• tl;dr sec
  • Posts
  • [tl;dr sec] #201 - CloudRecon, LLM Security, Okta for Red Teamers

[tl;dr sec] #201 - CloudRecon, LLM Security, Okta for Red Teamers

Tool to find ephemeral assets in cloud infra, Dropbox's LLM security scripts, post-exploitation techniques for Okta

Author

Clint Gibler
September 28, 2023

Hey there,

I hope you’ve been doing well!

📣 Accepting Sponsors for 2024!

Hi! Clint here with a special TV newsletter offer.

Do you have an awesome security product?

Would you like to showcase your security product and brand to over 25,000 security professionals, ranging from senior individual contributors to CISOs?

Well I won’t bury the lead (😉), you can, by sponsoring this very newsletter.

⭐️ Customer Reviews

  • Prior sponsors: “We’ll buy as many issues as you’ll sell us.” “tl;dr sec is our highest signal channel.”

  • In under 4 years, five start-ups who sponsored tl;dr sec have been acquired.

  • Many companies have come back for additional, often bigger sponsorships.

Email 👉️ [email protected] 👈️ and you’ll also get stickers, and a year’s supply of high fives, knowing nods, and finger guns at conferences.

We generally book out at least a few months in advance, so now’s the time to spend that end of year budget.

I’m waiting by my rotary phone*, talk to you soon!

 

*If you’re Gen Z, sorry if you feel excluded by that joke. You can look it up on the TikToks.

Sponsor

📣 CNAPP for Dummies

A clear, friendly guide to mastering the hot new category in cloud-native security that's taking the industry by storm.

Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you *need* to know to secure the changing landscape of cloud-native applications and protect your cloud environment today.

You’ll learn:

> The fundamentals of cloud-native security
> Powerful tactics to strengthen security measures
> Best practices for getting started
> Techniques to shift security up the pipeline (and ahead of threats)
> 10 strategies for maximizing the potential of your CNAPP

Wiz has been the fastest software company to get to $100M ARR and a $10B valuation. They also sponsor tl;dr sec. 😉 

AppSec

Quicklinks

  • hashicorp/cap - A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP.

  • gl-infra/pmv - A tiny utility for working with the 1Password CLI.

  • Passkeys are generally available -
    All GitHub.com users can now register a passkey to sign in without a password.

boringtools/git-alerts
A tool to help detect and monitor public repositories creation under the organization and organization users as well, which could leak secrets, internal info, code, etc. The latter you can’t control easily as an admin, and some studies have shown that many times org secrets are leaked in an individual’s git repo, not necessarily an org repo.

Sponsor

📣 Consolidate access privileges for humans and machines with Teleport

Adding new software, onboarding employees, and expanding infrastructure means complexity that increases as you scale.

With Teleport, teams no longer have to choose between good security and making engineers happy. Rather than creating more “security theater” with solutions that either don’t get adopted or are just flat-out bypassed, Teleport provides a secure solution to manage infrastructure access that doesn't get in the way.

Learn how you can implement true zero trust, move away from static credentials towards short-lived certificates, and more below.

Increasing security and keeping friction low? I’m about it!

Web Security

redrays-io/WS_RaceCondition_PoC
By RedRays’ Vahagn Vardanian: A simple PoC for demonstrating Race Conditions on Websockets.

Client-side JavaScript Instrumentation
Doyensec's Dennis Goodlett delves into client-side JavaScript instrumentation and his methodology for identifying security issues within large and complex codebases. Dennis introduces Eval Villain, a web extension designed to hook both native and non-native JavaScript functions across all frames and pages before their usage, among other capabilities. This is really cool work!

Cloud Security

g0ldencybersec/CloudRecon
By Gunnar Andrews and Jason Haddix: A suite of three tools for red teamers and bug hunters to find ephemeral and development assets in cloud infrastructure by scanning IP addresses/CIDRs and inspecting SSL certificates.

aws-samples/aws-customer-playbook-framework
A repos that offers a set of sample templates for security playbooks to address various scenarios encountered when using AWS, including responses to compromised IAM credentials, unauthorized network changes, bitcoin and cryptojacking, among others.

AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Gem's Itay Harel discusses a new technique that attackers use to exploit the default configuration of AWS when SourceIdentity is not set. A federated console session lets you convert a CLI session into a console session, and through this “Console Conceal” quirk, every action carried out through the AWS Console will not be logged with the temporary access key of the attacker’s role session, but with an access key ID that isn’t the same as the one that appears in the AssumeRole event.

Supply Chain

panki27/npm-manifest-check
A Python script to check npm packages for manifest mismatches, by Felix Pankratz.

The massive bug at the heart of the npm ecosystem
Oh JavaScript 🤦 Darcy Clarke describes how npm package manifests are published independently from their tarball, manifests are never fully validated against the tarball's contents, and thus how any tooling that assumes they are the same can be tricked.

Manifest Confusion in PyPI
Stian Kristoffersen discusses manifest confusion attacks on PyPi, which refers to the fact that package managers (e.g. pip, poetry) resolve dependencies differently than security tools (SCA or malicious dependency vendors). This can lead to malicious or vulnerable packages being installed.

Further, an attacker could add, or change binary distributions at a later point, so what was initially scanned by the security vendor may not be what's currently in the package.

Blue Team

Survey on CTI Networking (2023 Sequel)
Pulsedive’s Grace Chi is doing another survey on cyber threat intelligence networking practices, results, and attitudes. 2022 report here.

jamf/aftermath
By Stuart Ashenbrenner et al: An open-source incident response framework for macOS that collects and analyzes data from compromised hosts. The tool can be deployed from an MDM or run independently from the user's command line.

a13xp0p0v/kernel-hardening-checker
A tool by Alexander Popov for checking the security hardening options of the Linux kernel. See also his Linux Kernel Defence Map, a graphical representation of the relationships between security hardening features and the corresponding vulnerability classes or exploitation techniques.

Red Team

google/bindiff
Google has open sourced BinDiff, a comparison tool for binary files that assists vulnerability researchers and engineers in finding differences and similarities in disassembled code. For example, identifying and isolating fixes for vulnerabilities in vendor-supplied patches.

Okta for Red Teamers
TrustedSec's Adam Chester discusses post-exploitation techniques for Okta, including Okta Delegated Authentication, hijacking the Okta AD Agent, hijacking Okta AD as an admin, and using a fake SAML provider.


 

Politics / Privacy

China is flooding Taiwan with disinformation 
With elections looming, China wants Taiwanese voters to think America is their greatest threat

Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists
Some Israeli firms have developed the capability to use ad networks to serve targeted malware. Yikes. More.

“The described capability could allow attackers to target individuals based on demographic and behavioral characteristics collected by ad networks [and thus] target people from a specific ethnic group or retarget individuals who have visited an independent media website critical of the government.”

British Army general says UK now conducting ‘hunt forward’ (offensive) operations
Some interesting context about how the UK is going about things, the war in Ukraine and their investment in upskilling more people. Also, he sounds…nice.

“Without teaching grandma to suck eggs, all war is cognitive. It's never about killing everybody, it's about bending people to your will, and getting them to behave in the way you want them to behave.”

Machine Learning + Security

Quicklinks

pruzko/hakuin
By Jakub Pruzinec: A blind SQL Injection optimization and automation framework that uses pre-trained and adaptive language models to efficiently extract textual data from databases.mlbr3it

dropbox/llm-security
By Dropbox’s Mark Breitenbach and Adrian Wood: Scripts and related documentation that demonstrate attacks against large language models using repeated character sequences.

Do Not Give Away My Secrets: Uncovering the Privacy Issue of Neural Code Completion Tools
Academic paper in which they searched GitHub for code containing hard-coded secrets, removed the secrets, and then prompted GitHub Copilot and Amazon CodeWhisperer to complete the code, thus seeing if the models would “leak” secrets from code they were trained on. The Register’s overview.

Note: this happens at a fairly low percentage of the prompt attempts, and many of the generated secrets are not valid (wrong structure), so I’d read this paper for the details.

Machine Learning

Quicklinks

AutoGen: Enabling next-generation large language model applications
This open source project by Microsoft looks potentially hugely powerful. “AutoGen enables complex LLM-based workflows using multi-agent conversations. AutoGen agents are customizable and can be based on LLMs, tools, humans, and even a combination of them.”

Siqi Chen: How to get GPT4 to teach you anything
"Teach me how works by asking questions about my level of understanding of necessary concepts. With each response, fill in gaps in my understanding, then recursively ask me more questions to check my understanding."

Mike Crittenden: Atomic habit building with ChatGPT
“Imagine I want to develop the habit of [insert the desired habit here]. Can you provide creative ideas for each of the Four Laws of Behavior Change? Specifically, suggest a cue that will remind me to start the habit, a way to make the habit attractive and create a craving, a method to make the habit easy to perform as a response, and a reward that will make the habit satisfying.“

Career

The Dark Side of Tech Culture
“A lot of the dissatisfaction that professionals have with their work environment stem from not recognizing (or refusing to recognize) their employer’s cultural priorities. The employer that prioritizes productivity above all else likely doesn’t care about your burnout or professional fulfilment — as long as you’re productive.”

Also, a cheeky ad re: your employer needing you

Sergio Pereira: How to effectively highlight your experience
Including: dig into what you concretely achieved, highlight specific programming languages and tools you worked with as well as vendors/partner APIs, mention if you were involved with building important workflows (e.g. authn/authz, payments, etc.), etc.

Day-1 Skills That Cybersecurity Hiring Managers Are Looking For
Daniel Miessler walks through the skills needed to perform several common security engineer tasks, such as selecting a security vendor, doing a security assessment, preparing for and handling an audit, integrating a new security product, creating a new tool, and soft skills.

Misc

Quicklinks

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler