Copy
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog here)
 

Hey there,

I hope you’ve been doing well!


Love at First Meme

People used to find their spouse through family, mutual friends, or who happened to live nearby.

But something was missing.

Then, dating websites and apps proliferated, leading to a greater pool of potential candidates. Dating became gamified, as you were always only a few swipes away from texting a cutie.

But something was missing.

Then, newer apps mixed in multi-media, like voice, video, or the blockchain. Meet Viola.ai:

But something was still missing.

Finally, with Schmooze, dating has reached its zenith: find your soulmate by being matched with people who love similar memes (more backstory).

In case you weren’t already sold:

“Schmooze is part built on AI-driven algorithms and part monitored by a team of “meme officers.”

Wow 🤣 Well, we live in a society.

Sponsor


📢 Why the Largest SaaS Providers are investing in SaaS Security and in AppOmni

People are often surprised to learn that Salesforce Ventures and ServiceNow Ventures are investors in AppOmni, and in SaaS Security in general. But they shouldn’t be. One of the primary goals of SaaS vendors is to ensure that their customers maintain secure SaaS environments, and they know that AppOmni is one of the best ways to do so. AppOmni automates the tracking of security settings, user permissions, 3rd party app access, and API configurations. We make it easy for security and IT teams to keep SaaS data secure, without adding additional workload. Watch the video to find out more.

Video: AppOmni in 100 seconds
📜 In this newsletter...
  • AppSec: Cybersecurity for the Board, RCE in cdnjs
  • Cloud Security: Scott Piper discusses his Cloud Security Roadmap, AWS incident response playbooks, how would you do your AWS from scratch?
  • Container Security: Istio's first security assessment released, sign container images with cosign and verify with OPA
  • Fuzzing: Fuzzing Android native libraries, fuzzing macOS, automatically generate harnesses, libafl
  • Blue Team: Mapping of technology and vendor tools to NIST CSF, TTPs used by Chinese state-sponsored actors
  • Red Team: Exploit development and kernel pools
  • Politics / Privacy: Data leak shows NSO Group tools targeting activists, how to catch NSO Group's Pegasus, toolkit to detect potential compromise of mobile devices, companies that map mobile ad IDs to PII, senior U.S. military officials were making plans to prevent a coup after the 2020 election
  • OSINT: Collection of 300+ OSINT tools
  • Leadership: Mindful leadership, a CSO who shares his performance review with the full company
  • Misc: Search TV shows and movies by a word or phrase, it's never been better to be talent

AppSec

Cybersecurity - The Board’s Perspective
Google’s Phil Venables describes what Boards should expect from management with respect to cybersecurity.


Remote code execution in cdnjs of Cloudflare
RyotaK describes a remote code execution bug they found in Cloudflare’s CDNJS that, no big deal, could have allowed tampering of 12.7% of all websites 😅 Path traversal via specially crafted .tgz name and some symbolic links trickery. Nice example of a security review workflow.
 

Cloud Security

Building Cloud Security RoadMap
Scott Piper joins Ashish Rajan’s Cloud Security Podcast to discuss Scott’s excellent AWS Security Maturity Roadmap, cloud security from start-ups to medium and large companies, getting started in cloud security, and more.
 

aws-samples/aws-incident-response-playbooks
Repo by AWS’ Frank Phillis that contains playbooks covering several common scenarios: credential compromise, unintended S3 bucket access, web app DoS / DDoS, and ransomware. The playbooks outline steps based on the NIST Computer Security Incident Handling Guide.
 

Lessons learned: if you could do it “all” from the start again, what would you do differently in your AWS?
Reddit post with some useful context and ideas.


Container Security

Announcing the results of Istio’s first security assessment
Istio describes the results of NCC Group’s assessment and shares the report. No Criticals, 4 Highs, the rest Medium, Low, and Informational. See the Security Best Practices and hardening guide.
 

Sign Container Images with cosign and Verify signature with Open Policy Agent
Batuhan Apaydın and Furkan Türkal describe how to ensure only images that have valid signatures can be deployed into production-grade Kubernetes clusters.

Fuzzing

ant4g0nist/Sloth
A coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation, by ChaithuBlog post.
 

ant4g0nist/ManuFuzzer
Also by Chaithu: A binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM. Supports Apple Silicon.
 

parikhakshat/autoharness
A tool that automatically generates fuzzing harnesses for you, using LLVM and Clang for libfuzzer, CodeQL for finding functions, and Python for the overall program.
 

AFLplusplus/LibAFL
By Andrea FioraldiDominik Maier, and team: a collection of reusable pieces of fuzzers, written in Rust. Fast, multi-platform (Windows, Android, MacOS, Linux), no_std compatible, and scales over cores and machines. Includes different modes like binary-only Frida mode, easy to extend with grammar fuzzing, and more.


Blue Team

mikeprivette/NIST-to-Tech
An open-source listing of cybersecurity technologies and vendor tools mapped to the NIST Cybersecurity Framework (CSF).
 

CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs
Tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors as well as recommended mitigations.

Some targeted sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.


Red Team

Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits
An impressively detailed blog post by Connor McGarr.


Politics / Privacy

Revealed: leak uncovers global abuse of cyber-surveillance weapon
The Guardian reports that NSO Group sold spyware to authoritarian regimes who used it to target activists, politicians and journalists.


Forensic Methodology Report: How to catch NSO Group’s Pegasus
Great, detailed write-up by Amnesty International and Citizen Lab.
 

mvt-project/mvt
Mobile Verification Toolkit by Amnesty International’s @botherder and @tenacioustek is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
 

Inside the Industry That Unmasks People at Scale

Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.

They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other PII. Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.


‘They’re not going to f**king succeed’: Top generals feared Trump would attempt a coup after election

The top US military officer, Chairman of the Joint Chiefs Gen. Mark Milley, was so shaken that then-President Donald Trump and his allies might attempt a coup or take other dangerous or illegal measures after the November election that Milley and other top officials informally planned for different ways to stop Trump, according to excerpts of an upcoming book obtained by CNN.

Milley viewed Trump as “the classic authoritarian leader with nothing to lose,” the authors write, and he saw parallels between Adolf Hitler’s rhetoric as a victim and savior and Trump’s false claims of election fraud.

Ahead of a November pro-Trump “Million MAGA March” to protest the election results, Milley told aides he feared it “could be the modern American equivalent of ‘brownshirts in the streets,’” referring to the pro-Nazi militia that fueled Hitler’s rise to power.


OSINT

OSINT tools collection
Over 300 OSINT tools grouped by Osint Stuff by social media, domain/IP/links, image search and identification, code, search engines, archives, people search, and more.


Leadership

Mindful Leadership: A Conversation between Tara Brach and Michelle Maldonado
“In these times of mistrust and dividedness, our world desperately needs each of us to cultivate the qualities of focus, presence, care, respect, clarity, and curiosity that mark a true leader.” H/T Jason Chan.
 

A C-suite executive shared his performance review to all 1,400 people in the company to promote a culture of feedback. Read the email he sent.
Pretty cool transparency by Gusto CSO Fredrick Lee. Unpaywalled images of his review: 1 2 3 4 5. H/T Rami for the Archive.org trick.

Feedback and transparency are such powerful tools. By sharing my feedback/performance reviews with the entire company, my peers and reports have much better insight into where my strengths and weaknesses are. This enables them to have better situational awareness.

Yes, everyone gets access to my performance reviews. I have the advantage of getting over 1400 people holding me accountable and strengthening me via their feedback. Transparency and feedback are super powers everyone should have access to.


Misc

yarn.co
Search a vast amount of TV shows and movies by word or phrase, filter by genre, decade, title, and more.
 

It’s Never Been Better To Be Talent
Facebook, TikTok, YouTube, Pinterest, and others have all pledged millions to billions of funding for creators. Unrelatedly, I’ve been working on launching OnlySec.com, where you can tune in for my personal musings on security, unkempt as I make my morning coffee, during my night time bed routine, etc. #nofilter

We’re seeing a stark — but inevitable — shift in the conventional belief that user-generated content was enough to fill social platforms’ feeds, and keep them vibrant. It turns out that making videos, photos, or words that people want to watch or read is difficult. Only a select few are good at it. And the platforms are all competing for their work. So, it’s advantage: talent.

 

Thanks for reading!

Cheers,
Clint

@clintgibler

 

Forwarded this email? Sign up here 🚀
Copyright © 2021 Practical Program Analysis, LLC, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.