Attacks & Vulnerabilities
Clever 'GitHub Scanner' campaign abusing repos to push malware (3 minute read)
A sneaky campaign on GitHub is tricking users into visiting a fake domain and installing Windows malware by falsely reporting security vulnerabilities. Users are receiving convincing email alerts from legitimate GitHub addresses, leading to the spread of malicious software. Threat actors are using GitHub's "Issues" feature to distribute malware through open-source repositories, highlighting the platform's vulnerability to abuse.
A SaaS Provider's Guide to Securely Integrating with Customers' AWS Accounts (9 minute read)
SaaS providers often need to integrate with customers' AWS environments to perform tasks such as cost optimization or CSPM. At a minimum, a provider should use IAM roles with ExternalIds instead of IAM users, and audit and minimize the permissions its role requires. Paved roads and guardrails a provider can then offer include CloudFormation templates and/or a Terraform provider, and refusing to assume a role that is overly permissive. Finally, providers should treat their integrations as crown jewels and consider defense-in-depth measures such as bastion accounts and restricting the customer's trust boundary to a single role instead of a full account.
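The ExternalId trust-policy pattern and the audit-before-assume step described above, as an added Python example that is not from the article or any vendor: it builds the trust policy a customer would deploy (for example via the provider's CloudFormation template) and checks a customer-supplied trust policy and permissions policy against the provider's expectations. The account ID, role name and ExternalId are constructed placeholders, and the checks are deliberately simple; they complement, not replace, tools such as IAM Access Analyzer.

```python
"""Trust-policy builder and pre-assume checks for a SaaS provider that
integrates with customer AWS accounts. Added illustration; all identifiers
below are constructed placeholders, not real accounts."""
import json
import secrets

# Constructed placeholders (not real AWS identifiers).
PROVIDER_ACCOUNT = "111111111111"
PROVIDER_ROLE = "integration-worker"   # the single provider role allowed to assume
PROVIDER_ROLE_PREFIX = f"arn:aws:iam::{PROVIDER_ACCOUNT}:role/"

# Actions a provider should refuse to work with in the customer role's
# permissions policy: wildcard or admin-level grants are never "minimal".
TOO_BROAD_ACTIONS = ("*", "iam:*", "sts:*")


def new_external_id() -> str:
    """Issue a per-customer ExternalId. It must be unguessable and unique per
    customer so a third party cannot point a role at the provider and trick it
    into acting on their behalf (the confused-deputy problem)."""
    return secrets.token_urlsafe(32)


def build_trust_policy(external_id: str) -> dict:
    """Trust policy the customer attaches to the role they create for us.
    Principal is one specific provider role, not the provider account root,
    and the sts:ExternalId condition is mandatory."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": PROVIDER_ROLE_PREFIX + PROVIDER_ROLE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM documents allow a string or a list in several fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy: dict, expected_external_id: str) -> list:
    """Findings for a customer-supplied trust policy; empty means it matches
    what the provider issued. Only Allow statements granting AssumeRole count."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in principals:
            # Trusting "*", an account root, or anything other than our one role
            # widens the trust boundary beyond the single provider role.
            if p == "*" or p.endswith(":root") or not p.startswith(PROVIDER_ROLE_PREFIX):
                findings.append(f"principal too broad or not the provider role: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value issued to this customer")
    return findings


def permissions_findings(policy: dict) -> list:
    """Flag Allow statements in the role's permissions policy that the provider
    should refuse to assume rather than silently use."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        broad = [a for a in _as_list(stmt.get("Action")) if a in TOO_BROAD_ACTIONS]
        if broad:
            findings.append(f"overly permissive actions granted: {broad}")
    return findings


if __name__ == "__main__":
    ext = new_external_id()
    print(json.dumps(build_trust_policy(ext), indent=2))
    # Constructed weak trust policy: trusts the whole provider account, no ExternalId.
    weak = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROVIDER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole"}]}
    for finding in trust_policy_findings(weak, ext):
        print("trust policy:", finding)
```

The provider would run `trust_policy_findings` and `permissions_findings` against the documents it reads from the customer account (for example via the IAM `GetRole` and `GetRolePolicy` APIs) before the first `AssumeRole`, and refuse onboarding on any finding.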
Stowaway (GitHub Repo)
Stowaway is a multi-hop proxy tool for security researchers and pentesters. It proxies external traffic through multiple nodes into the core internal network, bypassing internal network access restrictions, builds a tree-like node network, and provides management functions for those nodes.
Cybersecurity Technology Adoption Cycle and its Implications for Startups and Security Teams (7 minute read)
Security teams can be classified into three categories: mature and engineering-focused teams, mature but not engineering-focused teams, and less mature teams or organizations that lack resources. Mature and engineering-focused teams will look to build their own tools, become design partners with early-stage startups, and only look to buy tooling once it becomes commodified. Mature but not engineering-focused teams will often buy tooling from early-stage startups. Less mature teams will primarily wait for larger companies to adopt new tooling and features, to reduce the number of products they pay for. Startups need to be aware of these trends, as they are the inverse of typical go-to-market strategies. Security teams need to consider this cycle when deciding whether to build or buy tooling.
Policy Language Security Comparison (65 minute read)
AWS engaged Trail of Bits to evaluate three major authorization and access management policy languages: Cedar, Rego, and OpenFGA. Trail of Bits evaluated sixteen threat scenarios and grouped them by attack surface and mitigation similarity. Cedar's predictable evaluation model protects against DoS from users, and its formalized semantics, testing, and typing system prevent language misuse and mis-evaluation, but data ingestion and engineering may add complexity. Rego provides a flexible policy language, which can make it easier to use but may also lead to language misuse, mis-evaluation, or performance concerns. OpenFGA provides a declarative language for mapping ReBAC constraints, which can simplify policy writing, but it relies on external attribute lists and can lead to unpredictable performance. The language also features mitigations for threats related to policy extension and replacement.
If you have any comments or feedback, just respond to this email!
Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile