The Razor: ep 4

Twas a few nights after Christmas, and across all your apps,
Were offers for discounts, and sales, and end of year wraps.
The last edition of The Razor also flew through the air,
In the hopes 2024 might be the year we stop ransomware

The CISOs were buried deep in compliance reports,
While Ockam released something to share ports.
And I hit send on largest list of links for the year,
which I'm happy to say starts right… here.

Secure-by-design

• 🪩 Attracting attention with new TLS certs: When you request a new TLS certificate from a provider such as Let's Encrypt, the fact a certificate was issued shows up in their certificate transparency logs. Chris Siebenmann decided to time how long it took between requesting a new certificate and someone using that information to try and port scan his machine for vulnerabilities. Spoiler: it's less than a minute.
• 🤝 On trust: A short essay from Mark Seeman that touches on an idea that I've seen embodied the way various high availability, large scale, and high trust systems are designed. Not trusting something doesn't require you to have distrust/mistrust, cynicism, or misgivings. It can be as simple as accepting human fallibility, and being supportive of each others humanity rather than expecting everyone to be superhuman all of the time.
• 🙅‍♂️ On losing trust: What happens when people just don't believe what you say? Simon Willison explores that in discussing the reaction to Dropbox launching some AI features. This is as much a result of Dropbox not being particularly clear with what data was being shared and when, but also people just not believing OpenAI (who Dropbox are selectively sharing the data with) when they say it's not being used to train their own models.
• 💵 A secondary market for compromised access: If you're a criminal that has a specific target in mind, the first step in getting access to the data is getting access to their systems somehow. In what should probably be absolutely no surprise it turns that for every problem there is a market-based solution. Just go find an Initial Access Broker who has already compromised your target and is willing to on-sell the access to you.
• 🕷️ Scattered spider and exploiting SaaS integrations: The team at Permiso do a teardown on an attack called LUCR-3. It's especially interesting given the way it's designed to use the victim's own SCCM and deployment tooling to spread across the victim's infrastructure. Ultimately it does everything possible to look like a human doing normal things and leveraging systems in normal ways to establish an organisation-wide foothold. The "Attacker Lifecycle" diagram is also useful for considering in all contexts and the various threat vectors to consider when considering the security of your systems.
• 🔍 When linting detects false assumptions: If you're using ECMAScript (i.e., JavasScript) then this post about the no-constant-binary-expression rule, from Jordan Eldredge, is definitely worth a read. That rule is intended to catch where short-circuit logic in an expression won't change at runtime. The result wasn't just clearer code though, it uncovered a lot of real world situations where developers had confused operator precedence in expressions or where object/value comparisons were not what the developer expected.
• 📱 How to completely pwn an iPhone: Through the crafty stacking of a number of vulnerabilities, Boris Larin discusses how an attacker could take complete control of an iPhone. An iMessage attachment that contains a PDF with a TrueType font exploit, which then patches the JavaScript Core environment to execute a privilege escalation. Most impressive of all is it does not require the recipient to open or even acknowledge the attachment, and circumvents the hardware-based security protection on iPhones. Ars Technica also have coverage that states this exploit has been in use for over four years!
• 🚫 These things are not equal: What is a parser mismatch vulnerability? Tim McCormack has the answer for you. The broad definition is: when two code paths parse the same thing but disagree in what some inputs mean. His examples highlight scenarios I've seen a lot where some validation logic will do a light parse, but later in the code the full value is consumed. The gotchas start to appear when this gets exploited with malformed inputs.
• 🛟 Are we looking for more than memory safety? We're big Rust fans at Ockam, so it's always great to read someone else's take on why Rust is valuable for building systems that are secure by design. When that someone is Steve Klabnik it's worth paying extra attention. I liked his threads about how maybe it's not so much about memory safety, and more about having defined behaviour by default.
• ⏱️ A 25 year old timing attack comes back: Many years ago a timing attack was discovered that allowed RSA decryption and signing operations where the attacker need only observe the time of the decryption operation performed with the private key. Hubert Kario is here to tell us all that not only can it still happen but that implementations previously thought immune are actually vulnerable, and that the core issues are applicable to most asymmetric cryptographic algorithms (e.g., Diffe-Hellman). He's also got a list of implementations they've tested to confirm/invalidate whether they're vulnerable. Thankfully for TLS-specific use cases the easiest remediation is to not support RSA cipher suites, though that may be a problem if the server needs to support older clients.
• 🔑 5,000 leaked GCP keys in a single repo: The fine folks over at Truffle Security Co posted an update to a previous story that had made the observation that they'd uncovered far more leaked GCP keys than any other provider. Some further digging uncovered that 5K of those keys were in a single repository. There's some further analysis on what that repo was trying to achieve (probably crypto mining) and speculation on why it was done this way and by whom. I'm still baffled as to why you'd launch an attack like this so blatantly out in the open though.
• 🔐 An intuition for cryptography: If you've ever struggled to wrap your head around the fundamentals of how cryptography works and how it keeps our information private then Azeem Bande-Ali has a great high-level explanation. Or if you already know, this is probably the most easily digestible form to send your relatives over the holidays who ask you these questions!
• 👋 Encrypted Hello: Whenever you connect to a website secured using TLS, the site name is transmitted in plaintext as part of the initial request. Mozilla has a implemented a feature called Encrypted Client Hello (in collaboration with other browser vendors and companies like Cloudflare) which fixes that. Now your ISP or anyone monitoring the network won't know the sites you're visiting. This isn't an immediately ubiquitous thing though as both clients and servers need to support it (Cloudflare has already rolled out support).
• 😭 Dependency patch updates won't fix security: A lot of people I know have automated PR creation for dependency updated built into the CI/CD systems. Moderne is a system that helps with such things, and the team there looked at the data across a set of Java-based GitHub repos. The result: only 30% of security issues are addressed in patch versions. The majority are in major and minor versions, which means you're also potentially bringing in breaking changes too. Nobody said this stuff was easy.
• 🙃 APAC firms targeted in SQL-injection attack: I don't know why this has a region specific focus, but there's a group exploiting pretty basic techniques around SQL-injection and CMS vulnerabilities to get access to systems. There's 24 knowns targets already, where 6 were successfully compromised.
• 🕵️ You're not paranoid if they're actually watching you: Push notifications on both of the major phone platforms go through a central authority. The information in that payload includes a bunch of metadata about the sender and recipient, and in some cases may include unencrypted content such as the message displayed in the notification. With such juicy information just out there waiting to be read, of course governments have been monitoring it.
• 🔃 How do you rotate keys? Have you got an API key you need to rotate? How do you do it? The answer is: there's no single answer! Thankfully the team at Truffle Security are at least helping by having a single place to find the answer. We think there might be a better way than having to manage a bunch of keys 😉.

Exposed

• 🌱 MongoDB corporate/support systems infiltrated: Another case of a phishing attack granting access to internal systems. Their investigation suggests no evidence of access to any customer data.
• 📵 Comcast Xfinity affects 35M people: A Citrix vulnerablity has leaked the names, contact information, partial SSNs, and birth dates of 35M people.
• 🚨 More than 10K Cisco devices being actively exploited: Cisco reported a 0-day, a day later the security research firm VulnCheck stated that tens of thousands of internet-facing devices had already been compromised.
• 👯‍♀️ Deep-faked social engineering: This one goes back a few months but I only just caught it, and thought it worth sharing if only because Retool claim the attacked deep faked the voice of someone from their IT department as part of the attack.
• 🤗 +1500 HuggingFace tokens exposed: Because supply chain risks exist everywhere and AI/LLMs are no different... too many people are repeating the same mistakes and exposing their training systems unintentionally.
• 🦷 7M dental patient records leaked: The MOVEit breach continues to have more victims, this time Delta Dental of California.
• 🚰 Western Pennsylvania water utility attacked: An Iranian-linked group attacked the PLCs in a number of US locations around the Thanksgiving holiday.
• 🧑‍⚖️ State Farm has 400M problems: There's potential of a class-action lawsuit due to attackers accessing 400M records in a breach of State Farm back in August. I'm curious about what constitutes a "record" in these situation though, as that's more than the entire population of the USA.
• 🙈 UniFi had a different kind of exposure: A misconfiguration meant that UniFi started sending private camera feeds to the wrong users.
• 🧬 7millionAndMe: initially 23andMe had stated about 14,000 people's data had been accessed in a breach this month, with a qualificaiton/asterisk on that number that the accessed accounts also contained information on the ancestry details of other people. Turns out other people means 6.9M in total were affected.
• 💳 Payment processor in ransomware attack: Tipalti is a technology provider to companies such as Roblox, Twitch, and Canva. They were hit by a ransomware attack though it seems there's not been any customer impact.
• 🆕 NewRelic social engineered: Another one for the humans are the weak link category. Internal systems accessed again.
• 🏦 60 (SIX ZERO!) Credit Unions have outage: The National Credit Union Administration said that 60 credit unions were out of action due to a ransomware attack on a vendor they use: Trellance/Ongoing Operations.

DX

• 🔫 AWS Kill Switch: a Lambda function that an organization can implement in a dedicated "Security" account to give their security engineers the ability to quickly deploy restrictions during a security incident.
• 📸 Screenshot to code: A simple app that converts a screenshot to code. It uses GPT-4 Vision to generate the code and DALL-E 3 to generate similar-looking images.
• 🫤 Confusing git terminology: Julia Evans was taking requests to explain/clarify some of the idiosyncrasies of git. Things like the difference between HEAD and "heads".
• 🐤 Building Angry Birds using AI: a really cool example of using GPT-4 + Dalle/Midjourney to make a game.
• 👻 Ghostty - a new terminal emulator: From Mitchell Hashimoto (of HashiCorp fame) comes a new terminal for MacOS.
• 🧑‍💻 Monaspace: a superfamily of fonts for code. I've been using it for a couple of months and love it.
• 💪 gittuf: a security layer for git that allows you to set permissions for repository branches, tags, files, etc. and handles key management for all developers on a repo.
• 🧑‍🔬 DevEx: What Actually Drives Productivity: some frameworks for actually understanding what this whole section in the newsletter is about!

Product spotlight

• 🟠 Portals for Mac, by Ockam 🔵 - The last couple of editions I've asked for testers for something we'd been playing with internally. Well, it's publicly available now and I'd love if you'd check it out. If you've ever needed to quickly and privately share a service on your local machine with a friend or teammate… this is what you need. The README in the repo also does a deep dive on how the team built this using the various Ockam libraries we've open sourced. There's also a look at how we integrated our Rust libraries into Swift.

The odd bits

• 👩‍❤️‍👨 A tale as old as (cryptography) time: Have you ever wondered why so many explanations of cryptographic concepts explains them with Alice and Bob as the protagonists? Of course you have! It's ok, I've got you.

That's it for the year! Thank you to all of our wonderful subscribers for your support. If you know anybody who you think would enjoy this content it'd meant the world if you could share the love and suggest they subscribe too. I promise it'll be another 12 months before you have to endure any more of my attempts at festive poetry 😉.

Cheers,