[tl;dr sec] #181 - Awesome CloudSec Labs, Red Team Infra in 2023, Privilege Escalation in EKS
Free cloud-native security learning labs, the essential components for modern robust red teaming infra, how to privesc from a compromised EKS pod and defeat Kubernetes NodeRestriction.
I hope you’ve been doing well!
Life Advice from VCs
This week I found myself at a dinner with a few VCs, founders, and other tech folks.
The conversation ranged from strangest start-up pitch (one founder who, wanting to remain anonymous, entered and remained in a mask throughout their pitch) to the origin of IPA beers.
At one point the conversation turned to relationship and life advice. Most of these will likely ring true, but I bet The Last One Will Shock You™.
✅ Be with someone who makes the boring day-to-day stuff fun (e.g. grocery shopping or laundry).
❌ If you meet your partner’s friends and you don’t like any of them. Who your partner chooses to spend time with is indicative of who they are, and you’re going to have to spend time with their friends.
✅ If your partner has a close relationship with their parents and received a lot of love growing up.
In life, Happiness = Expectations / Reality
Finally, this incredibly friendly Brazilian woman shared some advice that I hope you never have to use:
There you have it- never let it be said that tl;dr sec doesn’t also give you practical street smarts 😂
📢 5 best practices for securing Kubernetes runtime workloads
A comprehensive Kubernetes security strategy requires a defense-in-depth approach that is able to detect attacks in-progress, unusual behavior, and attempts to exploit misconfigurations or vulnerabilities in running clusters.
While hardening Kubernetes workload configuration or Kubernetes Role-Based Access Controls (RBAC) is a necessary best practice, it’s just the tip of the iceberg when securing Kubernetes clusters.
Learn best practices for securing Kubernetes runtime workloads in this article by Lacework®, the leader in cloud security that keeps you secure from code to cloud.
📜 In this newsletter...
AppSec: Catching XXE bugs in Java with Semgrep taint labels, Mitigating Risky PRs with Monocle Risk Advisor
Web Security: AngularJS gadget to bypass CSP in Piwik PRO, the dangers of not specifying the right Content-Type
Cloud Security: AWS Nitro System API & Security Claims, An Adventure in Google Cloud threat detection, The Service Mesh Landscape, Awesome CloudSec Labs, My Love/Hate Relationship with Cloud Custodian
Container Security: K8s operator for creating temporary resources, PrivEsc in EKS
Blue Team: You can now use passkeys on your personal Google Account, Living Off The Land Drivers, Tailscale now supports network flow logs and log streaming
Red Team: Building a Red Team Infrastructure in 2023, Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting
Politics / Privacy: Chinese hackers outnumber FBI cyber agents by 'at least 50 to 1'
Machine Learning: How to build a tool-using agent with LangChain, Hackers are increasingly using ChatGPT lures to spread malware on Facebook, FTC Chair says she’s on alert for AI violating antitrust or consumer protection laws, Google "We Have No Moat, And Neither Does OpenAI", The Spherical Cow of ML Security
Misc: The best picket signs of the Hollywood writers' strike, the best five books on any topic, eBPF for beginners
Catching XXE bugs in Java with Semgrep taint labels
Great detailed video by Pieter De Cremer. See also Pieter’s videos:
Mitigating Risky Pull Requests with Monocle Risk
Advisor David Trejo discusses how Chime has introduced guardrails and security control checks in their GitHub PR workflow in a tool called Monocle Risk Advisor. Risk Advisor makes it easy for their auditors to track deviations from controls, and these are tracked as tickets in Jira. OPA is used to implement checks.
📢 Tailscale, a frustratingly simple VPN
Tailscale is the simple and secure way to build and manage your team’s network.
We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.
Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.
Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
PortSwigger’s Gareth Heyes discusses an AngularJS gadget that could be exploited as a CSP bypass in Piwik PRO, which could be turned into XSS if chained with an HTML injection.
Odoo: Get your Content Type right, or else!
Dennis Brinkrolf and Thomas Chauchefoin from Sonar Source discuss the security implications of the Content-Type header returned by web applications and discuss an XSS discovered in Odoo that resulted from a misconfigured Content-Type header set on an API endpoint.
An Adventure in Google Cloud threat detection
DataDog’s Martin McCloskey and Day Johnson share common threats and exploits in Google Cloud, including techniques known to be used by threat actors (e.g. the creation or use of service account keys outside of Google Cloud) as well as likely techniques, such as data extraction via Google Cloud SQL or the creation of a privileged service account.
The Service Mesh Landscape
A comparison of various service meshes, including Linkerd, Istio, Consul, NGINX service mesh, and Network Service Mesh.
My Love/Hate Relationship with Cloud Custodian
Chandrapal Badshah writes about his experience using Cloud Custodian, a rules engine for cloud security, cost optimization, and governance. Chandrapal highlights its ability to detect misconfigurations in near-real-time or at periodic intervals and auto-mitigate those issues thanks to the customizable detection rules engine, while remaining cost-effective.
Areas for improvement: lack of documentation and its difficult to create custom notification messages.
Privilege escalation in AWS Elastic Kubernetes Service (EKS)
Calif’s An Trinh on achieving privilege escalation from a compromised pod in EKS and how to defeat Kubernetes NodeRestriction, a security mechanism enabled by default on all EKS versions.
📢 Salesforce Community site data leaks persist. Is your Salesforce instance secure?
Krebs on Security reported that significant Salesforce data leaks have exposed numerous customers’ sensitive data hosted in Salesforce Community websites. Since Krebs shared his findings, AppOmni Labs has noted a 300+% spike in threat activity on Salesforce Community sites and other major SaaS apps.
To help keep Salesforce data secure, AppOmni has launched a free Salesforce Community Cloud Scanner. AppOmni will evaluate your Salesforce instances for misconfigurations and data exposure risks, reveal if the recently disclosed issues are present, and provide clear steps for remediation.
So long passwords, thanks for all the phish
Google’s Arnar Birgisson and Diana K. Smetters announce that you can now use passkeys on your personal Google Account, a more secure and convenient alternative to passwords and two-step verification. You can sign in by unlocking your computer or mobile device with your fingerprint, face recognition or a local PIN.
Living Off The Land Drivers
Michael Haag announces the LOLDrivers project, which aims to consolidate vulnerable and malicious Windows drivers that can be used by adversaries to bypass security controls into a single location.
Announcing network flow logs and log streaming
Tailscale’s Pouyan Aminian and Jairo Camacho announce the release of network flow logs, a new Tailscale feature that records metadata about your network traffic to assist you in monitoring network activity in your tailnet, identifying threats, investigating security incidents, troubleshooting network issues, and maintaining compliance with your network security policies.
Building a Red Team Infrastructure in 2023
Secure Systems Engineering GMBH’s André Tschapeller explores the essential components needed for robust red teaming infrastructure. André provides an overview of the system as a whole then dives into each separate element, including the C2 infrastructure, HTTPS and DNS redirectors, and using GoPhish in conjunction with a postfix redirector for the phishing server.
Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting
RedTeam Pentesting unveils their new tool: Resocks, a reverse/back-connect SOCK5 proxy tunnel that enables users to route traffic through an otherwise inaccessible system while ensuring the traffic is encrypted. Resocks uses mTLS and generates certificates based on a connection key to guarantee secure communication.
Politics / Privacy
Chinese hackers outnumber FBI cyber agents by ‘at least 50 to 1’
Says FBI Director Christopher Wray.
How to build a tool-using agent with LangChain
Jupyter notebook walkthrough by OpenAI on using LangChain to augment an OpenAI model with access to external tools using an agent approach: allow it to do chain of reasoning, search the Internet for answers, retain a memory of the conversation and use it as context for subsequent steps, or reference a custom knowledge base using a vectorstore like Pinecone.
Hackers are increasingly using ChatGPT lures to spread malware on Facebook
Meta has seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools, then they’d promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.
Google “We Have No Moat, And Neither Does OpenAI”
Fascinating leaked internal Google document claims open source AI will outcompete Google and OpenAI. Very much worth reading. The timeline at the bottom is quite neat to see the pace of innovation.
Measuring and externally auditing the model’s efficacy guarantees.
Real-world challenges include difficulties in accurately measuring the efficacy of the ML, addressing sampling bias, and guarding against privacy issues or model theft.
Theoretical challenges, such as adversarial examples.
The best picket signs of the Hollywood writers’ strike
About ChatGPT, good memes, and more.
The best five books on a variety of topics, selected by experts in those areas, ranging from food to AI, science fiction, thrillers, history, and more.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!