tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
I hope you had an awesome holiday break and New Years, and that you’re not too sore from going to the gym every day since Jan 1.
One Christmas tradition my family has, that I’m fond of, is that my siblings and I pick up a live Christmas and then set it up in our living room. Per tradition, my mom asks us, “Hey, get a nice sized tree, maybe 7 - 8 feet, not like last year.”
And per tradition, my siblings and I pick up a tree that’s at least 10 - 12 feet tall.
(For reference, I'm 6 ft tall)
This issue is a bit longer than most, as I took a few weeks off and there’s much to catch up on.
This week I’m at NCC Con in San Diego, an annual internal-only conference NCC Group holds where security consultants from all over gather to give trainings, present research they’ve done, and talk shop over beverages (like orange juice).
It’s neat to see the early stages of research that will later be presented on major stages like BlackHat and DEF CON. Definitely one of my favorite events all year.
🎁 Epic Post Next Week
I’ve been working hard for the past few months on one of the more ambitious writing projects I’ve ever tried to tackle. It’s taken me a few hundred hours, and I’m not aware of any post quite like it.
I hope you like it! If you do, I’d greatly appreciate your help in sharing it with any friends/colleagues who you think would find it useful 🙏
I’m not going to say what it’s about, but it relates to some upcoming events…
📜 In this newsletter...
Getting into Security: Tanya Janca on the various roles in security, John Opdenakker's list of useful learning resources
Cloud Security: AWS IAM analyzer, 21 AWS PrivEsc techniques, Docker wrapper for AWS tools, demystifying AssumeRole and sts:ExternalId, Adopting AWS VPC Endpoints at Square
Securing Terraform & CloudFormation Scripts: Several tools that will scan Terraform or CloudFormation scripts for insecure configurations
Beyond Beyond Corp: Google BeyondProd whitepaper + overview by Maya Kaczorowski, whitepaper on how Google does code provenance, NCSC's zero trust architecture design principles
Programming: Computer Science from the Bottom Up, Rosettagit: solutions to the same task in many languages
AWS IAM Access Analyzer
IAM Access Analyzer aims at making it easy to check that your policies provide only the intended access to resources. After enabling it in the Console, IAM Access Analyzer will continuously analyze permissions granted using policies associated with your S3 buckets, KMS keys, SQS queues, IAM roles, and Lambda functions. “…uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.” Currently free!
Amazon Web Services’ AssumeRole operation accepts an optional parameter called “sts:ExternalId” which is intended to mitigate certain types of attacks. However, both the attacks that sts:ExternalId mitigates and how to properly use it are widely misunderstood, resulting in large numbers of vulnerable AWS-based applications. This post aims to describe what std:ExternalId does, when to use it, and how to use it.
Adopting AWS VPC Endpoints at Square
Square describes how they use VPC endpoints to access AWS services without giving the VPC resources direct Internet connectivity, and ensure only their own resources are accessed, with a Shared VPC model.
Securing Terraform & CloudFormation Scripts
Here are several tools that will scan Terraform or CloudFormation scripts for insecure configurations.
liamg/tfsec - “Static analysis powered security scanner for your terraform code.”
BeyondCorp applied zero-trust principles to define corporate network access. At the same time, we also applied these principles to how we connect machines, workloads, and services. The result is BeyondProd.
In BeyondProd, we developed and optimized for the following security principles:
Protection of the network at the edge
No inherent mutual trust between services
Trusted machines running code with known provenance
Choke points for consistent policy enforcement across services, for example, ensuring authorized data access
Simple, automated, and standardized change rollout, and
For developers, the best part is that these security controls are built directly into the tools they use. You can address security issues earlier, when it’s less costly, and do so in a standardized and consistent way.
You can’t make a change to cloud-native (containers, microservices) in your infrastructure, without also changing your dev practices. (You’re missing the point, and missing out on the security benefits.)
TL;DR: Moving to a cloud-native infrastructure let Google meet stronger security principles. BeyondProd assumes no trust between services, isolation between workloads, verified deployments, and centralized policy management.
In this whitepaper we describe Google’s code review process, its provenance, and the need for enforcement mechanisms. We focus on the development of a specific enforcement check - Binary Authorization for Borg (BAB). The goal of BAB is to reduce insider risk by ensuring that production software deployed at Google is properly reviewed and authorized, particularly if that code has the ability to access user data.
Presents “solutions to the same task in as many different programming languages as possible. It demonstrates how languages are similar and different and can help you learn new approaches to solving problems.”
Takes an API specification as input and creates a series of attacks based on the specification. No human intervention needed, but it can be extended if there are particular types of attacks you’d like to do.
Detecting unsafe path access patterns with PathAuditor
Tool from Google to find file access related vulnerabilities. “PathAuditor is a shared library that can be loaded into processes using LD_PRELOAD. It then hooks all filesystem related libc functions and checks if the access is safe. For that, we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable.” Source code on GitHub
A collection of various awesome lists for hackers, pentesters and security researchers. Links to various awesome-<topic> repos on GitHub on topics like asset discovery, fuzzing, bug bounty, and more.
Dive into Deep Learning
An interactive deep learning book with code, math, and discussions, based on the NumPy interface.
On Linux’s Random Number Generation
NCC Group’s Thomas Pornin gives some interesting details about how random number generation on Linux works and its history. If you’re into crypto, I’d highly recommend checking out Thomas’ work, as he’s brilliant.
Notwithstanding its flaws, the entropy depletion theory got its followers early on, and was adamantly maintained by some big names in Linux kernel development, mostly because it is quite hard to admit to other people, and to oneself, that one might have got something wrong.
It’s still early stages but WebAuthn seems to be picking up steam. This page has a nice overview and a bunch of code examples.
The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO. The API allows servers to register and authenticate users using public key cryptography instead of a password, using strong identifiers now built into devices, like Windows Hello or Apple’s Touch ID.
How to Track President Trump
Article by the NY Times Privacy Project on the impact of services that aggregate and sell location data. They obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in the US, consisting of a random sample from 2016 and 2017. The page has some neat (😅) visualizations of people going about their day.
Location data could become a powerful political tool, exposing the private lives of wealthy elites who prefer to adopt a more egalitarian persona. It is not difficult to imagine efforts to undermine a political campaign by exposing travels through private airports or visits to expensive restaurants and luxurious spas.
Share with Friends Who Have “Nothing to Hide”
If you’re in security, you’re probably well aware of the dangers and implications of location data. One thing I think this article did really well is explaining in a non technical way all the bad things that could be done with this data, like determining the identities of government officials working in sensitive roles (e.g. tracking people from the Pentagon or other buildings to their homes), blackmail and extortion (affairs, visits to Planned Parenthood, etc.), help with social engineering, kidnapping, and more.
This is a good article to bookmark to share with friends or relatives who don’t think aggregating location data is a big deal.
Creepy or convenient? Big data is big business in China
A woman saw her friend’s face on a “traffic violator exposure screen,” which uses cameras set up at intersections that automatically detect pedestrians and cyclists running red lights or committing other traffic violations. The images are matched with local authority databases to identify the individual, and their face appears on the monitor within five minutes. It is said that over 95% of wrongdoers can be identified. Violators are contacted by police and fined.
“If we combine their shopping and call records with various surveillance camera images and analyze the data, we can identify, to a certain degree, who has deep connections with the person in question,” a company representative said. “There are privacy issues with this, so we haven’t put it into practice, but from a technical standpoint, it’s quite possible,” the representative added with a smile.
Images of pedestrians captured on cameras on busy streets are analyzed by artificial intelligence systems. These are compared with a database of wanted suspects, and if there is a match, police are immediately notified. … It has been used to arrest more than 10,000 people in over 5,000 crimes by September 2018.
Mike Bloomberg is plowing millions of $ into a secretive tech firm
The company is called Hawkfish, and it provides “digital ad services, including content creation, ad placement and analytics.” Bloomberg started Hawkfish to be a counteracting force in how effectively Trump and Republicans used digital platforms and social media better than Democats in 2016. Bloomberg has already spent at least $13 million on Facebook and Google spots and said he plans to spend over $100 million on anti-Trump digital ads. Hawkfish will be working to support Democrats in a variety of elections, not just Bloomberg’s campaign, and the team includes former Facebook and Foursquare executives. Since any regulation of political ads or limitations on voter targeting seems unlikely, “if you can’t beat’em, join ‘em” ¯_(ツ)_/¯
Banned recording reveals China ambassador threatened Faroese leader at secret meeting
China’s ambassador to Denmark threatened the Faroese prime minister that a trade agreement with China would not be signed unless they signed a 5G contract with Huawei. This “marks the first (public) instance where the Chinese government has linked access to China’s huge market to Huawei being awarded contracts for 5G networks in Europe. Huawei has publicly stated that it is a private company with no ties to the Chinese state.” This is unsurprising, of course there are strong ties between the Chinese government and most large Chinese companies, this has been shown again and again.
Twitter on Work Culture
There were a number of people on Twitter talking about work/life balance, career advancement, and tradeoffs. It was interesting to read, as it’s something I struggle with too.
Here are a few snippets, let me know if there were any others you found useful.
I did years of overwork, for the security community (e.g. presos, trainings, books in personal time), as an employee, and as a founder. It came at a cost from other important parts of a healthy, normal life. I still have to work, but now strive for balance.
For years, my hobby was doing all of things that I’m known for and 99% was outside of work hours and independent of my actual job. I got to speak around the world, meet a bunch of awesome people, and had a blast. But I had more friends around world than in the city I lived in.
Working my tail off for small companies or companies that I founded also came at similar personal life costs. Every book I wrote and company I founded left a failed relationship in its wake. People brag about their hustle on Twitter, but rarely talk about the true costs.
Looking back, there were some painful and expensive lessons along the way, but you can’t predict what will be a good investment of time. Either way, life’s too short to spend any of it around toxic people or in toxic situations.
Shopify grew up very far from the primary places where people build companies. For its founders, this company was our first real Job. If the startup ecosystem is a Darwinian struggle for survival, Ottawa is the Galapagos islands.
I’ve never worked through a night. The only times I worked more than 40 hours in a week was when I had the burning desire to do so.
For creative work, you can’t cheat. My believe is that there are 5 creative hours in everyone’s day. All I ask of people at Shopify is that 4 of those are channeled into the company.
We are not moist robots. We are people and people are awesome. What’s even better than people are teams. Friends, that go on journeys doing difficult things.
When I hire someone at Shopify we can make the assumption that we work together for a decade. There are a lot of things that changes. And most of Shopify’s advantage comes from there. For example:
The value equation changes entirely. In some places average tenure is only 18 months. Yes, you might want to work everyone 80 hours to make that work. On-boarding is expensive so you skip it. You need value day 1. The relationship is exploitative.
We don’t need that. We can hire on future potential and help people get there quickly. Junior employees are put together with seasoned vets and sometimes coaches to help them get there. We are all on the same side of the table and want the same.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them🙏