[tl;dr sec] #155 - Understanding IAM, Autogenerate Art from Blog Post, Attacking Closed DNS Resolvers
Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure Kaminsky style.
I hope you’ve been doing well!
Saving the World 🦸
This week, on #PeakBayArea.
Even more than making money or being profitable, it’s key for Bay Area tech companies to have a grand vision.
Regardless of whether you’re getting third world kids clean water or, more likely, improving ad targeting, it’s essential to disrupt and, as Silicon Valley rightly skewered, make the world a better place.
But it’s not just tech companies that need to Be The Change. It’s everyone.
Does your milk provide calcium and other healthy vitamins and minerals?
Weak. You gotta get on this milk that embodies environmental leadership or directly fights climate change, as you drink it!!
📢 2022 Cloud-Native Threats
As organizations move to cloud, cyberattackers have followed. While motives haven’t changed, techniques have - cryptojacking, supply chain threats and geopolitical hacktivism.
Did you know that for a cryptojacker to make $1, it costs the victim $53 in cloud bills?
Read Sysdig’s blog for more insights and analysis on:
Notorious cloud adversary: TeamTNT
Supply chain attacks against containers
Geopolitical conflict influences on attacker behavior
📜 In this newsletter...
AppSec: How to plan an SMS migration, you can brute force version 1 GUIDs, write Semgrep rules to quickly verify ideas
Web Security: Generate an API client from OpenAPI, open source API security platform, DNS attacks on closed resolvers
Cloud Security: Clean up unused AWS access keys, compute cost calculator, AWS permission boundaries for dummies, diving deeply into IAM policy evaluation
Blue Team: Cloned website canarytoken, on trust and transparency in detection, stopping vulnerable driver attacks
Politics / Privacy: Kanye buys Parler, UK spy chief says China's tech manipulations threaten all
Machine Learning: GitHub Copilot lawsuit, prompt engineering resources, public database of AI generated images, Google project to generate video from text, automatically generate AI art using your own blog content, Microsoft product to use AI for social media graphics
Misc: Super Mario Bros movie, meme search engine, archery tag, a vision for OWASP's future
How to plan an SMS MFA migration that affects thousands of users
Twilio’s Jordan Kohl describes how they handled a tricky migration, including dealing with an external API and constantly changing production database, in a way that doesn’t lock out users.
In GUID We Trust
Intruder’s Daniel Thatcher describes how you can brute force version 1 GUIDs if you know the approximate time the GUID was generated, as well as the node ID and clock sequence of the generating system. When such GUIDs are used as password reset tokens, for example, this can lead to account takeover.
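The predictability Daniel describes comes from the fields a version 1 GUID exposes. The following added example (not from the article) uses Python’s standard uuid module to pull those fields out of a token and to flag a batch of reset tokens that all come from one node and clock sequence; the sample tokens are constructed locally.

```python
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def v1_fields(token: str) -> Optional[Dict[str, object]]:
    """Return the components a guesser needs from a version 1 UUID, or None if not a v1 UUID."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return None
    if u.version != 1:
        return None
    unix_ticks = u.time - UUID_EPOCH_OFFSET
    generated_at = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks / 10)
    return {
        "generated_at": generated_at,  # 100-ns resolution timestamp of generation
        "node": f"{u.node:012x}",       # 48-bit node ID, typically the host's MAC address
        "clock_seq": u.clock_seq,      # 14-bit sequence, constant until the clock goes backwards
    }


def tokens_share_generator(tokens: Iterable[str]) -> bool:
    """True when two or more observed tokens are v1 UUIDs from the same node and clock sequence:
    only the generation time is then unknown, which is the weakness the article describes."""
    infos = [f for f in map(v1_fields, tokens) if f is not None]
    if len(infos) < 2:
        return False
    return len({(f["node"], f["clock_seq"]) for f in infos}) == 1


def make_v1_token(node: int, clock_seq: int) -> str:
    """Constructed sample: mint a v1 UUID the way a naive reset-token generator would."""
    return str(uuid.uuid1(node=node, clock_seq=clock_seq))


if __name__ == "__main__":
    samples = [make_v1_token(0x001122334455, 0x123) for _ in range(3)]  # constructed
    for t in samples:
        print(t, v1_fields(t))
    print("guessable:", tokens_share_generator(samples))
```

Run this against a handful of tokens your application actually issues: if it prints `guessable: True`, the tokens should be replaced with random ones (e.g. from `secrets.token_urlsafe`).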
Semgrep: Writing quick rules to verify ideas
GitLab’s Dominic Couture makes the case for using Semgrep to quickly write disposable rules that validate an idea while reviewing code. His example: finding GET routes that contain state-changing functionality, which frameworks often don’t protect against by default. Using this approach, he found and reported a real CSRF issue in Kibana!
A CLI tool for generating an API client to call any OpenAPI described API. The goal is to eliminate the need to take a dependency on a different API SDK for every API that you need to call. Kiota API clients provide a strongly typed experience with all the features you expect from a high quality API SDK, but without having to learn a new library for every HTTP API.
Endpoint Discovery - Scans network traffic and creates an inventory of every API endpoint.
Sensitive Data Scanning - Each endpoint is scanned for PII data and given a risk score.
Vulnerability Discovery - Get alerts for issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII data in URL params, Open API spec diffs, and more.
Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style
SEC Consult’s Timo Longin and Clemens Stockenreitner describe attacking closed DNS resolvers, which you can reach using SPF, DKIM, and DMARC. Tool release: DNS-Analysis-Server.
Diving Deeply into IAM Policy Evaluation
Ermetic’s Noam Dahan provides a great overview of the AWS re:Inforce session by AWS Sr. Solutions Architect Matt Luttrell and AWS Sr. Software Engineer for IAM Access Analyzer Dan Peebles. The talk delves into some of AWS IAM’s most arcane edge cases – and why they behave as they do. The session took a deep dive into AWS IAM internal evaluation mechanisms never shared before and revealed a new model for representing the AWS permission evaluation process. So many GIFs of flow charts 😆
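As an added example (not from the talk or from Ermetic’s post), here is a deliberately simplified evaluator that covers only same-account identity policies plus a permission boundary, with no SCPs, resource-based or session policies, and no Condition handling. It demonstrates the two rules people most often get wrong: an explicit Deny always wins, and a boundary caps permissions but never grants any. The policies are constructed samples.

```python
import fnmatch
from typing import Dict, List, Optional, Set

Policy = Dict[str, list]  # minimal policy document: {"Statement": [{"Effect", "Action", "Resource"}, ...]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM-style '*' / '?' wildcard match; action names compare case-insensitively, ARNs do not."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _effects(policy: Policy, action: str, resource: str) -> Set[str]:
    """Effects ('Allow'/'Deny') of every statement in `policy` that matches the request."""
    effects = set()
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            effects.add(stmt["Effect"])
    return effects


def is_allowed(action: str, resource: str, identity_policies: List[Policy],
               permission_boundary: Optional[Policy] = None) -> bool:
    """Simplified same-account evaluation: an explicit Deny in any consulted policy wins; otherwise an
    identity policy must Allow, and an attached boundary must Allow too (a boundary never grants by itself)."""
    consulted = list(identity_policies) + ([permission_boundary] if permission_boundary else [])
    if any("Deny" in _effects(p, action, resource) for p in consulted):
        return False
    identity_allows = any("Allow" in _effects(p, action, resource) for p in identity_policies)
    if permission_boundary is None:
        return identity_allows
    return identity_allows and "Allow" in _effects(permission_boundary, action, resource)


# Constructed sample policies: a developer role that is broader than the boundary attached to it.
DEVELOPER_POLICY: Policy = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"},
]}
BOUNDARY: Policy = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
```

With these samples, `iam:CreateUser` is allowed by the identity policy alone but refused once the boundary is attached, and `s3:DeleteBucket` is refused by the boundary’s explicit Deny even though both documents contain `s3:*`.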
📢 Drop that Cloud Zero for a Cloud Hero!
We at Permiso love our bold statements and definitely our 90s references (can you guess it?). Do you have an army of cloud heroes building detections and responding to cloud breaches in your environment? If so, then we’re not the solution for you!
However, if you need help from experts who know how to find “evil” in cloud, we’re your Cloud Heroes! If you don’t believe us, just check out our research and disclosures on our blog to get a glimpse of our unique insights and why we’re the Cloud Heroes for you! We’re also offering a free Cloud Compromise Assessment with no strings attached (except maybe talking to one of our CEOs!). If you just want to reminisce about the 90s, that’s fair game too!
Cloned Website Token
On Trust and Transparency in Detection
Interesting reflections by Anton Chuvakin and Oliver Rochford on the history and future of detection logic being transparent, explainability vs understandability, accuracy, and more.
Stopping Vulnerable Driver Attacks
Ransomware actors are leveraging vulnerable drivers to tamper with endpoint security products. Elastic’s Joe Desimone describes how Elastic Security has released 65 YARA rules to detect vulnerable driver abuse.
Politics / Privacy
Ye, formerly known as Kanye West, to acquire Parler platform
Kanye was recently booted from Twitter for antisemitic comments. Also, is this real life?
GitHub Copilot investigation
Description of a lawsuit being filed against GitHub Copilot, claiming it violates its legal duties to open-source authors and end users.
Explore AI generated designs, images, art and prompts by top community artists and designers. Some seriously cool photos.
New release from Google Research’s Brain Team that generates video from a text description.
Generate AI Art Using Your Own Writing
Super cool post by Daniel Miessler that describes how to take the text of a blog post, auto-summarize it into a prompt (for DALL-E 2, Stable Diffusion, Midjourney), and then use the prompt to generate art for the post. Such a neat read.
Microsoft Designer - Create stunning designs in a flash
New product by Microsoft aimed at making it easier to create graphics for social media and other everyday uses, powered by DALL-E 2. You can generate a totally custom image, or start from a template or stock image, add your own content (photo, logo, messaging), and more.
Also, everybody needs to relax sometimes.
The Super Mario Bros. Movie - Official Teaser Trailer
It’s-a me, franchise money-oh!
Search millions of memes from across the web in seconds. You can search by text in the meme, or by providing a meme you want to find similar memes to.
Last week I called out DodgeBow, and lamented that it’s only in Montreal. Soon after, Rami McCarthy let me know about Archery Tag, which appears to be a similar idea, with many more locations!
My Manifesto for the OWASP Board Election
Mark Curphey paints an interesting picture for where OWASP could head. I’m not endorsing (or not endorsing) these points, but in general, I like people dreaming big. Mark recommends:
Changing the funding model - instead of running mostly on personal membership fees, raise money from large corporate sponsors and government grants, like the CNCF and OSSF.
Creating an OWASP Investment Fund - Invest like a VC in companies built around OWASP projects.
Clarifying the mission statement, reducing bureaucracy, clarifying community values, and more.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!