• tl;dr sec
  • Posts
  • [tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement, Altar of the Algorithm

[tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement, Altar of the Algorithm

Potential bugs to test in 2FA implementations, tools for cloud visibility and enforcement, and how we all conform to please the algorithms around us.

Hey there,

I hope you’ve been doing well!

Security Vendor Marketing Pro-tips

It’s not easy to market something as complex as a security product.

You need to highlight your product’s salient features, differentiate from the competition, and do so in a way that’s detailed but not too opaque for people who aren’t domain experts in your area.

Fortunately, Matt Fuller shared a cheatsheet of how to do it 🤣

Open Security Summit Workshop

I’m giving a workshop starting a few hours after you receive this email!

If you can’t attend, no worries, it’ll be recorded.


📢 The Cloud Security Endgame and How To Really Shift Left

A “shift left” approach to cloud security means testing your code earlier in the development process. Studies show that fixing issues in code can take 10x less effort before deployment and 100x less effort before the project goes into maintenance. Discover how to achieve continuous security while building your cloud environment.

📜 In this newsletter...

  • Program Analysis: Query C++ code bases via SQL, auto-patching 100K+ Python code

  • AppSec: Securing Ansible configs, handling CLI secrets, building systems to protect sensitive data

  • Web Security: Testing 2FA implementations, brute-forcing Flask cookies

  • Cloud Security: Retrieving AWS security creds from the AWS console, tools for cloud visibility and enforcement, top 10 AWS identity health checks

  • Blue Team: Detecting outdated shared libraries, detecting malicious network traffic using incremental machine learning

  • Politics / Privacy: Securely erasing your iOS device, Google's efforts to protect slander victims

  • TikTok: China appreciates you sharing your voice and faceprints, influencer burnout, the altar of the algorithm

  • Misc: Atlassian security team's 20% ritual, fully homomorphic encryption resources by Google

Program Analysis

A proof-of-concept SQLite extension for querying C++ codebases that have been indexed using clangd.

Abstract Syntax Tree for Patching Code and Assessing Code Quality
Soroco’s Abdul Qadir describes scalably patching hundreds of thousands of lines of Python code using Python’s ast package. Use cases: upgrading deprecated pandas function calls, flagging single character variable names, and except clauses that don’t log exceptions.


Hack Series: Is your Ansible Package Configuration Secure?
Include Security’s Laurence Tennant describes his top 10 tips for auditing Ansible code as well as two subtle ways in which package managers may not verify signatures. Also, Ansible doesn’t natively provide a way to see the exact commands that are being run, but Laurence provides a handy strace command (in this case, looking for calls to apt)

$ sudo strace -f -e trace=execve ansible-playbook \
    playbook.yml 2>&1 | grep apt

How to Handle Secrets on the Command Line
smallstep’s Carl Tashian describes three methods for handling secrets on the command line, their risks, and how to use them as safely as possible: using piped data, credential files, and environment variables.

Protecting sensitive data at Gusto with HAPII — Part 1
Gusto’s Iain McGinniss describes the Hardened PII store (HAPII), a system built to further lock down how Gusto handles sensitive user data like SSNs. A few takeaways:

  1. Make sensitive data access explicit - easier to audit, don’t pull in data unless required.

  2. Return partial data where possible (e.g. last 4 digits of SSNs).

  3. Use usage data to engage engineering teams to understand the minimal set of PII they need.

Web Security

Testing Two-Factor Authentication
NCC Group’s @aschmitz provides an excellent walkthrough of three categories of checks to perform when assessing a 2FA implementation: general 2FA issues, authentication code-based issues, and WebAuthn security key issues. In general, WebAuthn > authentication code-based (e.g. Google Authenticator) > SMS.

Baking Flask cookies with your secrets
Flask by default signs but does not encrypt cookies. Luke Paris describes how you can bypass authentication if you can bruteforce the server’s signing secret. He scraped published secrets from GitHub and Stack Overflow to create a wordlist, used Shodan to find 1242 valid sessions, of which he was able to crack 28%. Luke has released Flask-Unsign to ease this attack.

Cloud Security

Retrieving AWS security credentials from the AWS console
Christophe Tafani-Dereeper describes how to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console, using a valid session cookie and an undocumented API. This could be useful for red teams and pen tests.

CloudSecDocs: Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.

Top ten AWS identity health checks to improve security in the cloud
k9 Security breaks down the identity health checks into 3 categories:

  • Build foundations for identity and access management

  • Establish necessary IAM users and roles for people and applications

  • Evolve IAM permissions towards least privilege

Blue Team

A simple tool to detect outdated shared libraries still linked to processes in memory, by CloudLinux.

Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
In academic papers, the machine learning models used for security applications are usually trained on bounded datasets – where the dataset has a clear start and end. NCC Group and Fox-IT’s Data Science team describe how incremental learning techniques can be applied for novelty detection (the first time something has happened) and outlier detection (rare events) on data streams derived from Zeek (the network analysis tool formely known as bro).

Politics / Privacy

Securely Erasing Your iPhone or iPad — With a Power Drill
How to take off the screen and where to drill, by The Intercept.

Google also recently created a new concept it calls “known victims.” When people report to the company that they have been attacked on sites that charge to remove posts, Google will automatically suppress similar content when their names are searched for. “Known victims” also includes people whose nude photos have been published online without their consent, allowing them to request suppression of explicit results for their names.


*world weary sigh as I realize I created a “TikTok” section*

TikTok just gave itself permission to collect biometric data on US users, including ‘faceprints and voiceprints’
The Chinese government has access to face and voice data on millions of Americans, as well as what they like, don’t like, and what affects them emotionally. What could go wrong? 😅 

TikTokers know that their fame will likely fade unless they work very, very hard to cultivate themselves into something solidly monetizable. They seamlessly toggle between their two identities — the real person and the online persona — and speak with a kind of cynicism about tying their livelihoods to a platform that could disappear in an instant.

They’re afraid of branching out from whatever the algorithm decides it likes for fear of becoming a has-been, and they’re burned out by the churn of endlessly creating content they barely even like. Some have public meltdowns, others quit for good, while even the app’s biggest star Charli D’Amelio said she often feels overwhelmed by the constant negative attention.

The influencer industry is simply the logical endpoint of American individualism, which leaves all of us jostling for identity and attention but never getting enough.

The Anxiety of Influencers
Writer and English professor Barrett Swanson describes his experience spending five days at Clubhouse, the collective of dozens of college-aged social media hopefuls living in a smattering of content mansions in Los Angeles.

The truth is that the influencer economy is just a garish accentuation of the economy writ large… we’ve become cheerfully indentured to the idea that our worth as individuals isn’t our personal integrity or sense of virtue, but our ability to advertise our relevance on the platforms of multinational tech corporations.

If we sneer and snicker at influencers’ desperate quest to win approval from their viewers, it might be because they serve as parodic exaggerations of the ways in which we are all forced to bevel the edges of our personalities and become inoffensive brands. It is a logic that extends from the retailer’s smile to the professor’s easy A to the politician’s capitulation to the co-worker’s calculated post to the journalist’s virtue-signaling tweet to the influencer’s scripted photo. The angle of our pose might be different, but all of us bow unfailingly at the altar of the algorithm.


Innovation Week - Atlassian Security Team’s 20% Time Ritual
The Atlassian Product Security team was finding they were having trouble consistently making time for 20% projects. Marisa Fagan describes how they decided to set aside 1 week every 5 weeks (20%) for everyone to spend on side projects. Neat way to ensure 20% time is taken, and I bet there’s even more energy and progress during it than if it were portioned out over time. Interesting idea!

By Google: Libraries and tools to perform fully homomorphic encryption (FHE) operations on an encrypted data set. FHE has nice privacy benefits, but as far as I know, there’s still research being done to make it efficient enough to be practical at scale in the real world.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!