KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies – ASW #137
An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into appsec, and all the things that can go wrong when you give up root in your Kubernetes pod.
A researcher pokes around Kindle's firmware, finds an overflow flaw in an image-decoding library, and paints a picture of RCE. For extra credit, the researcher also found a flaw in a regex that was meant to prevent injection attacks.
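Two generic bug patterns behind that summary, as an added example that is not code from the Kindle research or from any Kindle component: a decoder sizing its pixel buffer with 32-bit arithmetic that wraps, and a "validation" regex that stops less than it appears to. The 32-bit wrap is simulated with a mask because Python integers do not overflow, the RGBA layout and the allowed-character rule are assumptions for the illustration, and the payloads are constructed.

```python
import re

# ---- Part 1: buffer-size arithmetic that wraps (generic decoder pattern) ----
# Python ints never overflow, so the 32-bit wraparound a C decoder would suffer
# is reproduced here with an explicit mask.
U32 = 0xFFFFFFFF
BYTES_PER_PIXEL = 4  # assumed RGBA output; the real format is not specified here


def pixel_buffer_size_unchecked(width: int, height: int) -> int:
    """Size a decoder computes with plain 32-bit arithmetic; silently wraps."""
    return (width * height * BYTES_PER_PIXEL) & U32


def dimensions_fit(width: int, height: int) -> bool:
    """Overflow check written with divisions, the way C code that cannot
    compute the full product has to do it. False when the size would wrap."""
    if width <= 0 or height <= 0:
        return False
    if height > U32 // BYTES_PER_PIXEL:          # height * BPP itself would wrap
        return False
    return width <= U32 // (height * BYTES_PER_PIXEL)


def pixel_buffer_size_checked(width: int, height: int) -> int:
    """Only allocate once the dimensions are known to fit."""
    if not dimensions_fit(width, height):
        raise ValueError("image dimensions overflow the pixel buffer size")
    return width * height * BYTES_PER_PIXEL


# ---- Part 2: four regex validators for the same intended rule ----
# Intended rule (assumed): only letters, digits, '.', '@' and '-' are allowed.
ALLOWED = r"[A-Za-z0-9.@-]+"


def v_prefix_only(s: str) -> bool:
    # re.match anchors at the start only: anything after a valid prefix passes.
    return re.match(ALLOWED, s) is not None


def v_dollar(s: str) -> bool:
    # '$' also matches just before a single trailing newline, so "x\n" passes.
    return re.match(ALLOWED + "$", s) is not None


def v_bad_range(s: str) -> bool:
    # An unescaped '-' between '.' and '@' forms the range 0x2E..0x40, which
    # quietly admits ';', '/', ':', '<', '=' and '>'.
    return re.fullmatch(r"[A-Za-z0-9.-@]+", s) is not None


def v_fullmatch(s: str) -> bool:
    # Whole-string match against the intended class: the form to use.
    return re.fullmatch(ALLOWED, s) is not None


# Constructed inputs for the illustration, not taken from any real report.
PAYLOADS = {
    "clean": "user@example.com",
    "trailing-cmd": "user@example.com; rm -rf /",
    "trailing-newline": "user@example.com\n",
    "semicolon": "user;id",
}


def accepted_by(validator) -> list:
    """Names of the constructed payloads that a validator lets through."""
    return sorted(name for name, value in PAYLOADS.items() if validator(value))


if __name__ == "__main__":
    print(pixel_buffer_size_unchecked(65536, 65537))   # wraps to 262144 bytes
    print(dimensions_fit(65536, 65537))                # False
    for v in (v_prefix_only, v_dollar, v_bad_range, v_fullmatch):
        print(v.__name__, accepted_by(v))
```

The 65536 x 65537 image needs about 16 GiB of pixel data but the wrapped size asks for 256 KiB, which is exactly the shape of bug that turns a decoder into a heap overflow. On the regex side, only the `fullmatch` form rejects all three hostile payloads; the other three each pass a different one.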
Project Zero picks apart the protocol implementations of several messaging apps and finds that most of their calling state machines can be confused into transmitting audio or video from the callee's device before the user has answered the call. It's also a good overview of WebRTC and of protocol analysis in general. We touched on state machines and fuzzing in the previous episode, 136: https://securityweekly.com/asw136.
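The bug class in miniature, as an added example that is not code from Project Zero's write-up or from any of the apps it examined: a callee state machine that starts sending media when the peer says "connect", versus one that gates media on the local user's accept and drops peer messages that arrive in the wrong state. The message names and the three states are assumptions chosen for the illustration, and `find_leaks` is a small exhaustive version of the stateful fuzzing the episode mentions: it enumerates every peer-only message sequence and reports the ones that switch media on without an accept.

```python
from enum import Enum, auto
from itertools import product


class State(Enum):
    IDLE = auto()      # no call in progress
    RINGING = auto()   # incoming offer is being shown to the user
    IN_CALL = auto()   # the user accepted; media may flow


# Assumed signalling vocabulary: three messages the peer can send, plus the
# one action only the local user can take.
OFFER = "offer"      # peer: start a call
CONNECT = "connect"  # peer: "the media path is up, start streaming"
HANGUP = "hangup"    # peer: tear the call down
ACCEPT = "accept"    # local user pressed the answer button
PEER_MESSAGES = (OFFER, CONNECT, HANGUP)


class LeakyCallee:
    """Turns media on when the peer says CONNECT, whatever the user has done."""

    def __init__(self):
        self.state = State.IDLE
        self.media_sending = False

    def handle(self, msg: str) -> None:
        if msg == OFFER and self.state == State.IDLE:
            self.state = State.RINGING
        elif msg == CONNECT and self.state != State.IDLE:
            self.media_sending = True   # bug: never checks that ACCEPT happened
        elif msg == ACCEPT and self.state == State.RINGING:
            self.state = State.IN_CALL
        elif msg == HANGUP:
            self.state = State.IDLE
            self.media_sending = False


class StrictCallee:
    """Media is gated on the local ACCEPT; out-of-state peer messages are dropped."""

    def __init__(self):
        self.state = State.IDLE
        self.media_sending = False

    def handle(self, msg: str) -> None:
        if self.state == State.IDLE:
            if msg == OFFER:
                self.state = State.RINGING
        elif self.state == State.RINGING:
            if msg == ACCEPT:
                self.state = State.IN_CALL
            elif msg == HANGUP:
                self.state = State.IDLE
            # CONNECT while ringing is ignored: the peer cannot start our media.
        elif self.state == State.IN_CALL:
            if msg == CONNECT:
                self.media_sending = True
            elif msg == HANGUP:
                self.state = State.IDLE
                self.media_sending = False


def run(callee_cls, msgs):
    """Feed a message sequence to a fresh callee and return it for inspection."""
    callee = callee_cls()
    for msg in msgs:
        callee.handle(msg)
    return callee


def find_leaks(callee_cls, max_len: int = 3):
    """Every peer-only sequence up to max_len that ends with media on, i.e.
    without the user ever pressing ACCEPT. An empty list means no leak."""
    leaks = []
    for n in range(1, max_len + 1):
        for seq in product(PEER_MESSAGES, repeat=n):
            if run(callee_cls, seq).media_sending:
                leaks.append(seq)
    return leaks


if __name__ == "__main__":
    print("leaky:", find_leaks(LeakyCallee))    # first hit: ('offer', 'connect')
    print("strict:", find_leaks(StrictCallee))  # []
```

The strict version is not cleverer, it is just explicit about which messages are legal in which state; that is what lets an exhaustive walk prove the absence of the leak rather than merely fail to find one.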
You might not be in charge of your org's shift to DNS over HTTPS (DoH), but it is a chance to apply threat modeling to where you gain or lose visibility: the lookups made by your DevOps endpoints and by the network connections throughout the CI/CD pipeline move from plaintext DNS into HTTPS sessions with a resolver. The NSA's guidance on adopting encrypted DNS is at https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
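To reason about what a sensor keeps and loses, it helps to see what a DoH exchange actually carries. The following is an added example, not code from the NSA paper or from any resolver: it builds a DNS query in wire format and wraps it the two ways RFC 8484 allows (base64url in a GET parameter, or the raw message as a POST body with media type application/dns-message), then parses the queried name back out. The resolver name `dns.example` is a placeholder, the `/dns-query` path is the one RFC 8484's examples use, and the HTTP/1.1 framing is only there to show the bytes; real clients use HTTP/2. Everything inside `build_dns_query` is what a DNS-level monitor no longer sees once the query is inside TLS; the resolver's address and SNI are what it still sees.

```python
import base64
import struct

DOH_PATH = "/dns-query"   # path from RFC 8484's examples; a resolver may use another


def encode_qname(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal query: ID 0 (RFC 8484 recommends it so responses cache well),
    RD set, one question, class IN. qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_host: str, name: str) -> str:
    """GET form: the message rides in ?dns= as unpadded base64url."""
    raw = build_dns_query(name)
    b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{DOH_PATH}?dns={b64}"


def doh_post_request(resolver_host: str, name: str) -> bytes:
    """POST form: the raw message is the body, with the RFC 8484 media type.
    Shown as HTTP/1.1 text for readability only."""
    body = build_dns_query(name)
    head = (
        f"POST {DOH_PATH} HTTP/1.1\r\n"
        f"Host: {resolver_host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head + body


def parse_question_name(msg: bytes) -> str:
    """Recover the queried name from the question section. This is the
    field a DNS monitor loses once the query travels over DoH."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


if __name__ == "__main__":
    print(doh_get_url("dns.example", "www.example.com"))
    print(doh_post_request("dns.example", "www.example.com"))
    print(parse_question_name(build_dns_query("www.example.com")))
```

The GET form for `www.example.com` reproduces the `dns=` value given in RFC 8484's own example, which is a handy sanity check when you are writing a detection that decodes this parameter at a proxy.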
You can skip over the references to specific Google Cloud products and still get a good understanding of how to approach a data security program for your own environment, whichever cloud provider you use. The paper is at https://services.google.com/fh/files/misc/designing_and_deploying_data_security_strategy.pdf
Real World Crypto ran from January 11th through the 14th. Two sessions in particular are relevant to areas we've touched on in the podcast: one goes into more detail on Zoom's end-to-end encryption, the other on the importance of understanding user needs when designing systems.
- "E2E Encryption and Identity Properties for Zoom Meetings" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/91/slides.pdf) and video (https://youtu.be/jeQvDLPQsuw?t=1814)
- "Mental Models of Cryptographic Protocols - Understanding Users to Improve Security" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/95/slides.pdf) and video (https://youtu.be/-mBlQVEXcB8?t=3)
What sounds at first like an innocuous bug report turns into an interesting situation on vuln research, disclosure, and ethics. And it's something that could generalize to bug bounty and other vuln disclosure programs.
Radware did a study (PDF link in the article) on appsec and API security. It has some interesting takeaways and stats; sometimes they take existing data and make you look at it a different way. For example, 71% of respondents mostly or completely trust the level of security offered by their CSPs, which translates to "71% mostly trust that their customer data won't be compromised by a bad actor".
"API security will be first area of investment" for 2021 - security expertise is #3.
Interesting predictions, including "The mad dash to the cloud will undermine application security in 2021" and "Human errors will become more frequent and more costly"
Also a reminder to go back and watch Mike's great API security panel from Security Weekly Unlocked!