
[tl;dr sec] #93 - Reading Your CSO's Performance Review, Fuzzing, NSO Group

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog.)

Hey there,

I hope you’ve been doing well!

Love at First Meme

People used to find their spouse through family, mutual friends, or who happened to live nearby.

But something was missing.

Then, dating websites and apps proliferated, leading to a greater pool of potential candidates. Dating became gamified, as you were always only a few swipes away from texting a cutie.

But something was missing.

Then, newer apps mixed in multi-media, like voice, video, or the blockchain. Meet Viola.ai:

But something was still missing.

Finally, with Schmooze, dating has reached its zenith: find your soulmate by being matched with people who love similar memes (more backstory).

In case you weren’t already sold:

“Schmooze is part built on AI-driven algorithms and part monitored by a team of ‘meme officers.’”

Wow 🤣 Well, we live in a society.

Sponsor

📢 Why the Largest SaaS Providers are investing in SaaS Security and in AppOmni

People are often surprised to learn that Salesforce Ventures and ServiceNow Ventures are investors in AppOmni, and in SaaS Security in general. But they shouldn’t be. One of the primary goals of SaaS vendors is to ensure that their customers maintain secure SaaS environments, and they know that AppOmni is one of the best ways to do so. AppOmni automates the tracking of security settings, user permissions, 3rd party app access, and API configurations. We make it easy for security and IT teams to keep SaaS data secure, without adding additional workload. Watch the video to find out more.

📜 In this newsletter...

  • AppSec: Cybersecurity for the Board, RCE in cdnjs

  • Cloud Security: Scott Piper discusses his Cloud Security Roadmap, AWS incident response playbooks, how would you do your AWS from scratch?

  • Container Security: Istio's first security assessment released, sign container images with cosign and verify with OPA

  • Fuzzing: Fuzzing Android native libraries, fuzzing macOS, automatically generate harnesses, libafl

  • Blue Team: Mapping of technology and vendor tools to NIST CSF, TTPs used by Chinese state-sponsored actors

  • Red Team: Exploit development and kernel pools

  • Politics / Privacy: Data leak shows NSO Group tools targeting activists, how to catch NSO Group's Pegasus, toolkit to detect potential compromise of mobile devices, companies that map mobile ad IDs to PII, senior U.S. military officials were making plans to prevent a coup after the 2020 election

  • OSINT: Collection of 300+ OSINT tools

  • Leadership: Mindful leadership, a CSO who shares his performance review with the full company

  • Misc: Search TV shows and movies by a word or phrase, it's never been better to be talent

AppSec

Cybersecurity - The Board’s Perspective
Google’s Phil Venables describes what Boards should expect from management with respect to cybersecurity.

Remote code execution in cdnjs of Cloudflare
RyotaK describes a remote code execution bug they found in Cloudflare’s cdnjs that, no big deal, could have allowed tampering with 12.7% of all websites 😅 Path traversal via a specially crafted .tgz name plus some symbolic link trickery. Nice example of a security review workflow.

Cloud Security

Building Cloud Security RoadMap
Scott Piper joins Ashish Rajan’s Cloud Security Podcast to discuss Scott’s excellent AWS Security Maturity Roadmap, cloud security from start-ups to medium and large companies, getting started in cloud security, and more.

aws-samples/aws-incident-response-playbooks
Repo by AWS’ Frank Phillis that contains playbooks covering several common scenarios: credential compromise, unintended S3 bucket access, web app DoS / DDoS, and ransomware. The playbooks outline steps based on the NIST Computer Security Incident Handling Guide.

Container Security

Announcing the results of Istio’s first security assessment
Istio describes the results of NCC Group’s assessment and shares the report. No Criticals, 4 Highs, the rest Medium, Low, and Informational. See the Security Best Practices and hardening guide.

Sign Container Images with cosign and Verify signature with Open Policy Agent
Batuhan Apaydın and Furkan Türkal describe how to ensure only images that have valid signatures can be deployed into production-grade Kubernetes clusters.

Fuzzing

ant4g0nist/Sloth
A coverage-guided fuzzing framework for fuzzing Android native libraries that makes use of libFuzzer and QEMU user-mode emulation, by Chaithu (blog post).

ant4g0nist/ManuFuzzer
Also by Chaithu: a binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM. Supports Apple Silicon.

parikhakshat/autoharness
A tool that automatically generates fuzzing harnesses for you, using LLVM and Clang for libFuzzer, CodeQL for finding functions, and Python for the overall program.

AFLplusplus/LibAFL
By Andrea Fioraldi, Dominik Maier, and team: a collection of reusable pieces of fuzzers, written in Rust. Fast, multi-platform (Windows, Android, macOS, Linux), no_std compatible, and scales over cores and machines. Includes different modes like binary-only Frida mode, is easy to extend with grammar fuzzing, and more.

Blue Team

mikeprivette/NIST-to-Tech
An open-source listing of cybersecurity technologies and vendor tools mapped to the NIST Cybersecurity Framework (CSF).

CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs
Tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors, as well as recommended mitigations.

Some targeted sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.

Red Team

Politics / Privacy

Revealed: leak uncovers global abuse of cyber-surveillance weapon
The Guardian reports that NSO Group sold spyware to authoritarian regimes who used it to target activists, politicians and journalists.

Forensic Methodology Report: How to catch NSO Group’s Pegasus
Great, detailed write-up by Amnesty International and Citizen Lab.

mvt-project/mvt
Mobile Verification Toolkit by Amnesty International’s @botherder and @tenacioustek is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.

They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other PII. Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.

The top US military officer, Chairman of the Joint Chiefs Gen. Mark Milley, was so shaken that then-President Donald Trump and his allies might attempt a coup or take other dangerous or illegal measures after the November election that Milley and other top officials informally planned for different ways to stop Trump, according to excerpts of an upcoming book obtained by CNN.

Milley viewed Trump as “the classic authoritarian leader with nothing to lose,” the authors write, and he saw parallels between Adolf Hitler’s rhetoric as a victim and savior and Trump’s false claims of election fraud.

Ahead of a November pro-Trump “Million MAGA March” to protest the election results, Milley told aides he feared it “could be the modern American equivalent of ‘brownshirts in the streets,’” referring to the pro-Nazi militia that fueled Hitler’s rise to power.

OSINT

OSINT tools collection
Over 300 OSINT tools collected by Osint Stuff and grouped by category: social media, domain/IP/links, image search and identification, code, search engines, archives, people search, and more.

Leadership

Mindful Leadership: A Conversation between Tara Brach and Michelle Maldonado
“In these times of mistrust and dividedness, our world desperately needs each of us to cultivate the qualities of focus, presence, care, respect, clarity, and curiosity that mark a true leader.” H/T Jason Chan

A C-suite executive shared his performance review to all 1,400 people in the company to promote a culture of feedback. Read the email he sent.
Pretty cool transparency by Gusto CSO Fredrick Lee. Unpaywalled images of his review: 1 2 3 4 5. H/T Rami for the Archive.org trick.

Feedback and transparency are such powerful tools. By sharing my feedback/performance reviews with the entire company, my peers and reports have much better insight into where my strengths and weaknesses are. This enables them to have better situational awareness.

Yes, everyone gets access to my performance reviews. I have the advantage of getting over 1400 people holding me accountable and strengthening me via their feedback. Transparency and feedback are super powers everyone should have access to.

Misc

yarn.co
Search a vast number of TV shows and movies by word or phrase; filter by genre, decade, title, and more.

It’s Never Been Better To Be Talent
Facebook, TikTok, YouTube, Pinterest, and others have all pledged millions to billions of funding for creators. Unrelatedly, I’ve been working on launching OnlySec.com, where you can tune in for my personal musings on security, unkempt as I make my morning coffee, during my night time bed routine, etc. #nofilter

We’re seeing a stark — but inevitable — shift in the conventional belief that user-generated content was enough to fill social platforms’ feeds, and keep them vibrant. It turns out that making videos, photos, or words that people want to watch or read is difficult. Only a select few are good at it. And the platforms are all competing for their work. So, it’s advantage: talent.

Thanks for reading!

Cheers,

Clint