
[tl;dr sec] #251 - Vuln Discovery at Scale, Multi-Cloud Testing Tool, AI-powered Container Scanning

Finding dangling DNS records and secrets at scale, new tool with 80+ attack techniques, NVIDIA's AI blueprint to auto-triage your container CVEs

Hey there,

I hope you’ve been doing well!

💎🙌 Diamond Hands

A friend recently told me a pretty crazy story.

Apparently there’s this software company called MicroStrategy that, instead of just investing in its business, has been buying $Billion’s worth of Bitcoin, and making $Billion’s worth of profit.

I’m trying to imagine the board pitch: “So yeah, we could make our product better, but… what if we just bought Bitcoin instead?”

And here I am working for a paycheck, apparently I am the fool 😂 

✍️ By the way, I’ve included some additional details on a number of links in this issue, but only on the web version to keep this email short.

👋 P.S. I’m chatting LIVE with Scott Behrens, the strategic tech lead for all of Security, Privacy, and Risk at Netflix just 2.5 hours after you receive this email. Join us and ask questions here.

Sponsor

📣 AI Risk Management Frameworks Guide

Ready to unlock the power of AI while staying ahead of potential risks? This essential resource provides you with a clear overview of the latest frameworks, practical strategies for risk assessment, and expert insights to help you navigate the complexities of AI deployment. Equip yourself with the knowledge to manage AI risks effectively and drive your projects with confidence. Read our guide today and lead your organization towards secure, responsible AI innovation.

👉 Read Now 👈

Nice, it’s great to see an overview of AI risk frameworks (e.g. NIST) in one place, so we can empower our colleagues to innovate safely 👍️

AppSec

Shout-outs

Probing Slack Workspaces for Authentication Information and other Treats
PaperMtn describes how Slack exposes workspace information to unauthenticated requests, including workspace name, ID, SSO status, 2FA requirements, and approved domains for auto-provisioning accounts, as well as potential red team and blue team implications. Slack Watchman's new 'unauthenticated probe' feature automates gathering this info.

Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall
Assetnote’s Shubham Shah et al. discovered that China's Great Firewall systematically poisons DNS queries, causing subdomains to resolve to random IP addresses based on specific keywords (e.g. “proxy”), affecting any domain using Chinese infrastructure. The post describes two main attack vectors exploiting this behavior: claiming poisoned subdomains on Fastly to steal cookies/data, and exploiting XSS on vulnerable cPanel instances returned by poisoned DNS. Known keywords that trigger this behavior and a testing tool are shared at the bottom.

Sponsor

Learn to build on hardened and minimal images with Chainguard! 💜

Want to achieve zero CVEs on your base images? Join Chainguard's Jason van Zyl, Software Engineer, creator of Maven & founder of Sonatype to learn how to migrate a Dockerfile multi-stage build for a Java application using JDK and JRE Chainguard Images and implement effective debugging techniques for containerized Java applications. Enhance your security practices, streamline your Java development process, and address critical risks associated with vulnerabilities in your images! You won't want to miss it on Tuesday, October 29th at 12 PM ET. 📚

👉 Save Your Spot 👈

I’ve heard a number of security leaders sing the praises of zero CVE images. They were off-key, but the passion was there 👨‍🎤

Cloud Security

Halberd: The Open-Source Tool Democratizing Multi-Cloud Security Testing
Vectra’s Arpan Sarkar announces Halberd, a new open source security tool designed to simplify and streamline cloud security assessments across multiple platforms including Entra ID, M365, AWS, and Azure. Halberd offers a web interface for executing 80+ attack techniques, easy multi-cloud access management, and an Automator feature for creating and sharing multi-step attack playbooks.

Hacking misconfigured Cloudflare R2 buckets
Intigriti discusses common security misconfigurations in Cloudflare R2 buckets, focusing on the R2.dev feature that makes R2 buckets publicly accessible. The post explains how to identify R2 buckets using regex patterns in HTTP responses and search engine dorking. Since Cloudflare doesn't provide Access Control Lists or Bucket Policies (or similar functionality to control access), developers are responsible for using a middleware that performs basic authorization checks.

Using Lightweight Formal Methods to Validate a Key-Value Storage Node in Amazon S3
SOSP 2021 paper by AWS’ James Bornholt et al on their experiences applying lightweight formal methods to validate the correctness of ShardStore, a new key-value storage node implementation for S3. By “lightweight” they mean a pragmatic approach to verifying the correctness of a production storage node that is under ongoing feature development by a full-time engineering team.

Their approach decomposes correctness into independent properties, each checked by the most appropriate tool (property-based testing, symbolic execution, …), and develops executable reference models as specifications to be checked against the implementation. Their work prevented 16 issues from reaching production, including subtle crash consistency and concurrency problems. H/T Xebia’s Amar Patel for sharing!

Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale
This was an excellent 🔥 read, highly recommend. Bill Demirkapi describes clever ways to find dangling DNS records and leaked secrets at scale using creative data sources, finding >66K vulnerable domains (Google, Amazon, NYT, …) and >15K secrets.

How: passive DNS + some account tricks to enumerate Google Cloud’s pool of IPs (virtual credit cards from Privacy and more), and using VirusTotal’s RetroHunt feature + YARA rules to scan for secrets at scale (with a neat serverless scanning setup).

How to get all those secrets revoked? Create GitHub Gists containing the secrets so GitHub’s existing automation revokes them 😆 (chef's kiss)

Cloud providers are not doing enough to protect customers against misconfigurations they incentivize. The customer creates these vulnerabilities, but how platforms are designed directly controls whether such issues can exist at all.

Instead of taking accountability and enforcing secure defaults, most providers expect that a few documentation warnings that most will never read will mitigate their liability. This research demonstrates how this is far from enough and the compounding risk of abuse with hardcoded secrets.

The Security at Scale Mindset

- Start with the vulnerability, not the target.
- Work backwards using creative data sources.
  - Must contain relationships indicative of the targeted vulnerability class.
  - Must be feasible to search this data at scale.

Container Security

silascutler/dockerhoneypot-logs
Silas Cutler shares Docker honeypot logs from 2021 - 2024, collected via a Python/Flask app emulating a publicly accessible Docker instance, designed to catch low-effort attempts by third parties to remotely deploy containers.

Safe Ride into the Dangerzone: Reducing attack surface with gVisor
This post describes how Dangerzone, a tool for safely opening suspicious documents (e.g. for journalists), improved its security by integrating gVisor, a container security solution from Google. The new architecture uses nested containers - an outer Docker/Podman container for portability and an inner gVisor container for strict isolation. This significantly reduces the attack surface by preventing direct access to the Linux kernel, implementing a strict syscall filter, unmapping the host user, and making the filesystem read-only.

💡 Very cool and technical blog post with some great diagrams 👌 

Supply Chain

bndr/pipreqs
By Vadim Kravcenko: Generate a pip requirements.txt file based on the imports of any project.

Securing the software supply chain with the SLSA framework
Trail of Bits’ Cliff Smith gives an overview of SLSA (Supply-chain Levels for Software Artifacts) and how it aims to secure the software supply chain through signed build provenance files, describing its three compliance levels and integration challenges. Cliff highlights PEP 740 for PyPI SLSA support and provides practical steps for leveraging SLSA as a consumer, including using npm's built-in verification and slsa-verifier for other package managers.

Recommended prioritization: start with container image verification, then implement a SLSA checklist for new dependencies, add provenance verification to existing dependencies over time, and finally request SLSA provenance from vendors.

Red Team

MalwareSupportGroup/PolyDrop
By Malware Support Group: The Bring-Your-Own-Script-Interpreter toolkit enables the deployment of malicious payloads by leveraging 13 scripting languages (e.g., PHP, Python, NodeJS) through trusted applications, evading detection by most AV and EDR solutions, including MS-Defender.

Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
Boudewijn Meijer and Rick Veldhoven describe Fox-IT's evolving evasive tool for red team engagements, which uses virtualization and polymorphism to evade EDR detection. The tool implements a custom virtual machine with encrypted bytecode instructions and a polymorphic engine to obfuscate both the virtual machine and payload. Very cool work.

AI + Security

Deepfake Ukrainian diplomat targeted US senator on Zoom call
In what appears to be an attempt at election interference.

How My Projects Fit Together
My bud Daniel Miessler gives an overview of the roughly 1 million projects he’s doing, and how they’re aimed at helping people transition to what he calls "Human 3.0" - a vision for self-actualized individuals living purposeful lives in the age of AI.

Substrate to make the world transparent and discussable, Fabric to solve everyday problems with AI, Telos to capture, articulate, and improve things you care about, Daemon to make anything (including yourself) available as an API, and Human 3.0 to (optionally) be guided through learning how to use all of this to become your upgraded, best self.

NVIDIA and Global Partners Launch NIM Agent Blueprints for Enterprises to Make Their Own AI
NVIDIA announced NIM Agent Blueprints, a catalog of customizable AI workflows for building and deploying generative AI applications. The initial blueprints include a digital human for customer service, a PDF data extraction for enterprise RAG, and a virtual screening blueprint for drug discovery. Partners like Accenture, Deloitte, and Dell are integrating these blueprints into their AI solutions and platforms.

Vulnerability Analysis for Container Security
With this NVIDIA blueprint security analysts can shorten the process of determining whether a software package includes exploitable and vulnerable components using LLMs and event-driven RAG, triggered by the creation of a new software package or the detection of a CVE. (Demo here, H/T Kyle Kelly for sharing)

The LLM researches and investigates reported CVE risks to confirm vulnerabilities, finds false positives, generates investigation checklists of tasks, and determines true exploitability. After the required data is processed, a unique checklist is generated and sent to agents, and analysis is looped until all checklist items are triaged. The application then summarizes the findings, generates action justifications, and passes them to a human analyst to decide appropriate next steps. Demo here.

Introducing Java fuzz harness synthesis using LLMs
Google’s OSS-Fuzz team have extended OSS-Fuzz-gen to automatically generate Java fuzzing harnesses using LLMs, describing challenges like object creation and constructors, handling exceptions, managing AutoCloseable resources, choosing suitable targets, and providing proper context to LLMs. Sample generated prompts here.

They evaluated the approach on 106 Java projects in OSS-Fuzz, successfully building 280 out of 592 synthesized harnesses, with 102 achieving new edge coverage. The generated harnesses found 2 potential security issues and 4 reliability bugs across various projects including jakarta.mail, jettison.json, sqlite-jdbc, and jolt.

See also a video overview of LLM-based Fuzz Harness generation with OSS-Fuzz-gen and a prior blog on generating fuzz harnesses for arbitrary C/C++ repos that aren’t already fuzzing (GitHub repo → OSS-Fuzz and ClusterFuzzLite project). OSS-Fuzz-gen has found 25 bugs total so far.

OSINT / Recon

attacksurge/ax
An open-source tool for bug hunters and penetration testers to efficiently manage and scale scanning operations across multiple cloud providers by deploying and controlling fleets of cloud instances.

A Guide To Subdomain Takeovers 2.0
Ed (EdOverflow) Foudil on identifying, exploiting, and reporting subdomain takeovers. The article covers techniques for enumerating subdomains using tools like MassDNS and Amass, automating detection with Nuclei (including writing custom templates), and exploitation scenarios such as manipulating or stealing cookies, CORS misconfigurations, OAuth domain whitelisting, CSRF, and bypassing CSP.

How to build a secure recon network using Tailscale
Bugcrowd’s Rami Tawil demonstrates how to use Tailscale to create a secure, private network for bug bounty recon. He walks through setting up Tailscale on a VPS and other devices, configuring firewall rules with UFW, using the VPS as an exit node to anonymize traffic, sharing files with Taildrive, and using Tailscale SSH for keyless remote access.

Misc

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler