💓📚️ Resources on the Feelz

OK this is a bit random, but please send me any YouTube videos, podcast episodes, books, or blog posts that you’ve personally found very useful about relationships, marriage, communication, emotions, etc.

Perhaps something that’s made an impact on you, or that you come back to.

The why behind this ask will become clear over the next month or two :)

And if you send me something, you’ll get an early preview!

Thankee kindly 🙏 

Sponsor

📣 7 steps to an airtight GRC strategy

The information security landscape is constantly changing, which is why it’s important to have a scalable and secure strategy that evolves alongside it. 

Implementing a GRC program can provide your organization with a structured, proactive approach to managing its IT security that helps your business meet its goals.

Learn how to implement a GRC framework with this tactical guide. Here’s what’s inside:

• Overview of GRC strategy

• The three components that make up a GRC framework

• The steps needed to implement GRC for your organization

👉 Download now 👈

AppSec

sarperavci/ctf-writeups-search
By Sarper AVCI: A search engine for CTF (Capture The Flag) writeups and solutions, powered by Typesense. Search through a curated collection of 35,000+ CTF writeups with instant results and smart filtering.

You're thinking about passkeys wrong
Yawar Amin proposes a user-friendly approach to implementing passkeys alongside magic links for authentication, handling the case of when users have multiple devices.

A Tour of WebAuthn
The web version of a book written by Adam Langley that provides a great overview of how Universal Second Factor (U2F) improves on passwords, FIDO2 and passkeys, WebAuthN, implementation considerations, and more.

siamthanathack/Passkey-Raider
A Burp extension by Siam Thanat Hack for testing passkey systems. Features: it can decode and encode passkey data in HTTP requests, automatically replace the public key in passkey registration flows with a generated public key, and automatically sign data in passkey authentication flows using a generated private key.

Sponsor

📣 [Webinar] 5 Ways New AI Agents Can Automate Identity Attacks

Struggling to filter AI hype from genuine threats? Join Luke Jennings from Push Security on February 27th for his latest threat research webinar where he’ll be demonstrating 5 ways new AI agents can be used to automate identity attacks.

• Reconnaissance to discover a company’s SaaS tenants

• Initial access through scaling up credential stuffing attacks

• Persistence following account takeover

• Lateral movement to compromise additional apps and accounts

• Exfiltration through mass data collection

See you there!

👉 Register Now 👈

I’ve included Luke’s great security research in tl;dr sec a number of times. Seeing how he can scale identity attacks with AI agents will probably be pretty rad 👌 

Cloud Security

CVE-2025-0693: AWS IAM User Enumeration
Rhino Security Labs’ Nate Wilson describes two username enumeration vulnerabilities in the AWS Web Console. One was fixed, one an “accepted risk.”

Abusing FIDO2 passkeys to take over Global Administrators in Entra ID
Secura’s Max Rozendaal describes an attack path in which an attacker with Application Administrator privileges can provision a FIDO2 passkey for a user with the Global Administrator role, and use that passkey to sign into Azure services as the victim user, escalating their privileges, without needing to have the user’s plaintext password or MFA.

How does Sendbird secure AWS?
Laxman Eppalagudem gives a nice high level overview of Sendbird’s journey in securing their AWS environment, from their initial setup to later improvements. A few improvements they made: using Okta SSO for all users via AWS IAM Identity Center, removing IAM users for engineers, giving developers secure access to EC2/Kubernetes via Teleport instead of SSH, managing Terraform via Atlantis, using break glass role approvals via Okta OIG, adding SCPs, and more.

whoAMI: A cloud image name confusion attack
Datadog’s Seth Art describes a name confusion attack that exploits when AMIs are retrieved by name but the owner (e.g. amazon, ubuntu, …) is omitted, allowing an attacker to publish an AMI with the same or similar name and get code execution in the victim’s account when the malicious AMI is ran. Roughly 1% of the organizations monitored by Datadog were affected as well as internal AWS non-production systems.

As a result, Amazon released Allowed AMIs, a guardrail that lets you provide an allowlist of AMI sources. Datadog has published a Semgrep rule to find vulnerable code patterns and the tool whoAMI-scanner, which audits your currently running EC2 instances and lets you know if any of them were launched from AMIs that are both public and from unverified accounts.

Blue Team

Living Off the Living Off the Land
A collection of >25 Living Off the Land projects (GTFOBins, Living Off The Land Drivers, etc.), curated by Justin Ibarra.

turbot/tailpipe
By Turbot: An open source SIEM for instant log insights, powered by DuckDB. Analyze millions of events in seconds, right from your terminal. Collects logs from cloud, container and application sources. MITRE ATT&CK-aligned queries, prebuilt detections, benchmarks, and dashboards.

Detection engineering at scale: one step closer (part two)
Sekoia’s Guillaume C. and Erwan Chevalier describe a five step detection engineering process: detection rule creation, Alerting and Detection Strategy Framework (ADS), documentation, CI/CD and versioning, continuous testing, and automated documentation generation. The CI/CD process leverages GitHub Actions and includes syntax checking, test coverage verification, and event replay against log parsers in pre-production and production environments.

An inside look at NSA (Equation Group) TTPs from China’s lense
Lina Lau shares insights she gained from reviewing intelligence reports published by China’s Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC) that have been attributed to the NSA (APT-C-40), with a focus on attacks on China’s Northwestern Polytechnical University. The post shares some neat details on how the attacks were attributed to the NSA (attack times in EST working hours and not during American holidays, human errors, and toolkits connected to the Shadow Brokers leak) as well as tools and TTPs across initial access, persistence and lateral movements, data exfiltration, and evasion.

Across NSA, China and Russia, there seems to be a consistent focus on edge devices, IoT, and network appliances - generally don’t have XDR/EDR, great for initial access and persistence. One difference is that Chinese cybersecurity organizations seem more collaborative, openly acknowledging and publicizing their partnerships, while the industry collaboration in the West is more through closed invite-only groups.

Red Team

Introducing Raccoon
LRQA’s Alexandros Vavakos introduces Raccoon, a tool developed during a red team engagement to capture screenshots of minimized windows, specifically targeting 2FA applications.

MorDavid/BloodHoundViewer
By Mor David: A Chrome extension that enhances BloodHound Community Edition with additional features including query history navigation, improved layout controls, and a Neo4j button.

Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
Impressive deep dive by Connor McGarr into the Windows implementation of kernel-mode Intel CET (Control-flow Enforcement Technology).

Bring Your Own Trusted Binary (BYOTB) - BSides Edition
The blog version of JumpSec Labs’ David Kennedy’s BSides London 2024 talk on bringing trusted binaries to a system and using them in an adversarial fashion. The talk focused on binaries that allow for the passing of 5 scenarios:

• Proxy my Kali tools, and tunnel traffic into an environment

• Bypass EDR (e.g. CrowdStrike), on dropping to disk and on execution

• Firewall friendly

• A good alternative to network tunnelling tools (e.g. Ligolo)

• Doesn’t require a pre-installed SSH client

AI + Security

Quicklinks

• Scammers clone Italian defence minister's voice with AI in ransom scheme

• OpenAI is IBM

Workshop: Teaching Semgrep Assistant to filter out the noise with memories
A hands-on workshop for learning how to use human language to teach Semgrep Assistant about trusted data sources, internal sanitizers, and other mitigating context specific to your organization, so you can don’t have to repeatedly triage similar findings.

💡 Being able to customize a tool’s results using human language is pretty nifty, no DSL learning time required!

From CVE to Template: The Future of Automating Nuclei Templates with AI
ProjectDiscovery describes how they use AI to automate Nuclei template generation for new CVEs: fetching CVEs via CVEmap, extracting technical details from POC URLs using ChatGPT, and generating templates with a custom internal API called TemplateMan. Challenges included difficulty in summarizing POC from various sources, weak matchers that could lead to FPs, and inconsistent data (CVE data occasionally had inaccuracies, such as misclassified vulnerabilities).

VulnWatch: AI-Enhanced Prioritization of Vulnerabilities
Anirudh Kondaveeti describes Databricks' AI-driven system for detecting, classifying, and prioritizing vulnerabilities, achieving 85% accuracy in identifying business-critical issues, and “no false negatives in back-tested data.” 🤯 The system ingests CVE data from multiple sources, extracts relevant features (CVSS, EPSS, availability of exploit or patch, …), and uses an ensemble of scores (severity, component, topic) to prioritize vulnerabilities.

It leverages LLMs and vector similarity to match the identified library with existing Databricks libraries, and employs automated instruction optimization to improve accuracy. This approach has reduced manual workload by 95%, allowing the security team to focus on the most critical 5% of vulnerabilities.

Misc

• OSX-PROXMOX - Install macOS on any computer

• SQL Noir - Solve mysteries through SQL

• Cursed fire or #define black magic

• How to turn off in-app rating and review requests by iOS apps

• 50 years of travel tips

• David Perell - $100M CEO’s Writing System (Alex Hormozi Interview)

• The Onion - GigSlave Goes Public With $84 Billion Valuation

• SNL - New York 50th Musical

• Em Beihold - Numb Little Bug (piano version)

• The School of Life - The Psychology of Male Loneliness

• Matthew Hussey - Dating Disappointments: Why You’re Closer to Love Than You Think

• A Notebook System for Your Life - Bullet journaling structure: Notes (what we think), Actions (what we do), Moods (what we feel), Events (what happened)

• Gina Trapani - My Life in Weeks - Neat visualization

• How Diablo hackers uncovered a speedrun scandal - “Investigators decompiled the game to search through 2.2 billion random dungeon seeds.” Now this is a level of thoroughness I can get behind 😂 

• Basketball is a solved sport

• Andrew Wilkinson’s deep dive after getting diagnosed with adult ADHD

• Bruce Schneier - DOGE as a National Cyberattack

• Govt offices gutted by mass layoffs - Including the head of InfoSec of Veterans Affairs

• The candidate for National Cyber Director is a lawyer with basically no previous experience in InfoSec. The prior person had decades at CIA and NSA.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler