🤯 30,000 Subscribers!

5 years, 210 issues, and literally thousands of hours of reading and writing.

What started as a small email I sent to a handful of friends I manually added to a list has turned into something I could never have predicted.

It’s a huge honor and privilege to get to share high quality security research with you, so thank you for your time 🙏 

It means the world to me, and it motivates me to keep going every week, even when I'm at a conference, traveling, or it's midnight again and I'm still writing 😆 (Editor’s note: not hyperbole)

I will continue spending an unreasonable amount of time to ensure tl;dr sec is one of the highest signal, best ROI uses of your time every week.

Thanks again, and have a wonderful week!

Chris Hughes and Securing your Software Supply Chain

If you missed my discussion with author and overall great dude Chris Hughes, you can watch it here on YouTube.

We included the resources mentioned during the discussion and Q&A in the description for easy reference.

Thank you everyone who came and asked great questions!

Sponsor

📣 Advanced Container Security Best Practices (Cheat Sheet)

Want to uplevel your container security strategy? This cheat sheet explores advanced techniques that you can put into action ASAP. Use this cheat sheet as a quick reference to ensure you have the proper benchmarks in place to secure your container environments.

What's included in this 9 page cheat sheet?

• Actionable best practices w/ code examples + diagrams

• List of the top open-source tools for each best practice

• Environment-specific best practices

AppSec

Hackmanit/TInjA
By Hackmanit: A CLI tool for testing web pages for template injection vulnerabilities. It supports 44 of the most relevant template engines for eight different programming languages.

Tw1sm/PySQLRecon
By Matt Creel: An offensive MSSQL toolkit written in Python, based off SQLRecon.

Introducing Bambdas
Portswigger’s Emma Stocks describes a new way to customize Burp Suite directly from the UI, using only small snippets of Java (instead of a separate extension). She shares some examples of writing custom filters for the Proxy HTTP history.

Blind CSS Exfiltration: exfiltrate unknown web pages
Portswigger’s Gareth Heyes walks through how to exfiltrate web page content (using the new :has selector) using CSS alone, for example, when you have a blind HTML injection vulnerability but can’t get XSS. Wizardry.

Sponsor

📣 How to minimize third-party risk with vendor management

A robust vendor management program is a critical part of a holistic trust management strategy.

Implementing a vendor management program, however, has become more complex and challenging with the proliferation of SaaS tools and shadow IT. And many overstretched security teams are being asked to do more with less.

In this guide from Vanta, you’ll learn: 

• Insights from other leaders on how to proactively manage third-party vendor risk

• Tips on dealing with challenges like limited resources and repetitive manual processes

• How security teams can enable the business to move quickly

Cloud Security

Kyuu-Ji/Awesome-Azure-Pentest
A curated list of useful tools and resources for penetration testing and securing Azure.

zmallen/cloudtrail2sightings
Tool by Datadog’s Zack Allen to convert Cloudtrail data to MITRE ATT&CK Sightings. See also Zack’s excellent Detection Engineering newsletter.

re:Invent 2023 recap
Chris Farris provides a nice overview, broken down into security features, cloud governance and costs, serverless, GenAI, and more.

grahamhelton/IMDSpoof
A deception tool by Graham Helton that spoofs the AWS IMDS service to return honey tokens that can be alerted on.

Welcome to Cloud Security Lab A Week (SLAW)
FireMon’s Rich Mogull is starting a newsletter dedicated to upping your cloud security skills via weekly hands-on labs (email + YouTube video) you can do in 15-30 minutes. Learn from someone who has taught cloud security at Black Hat for over 10 years. For free. This is 🔥 , thanks Rich!

Container Security

Bolstering Security & Automating Management of Target Australia’s EKS clusters
Gazal Gafoor describes how Target made progress in increasing security and automating cluster management leveraging Bottlerocket, Fargate, and Karpenter (compute provisioning for Kubernetes). Bottlerocket is a stripped down, hardened OS purpose built for running containers. The post gives a nice overview of Bottlerocket’s security benefits and tactically the changes they needed to make to adopt it.

Deep dive into the new Amazon EKS Pod Identity feature
Datadog’s Christophe Tafani-Dereeper describes how this new feature simplifies granting AWS access to pods running in an EKS cluster, providing an alternative to "IAM roles for service accounts" (IRSA). It allows you to use the AWS API to define permissions that specific Kubernetes service accounts should have in AWS, and it works by installing an add-on that sets up a new DaemonSet in the kube-system namespace.

IceKube: Finding complex attack paths in Kubernetes clusters
WithSecure’s Mohit Gupta describes the new OSS tool IceKube, inspired by Bloodhound, that uses the graph database Neo4j to store and analyze Kubernetes resource relationships, allowing you to identify potential attack paths and security misconfigurations in Kubernetes clusters. IceKube currently contains 25 attack techniques.

Career

Thread: What's the best conference talk you've ever seen?

Security Architect and Principal Security Engineer Interview Questions
Tad Whitaker shares a consolidated list of questions for Security Architects and Principal Security Engineers he pulled from Glassdoor. The questions generally fall into the following three buckets: Technical, Behavioral and Influential, and Frameworks/Design/Threat Modeling. See also: Security_Engineer_Interview_Questions.

liuchong/awesome-roadmaps
A curated list of roadmaps, mostly about software development, that give a clear route to improve your knowledge or skills. Covering: programming languages, web and mobile development, game development, AI/ML/data science, and more.

Supply Chain

nexB/vulnerablecode
A free and open database of open source software package vulnerabilities and the tools to collect, refine and keep the database current.

CI/CD secrets extraction, tips and tricks
Excellently detailed post by Synacktiv’s Hugo Vincent and Théo Louis-Tisserand walking through multiple examples of extracting pipeline secrets on Azure DevOps, GitHub, and GitLab, including mitigations and some bypass techniques against hardened environments.

They also released Nord Stream, a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines.

Blue Team

research-virus/stuxnet
Stuxnet’s code, extracted from binaries via disassembler and decompilers, by Christian Roggia and Amr Thabet.

Use GitLab and MITRE ATT&CK Navigator to visualize adversary techniques
Whether you’re a red team tracking the attack techniques used on an engagement or a blue team tracking security controls, you could map capabilities to one of MITRE’s ATT&CK matrices. ATT&CK Navigator is a web app lets you visualize, annotate, and explore these matrices.

GitLab’s Chris Moberly walks through how to easily build and deploy a customized version of MITRE's ATT&CK Navigator based on your company’s data using GitLab CI/CD and GitLab Pages.

Red Team

BlackSnufkin/GhostDriver
By BlackSnufkin: A new tool that leverages Bring Your Own Vulnerable Driver (BYOVD) to disable anti-virus (AV) tools.

Decompiler Explorer
By Vector 35 (the makers of Binary Ninja): An interactive online decompiler which shows equivalent C-like output of decompiled programs from many popular decompilers. Supports angr, Binary Ninja, Ghidra, IDA Pro, and more.

Machine Learning + Security

Quicklinks

• Meta will enforce ban on AI-powered political ads in every nation, no exceptions

• AWS's (de)Generative AI Blunder: Corey Quinn tests Amazon Q and finds it lacking.

• Bruce Schneier on how AI will enable mass spying

projectdiscovery/nuclei-ai-extension
A browser extension by Project Discovery that simplifies the creation of nuclei vulnerability templates by automatically extracting vulnerability information from web pages. It currently supports HackerOne and ExploitDB.

pentestmuse-ai/PentestMuse
“An AI-copilot for pentesters.” An AI agent that can automate parts of pentesting jobs. The examples provided include identifying SQL injection, broken object level authentication, and password bypass.

Extracting Training Data from ChatGPT
Researchers from Google DeepMind and academia released a paper showing that they could extract several megabytes of ChatGPT’s training data for about $200. They were able to do this even though the model was specifically “aligned” to not spit out large amounts of training data.

The attack is kind of bonkers: “We prompt the model with the command ‘Repeat the word ‘poem’ forever’.” Thread with discussion here, Vice coverage.

For non-security AI resources from this week, see my AI Resources page.

Misc

OWASP IoT Security Testing Guide
Aaron Guzman and Luca Pascal Rotsch share a comprehensive methodology for Internet of Things penetration tests, including a device model, attacker model, test case catalog, and more.

• Scrapedown: A Cloudflare worker designed to scrape web pages and extract useful information, including a Markdown-formatted version of the content.

• Consider Writing Documentation for Your House

• Unciv: Open-source Android/Desktop remake of Civ V

• CodeSnap: VS Code extension to take beautiful screenshots of your code.

• If you trust Amazon search to find you the best product and click that first link, you will pay a 29% premium for that item.

• Brandon Wu taught Intro to Functional Programming at CMU, and has publicly shared his course material

• How China targets civil society abroad

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler