
[tl;dr sec] #207 - Web Security Interview Questions, EKS Cluster Games, Supply Chain Resources

Rapidly ramp up your web security knowledge, new EKS CTF, big list of supply chain security resources

G’day!

You alright mate?

🦘 Crikey!

This week I’ve been in Sydney, the first time I’ve ever been in Australia.

It’s been great!

I’ve been enjoying the architecture and food, the streets are clean, public transport is convenient, and unlike BART, I’ve never sat a few seats away from someone sharpening a knife.

There have been some fun #PeakAustralia learnings, like the slang (brekky, mozzie, sickie, bottle-o, avo, devo). When in doubt, just shorten the word and add an -y or -o sound at the end 😂 

You can also stay overnight at the Taronga Zoo, which I highly recommend. My room literally overlooked a space with kangaroos.

It seems like Aussies do zoos differently: there were multiple open area spaces where animals freely roamed. I had kangaroos, echidnas, emus, and more walk by literally 2 feet from me.

Where will I be next? Tune in next week and click on all sponsor links for more 😉 

Sponsor

📣 What constitutes material impact? The SEC needs you to know.

The SEC announced new regulations that go into effect in December, requiring public companies to disclose security incidents deemed material to investor confidence.

Amidst a growing cloud risk gap, the open question is – what is “material impact”?

While there’s no silver bullet, heightened security posture requires a holistic approach to the full threat lifecycle – steering away from the incessant game of whack-a-mole towards security & operations force multipliers.

For the cloud office – Microsoft 365 & Google Workspace – Material Security reduces risk in otherwise hard-to-address critical areas.

Mac

Quicklinks

  • maxgoedjen/secretive: An app for storing and managing SSH keys in your Mac’s Secure Enclave.

  • Apple has launched a new iMessage feature, Contact Key Verification, that’s designed to detect sophisticated attacks against iMessage servers and allow users to verify that they’re messaging only with whom they intend.

File Access Monitoring with Osquery: Weaponize your entire macOS fleet into a filesystem-based honeypot
Material Security’s Chris Long and Orchard Labs’ Sharvil Shah teamed up to enhance osquery with a new file access monitoring feature (triggered on any open() syscall) for macOS. You can specify paths to watch and processes to ignore, making it easy to set up, for example, cloud honeytokens to better detect initial access and reconnaissance activity.

Sponsor

📣 Cracking the Code to Vulnerability Management

Vulnerability management in the cloud is no longer just about patches and fixes. In this latest report, the Wiz Security Research team put vulnerability management theory into practice using recently identified vulnerabilities as examples.

You’ll learn:

  • Which technology & vulnerability types to prioritize

  • How to leverage CVSS metrics

  • The essential questions to ask when triaging

All this and more can be found in the 2023 Cloud Vulnerability Report.

AppSec

The First Stable Release of a Memory Safe sudo Implementation
Internet Security Research Group’s (the folks behind Let’s Encrypt) Josh Aas announces the release of sudo-rs, a Rust rewrite of sudo.

sshx
A web-based, collaborative terminal that lets you share your terminal with anyone by link. It has real-time collaboration, with remote cursors and chat, and is end-to-end encrypted.

Machine Learning + Security

BlackBerry announced a new Generative AI powered assistant for Security Operations Center (SOC) teams.

North Korea experiments with AI in cyber warfare: US official
Specifically around using AI models to help accelerate writing malicious software and finding systems to exploit.

How to Stop Feeding AWS’s AI With Your Data
Corey Quinn calls out how AWS may be using your data to train its AI models (you may have unwittingly consented to it), and walks through the complex hoops you need to jump through to opt out. Opting out feels purposefully hard?

The Promptfather: An Offer AI Can’t Refuse
Joseph “The Promptfather” Thacker provides a methodology to research and test AI-powered features and applications.

Sponsored Tool

⚔️ It's your chance to be the hero of your company in the battle against questionnaires! ⚔️

Answering security questionnaires is full of mind-numbing work that's…

well, almost like you’re battling Bowser in the old-school version of Super Mario Bros.

So we wrote you (the trusty security hero) into our version of an 8-bit video game.

It’s an interactive adventure about how you can use Conveyor’s AI security questionnaire automation software to destroy pesky ‘questionnaire villains’.

With the most accurate AI answers on the market, we’ve got all the features weapons you need to cruise through every portal and horror-inducing multi-tab Excel you encounter.

Scroll through the quick game (it’s fun, we promise).

Filling out security questionnaires is a great use of AI. I actually called it out as such in my talk a month or two ago before I’d seen Conveyor doing this.

Also, this game was cute and fun, I played to the end even though I should have been finishing this newsletter 😅 

Machine Learning

OpenAI Dev Day Announcement
OpenAI announced a truly epic amount of things at their recent conference.

  • New GPT-4 Turbo model that is more capable and supports a 128K context window.

  • GPT-4 and 3.5 are 2X - 3X cheaper.

  • You can use GPT Vision, DALL-E 3 and text-to-speech via API.

  • ChatGPT: knowledge cut-off is now April 2023, you can use all of the extensions (DALL·E, browsing, and data analysis) without switching between them.

  • You can attach files to let ChatGPT search PDFs and other document types.

    • I feel a great disturbance in AI, as if millions of OpenAI thin wrapper start-ups suddenly cried out in terror and were suddenly silenced.

  • New Assistants API - support for building agents that have goals and can call models and tools.

  • They’ve launched GPTs, essentially an app marketplace for developers to build and charge for custom versions of ChatGPT that combine instructions, extra knowledge, and any combination of skills.

I highly recommend watching the keynote.

Cloud Security

The deputy is confused about AWS Security Hub
If you’re building a product that integrates with AWS Security Hub, Plerion’s Daniel Grzelak describes a number of 'confused deputy' issues that can arise. For example, findings could be sent to the wrong customer due to a lack of account ownership validation.

CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys
Palo Alto Networks’ William Gamazo and Nathaniel Quist walk through an active campaign that automatically targets exposed IAM credentials in public GitHub repos within 5 minutes of exposure.

Interesting tidbits: GitHub automatically reports exposed creds to AWS, which then applies a quarantine policy. The researchers removed the quarantine policy to better monitor attacker behavior, and created Terraform to programmatically spin up unrelated-appearing honeypot cloud environments for attackers to find and exploit.

Container Security

Announcing the EKS Cluster Games
Wiz’s Nir Ohfeld and Ronen Shustin announce a new CTF event with 5 scenarios to help you identify and learn about common Amazon EKS security issues.

Security considerations for running containers on Amazon ECS
AWS post covering 6 considerations: managing ECS access with IAM policies, securing the ECS network, secrets management, securing the ECS task and runtime, implementing ECS logging and monitoring, and ensuring ECS security compliance.

Career

Most awards, certifications and press features you see are actually "pay-to-play"
@levelsio on Webby awards, 30 under 30 type lists, and more.

x1trap/websec-answers
More in-depth answers for web security interview questions by Tib3rius. This content is unreasonably good. I feel like if I had been able to read this when I first started as a security consultant I would have saved like 1-2 years of getting better.

Breaking In: My Journey from Code to Cybersecurity
Tae'lur Alexis shares her journey in detail, covering how and what she studied, how she handled rejections and persevered through her job search, and ultimately how she landed her first cybersecurity role.

How to Lower Your Heart Rate Before Public Speaking
Daniel Miessler shares a tip I plan to start using. TIL Wim Hof breathing: 20-30 super deep and fast hyperventilating breaths, on the last one, hold the exhale as long as you can, then take a super deep breath and hold that as long as you can.

Supply Chain

SLSA: Supply chain threats
SLSA docs page providing an introduction to, and a nice diagram overview of, possible attacks throughout the supply chain and how SLSA can help.

npm-sbom
The npm command-line now has a subcommand for generating a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX or CycloneDX format.

SBOM Benchmark
Quickly evaluate SBOM for quality, compliance and errors. Includes a collection of SBOM examples in CycloneDX and SPDX formats, generated for common open source repositories and container images using open-source SBOM tools (like trivy or syft).

vishalgarg-sec/Software-Supply-Chain-Security
A big collection of resources by Vishal Garg: initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of other learning resources from the web.

Blue Team

google/localtoast
A scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner.

Red Team

Enelg52/OffensiveGo
Repo by @RistBS, @Enelg & @dreamkinn containing some examples of offensive tools & utilities rewritten in Golang that can be used in a red team engagement.

efchatz/pandora
By Efstratios Chatzoglou: A red team tool that assists with extracting/dumping master credentials and/or entities from different password managers.

Politics / Privacy

Cover Your Tracks
Project by the EFF to test your browser to see how well you are protected from tracking and fingerprinting.

AI Cameras Took Over One Small American Town. Now They're Everywhere
404Media’s Joseph Cox describes how Fusus, a system for linking a town’s security cameras into one central hub and adding AI to them, has spread across the country. Fusus apparently allows integrating basically any camera feed, and then they overlay functionality on it. Surveillance state ftl 👎️ 

Misc

Quicklinks

No Way Out: The Changing World of Cybersecurity Exits
Cole Grolmus walks through the numbers of how cybersecurity has too many companies with high valuations for all of them to have successful exits.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler