CircleCI Breach, Vulns in Auto Sites, Google Speaker Bugs, Office Space, S3 Defaults – ASW #225
Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust
Announcements
Follow us on X (formerly known as Twitter) for livestream reminders, highlighted clips, memes, and more! You can find us @ SecWeekly.
Hosts
- 1. CircleCI: Rotate Stored Secrets ASAP
Every app relies on secrets. How you rotate them is a reflection of maturity in tools and processes. When you rotate them is...sometimes influenced by breaches. We'll be hearing about CI/CD hardening and third-party risk throughout 2023 -- which isn't much of a surprise.
Read the disclosure from CircleCI at https://circleci.com/blog/january-4-2023-security-alert/
- 2. Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Web interfaces and connected systems are bug bounties waiting to happen. Here's a roundup of several dead simple techniques (like hard-coded secrets and trivial SQL injection) and some patience (fuzzing paths to find security bypasses). It shows how much of car hacking can still be successful without access to the car itself. After all, not everyone has a spare Ferrari in the garage to experiment with.
- 3. Turning Google smart speakers into wiretaps for $100k
This is the kind of bounty that can pay for a car (see the previous article web apps and car hacking).
It's also a great writeup that starts with an "I wonder" about hacking Google smart speakers, then walks through intercepting web traffic, looking at protobufs, dealing with OAuth, and Wi-Fi security. You don't have to be an expert on any of those topics to follow the techniques and the tools covered are useful in all sorts of situations, especially if you like to hack on IOT and smart home devices.
The gpsoauth library is at https://github.com/simon-weber/gpsoauth.
Find mitmproxy at https://mitmproxy.org (you can also install it from brew!).
- 4. ‘Office Space’ inspired WA software engineer’s theft scheme, prosecutors say
The movie "Office Space" is too often omitted from lists of hacking movies (as is Superman III, which in turn inspired part of the plot). "Business logic" vulns are often included on lists of hacking threats, but too often remain generic or hand-wavy.
This article combines both. Not only did a developer modify code to steal money from customers, but they then changed the code again when an audit team was discovering discrepancies.
- 5. LEARN: Welcome to Comprehensive Rust
Google's Android team has put together a short course for learning Rust. As the project notes, it might not be ideal for self-study since a lot of the material is intended for interactive discussion. But if you're trying to learn the language or teaching it to others, this could be a useful reference.
All of the material is on git.
There's also, of course, resources from the rust-lang.org site itself.
- 6. Telling users to ‘avoid clicking bad links’ still isn’t working
Just a quick reminder why the burden of security should start with appsec, devops, and applications instead of dumping responsibility onto users.
- 7. TOOL: OWASP Amass
The OWASP Amass project is designed to "perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques."
It's written in Golang. The project repo is at https://github.com/OWASP/Amass
We'll be highlighting different types of tools all year. Let us know what you'd like to see us include!
- 1. Reverse Prompt Engineering for Fun and (no) Profit
"Pwning the source prompts of Notion AI, 7 techniques for Reverse Prompt Engineering... and why everyone is wrong about prompt injection"
You can find the full list of notion AI prompts here
- 2. TOOL RECOMMENDATIONS – 7 Places to do Automated Security Tests
This short article suggests what types of automated security tests to run on your code both inside and outside of the ci/cd pipeline to keep up with the speed of dev and ops.
- 3. OAuth 2.0 authentication vulnerabilities
Want to learn more about OAuth inherent vulnerabilities? Check out this resource delving into how OAuth works and how it can be exploited.
- 1. VSCode extensions as an attack vector?
- 2. A Deep Dive into poweRAT
We've talked through 2022 about various supply chain incidents, but this writeup is interesting in that Phylum (who focuses on Python's PyPi supply chain issues) breaks down how installing a package with pip turns into powershell running and then using a cloudflare tunnel to bypass http filtering. While I often share posts that allow us to see what good code looks like, this post lets us learn what to look for when malicious code is present.
- 3. Rust’s Hyper package leads to potential DoS
Hyper - a popular http package for Rust applications has a function to_bytes() which performs no length checks while concatenating buffers from a http response body to a bytes. The documentation clearly mentions to developers to be careful when handling responses from untrusted sites, but still many packages - including a few popular Rust frameworks - were not paying heed to this, resulting in potential DOS situations
