A list of websites by category, if they support 2FA, and if so, what types (SMS, phone call, email, hardware token, software token).
“Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening.” V3 includes some security fixes, initial support for profiles (e.g. DevOps, forensics, and pen testing), and a number of new tests. H/T Michael Boelen
OWASP Software Component Verification Standard v1.0
By project lead Steve Springett: “The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.” Sections: Inventory, Software Bill of Materials, Build Environment, Package Management, Component Analysis, Pedigree and Provenance.
Playing Around With The Fuchsia Operating System
Detailed post by Quarkslab, discussing the Zircon microkernel and attacking Fuchsia: the USB and Bluetooth stack, a hypervisor vmcall bug, and kernel mishandling of
A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered as vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia’s security properties.
We note however that these security properties do not - and in fact, cannot - hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS.
Fuchsia has the potential to significantly increase the difficulty for attackers to compromise devices.
System hardening in Android 11
Post by Google describing a number of hardening steps, including automatic memory initialization in both Android 11’s userspace (stack variables) and the Linux kernel (stack and heap initialization), making Scudo Android’s default native memory allocator (hardened to help detect and mitigate heap memory corruption bugs), and more.
By Jesse Li: a tool for exfiltrating data from the browser using DNS.
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
The skimmer was hidden in the Copyright EXIF metadata field of favicons.
Crooks abuse Google Analytics to conceal theft of payment card data
To conceal their data exfiltration, some attackers are sending data they’ve skimmed to an account they control on google-analytics.com, which tends to be whitelisted by site owners.
Cached and Confused: Web Cache Deception in the Wild
USENIX 2020 paper; overview article by PortSwigger’s Ben Dickson.
We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD.
PortSwigger has started a Youtube Channel
Will be interesting to see what they add over time 👍
Operator driven API security testing based on OpenAPI definition
Last Autumn Banzai Cloud open sourced dast-operator, which aims to make it easy to run OWASP ZAP as a Kubernetes operator.
dast-operator can now ingest OpenAPI definitions to feed the ZAP scan.
Kubernetes static code analysis with Checkov
Checkov now scans Kubernetes manifests and identifies security and configuration issues in Kubernetes workloads, including issues like over-privileged containers, bad image lifecycle practices, QoS and health check misconfiguration, and more.
Modular Kubernetes Lab that provides an easy and streamlined way to deploy a test cluster, by Marco Lancini. Currently supports Vault and ELK, with Prometheus and Grafana, Kafka, Istio, and more on the roadmap.
🔥 The Current State of Kubernetes Threat Modelling
Excellent blog post by Marco Lancini that ties together three main initiatives: a blog post by NCC Group’s Rory McCune, the CNCF Financial User Group, and the Kubernetes Security Audit Working Group, including an audit by Trail of Bits.
Kubernetes Trust Boundaries, from the CNCF
Kubernetes Data Flow, from the wg-security-audit
Threat Alert: DzMLT has Hidden Cryptominers in Container Images
Aqua Security found 23 Docker Hub container images that included crypto mining code, collectively downloaded over 330,000 times. To avoid detection by static security tools, many of them downloaded malicious elements hosted on GitHub at runtime.
Container Vulnerability Scanning Fun
NCC Group’s Rory McCune ran 3 open source vuln scanning tools (Anchore Engine, Clair, trivy) on 4 base images. Key takeaways:
- Even in base images, different scanners produce very different results.
- The scanning engines support different sets of base images, so keep that in mind when you’re deciding which one to use.
- Even in a fully updated base image, there can still be outstanding CVEs, depending on the update cycle of both Docker Hub and the underlying distribution.
“dankAlerts, powered by Sysmon, presents anomalies to you in text written into meme images and guides you in order to reduce false positives.”
Intel to bring anti-exploit tech to market in this year’s Tiger Lake chip family
Intel is set to debut security mechanisms known as Control Flow Enforcement Technology (CET) in its microprocessors.
Flipper Zero - Tamagochi For Hackers
Flipper is a small, pocket-sized multi-tool that aims to combine all the hardware tools needed for pentesting in a portable device. Features: 433/868 MHz transceiver, 125 kHz RFID, infrared transceiver, Arduino compatibility, can be connected to any piece of hardware that uses GPIO, can emulate a USB device and pose as a regular input device like a keyboard, built-in iButton reader/writer, etc.
Introduction to Reverse Engineering with Ghidra
A four session class, each of which contains a video, lab, and office hour component, by @wrongbaud.
Frida 12.10 Released
frida-java-bridge now supports the HotSpot JVM, which means the Java runtime bridge is no longer exclusively for Android. Frida also recently added Java.enumerateMethods(query), a brand new API for efficiently locating methods matching a given query.
Politics / Privacy
Police Brutality During the 2020 George Floyd Protests
GitHub repo with a public dataset in a structured format that is easy to slice and dice.
Russian Info Ops Putting US Police in Their Crosshairs
The Russian state-sponsored news outlet RT has been interviewing U.S. police officers and publishing their frustrations related to the protests in an effort to further divide Americans ahead of the presidential election.
An OSINT, recon & vulnerability scanner that combines many tools with different module sets in order to quickly perform recon tasks, check network firewalling, enumerate remote and local hosts, and scan for the ‘blue’ vulnerabilities within Microsoft and, if unpatched, exploit them.
Learning to Cartoonize Using White-box Cartoon Representations
TensorFlow implementation for the CVPR 2020 paper. Includes a number of neat images of cartoon-ifying landscapes, food, indoor scenes, and people.
Facebook’s newest proof-of-concept VR headset looks like a pair of sunglasses
Instead of a bulky contraption that covers most of your face. Whitepaper with details. H/T Bryant Zadegan
Video killed the conferencing star
A 6 part security analysis of videoconferencing solutions for business, covering Zoom, Microsoft Teams, Cisco Webex Meetings and Teams, Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet, and BigBlueButton. Some nice overview tables on encryption, authentication, jurisdiction, security management, and vulnerability management.
The food you buy really is shrinking
Rather than increasing the price, some food and household goods manufacturers are instead shrinking the container sizes and keeping the same price to be more profitable.
What advice would you give to your younger self?
By GitHub CTO Jason Warner. This ask me anything (AMA) repo has a number of other threads on other topics like making difficult decisions and maintaining work/life balance. H/T Daghan Altas
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!