[tl;dr sec] #175 The Future of Security Engineering, Awesome Kubernetes Threat Detection, ChatGPT Plugins
The power of open source, flexible tooling, k8s detection resources, ChatGPT just got a whole lot more powerful.
I hope you’ve been doing well!
Reflections on Machine Learning
I’ve noticed that recently Machine Learning has unintentionally become a regular section in tl;dr sec. I hope you find it interesting and not annoying 😅
I’ve long been an AI skeptic (and even wrote about it), as I felt many vendors drastically overclaimed how powerful AI made their product, or the companies where “AI” was really low-cost analysts in another country.
I still don’t think AI is a silver bullet, but the amazing advances (and rate of improvement) over the past year or two, to me, makes it impossible to ignore.
The explosion of tools, single-purpose AI driven websites, integration into existing apps, and more does feel a bit like the Renaissance, or the early days of the Internet, or some other period in which creativity flourished.
What a time to be alive.
📢 The First Security Communications Center of Excellence
Discernible is a multidisciplinary team with a single mission: to make your security team the most effective communicators in your company. Why? Because effective communicators drive behavior, earn influence, and get things done.
We’re a one-stop-shop for addressing all of your communication challenges including board presentations, conference CFPs and public speaking, customer support, and external Trust Centers. Looking for a regular cadence of technical blog posts authored by your team or an updated plan for IR communications? We do that. All of it.
Trusted by security teams at Twilio, Yahoo, and Trail of Bits.
📜 In this newsletter...
Conferences: BSidesSF, The Diana Initiative 2023
Web Security: Exploit padding oracle issues, write-up of an account takeover vulnerability affecting ChatGPT, The Bug Hunter's Methodology Live
AppSec: GPT + nmap, How Semgrep and Nuclei Are Shaping the Future of Security Engineering
Cloud Security: amazon-cognito-passwordless-auth, Implementing Magic Links with Amazon Cognito, Using Service Control Policies to protect security baselines, scrape SSL certs from AWS IP ranges, aws-cost-cli, serverless infra to track newly registered domains
Container Security: Awesome k8s threat detection, turning the Kubernetes API Server into a port scanner, top 15 kubectl plugins for security engineers
Blue Team: awesome-detection-rules, CISA's untitledgoosetool, Introducing Microsoft Security Copilot, 2022 Zero-Day Exploitation Trends
Misc: Make a PDF look like it was manually scanned, "Lots of cyber security companies are going to fail this year", Star Wars as a Scrolling Infographic, The Last Question, CLI tool to query JSON, CSV and more
Machine Learning: ChatGPT Plugins, run a fast ChatGPT-like model locally on your device, Cheating is All You Need, Democratizing the magic of ChatGPT with open models, Sam Altman on Lex Fridman Podcast, The secret history of Elon Musk, Sam Altman, and OpenAI, "Secret" ChatGPT plugins leaked via the API, How to Move from AI “Prompts” to AI Whispering, The Age of AI has begun, The Prospect of an AI Winter, Big tech and the pursuit of AI dominance
One of my favorite conferences is coming up soon– April 22-23 (right before RSA). If you’re going to be in town, I highly recommend checking it out. I’ll be there, come say hi 😀
The Diana Initiative 2023
A one day hacker conference dedicated to creating a more inclusive infosec industry, taking place Monday August 7, 2023 to kick off Hacker Summer Camp. Their CFP is still open and tickets are on sale. If your company is interested in increasing diversity in the infosec industry, consider sponsoring.
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.
Write-up of an account takeover vulnerability affecting ChatGPT
By Nagli: tl;dr: steal their JWT via web cache deception. Nice walkthrough. This would let you takeover someone’s account, view their chat history, and access their billing information without them ever realizing it.
The Bug Hunter’s Methodology Live
My bud Jason Haddix will be teaching the course live July 15-16 and another weekend. Jason’s Bug Hunter Methodology talks have been some of my favorites, cool to see them extended into a course. Also, I’m really stoked that Jason has started a newsletter (Executive Offense), that I immediately signed up for.
Harnessing the Hive Mind: How Semgrep and Nuclei Are Shaping the Future of Security Engineering
This post by Travis Biehn is an excellent overview of the benefits of open source security tooling, modern security engineering, and where things are headed.
Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn), Magic Link, SMS OTP Step Up.
Using Service Control Policies to protect security baselines
Wiz’s Scott Piper illustrates a specific use case of SCPs that protects the security baseline, or landing zone, configuration you’ve created for accounts.
A tool by Jason Haddix to scrape SSL certificates from all AWS IP ranges, searching for specific keywords in the certificates’ Common Name (CN), Organization (O), and Organizational Unit (OU) fields.
Serverless Domain Hunting: Track Newly Registered Domains With Ease
How to set up Lambdas that continuously poll for newly registered domains to detect potential phishing or other malicious domains.
Fun with SSRF - Turning the Kubernetes API Server into a port scanner
Datadog’s Rory McCune shows how to leverage existing functionality on Kubernetes to perform scans from the perspective of the API server using validating admission webhooks (PoC).
Top 15 Kubectl plugins for security engineers
By Sysdig’s Nigel Douglas. Stern plugin, RBAC-tool, Cilium Plugin, Kube Policy Advisor, Kubectl-ssm-secret, Kubelogin, Kubectl-whisper-secret, Kubectl-capture, Kubectl-trace, Access-matrix, Rolesum, Cert-manager, np-viewer, ksniff, Inspektor-Gadget.
By CISA: A robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Introducing Microsoft Security Copilot
Basically you can use a ChatGPT-esque command prompt to query your infrastructure/SIEM/etc. during incident response, threat hunting, security reporting, and more. The demo video is worth watching, and includes asking the system to reverse engineer a malicious Powershell script and create a visual diagram of what it does. Very cool.
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
Mandiant’s James Sadowski and Casey Charrier share interesting trends and A+ song references in section titles.
55 0days exploited in 2022, which was lower than the 81 in 2021, but still ~3X the number from 2020.
Chinese state-sponsored cyber espionage groups exploited the most 0days, which is consistent with previous years.
Four were exploited by financially motivated threat actors, 3/4 linked to ransomware operations.
Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years.
Most exploited product types: operating systems (19), browsers (11), security, IT, and network management products (10), and mobile OS (6).
Make a PDF look like it was manually scanned
Using a quick shell script.
“Lots of cyber security companies are going to fail this year.”
Thread by GreyNoise’s Andrew Morris on how money becoming”expensive” will affect security start-ups, and what to do about it.
Star Wars as a Scrolling Infographic
The Last Question
Famed SciFi writer Isaac Asimov averaged a new magazine article, short story, or book every two weeks for 50 years. This was his favorite short story.
Language models can now search the Internet, run computations, and use third-party services. Very cool and incredibly powerful, the demos are worth watching.
Run a fast ChatGPT-like model locally on your device. This combines the LLaMA foundation model (from Facebook) with an open reproduction of Stanford Alpaca, a fine-tuning of the base model to obey instructions.
Cheating is All You Need
When Steve Yegge blogs, it’s worth reading. He shares stories of how things that start as a small demo (e.g. AWS, Kubernetes, talking to someone over the Internet) can become massive, shares a nice overview about LLMs, discusses productivity improvements, and more.
Sam Altman: OpenAI CEO on GPT-4, ChatGPT, and the Future of AI | Lex Fridman Podcast
A discussion very much worth listening to, on GPT-4, bias, AI safety, Artificial General Intelligence, and more.
The secret history of Elon Musk, Sam Altman, and OpenAI
In 2018, Musk wanted to take control of OpenAI and run it, but when Altman and other founders rejected that proposal he left, and didn’t donate the large sum of money he said he would. Interestingly, Altman has no equity in OpenAI.
From the founder of HashiCorp.
Response Shaping: How to Move from AI “Prompts” to AI Whispering
Actionable and concrete tips by Daniel Miessler on how to get consistently high-quality results from the AIs you interact with.
The Age of AI has begun
Long post by Bill Gates on why he believes AI is as revolutionary as mobile phones and the Internet, his thoughts on applications in education, healthcare, climate change, workplace productivity, and more.
The Prospect of an AI Winter
Are we in an AI bubble? Erich Grunewald walks through potential critiques, like Moore’s Law is slowing down, chip production is centralized and reaching physical limits, could AI applications be unprofitable, could they run out of data to train on, etc.
Big tech and the pursuit of AI dominance
Nice overview of Apple, Meta, Microsoft, Alphabet, and Amazon’s job listings, acquisitions, investments, etc. in AI.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!