• tl;dr sec
  • Posts
  • [tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages

[tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages

A searchable database of real-world attacks, vulns, and misconfigurations in cloud environments, Semgrep Assistant supports auto-triaging and fix suggestions using GPT-4, overview of malicious PyPi packages in 2023.

Hey there,

I hope you’ve been doing well!

Workplace Challenges

You know, sometimes you try your best to fit in with work culture, and it still doesn’t work out.

Insensitivity like that at work gits me real fired up.

Sponsor

 📢 Tailscale, a frustratingly simple VPN

Tailscale is the simple and secure way to build and manage your team’s network.

We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.

Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.

📜 In this newsletter...

  • Web Security: debugHunter, exploiting prototype pollution in Node without the filesystem

  • GitHub: ToBeReviewedBot, VS Code GitHub Actions extension, GitHub vulnerability management integrations, GitHub Copilot X: The AI-powered developer experience

  • Cloud Security: AI infra as code generator, CLI tool to more easily enumerate your AWS account, what happens when you publish your AWS Access Key to GitHub, A Guide to S3 Logging, Automate IAM credential reports for large Orgs, Exploring Amazon VPC Lattice, Pentesting AWS, Datadog's Cloud Security Atlas

  • Container Security: Deploy services to AWS ECS from docker-compose files

  • Blue Team: Check if a list of domains can be spoofed based on SPF and DMARC records, How we built DMARC Management using Cloudflare Workers

  • Supply Chain: Finding Malicious PyPi Packages in the Wild, Introducing SafeDep vet, chainloop: a software supply chain control plane, attackers have better things to do than corrupt your builds

  • Politics / Privacy: Help, My Therapist Is Also an Influencer!, Australian Parliament's Exploration of CCP's Ties to TikTok, The FBI Just Admitted It Bought US Location Data

  • Misc: Tabloid: The Clickbait Headline Programming Language, protect your time like your life

  • Machine Learning: YakGPT, D&D with ChatGPT4 as the DM, scrapeghost, Segment Anything, 6 Phases of the Post-GPT World, Existential risk, AI, and the inevitable turn in human history

Web Security

devploit/debugHunterBy Daniel Púa:
A Chrome extension that scans websites for debugging parameters and notifies you when it finds a URL with modified responses.

Exploiting prototype pollution in Node without the filesystem
If you’ve detected Server-Side Prototype Pollution, Portswigger’s Gareth Heyes describes how to use the --import CLI flag in Node to execute arbitrary code without requiring a local file. There’s also a learning lab to practice on.

Sponsor

 📢 Attacks can happen anywhere. So, Cloudflare is everywhere.

Your workers, applications, and data are now everywhere. Your security should be too. That's why Cloudflare has taken a fundamentally different approach – a unified platform, powered by an intelligent global network that sees and stops 136 billion threats per day. With over 25 security services delivered on a single control plane, you can strengthen and simplify security everywhere you do business.

GitHub

tailscale/ToBeReviewedBot
A GitHub App to watch for PRs merged without a reviewer approving, by Tailscale.

Announcing the GitHub Actions extension for VS Code
he official GitHub Actions VS Code extension provides support for authoring and editing workflows, and helps you manage workflow runs without leaving your IDE.

Introducing GitHub vulnerability management integrations for security professionals
GitHub now supports integration with the following vulnerability management providers: Brinqa, Kenna Security, Nucleus, and Threadfix.

  • Auto-generate PR description text based on code changes. Automatically warn if you’re missing sufficient testing for a pull request and then suggest potential tests.

  • GitHub Copilot Chat: ChatGPT-like experience in your editor. Get in-depth analysis and explanations of what code blocks are intended to do, generate unit tests, and even get proposed fixes to bugs. Can also just use your voice.

  • Use a chat interface to ask docs questions.

  • Copilot for CLI

Cloud Security

gofireflyio/aiac
AI Infrastructure as Code generator, by Firefly.

oguzhan-yilmaz/balcony By Oğuzhan Yılmaz:
Effortlessly enumerate your AWS Account with Balcony - a CLI tool that utilizes the AWS API and automatically populates required parameters.

Public Access Key - 2023
Chris Farris walks through the timeline of what happened when he intentionally published an AWS Access Key and its secret to GitHub.

A Guide to S3 Logging
Rami McCarthy on what you should do about S3 logging, comparing S3 logs (data events vs server access logs), working with Server Access Logs, and more.

Automate IAM credential reports for large AWS Organizations
How to automate IAM credential reports in AWS Organizations with many accounts. The reports list all AWS IAM users in your accounts and the status of their credentials, including passwords, access keys, and MFA devices.

Exploring Amazon VPC
LatticeIan Mckay walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall. VPC Lattice is a service that enables you to connect clients to services within a VPC.

Welcome to the Jungle: Pentesting AWS
Presentation by Black Hills Information Security’s Mike Felch on:

  1. Adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources.

  2. Exploitation, lateral movement, and privilege escalation methodology for those looking to get their start with AWS penetration tests.

  3. Tool release to help extract the discovered vulnerabilities and generate boilerplate language for the report.

Identify and remediate common cloud risks with the Datadog CloudSecurity Atlas
DataDog’s Andrew Krug and Christophe Tafani-Dereeper announce Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments. You can search and filter on your cloud provider platform, risk type, and sort by impact, exploitability, and recency.

Container Security

ECS Compose-X
Easily deploy your services to AWS ECS from your docker-compose files.

Blue Team

MattKeeley/Spoofy
A program that checks if a list of domains can be spoofed based on SPF and DMARC records, by Matt Keeley.

How we built DMARC Management using Cloudflare Workers
Cloudflare’s André Cruz and Nelson Duarte describes how Cloudflare’s new DMARC management was built, using Workers, R2, and other Cloudflare platform features. Cloudflare Workers seem neat, I keep meaning to play around with them more.

Supply Chain

Finding Malicious PyPi Packages in the Wild
Insomni’Hack presentation by Christophe Tafani-Dereeper and Vladimir de Turckheim that provides an overview of malicious software packages in 2023 and approaches to detect them, describes GuardDog, their open source tool to detect malicious packages, and findings from continuously scanning PyPI. 900+ malicious package dataset here.

Introducing SafeDep vet 🚀
Madhu Akula and Abhisek Datta announce vet, a tool for identifying risks in open source software supply chains that lets you define organizational “policy as code” and enforce it in CI/CD.

chainloop-dev/chainloop
An open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. With Chainloop, SecOps teams can declaratively state the attestation and artifacts expectations for their organization’s CI/CD workflows, while also resting assured that latest standards and best practices are put in place.

Attackers have better things to do than corrupt your builds
Kelly Shortridge argues that exploiting a vulnerability in your build pipeline is not the most effective action for an attacker, as if they have that access they can do other things. Nice discussion of attack paths and the importance of understanding build processes as a security professional.

Much of what we seek from a security perspective is enveloped by reliability. Security is ultimately a subset of software quality. This is a lesson that more security professionals should heed, especially those that protest that software engineers “don’t care about security.”

Instead of barking up errant trees, security professionals should seek opportunities to invest in reliability with auxiliary security benefits so everyone wins.

Politics / Privacy

Help, My Therapist Is Also an Influencer!
What happens when your therapist uses your session as inspiration for their growing TikTok following?

Australian Parliament’s Exploration of CCP’s Ties to TikTok
The 113-page doc details the CCP’s controls and its surveillance and propaganda aims, which contradict TikTok’s public statements. From the executive summary:

The FBI Just Admitted It Bought US Location Data
So they didn’t have to obtain a warrant.

The Department of Homeland Security, for one, is reported to have purchased the geolocations of millions of Americans from private marketing firms. In that instance, the data were derived from a range of deceivingly benign sources, such as mobile games and weather apps. Beyond the federal government, state and local authorities have been known to acquire software that feeds off cellphone-tracking data.

H/T Zack Whittaker for the meme.

Misc

Tabloid: The Clickbait Headline Programming Language
A Turing-complete programming language for writing programs in the style of clickbait news headlines 🤣

Machine Learning

YakGPT
A simple, locally running ChatGPT UI.

scrapeghost
An experimental library for scraping websites using OpenAI’s GPT.

Segment Anything
A new AI model from Meta AI that can “cut out” any object, in any image, with a single click.We put GPT-4 in Semgrep to point out false positives & fix coder2c’s Bence Nagy describes the newly launched Semgrep Assistant, which provides automated recommendations for triaging findings and suggested code remediations, using Semgrep + GPT-4.

6 Phases of the Post-GPT World
What Daniel Miessler thinks is coming as a result of connecting GPT-4 to the Internet: companies and people become models/APIs, AI assistants, content authentication, knowledge work replacement, and the creativity explosion.

Existential risk, AI, and the inevitable turn in human history
Tyler Cowen argues that we should move forward with AI, and that in some ways it’s inevitable anyway.

For my entire life, and a bit more, there have been two essential features of the basic landscape:

In other words, virtually all of us have been living in a bubble “outside of history.”

Hardly anyone you know, including yourself, is prepared to live in actual “moving” history. It will panic many of us, disorient the rest of us, and cause great upheavals in our fortunes, both good and bad.

The reality is that no one at the beginning of the printing press had any real idea of the changes it would bring. No one at the beginning of the fossil fuel era had much of an idea of the changes it would bring. No one is good at predicting the longer-term or even medium-term outcomes of these radical technological changes.

Astral Codex Ten argues why this is a bad way to look at it. Tyler Cowen’s reply.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint