Defense at Scale
> Last year, my colleague Chris Rohlf gave a keynote at BSidesNOLA entitled “Offense at Scale”. Offense sounds fun. Pwn all the things. And you’re always going to win! And normally I’m a big fan of being massively offensive. Unfortunately, I find myself on the defense when it comes to information security.
> Here’s how you defend at scale. Can’t be done. The end. Everything’s fucked. You’re pwned.
Plenty of good points here. Also a fun read.
Migrating From Cloudflare
> Okay so here’s the thing: Cloudflare isn’t just the CDN provider for the instance, it is also the domain’s nameserver. That means that it holds all the DNS records that point mastodon.technology to the various IP addresses used for HTTP requests, email, and even public DKIM keys for mail server verification. These DNS settings are really, really important. If they get messed up, everything about the instance can break.
> So I split up the migration from Cloudflare to BunnyCDN into two phases: first migrate the CDN provider, and then migrate the DNS provider. Getting this right is really important, and I mostly did okay, but hopefully you can learn from my experiences.
Public Suffix List Problems
> This is a collection of thoughts from a maintainer of the Public Suffix List (PSL) about the importance of avoiding new Web Platform features, security, or privacy boundaries assuming the PSL is a good starting point.
> Equally terrifying, however, is how many providers only discovered the existence of the PSL once LE was using it to rate limit - meaning that their users were able to influence cookies and other storage without restriction, until an incidental change (wanting to get more certs) caused the server operator to realize.
Preventing The Capital One Breach
> Every indication is that the attacker exploited a type of vulnerability known as Server Side Request Forgery (SSRF) in order to perform the attack. SSRF has become the most serious vulnerability facing organizations that use public clouds. SSRF is not an unknown vulnerability, but it doesn’t receive enough attention and was absent from the OWASP Top 10.
> SSRF is a bug hunter's dream because it is an easy-to-perform attack and regularly yields critical findings, like this bug bounty report to Shopify. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.
Google Groups entirely ignores SMTP time rejections
> Google Groups ignored this rejection and began sending email messages from the group/mailing list to my spamtrap address. Each of these messages was rejected at SMTP time, and each of them contained a unique MAIL FROM address (a VERP), which good mailing list software uses to notice delivery failures and unsubscribe addresses. Google Groups is, of course, not good mailing list software, since it entirely ignored the rejections. I expect that this increases the metrics of things like ‘subscribers to Google Groups’ and ‘number of active Google Groups’ and others that the department responsible for Google Groups is rewarded for. Such is the toxic nature of rewarding and requiring ‘engagement’, especially without any care for the details.
Building Facebook’s service encryption infrastructure
> In this post, we’ll talk about how we migrated our encryption infrastructure in data centers from the Kerberos authentication protocol to TLS. Optimizing for operability and performance, while still satisfying the right security model for each service, required navigating difficult trade-offs. By sharing our experiences, we hope to show how we think about our encryption infrastructure and help others as they think through their own implementation.
The Unusual Case of Status Code 301 Redirection to AWS Security Credentials Compromise
> The redirection that I got in the first step was now becoming a server-side redirection, not just a client-side redirection. Now if it's a server-side redirection then there would definitely be a big chance of an SSRF (Server Side Request Forgery) attack.
Stealing Downloads from Slack Users
> The vulnerability could have allowed a remote attacker to submit a masqueraded link in a Slack channel that, "if clicked" by a victim, would silently change the download location setting of the Slack client to an attacker-owned SMB share. This could have allowed all future documents downloaded by the victim to end up being uploaded to an attacker-owned file server until the setting is manually changed back by the victim.
Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support Portal
> A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.
> But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.
How Spotify & Discover Weekly Earns Me $400 / Month
> Of course that’s not enough to support a full-time artist but that’s not what I’m trying to be. I don’t tour, I don’t sell merch and I’m not on a label. I just want to make music and Spotify is making that possible.
Cloud computing simplified: a Berkeley view on serverless computing
> Ten years ago Berkeley released the ‘Berkeley view of cloud computing’ paper, predicting that cloud use would accelerate. Today’s paper choice is billed as its logical successor: it predicts that the use of serverless computing will accelerate. More precisely:
> … we predict that serverless computing will grow to dominate the future of cloud computing.
Introducing Firefox Send
> Send is a free encrypted file transfer service that allows users to safely and simply share files from any browser.
AWS Nitro System
> The Nitro System supports key network, server, security, firmware patching, and monitoring functions, freeing up the entire underlying server for customer use. This allows EC2 instances to have access to all cores – none need to be reserved for storage or network I/O. This gives more resources over to our largest instance types for customer use – we don't need to reserve resources for housekeeping, monitoring, security, network I/O, or storage. The Nitro System also makes possible the use of a very simple, lightweight hypervisor that is just about always quiescent, and it allows us to securely support bare metal instance types.
Protecting your data, no matter where you go on the web
> We help keep your Google Account safe by proactively detecting and responding to security threats. For example, we already automatically reset the password on your Google Account if it may have been exposed in a third party data breach—a security measure that reduces the risk of your account getting hacked by a factor of ten.
> But we want to provide you with the same data breach protections for your accounts, beyond just Google apps and sites. This is where the new Password Checkup Chrome extension can help. If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.
Inside Google’s Team Fighting to Keep Your Data Safe From Hackers
> Mr. Huntley doesn’t work for the National Security Agency or another government spy shop. He heads Google’s in-house counterespionage group, the Threat Analysis Group, which has emerged as an important force in the battle against hackers and a leading example of tech giants building up powerful cybersecurity defenses in an age of rising nation-state hacks.
> The 27-person team tracks more than 200 hacker groups that pose a threat to Google and its users, analyzing hacking techniques and clues to the groups’ identities to head off attacks. It leverages access to data across widely used Google products like Gmail, with more than 1.5 billion accounts world-wide, and to a database of attack code called VirusTotal managed by another arm of Google-parent Alphabet Inc.
The Firecracker virtual machine monitor
> Cloud computing services that run customer code in short-lived processes are often called “serverless”. But under the hood, virtual machines (VMs) are usually launched to run that isolated code on demand. The boot times for these VMs can be slow. This is the cause of noticeable start-up latency in a serverless platform like Amazon Web Services (AWS) Lambda. To address the start-up latency, AWS developed Firecracker, a lightweight virtual machine monitor (VMM), which it recently released as open-source software. Firecracker emulates a minimal device model to launch Linux guest VMs more quickly. It’s an interesting exploration of improving security and hardware utilization by using a minimal VMM built with almost no legacy emulation.
Critical Kubernetes Bug Gives Anyone Full Admin Privileges
> An authenticated user can also send specially crafted network requests to the Kubernetes application programming interface (API) server and create a connection to the backend server. The API server’s job is to determine if the requests are valid, and to instruct other components to carry out the instructions for valid requests. With the flaw, the API server is tricked into connecting to the backend server as itself and not as the user, and with the highest level of permissions. Once the connection is established, the user can send arbitrary requests—authenticated with the API server’s Transport Layer Security (TLS) credentials—directly to the backend server. The user can run any API request against the kubelet API of the node where a targeted pod is running, such as listing all pods on the node, running commands inside pods, and getting the output of those commands.
The authorization is coming from inside the house!
Also, from the discoverer: https://rancher.com/blog/2018/2018-12-04-k8s-cve/
EC2 Instances (A1) Powered by Arm-Based AWS Graviton Processors
> Today we are launching EC2 instances powered by Arm-based AWS Graviton Processors. Built around Arm cores and making extensive use of custom-built silicon, the A1 instances are optimized for performance and cost. They are a great fit for scale-out workloads where you can share the load across a group of smaller instances. This includes containerized microservices, web servers, development environments, and caching fleets.
Among other AWS announcements.
sr.ht, the hacker's forge, now open for public alpha
> For those who are new, let me explain what makes sr.ht special. It provides many of the trimmings you’re used to from sites like GitHub, Gitlab, BitBucket, and so on, including git repository hosting, bug tracking software, CI, wikis, and so on. However, the sr.ht model is different from these projects - where many forges attempt to replicate GitHub’s success with a thinly veiled clone of the GitHub UI and workflow, sr.ht is fundamentally different in its approach.
Rendered Insecure: GPU Side Channel Attacks are Practical
> Under a number of scenarios the GPU can be shared between multiple applications at a fine granularity allowing a spy application to monitor side channels and attempt to infer the behavior of the victim. For example, OpenGL and WebGL send workloads to the GPU at the granularity of a frame, allowing an attacker to interleave the use of the GPU to measure the side-effects of the victim computation through performance counters or other resource tracking APIs. We demonstrate the vulnerability using two applications. First, we show that an OpenGL based spy can fingerprint websites accurately, track user activities within the website, and even infer the keystroke timings for a password text box with high accuracy. The second application demonstrates how a CUDA spy application can derive the internal parameters of a neural network model being used by another CUDA application, illustrating these threats on the cloud.