Security in a Cloud Native World & Mobile App Attacks – ASW #252

Discord offers up quite a new take on the phrase, "We take your security seriously."

Now it's a quite decisive, "We are stopping all operations for the foreseeable future."

Microsoft's Azure has had a lot of attention from security vendors lately and the recent Microsoft 365 breach exposed a lot of risk associated with Azure's Active Directory.

Also check out the Cyber Safety Review Board's announcement.

Flaws in cloud providers don't often get CVEs. That's one of the reasons a group, sponsored by Wiz, created the CloudVulnDB project. AWS talked about the shared responsibility model with cloud service providers. And the CSRB will be looking at that shared responsibility and shared fate of flaws within cloud providers, their potential impact on tenants, and how to harden that ecosystem.

I like this article for the level of scrutiny the researchers put into understanding the state changes of putting an iPhone into airplane mode. They were able to figure out how to make the UI reflect the state change, but prevent Safari from being aware of the change. I'm not convinced this would be a high risk or become an attack vector, but that's partly because similar UI-oriented attacks like browser clickjacking always felt like cool bugs in search of an exploit, too. In any case, it's a bug to be fixed and great work in understanding the behavior of iOS.

AIs are the new hot tech and everybody wants one. But nobody wants to the be training data for them when there's a lack of transparency, lack of opt-outs, and lack of affirmative consent.

We'll be diving more into the technical and social aspects of AI next week!

This is a followup blog from the author's talk at this year's DEF CON AI Village.

It's a mix of common package management issues like creating name confusion and collisions, and typosquatting. And it has a few examples of misusing and abusing ML models. Overall a good example of demonstrated attacks to include in your threat models and threat hunting playbooks.

Here's an article that explains the underlying concepts of LLMs like ChatGPT. It's a good mix of technical and accessible. There's a bit of math in there, which is unavoidable considering the topic and the author, but it's not an overwhelming amount and there are helpful visualizations to reinforce the concepts.

This week marks 25 years since one of the earliest XSS attacks I could track down. It's from a Usenet message about a vuln in Hotmail.

The writeup is almost indistinguishable from what you might see today (with one typo fixed):

1. The malicious code runs as soon as e-mail message is viewed
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals
4. The exploit will work with any javascript-enabled browser, ...

Ok, the "internet cafes" dates it, but otherwise that's the past and most of the present of appsec today. I try not to be too pessimistic about appsec -- and there are improvements to point to -- but this is one of the reasons why I find XSS flaws to be largely boring these days.

Check out the original disclosure here.

p.s. I have another example from 1996 here

This project from CNCF is intended to help appsec and dev teams create a trusted attestation for building and deploying software. Users define the expected steps of the process -- what the project calls a layout. As the tool executes each step, it records and cryptographically stamps the state.

The in-toto specification just hit 1.0 in June of this year, but it's been an idea since 2016 and worked on since 2017. But as a CNCF project, and with the attention on all things supply chain, maybe it'll reach a wide adoption.

Bambu, a manufacturer of 3D printers and software, recently had an outage in their cloud. Their customers printers, which connect to said cloud to poll for new jobs to print, started timing out. The result of said timeout was the printers deciding to reprint the last job they had worked on, waking up nerds everywhere.

We talk a lot about not wanting security teams to be seen as the "department of no," but does that really happen? Here's a complete non-appsec instance where a user/writer decides the threat model for somebody hacking his iphone via bluetooth is not too risky for him to leave bluetooth on and use his airpods.

"At least" 10 million secrets were committed in 1 billion GitHub commits over the last year, according to a pair of talks at BSides Vegas. Apparently this was a 50% increase over the previous year.

Stop, please. Thanks.

Besides the quantum and FIDO parts, there's a bit of a foxhole here to go down. They're releasing this as an app for TockOS, a lightweight OS for IOT devices, so in theory one could build their own authenticator token with this?

Just in case you need another project...

NOTE This is not meant for daily usage - "The cryptography implementations are not resistent against side-channel attacks."

While a fun video, this provides a visual example of how ML algorithms get trained