AppSec Cali 2020

This week I’m honored to be giving a talk (An Opinionated Guide to Scaling Your Company’s Security) at AppSec Cali. If you’re attending, hope to see you at 11:55am on Friday in the Terrace Lounge!

I think it’s going the best talk I’ve ever given, and is certainly the most ambitious.

Basically, I’m taking what I’ve learned from the hundreds (thousands?) of hours I’ve spent learning how companies have successfully scaled their security programs. The good stuff. The big, scalable, high leverage wins that measurably improve a company’s security posture for the long haul, not just one-off, ad hoc wins.

I reference probably 100+ of my favorite talks, blog posts, tools, and other resources, grouped by topic. My hope is that the talk is a great way to get exposed to a bunch of ideas + resources to dig into specific topics in more detail.

Oh, and if you haven’t seen it yet, check out my blog post here for detailed summaries of all 44 AppSec Cali 2019 talks.

One person was very kind and said that they got more value reading the summaries of my top 10 talks from any conference they’ve attended. I can’t promise that, but hopefully you’ll find it useful 🙂

AppSec

doyensec / graph-ql
A collection of security scripts and resources related to GraphQL. Currently contains a tool that can use introspecton to retrieve information about all the Queries, Mutations & Subscriptions. It can then generate templates (with optional placeholders) for all the known types, for use by Burp Suite repeater. For more on GraphQL, see Abhay Bhargav’s AppSec Cali ‘19 talk An Attacker’s View of Serverless and GraphQL Apps.
 

Burp Suite roadmap for 2020

• Burp Enterprise: Better API support, auto-scaling of resources in the cloud, integrations (e.g. AD, GitHub, Team Foundation Server).
• Burp Pro: UI/UX improvements (whaaa?!) including colorizing and prettifying JSON and other content types, HTTP/2 support, new payload types, better attack result analysis.
• Burp Scanner: Improvements to browser-driven scanning (to ensure good coverage on modern, AJAX-heavy frontends), record login sequences in your browser, will report JS libraries containing known vulns.

Practical Approach to Automate the Discovery & Eradication of Open-Source Software Vulnerabilities
BlackHat USA 2019 talk by Aladdin Almubayed on Netflix’s approach to identify and eliminate open-source vulnerabilities in Netflix applications at scale. (slides)
 

Busting Cisco’s Beans :: Hardcoding Your Way to Hell
Very detailed Java deserialization walkthrough featuring “three full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.”

Other good deserialization resources include OWASP’s and GrrrDog’s respective deserialization cheat sheets.

Cloud / Kubernetes Security

Peirates
A Kubernetes pen testing tool by InGuardians - “it automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.”
 

Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
Great post by Marco Lancini on using Lyft’s cartography tool to gain continuous visibility into his company’s ephemeral, cloud environment. The post nicely sets up the problem space, their requirements and reasoning for using cartography, and then a detailed walkthrough with tons of diagrams and code snippets. See Sacha Faust’s BSidesSF 2019 talk for more detail about cartography, and tl;dr sec #8 for some notes on a DevSecCon Seattle ‘19 talk by Erkang Zheng on a similar proprietary product they’ve been building at Jupiter One.
 

Salesforce Cloud Security: Automating Least Privilege in AWS IAM with Policy Sentry
Policy Sentry (source code) is a new tool from Salesforce that can be used to make it easier to generate least privilege IAM policies. You can read some thoughts on this by Travis McPeak, author of Repo Kid, one of my favorite least privilege-related tools, in tl;dr sec #10.
 

GitLab Bug Bounty Stats

Here are some stats and tidbits from GitLab’s first year of having a bug bounty program:

• Of the 1,378 submissions, 346 were valid bugs (~25%).
• Impact breakdown of valid submissions: 16 critical (~5%), 57 high (16%), 102 medium (29%), 171 low (49%).
• 23% of reports were for access control issues.
• GitLab pays HackerOne for initial triage and has a bot that initially respond to the submission and include an estimate on how long it will take the team to triage the report. They have another bot follows up with a message providing the expected date for the fix.
• Their goal is to have a mitigation in place for criticals/highs within 24 hours and have a security fix ready by the next security release.

FYI: Based on conversations I’ve had with a number of companies, pretty much everyone agrees that paying for triage is worth it.

Open questions: what was the impact breakdown by vuln class? What informs the bot’s appraisal of likely triage time?

Fuzzing

Fuzzing Roundtable @36c3
Topics include: snapshot fuzzing, fuzzer evaluation, improving tooling, rehosting, and new targets.
 

Custom Proto Mutation
Blog post on how to write your own custom protobuf mutators by Bhargava Shastry.
 

Expanding the Reach of Fuzz Testing
Talk by Caroline Lemieux, a PhD student at Berkeley, on several neat projects she and her colleagues have worked on. Most of the tools are open source! From the abstract:

In this talk, I will introduce several projects expanding the reach of fuzz testing. First, I will introduce methods that enable fuzz testing to find inputs hitting deeply nested branches and inputs that expose performance bottlenecks in programs. Then, I will explore how leveraging human knowledge—in the form of input generators—allows coverage-guided fuzzing’s evolutionary algorithm to explore behavior and bugs deep in the core logic of the program. Finally, I will share a key insight that enables us to pair these input generators with machine learning methods to achieve huge speedups in valid input generation, and even step towards program synthesis for real-world APIs.

VrankenFuzz – a multi-sensor, multi-generator mutational fuzz testing engine

Some snippets from the paper:

Whereas a traditional fuzzer will only manipulate the target, VrankenFuzz allows the target to dynamically manipulate the fuzzer.

Core concepts:

• Sensors: Earlier, the author released libfuzzer-gv, which implemented stack depth guided fuzzing, code intensity guided fuzzing, allocation size guided fuzzing, and custom guided fuzzing. VrankenFuzz proceeds to build on the realization that not just code coverage, but any quantifier can be used to guide fuzzing.
• Generators allow a target application to have not just one, but multiple inputs
• Processors - define how to interpret Sensor data.

Use cases:

• Differential fuzzing. Each of multiple implementations of the same specification can have its own code coverage tracked separately by leveraging VrankenFuzz’ multi-sensor facilities.
• Black-box fuzzing, even remotely. A logical categorization of a black-box application that is in line with its internal state allows it to be fuzzed. Create a sensor for a remote web application’s execution time (eg. round-trip time minus average round-trip time) and the fuzzer will tend to generate inputs that lead to an ever-greater execution time (= denial-of-service). Create a sensor for the total number of unique error codes that a HTTP server has returned for a body of inputs, and you will end up with a corpus that likely constitutes a set of diverse internal states within the remote server.
• A supplement to manual audits. You can force VrankenFuzz to focus on a certain function within the target, instead of hoping the fuzzer will hit that function. You can force certain inputs, for example inputs that take a long time to execute, or inputs that consume a lot of memory, to be discarded (not added to the corpus), thereby creating a corpus of fast-executing or low-memory inputs.

He then describes circumventing common blockers like cryptographic comparisons (MACs) and trickle-down logic.
 

The Secretive Company That Might End Privacy as We Know It

Clearview AI provides a service where you upload a (not even good quality) picture of a person and it compares is to ~3 billion public photos scraped from Facebook, YouTube, Venmo, and millions of other websites. Over 600 law enforcement agencies are already using it, including DHS and the FBI. They’re working on an AR version, where your glasses will be able to identify the people around you.

Honestly, I’m not surprised this exists - the algorithms have already been built and proven and the cloud computing resources are available; really, it was just a matter of time. And like the atom bomb or deep fakes, you can’t just “uninvent” something like this. Other companies will do it too. It’s unclear what the solution is here, if one exists. Regulation? Other countries (like China) will continue developing deeper expertise and capabilities in the space.

In February, the Indiana State Police started experimenting with Clearview. They solved a case within 20 minutes of using the app. Two men had gotten into a fight in a park, and it ended when one shot the other in the stomach. A bystander recorded the crime on a phone, so the police had a still of the gunman’s face to run through Clearview’s app.

They immediately got a match: The man appeared in a video that someone had posted on social media, and his name was included in a caption on the video. “He did not have a driver’s license and hadn’t been arrested as an adult, so he wasn’t in government databases,” said Chuck Cohen, an Indiana State Police captain at the time.

Misc

ATT&CK for Industrial Control Systems
 

Circumventing the JVM’s bytecode verifier
“An adventure with Java bytecode, HotSpot VM internals, sun.misc.Unsafe, and the power of Java.”
 

4 Things You Should Know VSCode Can Do — Without Extensions
Conditional breakpoints, log points, tasks (easily run frequently used shell commands, can auto-run them before/after debug sessions), user inputs in tasks and launch configurations.
 

Ian McKellen’s blog about the filming of the Lord of the Rings
 

Politics

I was thinking about starting a drinking game where you take a sip every time there’s a new development in technology where people’s privacy is impacted, surveillance broadens, or when the already low bar in American politics sinks to a new low, but I’ve got enough on my conscience without potentially promoting widespread alcoholism. On that high note, here are some links.
 

Don’t Tilt Scales Against Trump, Facebook Executive Warns
In a leaked internal memo, Andrew Bosworth, who leads Facebook’s virtual and augmented reality division, warned employees not “to use the tools available to us to change the outcome” of the 2020 election. You read that right: a private company just encouraged its employees to not try to influence the US presidential election. Inherently acknowledging that Facebook does have the capability to influence people at scale in an intentional way for political (and other) ends.

“He didn’t get elected because of Russia or misinformation or Cambridge Analytica,” Mr. Bosworth wrote. “He got elected because he ran the single best digital ad campaign I’ve ever seen from any advertiser. Period.”

NPR: Iran Conflict Could Shift To Cyberspace, Experts Warn
“Hackers linked to Iran are probing American companies for vulnerabilities, cybersecurity researchers and U.S. government officials say.” Makes sense, cyber attacks have nice asymmetry properties vs. physical attacks- you don’t need a big army or expensive jets to cause significant economic or reputational damage.
 

Amazon boss Jeff Bezos’s phone ‘hacked by Saudi crown prince’
The Guardian published this article saying that the conclusion of a forensic investigation by Bezos’s team indicated that MBS sent a malicious file over WhatsApp to Bezos which likely compromised Bezos’s phone. The article hypothesizes that this was the source of data later used by the National Enquirer in its expose sharing Bezos’s text messages. Why? Bezos owns the Washington Post, which had published a number of critical articles of Saudi Arabia, some written by Khashoggi.

However, the Guardian article was light on technical details. Then, this Vice article provided more technical details, which seem to indicate that the forensic evidence is a bit more handwavy - they didn’t find an exploit in the sent file, they just observed that Bezos’s phone started sending out much more data than it had previously after having received the file, no smoking gun. Nice thread by Alex Stamos here about it, and @ErrataRob linked the full forensic report here. Also, it wouldn’t be Twitter if there wasn’t some 🔥

The hacking attempts against Burisma, the Ukrainian gas company on whose board Hunter Biden served, began in early November, as talk of the Bidens, Ukraine and impeachment was dominating the news in the United States.

It is not yet clear what the hackers found, or precisely what they were searching for. But the experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens — the same kind of information that Mr. Trump wanted from Ukraine when he pressed for an investigation of the Bidens and Burisma, setting off a chain of events that led to his impeachment.

The Russian tactics are strikingly similar to what American intelligence agencies say was Russia’s hacking of emails from Hillary Clinton’s campaign chairman and the Democratic National Committee during the 2016 presidential campaign. In that case, once they had the emails, the Russians used trolls to spread and spin the material, and built an echo chamber to widen its effect.

See here to read the report by Area 1.