A Midwinter Night’s Con Playlist
There were a number of great talks, see the abstracts here.
Fixing a Google Vulnerability
“I reported a vuln, why won’t they fix it?!” This post by Dylan and Allison Donovan is an interesting behind the scenes look at the process behind getting a vulnerability fixed at a massive tech company (re: their GCP privilege escalation and lateral movement research presented at Black Hat and elsewhere). There are often competing interests even when everyone has the best intentions; for example: product managers tend to prioritize widespread adoption of their feature or product, new features, and not breaking backwards compatibility.
Tool by Daniel Cuthbert’s Santander security team to find Cross-Origin Resource Sharing (CORS) misconfigurations.
Template Injection in Action
A 2-hour workshop in server-side template injection (SSTI) by GoSecure with 6 labs: how to identify template engines, and then exploiting template engines in PHP (Twig), Python (Jinja2, Tornado), and Java (Velocity, Freemarker).
Subdomain Takeover: Going for High Impact
Patrik Hudak describes how to demonstrate a maximum impact for subdomain takeovers using stored XSS on the victim domain, account takeover, CSRF, and authentication bypass.
A list of services and how to claim (sub)domains with dangling DNS records, by @EdOverflow.
AWS’ worst public security mistakes and delays in fixes of 2020
Neat, detailed thread by Scott Piper referencing a ton of bugs external researchers found. Ties a broad range of things together and puts them in perspective in a nice way.
Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues
Nice overview by Christophe Tafani-Dereeper of a number of tools (Checkov, Regula, Terraform-compliance, Terrascan, tfsec) with examples of custom check writing and more.
“afl++ is afl (American Fuzzy Lop) with community patches, QEMU 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!”
Politics / Privacy
Apple’s App ‘Privacy Labels’ Are Here—and They’re a Big Step Forward
Apps in the Mac and iOS App Stores will display mandatory labels of what data they collect and what they do with it. The labels have three categories: Data Used to Track You, Data Linked to You, and Data Not Linked to You, with bullet points for each detailing what the app has going on under the hood. I think this is a step in the right direction, but there are a few challenges: the privacy is self-reported by the app developer (honor system), and apps often include third party analytics libraries that may obtain and use sensitive user info in ways unbeknownst to the development team.
Definitely Not Scary Tech Advancements
Boston Dynamics: Do You Love Me?
These delightful dancing robots will briefly make you forget their inevitable, devastating future. Dancing, fluid movements, balancing on one leg – they are genuinely a marvel of engineering. I thought this would take longer, but after this video, I’d give it 2-5 years tops before robots start being used (more) regularly by the military and displacing massive amounts of warehouse workers. Also, you can watch one parkour. In unrelated news, I’m watching Battlestar Galactica.
DeepMind’s latest AI can master games without being told their rules
DeepMind’s latest AI, MuZero, didn’t need to be told the rules of go, chess, shogi and a suite of Atari games to master them. Instead, it learned them all on its own and is just as capable or better at them than any of DeepMind’s previous algorithms.
While we’re not there yet, MuZero is the closest researchers have come to developing a general-purpose algorithm. The subsidiary says MuZero learning capabilities could one day help it tackle complex problems in fields like robotics where there aren’t straightforward rules.
France Approves Bionic Cyborg Soldiers
I mean, what could go wrong? 😅
OSINT / Recon
“A modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams,” by CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg.
Recon suites & Subdomain tools review
@Six2dez1 presents the pros, cons, and features of over 30 recon and subdomain tools.
Whose Life Are You Living?
Powerful article by Daniel Miessler on not just letting life happen to you, but pursuing what truly makes you feel alive.
Look at what you wanted to be. Look at what you are. How far apart are they? If there’s a big difference there, look at how to close it.
Awesome new post by Scott Piper covering initial access, recon, lateral movement, exfiltration, and defenses against each.
You know it’s good when you get comments on r/netsec like this 😂
If you like the post and want to help share it on LinkedIn or Twitter, that’d be cool.