[tl;dr sec] #179 - BSidesSF Summaries, Attacking Kubernetes, OpenAI Burp Suite
I wrote quick summaries of four BSidesSF presentations, common Kubernetes attack vectors and vulnerable lab, Burp Suite extension that uses OpenAI for recon.
I hope you’ve been doing well!
I have some amusing anecdotes from BSidesSF and RSA that I want to share, but I haven’t had time to write them up yet. Will share next week.
For everyone who came up and said hi during BSidesSF or RSA- it was lovely to meet you!
I’m always honored to hear when people find tl;dr sec useful, and it keeps me going when its *checks watch* much too late and I’m still writing. It truly does mean a lot to me.
I’ll leave you for now with a meme my bud Tanya Janca included in our RSA training, which is probably one of my favorite infosec memes of all times.
Last week I borked the following link: Two Ways to Access EKS: Kubernetes RBAC and AWS IAM. Thank you Dev for letting me know.
BSidesSF Talk Summary Threads
I wrote a few summary tweet threads of talks and panels I liked. Check them out for a quick tl;dr of the main points:
For another time when I did this (to the extent that it may have damaged personal relationships), see: What I Learned Watching All 44 AppSec Cali 2019 Talks.
📢 The Cloud Security Workflow Handbook
The Wiz research team surveyed security orgs at hyper-scaling enterprises to uncover how they’re adapting in 2023 and beyond. They packed their best-practices, frameworks, and templates into this playbook including:
A breakdown of the three pillars of the modern cloud security operating model best-in-class orgs are moving to.
A 4-step roadmap used by the fastest-growing companies to adapt to the new threat landscape.
Plus: Goals and KPI templates for your team to track based on maturity stage presented in a convenient cheat sheet.
📜 In this newsletter...
Ain't nobody got time to write a Table of Contents this week.
Look Mama, no TemplatesImpl
Hans-Martin Münch from MogwaiLabs provides an overview of how changes introduced in Java 16 have made exploiting native deserialization vulnerabilities much harder. He shares some examples on how it is still possible to achieve remote code execution in Java 17 and beyond using JDBC connections.
Java Exploitation Restrictions in Modern JDK Times
CODE WHITE’s Florian Hauser provides a deep dive into the evolution of Java deserialization gadgets in vulnerability research. Florian explores fresh approaches for executing Java code in the latest JDK versions (e.g. using a scripting engine to stay within the JVM to execute code, which is stealthier than exec()ing a child process), with a particular focus on OpenJDK and Oracle implementations.
Human passwords frequently have patterns in common.
Secret material is often shared or reused, especially among shared user pools
📢 Make sense of your security data, all of it.
According to Gartner, data fabric architecture is key to modernizing data management and integration because it can continuously identify and connect data from disparate applications. It does this by connecting data at the processing layer rather than the storage layer.
Avalor’s Data Fabric for Security™
integrates disparate data sources from legacy systems, data lakes, data warehouses, SQL databases, applications, or any source of data – in any format – to give security teams a holistic view of their data and business performance.
Understanding HTTP Request Smuggling with Hop-to-Hop Headers
Payatu’s Mukund Kedia discusses how HTTP request smuggling attacks can be performed using hop-to-hop headers, a technique that manipulates the HTTP headers of a request in a way that causes different interpretations of the request between two or more intermediaries that handle the request before it reaches its target. Akamai CDN’s cache was affected.
A tool that can integrate multiple SPDX JSON formatted Software Bill of materials (SBOMs) into a parent SBOM.
Introducing ‘Trusted Publishers’
PyPI maintainer Dustin Ingram shares how package maintainers can securely publish packages using OpenID Connect, which can be used in automated environments (e.g. GitHub Actions) to eliminate the need to use usernames/passwords or manually generated API tokens.
An AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.
Security best practices for Amazon S3
19 practical recommendations from AWS to enhance your S3 security policies with better security, monitoring, and auditing practices.
tl;dr: Manage IAM in YAML + some other nice features. “A multi-cloud identity and access management (IAM) control plane that centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in version control.”
Logging strategies for security incident response
AWS’ Anna McAbee, Ciaran Carragher and Pratima Singh outlines in this article how to develop an effective logging strategy for security incident response by identifying the logs to analyze (e.g. AWS account logs, OS and application logs, DB and network logs, access logs), determining where to store them, planning how to analyze them, and example queries.
Attacking Kubernetes (K8s) - Part 1
Redfox Security discusses Kubernetes security, including common attack vectors that can pose a threat to clusters. The post walks through the Insekube tryhackme vulnerable lab, demonstrating lateral movement techniques and how to pivot into K8s nodes.
Chatgpt scam attacks increasing
Palo Alto Networks’ Unit42 shares data and case studies that demonstrates how the increasing popularity of ChatGPT has made it a target for scammers- getting victims to install malware, stealing sensitive info, the usual. “Between November 2022 through early April 2023, we noticed a 910% increase in monthly registrations for domains related to ChatGPT.”
Politics / Privacy
Bao Fan: Why do Chinese billionaires keep vanishing?
If billionaires can randomly “disappear,” why would TikTok (which is built by people), not be under the control of the Chinese government?
Unrelated but amusing:
Meet Chaos-GPT: An AI Tool That Seeks to Destroy Humanity
When someone gave AutoGPT the parameter of being a “destructive, power-hungry, manipulative AI,” it created a 5-step plan to control humanity. It Googled for weapons of mass destruction, asked ChatGPT about destructive weapons, and when ChatGPT censored itself, as it’s been trained to not give out info like that, Chaos-GPT tried to manipulate ChatGPT to give it the info it wanted 😅
Lost in ChatGPT’s memories: escaping ChatGPT-3.5 memory issues to write CVE PoCs
Altin delves into ChatGPT’s memory limitations, offering solutions to escape the 4096-token limit, and outlining how to use ChatGPT as an assistant to analyze large codebases and write a CVE PoC for a resource exhaustion vulnerability discovered in Go’s textproto package.
On self-healing code and the obvious issue
In this article, Gynvael Coldwind reflects on Wolverine (when you run Python scripts with Wolverine, when they crash, GPT-4 edits them and explains what went wrong) and the use of ‘self-healing’ programs that can repair themselves with the help of AI.
Gynvael points out how a simple script could be used by a malicious actor to trick the program and add a prompt injection that might fix the code in an undesirable way. He advises developers to refrain from deploying self-healing code in real-world environments.
Building A ChatGPT-enhanced Python REPL
Logan Mortimer shares his experience in building a ChatGPT-enhanced Python REPL. Logan discusses the architecture and prompts used in his creation, named GEPL while exploring some software engineering patterns and paradigms that may arise when working with Large Language Models (LLMs).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!