Introducing GoKart, a Smarter Go Security Scanner
Praetorian has released GoKart, a Golang static analyzer that aims to be more precise than tools like gosec by leveraging source-to-sink tracing and single static assignment (SSA).
Great thread by my bud Travis, which he’s given me permission to backup here for easy future reference.
Introducing the Allstar GitHub App
The Open Source Security Foundation has released Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository.
Current built-in policy checks include: branch protection best practices, presence of a SECURITY.md file, ensuring users with admin privileges are members of the owning organization, and warning on binary artifacts.
Ensuring postMessage Origin Validation with Semgrep
Shopify’s Bernardo de Araujo describes the process of writing a new Semgrep rule to ensure that the origin is checked by postMessage handlers. Nice walkthrough; it includes using a new and advanced-ish feature, metavariable-pattern, and he submitted the rule to the public Registry for all to benefit from 🙌
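To make concrete what the rule is hunting for, here is an added example (not from the post or the Semgrep rule it describes) with three postMessage handlers: one with no origin check, one with the common substring-match mistake, and one with an exact allowlist check. The message format, the allowlist and the `applyCommand` action are constructed for this illustration.

```javascript
// Trusted origins must be compared exactly: scheme, host and port.
// Allowlist value is constructed for this example.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);

// Vulnerable: no origin check, so any page holding a reference to this
// window (an opener or an embedding frame) can drive the handler.
function handleMessageUnchecked(event) {
  return applyCommand(event.data);
}

// Still vulnerable: a substring test accepts
// "https://app.example.test.evil.test" and "https://evil.test/?app.example.test".
function handleMessageSubstring(event) {
  if (event.origin.indexOf("app.example.test") === -1) return null;
  return applyCommand(event.data);
}

// Hardened: exact match against the allowlist before event.data is touched.
function handleMessageStrict(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  return applyCommand(event.data);
}

// Constructed downstream action: only "setTheme" messages are honoured, so the
// return value shows whether a message was acted on (null = ignored).
function applyCommand(data) {
  if (!data || data.type !== "setTheme") return null;
  return "theme:" + String(data.theme);
}

// Registration as it would appear in page code; guarded so the module also
// loads outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessageStrict);
}
```

Running the three handlers against a message from a look-alike origin shows that only the exact-match version ignores it.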
Tool by Tarunkant Gupta that generates Gopher payloads for exploiting SSRF and gaining RCE on various servers. Currently has payloads for MySQL, PostgreSQL, FastCGI, Memcached, Redis, Zabbix, and SMTP.
A script to quickly enumerate websites across your organization’s networks and query for known web technologies and versions, such as those with known vulnerabilities. Aims to address the problem mid to large sized organizations have with decentralized administration, where it can be almost impossible to track all of the web technologies deployed by various administrators distributed across different units and networks. Uses DNS zone transfers, masscan, Python requests, and Wappalyzer.
HTTP/2: The Sequel is Always Worse
Portswigger’s James Kettle is back with more epic research, presented at Black Hat and DEF CON.
I’ll introduce multiple new classes of HTTP/2-exclusive threats caused by both implementation flaws and RFC imperfections.
I’ll start by showing how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon’s Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. These achieve critical impact by hijacking clients, poisoning caches, and stealing credentials to net multiple max-bounties.
Introducing Unattended Project Recommender: discover, reclaim, or deprecate abandoned projects under your organization
Google’s Dima Melnyk and Bakh Inamov share a new feature of Active Assist that uses machine learning to identify projects that are likely abandoned based on API and networking activity, billing, usage of cloud services, and other signals.
By Microsoft’s Roberto Rodriguez: “This tool is an event-driven, serverless compute application built on the top of Azure Functions that expedites the research process and assessment of security controls.”
How to create IAM roles for deploying your AWS Serverless app
By Paul Swail: A detailed guide to creating least privilege IAM roles for serverless apps, with a focus on deploy-time actions, including handling deploying across multiple AWS accounts.
Kontra AWS Top 10
“Free interactive training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.”
Exploring Kyverno: Introduction
Think OPA is too complex? Chip Zoller describes Kyverno, “an open-source policy engine built specifically for Kubernetes to not only validate and ensure requests conform to your internal best practices and policies, but to modify those requests if needed and even create new objects based on a variety of conditions.”
Tool by Kaspersky Labs that allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point. It can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs), for example, to detect stalkerware or other spyware.
The Red Team Vade Mecum
Short, actionable, red team notes on privilege escalation, enumeration, execution, initial access, lateral movement, code injection, defense evasion, persistence, and more.
Hacking G Suite: The Power of Dark Apps Script Magic
DEF CON talk by Snapchat’s Matthew Bryant that covers phishing, persistence, lateral movement, accessing data, bypassing protective measures like U2F, OAuth app allowlisting, and locked-down enterprise Chromebooks, and more.
He also released PaperChaser, a Google Drive/Docs/Sheets/Slides Enumeration Spider.
A multi-tool for building, analyzing, and hacking USB devices, by Great Scott Gadgets. Supports performing MitM attacks on USB communications and other features for USB reverse engineering and security research.
Politics / Privacy
A tool by MIT grad student Anish Athalye to find target hash collisions for Apple’s NeuralHash perceptual hash function. Released *checks watch* less than a month after Apple announced CSAM.
Apple Defends Its Anti-Child Abuse Imagery Tech After Claims of ‘Hash Collisions’
More context from Vice.
An Afghan woman in Kabul: ‘Now I have to burn everything I achieved’
Early on Sunday morning I was heading to university for a class when a group of women came running out from the women’s dormitory. I asked what had happened and one of them told me the police were evacuating them because the Taliban had arrived in Kabul, and they will beat women who do not have a burqa.
MacKenzie Scott’s Money Bombs Are Single Handedly Reshaping America
Interesting overview of the organizations that have received grants.
With almost $8.6 billion in gifts announced in just 12 months, Scott has vaulted to the tippy top of philanthropic giving, outspending the behemoth Gates and Ford Foundations’ annual grants — combined.
Burned-out Bay Area home lists for $850,000, and offers are rolling in
This week, on “prices in the Bay Area are stupid”, a burned-out family home in Walnut Creek is pending sale after multiple offers flooded in only 6 days after hitting the market. Eight offers came in, with more on the way, and a sale is expected “significantly over list price.”
Thanks for reading!