Tasty Beverage – ASW #184

February seems to be the month when everyone's reflecting on appsec in 2021. The first article in this vein is the new State of Software Security report from Veracode. As the report notes, scanning of one form or another (SAST, DAST, SCA) has shifted frequency from two to three times a year per app to a majority of apps being scanned three times a week. So, there's a positive step in the adoption of security tools. Of course, just using a tool doesn't create a security culture, but tools can contribute to the practices around securing apps. The report also points out that the half-life in third-party flaws (i.e. time to close 50% of flaws) has shrunk from 2017. Unfortunately, that half-life has gone from about three years to about one -- so maybe it's a mixed success. Heads up that this is one of those PDF reports that's behind a registration wall.

James Kettle and the folks at Portswigger look back on their favorite web hacking techniques of 2021. No surprise that HTTP Request Smuggling is on the list (deservedly so), with the twist that 2021 saw research into how HTTP/2 and HTTP/3 implementations may be susceptible when they downgrade to HTTP/1 to deal with backend servers that haven't yet upgraded. Cache poisoning and OAuth attack vectors are two other items that stand out. In fact, even though XSS is on the list, it's quite refreshing to see something that doesn't look like a rehash of the OWASP Top 10. (Of course, many of them could still map into that list.) There are some interesting new attack surfaces being discovered within Exchange and, as we've see in the request smuggling, still plenty of implementation details and edge cases to poke at for flaws.

Google has released some numbers around the activity of their vulnerability reward program for 2021. Overall, paying out $8.7 million seems like a good investment to keep widely used apps like Android and Chrome secure. They've only published total payouts and participants, which points to average payouts in Android of around $25K and close to $29K for Chrome. It'd be interesting to know the median reward since the highest payout was $157K. One neat aspect is seeing the Chrome Fuzzing program get attention and success, with one report earning $16K. Being Google, this got lots of news coverage (obviously from us as well!). Here are some more articles about it: - https://www.zdnet.com/article/google-vendors-took-an-average-of-52-days-to-fix-reported-security-vulnerabilities/ - https://www.zdnet.com/article/google-says-9-million-given-out-in-2021-vulnerability-rewards/ - https://therecord.media/google-awarded-8-7-million-to-security-researchers-in-2021/ - https://portswigger.net/daily-swig/google-project-zero-hails-dramatic-acceleration-in-security-bug-remediation

Apple understandably received a lot of scrutiny for its AirTags when they were first released. While the underlying concept predated Apple, the scale of devices that enabled the tracking was an immense leap. And even if iPhones tracked the AirTags in a privacy preserving manner -- that privacy was focused on the owner of the tag. This also meant that threat models for AirTags needed to consider stalking or unwanted tracking. On the technical side, it also touches on hardware (anti-tampering), software (interoperability for users outside of the Apple device ecosystem), and notification design (sound, on-device alerts). The primary concern is here is individuals being tracked without their knowledge. But there can be other unexpected uses of AirTags. Back in January, there was an article about an activist who used an AirTag to attempt to identity offices associated with a German intelligence agency -- they mailed it to one address and tracked all the points where the package was being handled. It's not clear how successful and correct the end results were for that specific instance, but the idea has a sound principle to it. Check out the article, with links to the activist's blog (in German) at https://appleinsider.com/articles/22/01/25/apples-airtag-uncovers-a-secret-german-intelligence-agency Read Apple's update on AirTags at https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/ You can find more resources on concerns, countermeasures, and policy around hardware and software tracking at https://stopstalkerware.org

We're diving into quite a different type of article with this one. It has state machines, which we talked about a bit in episode 182, and AI, which we haven't really talked about other than to question whether the form of AI involved regexes or if statements. Yet here we have some pretty cool research that uses Natural Language Processing (NLP) to analyze a protocol's RFC in order to create an implementation of that protocol (it's state machine) in order to fuzz the protocol for security flaws. The concept is clever and, despite a description like "NLP on an RFC to create an FSM for Korg", it looks like a worthy investment. The approach still hasn't earned its first bounty and it still relies on humans to correct the RFC to state machine translation. But a tool that leads to clearer documentation and reasoning about a protocol is already useful. And one that can turn text into code into "attacker simulation" is one that's going to get better over time. Plus, as fans of synthwave, we don't want to miss any reference to Korg -- especially when the open source tool "is named after the KORG MicroKorg synthesizer, which has a dedicated attack knob. References: - https://github.com/RFCNLP/RFCNLP/blob/main/tutorials/attacker.synthesis.md - https://github.com/RFCNLP/RFCNLP/blob/main/rfcnlp.pdf - https://github.com/maxvonhippel/AttackerSynthesis

The summer cons (BlackHat, DEF CON) tend to draw lots of media attention. But there are security cons of various sizes throughout the year and throughout the globe. Here's an appsec presentation on JavaScript engines from OffensiveCon (https://www.offensivecon.org/). The first section likely won't be too informative unless you're familiar with browser engines. Instead, skip to the “Exploitation & Mitigations” section for a nice summary and observations on the past and future of exploits and hardening that browsers have been doing over the years. The con posts recordings, so we'll bring you an update once this one appears. In the meantime, check out these two presentations from 2020. - Keynote from Halvar Flake, https://youtu.be/8QRnOpjmneo - Talk from Maddie Stone, https://youtu.be/TAwQ4ezgEIo

This hacking is particularly fun to read about because of how physical the test harness is -- pictures, 3D printing, good lighting, and lots of clamps to hold everything in place. It's quite a different world from URLs and dropping alert() popups everywhere. Both those worlds have an important place in appsec, but we tend to not talk about the hardware side of things as much. It's also a chance to revisit threat models and talk about the appropriate times to balance security and convenience, putting choices into informed users hands, and realizing different people have different threat models. For once we have a PDF that isn't behind a registration wall. Check out the blog and if you're curious about the details, read the report at https://act-on.ioactive.com/acton/attachment/34793/f-3ddfff76-d7d8-47e6-8b07-e4d4ee841008/0/-/-/-/-/IOA-wp-FacialRecognition.pdf

Repeat after us: Docker containers are (still) not a security construct. But - in this instance, having docker around actually decreases the security of the system. Great writeup.

While the ThreatPost title points the finger at MQTT, IMHO the issue here is more around how it's used.