Now you C me, now you don’t: An introduction to the hidden attack surface of interpreted languages
Just because you’re using an interpreted language doesn’t mean you’re safe from memory safety issues. Bas Alberts describes the attack surface of targeting interpreters, and gives 3 case studies: Perl format strings, deserialization in PHP, and Python’s
How to Find Vulnerabilities in Code: Bad Words
Will Butler describes an underrated technique for finding serious security vulnerabilities in code: searching for words that “sound dangerous.” Others and I found this surprisingly effective as security consultants. Examples include:
insecure, and more.
GitHub: Code scanning is now available!
CodeQL / Semmle is now generally available on GitHub. In another blog post, GitHub also announced a number of third-party static analysis and developer security training GitHub Actions and Apps available on the GitHub Marketplace. It’ll be interesting to see how GitHub handles third-party SAST tools, given that they compete with CodeQL, and whether they’ll have to pay an Apple App Store-esque extortion market fee.
HTTP Desync Attacks in the Wild and How to Defend Against Them
Imperva describes several types of HTTP desync attacks they’ve observed in practice and several defenses they’ve implemented to protect against them.
The Powerful HTTP Request Smuggling
Detailed write-up on how Ricardo Iramar dos Santos was able to exploit HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program.
An HTTP Request Smuggling / Desync testing tool written in Python 3 by Evan Custodio.
The DDoS That Almost Broke the Internet
Rather than attacking our (Cloudflare) customers directly, they started going after the network providers CloudFlare uses for bandwidth.
Anycast means that if the attacker attacked the last step in the traceroute then their attack would be spread across CloudFlare’s worldwide network, so instead they attacked the second to last step which concentrated the attack on one single point. This wouldn’t cause a network-wide outage, but it could potentially cause regional problems.
Great overview of common JWT issues and how to use JWTs safely, by Michał Sajdak.
OAuth 2.0 Security Best Current Practice
Updated working document from the Internet Engineering Task Force (IETF) describing security best practices for OAuth 2.0. “It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.”
Enter the Vault: Authentication Issues in HashiCorp Vault
Two serious bugs in Vault’s gcp authentication methods, by Project Zero’s Felix Wilhelm.
In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play. Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.
By @an0n_r0: Deploy a small, intentionally insecure, vulnerable Windows Domain as an RDP Honeypot fully automatically.
Salesforce policy deviation checker by NCC Group’s Jerome Smith. The tool reveals which Profiles have become desynchronised from Organization level policies, and reviews each one’s password policies and session settings to highlight any deviations from those set at the Organization level.
Graphology of an Exploit - Hunting for exploits by looking for the author’s fingerprints
Fascinating blog post by Check Point’s Itay Cohen and Eyal Itkin in which they differentiate between the people writing malware and those developing the exploits malware uses, and fingerprint two exploit developers. The post analyzes the exploit authors’ clientele, how they improve technically over time, and more.
The set of exploit-related artifacts that they looked for
Can We Have “Detection as Code”?
Anton Chuvakin makes the case for making detection logic automated, systematic, repeatable, predictable, and shareable.
- Detection content versioning: understand what specific rule or model triggered an alert, even in the past.
- Proper “QA” for detection content: test for broken alerts (e.g. those that never fire, false positives/negatives) and gaps in detection overall.
- Content (code) reuse and modularity of detection content: rules, signatures, analytics, algorithms, etc.
- Cross-vendor content: e.g. Sigma, YARA, YARA-L
- Cross-tool detection content: e.g. looking for a hash in EDR data and also in NDR; and in logs as well.
- Metrics and improvement: Get better over time
- Goal: build a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in various product(s).
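As an added example (not from Anton’s post or any product), here is a minimal sketch of those points in Python: rules as versioned data, alerts that record exactly which rule content fired, one rule evaluated across several tools’ telemetry, and QA checks for dead rules and false positives. The sample events and the indicator value are constructed.

```python
import hashlib
import json

# Constructed sample telemetry: the same indicator seen by EDR and by the web
# proxy (the "cross-tool" point: one rule, several data sources).
BAD_HASH = "ab" * 32  # constructed placeholder indicator, not a real IoC
EVENTS = [
    {"source": "edr", "host": "ws01", "sha256": BAD_HASH, "proc": "update.exe"},
    {"source": "proxy", "host": "ws01", "sha256": BAD_HASH, "url": "http://example.invalid/u"},
    {"source": "edr", "host": "ws02", "sha256": "cd" * 32, "proc": "notepad.exe"},
]

# A rule is plain data: versioned, reusable, and diffable in git.
RULES = [
    {"id": "ioc-known-bad-hash", "version": 2, "sources": ["edr", "proxy"],
     "where": {"sha256": BAD_HASH}},
    {"id": "never-fires", "version": 1, "sources": ["edr"],
     "where": {"proc": "definitely-not-running.exe"}},
]

def fingerprint(rule):
    """Stable hash of the rule content, so an old alert can be traced back to
    the exact logic that produced it (content versioning)."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()[:12]

def matches(rule, event):
    """A rule fires when the event comes from a covered source and every
    field in `where` equals the expected value."""
    return event.get("source") in rule["sources"] and all(
        event.get(k) == v for k, v in rule["where"].items())

def run(rules, events):
    """Evaluate every rule over every event; each alert carries rule id, version and fingerprint."""
    return [{"rule": r["id"], "version": r["version"], "fingerprint": fingerprint(r),
             "host": e.get("host"), "source": e.get("source")}
            for r in rules for e in events if matches(r, e)]

def qa(rule, positives, negatives):
    """Detection QA: a rule must fire on its known-true samples and stay quiet
    on known-benign ones. Returns a list of findings (empty means it passes)."""
    findings = []
    if not any(matches(rule, e) for e in positives):
        findings.append(f"{rule['id']}: never fires on its positive samples")
    for e in negatives:
        if matches(rule, e):
            findings.append(f"{rule['id']}: false positive on {e}")
    return findings

def qa_all(rules, events):
    """Gap check across the corpus: rules with zero hits are candidates for dead content."""
    return [r["id"] for r in rules if not any(matches(r, e) for e in events)]
```

Running `run(RULES, EVENTS)` yields two alerts (one from EDR, one from the proxy) and `qa_all(RULES, EVENTS)` flags the dead rule; in a CI pipeline the `qa` checks would gate merging a rule change.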
IoT-PTv/List-of-Tools: List of the tools and usage
A list of various hardware and IoT security tools: firmware reverse engineering, dynamic analysis, bluetooth, radio assessment, etc.
Metasploit — A Walkthrough Of The Powerful Exploitation Framework
Nice overview by Manish Shivanandhan of the various components in Metasploit.
Politics / Privacy
Academic study by Arvind Narayanan et al.
At Princeton CITP, we were concerned by media reports that political candidates use psychological tricks in their emails to get supporters to donate. So we collected 250,000 emails from 3,000 senders from the 2020 U.S. election cycle. Here’s what we found. https://electionemails2020.org
Smart male chastity lock cock-up
A smart Bluetooth male chastity lock - what could go wrong? In a twist that should surprise precisely no one, the API had flaws allowing anyone to remotely lock all devices and prevent users from releasing themselves (removal then requires an angle grinder or similar), and the API also leaks precise user location data, personal info, and private chats. Also, TIL internetofdon.gs exists, a project dedicated to testing the security and privacy of… adult IoT devices.
Grocery Store Argument: The Musical
Twitter thread: A guy records himself dramatically singing in a grocery store, and then a bunch of other users add themselves to his base video with various harmonizing parts. Pretty impressive and fun.
Thanks for reading!