🤫 Vegas Tales

Somehow I managed to spend 6 days in Vegas around lots of people without getting sick. The extra sleep, vitamins, and animal sacrifices must have worked 🐐 

I may write a longer round-up post at some point, but some highlights:

Caleb Sima’s White Rabbit launch party. Lots of cool folks, and shout-out to Decibel for always throwing great events.

Hearing the inside scoop of major security events that were in the news.

The surreal experience of playing Cards Against AppSec (shout-out to my friend Tanya Janca for making it!), and observing people playing a card with my name on it 😅 

Hanging out with the Trail of Bits AIxCC folks (H/T Michael, Ian, Evan, and Suha). Always a blast catching up with Dan Guido as well.

Embarrassingly, I remembered the night before DEF CON that I failed to buy a ticket ahead of time, did not bring enough cash, and only had credit cards, not debit cards (ATMs not happy). Fortunately, I asked my former three-letter-agency friend if I could borrow some cash, and he pulled out the biggest roll of $20’s I have ever seen in person, and lent me enough to buy a ticket. Phew.

It was great grabbing dinner with a bunch of the OpenAI security team (shout-out Jennifer and Josh). When splitting the bill, I took a photo and tried to have ChatGPT add up sub totals based on our annotations. It got the math right but missed an item or two. For shame!

If you attended, I hope you had a great time as well, and hope you’re resting up!

💌 Email me if you spoke about AI in Vegas this year

Hey! I’m thinking about creating a page that indexes all of the cool AI-related talks and tools from BSidesLV, BlackHat, and DEF CON this year.

So if you or a friend gave a talk about either applying AI to security or securing AI, I’d love to hear from you!

Please send me:

• A link to your talk’s abstract on the conference page

• Links to your slides, video recording, tool, whitepaper, etc.

• A link to the preferred social media profile (X, LinkedIn, ...) of all speakers

Thanks so much! 🙏 

Sponsor

📈 Attacks targeting infrastructure increased by 75% YoY in 2023

Discover why new approaches are needed for securing modern infrastructure, why cryptographic identity, zero trust, and ephemeral privileges are key elements to combating identity-center attacks, and why it matters today.

Read “Changing the Paradigm: Modernizing Secure Access to Infrastructure” by IAM analyst Jack Poller, a critical guide on hardening your infrastructure. Get your free copy today.

👉 Read Now 👈

Web Security

omar2535/GraphQLer
By Omar Tsai: A dependency-aware (aware of dependencies between objects queries and mutations) GraphQL API fuzzing tool.

Splitting the email atom: exploiting parsers to bypass access controls
The blog version of the BlackHat talk by Portswigger’s Gareth Heyes, on how discrepancies in email address parsers can be exploited to bypass access controls and even achieve RCE, using Unicode overflows, encoded-word, and Punycode. He provides real-world examples of exploiting GitHub, Zendesk, GitLab and Joomla, and shares tooling to exploit these vulnerabilities, including Hackvertor tags and a Turbo Intruder script.

💡 A great example of complex RFC → differing implementations → bugs.

Listen to the whispers: web timing attacks that actually work
Portswigger’s James Kettle describes how to make web timing attacks practical and scalable, minimizing network and server jitter: “in the space of ten seconds you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required.”

James describes several attacks, including discovering hidden attack surface, server-side injection vulnerabilities, and misconfigured reverse proxies. The attack techniques are available in the Param Miner Burp extension, and there’s a CTF to hone your skills.

💡 Both of these Portswigger posts are excellent write-ups and walk throughs of the research thought process and trial and error, and I love the release of tools + labs to practice.

Sponsor

📣 Are we using that SaaS app that was just breached?

When a popular SaaS app is breached, how confident would you be in your ability to answer that question? The sprawling nature of modern SaaS adoption makes it hard to really know who is using what, and to mitigate the impact when a popular SaaS app is breached. 

Nudge Security solves this problem by discovering and categorizing every account for every SaaS app ever created by anyone in your organization within minutes of starting a free trial. 

And, you’ll be alerted of security breaches impacting your SaaS providers, and their providers (4th party risks).

Get your free SaaS inventory today.

👉 Free Trial 👈

If I had $1 for every company that I knew had a full inventory of all the SaaS apps in use in their company I would… not be able to buy an avocado toast. Tough but important.

Hacker Summer Camp

There were way too many talks and tools released to possibly cover them all, but I’ve tried to include a few things that stuck out, in this and other sections.

In the categories of “Things Probably Not Helping to Create a Welcoming Environment” and “Errr, Weird?”, there were women dressed with branded lampshades over their heads, and a female leadership breakfast that offered samples of anti-ageing cosmetics. (If you’re thinking about doing a skincare or spa event, hit your homeboy up though 👋 )

The hacker community rallying to support Ray [REDACTED]’s son setting a world record in climbing at the Olympics ❤️

Overviews

• BlackHat Innovators & Investors Quick Hits - by Darwin Salazar.

• Francis Odum’s key takeaways from almost 100+ conversations with Founders, Investors, and Operators

Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes
At DEF CON, Samy Kamkar debuted his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing. This is impressive engineering work 🤯 

Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look
Matthew Bryant (“Mandatory”) found a trove of Apple corporate data, a Mac Mini from the Foxconn assembly line, an iPhone 14 prototype, and more.

At DEF CON, Matthew “presented findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China's Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.” Neat!

Cloud Security

StevenSmiley/aws-mine
By Steven Smiley: An AWS honey token manager designed to create and monitor AWS access keys. Built using AWS Amplify, notifies users via Amazon SNS within ~4 minutes when keys are used.

Shorten your detection engineering feedback loops with Grimoire
Hot off a DEF CON Cloud Village talk, Datadog’s Christophe Tafani-Dereeper announces the release of Grimoire, an open-source tool that simplifies the process of building data sets based on AWS CloudTrail logs for common attack techniques. Grimoire streamlines detection rule creation by detonating attacks (either through Stratus Red Team or an interactive shell), and then accurately identifying the specific logs generated via a unique HTTP user agent Grimoire injects per detonation. Clever!

Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
Aqua Security’s Yakir Kadkoda, Ofek Itach, and Michael Katchinskiy describe critical vulnerabilities discovered in six AWS services. Basically, AWS services (like CloudFormation) will automatically create S3 buckets with predictable names in the background to support their functionality (“shadow resources”). An attacker can preemptively create buckets with these names across all regions, which the victim’s AWS service would then use. The impact can range from remote code execution, full-service user takeover, manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service.

See their BlackHat slides here and an overview by SC Magazine here.

Supply Chain

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts
Palo Alto’s Yaron Avital describes how GitHub Actions artifacts can leak sensitive tokens, including GitHub tokens and third-party cloud service credentials, which impacted open source projects owned by Red Hat, Google, AWS, Canonical (Ubuntu), Microsoft, and OWASP.

One way this can occur is when a repo uses the actions/checkout GitHub Action and accidentally includes the .git folder in the uploaded artifact, which will include the GITHUB_TOKEN.

Yaron walks through how to exploit the leaked tokens, and shares upload-secure-artifact, an Action that runs an open source secret scanner on the source directory and blocks the artifact from being uploaded if a secret is detected.

Grand Theft Actions: Abusing Self-Hosted GitHub Runners at Scale
DEF CON talk by Adnan Khan and John Stawinski in which they describe the GitHub Action research they’ve been doing, which if you’ve been reading tl;dr sec, you’ve seen has led to them finding multiple “game over,” Internet-scale supply chain vulnerabilities, like being able to backdoor PyTorch, Puppet, GitHub’s own runner-images repo, Microsoft and Google repos, and more.

They’ve released Gato-X, to help other security researchers find these types of vulnerabilities at scale.

💡 I need to give Adnan and John a special shout-out, because it’s not often that you can say one or a few people has had a measurable impact on the state of supply chain security across the industry, but they’ve found and had fixed (in my opinion) multiple XZ backdoor impact level vulnerabilities, if exploited by a malicious actor. Keep up the great work 🙌 

AI + Security

Exploring Adversarial Machine Learning
A modified, self-service version of the NVIDIA AI Red Team's BlackHat course. Instead of $$$$, it’s $90. Covers: model evasion, model extraction, assessments, inversion, poisoning, and LLM Attacks.

Created by NVIDIA's Will Pearce, Rich Harang, John Irwin, Becca Lynch, and Joseph Lucas, H/T Joseph for sharing.

Trail of Bits’ Dan Guido’s thread overview of AIxCC
AIxCC is DARPA’s AI Cyber Challenge hosted at DEF CON this year, where teams built Cyber Reasoning Systems (CRS) that combined traditional techniques like fuzzing and static analysis with AI and ML to automatically find and fix software vulnerabilities.

Trail of Bits shared a nice overview of their approach leading up to the event here, an overview after the event here, and I enjoyed Chris Rohlf’s take on patching and reliable exploitation:

“Both require understanding of program semantics, function (and ideally whole program) synthesis and extensive reliability testing. But intelligent scalability pays more dividends for defenders than most classes of attackers. And LLMs can provide that scalability and automation in these areas in ways I believe will uniquely benefit defenders.”

Misc

• The 30 Best Comedy Movies of All Time

• Do More Plates Equal More Dates?

• “You Can’t Be In The Top 1% And Live A Balanced Life” - Scott Galloway talks about how his students say they expect to be in the top 1% in income earners when they’re 35, but they also expect work/life balance. “You can have it all, just not all at once.” I appreciate the real talk.

• China’s manufacturers are going broke

• A few simple tips and lifestyle changes to minimize hand, eye and brain strain when using your phone

• Twitter thread: How to Deal with Passive Aggressive Attacks. Interesting examples from various celebrity interviews.

• SponsorBlock - An open-source crowdsourced browser extension and open API for skipping sponsor segments in YouTube videos.

• How to Fix Every Common Zipper Problem

• "We ran out of columns" - The best, worst codebase - If you want to read a harrowing, hilarious tale of a dev environment, here it is.

• Retention.com CEO Adam Robinson on the shifting value of BDR teams

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler