KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies – ASW #137
An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into appsec, and all the things that can go wrong when you give up root in your Kubernetes pod.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card - A researcher pokes around Kindle's firmware, finds an image decoding library with an overflow flaw, and paints a picture of RCE. And for extra credit, the researcher also found a flaw in a regex intended to prevent injection attacks.
- 2. The State of State Machines - Project Zero picks apart the protocol implementations for several messaging apps and discovers that most of their state machines can be confused into leaking audio or video to unauthenticated users. It's also a good overview of WebRTC and protocol analysis in general. We even touched on state machines and fuzzing in the previous episode 136, https://securityweekly.com/asw136.
- 3. Bad Pods: Kubernetes Pod Privilege Escalation - A nice overview of Kubernetes pod security assumptions and what happens when a lack of least privilege turns into mostly accessed.
- 4. NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS - You might not be in charge of your org's shift to DNS over HTTPs (DoH), but it does present a chance to apply threat modeling exercises to where you'll gain or lose visibility in the security of your DevOps endpoints and the network connections being made throughout the CI/CD pipeline. You can find the report at https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
- 5. Designing and deploying a data security strategy with Google Cloud - You can skip over the specific references to Google Cloud products and still gain a good understanding of how to approach a data security program for your own environment regardless of cloud service provider. You can find the paper at https://services.google.com/fh/files/misc/designing_and_deploying_data_security_strategy.pdf
- 6. Real World Crypto 2021 - Real World Crypto ran from January 11th through the 14th. Two sessions in particular are relevant to areas we've touched on in the podcast, one talks in more detail about the end-to-end encryption for Zoom and the other talks about the importance of understanding user needs in designing systems. - "E2E Encryption and Identity Properties for Zoom Meetings" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/91/slides.pdf) and video (https://youtu.be/jeQvDLPQsuw?t=1814) - "Mental Models of Cryptographic Protocols - Understanding Users to Improve Security" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/95/slides.pdf) and video (https://youtu.be/-mBlQVEXcB8?t=3)
- 7. Firefox fails to load favicon from HTTP cache - What sounds at first like an innocuous bug report turns into an interesting situation on vuln research, disclosure, and ethics. And it's something that could generalize to bug bounty and other vuln disclosure programs.
- 1. Reliance on cloud, APIs create confusion and introduce risk into software development - Radware did a study (PDF link in the article) on appsec and API security. Some interesting takeaways and stats, sometimes they're taking existing data and making you think about it a different way - eg 71% of respondents mostly/completely trust the level of security offered by their CSPs - but this translates to "71% mostly trust that their customer data won't be compromised by a bad actor" "API security will be first area of investment" for 2021 - security expertise is #3. Interesting predictions, including "The mad dash to the cloud will undermine application security in 2021" and "Human errors will become more frequent and more costly" Also a reminder to go back and watch Mike's great api security panel from securityweekly unlocked!