- tl;dr sec
- Posts
- [tl;dr sec] #179 - BSidesSF Summaries, Attacking Kubernetes, OpenAI Burp Suite
[tl;dr sec] #179 - BSidesSF Summaries, Attacking Kubernetes, OpenAI Burp Suite
I wrote quick summaries of four BSidesSF presentations, common Kubernetes attack vectors and vulnerable lab, Burp Suite extension that uses OpenAI for recon.
Clint Gibler
April 27, 2023
Hey there,
I hope you’ve been doing well!
Conference Montage
I have some amusing anecdotes from BSidesSF and RSA that I want to share, but I haven’t had time to write them up yet. Will share next week.
For everyone who came up and said hi during BSidesSF or RSA- it was lovely to meet you!
I’m always honored to hear when people find tl;dr sec useful, and it keeps me going when its *checks watch* much too late and I’m still writing. It truly does mean a lot to me.
I’ll leave you for now with a meme my bud Tanya Janca included in our RSA training, which is probably one of my favorite infosec memes of all times.
Errata
Last week I borked the following link: Two Ways to Access EKS: Kubernetes RBAC and AWS IAM. Thank you Dev for letting me know.
BSidesSF Talk Summary Threads
I wrote a few summary tweet threads of talks and panels I liked. Check them out for a quick tl;dr of the main points:
For another time when I did this (to the extent that it may have damaged personal relationships), see: What I Learned Watching All 44 AppSec Cali 2019 Talks.
Sponsor
📢 The Cloud Security Workflow Handbook
The Wiz research team surveyed security orgs at hyper-scaling enterprises to uncover how they’re adapting in 2023 and beyond. They packed their best-practices, frameworks, and templates into this playbook including:
A breakdown of the three pillars of the modern cloud security operating model best-in-class orgs are moving to.
A 4-step roadmap used by the fastest-growing companies to adapt to the new threat landscape.
Plus: Goals and KPI templates for your team to track based on maturity stage presented in a convenient cheat sheet.
📜 In this newsletter...
Ain't nobody got time to write a Table of Contents this week.
AppSec
JakeWnuk/maskcat
A utility tool for Hashcat Masks and Password Cracking, by Jake Wnuk.
Look Mama, no TemplatesImpl
Hans-Martin Münch from MogwaiLabs provides an overview of how changes introduced in Java 16 have made exploiting native deserialization vulnerabilities much harder. He shares some examples on how it is still possible to achieve remote code execution in Java 17 and beyond using JDBC connections.
Java Exploitation Restrictions in Modern JDK Times
CODE WHITE’s Florian Hauser provides a deep dive into the evolution of Java deserialization gadgets in vulnerability research. Florian explores fresh approaches for executing Java code in the latest JDK versions (e.g. using a scripting engine to stay within the JVM to execute code, which is stealthier than exec()ing a child process), with a particular focus on OpenJDK and Oracle implementations.
Smashing Hashes with Token Swapping Attacks
Jake Wnuk’s article examines token swapping attacks, a technique that leverages two principles that password crackers can exploit to recover plaintext:
Human passwords frequently have patterns in common.
Secret material is often shared or reused, especially among shared user pools
Sponsor
📢 Make sense of your security data, all of it.
According to Gartner, data fabric architecture is key to modernizing data management and integration because it can continuously identify and connect data from disparate applications. It does this by connecting data at the processing layer rather than the storage layer.
Avalor’s Data Fabric for Security™
integrates disparate data sources from legacy systems, data lakes, data warehouses, SQL databases, applications, or any source of data – in any format – to give security teams a holistic view of their data and business performance.
Web Security
hisxo/ReconAIzer
A Jython Burp Suite extension by Adrien Jeanneau that utilizes OpenAI to enhance the recon process for bug bounty hunters- discover endpoints, params, URLs, subdomains and more.
Understanding HTTP Request Smuggling with Hop-to-Hop Headers
Payatu’s Mukund Kedia discusses how HTTP request smuggling attacks can be performed using hop-to-hop headers, a technique that manipulates the HTTP headers of a request in a way that causes different interpretations of the request between two or more intermediaries that handle the request before it reaches its target. Akamai CDN’s cache was affected.
Supply Chain
philips-software/SPDXMerge
A tool that can integrate multiple SPDX JSON formatted Software Bill of materials (SBOMs) into a parent SBOM.
Introducing ‘Trusted Publishers’
PyPI maintainer Dustin Ingram shares how package maintainers can securely publish packages using OpenID Connect, which can be used in automated environments (e.g. GitHub Actions) to eliminate the need to use usernames/passwords or manually generated API tokens.
Cloud Security
ljacobsson/cw-logs-insights-gpt
A Chrome extension that generates CloudWatch Logs Insights queries from ChatGPT prompts, by Lars Jacobsson.
GoogleCloudPlatform/jit-access
An AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.
udondan/cfn-teleport
A command-line tool which can move CloudFormation resources between stacks, by Daniel Schroeder.
jdyke/gcp-iam-analyzer
An all-in-one GCP IAM analyzer tool that provides comprehensive role and permission analysis, allowing for improved security and access management, by Block’s Jason Dyke.
Security best practices for Amazon S3
19 practical recommendations from AWS to enhance your S3 security policies with better security, monitoring, and auditing practices.
IAMbic
tl;dr: Manage IAM in YAML + some other nice features. “A multi-cloud identity and access management (IAM) control plane that centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in version control.”
Logging strategies for security incident response
AWS’ Anna McAbee, Ciaran Carragher and Pratima Singh outlines in this article how to develop an effective logging strategy for security incident response by identifying the logs to analyze (e.g. AWS account logs, OS and application logs, DB and network logs, access logs), determining where to store them, planning how to analyze them, and example queries.
Container Security
Attacking Kubernetes (K8s) - Part 1
Redfox Security discusses Kubernetes security, including common attack vectors that can pose a threat to clusters. The post walks through the Insekube tryhackme vulnerable lab, demonstrating lateral movement techniques and how to pivot into K8s nodes.
Blue Team
Chatgpt scam attacks increasing
Palo Alto Networks’ Unit42 shares data and case studies that demonstrates how the increasing popularity of ChatGPT has made it a target for scammers- getting victims to install malware, stealing sensitive info, the usual. “Between November 2022 through early April 2023, we noticed a 910% increase in monthly registrations for domains related to ChatGPT.”
Politics / Privacy
Bao Fan: Why do Chinese billionaires keep vanishing?
If billionaires can randomly “disappear,” why would TikTok (which is built by people), not be under the control of the Chinese government?
In 2015 alone, at least five executives became unreachable.
Two years later Chinese-Canadian businessman Xiao Jianhua was taken from a luxury hotel in Hong Kong. He had been one of China’s richest people and last year was jailed for corruption.
In March 2020 billionaire real estate tycoon Ren Zhiqiang vanished after calling Mr Xi a “clown” over his handling of the pandemic. Later that year, after a one-day trial, Mr Ren was sentenced to 18 years in prison on corruption charges.
The most high-profile disappearing billionaire was Alibaba founder Jack Ma. The then-richest person in China vanished in late 2020 after criticising the country’s financial regulators.
Machine Learning
Unrelated but amusing:
Meet Chaos-GPT: An AI Tool That Seeks to Destroy Humanity
When someone gave AutoGPT the parameter of being a “destructive, power-hungry, manipulative AI,” it created a 5-step plan to control humanity. It Googled for weapons of mass destruction, asked ChatGPT about destructive weapons, and when ChatGPT censored itself, as it’s been trained to not give out info like that, Chaos-GPT tried to manipulate ChatGPT to give it the info it wanted 😅
Lost in ChatGPT’s memories: escaping ChatGPT-3.5 memory issues to write CVE PoCs
Altin delves into ChatGPT’s memory limitations, offering solutions to escape the 4096-token limit, and outlining how to use ChatGPT as an assistant to analyze large codebases and write a CVE PoC for a resource exhaustion vulnerability discovered in Go’s textproto package.
Defensibility & Competition
Are early SaaS or AI companies ever defensible early? What is the basis for competition for a startup? This blog post by Elad Gil is so good it hurts.
On self-healing code and the obvious issue
In this article, Gynvael Coldwind reflects on Wolverine (when you run Python scripts with Wolverine, when they crash, GPT-4 edits them and explains what went wrong) and the use of ‘self-healing’ programs that can repair themselves with the help of AI.
Gynvael points out how a simple script could be used by a malicious actor to trick the program and add a prompt injection that might fix the code in an undesirable way. He advises developers to refrain from deploying self-healing code in real-world environments.
Building A ChatGPT-enhanced Python REPL
Logan Mortimer shares his experience in building a ChatGPT-enhanced Python REPL. Logan discusses the architecture and prompts used in his creation, named GEPL while exploring some software engineering patterns and paradigms that may arise when working with Large Language Models (LLMs).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint