[tl;dr sec] #90 - Eradicating Subdomain Takeovers, GitHub's AI Pair Programmer, Testing File Upload Functionality
Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHub's Copilot can suggest whole functions within VS Code, resources for assessing and securing file upload functionality.
I hope you’ve been doing well!
Out of Context
Recently I was talking a walk, minding my own business, when a woman in a car slowed down, rolled down the window, and said, gesturing at me and the area behind me:
And drove off.
In college, I was in an improv comedy troupe, and one thing we liked to do was take snippets of real conversations we overheard on campus and use them to initiate warm-up scenes at the beginning of rehearsal.
The type of conversation fragments that make no sense out of context, that make you laugh and try to imagine the context that would make those words in that order make sense.
It was a joy to bring those words to life, in a context probably very different than the original.
So the next time you overhear a fun snippet of conversation, try storing it in your back pocket and use it later with a friend. I bet you’ll have fun 😃
📢 Do the impossible for free - cloud-native cyber asset security with JupiterOne
Effective cyber asset governance sounds like a dream. Building a security program based on up to date knowledge of your cyber assets is not only possible, it’s easy. JupiterOne integrates with your security and infrastructure stacks to provide graph-based and context-driven cloud-native visibility and security. Deliver compliance, cloud security posture management, security operations, and more on the back of the JupiterOne platform. Log in, integrate and get started for free!
📜 In this newsletter...
AppSec: Terraform for Google Workspace, reflections on GitHub's bug bounty program, Google's JSON schema for vulnerability data, tool to apply changes across many GitHub repos simultaneously
Web Security: Repo of media exploit files, file upload testing methodology by community members and OWASP
Cloud Security: Back up your GitHub account to S3, auto-tagging your infrastructure with code, eliminating subdomain takeovers
Container Security: Find unused Kubernetes resources, easily sharing your dev environment with Docker
Blue Team: Awesome GRC, open source no-code SOAR platform
Politics / Privacy: Governments using apps to get people to collect OSINT, when to pay ransomware
Tech Company News: Google's execs see cracks in their success, inside look at Airbnb's 'black box' safety team
Misc: Find useful repo forks, saving enough money to buy a house with your parent's money, GitHub's AI pair programmer
Announcing the Google Workspace Provider for HashiCorp Terraform Tech Preview
A new Terraform provider allows you to manage users, groups, and domains in your Google Workspace (formerly G Suite).
Seven years of the GitHub Security Bug Bounty program
GitHub’s Greg Ose shares their favorite bug and a number of 2020 highlights. Emphasis in the quote below is mine.
Announcing a unified vulnerability schema for open source
Google’s Oliver Chang and Russ Cox announce a unified JSON schema for vulnerability data, and a web UI for searching the aggregated results: https://osv.dev/list. Access vulnerability data with a single curl, no sign-ups/API keys needed.
Naively, SCA seems to be largely a data problem, so I wonder if Google (or someone else) will build a Snyk competitor on top of all of these useful data sources and primitives 🤔
A simple tool to help apply changes across many GitHub repositories simultaneously (forking, cloning, committing, and raising PRs en-masse), so that you can focus on the substance of the change). Some tips:
By @barracud4_: A repository of various media files for known attacks on web applications processing media files (DoS attacks, GhostScript, MemoryLeaks, etc.). Useful for penetration tests and bug bounty.
Using Yor for ownership mapping using YAML tag groups
By Bridgecrew’s Naor David: “Yor is an open source tool that supports auto-tagging of infrastructure from code to cloud by adding metadata such as repository, commit and path, and the last modifier of the code based on git log data. You can expand those out-of-the-box tags into additional common tags such as Operation team, cost center, and environment.”
How we prevented subdomain takeovers and saved $000s
OVO’s Paul Schwarzenberger describes Domain Protect, a new open source tool they’ve released that leverages AWS Lambdas and SNS to proactively, continuously scan for subdomain takeover vulnerabilities.
And note their thought process behind it, which I strongly agree with: they started a private bug bounty program -> over half of the identified issues were subdomain takeovers -> build tooling to address this entire vulnerability class.
A curated list of resources for security Governance, Risk Management, Compliance and Audit professionals, by Ayoub Fandi, including a nice overview, relevant frameworks and regulations, books, talks/videos, podcasts, and more.
Jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Over 50 open source integrations that include alerting and monitoring, asset management, software packaging and deployment, security playbooks, SIEM and XDR.
Politics / Privacy
App Taps Unwitting Users Abroad to Gather Open-Source Intelligence
Typical assignments involve snapping photos, filling out surveys or doing other basic data collection or observational reporting such as counting ATMs or reporting on the price of consumer goods like food.
Negotiating Ransoms: When to Play and When to Fold
Kim Zetter interviews Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims.
It boils down to: what is the financial impact to the business that could be averted by hastening the recovery? (e.g. “This is costing us X per day in lost business, and paying will shave a week off of recovery time.”)
Often it takes several days to determine the quality of your backups, so you proceed in the negotiation, then before paying you’ve determined if you need to.
Having proper backups isn’t sufficient. Say you have 50 PB of data in a facility 30 miles away. You start restoring from backup and realize it’s going to take 70 years.
Rebuild an entirely new network, don’t use the ransomed systems again. Re-image all servers, re-install all applications, and load data from backups onto these green-network machines.
Tech Company News
Inside Airbnb’s ‘Black Box’ Safety Team: Company Spends Millions on Payouts
An inside glimpse into all of the bad things that can happen when you’re building a platform that relies on trusting strangers at scale, and what Airbnb has done to keep a positive reputation.
Interestingly, over time Airbnb has hired various ex-CIA / ex-military people to lead their crisis management teams, including Nick Shapiro, the former deputy chief of staff at the Central Intelligence Agency and National Security Council adviser in the Obama White House. Trigger warning, the article references some bad stuff.
Type in a repo’s name and get a list of useful forks; that is, forks that have additional activity beyond the original fork, sorted by number of stars.
How I Saved Enough to Buy a House With My Parents’ Money
Tongue-in-cheek article by McSweeney’s.
🔥 Introducing GitHub Copilot: your AI pair programmer
Mind the telemetry terms though, which seem to say basically that they’ll see all the snippets you generate or approve, and potentially any file in any VS Code workspace you have open.
Also, @eevee raises an interesting point regarding copyright:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!