By Jonas Lejon: “Generate ten different malicious pdf files with phone-home functionality. Can be used with Burp Collaborator. Used for penetration testing and/or red-teaming.”
A Rust library and command line tool to harden Electron binaries against runtime behavior modifications.
Some interesting comments in this thread. I’ve taken a few snippets that touch on things I’ve seen successful across a number of companies (bolding mine).
NetSuite’s John Melton:
I … disagree. SAST (like all tools) has limits. Out of the box, sure, it’s got issues. But targeted SAST, custom rules, etc. are really solid. I particularly like using SAST to enforce invariants rather than finding bugs.
Netflix’s Patrick Thomas:
If choosing to invest in either “build SAST that detects bad impl of <thing>” or “build clearly secure component for <thing> & a way to assert usage”, I’m door #2 for sure.
All-around baller Jim Manico:
SAST is horrible when you run it at scale with no customization and just throw raw results back at developers. This is a path to total failure. Maturing a SAST program takes per-app customization.
Marqeta’s Ronnie Flathers:
I think SAST is much better as a scalpel than a shotgun - i.e. I know my code bases well and these are very specific issues and anti-patterns I want to surgically hunt down and prevent. Then write custom rules and use a fast engine like @semgrep in a pipeline as a guardrail (2/2)
Anti-Debug JS/WASM by Hand
Inside Figma: securing internal web apps
Figma’s Max Burkhardt describes their system to securely provide access to internal apps using AWS ALBs, Cognito, Okta, and Lambdas. Loved the details on getting fine-grained access control right.
The discerning tl;dr sec reader might recall Hongyi Hu’s AppSec Cali 2019 talk on how Dropbox secures internal apps (my summary), which is still one of my favorite talks on modern security engineering, highly recommend it. In fact, Dev Akhawe and Hongyi were at Dropbox, and are now on Figma’s security team with Max. Small world!
The last S3 security document that we’ll ever need, and how to use it
A 163-page threat model of S3 by TrustOnCloud’s Jonathan Rault covering:
- Best practices (best security/effort ratio)
- Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
- Onboarding for large enterprises/agencies
- Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan
Threat Hunting with Kubernetes Audit Logs - Part 2
Square’s Ramesh Ramani walks through threat hunting using ATT&CK for Containers.
- Execution: Finding repeated
- Persistence: Unusual cronjob creation failures
- Privilege Escalation: Users being given “cluster-admin” access
- and more
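As an added example (not code from the article), two of the hunts above expressed as detection logic over Kubernetes audit events: successful (Cluster)RoleBinding writes that reference the cluster-admin ClusterRole, and forbidden cronjob creations. The audit events are constructed samples with only the fields the hunts need; the field names follow the Kubernetes audit event schema.

```python
import json

# Constructed sample audit events (one JSON object per line), not taken from the article.
# Real events carry many more fields; only those the hunts below need are present here.
SAMPLE_AUDIT_LOG = r'''
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"clusterrolebindings","name":"alice-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"alice"}]},"responseStatus":{"code":201}}
{"verb":"get","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"system:serviceaccount:dev:ci"},"objectRef":{"resource":"cronjobs","namespace":"dev","name":"sync"},"responseStatus":{"code":403,"reason":"Forbidden"}}
{"verb":"create","user":{"username":"carol"},"objectRef":{"resource":"rolebindings","namespace":"dev","name":"dev-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"deploy","namespace":"dev"}]},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"dave"},"objectRef":{"resource":"rolebindings","namespace":"dev","name":"dev-view"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"User","name":"dave"}]},"responseStatus":{"code":201}}
'''

def parse_events(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def cluster_admin_grants(events):
    """Successful (Cluster)RoleBinding writes whose roleRef is the cluster-admin ClusterRole.
    Needs requestObject, i.e. audit policy level Request/RequestResponse on RBAC resources."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        role = ev.get("requestObject", {}).get("roleRef", {})
        if (ev.get("verb") in ("create", "update", "patch")
                and ref.get("resource") in ("clusterrolebindings", "rolebindings")
                and ev.get("responseStatus", {}).get("code", 0) < 300
                and role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin"):
            hits.append({"actor": ev["user"]["username"], "binding": ref.get("name"),
                         "namespace": ref.get("namespace", "<cluster-wide>"),
                         "subjects": ev["requestObject"].get("subjects", [])})
    return hits

def cronjob_create_failures(events):
    """Forbidden cronjob creations: an identity trying to persist without the RBAC to do so."""
    return [{"actor": ev["user"]["username"], "namespace": ev["objectRef"].get("namespace"),
             "name": ev["objectRef"].get("name")}
            for ev in events
            if ev.get("verb") == "create"
            and ev.get("objectRef", {}).get("resource") == "cronjobs"
            and ev.get("responseStatus", {}).get("code") == 403]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for hit in cluster_admin_grants(evs):
        print("cluster-admin granted:", hit)
    for hit in cronjob_create_failures(evs):
        print("cronjob creation forbidden:", hit)
```

Note that a RoleBinding to the cluster-admin ClusterRole is namespaced but still grants full control of that namespace, which is why both binding kinds are checked.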
Tool by Armosec to determine if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.
macOS 11’s hidden security improvements
Malwarebytes discusses some lesser-known security changes they found by diffing the macOS 11 and 10.15 SDKs, including CPU security mitigation APIs, endpoint security API improvements, and a new O_NOFOLLOW_ANY flag that can mitigate an entire family of potential vulnerabilities.
Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems
Data by Trend Micro: from “50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a PoC.”
Linux Privilege Escalation - Package Managers
Michael Ikua describes how to escalate privileges when you can’t sudo but you can use package managers.
Politics / Privacy
Interesting discussion on the political and economic competition between the U.S. and China, by Prof Galloway.
The Taliban Have Seized U.S. Military Biometrics Devices
The U.S. military spent years gathering biometric data like iris scans and fingerprints of Afghans helping them. That data is now in Taliban hands, and could be used to target them. This is what’s so dangerous about surveillance tech and PII: you don’t know who will be elected or seize power, and how they may abuse it.
Opinion | We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous
Princeton University professor Jonathan Mayer and PhD candidate Anunay Kulshrestha wrote a peer-reviewed paper on building a system for detecting child sexual abuse material in encrypted images, but concluded it was too dangerous, as it could be easily repurposed for surveillance and censorship.
We’re not concerned because we misunderstand how Apple’s system works. The problem is, we understand exactly how it works.
OnlyFans CEO on why it banned adult content: ‘the short answer is banks’
Article by the Verge.
And this thread has some pretty interesting context around various groups’ attempts to attack the sex industry, using sex trafficking and other bad things as a proxy.
Last minute update: OnlyFans has reversed course and will not ban adult content.
Mandatory Team Fun Time
Twitter’s Ronnie Chen describes a practice she created which allowed their distributed team to have a day of fun. Guidelines:
- You are strictly forbidden from spending your offsite time on catching up on work, chores, or other obligations and commitments.
- Select an activity or activities that you would not otherwise have time to do that you find delightful, meaningful, serene, challenging, relaxing, amusing, awe-inspiring, satisfying, or intriguing.
Burning out and quitting
A powerfully honest and great post by my friend Maya Kaczorowski (HN discussion). I’m not going to lie, reading this from someone as brilliant and productive as Maya made me feel a little better about my (probably continuing) feelings of burnout during the pandemic.
It’s not a single thing - like a specific work stressor - that caused my burnout. It was the neverending treadmill of yet another day’s worth of useless meetings, with a TODO list that only grows, while you get less and less done on it every day. There isn’t a single moment that causes burnout, but there is a single moment when you realize it - that what you’re doing is impossible, insurmountable, unachievable - and that you don’t care. You can’t do it. And you don’t want to anyways.
End to end, it’s taken 6 months to realize I was burnt out while trying (and failing) to work, 3 months to recover, and then 2 months of vacation to feel excited to work again - which is longer than I ever would have expected. But I’m so happy I gave myself the time I needed.
Bringing the Unix Philosophy to the 21st Century
Kelly Brazil describes his tool jc, which parses the output of a number of *nix commands into nicely consumable JSON. If you like the idea of piping a bunch of security tools together, Unix-style, check out my summary of Daniel Miessler’s Red Team Village talk, Mechanizing the Methodology.
Thanks for reading!