Hack in the Box 2021 Singapore
Hack in the Box 2021 Singapore Slides
A bunch of good talks, mostly offense focused.
Security Technology Arms Race 2021: Medal Event
Awesome HITB keynote by Mark Dowd (video) on why offensive security has had the advantage in the past, how defense is turning the tables, and what the future looks like. Highly, highly recommend.
Summer of Fuzz
Jeremy Brown deep dive on fuzzing macOS.
Assetnote’s Shubham Shah discusses several ways to attack GraphQL implementations, including batch attacks, CSRF, leveraging introspection and suggestions, and they’ve released the BatchQL tool to assist with a number of these attacks.
A fast tool to check missing hosted DNS zones that can lead to subdomain takeover, by Dwi Siswanto.
How to set up Docker for Varnish HTTP/2 request smuggling
Detectify’s Alfred Berg shares a GitHub repo for easy local testing of HTTP/2 request smuggling on Varnish cache.
AWS ReadOnlyAccess: Not Even Once
SpecterOps’ Daniel Heinsen discusses the danger of managed AWS policies: they tend to be broad, containing a number of unnecessary permissions, and they can change under you in security-relevant ways.
By Gold Fig Lab’s Vikrum Nijjar and Greg Soltis: a tool to scan your AWS Security Groups for open ports and attached Network Interfaces to find anything listening on a port that you wouldn’t consider safe.
sgCheckup can also run nmap to get specifics.
AWS’ Mostefa Brougui shows how to run periodic validations by building a Lambda that uses IAM Access Analyzer to validate IAM policies, and visualize the results using Amazon Quicksight.
A Security Review of Docker Official Images: Which Do You Trust?
Aqua’s Rory McCune found that a number of Docker Official Images are actually deprecated and/or full of unpatched vulnerabilities. The post lists official images with >50 unpatched vulnerabilities and ~14 deprecated images, including Django, and more.
Red Hat: Top Open Source Kubernetes Security Tools of 2021
ghidra2frida - The new bridge between Ghidra and Frida
Federico Dotta announces a new Ghidra extension that bridges Ghidra and Frida, enabling you to create powerful scripts that take advantage of Frida’s dynamic analysis engine to improve Ghidra’s static analysis features.
Politics / Privacy
Data Brokers Are Advertising Data on U.S. Military Personnel
Post by Justin Sherman. I’ll take “Things that are dangerous for national security for $800, Alex.”
Three major U.S. data brokers—Acxiom, LexisNexis and Nielsen—openly and explicitly advertise data on current or former U.S. military personnel; LexisNexis advertises a capability to search an individual and identify whether the individual is active-duty military… make it possible for anyone to search for senior military personnel—uncovering home addresses, phone numbers and other information, as well as the names of known family members and relatives.
Will Gavin Newsom Lose California’s Recall Election?
If you live in California, vote in the recall. It is important. To be honest, I was feeling pretty lazy about it until I read this article.
The recall has two separate questions: yes/no on the recall, and then if the majority votes to recall, whoever has the highest vote becomes governor.
So Newsom could have 49.9% of the vote, lose the recall, and be replaced by a governor with 14% of the vote.
If Dianne Feinstein passes away, then whoever wins the recall will appoint her replacement. The Senate is currently split 50-50, meaning the result of this recall could fundamentally shift voting in the Senate and what Congress does until the next election.
OSINT / Recon
Attack Surface Management. You’re (probably) doing it wrong
Spiderfoot creator Steve Micallef argues that attack surface is much more than just IPs and ports; it’s also OSINT info like email addresses, leaked credentials, public code repos, and other things that could give an attacker an opening or hint at what your org’s internal environment contains.
Tech Interview Handbook
Curated interview preparation materials for busy engineers.
Excellent thread by Travis McPeak on being a great manager.
The Seniority Roller Coaster and Down-Leveling in Tech
Gergely Orosz describes how when switching companies, depending on the type or tier of company, you may get a pay cut but better title, or vice versa. Also, how to navigate when you don’t think you’re being evaluated at the right “level.”
Q3 2021 ThinkstScapes Quarterly
Once upon a time, Thinkst produced an awesome, non vendor-y publication outlining major new interesting security research called ThinkstScapes. I’m super excited to see they’re back! Make yourself some coffee or pour yourself a glass of wine, sit back, and enjoy.
New tool announced by Halvar Flake: “Prodfiler, a continuous profiler that “just works” – for C/C++/Rust/Go/JVM/Python/Perl/PHP – no code change required, no symbols on the machine required, no service restart required.”
A decade and a half of instability: The history of Google messaging apps
I’ve noticed many of these over the years, but interesting to see like 15+ of these laid out chronologically.
Boston Dynamics Robot Doing Parkour
A playful demo, in which they’re not yet hunting humans down and killing them for sport.
Buy an Empty House in Japan for Less Than a Month’s Rent!
A number of unoccupied homes in small villages are being offered quite cheap due to vacancy rates caused by an ageing population.
The Ransomware Song (Just Blame Math)
Winner of the Best Song at the 2021 Pwnie Awards, by Forrest Brazeal. I also enjoyed him spitting hard truths in Big Tech (It’s Probably Fine).
Thanks for reading!