[tl;dr sec] #260 - Reddit's Self Hosted Code Scanning, Build an Offensive AI Agent, OpenSSF's Package Analysis
Reddit's flexible code scanner for any CLI tool, an agent that analyzes JS and tests routes, new tool to scan OSS packages
Hey there,
I hope you’ve been doing well!
👋 Welcome Back!
Happy New Year! I hope you had a great holiday break.
For me, I had this unfamiliar feeling of “free time” and “not writing a newsletter.”
I haven’t done my annual review or 2025 plan yet, so if you have any prompts, resources, guides, etc. that you really like, I’d appreciate you sharing!
A few memorable moments from my holidays:
Doing a hot (~105°F) HIIT pilates class with my sister, being 50% of the men in a class of 30, and managing to not pass out ✊
Spending NYE with a few friends, just hanging out and talking about what’s been going well and our hopes for next year.
My brother bringing down his karaoke speaker, and my young cousin playing some rap with… adult lyrics 😂
My uncle turned 70, and we did this thing where we gave him ornaments based on specific memories we had of him, how he had affected our lives, etc. It was very sweet, and neat to see so many dimensions of the same person (from his kids, spouse, siblings, etc.). I had never done this before, but would recommend - at the end you have a tree full of memories from people who love you 🥰
Alright, enough of that mushy stuff, time to HACK! 👨‍💻
*Pulls black hoodie up over my Christmas sweater. Cranks the techno. Yells upstairs to mom to put in another frozen pizza. Cracks open another Celsius.*
We’re in.
Sponsor
📣 Secure Your Entire Data & AI Lifecycle
Embedding AI into applications requires a new set of processes, tools, and technologies: the Data & AI Lifecycle. It also comes with a new set of risks.
At Noma, we’re taking an end-to-end approach to securing the Data & AI Lifecycle—from development to production and classic data engineering to GenAI.
What does that mean? From securing your AI supply chain to protecting AI applications in runtime, Noma detects and prevents threats like misconfigured data pipelines, vulnerabilities in Notebook environments, malicious models, and yes, even adversarial AI attacks like prompt injection.
Using AI can bring a wide range of risks. It’s neat to see one company working to address such a breadth of issues 🤘
AppSec
mmaitre314/picklescan
By Matthieu Maitre: A security scanner for detecting Python Pickle files performing suspicious actions. See also fickling by Trail of Bits.
OGP CTF 2024
A web CTF by Eugene Lim to train developers in bug hunting and secure coding while having fun. Currently 13 challenges ranging from easy to hard. Built on Vercel + NextJS, CTFd, and Cloudflare Access to protect boxes.
38C3: Illegal Instructions
The 38th Chaos Communication Congress (38C3) 2024 videos are now live, covering everything from technical talks on vulnerabilities, to hardware, AI, fighting The Man, and more.
💡 Like DEF CON, C3 is a neat blend of technical and random topics that wouldn’t fit in at most standard conference venues. Awesome. I’ve heard it’s amazing in person but I haven’t attended yet.
How We are Self Hosting Code Scanning at Reddit
Charan Akiri and Christopher Guerra discuss Reddit’s custom “Code Scanner” service that can perform commit-level or scheduled scans of any repository using any CLI tool. Results are sent to BigQuery via Kafka and critical findings trigger Slack alerts. The post contains some great info on architecture choices and implementation details, love it 😍
Code Scanner currently uses TruffleHog for secret detection and OSV for scanning third party dependencies, with future plans to add SBOM generation, surfacing repo hygiene checks to devs a la Chime’s Monocle, Semgrep, and more.
“Our main driving force is to find security bugs and instill a culture where Reddit services are ‘secure by default’ based on what we learn from our common bugs.”
💡 TIL Reddit’s Application Security team is 4 engineers supporting >700 devs, and they have at least 2,200 repos.
Sponsor
📣 One-click, zero-maintenance SaaS audit log connectors
You can’t detect active threats in your SaaS sprawl without ingesting those audit logs into the SIEM of your choice. Tarsal helps SecOps teams at companies like Robinhood, Upstart, and TripActions collect & normalize SaaS audit logs with one-click, zero-maintenance connectors.
Our self-healing connectors gracefully handle outages, API changes, and more. And your logs always arrive normalized – making for easy analytics and correlations.
SaaS logs were actually one of the top 3 challenges security leaders mentioned in Maya’s excellent recent What Sucks in Security post. Sounds like they’re onto something! 👀
Cloud Security
Top AWS re:Invent Announcements for Security Teams 2024
Wiz’s Scott Piper highlights key security-focused announcements, including Resource Control Policies (RCPs), which allow org-wide rules for resource sharing and access; Declarative Policies, which simplify EC2-related security settings across accounts (e.g. enforce IMDSv2); VPC Block Public Access; the new root user access management feature, which enables controlled access for critical tasks; and other updates.
From Remediation to Mitigation: Addressing Insecure-by-Design Flaws
Vectra’s Kat Traxler discusses the concept of "insecure-by-design" vulnerabilities in cloud services, contrasting them with feature abuse and traditional bugs. Kat recommends creating guardrails that enforce security policies and standards, detection and response to handle edge cases/workloads that rely on insecure functionality, and a phased approach for sunsetting insecure features (detect abuse → implement guardrails → sunset functionality).
Farris's Three Laws of Auto Remediation
Chris Farris’ recommendations if you’re going to do cloud (or any) security auto remediation: 1) A bot must never harm stateful data or allow stateful data to come to harm, 2) A bot must act quickly so functionality doesn’t become dependent on a misconfiguration, and 3) A bot must announce its existence and tell a human what it did and why.
💡 See also the excellent BSidesSF 2024 talk by Lily Chau and Lakshmanan Murthy: WhizBangLambdaFix: where AWS Misconfigurations meet Auto-Fix-It Antics.
From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2
Datadog’s Isabelle Kraemer et al describe an approach for migrating from IMDSv1 to IMDSv2:
Discovery: Find workloads still making IMDSv1 calls, using for example CloudWatch’s MetadataNoToken metric, CloudTrail’s ec2RoleDelivery property, or AWS’s aws-imds-packet-analyzer.
Attribution: Which teams/codebases own those workloads?
Migration: Update workloads to stop using IMDSv1 (explicit calls to IMDSv1 endpoints, outdated libraries).
Enforcement: At the Auto Scaling group (ASG) level, or more broadly with service control policies (SCPs).
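The discovery and attribution steps above, sketched as an added example (not code from Datadog's post or from this newsletter): it reads CloudTrail records, keeps the calls whose credentials were delivered over IMDSv1 (`ec2RoleDelivery` of `1.0`), and groups them by role and instance. The sample records and the `OWNERS` role-to-team map are constructed for illustration; in practice ownership would come from tags or a service catalog.

```python
from collections import Counter

def _rec(role, instance, delivery):
    """Build a constructed CloudTrail record for an EC2 instance-role session."""
    return {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": f"AROAEXAMPLE:{instance}",  # session name = instance ID
                "sessionContext": {
                    "ec2RoleDelivery": delivery,
                    "sessionIssuer": {"arn": f"arn:aws:iam::111122223333:role/{role}"}}}}

# Constructed sample input; account ID, role names and instance IDs are made up.
SAMPLE_RECORDS = [
    _rec("billing-worker", "i-0aaa1111bbbb2222c", "1.0"),
    _rec("web-frontend", "i-0ccc5555dddd6666e", "2.0"),
    _rec("billing-worker", "i-0aaa1111bbbb2222c", "1.0"),
    _rec("legacy-cron", "i-0ddd3333eeee4444f", "1.0"),
    # IAM user call: no sessionContext, so it cannot be an IMDS-delivered credential.
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE"}},
]

# Hypothetical ownership map (assumption): role name -> owning team.
OWNERS = {"billing-worker": "team-payments", "web-frontend": "team-web"}

def imdsv1_callers(records, owners):
    """Return IMDSv1 usage grouped by (role, instance), busiest first."""
    counts = Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        ctx = ident.get("sessionContext") or {}
        if ctx.get("ec2RoleDelivery") != "1.0":
            continue  # IMDSv2 ("2.0") or not an instance-role session
        role = ctx.get("sessionIssuer", {}).get("arn", "").rpartition("/")[2] or "unknown"
        instance = ident.get("principalId", "").partition(":")[2] or "unknown"
        counts[(role, instance)] += 1
    return [{"role": r, "instance": i, "calls": n, "owner": owners.get(r, "UNOWNED")}
            for (r, i), n in counts.most_common()]

if __name__ == "__main__":
    for finding in imdsv1_callers(SAMPLE_RECORDS, OWNERS):
        print(finding)
```

Roles that come back as `UNOWNED` are the ones to chase down before enforcement, since requiring IMDSv2 will break them with nobody on the hook to fix it.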
Supply Chain
Less effort, more insight: Introducing Dependency Graph for Supply Chain
Leif Dreizler et al announce Semgrep’s new Dependency Graph, which makes it easy to understand how and where transitive dependencies are introducing vulnerabilities (and thus what to remediate), and that Semgrep can now scan for vulnerabilities even when there are no lockfiles present.
Falling Stars
Checkmarx’s Eugene Rojavski investigates the current state of “starjacking” (basically making a package look popular by linking to a popular GitHub repo that isn’t actually the one associated with that package) across 21 package repositories.
PyPI has implemented a Trusted Publisher Management feature that only displays verified GitHub stats for packages uploaded through authenticated workflows. npm and CPAN still show unverified GitHub statistics, and most repositories display unverified package metadata links. Sad :(
ossf/package-analysis
Project by the OpenSSF that performs static and dynamic analysis on open source packages to detect malicious behavior: what files are accessed, what addresses they connect to, commands run, etc. Packages are run in a sandbox using gVisor, which allows it to capture strace data (how is the package interacting with the system) and packet data (network connections could be used to leak sensitive data or allow remote access).
The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. They’re currently scanning NPM, PyPI, and RubyGems, and the resulting data is stored in a public BigQuery dataset.
Blue Team
Spying on Scammers
Fun video by my bud John Hammond on getting access to a scammer’s machine, watching what they do, and then doing OSINT on them and their “company.”
Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials
Datadog’s Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn describe a campaign composed of phishing targeting thousands of academic researchers and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs. The threat actor also acquired >390,000 WordPress credentials via a backdoored “credentials checker” tool for WordPress.
💡 TL;DR: Be careful running PoC code from GitHub. There was a campaign a bit ago with a threat actor DM-ing offensive security folks and trying to get them to run backdoored software. Hosting trojanized PoC repos on GitHub is a pretty clever way to compromise security professionals.
Dissecting JA4H for improved Sliver C2 detections
Webscout walks through using JA4H fingerprints to pivot from known indicators to discover related malicious infrastructure, including how to find malicious JA4H "fingerprint neighbors" by making subtle changes in existing fingerprints based on known malware behavior, using exploitation of Palo Alto Networks firewall vulnerabilities as an example. Using this approach, they found additional Sliver C2 servers, and show how default C2 configurations often provide detection opportunities. Neat!
Red Team
PShlyundin/GPOHunter
A security assessment tool for analyzing Active Directory Group Policy Objects (GPOs) to identify misconfigurations and vulnerabilities.
logangoins/Krueger
By Logan Goins: A .NET proof-of-concept tool that uses Windows Defender Application Control (WDAC) to remotely disable Endpoint Detection and Response (EDR) systems by deploying a WDAC policy and rebooting the target device, preventing the EDR service from starting on boot.
EDR Silencers and Beyond: Exploring Methods to Block EDR Communication - Part 1
Fabian Bader describes how to use Windows' Name Resolution Policy Table (NRPT) to silently block EDR agents from communicating with their servers by redirecting DNS queries for EDR domains to localhost, as well as detection opportunities (looking for PowerShell commands involving Add-DnsClientNrptRule, registry changes).
EDR Silencer and Beyond: Exploring Methods to Block EDR Communication - Part 2
Mehmet Ergene highlights other methods attackers can use to block EDR communication, including modifying the Hosts or hosts.ics files, and adding custom routes to the Windows routing table, as well as potential mitigations (e.g. the Zero Trust DNS model, currently in private preview).
AI + Security
Hacking CTFs with Plain Agents
Paper by Rustem Turtayev et al in which they solve 95% of the challenges in InterCode-CTF, a high school level offensive security benchmark, using prompting, tool use, and multiple attempts, beating prior work (72%). Their ReAct&Plan prompting strategy solves many challenges in 1-2 turns without complex engineering or advanced harnessing. GitHub repo here.
dreadnode/burpference
By Dreadnode: A Burp Suite extension designed to capture in-scope HTTP requests and responses from Burp's proxy history and ship them to a remote LLM API in JSON format. Configure custom system prompts, select from numerous model providers, and more.
Brainstorm tool release: Optimizing web fuzzing with local LLMs
Invicti’s Bogdan Calin announces brainstorm, a web fuzzing tool that combines local LLM models and ffuf to optimize directory and file discovery, finding more endpoints with fewer requests. It combines traditional web fuzzing techniques (ffuf) with AI-powered path generation to discover hidden endpoints, files, and directories in web applications.
How to build an offensive AI security agent
Anshuman Bhartiya describes, and shares the code for, an agent that:
Analyzes JavaScript files to identify API endpoints.
Uses GPT-4 to identify custom headers and hardcoded secrets that might be required to send API requests.
Dynamically crafts curl requests to each discovered endpoint, based on the derived requirements.
Scans HTTP response data for sensitive information and other disclosures.
Learnings and observations: Claude Sonnet 3.5 is an excellent coding assistant, Cursor is worth playing with, consider using the Langgraph agent framework, focus on a really small scope initially when building Agentic Apps, understand what works and what doesn't, and then gradually build up the scope.
💡 It’s neat seeing how rapidly prototypes can be created with AI code generation!
Misc
Humor
PenTest - No, no, no! - Love this parody by Tanya Janca 😂
The Onion - What Are Your Amateur … Videos Telling Employers About You?
Relationships
just another day - A Christmas song for sad single people
Chris Williamson - The Sad Truth About Male Vulnerability
WSJ The Economics Of - How Dating Apps Make Money and Why It’s Changing
Masters of Love - Nice overview of some of John Gottman’s work. For more, see Gottman’s The Seven Principles for Making Marriage Work book, which I thought was excellent.
Other
An OSINT deep dive into Luigi Mangione - Using only public data, Nathaniel Fried et al uncover his accounts, addresses, Google reviews, and much more.
Tim Ferriss - Some favorite life advice for 2025
Mark Manson - The Most Important Question of Your Life - What pain do you want in your life? What are you willing to struggle for? What is the pain that you want to sustain? Who you are is defined by the values you are willing to struggle for.
My First Million - Jesse Itzler - How to plan an epic 2025 in 56 minutes. 1) Misogi - every year, do one year-defining thing. 2) One day every other month do something that you normally wouldn't do → you will add 6 new adventures this year that you otherwise wouldn't have had. 3) Add a new winning habit every quarter. More. Super motivating 🔥
Ask yourself: Have you designed a life you’re happy to live?
"Your calendar isn't just recording your time - it’s exposing your lies" -Shane Parrish
“The important thing is to be able at any moment to sacrifice what we are for what we could become.” —Charles Dubois
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler