🎉 BSidesSF and RSA

This week has been an awesome whirlwind of catching up with friends and meeting cool people.

I’ll share a few quick thoughts, more next week:

• Shout out to Flee and Matt Johansen for throwing an awesome event at Reddit, it was really fun to see the office (a dream of college nerd, and current nerd Clint).

• I recorded an episode for the AI CyberSecurity Podcast with my buds Ashish and Caleb Sima that’ll come out in a few weeks.

• Big thanks to Ari for an excellent AI x Cybersecurity demo night.

• I had a great chat with someone whose delightfully snarky blog I’ve enjoyed for some time.

• I heard an ex-three letter agency senior official talk off the record about TikTok skewing what’s being shown to U.S. viewers on divisive issues, and whispers of what future frontier models might be able to do as well as potential scaling challenges.

Thank you to everyone who came up and said hi!

It was so nice to meet you, and it’s incredibly gratifying to hear that you find tl;dr sec useful, and humbling to hear how much people read and share it.

And it keeps me motivated on nights like tonight (Wed), where other people are out having fun and socializing while I just have these teardrops on my keyboard.

Sponsor

📣 WorkOS, enterprise-grade auth for B2B SaaS

WorkOS is a modern identity platform that supports SSO, SCIM, user management, and RBAC. 

It recently acquired Warrant, a Fine Grained Authorization service based on Zanzibar, designed by Google to power Google Docs and YouTube. Warrant enables fast authorization checks at enormous scale while maintaining a flexible model that can be adapted to even the most complex use cases.

WorkOS is already used by hundreds of high-growth startups like Vercel, Perplexity, and Webflow.

If you need enterprise features like SSO, consider WorkOS—a drop-in replacement for Auth0. Best of all, it's free up to 1 million MAUs.

👉️ Read more about the acquisition 👈️

Conference

BSidesSF Summaries
I live tweeted summaries of Caleb Sima’s keynote AI is the Key to CISOs Top Challenges and Evan Johnson’s Startup Security 2.0.

RSA Conference 2024 – Announcements Summary (Day 1)
Nice overview by Security Week. Lots of AI, as you’d expect. See also Day 2.

AppSec

HexaCluster/pgdsat
A PostgreSQL Database Security Assessment Tool that checks around 70 security controls of your PostgreSQL clusters, including all recommendations from the CIS compliance benchmark.

intigriti/misconfig-mapper
A tool by Intigriti that can identify and enumerate instances of services used by a company (e.g. Jira, Jenkins, Gitlab, …) and detect security misconfigurations at scale.

PCI DSS 4.0; Certificate Transparency Monitoring is mandatory!
Scott Helme describes the new PCI DSS changes, and how Certificate Transparency (CT) monitoring, which ensures all publicly trusted certificates issued for your domains are detected and inventoried, can enable you to detect an attacker tricking a Certificate Authority into issuing a cert for your domain.

Sponsor

📣 Compete in a Lacework CTF Challenge

You’ll have one hour to complete as many cloud security challenges as possible and the top 3 scorers will win a Valve Steam Deck. Due to popular demand, there is an additional session on May 22. Spots are limited, so register now.

👉️ Register now 👈️

Free CTF and the potential to win a Valve Steam Deck?! Let’s go! 🥳 

Cloud Security

hac01/gcp-iam-brute
By @Hac10101: A tool that leverages the testIamPermissions feature in GCP to perform fuzz testing for different permissions to identify potential security vulnerabilities or misconfigurations.

scp-deny-making-agreements-purchases-and-reservations
A Service Control Policy (SCP) by Michael Kirchner that prevents member accounts from entering long-term financial agreements or making long-term reservations.

Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI
If you’re interested in vulnerability research, I found this post by Sprocket Security’s Will Vandevanter interesting. Methodology: they downloaded a Palo Alto NGFW AWS Marketplace AMI that was patched, then downgraded it to a vulnerable version (Device > Software). They snapshotted the running instance, downloaded it with RhinoSecurityLabs’ dsnap, ran it in a VM, and then they could review the diff of the two versions to hone in on the fix (and thus the bug).

How an empty S3 bucket can make your AWS bill explode
Maciej Pocwierz describes how S3 charged him for unauthorized requests, which means anyone who knows the name of one of your S3 buckets can ramp up your AWS bill. S3 has said they will change this behavior so that you’re not charged for unauthorized requests.

This occurred because a popular open source tool had a default config to store their backups in S3 using a placeholder bucket name that happened to be the one he chose. When he opened the bucket to public writes he collected 10GB of data in <30 seconds!

💡 Research idea: Someone should go through all the popular OSS tools and see if you can register those bucket names, ideally before attackers do…

Container Security

doitintl/kube-no-trouble
By DoiT International: Easily check your Kubernetes clusters for use of deprecated APIs.

remorses/docker-phobia
By Tommy D. Rossi: A tool to analyze Docker images and make them slim. Generates a visual representation of the size of each folder or file in the image, grouped by layer.

Hardened Container Images: Images for a Secure Supply Chain
Chainguard’s John Speed Meyers and Paul Gilbert share insights from their inaugural “Hardened Container Images” report, including:

• As you’d expect, most popular unhardened Debian-based images have many CVEs (~300), using Grype to scan.

• Updating operating system packages reduced CVEs by ~5%, debloating containers using tech like Rapidfort reduced CVEs by ~64%.

• In terms of CVEs, Canonical’s Chisselled images > U.S. Air Force’s Iron Bank > Red Hat-provided images.

Sponsor

📣 How-To: Generate identity for Workloads with SPIFFE to achieve Zero Trust

Want to know how you can generate identity specific to workloads and services, enabling your full modern infrastructure stack to operate with zero trust authentication? Join Noah and Dave as they explain how you can do that with Teleport Workload Identity and the SPIFFE standard from the CNCF.

🗓️ May 23 @ 10 AM PT

👉️ Register Now 👈️

Supply Chain

octo-sts/app
Chainguard has released the source code for octo-sts, a GitHub app that functions as a Security Token Service (STS) for the GitHub API, aiming to eliminate the need for personal access tokens by producing short-lived tokens for GitHub interaction based on OpenID Connect (OIDC) tokens and trust policies. The original blog post was referenced a few issues ago.

Nearly 20% of Docker Hub Repositories Spread Malware & Phishing Scams
JFrog’s Andrey Polkovnichenko, Brian Moussalli, Shachar Menashe describe how they discovered three large-scale malware campaigns that planted millions of “imageless” repositories (no content except for the repository’s documentation) with malicious metadata, and found that ~18.7% of Docker Hub public repositories (~2.81M repositories) actually hosted malicious content. The content ranged from simple spam that promotes pirated content, to malware and phishing sites.

How I hacked into Google’s internal corporate assets
Michael Hyndman describes how he was able to get code execution on Google internal corporate assets, a self-driving car company’s CI/CD pipeline, and more via dependency confusion (registering a package name on a public package manager like NPM that matches a company’s internal package name). He found potential package names by reviewing dependency files (e.g. package.json) and looking for imported packages (import ‘packagename’) on GitHub, as well as trying to extract them from live JavaScript on websites.

💡 I would guess that Google has the maturity and resources to lock down their environment more than most companies, so if they’re still affected by dependency confusion, I would expect most companies are to varying extents.

Blue Team

cisagov/parsnip
By CISA: A tool developed to assist in the parsing of protocols using the open source network security monitoring tool Zeek. It’s specifically designed to be applied towards developing Industrial Control Systems (ICS) protocol parsers, but can be applied to any protocol.

ATT&CK v15 Brings the Action: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights
MITRE’s Amy Robertson describes the latest ATT&CK update, which focuses on actionable detection engineering upgrades, and includes new TTPs, expanding the Cloud matrix, a new analytics format in a real-world query language style, ICS, mobile, threat intelligence, and more.

Red Team

Diverto/IPPrintC2
A proof of concept for using Microsoft Windows printers for persistence / command and control via Internet Printing. Sneaky 😱 

CCob/okta-terrify
By Ceri Coburn: A tool to demonstrate how passwordless solutions such as Okta Verify's FastPass or other FIDO2/WebAuthn type solutions can be abused once an authenticator endpoint has been compromised.

AI + Security

Cloud-Native Threat Modeling GPT
A custom GPT by Jon Zeolla that’s been pre-populated with a knowledge base that understands modern innovations in security assessments and digital transformation, and it suggests improvements in security that also improve quality and observability.

cybershujin/Threat-Actors-use-of-Artifical-Intelligence
By Rachel James: A collection of uses of AI by threat actors (Fancy Bear, Lazarus, and more), mapping public reports to LLM techniques, tactics, and procedures (TTPs), including leveraging LLMs to write scripts, reconnaissance, etc.

Companies Are Just a Graph of Algorithms
Daniel Miessler argues that companies are really just a graph of algorithms, from the overall workflow when users use the product, to internal functions like marketing. Each workflow step can be represented like a node in a graph, and gradually AI will be used to optimize both the overall workflows and individual steps, either streamlining or automating them.

Consultancies like McKinsey will take a break from wildly profiting from pushing opioids and giving countries like Saudia Arabia a journalist hitlist to help businesses become more efficient and need fewer people.

See also: AI is Mostly Prompting.

Misc

• Debugging Tech Journalism - Why a huge proportion of tech journalism is characterized by scandals, sensationalism, and shoddy research, and how we might fix it.

• The Czech illegals: Husband and wife outed as GRU spies aiding bombings and poisonings across Europe

• Quiet on Set: The Dark Side of Kids TV - A new docuseries on some inappropriate behavior by some of the adults producing Nickelodeon shows.

• Jason Haddix on JavaScript to auto-accept all LinkedIn requests

• I keep making things out of checkboxes - Crazy animations

• Supposedly Athletic Greens pays influencers $25 per month for any customer they refer

• An SF Chronicle reporter went undercover in high school - The real life version of the “hey fellow kids” meme.

• Tips for Linking Shell Companies to their Secret Owners

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler