[tl;dr sec] #201 - CloudRecon, LLM Security, Okta for Red Teamers
Tool to find ephemeral assets in cloud infra, Dropbox's LLM security scripts, post-exploitation techniques for Okta
I hope you’ve been doing well!
📣 Accepting Sponsors for 2024!
Hi! Clint here with a special TV newsletter offer.
Do you have an awesome security product?
Would you like to showcase your security product and brand to over 25,000 security professionals, ranging from senior individual contributors to CISOs?
Well I won’t bury the lead (😉), you can, by sponsoring this very newsletter.
⭐️ Customer Reviews
Prior sponsors: “We’ll buy as many issues as you’ll sell us.” “tl;dr sec is our highest signal channel.”
In under 4 years, five start-ups who sponsored tl;dr sec have been acquired.
Many companies have come back for additional, often bigger sponsorships.
Email 👉️ [email protected] 👈️ and you’ll also get stickers, and a year’s supply of high fives, knowing nods, and finger guns at conferences.
We generally book out at least a few months in advance, so now’s the time to spend that end of year budget.
I’m waiting by my rotary phone*, talk to you soon!
*If you’re Gen Z, sorry if you feel excluded by that joke. You can look it up on the TikToks.
📣 CNAPP for Dummies
A clear, friendly guide to mastering the hot new category in cloud-native security that's taking the industry by storm.
Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you *need* to know to secure the changing landscape of cloud-native applications and protect your cloud environment today.
> The fundamentals of cloud-native security
> Powerful tactics to strengthen security measures
> Best practices for getting started
> Techniques to shift security up the pipeline (and ahead of threats)
> 10 strategies for maximizing the potential of your CNAPP
Wiz has been the fastest software company to get to $100M ARR and a $10B valuation. They also sponsor tl;dr sec. 😉
A tool to help detect and monitor public repositories creation under the organization and organization users as well, which could leak secrets, internal info, code, etc. The latter you can’t control easily as an admin, and some studies have shown that many times org secrets are leaked in an individual’s git repo, not necessarily an org repo.
📣 Consolidate access privileges for humans and machines with Teleport
Adding new software, onboarding employees, and expanding infrastructure means complexity that increases as you scale.
With Teleport, teams no longer have to choose between good security and making engineers happy. Rather than creating more “security theater” with solutions that either don’t get adopted or are just flat-out bypassed, Teleport provides a secure solution to manage infrastructure access that doesn't get in the way.
Learn how you can implement true zero trust, move away from static credentials towards short-lived certificates, and more below.
Increasing security and keeping friction low? I’m about it!
By Gunnar Andrews and Jason Haddix: A suite of three tools for red teamers and bug hunters to find ephemeral and development assets in cloud infrastructure by scanning IP addresses/CIDRs and inspecting SSL certificates.
A repos that offers a set of sample templates for security playbooks to address various scenarios encountered when using AWS, including responses to compromised IAM credentials, unauthorized network changes, bitcoin and cryptojacking, among others.
AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Gem's Itay Harel discusses a new technique that attackers use to exploit the default configuration of AWS when SourceIdentity is not set. A federated console session lets you convert a CLI session into a console session, and through this “Console Conceal” quirk, every action carried out through the AWS Console will not be logged with the temporary access key of the attacker’s role session, but with an access key ID that isn’t the same as the one that appears in the AssumeRole event.
The massive bug at the heart of the npm ecosystem
Manifest Confusion in PyPI
Stian Kristoffersen discusses manifest confusion attacks on PyPi, which refers to the fact that package managers (e.g. pip, poetry) resolve dependencies differently than security tools (SCA or malicious dependency vendors). This can lead to malicious or vulnerable packages being installed.
Further, an attacker could add, or change binary distributions at a later point, so what was initially scanned by the security vendor may not be what's currently in the package.
By Stuart Ashenbrenner et al: An open-source incident response framework for macOS that collects and analyzes data from compromised hosts. The tool can be deployed from an MDM or run independently from the user's command line.
A tool by Alexander Popov for checking the security hardening options of the Linux kernel. See also his Linux Kernel Defence Map, a graphical representation of the relationships between security hardening features and the corresponding vulnerability classes or exploitation techniques.
Google has open sourced BinDiff, a comparison tool for binary files that assists vulnerability researchers and engineers in finding differences and similarities in disassembled code. For example, identifying and isolating fixes for vulnerabilities in vendor-supplied patches.
Okta for Red Teamers
TrustedSec's Adam Chester discusses post-exploitation techniques for Okta, including Okta Delegated Authentication, hijacking the Okta AD Agent, hijacking Okta AD as an admin, and using a fake SAML provider.
Politics / Privacy
China is flooding Taiwan with disinformation
With elections looming, China wants Taiwanese voters to think America is their greatest threat
Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists
Some Israeli firms have developed the capability to use ad networks to serve targeted malware. Yikes. More.
“The described capability could allow attackers to target individuals based on demographic and behavioral characteristics collected by ad networks [and thus] target people from a specific ethnic group or retarget individuals who have visited an independent media website critical of the government.”
British Army general says UK now conducting ‘hunt forward’ (offensive) operations
Some interesting context about how the UK is going about things, the war in Ukraine and their investment in upskilling more people. Also, he sounds…nice.
“Without teaching grandma to suck eggs, all war is cognitive. It's never about killing everybody, it's about bending people to your will, and getting them to behave in the way you want them to behave.”
Machine Learning + Security
NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats
By Jakub Pruzinec: A blind SQL Injection optimization and automation framework that uses pre-trained and adaptive language models to efficiently extract textual data from databases.mlbr3it
Do Not Give Away My Secrets: Uncovering the Privacy Issue of Neural Code Completion Tools
Academic paper in which they searched GitHub for code containing hard-coded secrets, removed the secrets, and then prompted GitHub Copilot and Amazon CodeWhisperer to complete the code, thus seeing if the models would “leak” secrets from code they were trained on. The Register’s overview.
Note: this happens at a fairly low percentage of the prompt attempts, and many of the generated secrets are not valid (wrong structure), so I’d read this paper for the details.
Magentic - Add the
@promptdecorator to create Python functions that return structured output from an LLM.
OpenAI Cookbook - Guides on how to do common tasks with LLMs.
Introducing Mozilla.ai: Investing in trustworthy AI
ChatGPT can now browse the Internet
ChatGPT can now see, hear, and speak - “Snap a picture of a landmark while traveling and have a live conversation about what’s interesting about it.”
It can also convert Figma designs into working React components.
AutoGen: Enabling next-generation large language model applications
This open source project by Microsoft looks potentially hugely powerful. “AutoGen enables complex LLM-based workflows using multi-agent conversations. AutoGen agents are customizable and can be based on LLMs, tools, humans, and even a combination of them.”
Siqi Chen: How to get GPT4 to teach you anything
"Teach me how works by asking questions about my level of understanding of necessary concepts. With each response, fill in gaps in my understanding, then recursively ask me more questions to check my understanding."
Mike Crittenden: Atomic habit building with ChatGPT
“Imagine I want to develop the habit of [insert the desired habit here]. Can you provide creative ideas for each of the Four Laws of Behavior Change? Specifically, suggest a cue that will remind me to start the habit, a way to make the habit attractive and create a craving, a method to make the habit easy to perform as a response, and a reward that will make the habit satisfying.“
The Dark Side of Tech Culture
“A lot of the dissatisfaction that professionals have with their work environment stem from not recognizing (or refusing to recognize) their employer’s cultural priorities. The employer that prioritizes productivity above all else likely doesn’t care about your burnout or professional fulfilment — as long as you’re productive.”
Also, a cheeky ad re: your employer needing you
Sergio Pereira: How to effectively highlight your experience
Including: dig into what you concretely achieved, highlight specific programming languages and tools you worked with as well as vendors/partner APIs, mention if you were involved with building important workflows (e.g. authn/authz, payments, etc.), etc.
Day-1 Skills That Cybersecurity Hiring Managers Are Looking For
Daniel Miessler walks through the skills needed to perform several common security engineer tasks, such as selecting a security vendor, doing a security assessment, preparing for and handling an audit, integrating a new security product, creating a new tool, and soft skills.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!