack

[tl;dr sec] #84 - Establishing a Cloud Security Program, Measuring Security, On Signal's Cellebrite Hack

A roadmap for establishing a cloud security program + a task list, thoughts on measuring security, the legal implications of Signal's Cellebrite hack.

Hey there,

I hope you’ve been doing well!

Mask Up to Keep It Up

Apparently, in some cases, COVID-19 can cause erectile dysfunction (Cleveland Clinic).

Man, if we had this evidence early in the pandemic, I think things would have played out quite differently.

If I was the media, I’d be showing this all the time, everywhere (scrolling text, hourly segments).

Unfortunately, I can’t claim to have come up with this section’s title, it’s actually from this medical paper.

For context, giving the tool you created a clever name or making a witty or punny paper title is like 83% of the joy of being an academic.

The remainder is 10% mentoring students, 2% chalk that doesn’t break, 5% pleasure, 50% pain, and 100% reason to remember the name.

Impactful Weekend Hack Project Idea

Since we’re on the topic, I’d like to potentially nerd snipe someone.

I propose the following automation:

  1. Subscribe to Twitter and/or Facebook APIs, looking for references to “vaccines” and related keywords.

  2. Use NLP (or regex) to determine if the post or tweet is negative about the vaccine.

  3. Automatically post a reply like, “Hm yeah, you make a good point, but have you heard COVID-19 can cause ED , I’m pretty concerned about that…”

Bonus points:

  • Use GPT-3 to make the comment fit in to the context and conversational flow.

  • Create a series of believable puppet accounts that you can round robin through to make it less obvious.


📢 Automate IaC Security Analysis In Your CI/CD Pipeline?

Are you using infrastructure-as-code (IaC) to build a more scalable cloud environment and looking to automate security analysis of your Terraform? There are many open-source tools available, but these tools offer limited detection and create a lot of unnecessary alerts for developers. There’s a better way. Discover how to catch IaC security issues sooner, with fewer false positives.

📜 In this newsletter...

  • AppSec: Arbitrary code exec in VS Code via Rust macro, testing browser extensions, detecting malicious activity in CI/CD pipelines

  • Measuring Security: Business-friendly vulnerability management metrics, extending the error budget model to security and feature freshness

  • Web Security: New open-source web scanner with a JSON DSL

  • Cloud Security: Establishing a cloud security program, IaC scanner by AWS, tips on working with IAM

  • Container Security: Intro to using Falco with Kubernetes, helm diff

  • Red Team: Ghidra script to fix Objective-C XREFs

  • Politics / Privacy: DarkSide ransomware gang quits, 12 people are behind most vaccine hoaxes

  • Career: Security mentor club, the missing semester of your CS education

  • Misc: Some Amazon managers hire people to fire them, tracking the San Francisco tech exodus, Juul pissed off some rich parents, an open source Datadog/New Relic

  • On Signal's Cellebrite Hack: A legal perspective


This repo contains a PoC macro that shows that simply opening a malicious Rust project in VS Code will cause arbitrary code to be executed. This occurs because the rust-analyzer automatically analyzes and indexes your code, including expanding macros.

Testing Extensions in Chromium Browsers - Nordpass
Parsia Hakimian walks through manual testing of the Nordpass browser extension, including analyzing traffic between the extension and a native app, unpacking and modifying the extension, reverse engineering obfuscated JavaScript, logging and instrumenting the extension, dynamic analysis with DevTools, and exporting an extension’s functions for manual fuzzing.

Parsia joined Lewis Ardern on the excellent (and delicious) SecuriTEA & Crumpets, episode #5 to do a live demo of this process.

Detecting Malicious Activity in CI/CD Pipeline with Tracee
Simar Singh from Aqua Security describes adding Tracee to a GitHub Action CI/CD pipeline (as a service container in the background). Tracee uses eBPF to flag potentially sketchy activity, such as running strace or doing standard I/O over a socket. See Tracee’s built-in signatures here.

Measuring Security

Business-friendly vulnerability management metrics
Uber’s Serge Pastukhov & Martin Georgiev argue that instead of treating vulnerability management like a standard time series chart of the number of vulnerabilities or bugs per asset over time, it should instead be treated similar to service availability, except instead of maximizing uptime we want to minimize vulnerability exposure.

They walk through a number of increasingly precise ways to calculate it, but in short, you calculate the number of assets whose vulnerabilities are over their SLAs divided by the total number of assets, for a given time period (e.g. 30 days).

Extending the Error Budget Model to Security and Feature Freshness
USENIX SREcon 2019 talk by Pivotal’s Jim Thomson and David Laing that similarly argues for having a “vulnerability budget.” If you have a Service Level Objective (SLO) of having 99.9% uptime, once you get close to that threshold, you shift resources to focus on availability.

Likewise, having dependencies with known CVEs open for beyond a certain amount of time could reshift team resources to focus on patching.

I like that they include feature delivery as an SLO, as a business that focuses only on uptime and security, to the detriment of new features, likely won’t last long.

Web Security

Detectify releases Ugly Duckling, an open-source web scanner for ethical hackers
Detectify’s Tom Hudson and Johan Svensson have released Ugly Duckling, a Golang tool that lets you to codify a stateless web security check (one HTTP request/response) in JSON. This also makes it easier to submit modules to Detectify’s Crowdsource bug bounty program, in which they recurringly pay you if your module finds vulnerabilities for their customers. Seems quite similar to nuclei.

It’s interesting to see a number of security tools standardize on codifying “checks” or “rules” in JSON or YAML rather than a custom DSL or a full-fledged programming language, like Ugly Duckling, nuclei, Semgrep, and probably others.

Cloud Security

On Establishing a Cloud Security Program
CloudSecList’s Marco Lancini describes from the foundations through different maturity levels to reach a “best in class” solution to support and secure a product that span across multiple service providers, runs on Kubernetes, and must comply with strict regulations. Great overview. Marco also created a list of (currently) 94 tasks you can track to make this roadmap a reality.

aws-cloudformation/cloudformation-guard v2.0
(DJ Khaled voice) Another one. Guard offers a policy-as-code DSL to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules.

Top Recommendations for Working with IAM from Our AWS Heroes
(Narrator: Anyone who deals with IAM is a hero.)

  • Part 1: Rowan Udell covers how to balance developer innovation with the principle of least privilege and elaborates on IAM resource IDs.

  • Part 2: Ben Bridts shows how the IAM visual editor makes policy creation easier and explains the benefits of using federation over IAM users.

  • Part 3: Ian Mckay highlights how permissions boundaries and conditions help you limit access to AWS.

  • Part 4: Mark Nunnikhoven shares the Service Authorization Reference, which is a comprehensive list of all the permissions in AWS, and points you to the AWS CloudTrail userIdentity element that keeps track of who did what.

Container Security

An Introduction to Kubernetes Security using Falco
Frederick Fernando describes setting Falco up using Helm and detecting potential attacker activity, including using a terminal shell in a container, contacting the k8s API server from a container, and checking if the shell is in a container environment.

A helm plugin that shows a diff explaining what a helm upgrade would change. It basically generates a diff between the latest deployed version of a release and helm upgrade --debug --dry-run.

Red Team

FOX - Fix Objective-C XREFs in Ghidra
Federico Dotta and Marco Ivaldi share a Ghidra script they developed that adds XREFs (and potential XREFs) to iOS disassembled and decompiled code passed on the string arguments based to objc_msgSend.

Politics / Privacy

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

Just 12 People Are Behind Most Vaccine Hoaxes On Social Media, Research Shows
“The ‘Disinformation Dozen’ produce 65% of the shares of anti-vaccine misinformation on social media platforms.” It’s nice see Twitter and Facebook cracking down on this a bit, even if, like political polarization and election disinformation, it feels a bit too little too late.

It’d be nice to somehow allow free speech but enforce accountability. Like, you can say whatever you want, but if your words cause a lot of people to get sick or die, lose a lot of money, or otherwise make the world measurably worse, maybe there are some sort of economic or criminal repercussions. Hard to measure and prove causality though 🤷 


Security Mentor Club
If you’re looking to get some mentorship or advice from other people in the security industry, check out this new effort by Yashvier Kosaraju, Teja Myneedu, and Robert Gallagher.

The Missing Semester of Your CS Education
Topics: mastering the command-line, using a powerful text editor, using fancy features of version control systems, debugging and profiling, metaprogramming, security and cryptography, and more.


Some Amazon managers say they ‘hire to fire’ people just to meet the internal turnover goal every year
When you have a target “unregretted attrition” (URA) rate per year, some managers hire new people just to protect their existing team. Sounds like a great place to work!

Tracking the San Francisco Tech Exodus
Some pretty interesting stats and figures. Note that the data seems focused on SF, I’d be curious what the stats would be be if they included the broader Bay Area. That is, I wonder if many people and companies are leaving SF but staying local.

Juul Finds Hell Hath No Fury Like an Army of Really Rich Parents
Excerpt from the new book The Devil’s Playbook, which describes how some Silicon Valley parents, after finding vaping was rampant among their kids’ friend groups, banded together to give Juul trouble.

By @SignozHQ: “Monitor your applications and troubleshoot problems in your deployed applications, an open-source alternative to DataDog, New Relic, etc.”

Like many security professionals, I enjoyed Signal thumbing their noses at Cellebrite a few weeks ago. While it’s important to help law enforcement fight criminals, I’m a fan of privacy, and not a fan of selling security tools to repressive regimes.

But I’m not a lawyer and I don’t spend much time thinking about the legal or policy implications of my security work.

Which is why I found this lengthy article by Stanford Internet Observatory Research Scholar Riana Pfefferkorn really interesting.

It’s worth reading the whole thing, but here are a few key points I took from it:

  • Signal is unlikely to carry out on its implicit threat as it is illegal.

  • This hack likely won’t have that much impact on trials in practice.

  • The timing was suboptimal, as Cellebrite was used in a number of Capitol rioter cases that are still ongoing, and it’s another arrow in the quiver of anti E2EE law enforcement types.

I put a few more details and quotes here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!