Cybersecurity - The Board’s Perspective
Google’s Phil Venables describes what Boards should expect from management with respect to cybersecurity.
Remote code execution in cdnjs of Cloudflare
RyotaK describes a remote code execution bug they found in Cloudflare’s cdnjs that, no big deal, could have allowed tampering with 12.7% of all websites 😅 Path traversal via a specially crafted .tgz member name plus some symbolic link trickery. A nice example of a security review workflow.
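The two archive tricks mentioned above (member names that climb out of the extraction directory, and symlinks whose target points outside it) are a general bug class in anything that unpacks untrusted tarballs. The following is an added example, not RyotaK’s exploit and not Cloudflare’s code: a pre-extraction guard that walks a .tgz and reports members that must not be written to disk. The sample archive it checks is constructed inline with one benign file, one traversal name, and one escaping symlink.

```python
"""Added example (not the cdnjs code): refuse tar members that escape the
extraction root, either by name ('../') or by symlink/hardlink target."""
import io
import posixpath
import tarfile


def _normalize(name):
    """Collapse '.' / '..' like an extractor would. Returns None if the path
    is absolute or climbs above the extraction root."""
    name = name.replace("\\", "/")          # treat backslashes as separators too
    if name.startswith("/"):
        return None
    parts = []
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None                 # would leave the root
            parts.pop()
        else:
            parts.append(part)
    return "/".join(parts)


def unsafe_members(tar):
    """Return [(member_name, reason)] for every member that must not be extracted."""
    bad = []
    for m in tar.getmembers():
        clean = _normalize(m.name)
        if clean is None:
            bad.append((m.name, "path escapes extraction root"))
            continue
        if m.issym() or m.islnk():
            # Resolve the link target relative to the link's own directory;
            # an absolute target or one that climbs out is rejected.
            target = m.linkname.replace("\\", "/")
            joined = target if target.startswith("/") else posixpath.join(
                posixpath.dirname(clean), target)
            if _normalize(joined) is None:
                bad.append((m.name, "link target escapes root: " + m.linkname))
        elif not (m.isfile() or m.isdir()):
            bad.append((m.name, "unsupported member type (device/fifo)"))
    return bad


def build_sample_tgz():
    """Constructed sample archive: benign file, '../' traversal name, escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"console.log('ok');\n"

        info = tarfile.TarInfo("pkg/dist/lib.js")      # benign
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        info = tarfile.TarInfo("../../../../tmp/evil.js")  # path traversal
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("pkg/escape")            # symlink out of the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc"
        tar.addfile(link)
    return buf.getvalue()


def check_tgz(blob):
    """Open a gzipped tarball from bytes and return its unsafe members."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return unsafe_members(tar)


if __name__ == "__main__":
    for name, why in check_tgz(build_sample_tgz()):
        print("REJECT", name, "-", why)
```

Run the check before, not after, extraction: a symlink that points outside the root only does damage when a later member is written through it, so the archive has to be rejected as a whole rather than member by member.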
Building Cloud Security RoadMap
Scott Piper joins Ashish Rajan’s Cloud Security Podcast to discuss Scott’s excellent AWS Security Maturity Roadmap, cloud security from start-ups to medium and large companies, getting started in cloud security, and more.
Repo by AWS’ Frank Phillis that contains playbooks covering several common scenarios: credential compromise, unintended S3 bucket access, web app DoS / DDoS, and ransomware. The playbooks outline steps based on the NIST Computer Security Incident Handling Guide.
Lessons learned: if you could do it “all” from the start again, what would you do differently in your AWS?
Reddit post with some useful context and ideas.
Announcing the results of Istio’s first security assessment
Istio describes the results of NCC Group’s assessment and shares the report. No Criticals, 4 Highs, the rest Medium, Low, and Informational. See the Security Best Practices and hardening guide.
Sign Container Images with cosign and Verify signature with Open Policy Agent
Batuhan Apaydın and Furkan Türkal describe how to ensure only images that have valid signatures can be deployed into production-grade Kubernetes clusters.
A coverage-guided fuzzing framework for Android native libraries that makes use of libFuzzer and QEMU user-mode emulation, by Chaithu. Blog post.
Also by Chaithu: A binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM. Supports Apple Silicon.
A tool that automatically generates fuzzing harnesses for you, using LLVM and Clang for libFuzzer, CodeQL for finding candidate functions, and Python for the overall program.
By Andrea Fioraldi, Dominik Maier, and team: a collection of reusable pieces of fuzzers, written in Rust. Fast, multi-platform (Windows, Android, macOS, Linux), no_std compatible, and scales over cores and machines. Includes different modes such as a binary-only Frida mode, is easy to extend with grammar fuzzing, and more.
An open-source listing of cybersecurity technologies and vendor tools mapped to the NIST Cybersecurity Framework (CSF).
CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs
Tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors as well as recommended mitigations.
Some targeted sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits
An impressively detailed blog post by Connor McGarr.
Politics / Privacy
Revealed: leak uncovers global abuse of cyber-surveillance weapon
The Guardian reports that NSO Group sold spyware to authoritarian regimes who used it to target activists, politicians and journalists.
Forensic Methodology Report: How to catch NSO Group’s Pegasus
Great, detailed write-up by Amnesty International and Citizen Lab.
Mobile Verification Toolkit by Amnesty International’s @botherder and @tenacioustek is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
Inside the Industry That Unmasks People at Scale
Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.
They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other PII. Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.
‘They’re not going to f**king succeed’: Top generals feared Trump would attempt a coup after election
The top US military officer, Chairman of the Joint Chiefs Gen. Mark Milley, was so shaken that then-President Donald Trump and his allies might attempt a coup or take other dangerous or illegal measures after the November election that Milley and other top officials informally planned for different ways to stop Trump, according to excerpts of an upcoming book obtained by CNN.
Milley viewed Trump as “the classic authoritarian leader with nothing to lose,” the authors write, and he saw parallels between Adolf Hitler’s rhetoric as a victim and savior and Trump’s false claims of election fraud.
Ahead of a November pro-Trump “Million MAGA March” to protest the election results, Milley told aides he feared it “could be the modern American equivalent of ‘brownshirts in the streets,’” referring to the pro-Nazi militia that fueled Hitler’s rise to power.
OSINT tools collection
Over 300 OSINT tools, collected by Osint Stuff and grouped by category: social media, domain/IP/links, image search and identification, code, search engines, archives, people search, and more.
Mindful Leadership: A Conversation between Tara Brach and Michelle Maldonado
“In these times of mistrust and dividedness, our world desperately needs each of us to cultivate the qualities of focus, presence, care, respect, clarity, and curiosity that mark a true leader.” H/T Jason Chan.
A C-suite executive shared his performance review to all 1,400 people in the company to promote a culture of feedback. Read the email he sent.
Pretty cool transparency by Gusto CSO Fredrick Lee. Unpaywalled images of his review: 1 2 3 4 5. H/T Rami for the Archive.org trick.
Feedback and transparency are such powerful tools. By sharing my feedback/performance reviews with the entire company, my peers and reports have much better insight into where my strengths and weaknesses are. This enables them to have better situational awareness.
Yes, everyone gets access to my performance reviews. I have the advantage of getting over 1400 people holding me accountable and strengthening me via their feedback. Transparency and feedback are super powers everyone should have access to.
Search a vast amount of TV shows and movies by word or phrase, filter by genre, decade, title, and more.
It’s Never Been Better To Be Talent
Facebook, TikTok, YouTube, Pinterest, and others have all pledged millions to billions of funding for creators. Unrelatedly, I’ve been working on launching OnlySec.com, where you can tune in for my personal musings on security, unkempt as I make my morning coffee, during my night time bed routine, etc.
We’re seeing a stark — but inevitable — shift in the conventional belief that user-generated content was enough to fill social platforms’ feeds, and keep them vibrant. It turns out that making videos, photos, or words that people want to watch or read is difficult. Only a select few are good at it. And the platforms are all competing for their work. So, it’s advantage: talent.
Thanks for reading!