[tl;dr sec] #258 - AI-powered Fuzzing and SAST, What Hackers know about your AWS Account, EDR Vulnerabilities

Google's AI-powered fuzzing and augmenting SAST with AI, new OSINT/recon service for public AWS identifiers, finding EDR vulns with fuzzing

Hey there,

I hope you’ve been doing well!

🧹 Defying Gravity

Recently I saw the “Wicked” movie, and it was delightful! 🥰 

If you’re not familiar, Wicked started as a very popular musical that tells the story of the Wizard of Oz from the perspective of the green Wicked Witch of the West.

Tons of interesting themes, like: are people born wicked or does their life lead them there? Doing the hard and moral thing vs being popular. Finding a common enemy to bring people together. The power of narrative in misleading the populace.

The visuals and dancing were quite the spectacle (check out this epic breakdown of Dancing Through Life), Ariana Grande had great comedic timing, and the singing was impressive.

Unfortunately I didn’t reach out to the creators in time to get you a discount code (e.g. #JonChuPlzCastTLDRSEC).

If you know how to leverage a cybersecurity newsletter or Internet points to get involved in the screen industry or musicals, hit up ya boi 👋 

P.S. I’m going to be joining my friends Seth Law and Ken Johnson on Absolute AppSec next Tuesday Dec 10th at noon ET / 9am PT, livestream link here. Hope to see you there!

Sponsor

📣 Modern infrastructure NEEDS modern privileged access

Modern, ephemeral infrastructure is a complex beast to manage. Scaling privileged access across it all presents unique challenges, and relying on traditional PAM technology alone is insufficient (or, requires significant overhead… 😬)

Read this “Modern Infrastructure Demands a Modern Approach to Privileged Access” guide to explore (and start solving) the key challenges that arise when scaling access control across the dynamic multi-cloud, cloud-native, and containerized infrastructure of today. Key challenges include credential sprawl, manual management burden, and limited compatibility with modern DevOps toolkits.

👉 Read the Guide 👈

Oof, scaling privileged access is tough, it’s great to see a case study of how a company did it 👍️ 

AppSec

mike-engel/jwt-cli
By Mike Engel: A super fast CLI tool to decode and encode JWTs built in Rust.

2024 CWE Top 25 Most Dangerous Software Weaknesses
Updated list from MITRE. The top 10 in order are: XSS, out-of-bounds write, SQL injection, CSRF, path traversal, out-of-bounds read, OS command injection, use after free, missing authorization, unrestricted upload of file with dangerous type.

ComplianceAsCode/content
Security automation content in SCAP, Bash, Ansible, and other formats. The project’s purpose is to create security policy content for various platforms (Red Hat, Fedora, Ubuntu, Debian, …) and products (e.g. Firefox, Chromium), delivering security guidance, baselines and associated validation mechanisms.

ComplianceAsCode also links back to compliance requirements in order to ease deployment activities, such as certification and accreditation, for the U.S. Government as well as the financial services and health care industries.

Drilling the redirect_uri in OAuth
@YShahinzadeh describes various OAuth attack scenarios, such as manipulating the redirect_uri parameter or chaining redirect_uri + open redirect when the server doesn’t check the state parameter. The post walks through example exploitable situations, and encourages focusing on custom flows that deviate from the standard.
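
The checks that close off the redirect_uri scenarios above, as an added example (not code from the linked post): a loose prefix validator beside exact-match validation on the authorization server, plus the client-side state comparison. The client id, URIs and function names are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Constructed client registration; the client id and URIs are placeholders.
REGISTERED = {"client-123": {"https://app.example.com/oauth/callback"}}

# Constructed regression cases for the validators below.
CANDIDATES = [
    "https://app.example.com/oauth/callback",              # the registered URI
    "https://app.example.com/go?url=https://other.test/",  # same host, different endpoint
    "https://app.example.com.other.test/oauth/callback",   # different host, same prefix
]

def weak_redirect_ok(client_id, redirect_uri):
    """Loose check: accepts any URI that starts with a registered scheme and host."""
    for reg in REGISTERED.get(client_id, ()):
        parts = urlsplit(reg)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False

def strict_redirect_ok(client_id, redirect_uri):
    """Exact string match against the client's registered redirect URIs."""
    return redirect_uri in REGISTERED.get(client_id, set())

def state_ok(session_state, returned_state):
    """Client side: the callback's state must equal the value stored for this session."""
    if not session_state or not isinstance(returned_state, str):
        return False
    return hmac.compare_digest(session_state.encode(), returned_state.encode())

def accepted(check, client_id="client-123"):
    """Return the regression cases that a given validator lets through."""
    return [u for u in CANDIDATES if check(client_id, u)]
```

Running `accepted()` with each validator shows the loose check passing all three cases and the exact match passing only the registered URI.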

Sponsor

📣 Cloud security can feel like a game of whack-a-mole

Every day, your CNAPP/CSPM spits out more alerts than anyone has time or people to handle, and what you do get to investigate, you investigate in a hurry. When you send over tickets to engineering, they only get to it at the very last moment before you breach some SLA.

That’s where Tamnoon’s Managed Cloud Security service comes in - we take all your CNAPP/CSPM alerts, enrich and prioritize them, perform AI-powered impact analysis, and then offer concrete remediation plans (verified by human cloud security experts!) for your developers to use.

AI-augmented managed services make a lot of sense to me: you get the benefit of scalability (prioritization, auto-enrichment) + a human expert in the loop. Looking forward to seeing where this goes 🤘 

Cloud Security

AWS pre:Invent 2024
Chris Farris brings the snark (“Pre:Invent wasn’t the GenAI wankshow I expected it to be.”), and highlights 15 security-relevant announcements. If you’re attending, check out his and Rich Mogull’s Security Invariants breakout session!

Hands-On Security Tips For Centralize Root Access In AWS(AssumeRoot)
Mitiga’s Or Aspir explains AWS's new centralized root access management feature for AWS Organizations, which allows organizations to manage root user credentials across multiple accounts from a single location, and even delete root user credentials. The feature introduces new API calls like AssumeRoot and policies such as IAMAuditRootUserCredentials that limit actions a principal assuming root can perform, enabling more granular control and attack surface reduction. Or also describes some CloudTrail logging details and cloud detection and response tips.

How to use AWS Resource Control Policies
Wiz’s Scott Piper walks through Resource Control Policies (RCPs), a new feature that allows setting organization-wide constraints on resource access, similar to Service Control Policies (SCPs). RCPs can enforce data perimeters, restrict IAM role assumptions to trusted accounts, limit OIDC access (e.g. limiting GitHub Actions to a specific org), and prevent undesired actions by external accounts. Scott recommends using Access Analyzer to review existing access patterns before deploying RCPs, and suggests a phased deployment approach starting with sandbox accounts and progressing through dev, staging, and production environments.

Creating a Data Perimeter with Resource Control Policies (RCPs) and AWS KMS
Fog Security’s Jason Kao shares 5 examples of how to use RCPs to build multi-layered data perimeters, including: using KMS policies creatively to protect data in services not directly supported by RCPs, limiting cross-environment data access, preventing KMS key lockout, enforcing KMS encryption for S3, and protecting secrets from public exposure.

What Do Hackers Know About Your AWS Account?
For a number of attacks on various AWS resources (as shown recently in attacks on CDK deployments, SQS queues, and ECR repositories), an attacker needs an identifier for the resource being targeted. And there’s been research showing how identifiers can be guessed, validated, discovered, leaked, and predicted.

Tying it all together: Plerion’s Daniel Grzelak introduces Awseye, an open-source intelligence (OSINT) and reconnaissance service that analyzes publicly accessible data for AWS identifiers like account IDs, IAM keys, Amazon hosts, resource IDs, and resource names. How: mention scraping, direct listing, guess and validate, and miscellaneous Milo-fueled Aussie magic. You can sign up for free to be notified when identifiers related to your company are shared publicly so you can fix/harden appropriately.

Blue Team

Babyhamsta/Malcrow
Malcrow creates fake processes and registry keys that make your Windows 10/11 machine look like a malware analysis environment, which will cause some malware to not run so as to avoid being reversed.

When Guardians Become Predators: How Malware Corrupts the Protectors
Trellix’s Trishaan Kalra describes a malicious campaign that exploits a legitimate Avast Anti-Rootkit driver (aswArPot.sys) to terminate security processes and disable protective software. Recommendation: use BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms.

Phishing-Resistant MFA Success Story: USDA’s FIDO Implementation
CISA article about how the USDA implemented FIDO-based phishing-resistant authentication for 40,000 users, including seasonal workers and lab employees. They leveraged Windows Hello for Business, FIPS-140 validated security keys, and Microsoft Entra ID integration with their existing SSO platform to protect Windows logon, M365, VPN, and 600+ internal applications.

💡 Insert Smokey the Bear poster: If the USDA can adopt FIDO, so can you!

Understanding the Efficacy of Phishing Training in Practice
An academic paper analyzing the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. “Our results suggest that these efforts offer limited value.”

They found no significant relationship between recent training and the likelihood of falling for a phishing attack, and little difference between people who had and hadn’t received training content. For specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations.

Red Team

roadwy/DefenderYara
Extracted Yara rules from Windows Defender mpavbase and mpasbase.

hackirby/skuld
A Go proof-of-concept tool for stealing from Discord, Chromium-based & Firefox-based browsers (cookies, credit cards, history), crypto wallets and more, from every user on every disk. Features: terminates debugging tools, disables Windows Defender and blocks access to AV websites, detects and exits when running in VMs. “For educational purposes only.” 😂 

From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
Neodyme’s Konstantin demonstrates how EDR tools like Wazuh can become attack vectors by walking through two critical vulnerabilities, a heap buffer overflow and a command injection. The latter was found through code review, the former through fuzzing using LibAFL with QEMU userspace emulation and Nautilus for mutation.

AI + Security

Autonomous Discovery of Critical Zero-Days
ZeroPath’s Raphael Karger describes how their program analysis (SAST) + AI vulnerability detection approach has found 19+ vulnerabilities in open source projects, including RCE, authentication bypasses, and IDORs. Their approach (more here):

  1. Use AI agents to investigate what apps are in a repo (e.g. for monorepos, microservices) and gather basic data about how they work.

  2. Generate ASTs for the code using tree-sitter and build a call graph.

  3. Enrich the graph with contextual info like endpoints (request paths, HTTP methods), middleware, AuthN/AuthZ mechanisms.

  4. Find taint-style vulnerabilities (SQLi, XSS, …) using static analysis, and leverage AI (tree-of-thoughts, ReAct) to find business logic flaws and AuthN/AuthZ issues.

  5. To validate findings, they use the Monte Carlo Tree Self-refine (MCTSr) algorithm.
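
The static part of that pipeline (steps 2 to 4) in miniature, as an added example that is not ZeroPath's code: Python's standard `ast` module stands in for tree-sitter, and the check is coarse reachability from an endpoint to a non-literal SQL call rather than full taint tracking. The sample app and the `route` / `login_required` / `execute` conventions are assumptions, and the AI-driven steps are not modeled.

```python
import ast

# Constructed sample service (not from any real project); names are hypothetical.
SAMPLE = '''
@app.route("/users")
def list_users():
    return find_user(request.args["name"])

@app.route("/admin/users")
@login_required
def admin_users():
    return find_user(request.args["name"])

@app.route("/health")
def health():
    return "ok"

def find_user(name):
    return cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

def call_name(call):
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def chain_to_sink(graph, sinks, fn, seen=()):  # depth-first search over the call graph
    if fn in sinks:
        return [fn]
    for callee in sorted(graph[fn] - set(seen)):
        rest = chain_to_sink(graph, sinks, callee, seen + (fn,))
        if rest:
            return [fn] + rest
    return None

def analyze(source):
    funcs = {n.name: n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)}
    graph, sinks, endpoints = {}, set(), {}
    for name, fn in funcs.items():
        calls = [c for c in ast.walk(fn) if isinstance(c, ast.Call)]
        graph[name] = funcs.keys() & {call_name(c) for c in calls}  # step 2: call graph
        if any(call_name(c) == "execute" and c.args
               and not isinstance(c.args[0], ast.Constant) for c in calls):
            sinks.add(name)  # SQL built at runtime instead of a string literal
        decos = fn.decorator_list  # step 3: attach route path and auth requirement
        routes = [d.args[0].value for d in decos if isinstance(d, ast.Call) and call_name(d) == "route"]
        if routes:
            endpoints[name] = (routes[0], any(getattr(d, "id", "") == "login_required" for d in decos))
    found = ((p, a, chain_to_sink(graph, sinks, n)) for n, (p, a) in endpoints.items())
    return [{"endpoint": p, "auth": a, "chain": c} for p, a, c in found if c]  # step 4
```

`analyze(SAMPLE)` reports both `/users` and `/admin/users` as reaching the query sink, with the `auth` flag separating the unauthenticated route from the protected one for prioritization.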

Investigating and Benchmarking Large Language Models for Vulnerability Analysis in Decompiled Binaries
Academic paper by Dylan Manuel et al. introducing DeBinVul, a novel decompiled binary code vulnerability dataset that’s multi-architecture and multi-optimization, focusing on C/C++. They curated 150,872 samples of vulnerable and non-vulnerable decompiled binary code for the task of (i) identifying; (ii) classifying; (iii) describing vulnerabilities; and (iv) recovering function names. They fine-tuned several LLMs using DeBinVul and observed a performance increase of 19% (CodeLlama), 24% (Llama3), and 21% (CodeGen2) in detecting binary code vulnerabilities. Using DeBinVul, “we report a high performance of 80-90% on the vulnerability classification task.”

Leveling Up Fuzzing: Finding more vulnerabilities with AI
Oliver Chang, Dongge Liu and Jonathan Metzman give an overview of Google’s efforts to have AI augment the fuzzing process (using LLM-generated fuzz targets to increase code coverage), which has already led to finding 26 new vulnerabilities in open source projects, including one in OpenSSL. The LLM can draft an initial fuzz target, fix compilation issues that arise, run the fuzz target and fix mistakes causing runtime issues, and run the corrected fuzz target and triage crashes.

One improvement they’ve made is automatically generating more relevant context in prompts - including project-specific context, like functions, type definitions, cross references, and existing unit tests in the project.

Future work: improving the automated triaging of results, and creating an Agent-based architecture that lets the LLM autonomously plan the steps to solve a problem and give it access to tools (e.g. a debugger) to get more info and validate results.

Misc

Wicked

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler