[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China's censorship power is felt around the world.
I hope you've been doing well!
Just links this time, no summary, as I've been busy prepping for a ShellCon talk this weekend on building simple but useful lightweight static analyses using open source tools.
Google has been working on a new sanitizer, the Kernel Concurrency Sanitizer (KCSAN). "In their testing just last month, in two days they found over 300 unique data race conditions within the mainline (Linux) kernel." Whoa. 🔥
A bash script that documents and walks through using pretty much every
Duo Labs released Journal, their tool for centralizing research notes and publishing articles. Journal is composed of a Hugo (Golang static site generator) template and a CLI tool that can create/publish posts and convert Jupyter notebooks and R markdown for easy inclusion.
Excellent Twitter thread of advice by Phil Venables: "When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving."
Autonomy and the Death of CVEs?
Tools like Google's ClusterFuzz find thousands of bugs a year.
Many of these bugs are security-relevant. Based on Chrome and oss-fuzz data, that's 100's of security bugs discovered per year.
There is no way to automatically report and index these bugs; filing a CVE and getting the database updated takes manual work, so many of these security bugs never get CVEs!
Yet we depend on indexes like the MITRE CVE database to tell us whether we’re running known vulnerable software.
Add structure to CVE and CWE databases that is machine parsable.
Create a system where autonomous systems can report bugs that other autonomous systems can consume. Lower fidelity than a human-verified system (potential FPs/FNs), but it would help us move faster.
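To make the proposal concrete, here is an added example (not from the original newsletter or from any of the projects it mentions) of what "bugs that other autonomous systems can consume" could look like: a constructed, machine-parsable report format that a fuzzer could emit, and a consumer that checks an asset inventory against it. The schema, field names, package names and version numbers are all assumptions made here for illustration, not a real CVE, OSV or ClusterFuzz format. Automated reports carry a `confidence` score and a `verified` flag, so a consumer can decide how much lower fidelity it is willing to accept.

```python
"""
Constructed machine-readable bug reports plus a consumer that matches them
against an inventory of installed software. Everything below (schema, package
names, versions, confidence values) is made up for this example.
"""
import json

# Constructed sample: what an autonomous finder might publish.
REPORTS_JSON = """
[
  {"id": "AUTO-0001", "source": "fuzzer", "package": "libfoo",
   "affected": [{"introduced": "2.0.0", "fixed": "2.4.0"}],
   "signature": "heap-buffer-overflow in foo_parse", "verified": false,
   "confidence": 0.8},
  {"id": "AUTO-0002", "source": "fuzzer", "package": "libbar",
   "affected": [{"introduced": "0.5.0"}],
   "signature": "use-after-free in bar_free", "verified": true,
   "confidence": 0.95},
  {"id": "AUTO-0003", "source": "fuzzer", "package": "libbaz",
   "affected": [{"introduced": "1.1.0", "fixed": "1.2.0"}],
   "signature": "null-deref in baz_init", "verified": false,
   "confidence": 0.6}
]
"""
REPORTS = json.loads(REPORTS_JSON)

# Constructed sample: what an asset inventory system knows is installed.
INVENTORY = {"libfoo": "2.3.1", "libbar": "0.9.0", "libbaz": "1.0.0"}


def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) range.

    A range without 'fixed' means no fix is known yet, so every version at or
    above 'introduced' counts as affected.
    """
    ver = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        if ver >= lo and (hi is None or ver < hi):
            return True
    return False


def match_reports(reports, inventory, min_confidence=0.0):
    """Return one finding per report whose package is installed in an
    affected version and whose confidence meets the caller's threshold."""
    findings = []
    for rep in reports:
        if rep.get("confidence", 1.0) < min_confidence:
            continue  # consumer chose not to trust low-fidelity reports
        installed = inventory.get(rep["package"])
        if installed is None:
            continue  # package not present, nothing to check
        if is_affected(installed, rep["affected"]):
            findings.append({
                "report_id": rep["id"],
                "package": rep["package"],
                "installed": installed,
                "verified": rep["verified"],
                "signature": rep["signature"],
            })
    return findings


if __name__ == "__main__":
    for f in match_reports(REPORTS, INVENTORY):
        flag = "verified" if f["verified"] else "unverified"
        print(f'{f["report_id"]}: {f["package"]} {f["installed"]} ({flag}) {f["signature"]}')
```

Two design points worth noting: versions are compared as integer tuples, because a string comparison would rank `2.10.0` below `2.9.0`; and an open-ended range (no `fixed` key) is treated as still affected, which is the common state for a freshly fuzzed crash that has no patch yet.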
HTTP desync attacks continue
You can read James Kettle's bug bounty report to New Relic ("This is a pretty dope bug.")
The Black Hat video isn't live yet, but it looks like he gave a similar talk at BSides Manchester.
FYI: If you're not familiar with his work yet, James Kettle is a web app pen testing wizard, and anything he puts out is worth reviewing.
James Mickens gets tenure
James Mickens' Harvard tenure announcement is as hilarious as the articles he writes and talks he gives.
For one example, from the abstract of his Usenix 2018 keynote "Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?":
A new contender in asset inventory security start-ups
Tanya Janca, a globetrotting frequent speaker, recently left a cloud security role at Microsoft to do a start-up, which she just announced: Security Sidekick, "real-time web app inventory and vulnerability discovery."
It'll be interesting to see how her company differentiates, as asset inventory seems to be a hot/crowded area right now (e.g. one of the things Jupiter One seems to do, as mentioned in tl;dr sec #8).
The Chinese censorship machine is broader than you realize
The continued protests in Hong Kong are showing how powerful the Chinese government's censorship powers are outside of their borders. (Some good additional thoughts by Stratechery.)
Let's review an incomplete list of examples:
1. The Houston Rockets general manager posted a pro-Hong Kong democracy tweet, various Chinese companies were upset, then the NBA went into damage control mode.
3. Video games
Blizzard suspends a professional Hearthstone player for Hong Kong comments.
A Twitter thread with some interesting context from a video game industry veteran:
Finally (4): the screen industry
Hollywood is already inserting or cutting scenes to make Chinese censors happy.
Dalian Wanda, China's largest commercial property company and movie theater operator, is actively acquiring U.S. cinema assets.
In 2012, Wanda bought AMC Entertainment, the second largest U.S. movie theater chain. This year, AMC is buying Carmike Cinemas, which would form the largest movie theater chain in the country.
Wanda bought Legendary Entertainment (production company behind The Dark Knight Trilogy) and is interested in Lionsgate (The Hunger Games). When they acquired Legendary, they called it, "China's largest cross-border cultural acquisition to date."
Wanda's founder and chairman is a former Communist deputy and the company has received at least $1.1 billion in government subsidies.
"The control of both production and distribution channels allows him to censor movies in their development stage and after release. In theory, he could prevent his movie theaters from playing films unapproved by the Communist Party."
South Park has been wiped from the Chinese-accessible Internet due to their "Band in China" episode that criticizes how American media adjusts content to accommodate Chinese censorship rules.
Trolling tweet from the South Park creators: "Like the NBA, we welcome the Chinese censors into our homes and into our hearts. We too love money more than freedom and democracy." Oh snap!
To summarize, the Chinese government is already:
Influencing one of the biggest video game companies (Blizzard).
Making an NBA team manager apologize for acknowledging widespread protests that are currently happening.
Apple, one of the biggest and most profitable tech companies, is censoring emoji and giving the Chinese government control over user data.
Major Hollywood films are adding, removing, or changing scenes to please the censors, and a Chinese media company is actively acquiring U.S. cinemas and film production companies while acknowledging this is about extending China's soft power abroad. 😅
Today it's Hong Kong, tomorrow it's...?
Mo money mo problems
What Really Happens When You Become an Overnight Millionaire? is a fascinating article about Peter Rahal, who bootstrapped RxBar out of his mom's kitchen, took no funding, then sold it for $600 million.
People spend a lot of time dreaming about "making it," but rarely ask, "How will my life change once I've 'made it'?"
To be honest, at least for me, having hundreds of millions of dollars would probably be more stressful than it's worth.
A few million would be OK though, as that'd get me a small studio in SF (with a bad view and no in-unit laundry) ;-)
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!