“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution
Great research by Wiz: Microsoft Azure silently installs management agents on your Linux VMs, and those agents turned out to have RCE and local privilege escalation vulnerabilities. Fixing them mostly requires manual updates. Great play-by-play thread from Kevin Beaumont, and to quote Ami Luttwak:
The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021?
If you want to play around with it, there’s this BugHuntr.io lab, this nuclei template, this Python PoC, or watch IppSec’s video.
permissions.cloud: Permissions Reference for AWS IAM
Super cool work by Ian Mckay: the IAM dataset maps SDK calls to IAM actions, which are then displayed nicely on this site. Also, iamfast-js and related repos aim to generate IAM policies based on analyzing your source code. Baller.
Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling
Eugene Lim discusses his experiments with using OpenAI not just for human-focused attacks like phishing and misinformation, but for technical tasks: reverse engineering assembly, analyzing Metasploit payloads, code review (e.g. finding XSS), etc.
GitHub Copilot Generated Insecure Code In 40% Of Circumstances During Experiment
Out of 1,692 programs generated in 89 different code-completion scenarios.
An anonymous & ephemeral (and free) Docker image registry, by Replicated.
NSA & CISA Kubernetes Security Guidance – A Critical Review
NCC Group’s Iain Smart provides feedback on what he views the NSA and CISA guidance doc as having outlined well, as well as some parts he views as misleading or incorrect.
Strong agree from me on this useful and snarky article by Daniel Miessler. Vendor Security Questionnaires seem ineffective at determining security posture and business needs often trump security recommendations.
Understanding a vendor’s risk to your business if compromised and working to limit it - this is the way.
A few people had comments I liked on Twitter.
SOC2 exerts the same forcing pressure to organize security; of course, SOC2 is just the Boss Fight version of a dumb security questionnaire.
And Dino Dai Zovi:
tl;dr: assume breach of every thing across a trust boundary and that includes vendors whether you give them money or not.
Start with identifying data sent and/or held by that vendor and how much ability you have to reduce data risk while preserving value of using that vendor.
Identify security maturity of vendor relative to sensitivity and volume of data sent/stored with them.
Measure that downside of data at risk against the upside value of using that vendor. If upside > downside, continue using them. If downside > upside, don’t use that vendor.
Most of vendor security IMHO is matching data at risk to security maturity of the vendor.
Deus X64: A Pwning Campaign
A series of increasingly difficult computer security challenges pertaining to reverse-engineering and binary exploitation, by RET2 Systems.
Politics / Privacy
Opinion | America Is Being Held for Ransom. It Needs to Fight Back.
Crowdstrike co-founder Dmitri Alperovitch argues that sanctions and defense alone will not be sufficient against ransomware, as it’s unrealistic to expect every American hospital, school, fire department and small business to defend itself against highly sophisticated criminals. Instead, like with ISIS, the U.S. should pursue an aggressive campaign targeting the foundation of ransomware criminals’ operations: their personnel, infrastructure and money.
Inside Facebook’s Push to Defend Its Image
Facebook has kicked off a new internal project to use the News Feed, its most important digital real estate, to promote articles about how Facebook is about ~~political polarization~~ ~~making you sad~~ ~~invading your privacy~~ ~~promoting vaccine skepticism~~ bringing us all closer together ❤️. Cutting off external parties from analyzing engagement data? Don’t worry about it 🤫
The Facebook Files
Oh boy, what a drop by the WSJ, a five-part investigation covering:
- Facebook has a secret VIP list for whom standard policy enforcements do not apply.
- An internal investigation found Instagram usage increased anxiety and depression, especially in teenage girls.
- Facebook’s algorithm changes increased engagement, but made users angrier. The Zuck resisted proposed fixes because he was worried they would lead people to interact with Facebook less.
- Facebook employees flag drug cartels and human traffickers leveraging the platform, but the company’s response is often inadequate or nothing at all.
- Company documents show antivaccine activists undermined Zuckerberg’s ambition to support the rollout by flooding the site and using Facebook’s own tools to sow doubt about the Covid-19 vaccine.
The new warrant: how US police mine Google for your location and search history
Article from The Guardian on geofence and keyword warrants. The fundamental challenge is that companies that depend on ad revenue slurp up user data for targeting purposes, but then they have a rich set of data that police can subpoena.
From Norm Macdonald’s memoir, Based on a True Story:
Right in the feels. Also, here’s Norm on SNL’s Celebrity Jeopardy.
It can be difficult to define yourself by something that happened so long ago and is gone forever. It’s like a fellow at the end of the bar telling no one in particular about the silver medal he won in high school track, the one he still wears around his neck.
The only thing an old man can tell a young man is that it goes fast, real fast, and if you’re not careful it’s too late. Of course, the young man will never understand this truth.
The Time Travel Debugger for Web Development
Replay.io is building a new tool that lets you record a web app’s execution flow and step backwards and forwards through it. Sounds awesome for tracking down tricky bugs. Time travel debugging is one of the coolest concepts I wish I saw more of. Python, Java, and Ruby support coming.
As a security consultant at NCC Group, I saw how a number of companies implemented authorization in their monolith or across their fleet of microservices.
Nearly universally, they had made some decisions early that ended up making things painful several years later.
This detailed post by Oso’s Sam Scott may be one of the best I’ve read covering the real-world challenges, trade-offs, and different approaches to building authorization in real companies.
The post also links to blog posts other companies have written about their authorization approach: Carta, Slack, Airbnb, Intuit.
Oso has also put together an even more lengthy write-up in their Authorization Academy. Nice!
Finally, check out the HN thread on this post for various people weighing in, and posts by a number of other authorization-focused start-ups, including Authzed (YC W21), Cerbos, Aserto, and Warrant (YC S21). Open source libraries referenced: Casbin and ory/keto, an implementation of Google’s Zanzibar.