A ‘Novel’ Way to Bypass Executable Signature Checks with Electron
Parsia Hakimian gives an overview of analyzing the attack surface of app update mechanisms on Windows, including 6 relevant bugs. He then demonstrates how to bypass signature checks using signed Electron binaries and backdoored
SANS Virtual Summits FREE in 2021
Nice, usually SANS stuff is $$$.
Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep
So you’re doing a code review and you find some code base-specific pattern that likely indicates a bug (e.g. authn/authz). You’d like to search for this code pattern across thousands of files, but because this pattern is unique to this code base, no SAST tool is going to have a rule for it out of the box. This is the perfect opportunity for writing a custom rule.
Include Security’s Jason Kielpinski walks through his experiences writing custom rules in both Brakeman and Semgrep.
Client Side Encryption Bypass Part-1
- First find where the logic is implemented. You can do this via the Developer tools and Ctrl+F-ing for potentially relevant function names, or inspecting DOM elements and looking for onClick or other registered callbacks.
- Then set breakpoints, step through the code, and modify it as necessary; after all, it’s running in your browser 😉
Sameer also includes a Docker image practice lab.
A Glossary of Blind SSRF Chains
Blind SSRF is when you can cause a server to make a request to an arbitrary URL but you can’t see the result. Assetnote co-founder Shubham Shah presents a cheatsheet of high impact blind SSRF targets including Elasticsearch, WebLogic, HashiCorp Consul, Struts, Confluence, Jira, Jenkins, Docker, and many more. Other tips include “SSRF canaries,” using DNS and AltDNS to find internal hosts, and side channel leaks. (GitHub repo)
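Most of the chains in the cheatsheet start with the server reaching an internal address (metadata services, Consul, Elasticsearch and friends on loopback or RFC 1918 ranges), so the defensive counterpart is to validate the destination before the fetch happens. The following is an added example, not code from the post or from Assetnote, of a URL check a service can run on user-supplied URLs: scheme and host allowlisting plus a rejection of internal address ranges. The allowlist and sample IPs are constructed; the caller is assumed to resolve the hostname once and pass the resulting IPs in, then connect to those same IPs, so that the validated address and the connected address cannot diverge via DNS rebinding.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only hosts this service should ever fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
# Only plain web schemes; gopher://, file://, dict:// etc. are common SSRF pivots and are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(ip_str):
    """True for addresses a server-side fetcher should never contact on a user's behalf:
    private (RFC 1918), loopback, link-local (covers 169.254.169.254 metadata endpoints),
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolved_ips):
    """Return (ok, reason) for a user-supplied URL.

    resolved_ips: the IP addresses the caller already resolved the hostname to.
    The caller must connect to exactly these addresses (not re-resolve), otherwise a
    rebinding DNS record could pass this check and then point at an internal host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if not resolved_ips:
        return False, f"host {host!r} did not resolve"
    for ip in resolved_ips:
        if is_internal_ip(ip):
            return False, f"host {host!r} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate fetch, a metadata-service attempt, a scheme pivot,
    # and an allowlisted name that resolves to a private address.
    samples = [
        ("https://api.example.com/v1/items", ["93.184.216.34"]),
        ("http://169.254.169.254/latest/meta-data/", ["169.254.169.254"]),
        ("gopher://api.example.com/", ["93.184.216.34"]),
        ("https://api.example.com/", ["10.0.0.5"]),
    ]
    for url, ips in samples:
        ok, reason = check_outbound_url(url, ips)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason})")
```

The allowlist does the heavy lifting; the IP range check is defence in depth for the case where an allowlisted name is later pointed at an internal address. Logging the "BLOCK" results is also a cheap detection signal, since a burst of rejected metadata or loopback URLs is exactly what probing for one of these chains looks like.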
Security Overview of AWS Lambda
20 page PDF by Amazon on how Lambda manages security: process sandboxes, microkernel, hypervisors, how to monitor and audit Lambda functions, and more. H/T Mark Manning for sharing.
Google Cloud IAM Custom Role and Permissions Debugging Tricks
Darkbit’s Brad Geesaman describes the process of creating a custom GCP IAM role to follow least privilege, including using the IAM Policy Troubleshooter.
By Mark Wolfe: “This service provides OpenID authenticated access to a static website hosted in an S3 bucket,” using AWS API Gateway HTTP APIs, powered by AWS Lambda.
Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes? Bishop Fox’s Seth Art describes eight insecure pod configurations and the corresponding methods to perform privilege escalation:
- Allowing everything;
- Privileged and hostPID;
- Privileged, hostPath, hostPID, hostNetwork, or hostIPC only;
- Nothing allowed.
See this repo for a collection of manifests that map to these configs.
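Each of the eight configurations is a combination of a handful of pod spec fields, so they are easy to flag before a manifest ever reaches the cluster. The following is an added example, not code from the post or from Bishop Fox's repo, of a small pre-deployment check that walks a pod manifest and reports the settings the post builds its escalation paths on: privileged containers, hostPID, hostNetwork, hostIPC, and hostPath volumes. The manifest is a constructed sample in JSON form (which the Kubernetes API also accepts), and the image name is a placeholder.

```python
import json

# Constructed sample manifest (not from a real cluster) exercising several of the risky
# settings at once: privileged container + hostPID + hostIPC + a hostPath mount of "/".
RISKY_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "example-risky"},
  "spec": {
    "hostPID": true,
    "hostNetwork": false,
    "hostIPC": true,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{
      "name": "app",
      "image": "registry.invalid/app:1",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "root", "mountPath": "/host"}]
    }]
  }
}
""")

HOST_NAMESPACE_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def find_risky_settings(pod):
    """Return a list of human-readable findings for the pod-level and container-level
    settings that enable the escalation paths described in the post."""
    spec = pod.get("spec") or {}
    findings = []

    # Pod-level: sharing a host namespace.
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag) is True:
            findings.append(f"spec.{flag}=true")

    # Pod-level: any hostPath volume, regardless of which path it exposes.
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol.get("hostPath") or {}).get("path")
            findings.append(f"hostPath volume {vol.get('name')!r} exposes {path!r}")

    # Container-level: privileged security context, in regular and init containers alike.
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"container {c.get('name')!r} is privileged")

    return findings


def classify(findings):
    """Map a findings list onto the post's two extremes: 'nothing allowed' when the list is
    empty, 'everything' when every checked setting is present, otherwise 'partial'."""
    if not findings:
        return "nothing allowed"
    flags = {f.split("=")[0].removeprefix("spec.") for f in findings if f.startswith("spec.")}
    has_hostpath = any(f.startswith("hostPath") for f in findings)
    has_privileged = any("privileged" in f for f in findings)
    if flags == set(HOST_NAMESPACE_FLAGS) and has_hostpath and has_privileged:
        return "everything"
    return "partial"


if __name__ == "__main__":
    found = find_risky_settings(RISKY_POD)
    print(f"{RISKY_POD['metadata']['name']}: {classify(found)}")
    for f in found:
        print("  -", f)
```

The same fields are what the Kubernetes Pod Security Standards "baseline" profile forbids, so in a cluster with Pod Security Admission enforced the check above is redundant at admission time; it is still useful in CI, where manifests can be rejected before anyone has to argue about an exemption.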
Politics / Privacy
New campaign targeting security researchers
Google’s Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, likely a government-backed entity based in North Korea. They set up fake social media accounts and security research blogs to build trust, and then compromise targets via sharing a backdoored Visual Studio Project or just from visiting the threat actor’s blog (on a fully patched and up-to-date Windows 10 + Chrome browser). Yikes!
OSINT / Recon
An open source tool to automate the internal threat intelligence generation, inventory collection and compliance check from different AWS resources.
A @TomNomNom Recon Tools Primer
Great overview by Daniel Miessler of useful tools by Tom Hudson that follow the Unix philosophy of doing one thing well. See my summary of Daniel’s Mechanizing the Methodology talk for more details on the power of this approach.
- gf - Easily grep for security-sensitive things
- httprobe - Given a list of domains, finds the ones listening on web ports
- unfurl - Easily break down URLs into discrete pieces (e.g. domain, path, URL parameters, etc.) for further processing
- meg - Quickly checks a list of interesting paths across a set of
- anew - Adds the contents of an input stream to the output, but only if it’s new
- waybackurls - Finds archived URLs for a domain
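The reason these tools compose so well is that each one is a pure line-in, line-out transform, so a "recon methodology" becomes a pipe. To make that concrete offline, here is an added example (my own code, not Tom Hudson's tools) that reimplements the semantics of two of them, anew and unfurl, as Python generators over constructed sample URLs, and then chains them the way the shell versions would be piped. The sample URLs are made up; the real tools take the same input on stdin.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: what a waybackurls-style tool might emit, including a duplicate.
SAMPLE_URLS = [
    "https://a.example.com/login?user=x&next=/home",
    "https://b.example.com/api/v1/items?id=7",
    "https://a.example.com/login?user=x&next=/home",
    "https://b.example.com/static/app.js",
]


def anew(lines, seen):
    """Mimic anew: emit each line only the first time it is seen, recording it in `seen`.

    `seen` plays the role of the file anew appends to, so calling this again with the
    same set later (e.g. on tomorrow's crawl) yields only lines that are genuinely new.
    """
    for line in lines:
        line = line.rstrip("\n")
        if line and line not in seen:
            seen.add(line)
            yield line


def unfurl(urls, mode):
    """Mimic unfurl's main modes: one output line per extracted piece.

    domains -> hostname, paths -> path, keys/values -> query-string keys or values.
    """
    for url in urls:
        p = urlsplit(url.strip())
        if mode == "domains":
            yield p.hostname or ""
        elif mode == "paths":
            yield p.path
        elif mode == "keys":
            for k, _ in parse_qsl(p.query, keep_blank_values=True):
                yield k
        elif mode == "values":
            for _, v in parse_qsl(p.query, keep_blank_values=True):
                yield v
        else:
            raise ValueError(f"unknown unfurl mode {mode!r}")


def unique_hosts(urls):
    """Equivalent of `cat urls | unfurl domains | anew hosts.txt` as a single list."""
    return list(anew(unfurl(urls, "domains"), set()))


def unique_param_names(urls):
    """Equivalent of `cat urls | unfurl keys | anew params.txt`, handy for spotting
    parameter names worth reviewing (redirect targets, ids, etc.)."""
    return list(anew(unfurl(urls, "keys"), set()))


if __name__ == "__main__":
    seen_urls = set()
    deduped = list(anew(SAMPLE_URLS, seen_urls))
    print("new urls :", deduped)
    print("hosts    :", unique_hosts(deduped))
    print("params   :", unique_param_names(deduped))
    # A second run over the same input yields nothing, which is anew's whole point.
    print("2nd run  :", list(anew(SAMPLE_URLS, seen_urls)))
```

The persistent `seen` set is the part worth copying: tracking a "known" file per target and diffing against it is how these one-purpose tools turn into continuous monitoring rather than one-off scans.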
Fauci steps up to the podium
In slow motion, with some hyped up entrance music. I couldn’t help but laugh.
Fraud Is No Fun Without Friends
H/T Jon Oberheide for sending me this link. Apparently the SEC has received 31% more tips alleging white-collar malfeasance this year, potentially due to remote work removing the office culture glue that might normalize bending the rules.
Separately, the article also makes the interesting argument that SEC rules that mandate more disclosure could have a positive impact on areas ranging from global warming and corporate diversity to political donations. I don’t have enough context to know if this is possible or a good idea, but it’s interesting.
If you want to stop global warming, you make fossil-fuel companies disclose much more about the risks of global warming, you sue coal and oil companies for being too blasé (in their securities disclosure!) about climate change, you make rules requiring banks and mutual funds to consider long-term climate risks in their investing and financing decisions…
I did not expect to see an InfoSec sea shanty from my friend Rachel Tobac, but I did, and it made my day 🤣
Thanks for reading!