🦃 Friendsgiving

Aaaand we’re back! If you celebrate, I hope you had a wonderful holiday break last week!

For me, I hosted a small Friendsgiving at my place.

I don’t often host groups. It’s been that way for a long time, but I’ve never really reflected why.

After thinking for a bit, I believe it’s at least partly because of insecurity: subconsciously I was worried people would judge the decor, or not show up, and it’d feel like rejection.

People did show up, and we had a great time!

The main reason I decided to host was a friend recently moved to the Bay Area and I wanted to make sure he and his partner had something fun to do on Thanksgiving.

I’m not going to lie, it feels awkward to share this, but hopefully it’s helpful for someone.

Is there something you would like to do more of, but hold back? Why do you think that is?

Alright enough feelings, it’s hacking time 🤘 *elaborate heavy metal guitar riff*

Sponsor

📣 Application Security Posture Management (ASPM) Deep Dive

You’ve probably heard of ASPM by now—the newest acronym in AppSec promising to transform your application security program into a holistic, risk-based strategy.

But why do we really need ASPM? And what are the must-haves for an ASPM to really provide that time-saving, risk-reducing value? 

Go deep(er) on those answers in this guide to:

• Get a breakdown of ASPM

• Learn what really goes into prioritizing application risk

• Explore what an AppSec control plane can do for you

• Understand if ASPM is for you

AppSec

Building a free Burp Collaborator with Cloudflare Workers
Gabriel Schneider describes how to use Cloudflare Workers to receive out-of-band connections during your web app testing (e.g. track when blind XSS triggers) and pipe the results to Discord, without paying for Burp Collaborator.

OMGCICD - Attacking GitLab CI/CD via Shared Runners
Pulse Security’s Denis Andzakovic describes attacking the docker-in-docker executor in GitLab, as well as general GitLab runner security risks and hardening steps.

The docker-in-docker executor requires the container to run in Privileged mode, when combined with Instance-level runner configuration effectively allows any user to compromise the runner Docker infrastructure and gain access to all information and secrets for any project which uses that runner (e.g. environment variables that include production creds).

50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua’s Ilay Goldman and Yakir Kadkoda highlight the risk of early exposure of CVEs in the public domain (e.g. via GitHub issues, commits, or PRs) before there’s a fix. Attackers could use this window to develop exploits.

They also released CVE-Half-Day-Watcher, a tool that leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released.

I’ve wondered for awhile if people were doing this, neat to see someone execute it and release a tool. Bonus points if you build automation that leverages an LLM to automatically write an exploit (example post). I’d be surprised if nation states and criminal orgs weren’t already prototyping this…

Sponsor

📣Continuous Monitoring + Compliance Automation from Vanta

When you're the person responsible for your company’s security, things can get complex fast. One solution? Continuous monitoring from Vanta.

Vanta automates compliance monitoring for your most critical programs and workflows. By streamlining vendor security reviews and asset discovery, you can quickly find and eliminate points of unauthorized access and proactively address potential threats.

And because Vanta automates up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance.

Try Vanta free for 7 days — no costs or obligations.

Conferences

BlueHat 2023 Videos Live
Some talks on AI security that look neat, and I’m looking forward to watching my bud Jason Haddix’s keynote.

BSidesSF CFP Deadline: December 11
BSidesSF is one of my favorite conferences: super sharp attendees, great talks and networking, and it’s right before RSA. You should submit a talk or workshop! *gestures encouragingly* I always go, hope to see you there 😃 

Cloud Security

AWS Blog

• Use scalable controls for AWS services accessing your resources - How to mitigate ‘confused deputy’ attacks using two new AWS IAM condition keys: aws:SourceOrgID and aws:SourceOrgPaths

• Establishing a data perimeter on AWS: Require services to be created only within expected networks using tools like IAM condition keys, AWS Config, and AWS Security Hub.

• Building sensitive data remediation workflows in multi-account AWS environments

secengjeff/awskillswitch
By Jeffrey Lyon: A Lambda function that streamlines containment of an AWS account and IAM roles during a security incident.

AWS pre:Invent 2023
Chris Farris gives a great overview of 40+ recent AWS announcements related to security and governance, with his usual delightful snark. “Kubernetes was the ancient Greek God of resume-padding.”

State of Cloud Security
Great report by Datadog analyzing the security posture data from thousands of orgs that use AWS, Azure, or GCP. Interesting stats across long-lived access keys, MFA, IMDSv2 enforcement, over-privileged workloads, and more.

Container Security

How to create an AMI hardening pipeline and automate updates to your ECS instance fleet
How to create a workflow to enhance Amazon ECS-optimized AMIs by using the CIS Docker Benchmark and automatically updating your EC2 instances in your ECS cluster with the newly created AMIs.

cloudflare/serverless-registry
A Docker registry implementation in Cloudflare Workers that uses R2 (Cloudflare’s version of S3).

pete911/kubectl-iam4sa
A tool to debug IAM roles for service accounts in Kubernetes. Includes commands for retrieving cluster information, listing service accounts, and verifying the OIDC provider.

The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets
Aqua’s Yakir Kadkoda and Assaf Morag describe using the GitHub API and regexes to locate Kubernetes secrets configuration files containing base64-encoded secrets. They found secrets that would allow registry-based supply chain attacks on major companies like SAP, two top blockchain companies, and various other Fortune 500 companies.

Gitleaks, TruffleHog, and Trivy did not detect these secrets at the time of testing.

Blue Team

BushidoUK/Breach-Report-Collection
By @BushidoToken: A collection of companies that disclose adversary TTPs after they have been breached, with links to the reports.

The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
NCC Group’s Margit Hazenbroek describes her research sampling 800,000 HTTP responses from public Censys scan data and using Levenshtein distance to detect anomalies, with the intuition that typos might indicate a malicious server.

Result: benign typos happen often, so they are not sufficient to detect malicious behavior.

My thought: I love when people post “negative results” (“I tried this and it didn’t work”), as that can be as or even more instructive than attempts that work out as expected.

Red Team

Building your first Metasploit exploit
Kevin Joensen walks through creating a Metasploit exploit (for the authenticated RCE vulnerability in PRTG), including setting up the development environment, building the exploit, and submitting it to Metasploit's public repository.

Hunting Vulnerable Kernel Drivers
Takahiro Haruyama describes how the Carbon Black Threat Analysis Unit identified 34 unique vulnerable Windows drivers that could be exploited to disable security software or install bootkits (an attacker without the system privilege could erase/alter firmware, and/or elevate privileges). They released the IDAPython script, results, and exploit PoCs.

Abusing Slack for Offensive Operations
SpecterOps’ Cody Thomas describes how Slack stores user cookies in plaintext on disk, which you can use to impersonate the user in all the workspaces they’ve logged into, even if they have MFA. You can: list the Slack workspaces a user is in, the files they’ve downloaded, log into a workspace even without knowing their password, etc.

Machine Learning + Security

Meta disbanded its Responsible AI team
It’s not like they’re releasing powerful, open source models. What could go wrong? 😅 

Adversarial Attacks on LLMs
Great overview post by Lilian Weng covering the threat model, types of attacks (token manipulation, gradient based attacks, jailbreaking, human in the loop red teaming, model red teaming), and mitigations. Love the paper references.

DHS, CISA and UK NCSC Release Joint Guidelines for Secure AI System Development
A new 20 page PDF on why AI security is different, and guidelines and recommendations for AI system development covering: secure design, secure development, secure deployment, secure operation and maintenance, and more.

Introducing Vanta AI
Features:

• Assess vendor security practices faster by automatically extracting relevant info from SOC 2 reports, DPAs, and other vendor documents.

• Auto-fill out vendor security questionnaires based on your existing library, previous responses, and uploaded policies and documents.

• If you want to add a new framework, it will automatically suggest the best tests and policies for each control based on what you already have.

LLMs are great at text. Notice how these applications are basically a) extract relevant info from text or b) answer questions based on an existing knowledge base.

The same “primitive” can apply to many domains. Here a) is for compliance, but a previous tl;dr sec included MITRE essentially doing the same to extract TTPs from cyber threat intelligence (CTI) reports.

Where else might these primitives apply at your work?

Machine Learning

I had basically a full newsletter worth of links this week, so to keep this email short, I created a standalone page for it.

Check it out for GPTs, tons of advancements in music, images and video, understanding what happened at OpenAI, and more.

Misc

• Bjarne Stroustrup Quotes 

  • “Proof by analogy is fraud.”

  • “If you think it’s simple, then you have misunderstood the problem.”

  • “Always be suspicious of ‘of course’: ‘of course’ is not a reason.”

  • “Beware of ‘obvious’; it often means ‘I haven’t thought carefully about it.’”

• Famous Pickpocket Apollo Robbins Demonstrates Tricks of the Trade to Tim Ferris

• Washington's Dream - A truly hilarious SNL sketch

• Tynan: Gear Post 2024

Athena-OS/athena-iso
An Arch Linux-based distro focused on cybersecurity, with a range of blue team, red team, pen testing, bug bounty, forensics, mobile analysis, and more tools.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgiblerp