KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies – ASW #137

A researcher pokes around Kindle's firmware, finds an image decoding library with an overflow flaw, and paints a picture of RCE. And for extra credit, the researcher also found a flaw in a regex intended to prevent injection attacks.

Project Zero picks apart the protocol implementations for several messaging apps and discovers that most of their state machines can be confused into leaking audio or video to unauthenticated users. It's also a good overview of WebRTC and protocol analysis in general. We even touched on state machines and fuzzing in the previous episode 136, https://securityweekly.com/asw136.

A nice overview of Kubernetes pod security assumptions and what happens when a lack of least privilege turns into mostly accessed.

You might not be in charge of your org's shift to DNS over HTTPs (DoH), but it does present a chance to apply threat modeling exercises to where you'll gain or lose visibility in the security of your DevOps endpoints and the network connections being made throughout the CI/CD pipeline. You can find the report at https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF

You can skip over the specific references to Google Cloud products and still gain a good understanding of how to approach a data security program for your own environment regardless of cloud service provider. You can find the paper at https://services.google.com/fh/files/misc/designing_and_deploying_data_security_strategy.pdf

Real World Crypto ran from January 11th through the 14th. Two sessions in particular are relevant to areas we've touched on in the podcast, one talks in more detail about the end-to-end encryption for Zoom and the other talks about the importance of understanding user needs in designing systems. - "E2E Encryption and Identity Properties for Zoom Meetings" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/91/slides.pdf) and video (https://youtu.be/jeQvDLPQsuw?t=1814) - "Mental Models of Cryptographic Protocols - Understanding Users to Improve Security" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/95/slides.pdf) and video (https://youtu.be/-mBlQVEXcB8?t=3)

What sounds at first like an innocuous bug report turns into an interesting situation on vuln research, disclosure, and ethics. And it's something that could generalize to bug bounty and other vuln disclosure programs.

Radware did a study (PDF link in the article) on appsec and API security. Some interesting takeaways and stats, sometimes they're taking existing data and making you think about it a different way - eg 71% of respondents mostly/completely trust the level of security offered by their CSPs - but this translates to "71% mostly trust that their customer data won't be compromised by a bad actor" "API security will be first area of investment" for 2021 - security expertise is #3. Interesting predictions, including "The mad dash to the cloud will undermine application security in 2021" and "Human errors will become more frequent and more costly" Also a reminder to go back and watch Mike's great api security panel from securityweekly unlocked!