🇮🇩 Indonesia!

The past few days I’ve been in Indonesia for the first time, and it’s been awesome!

My deepest thanks to everyone who kindly reached out with recommendations! I think more people responded to share thoughts on Bali than perhaps any security thing I’ve ever asked for feedback on 😂 Lots of Aussies.

I’ll share more when I have time, but a few quick thoughts:

• Locals and other tourists have been very friendly! I randomly met a restaurant owner and he invited me to his restaurant, sat with me and recommended dishes, and showed me around.

• So many beautiful temples, like Borobudur (H/T Aaron Liao)

• In one visit to Uluwatu, I saw monkeys steal things from like 5 people.

• Lots of people who self-describe their job as “influencer” 😂 

• I went to a large church in the shape of a… chicken.

More to come!

🌁 NEBULA:FOG:PRIME – AI x Security Hackathon

Some friends (shout-out Rob Ragan) are organizing a hackathon on January 25th for people excited to apply AI to security challenges.

Everyone is expected to build, and there will be an after party with music and networking.

I’ve been told it’s… already full 😅 But you might be able to get in, or at least be notified about future events: 🔗 https://nebulafog.ai

Sponsor

📣 Permiso Security’s CISO Guide to Detecting and Preventing Identity Attacks

This CISO guide addresses the key questions:

• How much visibility does the security team have into human and non-human identity-related activities and potential threats within your organization?

• What do cloud identity attacks look like across different cloud environments, and how do they differ from traditional on-premise identity attacks?

• What best practice strategies are available for detecting, preventing, and remediating identity-based attacks?

• Plus, many more.

👉 Download the eBook 👈

AppSec

EnableSecurity/wafw00f
By Enable Security: A tool to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Second audit of Obsidian apps completed by Cure53
As an Obsidian user, it’s nice to see that they work with a top tier firm and fix issues quickly. The only serious issue found was “UXSS via bookmarks accepting JavaScript URI.” Worth skimming if you’re into Electron security.

Alice and Bob Learn Secure Coding
My friend Tanya Janca’s second book is now available for pre-order! She kindly shared a pre-release version with me, and I think it’s a great resource for developers (or security folks) to learn about secure software development. If you look closely, you might notice that there’s a testimonial from me on the Amazon page (and in the book!) 😎 

Cross-IdP impersonation: hijacking SSO using fraudulent IdPs
Push Security’s Dan Green describes “cross-IdP impersonation,” a technique where attackers can create accounts on unused identity providers (IdPs) to access your company’s SaaS apps via SSO (e.g. Log in with Apple), bypassing hardened primary IdP accounts.

Dan discusses recent examples, including a case where one could access a target company’s Zendesk support ticket history via spoofing a company’s support email, and later using it to access connected apps like Slack, as well as a Google domain verification bug. Recommendations: set alerts for IdP activation emails, enforce re-verification using the original method when a user adds a new SSO method, and prevent personal-to-corporate account conversions where possible.

💡 Yikes, this is a tricky issue and a great write-up. There are so many potential IdPs (Okta, AWS, Google, Apple, GitHub, …), all with likely varying behavior and security controls.

Sponsor

📣 Your Guide to SaaS Attacks

Offensive security drives defensive security.

Push Security is sharing a collection of SaaS attack techniques to help you understand the threats you face. In this SaaS Attacks Report, you’ll learn:

• The SaaS Attacks Matrix and how it can benefit your red and blue teams

• New SaaS-focused variations of older attacks

• Brand new attack techniques against SaaS-native and hybrid organizations

• What the cyber kill chain looks like when applied to SaaS-native and hybrid organizations

👉 Download for free 👈

I’ve been impressed by Push Security’s blog, tons of technical posts on subtle, tricksy SaaS attacks. It’s really neat to see all of the new attack angles they’re coming up with, I bet this guide is 🔥 

Cloud Security

Introducing the CAPICHE Detection Framework: An Open-source Tool to Simplify Cloud API-based Hunting
Permiso’s Dredhza Braina introduces CAPICHE, an open-source tool that simplifies cloud API detection translation, automating the process of translating cloud APIs into SDK-specific syntax (e.g. the CreateAccessKey API is translated to create-access-key for AWS CLI usage but create_access_key for Boto3 usage) and generating detection rules in formats like YARA, Sigma, and VirusTotal VTGrep.

Avoiding mistakes with AWS OIDC integration conditions
Wiz’s Scott Piper does an excellent round-up of the security risks of misconfigured OpenID Connect (OIDC) integrations with AWS, for example, accidentally allowing any GitHub user to create a GitHub Action that could assume a company’s GitHub <> AWS IAM role. Scott also shares a summarized list of recommended conditions for over 20 vendors.

In short: generally there should always be “aud” and “sub” conditions, but it varies. Also, just because a given condition value looks random, it could actually be the same value for all of the vendor’s customers.

Confidential computing at 1Password
Jasper Patterson explains how 1Password is leveraging confidential computing to process encrypted data securely in the cloud without compromising their end-to-end encryption model. This allows 1Password to support features like detailed reporting for enterprise customers while maintaining strong security guarantees. Their approach, built on AWS Nitro enclaves, includes verifiable guarantees, public transparency through Rekor, no operator access, trusted communication using Noise, and is implemented in Rust.

💡 I love the significant engineering that went into being able to make such strong security guarantees. Let’s go!

Implementing Security Invariants in an AWS Management Account
Chris Farris describes how to implement security invariants in AWS Organization Management (payer) accounts using permission boundaries, since SCPs and RCPs don't apply. He provides a comprehensive permission boundary policy that enforces invariants like only allowing the Cloud Admin team to modify CloudTrail, Organization settings, and assume sensitive roles. Chris also shares a GitHub repo that uses Lambda and Eventbridge to all IAM users and roles.

💡 This is awesome for Chris to share, but it would be nice if cloud providers made it easy to enforce sensible invariants instead of relying on community members. Every time I read about additional IAM nuances I feel like a fairy loses its wings.

Blue Team

AttackRuleMap
By Burak Karaduman: A mapping of Atomic Red Team attack simulations to open-source detection rules, such as Sigma and Splunk ESCU. Announcement blog.

Compound Probability: You Don’t Need 100% Coverage to Win
Andrew VanVleet uses compound probability to argue why defenders don't need 100% attack surface coverage to have a strong chance of detecting attackers. For example, if an attacker can accomplish their goal in 5 attack steps, and you have a 1/3 chance of detecting them at each step, then they only have a 1/3^5 = 13% chance of not being detected. Thus, as defenders you want to increase coverage and/or the required number of steps.

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
Volexity’s Sean Koessel, Steven Adair, and Tom Lancaster describe how a Russian APT breached a company’s network by compromising multiple organizations within Wi-Fi distance of the target so they could then use credentials found via password spraying to join the target’s Enterprise network (which did not require MFA). Great write-up of the investigation and tradecraft notes.

💡 I mean honestly, hats off to Fancy Bear, this is like from an action movie. Sidenote: I wonder if anyone in an APT reads tl;dr sec and is ever like, “Finally, a shout-out!” 🙌 

Red Team

NHAS/egressinator
Trying to get out of a network? Use this to find what ports are allowed.

Making Monsters: Part 1
@silentwarble describes the development of Hannibal, a C2 agent designed to be used with Mythic written in position independent C, with a tiny memory footprint, minimal dependencies, and swappable communication profiles.

Password Spraying with Selenium and Fireprox
Ben Kofman shares a methodology for password spraying attacks that avoids IP-based lockouts by using Fireprox (leverages AWS API Gateway to create pass-through proxies that rotate the source IP address with every request), creating custom Burp Suite proxy match and replace rules using Bambda to ensure requests are forwarded to the right location, and automating login attempts with Selenium.

AI + Security

Non-security

• Simon Willison: Things we learned about LLMs in 2024. Fantastic overview. If you haven’t already been following Simon’s blogs and videos, you’re missing out.

• Elon Musk wanted an OpenAI for-profit - OpenAI’s latest diss track

• STORM: New AI research tool from Stanford - enter a topic and it will search hundreds of websites to write an article about its major findings.

Awesome List of Cybersecurity and AI
Repo by Kris Oosthoek of background reading accompanying his talk “AI in Offensive and Defensive Cyber” at the 2024 One Conference in The Hague. Topics: attacking AI systems, public policy, frameworks, using AI for defense/offense, academic papers, and more.

Toward Intelligent and Secure Cloud: Large Language Model Empowered Proactive Defense
Academic paper that presents LLM-PD, a proactive defense architecture that can make decisions through data analysis and sequential reasoning, as well as dynamically creating and deploying actionable defense mechanisms on the target cloud. It can flexibly self-evolve based on experience learned from previous interactions and adapt to new attack scenarios without additional training. GitHub repo.

💡 I still need to read this paper in more detail, but quick thoughts: it’s interesting to see AI being applied in cloud security. I’ve seen that some, but more often in the detection and response space, bug bounty/offense/fuzzing, and then maybe AppSec.

Second, with the rise of Agents and “reasoning” models like OpenAI’s o1 and o3, I’m sure we will see more and more tools and products that do some amount of “action-ing” for you, not just synthesis or recommendations.

Misc

• Lars Kamp on the power of bundling in selling cybersecurity products. Palo Alto Networks is playing hard-ball against Wiz.

• Your CISO asks, “What are we doing about Russians exploiting 0days in AI?”

• Sleep paralysis but instead of a demon it’s just Alex Hormozi - “You must first become consistent before you can become exceptional.” “A focused fool can accomplish more than a distracted genius.”

• The books that have stayed with Andrej Karpathy - All short stories by Ted Chiang, The Selfish Gene, LOTR, The Martian, The Vital Question, How To Live by Derek Sivers, 1984, In Defense of Food by Pollan, The Accidental Superpower by Zeihan, …

• DOOM CAPTCHA - Verify you’re human by killing at least 3 enemies in nightmare mode

• The CIA using animal spies for espionage

• A song from the perspective of the hawk tuah girl

• 11 of Tim Ferriss’ favorite Paul Graham essays - Keep Your Identity Small. How to Think for Yourself. How to Do Great Work.

• Profitable Misery by my bud Matt Johansen - How Silicon Valley turned isolation into a business model, and what we can do about it.

• Even Terence Tao, one of the best living mathematicians, has paper rejections once or twice a year - I wish I had known this in grad school 😅 

• Is Zyn gonna kill me and the boys?

• Palantir CEO pops a zyn while spinning a book during an interview 😂 

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler