- tl;dr sec
- [tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages
[tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages
A searchable database of real-world attacks, vulns, and misconfigurations in cloud environments, Semgrep Assistant supports auto-triaging and fix suggestions using GPT-4, overview of malicious PyPi packages in 2023.
I hope you’ve been doing well!
You know, sometimes you try your best to fit in with work culture, and it still doesn’t work out.
Insensitivity like that at work gits me real fired up.
📢 Tailscale, a frustratingly simple VPN
Tailscale is the simple and secure way to build and manage your team’s network.
We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.
Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.
📜 In this newsletter...
Web Security: debugHunter, exploiting prototype pollution in Node without the filesystem
GitHub: ToBeReviewedBot, VS Code GitHub Actions extension, GitHub vulnerability management integrations, GitHub Copilot X: The AI-powered developer experience
Cloud Security: AI infra as code generator, CLI tool to more easily enumerate your AWS account, what happens when you publish your AWS Access Key to GitHub, A Guide to S3 Logging, Automate IAM credential reports for large Orgs, Exploring Amazon VPC Lattice, Pentesting AWS, Datadog's Cloud Security Atlas
Container Security: Deploy services to AWS ECS from docker-compose files
Blue Team: Check if a list of domains can be spoofed based on SPF and DMARC records, How we built DMARC Management using Cloudflare Workers
Supply Chain: Finding Malicious PyPi Packages in the Wild, Introducing SafeDep vet, chainloop: a software supply chain control plane, attackers have better things to do than corrupt your builds
Politics / Privacy: Help, My Therapist Is Also an Influencer!, Australian Parliament's Exploration of CCP's Ties to TikTok, The FBI Just Admitted It Bought US Location Data
Misc: Tabloid: The Clickbait Headline Programming Language, protect your time like your life
Machine Learning: YakGPT, D&D with ChatGPT4 as the DM, scrapeghost, Segment Anything, 6 Phases of the Post-GPT World, Existential risk, AI, and the inevitable turn in human history
Exploiting prototype pollution in Node without the filesystem
If you’ve detected Server-Side Prototype Pollution, Portswigger’s Gareth Heyes describes how to use the --import CLI flag in Node to execute arbitrary code without requiring a local file. There’s also a learning lab to practice on.
📢 Attacks can happen anywhere. So, Cloudflare is everywhere.
Your workers, applications, and data are now everywhere. Your security should be too. That's why Cloudflare has taken a fundamentally different approach – a unified platform, powered by an intelligent global network that sees and stops 136 billion threats per day. With over 25 security services delivered on a single control plane, you can strengthen and simplify security everywhere you do business.
Announcing the GitHub Actions extension for VS Code
he official GitHub Actions VS Code extension provides support for authoring and editing workflows, and helps you manage workflow runs without leaving your IDE.
Introducing GitHub vulnerability management integrations for security professionals
GitHub now supports integration with the following vulnerability management providers: Brinqa, Kenna Security, Nucleus, and Threadfix.
Auto-generate PR description text based on code changes. Automatically warn if you’re missing sufficient testing for a pull request and then suggest potential tests.
GitHub Copilot Chat: ChatGPT-like experience in your editor. Get in-depth analysis and explanations of what code blocks are intended to do, generate unit tests, and even get proposed fixes to bugs. Can also just use your voice.
Use a chat interface to ask docs questions.
Copilot for CLI
Automate IAM credential reports for large AWS Organizations
How to automate IAM credential reports in AWS Organizations with many accounts. The reports list all AWS IAM users in your accounts and the status of their credentials, including passwords, access keys, and MFA devices.
Exploring Amazon VPC
LatticeIan Mckay walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall. VPC Lattice is a service that enables you to connect clients to services within a VPC.
Adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources.
Exploitation, lateral movement, and privilege escalation methodology for those looking to get their start with AWS penetration tests.
Tool release to help extract the discovered vulnerabilities and generate boilerplate language for the report.
Identify and remediate common cloud risks with the Datadog CloudSecurity Atlas
DataDog’s Andrew Krug and Christophe Tafani-Dereeper announce Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments. You can search and filter on your cloud provider platform, risk type, and sort by impact, exploitability, and recency.
Easily deploy your services to AWS ECS from your docker-compose files.
How we built DMARC Management using Cloudflare Workers
Cloudflare’s André Cruz and Nelson Duarte describes how Cloudflare’s new DMARC management was built, using Workers, R2, and other Cloudflare platform features. Cloudflare Workers seem neat, I keep meaning to play around with them more.
Finding Malicious PyPi Packages in the Wild
Insomni’Hack presentation by Christophe Tafani-Dereeper and Vladimir de Turckheim that provides an overview of malicious software packages in 2023 and approaches to detect them, describes GuardDog, their open source tool to detect malicious packages, and findings from continuously scanning PyPI. 900+ malicious package dataset here.
Introducing SafeDep vet 🚀
Madhu Akula and Abhisek Datta announce vet, a tool for identifying risks in open source software supply chains that lets you define organizational “policy as code” and enforce it in CI/CD.
An open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. With Chainloop, SecOps teams can declaratively state the attestation and artifacts expectations for their organization’s CI/CD workflows, while also resting assured that latest standards and best practices are put in place.
Attackers have better things to do than corrupt your builds
Kelly Shortridge argues that exploiting a vulnerability in your build pipeline is not the most effective action for an attacker, as if they have that access they can do other things. Nice discussion of attack paths and the importance of understanding build processes as a security professional.
Politics / Privacy
Help, My Therapist Is Also an Influencer!
What happens when your therapist uses your session as inspiration for their growing TikTok following?
Australian Parliament’s Exploration of CCP’s Ties to TikTok
The 113-page doc details the CCP’s controls and its surveillance and propaganda aims, which contradict TikTok’s public statements. From the executive summary:
The FBI Just Admitted It Bought US Location Data
So they didn’t have to obtain a warrant.
H/T Zack Whittaker for the meme.
Tabloid: The Clickbait Headline Programming Language
A Turing-complete programming language for writing programs in the style of clickbait news headlines 🤣
A simple, locally running ChatGPT UI.
My kids and I just played D&D with ChatGPT4 as the DM
Wow, and it was really good.
An experimental library for scraping websites using OpenAI’s GPT.
A new AI model from Meta AI that can “cut out” any object, in any image, with a single click.We put GPT-4 in Semgrep to point out false positives & fix coder2c’s Bence Nagy describes the newly launched Semgrep Assistant, which provides automated recommendations for triaging findings and suggested code remediations, using Semgrep + GPT-4.
6 Phases of the Post-GPT World
What Daniel Miessler thinks is coming as a result of connecting GPT-4 to the Internet: companies and people become models/APIs, AI assistants, content authentication, knowledge work replacement, and the creativity explosion.
Existential risk, AI, and the inevitable turn in human history
Tyler Cowen argues that we should move forward with AI, and that in some ways it’s inevitable anyway.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!