tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog here)
 

Hey there,

I hope you’ve been doing well!


Holiday Weekend

I spent some time last weekend hanging out with a visiting friend, and we went to the Museum of Modern Art.

If you also live in the U.S., I hope you had a relaxing Labor Day weekend, and that there was no firefighting.

I never thought I’d say this, but the NSA director actually dropped a pretty good meme 👍


100 Issues & Over 8,000 Subscribers!

This week is the 100th issue of tl;dr sec, and it’s surpassed 8,000 subscribers! 🎂

This newsletter started about 2.5 years ago as an email I sent to a handful of friends who I had manually added to the list, after asking them 1:1 for permission.

Later, I remember sweating and shaking a bit before clicking the “Send” button every week, as there were now ~300 subscribers, many of whom I didn’t know! I was scared of embarrassing myself, bringing shame upon my family, etc.

Thankfully, that has (mostly) not happened.

For everyone who’s reached out with kind words over the years: thank you. Your kindness, and knowing you find tl;dr sec useful, has inspired me and kept me going.

I’m honored you let me share great security content with you, and here’s to many more years!

Lessons Learned
I’m planning to write up some reflections and lessons learned about this journey.

What would you like to know?

Feel free to reply directly. I’d love to hear what you’d find most interesting or useful so I can make sure to include it.

Sponsor


📢 Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing

The general approach to web app pentesting should include testing APIs. There’s a number of tools to choose from, but when the pentester doesn’t include fuzzing in her methodology, this can leave a number of critical vulnerabilities undetected. Alissa Knight and Detectify released new security research to show how fuzzing APIs will reveal more vulnerabilities. Get your copy of the Go Fuzz Yourself whitepaper.

Learn how to use fuzzing to security test APIs
📜 In this newsletter...
  • AppSec: Getting the max security from your C compiler
  • Web Security: Effective web app authorization testing, GraphQL server fingerprinter, GraphQL security guide, survey of API token types, JavaScript anti-debugging
  • Cloud Security: Open source Cloud Security Posture Management tools, replacing SSH with AWS systems manager, replacing bastion hosts in GCP
  • Container Security: Kubernetes is too complex, visual guide to troubleshooting Kubernetes deployments
  • Politics / Privacy: Distinguishing hacktivists on the Risky Biz newsletter, how to find hidden cameras, China's been stealing >$200B in IP from U.S. for 20 years, Australian politician remixed
  • Visualizations: What happens when you type a URL into a browser, Linux kernel defense map, defense oriented infosec infographics
  • The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles: It's OK to do stuff for fun

AppSec

Getting the maximum of your C compiler, for security
Airbus Security Lab’s Raphaël Rigo and Sarah Zennou list the flags you should use in GCC, Clang or MSVC, in order to: detect the maximum number of bugs or potential security problems, enable security mitigations in the produced binaries, and enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.
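As an added illustration (not the Airbus post’s own flag list), here is one way to organise GCC/Clang flags around the three goals above in a Makefile; it assumes a Linux x86-64 toolchain and source files `main.c` and `fuzz.c`:

```makefile
# Added illustration, not the flag list from the Airbus Security Lab post.
# Assumes a Linux/x86-64 GCC or Clang toolchain (MSVC uses different flags).
CC  ?= gcc
SRC := main.c      # assumed application source

# 1. Detect more bugs at compile time: warnings that flag real defects.
WARN := -Wall -Wextra -Wformat=2 -Wconversion -Wimplicit-fallthrough \
        -Werror=format-security

# 2. Security mitigations baked into the produced binary.
#    _FORTIFY_SOURCE is a no-op below -O1, so keep -O2 with it.
#    -fstack-clash-protection needs GCC 8+/Clang 11+, -fcf-protection x86 only.
HARDEN := -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong \
          -fstack-clash-protection -fcf-protection=full -fPIE
LDHARD := -pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack

# 3. Runtime sanitizers for test and fuzz builds only (do not ship these):
#    ASan + UBSan, abort on the first finding, keep symbols for readable traces.
SAN := -fsanitize=address,undefined -fno-sanitize-recover=all \
       -fno-omit-frame-pointer -g -O1

.PHONY: release test fuzz
release: $(SRC)
	$(CC) $(WARN) $(HARDEN) $(LDHARD) -o app $(SRC)

test: $(SRC)
	$(CC) $(WARN) $(SAN) -o app-asan $(SRC)

# libFuzzer harness (Clang only); fuzz.c is assumed to define
# LLVMFuzzerTestOneInput. Clang unions repeated -fsanitize options.
fuzz: fuzz.c
	clang $(WARN) $(SAN) -fsanitize=fuzzer -o app-fuzz fuzz.c
```

A quick way to confirm the `release` build picked up the mitigations is to inspect the ELF (e.g. `readelf -d app` for `BIND_NOW`/`RELRO`, `readelf -h app` for `DYN` type) rather than trusting the flags alone.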


Web Security

Authorization Testing: AuthMatrix - Part 1
White Oak Security’s Tib3rius describes how to effectively test access controls in web apps with complicated authz logic (e.g. multiple role types with different permissions) using the AuthMatrix Burp Suite extension.

For testing authorization logic, I’d also recommend Justin Moore’s AutoRepeater Burp extension.
 

dolevf/graphw00f
By Dolev Farhi: A fingerprinting tool for GraphQL endpoints that sends a number of benign and malformed queries to determine the GraphQL engine being used. graphw00f then provides insights into what security defences each technology provides out of the box, and whether they are on or off by default.
 

The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
WunderGraph’s Jens Neuse does a good job outlining common GraphQL issues and how and why they occur.
 

API Tokens: A Tedious Survey
Fly.io’s Thomas Ptacek gives a great, opinionated overview of various token types: simple random tokens, platform tokens, OAuth 2.0, JWT, Macaroons, throws shade on SAML, and more.

 

Javascript Anti Debugging — Some Next Level Sh*t (Part 2— Abusing Chromium Devtools Scope Pane)
Some serious JavaScript chicanery by Gal Weizman. The Chromium Devtools Scope Pane can allow execution of JavaScript by the devtools while the main thread is paused by the debugger. This allowed him to write code that can determine which specific functions are being debugged, choose what action to take when a function is being debugged, and execute that action in a different parallel thread with full access to the main thread. PoC

What’s also very cool about this trick and will give a hard time to anyone trying to debug the attacker’s code is that the callback to be called when the function is being debugged cannot be debugged in the devtools because it is a piece of code that is being called by the devtools itself. Meaning the only way to successfully debug this function is via the developer tools of the developer tools!

 

Cloud Security

Reddit: Open Source CSPMs?

Inside Figma: getting out of the (secure) shell
Figma’s Hongyi Hu describes how they got rid of SSH and replaced it with AWS Systems Manager, Okta for SSO, and required WebAuthn for multi-factor authentication.

Great stuff: focus on developer experience, minimizing security team toil, adding guardrails for users, locking down Session Manager, and more.


Leaving Bastion Hosts Behind Part 1: GCP
Netskope’s Colin Estep discusses two GCP services, OS Login and Identity-Aware Proxy (IAP), and shows how they can be used as an alternative to bastion hosts.
 

Container Security

Summer Blog Backlog: Distributed Systems
This post argues that Kubernetes has fundamentally too much accidental complexity, and that in the future it’ll be replaced by something with fewer new concepts that’s more compositional. I found the historical references to other domains interesting.
 

A visual guide on troubleshooting Kubernetes deployments
An impressively detailed and thorough guide by Daniele Polencic. Includes this great overview diagram, which, like looking up at the stars at night, reminds us of our insignificance in the face of Kubernetes’ complexity.

 

Politics / Privacy

Srsly Risky Biz: Thursday, September 2
If you didn’t know, Risky Biz has a newsletter! And it’s great. In this edition, Tom Uren had a long chat with The Grugq on distinguishing hacktivists vs nation state actors posing as them, as well as other topics.
 

How to find hidden cameras in Airbnbs
TikTok by Marcus Hutchins.
 

Top counterintelligence official Mike Orlando on foreign espionage threats facing U.S.
Acting director of the National Counterintelligence and Security Center: the U.S. has experienced $200 billion to $600 billion a year in losses to intellectual property theft by China. For the past 20 years.
 

How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users
WhatsApp analyzes messages in two ways: a) AI that scans unencrypted metadata (names, profile images, phone numbers, related Facebook accounts, etc.) and b) a content moderation team that, whenever a message is “reported,” receives that message plus the four previous ones unencrypted.

If you want a messaging app whose financial incentives aren’t “know everything about you and target you with ads,” nor is it “0-click RCE as a service” (sorry iMessage): use Signal.
 

Gladys Berejiklian Takes Over The World
Someone remixed this Australian politician to say some… mean things, hilariously.


Visualizations

Some nice visual overviews.

Wassim Chegham: What happens when you type a URL in a browser’s address bar


Linux Kernel Defense Map
Awesome resource by Alexander Popov covering vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies. The following is a small snippet:

Infosec Infographics thread by John Lambert
Lots of great ones worth reviewing, but here are two to give you a taste:


 

The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles

You know, errr, totally unrelated to this newsletter 😅 But really, it’s important to remember stuff like this. Something I have to work on sometimes.

It’s okay to love a hobby the same way you’d love a pet; for its ability to enrich your life without any expectation that it will help you pay the rent.

What if we allowed ourselves to devote our time and attention to something just because it makes us happy? Or, better yet, because it enables us to truly recharge instead of carving our time into smaller and smaller pieces for someone else’s benefit?

How did we get to the point where free time is so full of things we have to do that there’s no room for things we get to do?

We don’t have to monetize or optimize or organize our joy. Hobbies don’t have to be imbued with a purpose beyond our own enjoyment of them. They, alone, can be enough.



Thanks for reading!

Cheers,
Clint

@clintgibler

 

Forwarded this email? Sign up here 🚀
Copyright © 2021 Practical Program Analysis, LLC, All rights reserved.
