[tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages

Hey there,

I hope you’ve been doing well!

Workplace Challenges

You know, sometimes you try your best to fit in with work culture, and it still doesn’t work out.

Insensitivity like that at work gits me real fired up.

Web Security

devploit/debugHunterBy Daniel Púa:
A Chrome extension that scans websites for debugging parameters and notifies you when it finds a URL with modified responses.

Exploiting prototype pollution in Node without the filesystem
If you’ve detected Server-Side Prototype Pollution, Portswigger’s Gareth Heyes describes how to use the --import CLI flag in Node to execute arbitrary code without requiring a local file. There’s also a learning lab to practice on.

GitHub

tailscale/ToBeReviewedBot
A GitHub App to watch for PRs merged without a reviewer approving, by Tailscale.

Announcing the GitHub Actions extension for VS Code
he official GitHub Actions VS Code extension provides support for authoring and editing workflows, and helps you manage workflow runs without leaving your IDE.

Introducing GitHub vulnerability management integrations for security professionals
GitHub now supports integration with the following vulnerability management providers: Brinqa, Kenna Security, Nucleus, and Threadfix.

GitHub Copilot X: The AI-powered developer experience

• Auto-generate PR description text based on code changes. Automatically warn if you’re missing sufficient testing for a pull request and then suggest potential tests.

• GitHub Copilot Chat: ChatGPT-like experience in your editor. Get in-depth analysis and explanations of what code blocks are intended to do, generate unit tests, and even get proposed fixes to bugs. Can also just use your voice.

• Use a chat interface to ask docs questions.

• Copilot for CLI

Cloud Security

gofireflyio/aiac
AI Infrastructure as Code generator, by Firefly.

oguzhan-yilmaz/balcony By Oğuzhan Yılmaz:
Effortlessly enumerate your AWS Account with Balcony - a CLI tool that utilizes the AWS API and automatically populates required parameters.

Public Access Key - 2023
Chris Farris walks through the timeline of what happened when he intentionally published an AWS Access Key and its secret to GitHub.

A Guide to S3 Logging
Rami McCarthy on what you should do about S3 logging, comparing S3 logs (data events vs server access logs), working with Server Access Logs, and more.

Automate IAM credential reports for large AWS Organizations
How to automate IAM credential reports in AWS Organizations with many accounts. The reports list all AWS IAM users in your accounts and the status of their credentials, including passwords, access keys, and MFA devices.

Exploring Amazon VPC
LatticeIan Mckay walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall. VPC Lattice is a service that enables you to connect clients to services within a VPC.

Welcome to the Jungle: Pentesting AWS
Presentation by Black Hills Information Security’s Mike Felch on:

1. Adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources.

2. Exploitation, lateral movement, and privilege escalation methodology for those looking to get their start with AWS penetration tests.

3. Tool release to help extract the discovered vulnerabilities and generate boilerplate language for the report.

Identify and remediate common cloud risks with the Datadog CloudSecurity Atlas
DataDog’s Andrew Krug and Christophe Tafani-Dereeper announce Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments. You can search and filter on your cloud provider platform, risk type, and sort by impact, exploitability, and recency.

Container Security

ECS Compose-X
Easily deploy your services to AWS ECS from your docker-compose files.

Blue Team

MattKeeley/Spoofy
A program that checks if a list of domains can be spoofed based on SPF and DMARC records, by Matt Keeley.

How we built DMARC Management using Cloudflare Workers
Cloudflare’s André Cruz and Nelson Duarte describes how Cloudflare’s new DMARC management was built, using Workers, R2, and other Cloudflare platform features. Cloudflare Workers seem neat, I keep meaning to play around with them more.

Supply Chain

Finding Malicious PyPi Packages in the Wild
Insomni’Hack presentation by Christophe Tafani-Dereeper and Vladimir de Turckheim that provides an overview of malicious software packages in 2023 and approaches to detect them, describes GuardDog, their open source tool to detect malicious packages, and findings from continuously scanning PyPI. 900+ malicious package dataset here.

Introducing SafeDep vet 🚀
Madhu Akula and Abhisek Datta announce vet, a tool for identifying risks in open source software supply chains that lets you define organizational “policy as code” and enforce it in CI/CD.

chainloop-dev/chainloop
An open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. With Chainloop, SecOps teams can declaratively state the attestation and artifacts expectations for their organization’s CI/CD workflows, while also resting assured that latest standards and best practices are put in place.

See also Software Supply Chain Attestation the Easy Way 
by Chainloop’s Miguel Martinez Trivino.

Attackers have better things to do than corrupt your builds
Kelly Shortridge argues that exploiting a vulnerability in your build pipeline is not the most effective action for an attacker, as if they have that access they can do other things. Nice discussion of attack paths and the importance of understanding build processes as a security professional.

Politics / Privacy

Help, My Therapist Is Also an Influencer!
What happens when your therapist uses your session as inspiration for their growing TikTok following?

Australian Parliament’s Exploration of CCP’s Ties to TikTok
The 113-page doc details the CCP’s controls and its surveillance and propaganda aims, which contradict TikTok’s public statements. From the executive summary:

The FBI Just Admitted It Bought US Location Data
So they didn’t have to obtain a warrant.

H/T Zack Whittaker for the meme.

Misc

Tabloid: The Clickbait Headline Programming Language
A Turing-complete programming language for writing programs in the style of clickbait news headlines 🤣

Machine Learning

YakGPT
A simple, locally running ChatGPT UI.

My kids and I just played D&D with ChatGPT4 as the DM
Wow, and it was really good.

scrapeghost
An experimental library for scraping websites using OpenAI’s GPT.

Segment Anything
A new AI model from Meta AI that can “cut out” any object, in any image, with a single click.We put GPT-4 in Semgrep to point out false positives & fix coder2c’s Bence Nagy describes the newly launched Semgrep Assistant, which provides automated recommendations for triaging findings and suggested code remediations, using Semgrep + GPT-4.

6 Phases of the Post-GPT World
What Daniel Miessler thinks is coming as a result of connecting GPT-4 to the Internet: companies and people become models/APIs, AI assistants, content authentication, knowledge work replacement, and the creativity explosion.

Existential risk, AI, and the inevitable turn in human history
Tyler Cowen argues that we should move forward with AI, and that in some ways it’s inevitable anyway.

Astral Codex Ten argues why this is a bad way to look at it. Tyler Cowen’s reply.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint