[tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement, Altar of the Algorithm
Potential bugs to test in 2FA implementations, tools for cloud visibility and enforcement, and how we all conform to please the algorithms around us.
I hope you’ve been doing well!
Security Vendor Marketing Pro-tips
It’s not easy to market something as complex as a security product.
You need to highlight your product’s salient features, differentiate from the competition, and do so in a way that’s detailed but not too opaque for people who aren’t domain experts in your area.
Fortunately, Matt Fuller shared a cheatsheet of how to do it 🤣
Open Security Summit Workshop
I’m giving a workshop starting a few hours after you receive this email!
If you can’t attend, no worries, it’ll be recorded.
📢 The Cloud Security Endgame and How To Really Shift Left
A “shift left” approach to cloud security means testing your code earlier in the development process. Studies show that fixing issues in code can take 10x less effort before deployment and 100x less effort before the project goes into maintenance. Discover how to achieve continuous security while building your cloud environment.
📜 In this newsletter...
Program Analysis: Query C++ code bases via SQL, auto-patching 100K+ Python code
AppSec: Securing Ansible configs, handling CLI secrets, building systems to protect sensitive data
Web Security: Testing 2FA implementations, brute-forcing Flask cookies
Cloud Security: Retrieving AWS security creds from the AWS console, tools for cloud visibility and enforcement, top 10 AWS identity health checks
Blue Team: Detecting outdated shared libraries, detecting malicious network traffic using incremental machine learning
Politics / Privacy: Securely erasing your iOS device, Google's efforts to protect slander victims
TikTok: China appreciates you sharing your voice and faceprints, influencer burnout, the altar of the algorithm
Misc: Atlassian security team's 20% ritual, fully homomorphic encryption resources by Google
Abstract Syntax Tree for Patching Code and Assessing Code Quality
Soroco’s Abdul Qadir describes scalably patching hundreds of thousands of lines of Python code using Python’s ast package. Use cases: upgrading deprecated pandas function calls, flagging single character variable names, and except clauses that don’t log exceptions.
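To make the ast-based approach concrete, here is an added example (my own code, not Soroco's tooling) that does the two kinds of work the article describes: a NodeVisitor that flags single-character assignment targets and except clauses that neither log nor re-raise, and a NodeTransformer that renames a deprecated method call. The `as_matrix` → `to_numpy` mapping, the logger names and the sample module are constructed for this illustration.

```python
import ast

# Names that, when used as the object of a method call, count as "logging happened".
LOGGER_NAMES = {"logging", "logger", "log"}
LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}
ALLOWED_SHORT_NAMES = {"_"}  # conventional throwaway name, not flagged
# Illustrative mapping assumed for this example: deprecated pandas method -> replacement.
DEPRECATED_METHODS = {"as_matrix": "to_numpy"}


def _is_log_call(node):
    """True for calls like logging.exception(...), logger.error(...), log.warning(...)."""
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
        return False
    target = node.func.value
    return (isinstance(target, ast.Name) and target.id in LOGGER_NAMES) or node.func.attr in LOG_METHODS


class QualityVisitor(ast.NodeVisitor):
    """Collects (kind, lineno, detail) tuples for the two checks."""

    def __init__(self):
        self.issues = []

    def visit_Name(self, node):
        # Store context = assignment target, loop variable, with-target, etc.
        if isinstance(node.ctx, ast.Store) and len(node.id) == 1 and node.id not in ALLOWED_SHORT_NAMES:
            self.issues.append(("short-name", node.lineno, node.id))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # A handler is "silent" if nothing inside it logs or re-raises.
        if not any(_is_log_call(n) or isinstance(n, ast.Raise) for n in ast.walk(node)):
            caught = ast.unparse(node.type) if node.type is not None else "bare"
            self.issues.append(("silent-except", node.lineno, caught))
        self.generic_visit(node)


def find_issues(source):
    visitor = QualityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.issues


class DeprecatedCallRewriter(ast.NodeTransformer):
    def __init__(self):
        self.rewritten = 0

    def visit_Attribute(self, node):
        self.generic_visit(node)
        if node.attr in DEPRECATED_METHODS:
            node.attr = DEPRECATED_METHODS[node.attr]
            self.rewritten += 1
        return node


def rewrite_deprecated(source):
    """Return (patched_source, number_of_rewrites). ast.unparse drops comments and
    reformats, so a production patcher would apply the edits by source position instead."""
    tree = ast.parse(source)
    rewriter = DeprecatedCallRewriter()
    tree = rewriter.visit(tree)
    return ast.unparse(ast.fix_missing_locations(tree)), rewriter.rewritten


# Constructed sample module for the demo; not code from the article.
SAMPLE = """
import logging
import pandas as pd

def load(path):
    df = pd.read_csv(path)
    x = df.as_matrix()
    try:
        total = x.sum()
    except Exception:
        total = 0
    try:
        n = len(x)
    except Exception as e:
        logging.exception("len failed: %s", e)
        n = 0
    return total, n
"""

if __name__ == "__main__":
    for issue in find_issues(SAMPLE):
        print(issue)
    patched, count = rewrite_deprecated(SAMPLE)
    print(f"{count} call(s) rewritten")
    print(patched)
```

Running it on the sample reports `x` and `n` as one-character names, flags the first except clause (it swallows the error) but not the second (it calls `logging.exception`), and rewrites `df.as_matrix()` to `df.to_numpy()`.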
Hack Series: Is your Ansible Package Configuration Secure?
Include Security’s Laurence Tennant describes his top 10 tips for auditing Ansible code as well as two subtle ways in which package managers may not verify signatures. Also, Ansible doesn’t natively provide a way to see the exact commands that are being run, but Laurence provides a handy strace command (in this case, looking for calls to apt):
$ sudo strace -f -e trace=execve ansible-playbook playbook.yml 2>&1 | grep apt
How to Handle Secrets on the Command Line
smallstep’s Carl Tashian describes three methods for handling secrets on the command line, their risks, and how to use them as safely as possible: using piped data, credential files, and environment variables.
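As an added illustration (my code, not from Carl Tashian's post), the loader below accepts a secret by exactly the three routes named above and applies the obvious safeguard to each: a credential file must not be group- or world-readable, piped data is read from the stream rather than echoed anywhere, and an environment variable is popped rather than read so later child processes don't inherit it. Command-line arguments are deliberately not an option, since they are visible in `ps` output and shell history. The variable name `APP_TOKEN` and the demo values are constructed.

```python
import io
import os
import stat
import tempfile

ENV_VAR = "APP_TOKEN"  # hypothetical variable name for this example


def read_secret_file(path):
    """Credential file: refuse anything group- or world-accessible, then read one line."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others; expected mode 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def load_secret(file_path=None, stream=None, environ=None):
    """Return (secret, source). Precedence: file, then piped stream, then environment."""
    environ = os.environ if environ is None else environ
    if file_path is not None:
        return read_secret_file(file_path), "file"
    if stream is not None:
        secret = stream.readline().rstrip("\r\n")
        if not secret:
            raise ValueError("expected the secret as the first line on stdin")
        return secret, "stdin"
    if ENV_VAR in environ:
        # pop, not get: anything this process spawns later must not inherit the value
        return environ.pop(ENV_VAR), "env"
    raise LookupError(f"supply the secret via a 0600 file, stdin, or ${ENV_VAR}")


def demo():
    """Exercise all three routes with constructed inputs; returns what each attempt produced."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "token")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("file-secret\n")
        os.chmod(path, 0o600)
        results.append(load_secret(file_path=path))
        os.chmod(path, 0o644)  # now world-readable: must be rejected
        try:
            load_secret(file_path=path)
        except PermissionError:
            results.append(("rejected", "file"))
    results.append(load_secret(stream=io.StringIO("stdin-secret\n")))
    env = {ENV_VAR: "env-secret"}  # stand-in for os.environ
    results.append(load_secret(environ=env))
    results.append(("gone", "env") if ENV_VAR not in env else ("still-present", "env"))
    return results


if __name__ == "__main__":
    for item in demo():
        print(item)
```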
Protecting sensitive data at Gusto with HAPII — Part 1
Gusto’s Iain McGinniss describes the Hardened PII store (HAPII), a system built to further lock down how Gusto handles sensitive user data like SSNs. A few takeaways:
Make sensitive data access explicit - easier to audit, don’t pull in data unless required.
Return partial data where possible (e.g. last 4 digits of SSNs).
Use usage data to engage engineering teams to understand the minimal set of PII they need.
Testing Two-Factor Authentication
NCC Group’s @aschmitz provides an excellent walkthrough of three categories of checks to perform when assessing a 2FA implementation: general 2FA issues, authentication code-based issues, and WebAuthn security key issues. In general, WebAuthn > authentication code-based (e.g. Google Authenticator) > SMS.
Baking Flask cookies with your secrets
Flask by default signs but does not encrypt cookies. Luke Paris describes how you can bypass authentication if you can brute-force the server’s signing secret. He scraped published secrets from GitHub and Stack Overflow to create a wordlist, used Shodan to find 1242 valid sessions, of which he was able to crack 28%. Luke has released Flask-Unsign to ease this attack.
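The "signed but not encrypted" point is easy to see in code. The added example below (my own, not from Luke's post or Flask-Unsign) builds a session cookie with the same parameters Flask's default session interface uses (itsdangerous' URLSafeTimedSerializer, HMAC-SHA1, salt `cookie-session`, HMAC key derivation) using only the standard library, then shows that anyone can read the payload with no key at all, while forging one is exactly as hard as guessing `SECRET_KEY`. The secret and session contents are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's default session salt
SEP = b"."


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key):
    # key_derivation="hmac": HMAC-SHA1 over the salt, keyed with the app secret
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def make_session_cookie(session, secret_key, now=None):
    """Serialize a session dict the way Flask does: base64 payload . base64 timestamp . base64 HMAC."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    # itsdangerous only compresses when it saves space, and marks that with a leading '.'
    body = b"." + _b64e(compressed) if len(compressed) < len(payload) else _b64e(payload)
    ts = int(time.time()) if now is None else now
    signed = body + SEP + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret_key), signed, hashlib.sha1).digest()
    return (signed + SEP + _b64e(sig)).decode()


def decode_session_payload(cookie):
    """Read the session contents with NO key: the signature protects integrity, not confidentiality."""
    raw = cookie.encode()
    compressed = raw.startswith(b".")
    if compressed:
        raw = raw[1:]
    body, _ts, _sig = raw.rsplit(SEP, 2)
    data = _b64d(body)
    if compressed:
        data = zlib.decompress(data)
    return json.loads(data)


def verify_session_cookie(cookie, secret_key, max_age=None, now=None):
    """True only if the HMAC matches this secret (and the timestamp is fresh, if max_age is given)."""
    raw = cookie.encode()
    signed, _, sig = raw.rpartition(SEP)
    try:
        provided = _b64d(sig)
        ts = int.from_bytes(_b64d(signed.rpartition(SEP)[2]), "big")
    except (binascii.Error, ValueError):
        return False
    expected = hmac.new(_derive_key(secret_key), signed, hashlib.sha1).digest()
    if not hmac.compare_digest(provided, expected):
        return False
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - ts > max_age:
            return False
    return True


if __name__ == "__main__":
    secret = "s3cret-for-demo"  # constructed; a real SECRET_KEY should be long and random
    cookie = make_session_cookie({"user_id": 42, "role": "user"}, secret)
    print("cookie  :", cookie)
    print("payload :", decode_session_payload(cookie), "(read without the key)")
    print("genuine :", verify_session_cookie(cookie, secret))
    forged = make_session_cookie({"user_id": 42, "role": "admin"}, "wrong-guess")
    print("forged  :", verify_session_cookie(forged, secret))
```

Two defensive consequences follow directly: nothing confidential belongs in a Flask session, because the payload is plaintext to the browser and anyone on the wire, and the only barrier to a forged `role: admin` cookie is the unguessability of `SECRET_KEY`, so generate it with a CSPRNG rather than copying one from a tutorial, and set a session lifetime so a leaked cookie stops working.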
Retrieving AWS security credentials from the AWS console
Christophe Tafani-Dereeper describes how to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console, using a valid session cookie and an undocumented API. This could be useful for red teams and pen tests.
Top ten AWS identity health checks to improve security in the cloud
k9 Security breaks down the identity health checks into 3 categories:
Build foundations for identity and access management
Establish necessary IAM users and roles for people and applications
Evolve IAM permissions towards least privilege
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
In academic papers, the machine learning models used for security applications are usually trained on bounded datasets – where the dataset has a clear start and end. NCC Group and Fox-IT’s Data Science team describe how incremental learning techniques can be applied for novelty detection (the first time something has happened) and outlier detection (rare events) on data streams derived from Zeek (the network analysis tool formerly known as Bro).
Politics / Privacy
Securely Erasing Your iPhone or iPad — With a Power Drill
How to take off the screen and where to drill, by The Intercept.
*world weary sigh as I realize I created a “TikTok” section*
TikTok just gave itself permission to collect biometric data on US users, including ‘faceprints and voiceprints’
The Chinese government has access to face and voice data on millions of Americans, as well as what they like, don’t like, and what affects them emotionally. What could go wrong? 😅
The Anxiety of Influencers
Writer and English professor Barrett Swanson describes his experience spending five days at Clubhouse, the collective of dozens of college-aged social media hopefuls living in a smattering of content mansions in Los Angeles.
Innovation Week - Atlassian Security Team’s 20% Time Ritual
The Atlassian Product Security team was finding they were having trouble consistently making time for 20% projects. Marisa Fagan describes how they decided to set aside 1 week every 5 weeks (20%) for everyone to spend on side projects. Neat way to ensure 20% time is taken, and I bet there’s even more energy and progress during it than if it were portioned out over time. Interesting idea!
By Google: Libraries and tools to perform fully homomorphic encryption (FHE) operations on an encrypted data set. FHE has nice privacy benefits, but as far as I know, there’s still research being done to make it efficient enough to be practical at scale in the real world.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!