[tl;dr sec] #175 The Future of Security Engineering, Awesome Kubernetes Threat Detection, ChatGPT Plugins

Hey there,

I hope you’ve been doing well!

Reflections on Machine Learning

I’ve noticed that recently Machine Learning has unintentionally become a regular section in tl;dr sec. I hope you find it interesting and not annoying 😅

I’ve long been an AI skeptic (and even wrote about it), as I felt many vendors drastically overclaimed how powerful AI made their product, or the companies where “AI” was really low-cost analysts in another country.

I still don’t think AI is a silver bullet, but the amazing advances (and rate of improvement) over the past year or two, to me, makes it impossible to ignore.

The explosion of tools, single-purpose AI driven websites, integration into existing apps, and more does feel a bit like the Renaissance, or the early days of the Internet, or some other period in which creativity flourished.

What a time to be alive.

Conferences

BSidesSF
One of my favorite conferences is coming up soon– April 22-23 (right before RSA). If you’re going to be in town, I highly recommend checking it out. I’ll be there, come say hi 😀 

The Diana Initiative 2023
A one day hacker conference dedicated to creating a more inclusive infosec industry, taking place Monday August 7, 2023 to kick off Hacker Summer Camp. Their CFP is still open and tickets are on sale. If your company is interested in increasing diversity in the infosec industry, consider sponsoring.

Web Security

glebarez/padre
An advanced exploiter for Padding Oracle attacks against CBC mode encryption, by @blegmore.

Write-up of an account takeover vulnerability affecting ChatGPT
By Nagli: tl;dr: steal their JWT via web cache deception. Nice walkthrough. This would let you takeover someone’s account, view their chat history, and access their billing information without them ever realizing it.

The Bug Hunter’s Methodology Live
My bud Jason Haddix will be teaching the course live July 15-16 and another weekend. Jason’s Bug Hunter Methodology talks have been some of my favorites, cool to see them extended into a course. Also, I’m really stoked that Jason has started a newsletter (Executive Offense), that I immediately signed up for.

AppSe

morpheuslord/GPT_Vuln-analyzer
Tool by Chiranjeevi G that uses the ChatGPT API and Python-Nmap module to create vulnerability reports based on Nmap scan data.

Harnessing the Hive Mind: How Semgrep and Nuclei Are Shaping the Future of Security Engineering
This post by Travis Biehn is an excellent overview of the benefits of open source security tooling, modern security engineering, and where things are headed.

Cloud Security

aws-samples/amazon-cognito-passwordless-auth
Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn), Magic Link, SMS OTP Step Up.

Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide
By Yan Cui. See also: implementing passwordless authentication using one-time passwords (OTPs) using Cognito.

Using Service Control Policies to protect security baselines
Wiz’s Scott Piper illustrates a specific use case of SCPs that protects the security baseline, or landing zone, configuration you’ve created for accounts.

jhaddix/awsScrape
A tool by Jason Haddix to scrape SSL certificates from all AWS IP ranges, searching for specific keywords in the certificates’ Common Name (CN), Organization (O), and Organizational Unit (OU) fields.

kamranahmedse/aws-cost-cli
By Kamran Ahmed: CLI tool to perform cost analysis on your AWS account, with Slack integration.

Serverless Domain Hunting: Track Newly Registered Domains With Ease
How to set up Lambdas that continuously poll for newly registered domains to detect potential phishing or other malicious domains.

Container Security

jatrost/awesome-kubernetes-threat-detection
A curated list of resources about detecting threats and defending Kubernetes systems by Databricks’ Jason Trost.

Fun with SSRF - Turning the Kubernetes API Server into a port scanner
Datadog’s Rory McCune shows how to leverage existing functionality on Kubernetes to perform scans from the perspective of the API server using validating admission webhooks (PoC).

Top 15 Kubectl plugins for security engineers
By Sysdig’s Nigel Douglas. Stern plugin, RBAC-tool, Cilium Plugin, Kube Policy Advisor, Kubectl-ssm-secret, Kubelogin, Kubectl-whisper-secret, Kubectl-capture, Kubectl-trace, Access-matrix, Rolesum, Cert-manager, np-viewer, ksniff, Inspektor-Gadget.

Blue Team

jatrost/awesome-detection-rules
A collection of threat detection rules / rules engines by Databricks’ Jason Trost, including Yara, Sigma, Falco, Zeek, Snort/Suricata, Splunk, and more.

cisagov/untitledgoosetool
By CISA: A robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.

Introducing Microsoft Security Copilot
Basically you can use a ChatGPT-esque command prompt to query your infrastructure/SIEM/etc. during incident response, threat hunting, security reporting, and more. The demo video is worth watching, and includes asking the system to reverse engineer a malicious Powershell script and create a visual diagram of what it does. Very cool.

Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
Mandiant’s James Sadowski and Casey Charrier share interesting trends and A+ song references in section titles.

• 55 0days exploited in 2022, which was lower than the 81 in 2021, but still ~3X the number from 2020.

• Chinese state-sponsored cyber espionage groups exploited the most 0days, which is consistent with previous years.

• Four were exploited by financially motivated threat actors, 3/4 linked to ransomware operations.

• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years.

• Most exploited product types: operating systems (19), browsers (11), security, IT, and network management products (10), and mobile OS (6).

Misc

Make a PDF look like it was manually scanned
Using a quick shell script.

“Lots of cyber security companies are going to fail this year.”
Thread by GreyNoise’s Andrew Morris on how money becoming”expensive” will affect security start-ups, and what to do about it.

Star Wars as a Scrolling Infographic
Pretty neat.

The Last Question
Famed SciFi writer Isaac Asimov averaged a new magazine article, short story, or book every two weeks for 50 years. This was his favorite short story.

multiprocessio/dsq
Commandline tool for running SQL queries against JSON, CSV, Excel, Parquet, and more, by Multiprocess Labs.

Machine Learning 

ChatGPT Plugins
Language models can now search the Internet, run computations, and use third-party services. Very cool and incredibly powerful, the demos are worth watching.

antimatter15/alpaca.cpp
Run a fast ChatGPT-like model locally on your device. This combines the LLaMA foundation model (from Facebook) with an open reproduction of Stanford Alpaca, a fine-tuning of the base model to obey instructions.

Cheating is All You Need
When Steve Yegge blogs, it’s worth reading. He shares stories of how things that start as a small demo (e.g. AWS, Kubernetes, talking to someone over the Internet) can become massive, shares a nice overview about LLMs, discusses productivity improvements, and more.

Hello Dolly: Democratizing the magic of ChatGPT with open models

Sam Altman: OpenAI CEO on GPT-4, ChatGPT, and the Future of AI | Lex Fridman Podcast
A discussion very much worth listening to, on GPT-4, bias, AI safety, Artificial General Intelligence, and more.

The secret history of Elon Musk, Sam Altman, and OpenAI
In 2018, Musk wanted to take control of OpenAI and run it, but when Altman and other founders rejected that proposal he left, and didn’t donate the large sum of money he said he would. Interestingly, Altman has no equity in OpenAI.

“Secret” ChatGPT plugins leaked via the API
rez0 shares what he found.

From the founder of HashiCorp.

Response Shaping: How to Move from AI “Prompts” to AI Whispering
Actionable and concrete tips by Daniel Miessler on how to get consistently high-quality results from the AIs you interact with.

See also Prompt Engineering 
by OpenAI’s Lilian Weng.

The Age of AI has begun
Long post by Bill Gates on why he believes AI is as revolutionary as mobile phones and the Internet, his thoughts on applications in education, healthcare, climate change, workplace productivity, and more.

The Prospect of an AI Winter
Are we in an AI bubble? Erich Grunewald walks through potential critiques, like Moore’s Law is slowing down, chip production is centralized and reaching physical limits, could AI applications be unprofitable, could they run out of data to train on, etc.

Big tech and the pursuit of AI dominance
Nice overview of Apple, Meta, Microsoft, Alphabet, and Amazon’s job listings, acquisitions, investments, etc. in AI.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint