[tl;dr sec] #186 - Enterprise Purple Teaming, Cloud CTFs, Code Review with LLMs
Massive list of purple teaming resources, two new cloud CTFs to practice on, how effective are LLMs at doing secure code reviews?
I hope you’ve been doing well!
New Platform, Who Dis? 👋
Hello and welcome to the first edition of tl;dr sec on Beehiiv!
If you reached out to me in an effort to try to ensure email filters let this issue reach you, I’m hugely thankful 🙏
I will respond to your email, I’m just a bit behind.
I’ve included some brief points at the bottom because a few people asked why I switched.
In short: if you’re going to start a newsletter today, I think it’s almost definitely the best option, but happy to chat in more detail about it.
Keep an eye out Thursday mornings (PST) in case you’re not receiving tl;dr sec like normal.
Lots of AI Content This Time
Hope that’s OK 😅
📣 How to automate the detection and prioritization of complex behavioral threats with AWS CloudTrail and Kubernetes audit logs
Monitoring AWS CloudTrail and Kubernetes audit logs is a critical part of maintaining security in your AWS cloud because it provides visibility into your account activity across your infrastructure. Because this data contains all actions performed by all authenticated users, identification of the attackers becomes extremely hard.
Learn from Jeff Vogt, Field CTO at Lacework (and former Senior DevOps Engineer), on how to automate the detection and prioritization of threats from your CloudTrail data so that you can easily (and quickly!) identify attacks such as compromised credentials, potential AWS defense evasion, cloud ransomware, and cloud-based cryptomining.
📜 In this newsletter…
AppSec: Awesome Security Challenges, Semgrep Turbo Mode
macOS Security: Passkey improvements, a number of new privacy and security features announced
Web Security: A web path fuzzing tool, GraphQLmap
Cloud Security: The Big IAM Challenge, tool to find exploitable attack paths in cloud infra, a gamified cloud hacking sandbox
Blue Team: Enterprise Purple Teaming, HTTP agnostic software honeypot framework
Red Team: A collection of PoC and offensive techniques, breaking down reverse shell commands
Machine Learning + Code Auditing: Using AI to find vulns in XNU, evaluating Codex for Solidity code auditing
Machine Learning + Security: LLM security Twitter account, Google’s Secure AI framework, typosquatting ChatGPT hallucinated packages
Machine Learning: ML for document extraction, OpenAI updates (function calling), JSONformer, Microsoft’s prompt engine library
Misc: Social media protocol on DNS, Tanya Janca on getting better sleep
Why Beehiiv?: A few thoughts on why I switched from MailChimp
By Mike Privette: A curated list of Awesome Security Challenges aimed at helping beginners and experts alike upskill their ethical hacking, pentesting, and crypto skills through online challenges.
Cross-compiling OCaml to JS and Wasm: How we made the Semgrep Playground Fast
I love to see privacy and security as selling points ✊
Passkeys allow you to authenticate with apps and services using Face ID or Touch ID instead of remembering a password.
Apple now enables the synchronization of Passkeys with external providers such as password managers, and lets you share your passwords and passkeys from iCloud Keychain with groups or family members.
Major updates to Safari Private Browsing (advanced tracking and fingerprinting protections), Communication Safety, and Lockdown Mode, as well as app privacy improvements.
Link Tracking Protection in Messages, Mail, and Safari Private Browsing removes extra information from links to protect users from tracking and more.
An automated web path fuzzing tool targeted at bug bounty use cases, by @rapiddns.
A scripting engine to interact with a GraphQL endpoint for pentesting purposes, by Swissky.
📣 We Hack Purple – Everything You Need to Learn Secure Coding, and More!
Learn how to create secure software, from industry experts! Our fun, live, virtual training teaches developers to code more securely, with checklists, free access to on-demand courses, and a supportive online community, all for one price. Hire us to train your AppSec team, as we build your custom application security program, together! With customized training available, we have something that fits every organization’s software security training needs.
CloudFox: Find exploitable attack paths in cloud infrastructure
A command line tool to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure, by Bishop Fox’s Seth Art and Carlos Vendramini.
Introducing Cloudfoxable: A Gamified Cloud Hacking Sandbox
Bishop Fox’s Seth Art introduces Cloudfoxable, an intentionally vulnerable AWS environment created to teach AWS cloud penetration testing, with scenarios based on real cloud pen tests.
What sets CloudFoxable apart is its focus on creating as many distinct vulnerable resources and flags as possible – rewarding users for finding new entry points, lateral movement paths, and data access strategies.
Enterprise Purple Teaming: An Exploratory Qualitative Study
Xena Olsen has published her exploratory qualitative study examining the effectiveness of enterprise purple teaming in improving cybersecurity, as well as a big collection of purple team-related training materials, tools, frameworks and practitioner resources.
Introducing HASH: The HTTP Agnostic Software Honeypot framework
Datadog's Eslam Salem announces HASH, an open source unified framework for creating and launching low-interaction honeypots: mimic HTTP-based software with just a couple of YAML files.
Breaking down Reverse shell commands
Aditya Telange provides a visual overview of some of the most common reverse shell commands, including interactive shells, file descriptors, and read lines, offering a detailed explanation of the various parameters and options involved.
Machine Learning + Code Auditing
Editor's note: I’ve seen a number of blog posts where people use LLMs for auditing source code. Some of them have pretty poor methodologies. The Trail of Bits post below is probably the best one I've seen so far in teasing out nuances.
I think there are a lot of improvements and potential future work in this space; I just want to point out the challenges and nuances so next time you see a blog post or company like, "ZOMG LLMs can find every vulnerability evar!" you'll think critically about their approach and methodology.
Using AI to find software vulnerabilities in XNU
Tim Michaud shares his experience of using a codebert-c model (an open source model from HuggingFace) trained with the codeparrot/github-code-clean dataset to pinpoint a memory corruption vulnerability affecting XNU.
Also, TIL about Fill-Mask: mask some of the words in a sentence and predict which words should replace those masks.
Codex (and GPT-4) can’t beat humans on smart contract audits
Trail of Bits' Artem Dinaburg, Josselin Feist, and Riccardo Schirone discuss their initial investigations into using LLMs for security auditing Solidity code. In short, it's not great at it today and the tooling is nascent.
And a 🌶️ take:
people simping over AI based audits are going to lose their heads when they discover static analysis
— Benjamin Samuels (@thebensams)
Jun 4, 2023
Machine Learning + Security
Twitter account that shares nice LLM + security resources.
Introducing Google’s Secure AI Framework
Google’s Royal Hansen and Phil Venables introduce the Secure AI Framework (SAIF), a conceptual framework for secure AI systems. SAIF is designed to help mitigate risks specific to AI systems like stealing the model, data poisoning of the training data, injecting malicious inputs through prompt injection, and extracting confidential information in the training data.
Can you trust ChatGPT’s package recommendations?
Vulcan’s Bar Lanyado describes how an attacker can typosquat library names that ChatGPT is likely to hallucinate so that when developers use code recommended by the LLM they install the attacker’s malicious package instead.
A Python library that orchestrates document extraction and document layout analysis tasks using deep learning models.
OpenAI - Function calling and other API updates
More steerable versions of GPT-4 and gpt-3.5-turbo, 16k context version of gpt-3.5-turbo, some models are now cheaper, and function calling allows you to have the LLM take your prompt and output JSON containing well structured arguments to the functions you’ve defined for it (e.g. calling external APIs).
A bulletproof way to generate structured JSON from Language Models.
A library for helping developers craft prompts for Large Language Models.
#WeHackHealth Getting Better Sleep
My friend Tanya Janca shares her tips on getting better sleep, discussing caffeine, lowering the lights and removing blue lights when the sun sets, amber/warm vs blue lightbulbs, TV and phone use, blackout curtains, sun lamps, magnesium, sleep rituals, journals/lists, jetlag, diets and eating window, meditation, snoring and sleep apnea, and more.
See also Andrew Huberman’s Toolkit for Sleep.
I’ll write a post about this at some point, but because a few people asked:
Modern, clean UI and nice writing experience.
Solid analytics for understanding how people find your newsletter and built-in growth mechanisms (referral program, recommendations, etc.).
Creator-friendly business model - they charge you a flat monthly fee and don’t take 10% of subscriptions like Substack does.
Much cheaper than MailChimp or ConvertKit by list size.
They ship features faster than potentially almost any company I’ve ever seen. Unbelievable.
I have a referral link here, but honestly I would recommend Beehiiv regardless.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!