[tl;dr sec] #194 - CNAPPGoat, KubeFuzz, tl;dr sec swag
Multi-cloud open source tool to deploy vulnerable-by-design cloud resources, fuzzing Kubernetes Admission Controllers, where you can get tl;dr sec swag at Hacker Summer Camp
I hope you’ve been doing well!
Hacker Summer Camp
This is the first time I’m attending the Vegas conferences since the pandemic, and I’ve been having a blast reconnecting with friends and meeting new people.
I’ve also been chipping away at this issue in the mornings and evenings, like right now, at 11:37pm Wednesday when my friends are at a pool party 😅
To save time in the mornings, I bought some Cheerios and milk from a nearby CVS. But I didn’t have a bowl, so I improvised by getting some containers from Popeyes I’ve been eating out of.
I didn’t choose the glam life, it chose me.
Reminds me of when I was also eating Cheerios in my hotel room in Hawai’i at LocoMocoSec 😆
🎁 tl;dr sec Swag
I’ve been handing out tons of tl;dr sec t-shirts and stickers.
If you want some, find me, or I’ve stashed some 👇️
AppSec Village - Friday
Workshop: Finding bugs & scaling your security program w/ Semgrep - 3pm-5pm
A masterclass with my buds Lewis Ardern and Pieter De Cremer.
At the Miscreants booth.
This could be you!
📣 Rampant cloud activity?
Cloud risk can grow faster than your AWS bill (true story).
That’s why Wiz partnered with Wiley to create the AWS Security for Dummies ebook. This free PDF contains 46 pages of expert tips to harden your AWS environment, including:
How to get the basics right to help scale security when your footprint (inevitably) grows
How to secure specific resources based on your usage (VMs, S3, Cloudtrails, and more)
Which critical weaknesses to prioritize so you aren’t caught off guard
Grab your free digital copy now and boost your AWS security posture.
📜 In this newsletter…
Web Security: Attack surface detector, tool to check for NGINX path traversal vulnerabilities, exploiting POST-based XSS
AppSec: “Hot takes” with Caleb Sima
Cloud Security: Security implications of signing URLs in GCP, "Attacks As A Service" framework built on Google Workflows, CNAPPGoat
Container Security: Talk: Testing and Fuzzing the Kubernetes Admission Configuration, a tool to fuzz k8s admission controllers
Red Team: Ghidra plugin for mapping out code coverage data
Politics / Privacy: China influence campaigns in the U.S.
Machine Learning + Security: AI vulnerability database, AI incident database, mitigating stored prompt injection
Machine Learning: Searchable list of AI tools, nice GUIs to write/manage prompts, tool to add guardrails to LLM conversational systems, Adversarial Policies Beat Superhuman Go AIs
Misc: CLI JSON viewer, layoffs at NCC Group, Do Burnout and Addiction Have the Same Root Cause?, The Past is Not True
By hahwul and ksg97031: An attack surface detector that automatically extracts endpoints and web resources from source code. Seamlessly integrates with proxy tools like ZAP, Burp Suite, and Caido.
Chaining Vulnerabilities to Exploit POST Based Reflected XSS
Normally POST-based reflected XSS is tough to exploit, but TrustedSec's Drew Kirkpatrick shares how it can be done by chaining other vulnerabilities, such as method tampering, CSRF, and spoofed JSON with CSRF. Drew walks through each and releases postBasedXSS, a vulnerable lab where you can practice.
📣 Just-in-time access for your cloud infrastructure with ConductorOne
Managing access to cloud infrastructure can be a headache.
ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.
Learn how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.
"Hot Takes" with CISOs & CyberSecurity Leaders - Caleb Sima
New series by Cloud Security Podcast’s Ashish Rajan in which he interviews CISOs while eating spicy food.
Signing URLs in GCP: Convenience vs. Security
Leviathan's Vladyslav Horodivskyi delves into the distinctions between signing URLs using a service account key and employing the signBlob IAM method. The latter approach can potentially lead to privilege escalation within your GCP environment if the service account becomes compromised (e.g. due to SSRF, RCE, or local file read). Vladyslav has also created a Terraform script that sets up a vulnerable environment for testing purposes.
By Kat Traxler: DeRF (Detection Replay Framework) is an "Attacks As A Service" framework built on Google Workflows that allows the emulation of offensive techniques and the creation of replicable detection samples in a cloud-based environment.
CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources
Ermetic's Lior Zatlavi introduces CNAPPgoat, an open-source project that can modularly provision vulnerable-by-design components across AWS, Azure, and GCP. It can spin up atomic vulnerable scenarios, encompassing identity and entitlement management, exposure of workloads to vulnerabilities, and misconfiguration of cloud infrastructure components.
Testing and Fuzzing the Kubernetes Admission Configuration
Avolens' Benjamin Koltermann and Maximilian Rademacher's Troopers 2023 talk discussing admission controller best practices, real world examples, and the challenges of testing admission controllers in practice. They also introduce kubefuzz, described below.
Tool Release: Cartographer
NCC's Austin Peavy introduces Cartographer, a Ghidra plugin for mapping out code coverage data. It simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and more.
Politics / Privacy
Pro-China influence campaign allegedly financed staged protests in Washington
Mandiant believes a new Chinese influence campaign used newswire services, staged protests, and billboard ads to spread pro-Beijing propaganda in the U.S.
The Chinese marketing firm also supposedly ran 72 fake news sites worldwide, posing as independent news outlets while actually spreading content “strategically aligned with the political interests of China.” This is a meaningful escalation in China’s influence efforts.
Machine Learning + Security
AI Vulnerability Database
An open-source knowledge base of failure modes for AI models, datasets, and systems. Two focuses: a Taxonomy of the different avenues through which an AI system can fail, and a Database of evaluation examples that contain structured information on individual instances of these failure (sub)categories.
AI Incident Database
A database (currently >1,000 incidents) dedicated to indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, it aims to help us learn from experience so we can prevent or mitigate bad outcomes.
Mitigating Stored Prompt Injection Attacks Against LLM Applications
NVIDIA's Joseph Lucas discusses how info you pull in from external sources (e.g. vector databases) to include in prompts to provide relevant contextual information to answer a user's request can be a source of prompt injection, and potential options for mitigating this risk, like adding sanitizing or transforming steps.
ChainForge - An open-source visual programming environment for prompt engineering, LLM evaluation and experimentation. Evaluate the robustness of prompts and text generation models with little to no coding required.
PromptKnit - Another nice UI around building and managing prompts.
An open-source toolkit for easily adding programmable guardrails to LLM-based conversational systems.
Adversarial Policies Beat Superhuman Go AIs
Clear implications for applying AI to security.
jless - A CLI JSON viewer designed for reading, exploring, and searching through JSON data.
Beyoncé’s tour has 14 culinary professionals, including an English pastry chef, a vegan chef, and 3 personal chefs just for her and her inner circle. #tldrsectour2024
Moar Layoffs at NCC Group - Sad, NCC was a really formative place for me, and I got to work with some incredible people, many of whom are still friends today.
Do Burnout and Addiction Have the Same Root Cause?
Daniel Miessler posits that a strong and positive purpose in life may immunize you against both.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!