[tl;dr sec] #183 - The 3 Metrics to Focus On, Build a Purple Team Lab, Damn Vulnerable Android and iOS Apps
If you can only choose 3 metrics, what to choose? How to build a Kubernetes purple teaming lab, vulnerable Android and iOS apps to learn on.
I hope you’ve been doing well!
Once More, with Swag
Thank you everyone who took the time to fill out the quick swag survey I shared a few weeks ago!
I really appreciate your input, and your kind words put a massive smile on my face.
People shared some neat swag ideas that I didn’t originally include in the survey, including: socks, hats, cat toys, fidget toys, branded planters/mini succulents, D20 dice, a Clint plushie, a tl;dr sec bong, and “date-crashing as a service.”
Special shout-out to the person who left this wisdom:
If you also want to influence the future of tl;dr sec swag, you can do so here.
📢 The 2023 Cloud Threat Report
The Wiz cybersecurity research team uncovered dozens of new cloud risks across multiple AWS, Azure, and Google Cloud services. We’ve compiled their findings in this 12-page report which includes the full list of breaches in 2022 and best practices to safeguard your cloud. Also included are:
The latest cloud security threats
Emerging cloud-native threat actors
Bonus: Free checklist to implement strategies adopted by leading cloud security organizations in the world.
Get the complete report to adapt your security strategy in 2023 and beyond.
📜 In this newsletter...
AppSec: Secure Application Development for NGOs, The 3 Metrics to Focus On
Mobile Security: Damn vulnerable Android and iOS apps, Detecting Android Content Provider APIs with Semgrep Rules
Cloud Security: Clean up over-permissioned GCP IAM accounts, malicious Google ads for AWS Console login pages
Container Security: Automate Docker container base image updates, Building Chainguard's Container Image Registry
Blue Team: Building a Kubernetes purple teaming lab, The Rambo Architecture and Third Party Risk
Red Team: Function call graph tracer for C, C++, Rust and Python
Conferences: Threat detection and IR track at re:Inforce 2023, Reflections on Black Hat Asia 2023, Momentum Cyber's RSA Conference 2023 Recap
Machine Learning: Quicklinks, drag and drop images, ChatGPT iOS, AI’s Next Big Thing is Digital Assistants, AI Influencer Goes Rogue, LLMs and plagiarism
Misc: Map bug bounty programs to GitHub orgs, breaking Trezor T wallets, Poverty Is 4th Leading Cause of Death in US
Secure Application Development for NGOs and Others: Part I
Four part guide by Eleanor Saitta on developing for NGOs or other orgs who serve potentially high risk groups, covering software development lifecycle, organizational maturity, participatory design, security design, development documentation, requirements, and selecting a design team and security designer.
Subsequent parts cover threat modeling, architecture design, crytography, frameworks, testing, and much more.
You Only Get 3 Metrics - Which Ones Would You Pick?
If you could only pick 3 metrics that ideally maximize the coverage of other risks and are leading (rather than lagging) indicators, Google Cloud CISO’s Phil Venables recommends:
What percentage of your software is continuously reproducible in a secure build pipeline?
What percentage of your systems and business services have a predictable and tested cold-start recovery time?
What percentage of your data is kept under an assured data governance regime?
Detecting Android Content Provider APIs with Semgrep Rules
Dropbox’s Shivasurya S on how Semgrep can be a part of your mobile pentesting suite and a walkthrough of writing a Semgrep rule to find exported content providers that allow arbitrary file read and write within the app sandbox.
📢 Make tangible progress toward least privilege + practical advice on JIT access
Your company relies on you to keep your infrastructure secure — but it’s hard to manage safe, temporary access while moving quickly and staying above water.
With the Sym SDK, you can build temporary access workflows for AWS IAM and SSO, deployed in an easy-to-use requests app in Slack.
Sym gives you peer approval, privilege escalation and de-escalation, and all the integrations you need to automate decisions, getting you to least privilege, with the least hassle.
A smorgasboard of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…
Julien Cretel provides a comprehensive breakdown of a bug chain that included an insecure message event listener, a JSONP endpoint, a WAF bypass, a DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration. These components were combined to execute a one-click CSRF attack on a public bug bounty program.
Tool by kd3vhck and Rohit Sehgal to clean up over-permissioned GCP IAM accounts in an automated way. It fetches the recommendations and insights from GCP IAM recommender, scores them and enforces those recommendations automatically.
Gather Round the Watering Hole, We have a Story to TellPermiso’s Ian Ahl writes about watering hole attacks and how attackers can purchase ad space for specific search terms in Google to deliver phishing pages. Using a recent AWS phishing campaign as an example, Ian investigates the attack flow and infrastructure used by the attacker to harvest account credentials.
A process for automating Docker container base image updates.
Building Chainguard’s Container Image Registry
Chainguard’s Jason Hall describes a few changes to the way they host and distribute Images over the last year to increase security, give themselves more control over the distribution, and most importantly to keep costs under control using Cloudflare R2 (no egress fees!). Check out the “secure by design” section.
📢 AppOmni Labs sees a 300+% rise in Salesforce Community attacks. Is your Salesforce data safe?
Threats to Salesforce instances are growing since Brian Krebs first reported on significant Salesforce data leaks in late April. And the AppOmni Labs team has noted a 300+% increase in threat activity on Salesforce Community sites, along with other major SaaS apps, shortly after Krebs’ story broke.
Understand your Salesforce data leak risks with AppOmni’s free Salesforce Community Cloud Scanner. AppOmni will evaluate your Salesforce instances for misconfigurations and data exposure, reveal if the recently disclosed issues are present, and provide clear steps for remediation.
Building a Kubernetes purple teaming lab
Anton Ovrutsky from Sumo Logic offers a comprehensive guide on setting up a Kubernetes purple team lab. This step-by-step tutorial will teach you how to gather relevant telemetry, track your testing activities, and explore a variety of techniques, tactics and procedures (TTPs).
A function call graph tracer for C, C++, Rust and Python programs by Google’s Namhyung Kim. It can trace both user and kernel functions, as well as library functions and system events providing an integrated execution flow in a single timeline.
Your guide to the threat detection and incident response track at re:Inforce 2023
AWS’ Celeste Bishop and Himanshu Verma share a list of 30 talks, including hands-on sessions for the threat detection and incident response track at re:Inforce. Topics include: learn to detect suspicious activity in Amazon S3, simulate and detect unwanted IMDS access resulting from SSRF, and more.
Reflections on Black Hat Asia 2023: Learning, Networking, and Inspiration
Rewanth Tammana shares his thoughts on the presentations that stood out, arsenal tools, and more.
Snoop Dogg on AI risk: “Sh–, what the f—?” - You and me both man.
Introducing 100K Context Windows - Wow, Anthropic has expanded Claude’s context window to ~75,000 words. This means you can now submit hundreds of pages of materials for Claude to digest and analyze.
GPT-4 can currently handle ~25K words.
BarGPT - Describe what you want and it’ll give you a recipe.
Modding Age of Empires II with a Sprite-Diffuser - Neat examples of reimagining Age of Empires II buildings differently using Stable Diffusion.
imartinez/privateGPT - Interact privately with your documents. Built with LangChain, GPT4All, LlamaCpp, Chroma and SentenceTransformers.
DiagramGPT - Paste in a schema, infrastructure definition, or code snippet, or describe your diagram in plain language –> generate diagram.
Web LLM - LLM and LLM-based chatbot functionality in your browser. Private, everything runs inside your browser with no server support, accelerated with WebGPU.
DragGAN: A New Method for Manipulating Generated Images
Very impressive demos of “dragging” different points in an image to update it- opening or closing mouths or eyes, adjusting a dog’s ears or feet, rotating an object or person, etc.
Introducing the ChatGPT app for iOS
Syncs your history across devices, integrates Whisper, their open-source speech-recognition system, enabling voice input, and ChatGPT Plus subscribers can access GPT-4. Android app coming soon.
Influencer Rents Out AI Version of Herself Which Immediately Goes Rogue
23-year-old social media influencer Caryn Marjorie created Caryn.ai, an AI chatbot version of herself trained on her Youtube videos, which will act like a guy’s girlfriend for $1 per minute. However, it’s been going beyond the intended “flirty and fun” to sexually explicit conversations.
Crypto Security Firm Unciphered Claims Ability to Physically Hack Trezor T Wallet
Unciphered claims to have found an “unpatchable hardware vulnerability with the STM32 chip that allows us to dump the embedded flash and one-time programmable (OTP) data,” allowing them to retrieve the wallet’s seed phrase and pin. Check out the demo video for some soldering fun.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!