🏜️ Hacker Summer Camp: Part 1

Phew, I’m now about halfway through my 6 day Vegas trip.

I’m trying to really lean into the multi-conference montage being a marathon, not a sprint.

By: ~8 hours of sleep a night, daily exercise, eating healthy, minimal alcohol, extra vitamin C 2x/day, and of course, continuing a multi-step face skincare routine (gotta keep the money maker in good condition 🤌 ).

I brought a high protein mix thing to eat for breakfast. I realized I didn’t bring a bowl or spoon, so yesterday I put some mix in a cup with water and stirred it with my finger, and then drank it.

As you can see, newsletter writers live a pretty high roller life 😂 

Also, I wanted to say a HUGE thank you to everyone I’ve met who’ve said they enjoy tl;dr sec— that’s been fuel that’s kept me going, as I spend hours in my hotel room writing this very email.

Hope you’re surviving the heat, or more sanely, staying home!

P.S. I’m going to be at the LevelUp party tonight (Thursday) at 7pm at MGM Grand, come say hi (and get stickers)! See other Semgrep stuff here. I’ll also probably be around the DEF CON AI village.

P.P.S. If you were wondering if all the security newsletters folks know each other, of course the answer is yes. Shout-out also to my friends Ross Haleliuk, Ashish, and Shilpi who came later.

Sponsor

📣 2024 Gartner® Market Guide for CNAPP 

Find recommendations for evaluating and adopting a CNAPP in the 2024 Gartner Market Guide for CNAPP.

Read the report to learn:

• The benefits of a CNAPP solution in your cloud security strategy

• Key capabilities and characteristics to look for in a CNAPP, including deep relationship graph analytics expertise

• Recommendations for how you should approach a CNAPP evaluation and deployment

👉 Get the Report 👈

Cloud Security

Sponsor

📣 Discover, secure, and govern genAI use

Nudge Security has discovered over 500 unique genAI apps in customer environments to date, without the need for agents, browser plug-ins, network proxies, or any prior knowledge of an app’s existence. 

Within minutes of starting a free trial, you’ll have a full inventory of all genAI apps in use (along with every other SaaS app) and security profiles for each provider to quickly vet new or unfamiliar tools. 

Get your free genAI inventory today. 

👉 Free Trial 👈

Nice! Getting visibility into how your colleagues are #yolo using AI is quite useful. I’ve heard good things about Nudge Security from a few friends 👍️ 

Container Security

Kubernetes Security Fundamentals
Great video series by Datadog's Rory McCune on Kubernetes and container security fundamentals, covering Kubernetes API security, AppArmor, Linux capabilities and namespaces, and more. Rory has also done a blog series on the same topics, see below.

Kubernetes security fundamentals: Authorization
Datadog's Rory McCune dives into Kubernetes authorization, describing various authorization modules like RBAC (role-based access control), ABAC (attribute-based access control), Node Authorizer, and Webhook Authorization, and their roles in managing permissions within a cluster. Also, be aware of the system:masters group, which bypasses all authorization checks.

Supply Chain

GitHub Actions exploitation: untrusted input
Synacktiv's Hugo Vincent explores three common misconfigurations (expression injection, dangerous artifacts and dangerous checkouts) that can be exploited to gain write access to a GitHub repository or extract sensitive secrets. The author provides vulnerable examples for each misconfiguration, affecting repositories from companies like Microsoft, Apache or Excalidraw.

They also released octoscan, a static vulnerability scanner for GitHub Action workflows.

Compromising ByteDance's Rspack using GitHub Actions Vulnerabilities
Praetorian's Adam Crosser and John Stawinski discovered critical Pwn Request vulnerabilities in the GitHub Actions for the Rspack repository. These vulnerabilities allowed them to retrieve the NPM deployment key used to push new Rspack packages and a GitHub Personal Access Token with administrative privileges on the Rspack repository.

Configure GitHub Artifact Attestations for secure cloud-native delivery
GitHub Artifact Attestations is now generally available, which allows you to create provenance and integrity guarantees to verify what you have built within GitHub Actions can be traced back to its source code, meeting SLSA v1.0 Build Level 2 requirements.

You can create attestations for any type of artifact (executable, package, container registry, or even a .zip file), and the post walks through setting up a Kubernetes admission controller to validate deployments against attested images.

Blue Team

Engineering a SIEM part 3: Creating Cost-Effective, Scalable Detections
Rippling’s Piotr Szwajkowski outlines requirements of a cost-effective, scalable detection engine, AWS Lambda, Snowflake, and DynamoDB to manage alert deduplication, customizable alert routing, and CI/CD pipelines for automated testing and deployment.

💡 This meaty post (and part 1 & 2), are such great examples of really thinking through detection engineering tooling and workflows. It’s not often I see this level of detail in “how and why I build this security tooling this way.” Great read!

DuneGroup/ice-axe
A Snowflake Native Application to threat hunt in your Snowflake environment (efficiently audit and monitor login history, user activities, and system usage), from some former senior Snowflake security leaders (Jacob Salassi, Michele Freschi, as well as Jacolon Walker).

💡 Pro-tip: If you want inbound reach outs from VCs, work at a few reputable companies, then have “Co-founder at Stealth” in your LinkedIn bio. Apparently there’s also an X account that does this.

Red Team

wikiZ/RedGuard
RedGuard is a Go-based C2 front flow control tool designed to evade detection by blue teams, AVs, and EDRs, with features including IP allowlisting, domain fronting, and identifying requests from cloud sandboxes based on JA3 fingerprints (so they can be ignored).

EDR Telemetry Blocking via Person-in-the-Middle Attacks
Tier Zero Security’s Eito Tamura describes how EDR telemetry can be blocked using a person-in-the-middle attack via ARP spoofing, using Server Name Indication (SNI) in TLS handshakes to selectively filter traffic (e.g. to Microsoft Defender, Crowdstrike), and has released edr_blocker to do it.

Phishing the anti-phishers: Exploiting anti-phishing tools for internal access
Ophion Security’s Rojan and Tanner describe how anti-phishing tools (e.g. Proofpoint, Barracuda Networks, Palo Alto Networks Cortex XSOAR) can be used to gain unauthorized access to internal SaaS services by abusing email verification processes that do not require authentication.

Basically: you register for a SaaS app like Atlassian with an email like [email protected] → the anti-phishing tool automatically scans the email verification email and clicks the “confirm” link → boom, now you can log in and view internal workspaces. See also Exploiting Application Logic to Phish Internal Mailing Lists.

AI + Security

Apple Intelligence’s system prompts
Broke: prompt engineer Apple Intelligence to reveal its system prompt
Woke: just search for a .txt file containing the prompts lol.
H/T Max Woolf.

Llama 3.1 and CyberSecEval 3
Nice overview by Joshua Saxe on what Meta’s team did (extensive cybersecurity testing, capabilities evaluation, and risk mitigation) before Llama 3.1’s release, and reflections on the current state of things. He links to the CyberSecEval 3 paper and updated security tooling: offensive cybersecurity content moderation capabilities in Llama Guard 3, and improved prompt injection detection with PromptGuard.

Utilizing Generative AI and LLMs to Automate Detection Writing
Dylan Williams shares an excellently detailed post about using LLMs to write detections. I like how he shares a number of useful prompt engineering resources, different prompting strategies, discusses Retrieval Augmented Generation (RAG), gives an example prompt, and shares general tips. He also recently open sourced DIANA, see below.

dwillowtree/diana
DIANA (Detection and Intelligence Analysis for New Alerts) is a tool by Dylan Williams that a) automates the creation of detections from threat intelligence (given example detections, logs, and your detection writing process), and b) can spin up a crew of autonomous AI agents that perform threat detection research on your topic of choice.

Misc

Tech Analysis: Addressing Claims About Falcon Sensor Vulnerability
CrowdStrike’s write-up on how the out-of-bounds memory read bug provides no mechanism to write to arbitrary memory addresses or control program execution, even under ideal circumstances, and the steps they take to protect the Falcon Sensor from malicious tampering (certificate pinning, checksum validation, access control list(s) on directories and files, anti-tampering detections).

• Brutally Honest Advice for Men To Win In Their 20s - A shot of motivation from Alex Hormozi straight into your heart. I’m not in my 20s, but I still found it useful.

• My First Million podcast: 10 AI Business Ideas From The Queen of AI ft. Sarah Guo

• Leaked Documents Show Nvidia Scraping ‘A Human Lifetime’ of Videos Per Day to Train AI

• Parody site ClownStrike refused to bow to CrowdStrike’s DMCA takedown

• Study: Partisan bot accounts on X amplify divisive content, getting >4B views. I thought Elon was going to fix the bot problem? 🤔 

• Wiz CEO’s letter to employees after turning down Google’s $23B acquisition offer - “As we always say: LFG.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler