Hey there,
I hope you’ve been doing well!
Life Advice from VCs
This week I found myself at a dinner with a few VCs, founders, and other tech folks.
The conversation ranged from strangest start-up pitch (one founder who, wanting to remain anonymous, entered and remained in a mask throughout their pitch) to the origin of IPA beers.
At one point the conversation turned to relationship and life advice. Most of these will likely ring true, but I bet The Last One Will Shock You™.
- Be with someone who makes the boring day-to-day stuff fun (e.g. grocery shopping or laundry).
- If you meet your partner’s friends and you don’t like any of them. Who your partner chooses to spend time with is indicative of who they are, and you’re going to have to spend time with their friends.
- If your partner has a close relationship with their parents and received a lot of love growing up.
- In life, Happiness = Expectations / Reality
Finally, this incredibly friendly Brazilian woman shared some advice that I hope you never have to use:
If someone asks you where you want to get kidnapped, Brazil or the U.S., definitely choose Brazil.
Why? Kidnapping in Brazil is purely economic, you’re going to exchange some money then get out fine.
In the U.S., it’s going to be about emotion, and the person may have some sort of mental illness, and you may end up… *chopping motions with hands*.
There you have it- never let it be said that tl;dr sec doesn’t also give you practical street smarts
Sponsor
📢 5 best practices for securing Kubernetes runtime workloads
A comprehensive Kubernetes security strategy requires a defense-in-depth approach that is able to detect attacks in-progress, unusual behavior, and attempts to exploit misconfigurations or vulnerabilities in running clusters.
While hardening Kubernetes workload configuration or Kubernetes Role-Based Access Controls (RBAC) is a necessary best practice, it’s just the tip of the iceberg when securing Kubernetes clusters.
Learn best practices for securing Kubernetes runtime workloads in this article by Lacework®, the leader in cloud security that keeps you secure from code to cloud.
Read 5 best practices for securing Kubernetes
In this newsletter...
- AppSec: Catching XXE bugs in Java with Semgrep taint labels, Mitigating Risky PRs with Monocle Risk Advisor
- Web Security: AngularJS gadget to bypass CSP in Piwik PRO, the dangers of not specifying the right Content-Type
- Cloud Security: AWS Nitro System API & Security Claims, An Adventure in Google Cloud threat detection, The Service Mesh Landscape, Awesome CloudSec Labs, My Love/Hate Relationship with Cloud Custodian
- Container Security: K8s operator for creating temporary resources, PrivEsc in EKS
- Blue Team: You can now use passkeys on your personal Google Account, Living Off The Land Drivers, Tailscale now supports network flow logs and log streaming
- Red Team: Building a Red Team Infrastructure in 2023, Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting
- Politics / Privacy: Chinese hackers outnumber FBI cyber agents by 'at least 50 to 1'
- Machine Learning: How to build a tool-using agent with LangChain, Hackers are increasingly using ChatGPT lures to spread malware on Facebook, FTC Chair says she’s on alert for AI violating antitrust or consumer protection laws, Google "We Have No Moat, And Neither Does OpenAI", The Spherical Cow of ML Security
- Misc: The best picket signs of the Hollywood writers' strike, the best five books on any topic, eBPF for beginners
AppSec
Catching XXE bugs in Java with Semgrep taint labels
Great detailed video by Pieter De Cremer. See also Pieter’s videos:
- Transforming code with Semgrep autofixes
- Trying out the new Semgrep syntax - which has such a delightful thumbnail

Mitigating Risky Pull Requests with Monocle Risk Advisor
David Trejo discusses how Chime has introduced guardrails and security control checks in their GitHub PR workflow in a tool called Monocle Risk Advisor. Risk Advisor makes it easy for their auditors to track deviations from controls, and these are tracked as tickets in Jira. OPA is used to implement checks.

Sponsor
📢 Tailscale, a frustratingly simple VPN
Tailscale is the simple and secure way to build and manage your team’s network.
We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.
Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.
Use Tailscale for free
Web Security
Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
PortSwigger’s Gareth Heyes discusses an AngularJS gadget that could be exploited as a CSP bypass in Piwik PRO, which could be turned into XSS if chained with an HTML injection.
Odoo: Get your Content Type right, or else!
Dennis Brinkrolf and Thomas Chauchefoin from Sonar Source discuss the security implications of the Content-Type header returned by web applications and discuss an XSS discovered in Odoo that resulted from a misconfigured Content-Type header set on an API endpoint.
Cloud Security
AWS Nitro System API & Security Claims
NCC’s John Redford has released a public report on an architecture review conducted on the AWS Nitro System design.
An Adventure in Google Cloud threat detection
DataDog’s Martin McCloskey and Day Johnson share common threats and exploits in Google Cloud, including techniques known to be used by threat actors (e.g. the creation or use of service account keys outside of Google Cloud) as well as likely techniques, such as data extraction via Google Cloud SQL or the creation of a privileged service account.
The Service Mesh Landscape
A comparison of various service meshes, including Linkerd, Istio, Consul, NGINX service mesh, and Network Service Mesh.
iknowjason/Awesome-CloudSec-Labs
Free cloud native security learning labs, including CTF, self-hosted workshops, guided vulnerability labs, and research labs, by SANS’s Jason Ostrom.
My Love/Hate Relationship with Cloud Custodian
Chandrapal Badshah writes about his experience using Cloud Custodian, a rules engine for cloud security, cost optimization, and governance. Chandrapal highlights its ability to detect misconfigurations in near-real-time or at periodic intervals and auto-mitigate those issues thanks to the customizable detection rules engine, while remaining cost-effective.
Areas for improvement: lack of documentation, and it's difficult to create custom notification messages.
Container Security
NCCloud/mayfly
A Kubernetes operator that enables you to create temporary resources on the cluster that will expire after a certain period of time, by Namecheap.
Privilege escalation in AWS Elastic Kubernetes Service (EKS)
Calif’s An Trinh on achieving privilege escalation from a compromised pod in EKS and how to defeat Kubernetes NodeRestriction, a security mechanism enabled by default on all EKS versions.
Sponsored Tool
📢 Salesforce Community site data leaks persist. Is your Salesforce instance secure?
Krebs on Security reported that significant Salesforce data leaks have exposed numerous customers’ sensitive data hosted in Salesforce Community websites. Since Krebs shared his findings, AppOmni Labs has noted a 300+% spike in threat activity on Salesforce Community sites and other major SaaS apps.
To help keep Salesforce data secure, AppOmni has launched a free Salesforce Community Cloud Scanner. AppOmni will evaluate your Salesforce instances for misconfigurations and data exposure risks, reveal if the recently disclosed issues are present, and provide clear steps for remediation.
Scan Your Salesforce Deployment Now
Blue Team
So long passwords, thanks for all the phish
Google’s Arnar Birgisson and Diana K. Smetters announce that you can now use passkeys on your personal Google Account, a more secure and convenient alternative to passwords and two-step verification. You can sign in by unlocking your computer or mobile device with your fingerprint, face recognition or a local PIN.
Living Off The Land Drivers
Michael Haag announces the LOLDrivers project, which aims to consolidate vulnerable and malicious Windows drivers that can be used by adversaries to bypass security controls into a single location.
Announcing network flow logs and log streaming
Tailscale’s Pouyan Aminian and Jairo Camacho announce the release of network flow logs, a new Tailscale feature that records metadata about your network traffic to assist you in monitoring network activity in your tailnet, identifying threats, investigating security incidents, troubleshooting network issues, and maintaining compliance with your network security policies.
Red Team
Building a Red Team Infrastructure in 2023
Secure Systems Engineering GMBH’s André Tschapeller explores the essential components needed for robust red teaming infrastructure. André provides an overview of the system as a whole then dives into each separate element, including the C2 infrastructure, HTTPS and DNS redirectors, and using GoPhish in conjunction with a postfix redirector for the phishing server.

Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting
RedTeam Pentesting unveils their new tool: Resocks, a reverse/back-connect SOCKS5 proxy tunnel that enables users to route traffic through an otherwise inaccessible system while ensuring the traffic is encrypted. Resocks uses mTLS and generates certificates based on a connection key to guarantee secure communication.

Politics / Privacy
Chinese hackers outnumber FBI cyber agents by “at least 50 to 1”
Says FBI Director Christopher Wray.
China has stolen more personal and corporate data from the U.S. than all other nations combined.
“A key part of the Chinese government’s multi-pronged strategy to lie, to cheat and to steal their way to surpassing us as the global superpower in cyber.”
Machine Learning
How to build a tool-using agent with LangChain
Jupyter notebook walkthrough by OpenAI on using LangChain to augment an OpenAI model with access to external tools using an agent approach: allow it to do chain of reasoning, search the Internet for answers, retain a memory of the conversation and use it as context for subsequent steps, or reference a custom knowledge base using a vectorstore like Pinecone.
Hackers are increasingly using ChatGPT lures to spread malware on Facebook
Meta has seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools, then they’d promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.
FTC Chair Lina Khan says she’s on alert for abusive A.I. use
The Federal Trade Commission is on alert for the ways that rapidly advancing artificial intelligence could be used to violate antitrust and consumer protection laws it’s charged with enforcing, Chair Lina Khan wrote in a New York Times op-ed on Wednesday.
Google “We Have No Moat, And Neither Does OpenAI”
Fascinating leaked internal Google document claims open source AI will outcompete Google and OpenAI. Very much worth reading. The timeline at the bottom is quite neat to see the pace of innovation.
Open-source models are faster, more customizable, more private, and pound-for-pound more capable. They are doing things with $100 and 13B params that we struggle with at $10M and 540B. And they are doing so in weeks, not months.
The barrier to entry for training and experimentation has dropped from the total output of a major research organization to one person, an evening, and a beefy laptop.
The Spherical Cow of ML Security
Sven Cattell shares his perspective on managing risks in a Machine Learning model, including:
- Measuring and externally auditing the model’s efficacy guarantees.
- Real-world challenges include difficulties in accurately measuring the efficacy of the ML, addressing sampling bias, and guarding against privacy issues or model theft.
- Theoretical challenges, such as adversarial examples.
Misc
The best picket signs of the Hollywood writers’ strike
About ChatGPT, good memes, and more.
Five Books
The best five books on a variety of topics, selected by experts in those areas, ranging from food to AI, science fiction, thrillers, history, and more.
lizrice/ebpf-beginners
Slides, videos, and code examples for learning eBPF, by Liz Rice.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
Thanks for reading!
Cheers,
Clint
@clintgibler