[tl;dr sec] #222 - NSA's Top 10 Cloud Security Strategies, Secure by Design, Claude 3 + Fuzzing

Ten CloudSec guides from NSA & CISA, new Google whitepaper, auto-generating fuzzing code with Claude 3

Hey there,

I hope you’ve been doing well!

🎭️ Big Data

My latest #PeakBayArea experience was watching a play called Big Data, featuring BD Wong (who played Whiterose in Mr. Robot!).

BD plays a sort of personification of the surveillance economy, coming into people’s houses and asking them questions about themselves. He’s curious and just wants to learn about them.

Some people are resistant, but gradually open up as they want to be seen (as their partner is too busy) or as he offers some benefit (e.g. job opportunities that would allow better supporting their family).

I found it interesting to see all of these characters rushing about their days and lives, struggling for the next milestone, the next promotion, the next whatever, and failing to connect to the people right next to them. 🤔 

Have you seen any good shows recently?

Hope you’re having a great week!

Sponsor

📣 Hottest Kubernetes Security Questions – Answered

Is it more secure to host Kubernetes? Who is ultimately responsible for managing IAM? Should you give developers direct access to the Kubernetes API through kubectl? What causes misconfiguration in Kubernetes clusters?

Listen to five Kubernetes community experts – Frederick Kautz, Kat Cosgrove, Divya Mohan, Chris Short, and Kunal Kushwaha – answer some of the hottest security questions.

P.S. Going to KubeCon EU in Paris next week? Stop by booth #E15 and chat with Teleporters for more insights about the easiest and most secure way to access and protect all your infrastructure.

Love the transcript also right there on the page. Great discussion! 🔥 

AppSec

noraj/haiti
By Alexandre Zanni: A CLI tool and library to identify hash types (hash type identifier). 632+ hash types detected, supports modern algorithms (SHA3, Blake2), Hashcat and John the Ripper references, and more.

Product security: barking up the wrong tree
lcamtuf argues that as an industry we’re broadly investing in product security correctly, but lagging behind in enterprise security, failing at basics like meaningful asset inventories, privilege reduction, and comprehensive access control.

Death Knell of the NVD?
Aquia’s Chris Hughes on how the NIST National Vulnerability Database (NVD) is facing criticism due to a vague announcement on upcoming changes and a significant drop in the rate at which it’s analyzing new CVEs. The backlog means the ecosystem of security tools built on top of it may not report complete results. Chris shares other vulnerability databases, such as the Sonatype OSS Index, Google’s OSV, and GitHub’s Advisory Database.

Tackling cybersecurity vulnerabilities through Secure by Design
I love this new 8 page whitepaper by Google’s Christoph Kern, highly recommend reading. Google offers four principles for Secure by Design: user/customer-centric design, developers are users too, thinking in terms of invariants (security properties that should always hold), and design for understandability and assurance.

“It is essential to design developer ecosystems such that they take responsibility for ensuring key security properties of the resulting software, rather than leaving this responsibility to individual software engineers and development teams.”

See also Google’s Perspective on Memory Safety (“We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety”), and Christoph’s AppSec Cali 2016 talk Preventing Security Bugs through Software Design, which is still great and relevant.

Sponsor

📣 What actually is ASPM? Acronymically Speaking, Purely Marketing? 🤔

Say goodbye to overwhelming AppSec backlogs, chaotic security code reviews, and haphazard risk assessments. With application security posture management (ASPM), those are things of the past. Or at least that’s what everyone claims…

To help you navigate this buzzwordy space, we created this straightforward guide. Learn what ASPM actually is (we promise it's not just marketing), its 4 core components, how different approaches compare, and why context (sorry for the buzzword 🙃) is the key to risk prioritization, remediation, prevention, and measurement.

I hear about ASPM a fair amount these days, nice to learn more about it 👍️ 

Cloud Security

ServerlessHorrors
A blog containing various stories of people racking up big serverless bills.

From Lighthouse to Loran - Navigating GCP Security Auditing Tools
Alex Morgan surveys first-party and open-source security audit tools for GCP. First-party tools: Security Command Center, gcp_scanner, GCP Policy Analyser, and IAM Recommender. Third party tools: Prowler, Scout Suite, CloudSploit, Cloud Custodian, Steampipe, and many more.

Cloud Security Maturity Model Assessment v2.0
Securosis' Rich Mogull breaks down version 2 of the Cloud Security Maturity Model. The model breaks a cloud security program down into three domains (Foundational, Structural, Procedural), containing twelve total categories. There are ~100 control objects (e.g. "MFA is required for access to the cloud console/portal"), many of which are mapped to AWS-specific technical controls.

I'm excited by this revision, which leans into the original CSMM's strengths as a framework, versus the initial pitch as a diagnostic. Shout out to Securosis, IANS, and the Cloud Security Alliance for releasing this all for free (and without a content gate)!

NSA’s Top Ten Cloud Security Mitigation Strategies
A great set of documents on cloud security from the tag team of the NSA and CISA. Each of the ten strategies is its own comprehensive PDF. They all contain tactical mitigation guidance, map back to MITRE ATT&CK, and consolidate and amplify evergreen and cloud-specific guidance like:

  • Require the use of phishing-resistant MFA for user accounts

  • Use infrastructure as code to deploy infrastructure resources from a centralized location.

  • KMS APIs may add new operations over time. Granting access to all API operations in a key policy could lead to unintended access permissions.

  • and much more!

Sponsored

📣 Forrester Wave Report: Cloud Workload Security

Unlock findings from the latest Forrester Wave™ Cloud Workload Security, Q1 2024, which analyzed the top 13 Cloud Workload Security (CWS) providers in the market today.  

Download your copy of this report to learn:  

  • A comprehensive view of the top CWS solutions in the market  

  • How the CWS market is rapidly consolidating previously siloed security solutions  

  • Which CWS solution best meets your business needs  

A free analyst report without donating my remaining kidney, I’m in! 🤘 

Container Security

Kubernetes LAN Party
Wiz’s Nir Ohfeld and Shir Tamari have created a Kubernetes CTF with 5 mini-challenges on Kubernetes network security, focused on real issues you might face where you deploy your K8s environment (AWS, Azure, GCP, etc.).

Kubernetes RBAC: Role-Based Access Control
RAD Security’s (formerly KSOC) Jimmy Mesta provides a nice overview of Kubernetes RBAC, “security context” in Kubernetes, RBAC best practices, top 5 over-permissions, open source tools (Krane, Kubiscan, Kubescape, rbac-police), and more. One of RAD’s cultural values: “Anyone Can Cook.”

Speed Meets Security: How Bottlerocket Optimizes EKS Workloads
Autify’s Matthew Hopkins compares Amazon Linux 2, Amazon Linux 2023, and Bottlerocket, finding that Bottlerocket has faster worker node startup times and better security: a more minimal attack surface (minimal deps, no interpreters or shells), a read-only root file system, SELinux in enforcing mode by default, image-based updates via TUF, all executables built with hardening flags, and Secure Boot enabled on platforms that support UEFI boot.

Blue Team

Free Monitor Certificate expiry via RSS
An entirely free service that monitors the expiry of TLS certificates via RSS without any sign-up. It’ll send you a notification 30 days, 7 days and 1 day in advance.

badsectorlabs/ludus
By Bad Sector Labs: Build easy-to-use cyber environments for testing and development, with Proxmox and Ansible. Comes with Game of Active Directory and vulhub templates.

You can not simply publicly access private secure links, can you?
Vin01 offers a great overview of the problem that malware and URL analysis tools (like urlscan.io and Cloudflare Radar) often reveal submitted URLs publicly by default. This can lead to a security issue when the submitted URL is a capability URL (aka Secret URL) or a link to a private file that isn't protected with authentication. Vin01 also reproduces earlier research from Positive Security's Fabian Bräunlein, by using canary files to see people automatically scanning submitted links.

Check out Lessons learned: Using a cybersecurity vendor to check for malicious links, when Dropbox was caught by this footgun.

Red Team

skelsec/evilrdp
By SkelSec: A GUI and CLI RDP client library, made for red teamers. In addition to commands allowing automated control of the target, it also has built-in support for using the client as a SOCKS proxy via RDP.

Persistence - Visual Studio Code Extensions
Pentest Lab describes how Visual Studio Code extensions can be exploited for persistence in a compromised development environment. The post covers how activation events in the package.json file can be used for persistence (e.g. on startup), how extension code can run commands or execute locally stored implants, how PowerShell can be used to execute a fileless payload, and how Edge.js can run .NET code inside Node.js.

Git-Rotate: Leveraging GitHub Actions to Bypass Microsoft Entra Smart lockout
Aura Infosec's Daniel Underhay shares a technique for bypassing IP-based password spray blocking using GitHub Actions. A demo implementation, hard-coded for the Microsoft login portal, was released at dunderhay/git-rotate.

I like Daniel's framework for identifying possible candidates for IP rotation: can rotate IP address with each (or a few) request(s), can be used programmatically, free or cheap, large IP address space.

AI + Security

Chinese national charged with stealing AI secrets from Google
This is more China’s MO than an isolated incident.

BishopFox/llm-testing-findings 
An open source collection of LLM Integration & Application Findings from Bishop Fox. Consider using these for a “tabletop” assessment of your own LLM integrations and applications.

referefref/gitdoorcheck
By James Brine: A static analysis tool that uses OpenAI's gpt-4-turbo-preview model to scan git repos for backdoors and malicious code. Uses the prompt: "Analyze the following source code for any potential backdoors, extraction of credentials, secrets or access tokens, vulnerabilities, privilege escalation, persistence or any other potentially malicious functions. ..."

Claude 3 writing a fuzzer for a small C GIF decoding library
VERY cool thread 🔥 from Brendan Dolan-Gavitt (moyix): “I gave Claude 3 the entire source of a small C GIF decoding library I found on GitHub, and asked it to write me a Python function to generate random GIFs that exercised the parser. Its GIF generator got 92% line coverage in the decoder and found 4 memory safety bugs and one hang.” Brendan shares the fuzzer, the coverage report, GIFs generated, etc.

The kicker: “As a point of comparison, a couple months ago I wrote my own Python random GIF generator for this C program by hand. It took about an hour of reading the code and fiddling to get roughly the same coverage Claude got here zero-shot.”

Separately, the importance of doing due diligence in your LLM experiments (read the full thread for context). Sean Heelan’s reproduction repo is 👌 

Misc

📖 The Security Path
Friends of the newsletter Mark Hillick and Will Bengston have released a new book on building your career in cybersecurity. I contributed a chapter, as did a number of other awesome folks. They were kind enough to give me a 40% discount code to share with you all: tldrsec (Note: limited to first 250 people).

Using socially responsible marketing to fund non-commercial open source security tools
Crash Override announces their Open Source Fellowship program, which will pay core maintainers of important OSS security projects (first project: ZAP), instead of “setting up a security research team, to find and publish vulnerabilities that will get eyeballs on our brand and product.” ZAP has a nice blog post with an analysis of various funding models.

Personally I love open source and I think it’s great to experiment with how as an industry we can make open source development and maintenance sustainable.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler