✉️ Securing your Email with Material Security

There's actually a fair amount of subtlety in email security.

I did a sponsored deep dive interview with Material’s Director of Security Chris Long and Director of Solutions Engineering Max Pollard, covering some nuances around email security, and how Material’s product works.

Some fun facts:

• You can actually rewrite emails from years ago (e.g. to protect PII).

• There are multiple ways attackers can persist access to your email even after password resets.

They also demo’d how to: find phishing attempts across your company, detect an attacker's lateral movement, find all the SaaS apps your company is using, get visibility into what sensitive data is in Google Drive and what's shared externally, and more.

If you want to learn more about email security or see a cool product demo, check it out!

👉️ Watch it here 👈️ 

👋 Would you like to see security product demos?

Hey friend! I’m always curious to hear more about what you’d find useful, so quick question:

Sponsor

📣 Protect healthcare infrastructure from next-gen cyberattacks

2024 has proven that nothing is off-limits for threat actors – including attacks on the digital infrastructure of healthcare companies. Identity-based attacks have highlighted the urgent need to strengthen infrastructure resiliency across the industry. Defense in depth approaches that leverage modern infrastructure access can secure even the most complex and heterogeneous infrastructure from a wide variety of attacks.

Download this white paper to explore the pivotal challenges facing healthcare IT operations teams of all sizes. Learn practical solutions to reduce risks, improve resiliency, and mitigate identity-based threats – all while continuing to enable groundbreaking clinical outcomes.

👉 Download White Paper 👈

AppSec

URL validation bypass cheat sheet
Payloads for bypassing URL validation by Portswigger. Useful for attacks like SSRF, CORS misconfigurations, and open redirects.

Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
If you haven’t followed Orange Tsai’s work, you’re missing out. This post outlines their research presented at Black Hat USA 2024 that explores architectural issues within the Apache HTTP Server, highlighting technical debt within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. Outstanding example of really understanding a target at a deep level and shaking bugs out.

Cybersecurity technology adoption cycle and its implications for startups and security teams
Ross Haleliuk and Kane Narraway categorize security teams into three types—mature engineering-focused, mature non-engineering focused, and less mature or lacking resources—each with distinct approaches to adopting new cybersecurity tech. They highlight the unique inverted adoption cycle in cybersecurity, where large enterprises are early adopters, and offer best practices for security teams on build vs. buy decisions and strategies for startups to engage with different types of security teams effectively.

Platform Engineering: Build vs Buy
Great post by Kane Narraway on deciding when to build vs buy tooling. Kane recommends platform engineering teams spend their team building: new and innovative services, niche problems that don’t have a vendor ecosystem (“sub-venture scale problems”), and glue services that connect various internal and vendor services.

Other cases where you might want to build: where you can build it cheaper than what a vendor is offering, when you have issues with the vendor’s security posture, when the only vendors in that space are competitors you don’t want to give money to, to avoid vendor lock-in either because you think they’ll increase prices or not build out future features you require, or where the solutions provided can’t scale to your needs.

💡 A great, nuanced post. I especially liked the discussion around cost, and how the total cost of ownership ≠ just the upfront build the first prototype cost.

Sponsor

📣 Build secure defaults without disrupting developers

Tracking vulnerabilities and harassing developers to implement fixes is ineffective, resulting in isolated security teams and an overwhelming amount of noise.

Proactively prevent misconfiguration with Guardrails, giving developers secure defaults built into the tools they already use. 

Start building safeguards today and watch your vulnerability list start to shrink with Resourcely.

👉 Start Building 👈

I love secure guardrails/defaults: making it easy for devs to do the secure thing, and hard to do the wrong thing. And cloud config can be tough to get right, so it’s a great place to start 👌 

Cloud Security

Industrial IAM Service Role Creation
Rami McCarthy surveys various methods and tools for creating new IAM service roles in AWS, including domain-specific languages (policy_sentry), GUIs (AWS Policy Generator, ConsoleMe), natural language processing (ChatGPT plugin), tools that generate policies from actual API calls (iamlive, iamzero) or application code (iamfast, chalice). Rami also discusses strategies for converging on least privilege, like AWS IAM Access Analyzer and Netflix's Repokid.

A “Secure by default” comparison
Stefan Tita compares various AWS and Azure defaults, like the susceptibility of the Instance Metadata Service to SSRF, how easily S3 buckets/container registery images/etc. can be exposed publicly, AWS Access Keys vs Azure’s Interactive Login, AWS IAM Policies vs Azure Roles (RBAC), and more.

💡 Azure comes out ahead in Stefan’s comparison, but I feel like not being first to market, Azure had the opportunity to avoid footguns observed from AWS. Which is great. Also, if we’re talking about the security of the cloud provider itself, Azure seems to have had many more critical cross tenant issues.

AWS IAM: A Comprehensive Guide Toward Least Privilege
Cyscale’s Andrei Ștefănie recommends starting with broader permissions and gradually refining them, using AWS Organizations for account separation, and leveraging Service Control Policies (SCPs) for organization-wide guardrails. He highlights IAM Access Analyzer for detecting external access and unused permissions, and permission boundaries for controlling IAM entity creation. Andrei also references advanced topics like session policies, just-in-time access, attribute-based access control, and more.

Implementing CNAPP: Key Considerations for Success
PwC’s Naman Sogani covers:

• What is CNAPP?

• Tool selection criteria - Prioritize vendors that best address key use-cases, include stakeholders from different teams, require graph databases, agentless vuln scanning, comprehensive APIs, alignment with vendor roadmaps

• Day 1 focus areas - Prioritize CSPM operationalization, enable self-service consumption of findings, metrics and reporting, custom develop and fine-tune CSPM policies

Supply Chain

Introducing Bomctl
Ian Dunbar-Hall announces bomctl, a new OpenSSF sandbox project designed to simplify working with multiple SBOM documents across different formats. It’s a format-agnostic CLI tool, built on the protobom project, which allows users to fetch, store, and manipulate SBOMs in a cache database, with planned features including merging, redacting, splitting, and enriching SBOMs using GUAC and Transparency Exchange API.

Fake recruiter coding tests target devs with malicious Python packages
ReversingLabs’ Karlo Zanki describes a new malicious campaign linked to North Korea's Lazarus Group, targeting developers with fake job interviews and coding tests. The attackers use GitHub repositories containing malicious Python packages disguised as popular tools, with malware hidden in compiled PYC files.

Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions
Orca Security’s Ofir Yakobi describes how they created GitHub orgs with names that typosquat popular GitHub Actions (e.g. circelci, actons), and forked the original repo so that when someone made the typos they still got the desired result. At least dozens to hundreds of repos are already making these typo mistakes, which would enable an attacker to run arbitrary code in the context of the victim repo (steal GitHub tokens and source code, backdoor code, etc.).

Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk
TIL when developers remove their projects from the PyPI repository, the associated package names immediately become available for registration by any other user 🤦‍♂️ JFrog’s Andrey Polkovnichenko and Brian Moussalli found that >22K packages could be hijacked in this way, and when they proactively registered these packages, they got 1000s of downloads in a few days, and have ~200K downloads in 3 months.

💡 I’m sure there are reasons why PyPI works this way, but this feels like someone in 2024 saying, “I’m going to build this new web app in C.” Like, my man, this would be OK 25+ years ago, in a more blissful and naive time, but we know more things now.

💡 Shout-out to ReversingLabs who apparently called out this package name republishing issue in… April 2023, over a year ago 🤦‍♂️ And you can search for malicious packages here.

Blue Team

rabbitstack/fibratus
By Nedim Šabić Šabić: A tool to detect, protect, and eradicate adversary tradecraft by analyzing system events with a behavior-driven rule engine and YARA memory scanner, offering real-time behavior detection, memory scanning, and forensic analysis.

Linux Detection Engineering - A Sequel on Persistence Mechanisms
Elastic’s Ruben Groenewoud continues the series on Linux persistence techniques, covering how each works and how to detect it, including: boot or logon initialization scripts (System V init, Upstart, RC scripts, Message of the Day), event triggered execution (udev, APT, YUM, DNF), git hooks, process capabilities, and more.

Detection Engineering and Threat Hunting: 🤝🏼
Danny Zendejas compares detection engineering and threat hunting, highlighting their distinct approaches and complementary roles. Detection Engineering focuses on creating and maintaining automated rules for known threats and TTPs, involving processes like managing false positives, continuous tuning, and CI/CD pipelines. Threat hunting proactively seeks unknown threats through broader queries and anomaly analysis.

Red Team

codemerx/CodemerxDecompile
The first standalone .NET decompiler for Mac, Linux and Windows, maintained by the original JustDecompile creators. H/T my bud Kurt Boberg for sharing.

Learning Rust for fun and backdoo-rs
HN Security’s Marco Ivaldi describes backdoo-rs, a simple Meterpreter stager written in Rust. Marco walks through creating it, relevant topics learned, and provides code snippets explaining key functions like payload reception and execution using Windows APIs through FFI. The post also shares a curated list of Rust learning resources, including books, courses, and practice exercises.

Why bother with argv[0]?
Argv[0], typically reflecting the program’s name/path when calling a CLI tool, can generally be set to an arbitrary value without affecting the process’ flow. Wietze demonstrates how it can be used to deceive security analysts, bypass detections and break defensive software, across all main operating systems.

💡Some delightfully devious examples, love it.

AI + Security

Cole Grolmus asks: Who is building AI agents for cybersecurity?

AI security fundamentals
Free 1.5 hour course from Microsoft covering the fundamentals of AI security (architecture layers, jailbreaking, prompt injection, model manipulation, data exfiltration), AI security controls, and an intro to AI security testing.

GPT-fabricated scientific papers on Google Scholar
“Our analysis of a selection of questionable GPT-fabricated scientific papers found in Google Scholar shows that many are about applied, often controversial topics susceptible to disinformation: the environment, health, and computing. The resulting enhanced potential for malicious manipulation of society’s evidence base, particularly in politically divisive domains, is a growing concern.”

Enhancing LinkedIn’s security posture management with AI-driven insights
LinkedIn’s Sagar Shah and Amir Jalali describes LinkedIn's Security Posture Platform (SPP), a dynamic infrastructure mapping system (catalogs assets from physical devices to cloud resources) that streamlines vulnerability management by automating data gathering and analysis across distributed security systems. SPP has increased vulnerability response speed by ~150% and digital infrastructure coverage by ~155%, incorporating dynamic risk assessments and automated decision-making to enhance LinkedIn's security posture at scale.

SPP has a GraphQL playground and API, but also lets you ask questions in English like: Are we affected by vulnerability X? Is vulnerability X on devices exposed to untrusted networks? Who is responsible for patching host A?

💡 Excellently detailed post, love it!

AI

Amazon CEO Andy Jassy on Improving Dev Productivity with AI
Supposedly AI helped Amazon significantly re: applying Java upgrades:

• Average time to upgrade an app to Java 17 went from usually 50 developer-days → a few hours (estimated savings: 4,500 developer-years of work).

• In <6 months, they upgraded >50% of production Java systemes to modernized Java. Devs shipped 79% of the auto-generated code reviews without any changes.

• The upgrades have enhanced security and reduced infrastructure costs, providing an estimated $260M in annualized efficiency gains.

Anthropic’s prompt engineering tutorials

1. Prompt Engineering Interactive Tutorial

2. Real world prompting course

Prompt caching with Claude
Enables developers to cache frequently used context between API calls. With prompt caching, customers can provide Claude with more background knowledge and example outputs—all while reducing costs by up to 90% and latency by up to 85% for long prompts.

Misc

The End of Work
Daniel Miessler argues that most companies are run fairly inefficiently, that companies don’t owe jobs to anyone, that the only reason companies employ people is because they have to to grow/make money, and as AI and automation software in general improves, companies are going to need fewer people to make more money. Thus, they will hire less or do layoffs.

“The ideal number of employees for a company is zero.”

• How Creators in LA Fake Luxury Lifestyles

• Matthew Perry’s assistant was acquiring ketamine for him and injecting him with it. He’s now facing potential prison time for it. Other Hollywood assistants are saying these types of asks are common.

• Kevin Rose interviews a doctor about using ketamine for mental health treatment, and shares a recording of him getting the treatment

• Anxious Avoidant First Date

• You can travel Japan for 2 weeks on $1,000

• Canva’s choreographed dance and rap about their product - Some people might judge this or think it’s cringe, but to be honest, if I had the budget, I could see myself doing something like this.

• Tim Ferris’s Are You Hunting Antelope or Field Mice? - Look at your to-do list and ask: “Which one of these, if done, would render all the rest either easier or completely irrelevant?” And: “Which undone item, if done, would liberate the most energy for me personally?”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler