Twitter Whistleblower Complaint, LastPass Breach, Threat Modeling Culture – ASW #210

Yep, it's the whistleblower report about Twitter that everyone's talking about. At over 120 items, we won't be able to cover them all, but they do fall into perhaps four broad categories: bots, insider threats (including external influences), user endpoint security, and the Secure SDLC. It's interesting to see the range of reactions to the report, from cynical shrugs of "not surprised" to the exasperated "what!?" of security perfectionists. Find out which parts surprised us, which parts seem like universal challenges for every company, and what appsec teams can learn from these details. The documents: - https://s3.documentcloud.org/documents/22161666/twitter-whistleblower-cover-letter.pdf - https://s3.documentcloud.org/documents/22186683/twitter-whistleblower-disclosure.pdf Additional news and comments: - https://threatpost.com/twitter-whistleblower-tldr-version/180472/ - https://medium.com/starting-up-security/endpoint-security-intuition-around-the-mudge-disclosures-dfbe014790f2 - https://www.theverge.com/2022/8/23/23318002/twitter-bots-lawsuit-elon-musk-mudge-zatko-ceo-agrawal - https://www.platformer.news/p/mudge-blows-the-whistle-on-twitter - https://duo.com/decipher/thirty-minutes-or-less-an-oral-history-of-the-l0pht-part-three

This is the type of breach where watching reactions to it are educational. LastPass indicated that portions of its source code had been stolen, but no cryptographic material associated with users was exposed. In terms of attackers having access to source, I find that less concerning. For me it reflects the spirit of Kerchoff's principle about cryptosystems that they "...should be secure even if everything about the system, except the key, is public knowledge". Of course, it's possible that the attackers could discover some subtle and exploitable coding flaws that LastPass and external researchers have missed. Loss of source code is obviously a repetitional hit as well as a loss of intellectual property. But we're in a world where binary analysis has been demonstrably successful in identifying flaws, binary diffing of Microsoft's patch Tuesday releases lead to quick turnarounds for exploits, and client-side code in browsers is easily analyzed. Even if this leaves you uncomfortable with using LastPass, still consider using a password manager to automatically select and organize unique credentials across all the sites you authenticate to. And, wherever possible, use WebAuthn and supplement the password with a FIDO2 security key. The company's notification is at https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

This is a super short article that grabbed me because its emphasis on threat modeling isn't about some framework or tool, but about building a culture of threat-oriented thinking through coaching, collaboration, and integration. I like approaches to threat modeling that engage DevOps teams to consider what could go wrong with their apps and how they'd counter it. For me, threat modeling isn't about enumerating OWASP Top 10 issues or identifying technical flaws -- I'd prefer to leave that to better linters and tooling. Informative threat modeling comes from DevOps teams who understand assumptions and expectations built into an app's workflows, and the insights that come from thinking about how those assumptions can fail.

Here's an example of attackers taking advantage of the unfortunate confluence of three attributes: known vulns in a binary, the binary is signed, and it runs with high privileges. There's a whole world of appsec within gaming and countering cheating. A lot of anti-cheat mechanisms also require elevated privileges in order to observe processes and memory. As the appsec industry pushes for more SBOMs and efforts like SLSA to sign artifacts, we'll see more integrity checking of binaries. That's a good thing; it helps ensure the provenance of a binary. However, we all know that approved and reviewed code can have flaws, which is what this article touches on. Provenance conveys trust in a binary's integrity and creator, not trust that it's bug-free. Check out the technical writeup at https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html In fact, we had a similar explain just last week in episode 209 where a flaw in Xiaomi's trust store failed to track and enforce version checks in the signed binaries it would run -- leading to the potential for payment forgery.

Nmap, the venerated port scanner, first appeared in Phrack issue 51 on September 1, 1997. The article describes several scanning techniques, some of which remain effective today and others, like FTP bounce, are largely extinct. From an appsec perspective, the modern web has finally reached a mostly ubiquitous port 443 (with some servers insistent on sticking with 80). We may have largely moved on from port scanners and into testing for SSRF or dangling CNAMEs, but nmap and service discovery still has a place in asset inventory and finding surprises like legacy servers that were never shut down.

In August 1991 Linus Torvalds posted about a new project of his to the comp.os.minix group: "I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." Of course, today Linux is everywhere. Even Microsoft -- famous in the 90s for its embrace, extend, and extinguish strategy -- now has the Windows Subsystem for Linux. So, the next time you're trying to debug a k8s issue, trying trim down a container, or wrangling eBPF to let your app work, think back to the time when the promise of Linux remained humble, "it probably never will support anything other than AT-harddisks" https://docs.microsoft.com/en-us/windows/wsl/

Worth a quick scan to see how security vendors attempt to scare politicians into creating federal budget to spend on security

Acala's code base was audited by multiple consultancies, including Trail of Bits. But that didn't stop a major attack where $1.3B worth of tokens were issued - the result of a parameter misconfiguration in their Honzon protocol based liquidity pool.