Securing XML implementations across the web
Mattermost’s Juho Nurminen found XML round-trip parsing errors in four popular XML parsing libraries (in Ruby, NPM, Java, and .NET), and was able to confirm authentication bypasses in major SAML implementations and web applications for two of them. Juho doesn’t hold back:
Don’t get distracted by something like Golden SAML, when SAML itself is the problem. It’s a relic from an age when enterprise software meant XML and software that wasn’t built on top of XML was ridiculed and shunned.
SAML is inherently fragile, exceedingly complex, and nearly impossible to implement correctly. There are plenty of well-documented SAML vulnerability types predating my research yet still prevalent today: XEE, XML Signature Wrapping, Duo’s text node splitting attack etc.
Free as in Beer: Creating a Low-Cost Static Analysis Program
Slack’s Erin Browning and Tim Faraci have built out static analysis programs at multiple companies, using commercial and open source tools. In this DEF CON AppSec Village talk (slides), they discuss why at Slack they’re building their program around Semgrep.
I’ve written several Semgrep rules, and it takes me longer to write the developer guidance than the actual rule.
We’re finding similar true positive numbers running our open source Semgrep rules as I am comparing it to commercial offerings.
How easy is it to add a new language to Semgrep? Well, an intern can do it! Actually, two interns who are almost done with their CS degrees. (Slack interns David Frankel and Nicholas Lin have been adding Hacklang support this summer.)
An intentionally vulnerable GCP environment to learn and practice GCP security, by Joshua Jebaraj.
Cloud Security Orienteering
Excellent DEF CON Cloud Village talk by Cedar’s Rami McCarthy on how to rapidly find the information necessary to familiarize yourself with a new cloud environment, dig in to identify the risks that matter, and put together remediation plans that address short, medium, and long term goals.
AWS Organizations - Checklist for 2021
Chris Farris provides a great checklist of what you should do when setting up a new AWS Organization from scratch.
Building an AWS Perimeter
Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.
Threat Hunting with Kubernetes Audit Logs
Square’s Ramesh Ramani walks through the basics of Kubernetes audit logs and how one can use these audit logs effectively to hunt for attackers in Kubernetes clusters. Ramesh covers specific log fields to focus on and why.
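As an added illustration (not code from Ramesh's talk), the hunt below runs a few defender-side checks over constructed audit.k8s.io/v1 events: container exec/attach, service accounts reading Secrets, successful anonymous requests, and 403 counts per user as a signal of RBAC probing. The events, usernames and IPs are all made up for the example.

```python
import json
from collections import Counter

# Constructed sample audit events (audit.k8s.io/v1, level Metadata), one JSON object per line.
SAMPLE_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.1.2.3"],"objectRef":{"resource":"pods","namespace":"default","name":"web"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.9"],"objectRef":{"resource":"pods","namespace":"default","name":"web","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts"]},"sourceIPs":["10.42.0.9"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}
"""

def hunt(audit_lines):
    """Return (findings, forbidden_by_user) for the suspicious patterns below."""
    findings = []
    forbidden = Counter()
    for line in audit_lines.strip().splitlines():
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # judge only finished requests, not the RequestReceived duplicates
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        src = ",".join(ev.get("sourceIPs", []))
        where = f"{user} from {src}"
        # 1. Interactive access to a container: pods/exec or pods/attach.
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            findings.append(f"pod {ref['subresource']} in {ref.get('namespace')}/{ref.get('name')} by {where}")
        # 2. A service account successfully reading Secrets (note its own namespace vs the target).
        if (ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list")
                and user.startswith("system:serviceaccount:") and code < 400):
            sa_ns = user.split(":")[2]
            findings.append(f"secrets {ev['verb']} in {ref.get('namespace')} by {where} (SA namespace {sa_ns})")
        # 3. An unauthenticated caller whose request actually succeeded.
        if user == "system:anonymous" and code < 400:
            findings.append(f"anonymous {ev['verb']} on {ref.get('resource')} succeeded from {src}")
        # 4. Count 403s per user; a burst from one identity suggests RBAC probing.
        if code == 403:
            forbidden[user] += 1
    return findings, forbidden
```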
An extension for Lens, the Kubernetes IDE, that displays Kubernetes resources and their relations as a real-time force-directed graph, by Lauri Nevala.
Protect domains that do not send email
Make sure that domains that do not send email cannot be used for spoofing, using SPF and DMARC.
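As an added example (not from the linked guidance), this checker encodes the lock-down a non-sending domain should publish: a single SPF record of exactly "v=spf1 -all" and a DMARC record at _dmarc.<domain> with p=reject. The TXT records are constructed in a dict in place of real DNS lookups; domain names are made up.

```python
# Constructed sample DNS TXT records (not real lookups): name -> list of TXT strings.
SAMPLE_TXT = {
    "locked.example": ["v=spf1 -all"],
    "_dmarc.locked.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@locked.example"],
    "loose.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.loose.example": ["v=DMARC1; p=none"],
    "bare.example": [],
}

def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the TXT strings published at name."""
    return records.get(name, [])

def spf_locks_down(records):
    """True only if exactly one SPF record exists and its sole term is '-all'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:          # zero records = spoofable; two = permerror, also bad
        return False
    return spf[0].split()[1:] == ["-all"]

def dmarc_policy(records):
    """Return the DMARC 'p=' tag value, or None when no DMARC record is published."""
    for r in records:
        if not r.lower().startswith("v=dmarc1"):
            continue
        tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
        return tags.get("p", "").strip().lower() or None
    return None

def check_non_sending_domain(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    if not spf_locks_down(lookup_txt(domain, records)):
        findings.append("SPF missing or not 'v=spf1 -all'")
    policy = dmarc_policy(lookup_txt("_dmarc." + domain, records))
    if policy != "reject":
        findings.append(f"DMARC policy is {policy!r}, expected 'reject'")
    return findings
```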
Kernel Pwning with eBPF: a Love Story
Grapl’s Valentina Palmiotti covers eBPF basics & verifier internals, exploiting CVE-2021-3490 for local privilege escalation, debugging eBPF bytecode, exploitation techniques for DoS, info leak, and LPE, and weaknesses still in eBPF. Super detailed write-up 🤘.
Reverse Engineering for Beginners
New free workshop by Guardicore’s Ophir Harpaz covering an x86 overview, a short intro to IDA, and a number of exercises with hints.
Reverse Engineering Workshops by Malware Unicorn
Malware Unicorn’s workshops include reverse engineering 101 and 102, PE injection, macOS Dylib Injection, anti-analysis techniques, and more.
Android App Reverse Engineering 101
Maddie Stone’s workshop focuses on static analysis, covering DEX bytecode, native libraries, obfuscation, and more.
Politics / Privacy
OpenMined is an open-source community whose goal is to make the world more privacy-preserving by lowering the barrier-to-entry to private AI technologies.
With OpenMined, people and organizations can host private datasets, allowing data scientists to train or query on data they “cannot see”. The data owners retain complete control: data is never copied, moved, or shared.
Apple confirms it will begin scanning iCloud Photos for child abuse images
iOS will start scanning pictures on your device to look for known bad images. It tries to do this in a privacy-preserving-ish way, but some security professionals view this as a step in the direction of giving law enforcement backdoors. More: Wired, Stratechery, must-read Alex Stamos thread.
The Pentagon Is Experimenting With Using Artificial Intelligence To “See Days In Advance”
Basically they’re feeding ML/AI real-time data gathered by a network of sensors around the globe, including “commercially available information.” The AI can detect changes, and will trigger additional intelligence gathering to take a closer look at what might be ongoing in a location. Well on our way to Westworld Season 3.
The Jessica Simulation: Love and loss in the age of A.I.
By Jason Fagone. Your partner passes away before their time. You upload their text messages, email, and other communications to Project December, which is powered by GPT-3. Soon, you’re talking to “them” again. Wow, this was quite a read.
Rising Seas Are Coming For Big Tech Campuses. Who Will Pay To Protect Them?
Some pretty neat visualizations by NPR. Basically, a number of Bay Area communities around Google, Facebook, and others are likely going to get flooded due to global warming. Mitigations will be expensive, but who will pay for it?
Open Source Alternatives
A curated list of 200+ open source alternatives to tools that businesses require in day-to-day operations.
How the explosive growth in satellites could impact life on Earth
Satellites can be used for a variety of purposes, including: counting the number of cars in retail parking lots (like Walmart, Home Depot, etc.), monitoring activity at metal processing and storage facilities to predict metal prices and related trends, analyzing car numbers at certain hospitals to predict future pandemics, identifying and preventing illegal deforestation, assessing disasters like floods and oil leaks, providing Internet to the world, and more.
Downsides: potential surveillance abuse, space debris falling to Earth, potential interference with astronomers and current weather prediction services.