- tl;dr sec
- Posts
- [tl;dr sec] #93 - Reading Your CSO's Performance Review, Fuzzing, NSO Group
[tl;dr sec] #93 - Reading Your CSO's Performance Review, Fuzzing, NSO Group
[tl;dr sec] #93 - Reading Your CSO's Performance Review, Fuzzing
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog
)
Hey there,
I hope you’ve been doing well!
Love at First Meme
People used to find their spouse through family, mutual friends, or who happened to live nearby.
But something was missing.
Then, dating websites and apps proliferated, leading to a greater pool of potential candidates. Dating became gamified, as you were always only a few swipes away from texting a cutie.
But something was missing.
Then, newer apps mixed in multi-media, like voice, video, or the blockchain. Meet Viola.ai:
But something was still missing.
Finally, with Schmooze, dating has reached its zenith: find your soulmate by being matched with people who love similar memes (more backstory).
In case you weren’t already sold:
“Schmooze is part built on AI-driven algorithms and part monitored by a team of “meme officers.”
Wow 🤣 Well, we live in a society.
Sponsor
📢 Why the Largest SaaS Providers are investing in SaaS Security and in AppOmni
People are often surprised to learn that Salesforce Ventures and ServiceNow Ventures are investors in AppOmni, and in SaaS Security in general. But they shouldn’t be. One of the primary goals of SaaS vendors is to ensure that their customers maintain secure SaaS environments, and they know that AppOmni is one of the best ways to do so. AppOmni automates the tracking of security settings, user permissions, 3rd party app access, and API configurations. We make it easy for security and IT teams to keep SaaS data secure, without adding additional workload. Watch the video to find out more.
📜 In this newsletter...
AppSec: Cybersecurity for the Board, RCE in cdnjs
Cloud Security: Scott Piper discusses his Cloud Security Roadmap, AWS incident response playbooks, how would you do your AWS from scratch?
Container Security: Istio's first security assessment released, sign container images with cosign and verify with OPA
Fuzzing: Fuzzing Android native libraries, fuzzing macOS, automatically generate harnesses, libafl
Blue Team: Mapping of technology and vendor tools to NIST CSF, TTPs used by Chinese state-sponsored actors
Red Team: Exploit development and kernel pools
Politics / Privacy: Data leak shows NSO Group tools targeting activists, how to catch NSO Group's Pegasus, toolkit to detect potential compromise of mobile devices, companies that map mobile ad IDs to PII, senior U.S. military officials were making plans to prevent a coup after the 2020 election
OSINT: Collection of 300+ OSINT tools
Leadership: Mindful leadership, a CSO who shares his performance review with the full company
Misc: Search TV shows and movies by a word or phrase, it's never been better to be talent
AppSec
Cybersecurity - The Board’s PerspectiveGoogle’s Phil Venables describes what Boards should expect from management with respect to cybersecurity.
Remote code execution in cdnjs of CloudflareRyotaK describes a remote code execution bug they found in Cloudflare’s CDNJS that, no big deal, could have allowed tampering of 12.7% of all websites 😅 Path traversal via specially crafted .tgz name and some symbolic links trickery. Nice example of a security review workflow.
Cloud Security
Building Cloud Security RoadMapScott Piper joins Ashish Rajan’s Cloud Security Podcast to discuss Scott’s excellent AWS Security Maturity Roadmap, cloud security from start-ups to medium and large companies, getting started in cloud security, and more.
aws-samples/aws-incident-response-playbooksRepo by AWS’ Frank Phillis that contains playbooks covering several common scenarios: credential compromise, unintended S3 bucket access, web app DoS / DDoS, and ransomware. The playbooks outline steps based on the NIST Computer Security Incident Handling Guide.
Lessons learned: if you could do it “all” from the start again, what would you do differently in your AWS?Reddit post with some useful context and ideas.
Container Security
Announcing the results of Istio’s first security assessmentIstio describes the results of NCC Group’s assessment and shares the report. No Criticals, 4 Highs, the rest Medium, Low, and Informational. See the Security Best Practices and hardening guide.
Sign Container Images with cosign and Verify signature with Open Policy AgentBatuhan Apaydın and Furkan Türkal describe how to ensure only images that have valid signatures can be deployed into production-grade Kubernetes clusters.
Fuzzing
ant4g0nist/SlothA coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation, by Chaithu. Blog post.
ant4g0nist/ManuFuzzerAlso by Chaithu: A binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM. Supports Apple Silicon.
parikhakshat/autoharnessA tool that automatically generates fuzzing harnesses for you, using LLVM and Clang for libfuzzer, CodeQL for finding functions, and Python for the overall program.
AFLplusplus/LibAFLBy Andrea Fioraldi, Dominik Maier, and team: a collection of reusable pieces of fuzzers, written in Rust. Fast, multi-platform (Windows, Android, MacOS, Linux), no_std compatible, and scales over cores and machines. Includes different modes like binary-only Frida mode, easy to extend with grammar fuzzing, and more.
Blue Team
mikeprivette/NIST-to-TechAn open-source listing of cybersecurity technologies and vendor tools mapped to the NIST Cybersecurity Framework (CSF).
CISA: Chinese State-Sponsored Cyber Operations: Observed TTPsTactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors as well as recommended mitigations.
Some targeted sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.
Red Team
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity ExploitsAn impressively detailed blog post by Connor McGarr.
Politics / Privacy
Revealed: leak uncovers global abuse of cyber-surveillance weaponThe Guardian reports that NSO Group sold spyware to authoritarian regimes who used it to target activists, politicians and journalists.
Forensic Methodology Report: How to catch NSO Group’s PegasusGreat, detailed write-up by Amnesty International and Citizen Lab.
mvt-project/mvtMobile Verification Toolkit by Amnesty International’s @botherder and @tenacioustek is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.
They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other PII. Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.
The top US military officer, Chairman of the Joint Chiefs Gen. Mark Milley, was so shaken that then-President Donald Trump and his allies might attempt a coup or take other dangerous or illegal measures after the November election that Milley and other top officials informally planned for different ways to stop Trump, according to excerpts of an upcoming book obtained by CNN.
Milley viewed Trump as “the classic authoritarian leader with nothing to lose,” the authors write, and he saw parallels between Adolf Hitler’s rhetoric as a victim and savior and Trump’s false claims of election fraud.
Ahead of a November pro-Trump “Million MAGA March” to protest the election results, Milley told aides he feared it “could be the modern American equivalent of ‘brownshirts in the streets,’” referring to the pro-Nazi militia that fueled Hitler’s rise to power.
OSINT
OSINT tools collectionOver 300 OSINT tools grouped by Osint Stuff by social media, domain/IP/links, image search and identification, code, search engines, archives, people search, and more.
Leadership
Mindful Leadership: A Conversation between Tara Brach and Michelle Maldonado“In these times of mistrust and dividedness, our world desperately needs each of us to cultivate the qualities of focus, presence, care, respect, clarity, and curiosity that mark a true leader.” H/T Jason Chan.
A C-suite executive shared his performance review to all 1,400 people in the company to promote a culture of feedback. Read the email he sent.Pretty cool transparency by Gusto CSO Fredrick Lee. Unpaywalled images of his review: 1 2 3 4 5. H/T Rami for the Archive.org trick.
Feedback and transparency are such powerful tools. By sharing my feedback/performance reviews with the entire company, my peers and reports have much better insight into where my strengths and weaknesses are. This enables them to have better situational awareness.
Yes, everyone gets access to my performance reviews. I have the advantage of getting over 1400 people holding me accountable and strengthening me via their feedback. Transparency and feedback are super powers everyone should have access to.
Misc
yarn.coSearch a vast amount of TV shows and movies by word or phrase, filter by genre, decade, title, and more.
It’s Never Been Better To Be TalentFacebook, TikTok, YouTube, Pinterest, and others have all pledged millions to billions of funding for creators. Unrelatedly, I’ve been working on launching OnlySec.com, where you can tune in for my personal musings on security, unkempt as I make my morning coffee, during my night time bed routine, etc. #nofilter
We’re seeing a stark — but inevitable — shift in the conventional belief that user-generated content was enough to fill social platforms’ feeds, and keep them vibrant. It turns out that making videos, photos, or words that people want to watch or read is difficult. Only a select few are good at it. And the platforms are all competing for their work. So, it’s advantage: talent.
Thanks for reading!
Cheers,
Clint