October 2020 Week 3
I started listening to the Cloud Security Podcast this past month. Great digestible interviews with security professionals from different fields. This episode really caught my attention when they discussed bug bounty hunters using a continuous monitoring technique involving favicon hashes.
What’s a favicon: A favicon is the tiny logo you see in the tab section of your browser. For instance, you should (if on a desktop browser) see this little egg next to the title of this page. Most favicons have the file extension .ico. Go ahead and type in your favorite website followed by the path /favicon.ico,
or just check out these links to get an idea
What can we do with this: By calculating the hash of the favicon, we can use a search engine like Shodan.io (our search would look something like this -> http.favicon.hash:"OUR HASH HERE") to scour the internet for devices that serve our favicon. We can do this with a simple Python script. Even better, there’s a great tool, FavFreak, developed by Devansh Batham, which provides the domains, subdomains, and IPs that serve our selected hash.
Why is this a useful technique: It makes sense that the Cloud Security Podcast would bring up this technique when talking about continuous monitoring. We could use it to locate devices associated with “our brand” which should not be externally facing, or which should have been decommissioned. This is also valuable when monitoring for phishing websites or fraudulent IPs posing as “our brand”.
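Here is what that “simple Python script” boils down to, as an added example (my own code, not FavFreak and not the script from the podcast). The Shodan favicon hash is a signed 32-bit MurmurHash3 of the base64 text of the file, including the line breaks Python’s base64 encoder inserts every 76 characters; the example implements MurmurHash3 inline so it needs no third-party module, and the sample favicon bytes are constructed, not a real icon.

```python
import base64
import urllib.request

MASK32 = 0xFFFFFFFF

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the algorithm behind mmh3.hash(); returns unsigned."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    n = len(data)
    body_end = n - (n % 4)
    for i in range(0, body_end, 4):              # full 4-byte little-endian blocks
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
        h1 = (_rotl32(h1 ^ k1, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[body_end:]                       # remaining 1-3 bytes
    k1 = 0
    for j in range(len(tail)):
        k1 ^= tail[j] << (8 * j)
    if tail:
        h1 ^= (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
    h1 ^= n                                      # finalisation (fmix32)
    h1 = ((h1 ^ (h1 >> 16)) * 0x85EBCA6B) & MASK32
    h1 = ((h1 ^ (h1 >> 13)) * 0xC2B2AE35) & MASK32
    return h1 ^ (h1 >> 16)

def favicon_hash(favicon_bytes: bytes) -> int:
    """Shodan-style favicon hash. base64.encodebytes() wraps at 76 chars and adds a
    trailing newline (same output as codecs.encode(data, "base64")); hashing bare
    base64 would give a different value that Shodan will not match."""
    h = murmurhash3_32(base64.encodebytes(favicon_bytes))
    return h - (1 << 32) if h & 0x80000000 else h   # signed, like mmh3.hash()

def shodan_query(favicon_bytes: bytes) -> str:
    return f'http.favicon.hash:"{favicon_hash(favicon_bytes)}"'

def fetch_favicon(site: str) -> bytes:
    """Grab /favicon.ico from one of our own sites (network; not used by the test)."""
    with urllib.request.urlopen(f"{site.rstrip('/')}/favicon.ico", timeout=10) as r:
        return r.read()

# Constructed stand-in for a favicon (an ICO header plus filler), not a real icon.
SAMPLE_ICO = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(64)) * 3

if __name__ == "__main__":
    print(shodan_query(SAMPLE_ICO))   # paste this into Shodan to find hosts serving the icon
```

For monitoring, run this against each of your own brand’s favicons and keep the hashes; any Shodan hit outside your known asset inventory is either a forgotten host or an impersonation worth a look.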
ML systems are a very interesting, relatively new attack surface, and adversaries are already attacking them. According to a Gartner report, 30% of cyberattacks by 2022 will involve data poisoning, model theft or adversarial examples. The threat matrix was a partnership between 12 industry and academic research groups. The framework is seeded with a curated set of vulnerabilities and adversary behaviors that Microsoft and MITRE have vetted to be effective against production ML systems. If you’re interested in learning how to attack, or defend, an ML system, this is the holy grail.
If you haven’t restarted your browser in a while, it’s probably a good time to do so.
What is “This Week in Cyber”?
I wanted to start a weekly post to highlight some of the cyber-related things I’ve found, read, or done that week. Could be a little, could be a lot.