metatrapd - Metadata and honeypots
Using a honeypot/honeyservice/honeytoken is one of the simplest and most impactful security actions one can take. Thinkst Canary has proven this over a number of years and continues to lead the field. Taking inspiration from what Thinkst has done and combining this with their idea of “honey tokens” for cloud services, I wrote metatrapd a couple of years back. Finally, I’m making this public; maybe it will be useful to someone....
Accessibility in Security
A really quick post about how we in security and engineering communicate. The language we use in communicating security issues has been spoken about often, and we have gotten a lot better at making the language more inclusive and accessible. We still have a long way to go, but a shift away from confrontational language (we aren’t fighting a war) has, in my experience, led to better acceptance of what we are trying to say....
Thoughts on Threat Modeling
It has taken me a long time to get around to writing this post, mostly because having an opinion about threat modeling can be so polarising. I’m expecting to be told “you are wrong!”, “that is not what threat modeling is!”, and “that is not how you threat model!”. Fortunately, this is the internet, and we all get to have our own wrong opinions. What follows are some of my personal views on threat modeling, how I approach threat modeling and what has worked for me (both as a Platform Security Engineer and vulnerability researcher)....
Universal RCE with Ruby YAML.load (versions > 2.7)
A couple of years ago I wrote a universal YAML.load deserialization RCE gadget based on the work by Luke Jahnke from elttam. This has since been patched and no longer works on Ruby versions after 2.7.2 and Rails 6.1. Fortunately, William Bowling (vakzz) has found a new gadget chain that works on all Ruby versions 2.x - 3.x. His write-up for this is excellent and I highly recommend you give it a read: https://devcraft....
CVE-2020-25695 Privilege Escalation in Postgresql
It has been quite a year; I hope everyone is well and staying safe. This is my first and probably only post for the year, and it covers a fun privilege escalation vulnerability I found in Postgresql. This affects all supported versions of Postgresql going back to 9.5; it is likely that it affects most earlier versions as well. The vulnerability is similar to a time-of-check to time-of-use (TOCTOU) issue; however, in this case it relates to state not being fully cleared/reset before exiting a security restricted operation....