[tl;dr sec] #204 - Following Attackers' CloudTrail, SSH Security Tools, Secure by Design

🤖 AI Meetups Erry’ Day

Living in the Bay Area, there appears to be an ever-increasing number of AI-related events.

No one has (yet) approached me with matching outfits and a book, offering to teach me the Good Word about AGI. But it’s close.

Over the last few weeks, I’ll have attended a few AI evening events, two half-day summits, and a private potluck 😆 

I wonder if living through this is like witnessing the Cambrian explosion of creativity and innovation that occurred in the early days of the invention of the personal computer.

Despite me going on record in this 2020 Forbes article saying machine learning in cybersecurity (at the time) was more hype than realized potential, I do think there’s something here.

I don’t think LLMs will solve all problems, and there’s certainly much more work to be done, but personally I’ve found it’s added some fun to tasks: whether it’s rapidly prototyping one-offs scripts, generating writing in a certain style, or creating fantastical images I could never draw.

Anywho, just wanted to share, I hope I’m not coming off like this.

Sponsor

📣 Hear the Latest in InfoSec Directly from Today’s InfoSec Leaders

Whether you’re just getting started, or you’re an experienced Information Security professional yourself, it always helps to hear from others in the field what’s important to them, what they’ve experienced, what has worked for them, and even what hasn’t. We’ve started a new monthly live streaming series where Hyperproof’s own Field CISO, Kayne McGladrey, interviews a new InfoSec thought leader each week to discuss:

- Best practices in cybersecurity
- The evolution of information security
- Work-life balance
- And more…

You can even watch recordings of the latest episodes on our Brighttalk channel now.

📜 In this newsletter…

• Web Security: Two tools to find the origin server behind Cloudflare

• AppSec: Free Harvard intro to security class, CISA Secure by Design whitepaper update, research project to ‘distill’ old military software, leading cybersecurity with a control vs resilience strategy

• Cloud Security: Reference architecture for FedRAMP AWS builds, AWS support responds differently to leaked access keys, meeting FedRAMP crypto requirements in AWS, following attackers’ CloudTrail

• Container Security: Improve your k8s security posture with one label, bootstrap an air gapped cluster with kubeadm

• Supply Chain: OpenSSF’s threat model for OSS supply chain risk, a YAML spec for describing your repo’s security properties

• Blue Team: SSH server and client security auditing tool, a daemon to monitor OpenSSH servers and record all activity, you should know EPSS

• Red Team: Tool to harvest passwords automatically from OpenSSH, a general purpose RE API and hybrid debugger

• Machine Learning + Security: Multi-modal prompt injection via images, securing ChatGPT and GitHub Copilot use in your company

• Machine Learning: Google’s got your legal back in court if you use their LLMs, auto-generate Terraform test files, AI predicting new COVID strains, open questions for AI engineering

• Misc: Rust to Assembly, HashiCorp CEO on needing new OSS licensing expectations, California’s Delete Act, vulns with logos, end of life software list.

Web Security

gwen001/cloudflare-origin-ip
By Gwendal Le Coguic: Try to find the origin IP of a web app protected by Cloudflare by comparing the HTTP response of the given subdomain to HTTP responses of a list of IP addresses.

christophetd/CloudFlair
By Christophe Tafani-Dereeper: Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys. Companion blog post.

Sponsor

📣 Uncover Hidden Risk

Most cloud risk isn’t invisible, just unseen.

That’s why 35% of Fortune 100 companies rely on Wiz to answer their most burning cloud security questions:

• What are the most critical risks in your cloud environment?

• Which CVEs require attention? Which ones are noise?

• What toxic combinations are inadvertently increasing your risk profile (and how to reduce them)?

• Which lateral movement paths can attackers use to access sensitive resources?

• What is the context behind each risk? Because that’s the holy grail for security teams.

Curious to see how Wiz can detect and prioritize risk in your cloud environment?

Book a platform tour with a Wiz expert. You’ll learn how Wiz works and what hidden risks it can uncover across your cloud.

AppSec

HarvardX: CS50's Introduction to Cybersecurity
An introduction to cybersecurity for technical and non-technical audiences. Free, self-paced, 2-6 hours/week over 5 weeks.

Secure by Design: Principles and Approaches for Secure by Design Software
CISA has released the second version of its whitepaper, covering 3 principles of software product security, secure by design tactics, and more. H/T Bob Lord, Jack Cable, Lauren Zabierek, and Grant Dasher.

‘Distilling’ Outdated Software Could Save Defense Dept. Millions in Time and Money
Overview blog post about some Georgia Tech researchers (Brendan Saltaformaggio et al) who are building tools that can lift a binary executable into a highly abstract representation (HAR) so that a reviewer can understand what the code does, make changes, and then reassemble it into another binary that can replace the original. It can also remove old code that is no longer necessary.

Leading Cybersecurity with a Control vs. Resilience Strategy
Kelly Shortridge outlines two paths we can pursue for our cybersecurity strategy. Why do people follow the “control” strategy? It’s easier and you can blame users when they don’t follow the high friction path you’ve laid out for them. “Humans don’t interact with software or systems to be secure, they interact to perform a task to achieve a goal.”

Cloud Security

Coalfire-CF/Coalfire-AWS-RAMPpak
A reference architecture for FedRAMP AWS builds, by Coalfire. Announcement blog.

The Consistently Inconsistence response to Access Key Leaks
Once more Chris Farris committed eight different access keys to a public GitHub repo for eight different AWS accounts, and shares the inconsistent responses from AWS support.

Meeting the FedRAMP FIPS 140–2 requirement on AWS
LaunchDarkly’s Alex Smolen discusses why FedRAMP requiring FIPS modules is bad, and, after you’ve shed the appropriate tears of self-loathing, tactical advice on handling FIPS encryption in transit and at rest.

Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild
Datadog’s Martin McCloskey, Frederic Baguelin, and Christophe Tafani-Dereeper discuss threat hunting in AWS environments using CloudTrail, covering real attacker activity across various attack scenarios, such as creating IAM users for persistence, creating security groups or EC2 key pairs, and the most common enumeration techniques for determining permissions assigned to stolen AWS credentials. They conclude with high-confidence detections in CloudTrail SQL format.

Container Security

Only one label to improve your Kubernetes security posture, with the Pod Security Admission
Mathieu Benoit describes how in Kubernetes 1.25 the Pod Security admission (PSA) controller replaces PodSecurityPolicy (PSP), making it easier to enforce predefined Pod Security Standards (PSS) by simply adding a label to a namespace (privileged, baseline, restricted). This can limit the default privileged capabilities of containers, minimizing risk.

Bootstrap an Air Gapped Cluster With Kubeadm
Rob Mengert walks through bootstrapping a Kubernetes cluster in an air-gapped lab environment (no Internet access) using Fedora Linux and kubeadm. See also Zarf, a tool that takes a declarative approach to software packaging and delivery, including air gap.

Supply Chain

Threat Modeling the Supply Chain for Software Consumers
Citi’s Jonathan Meadows shares the OpenSSF’s initial threat model diagram for a typical enterprise open source software consumer with common software assets, including high-level threats against each component.

OpenSSF introduces the Specification Security Insights 1.0
Luigi Gubello, Eddie Knight, and Michael Scovetta describe a YAML specification through which maintainers can provide information about their projects’ security processes in a machine-processable way. Sections include: security contacts, security policy, bug bounty scope, and more.

Blue Team

jtesta/ssh-audit
An SSH server & client security auditing tool: banner, key exchange, encryption, mac, compression, compatibility, security, etc., by Positron Security's Joe Testa.

sshlog/agent
A free Linux daemon that passively monitors OpenSSH servers via eBPF to record all SSH session activity (commands and output) to log files for any connecting user, watch SSH sessions and post Slack messages or run arbitrary commands when specific activity occurs, forward all SSH events to a remote syslog server, and more.

Vulnerability Management: You should know about EPSS
Ryan McGeehan walks through the value of the Exploit Prediction Scoring System (EPSS), which spits out a probability of a CVE being exploited in the wild within 30 days. This helps you prioritize your remediation efforts, as most vulnerabilities (even those with CVSS High and Critical) are not exploited in the wild.

Red Team

jm33-m0/SSH-Harvester
Tool to harvest passwords automatically from OpenSSH server, by Jing Mi. Companion blog post: SSHD Injection and Password Harvesting.

codereversing/ted_api
By Alex Abramov: A general purpose reverse engineering API and hybrid debugger, that allows for inspection and modification of a program's inner workings. It works by being injected into a target process and starting a gRPC server, which clients can then connect to.

Machine Learning + Security

Multi-modal prompt injection image attacks against GPT-4V
Simon Willison walks through several image-based prompt injection attacks on GPT-4 Vision, including visible written instructions, exfiltrating data, and visually hiding the prompt injection.

A framework to securely use LLMs in companies Part 3: Securing ChatGPT and GitHub Copilot
Sandesh Anand and Ashwath Kumar discuss both broad principles and specific guidelines in using ChatGPT and GitHub Copilot securely in a business.

Machine Learning

Quicklinks

• Like Microsoft, Google Cloud will assume responsibility for any legal risks, if you’re challenged on copyright grounds due to using Duet AI or Vertex AI.

• New: Terraform can now auto-generate test files for private modules using generative AI

• Harvard and University of Oxford researchers are harnessing AI to predict threatening new strains of COVID-19 and other viruses. It successfully predicted the most frequent mutations and dangerous variants of SARS-CoV-2.

Open questions for AI engineering
Blog post version of Simon Willison's AI Engineer Summit keynote. I liked the two questions he likes to ask himself of any new technology:

• What does this let me do that was previously impossible?

• What does this let me build faster?

Simon argues that ChatGPT ultimately helps programmers by flattening the learning curve and rapidly getting you to an 80% solution, even if you’re not familiar with the language.

Also, TIL you can extend ChatGPT Code Interpreter by uploading Python dependencies (that it can then use), or a JavaScript or Lua interpreter, for example. 🤯 

Misc

Quicklinks

• Rust to Assembly: Understanding the Inner Workings of Rust

• HashiCorp’s CEO predicted there would be “no more open source companies in Silicon Valley” unless the community rethinks how it protects innovation, as he defended the firm’s license switch at its user conference this month.

  • I am not a lawyer, but to be honest, “All production uses are allowed other than hosting or embedding the software in an offering competitive with HashiCorp commercial products, hosted or self-managed” seems reasonable to me 🤷 

California Governor Gavin Newsom has signed the Delete Act, mandating the creation of a tool by 2026 that allows Californians to request data brokers to delete their personal information in a single request.

Designer Vulnerabilities
Over 400 historical vulnerabilities that have been given names/logos, like BEAST, Lucky Thirteen, etc. by Mike Sass.

endoflife.date
Documents EOL dates and support lifecycles for ~265 products. See also xeol.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler