I hope you’ve been doing well!
Reflections on Machine Learning
I’ve noticed that recently Machine Learning has unintentionally become a regular section in tl;dr sec. I hope you find it interesting and not annoying 😅
I’ve long been an AI skeptic (and even wrote about it), as I felt many vendors drastically overclaimed how powerful AI made their product, or the companies where “AI” was really low-cost analysts in another country.
I still don’t think AI is a silver bullet, but the amazing advances (and rate of improvement) over the past year or two, to me, makes it impossible to ignore.
The explosion of tools, single-purpose AI driven websites, integration into existing apps, and more does feel a bit like the Renaissance, or the early days of the Internet, or some other period in which creativity flourished.
What a time to be alive.
📢 The First Security Communications Center of Excellence
Discernible is a multidisciplinary team with a single mission: to make your security team the most effective communicators in your company. Why? Because effective communicators drive behavior, earn influence, and get things done.
We’re a one-stop-shop for addressing all of your communication challenges including board presentations, conference CFPs and public speaking, customer support, and external Trust Centers. Looking for a regular cadence of technical blog posts authored by your team or an updated plan for IR communications? We do that. All of it.
Trusted by security teams at Twilio, Yahoo, and Trail of Bits.Learn more
📜 In this newsletter...
- Conferences: BSidesSF, The Diana Initiative 2023
- Web Security: Exploit padding oracle issues, write-up of an account takeover vulnerability affecting ChatGPT, The Bug Hunter's Methodology Live
- AppSec: GPT + nmap, How Semgrep and Nuclei Are Shaping the Future of Security Engineering
- Cloud Security: amazon-cognito-passwordless-auth, Implementing Magic Links with Amazon Cognito, Using Service Control Policies to protect security baselines, scrape SSL certs from AWS IP ranges, aws-cost-cli, serverless infra to track newly registered domains
- Container Security: Awesome k8s threat detection, turning the Kubernetes API Server into a port scanner, top 15 kubectl plugins for security engineers
- Blue Team: awesome-detection-rules, CISA's untitledgoosetool, Introducing Microsoft Security Copilot, 2022 Zero-Day Exploitation Trends
- Misc: Make a PDF look like it was manually scanned, "Lots of cyber security companies are going to fail this year", Star Wars as a Scrolling Infographic, The Last Question, CLI tool to query JSON, CSV and more
- Machine Learning: ChatGPT Plugins, run a fast ChatGPT-like model locally on your device, Cheating is All You Need, Democratizing the magic of ChatGPT with open models, Sam Altman on Lex Fridman Podcast, The secret history of Elon Musk, Sam Altman, and OpenAI, "Secret" ChatGPT plugins leaked via the API, How to Move from AI “Prompts” to AI Whispering, The Age of AI has begun, The Prospect of an AI Winter, Big tech and the pursuit of AI dominance
One of my favorite conferences is coming up soon– April 22-23 (right before RSA). If you’re going to be in town, I highly recommend checking it out. I’ll be there, come say hi 😀
The Diana Initiative 2023
A one day hacker conference dedicated to creating a more inclusive infosec industry, taking place Monday August 7, 2023 to kick off Hacker Summer Camp. Their CFP is still open and tickets are on sale. If your company is interested in increasing diversity in the infosec industry, consider sponsoring.
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.Find out how
An advanced exploiter for Padding Oracle attacks against CBC mode encryption, by @blegmore.
Write-up of an account takeover vulnerability affecting ChatGPT
By Nagli: tl;dr: steal their JWT via web cache deception. Nice walkthrough. This would let you takeover someone’s account, view their chat history, and access their billing information without them ever realizing it.
The Bug Hunter’s Methodology Live
My bud Jason Haddix will be teaching the course live July 15-16 and another weekend. Jason’s Bug Hunter Methodology talks have been some of my favorites, cool to see them extended into a course. Also, I’m really stoked that Jason has started a newsletter (Executive Offense), that I immediately signed up for.
Tool by Chiranjeevi G that uses the ChatGPT API and Python-Nmap module to create vulnerability reports based on Nmap scan data.
Harnessing the Hive Mind: How Semgrep and Nuclei Are Shaping the Future of Security Engineering
This post by Travis Biehn is an excellent overview of the benefits of open source security tooling, modern security engineering, and where things are headed.
…this type of flexibility means that these tools are useful in expanded contexts from those imagined by the product managers at incumbent security tool vendors.
Semgrep and Nuclei can be used for portfolio level efforts to understand code, coding practices, and coding risk in ways that can drive interesting and effective behavior by security teams. One typical use case is software inventory and risk analysis - sure you can ask a development team if their project uses, for example, credit card services, but with Semgrep you can just write a query for them. With a set of checks that tell you what software properties express risk, you can realize many benefits of threat modeling in a totally automated way - use that information to automatically risk-score applications in your inventory, and respond with automation to address risk.
Open source projects with simple rule languages like Nuclei and Semgrep are in a great position to become the lingua franca used by modern engineers and distributed alongside popular development frameworks to realize similar dynamics outside of the halls of super-high-tech-firms.
These tools can scale an individual bit of knowledge trapped inside a security engineer across a portfolio of code, or the world’s code. Their flexibility means you can count on these tools to tell you more about your software, rather than if that software just has a particular security problem.
Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn), Magic Link, SMS OTP Step Up.
Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide
By Yan Cui. See also: implementing passwordless authentication using one-time passwords (OTPs) using Cognito.
Using Service Control Policies to protect security baselines
Wiz’s Scott Piper illustrates a specific use case of SCPs that protects the security baseline, or landing zone, configuration you’ve created for accounts.
A tool by Jason Haddix to scrape SSL certificates from all AWS IP ranges, searching for specific keywords in the certificates’ Common Name (CN), Organization (O), and Organizational Unit (OU) fields.
By Kamran Ahmed: CLI tool to perform cost analysis on your AWS account, with Slack integration.
Serverless Domain Hunting: Track Newly Registered Domains With Ease
How to set up Lambdas that continuously poll for newly registered domains to detect potential phishing or other malicious domains.
A curated list of resources about detecting threats and defending Kubernetes systems by Databricks’ Jason Trost.
Fun with SSRF - Turning the Kubernetes API Server into a port scanner
Datadog’s Rory McCune shows how to leverage existing functionality on Kubernetes to perform scans from the perspective of the API server using validating admission webhooks (PoC).
Top 15 Kubectl plugins for security engineers
By Sysdig’s Nigel Douglas. Stern plugin, RBAC-tool, Cilium Plugin, Kube Policy Advisor, Kubectl-ssm-secret, Kubelogin, Kubectl-whisper-secret, Kubectl-capture, Kubectl-trace, Access-matrix, Rolesum, Cert-manager, np-viewer, ksniff, Inspektor-Gadget.
A collection of threat detection rules / rules engines by Databricks’ Jason Trost, including Yara, Sigma, Falco, Zeek, Snort/Suricata, Splunk, and more.
By CISA: A robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Introducing Microsoft Security Copilot
Basically you can use a ChatGPT-esque command prompt to query your infrastructure/SIEM/etc. during incident response, threat hunting, security reporting, and more. The demo video is worth watching, and includes asking the system to reverse engineer a malicious Powershell script and create a visual diagram of what it does. Very cool.
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
Mandiant’s James Sadowski and Casey Charrier share interesting trends and A+ song references in section titles.
- 55 0days exploited in 2022, which was lower than the 81 in 2021, but still ~3X the number from 2020.
- Chinese state-sponsored cyber espionage groups exploited the most 0days, which is consistent with previous years.
- Four were exploited by financially motivated threat actors, 3/4 linked to ransomware operations.
- Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years.
- Most exploited product types: operating systems (19), browsers (11), security, IT, and network management products (10), and mobile OS (6).
Make a PDF look like it was manually scanned
Using a quick shell script.
“Lots of cyber security companies are going to fail this year.”
Thread by GreyNoise’s Andrew Morris on how money becoming”expensive” will affect security start-ups, and what to do about it.
Star Wars as a Scrolling Infographic
The Last Question
Famed SciFi writer Isaac Asimov averaged a new magazine article, short story, or book every two weeks for 50 years. This was his favorite short story.
Commandline tool for running SQL queries against JSON, CSV, Excel, Parquet, and more, by Multiprocess Labs.
Language models can now search the Internet, run computations, and use third-party services. Very cool and incredibly powerful, the demos are worth watching.
Run a fast ChatGPT-like model locally on your device. This combines the LLaMA foundation model (from Facebook) with an open reproduction of Stanford Alpaca, a fine-tuning of the base model to obey instructions.
Cheating is All You Need
When Steve Yegge blogs, it’s worth reading. He shares stories of how things that start as a small demo (e.g. AWS, Kubernetes, talking to someone over the Internet) can become massive, shares a nice overview about LLMs, discusses productivity improvements, and more.
LLMs aren’t just the biggest change since social, mobile, or cloud–they’re the biggest thing since the World Wide Web. And on the coding front, they’re the biggest thing since IDEs and Stack Overflow, and may well eclipse them both.
Hello Dolly: Democratizing the magic of ChatGPT with open models
We show that anyone can take a dated off-the-shelf open source large language model (LLM) and give it magical ChatGPT-like instruction following ability by training it in less than three hours on one machine, using high-quality training data. Surprisingly, instruction-following does not seem to require the latest or largest models: our model is only 6 billion parameters, compared to 175 billion for GPT-3. We open source the code for our model (Dolly) and show how it can be re-created on Databricks.
Sam Altman: OpenAI CEO on GPT-4, ChatGPT, and the Future of AI | Lex Fridman Podcast
A discussion very much worth listening to, on GPT-4, bias, AI safety, Artificial General Intelligence, and more.
The secret history of Elon Musk, Sam Altman, and OpenAI
In 2018, Musk wanted to take control of OpenAI and run it, but when Altman and other founders rejected that proposal he left, and didn’t donate the large sum of money he said he would. Interestingly, Altman has no equity in OpenAI.
“Secret” ChatGPT plugins leaked via the API
rez0 shares what he found.
From the founder of HashiCorp.
Response Shaping: How to Move from AI “Prompts” to AI Whispering
Actionable and concrete tips by Daniel Miessler on how to get consistently high-quality results from the AIs you interact with.
See also Prompt Engineering by OpenAI’s Lilian Weng.
The Age of AI has begun
Long post by Bill Gates on why he believes AI is as revolutionary as mobile phones and the Internet, his thoughts on applications in education, healthcare, climate change, workplace productivity, and more.
The development of AI is as fundamental as the creation of the microprocessor, the personal computer, the Internet, and the mobile phone. It will change the way people work, learn, travel, get health care, and communicate with each other. Entire industries will reorient around it. Businesses will distinguish themselves by how well they use it.
Soon the pre-AI period will seem as distant as the days when using a computer meant typing at a C:> prompt rather than tapping on a screen.
The Prospect of an AI Winter
Are we in an AI bubble? Erich Grunewald walks through potential critiques, like Moore’s Law is slowing down, chip production is centralized and reaching physical limits, could AI applications be unprofitable, could they run out of data to train on, etc.
Big tech and the pursuit of AI dominance
Nice overview of Apple, Meta, Microsoft, Alphabet, and Amazon’s job listings, acquisitions, investments, etc. in AI.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!Cheers,