[tl;dr sec] #176 – Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages


Hey there,

I hope you’ve been doing well!

Workplace Challenges

You know, sometimes you try your best to fit in with work culture, and it still
doesn’t work out.

Insensitivity like that at work gits me real fired up.

Sponsor

📢 Tailscale, a frustratingly simple VPN

Tailscale is the simple and secure way to build and manage your team’s network.

We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.

Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.

Use Tailscale for free

📜 In this newsletter…

  • Web Security: debugHunter, exploiting prototype pollution in Node without the filesystem
  • GitHub: ToBeReviewedBot, VS Code GitHub Actions extension, GitHub vulnerability management integrations, GitHub Copilot X: The AI-powered developer experience
  • Cloud Security: AI infra as code generator, CLI tool to more easily enumerate your AWS account, what happens when you publish your AWS Access Key to GitHub, A Guide to S3 Logging, Automate IAM credential reports for large Orgs, Exploring Amazon VPC Lattice, Pentesting AWS, Datadog’s Cloud Security Atlas
  • Container Security: Deploy services to AWS ECS from docker-compose files
  • Blue Team: Check if a list of domains can be spoofed based on SPF and DMARC records, How we built DMARC Management using Cloudflare Workers
  • Supply Chain: Finding Malicious PyPi Packages in the Wild, Introducing SafeDep vet, chainloop: a software supply chain control plane, attackers have better things to do than corrupt your builds
  • Politics / Privacy: Help, My Therapist Is Also an Influencer!, Australian Parliament’s Exploration of CCP’s Ties to TikTok, The FBI Just Admitted It Bought US Location Data
  • Misc: Tabloid: The Clickbait Headline Programming Language, protect your time like your life
  • Machine Learning: YakGPT, D&D with ChatGPT4 as the DM, scrapeghost, Segment Anything, Semgrep + GPT 4, 6 Phases of the Post-GPT World, Existential risk, AI, and the inevitable turn in human history

Web Security

devploit/debugHunter
By Daniel Púa: A Chrome extension that scans websites for debugging parameters and notifies you when it finds a URL with modified responses.

Exploiting prototype pollution in Node without the filesystem
If you’ve detected Server-Side Prototype Pollution, PortSwigger’s Gareth Heyes describes how to use the --import CLI flag in Node to execute arbitrary code without requiring a local file. There’s also a learning lab to practice on.

Sponsor

📢 Attacks can happen anywhere. So, Cloudflare is everywhere.

Your workers, applications, and data are now everywhere. Your security should be too. That’s why Cloudflare has taken a fundamentally different approach – a unified platform, powered by an intelligent global network that sees and stops 136 billion threats per day. With over 25 security services delivered on a single control plane, you can strengthen and simplify security everywhere you do business.

Learn more

GitHub

tailscale/ToBeReviewedBot
A GitHub App to watch for PRs merged without a reviewer approving, by Tailscale.

Announcing the GitHub Actions extension for VS Code
The official GitHub Actions VS Code extension provides support for authoring and editing workflows, and helps you manage workflow runs without leaving your IDE.

Introducing GitHub vulnerability management integrations for security professionals
GitHub now supports integration with the following vulnerability management providers: Brinqa, Kenna Security, Nucleus, and Threadfix.

GitHub Copilot X: The AI-powered developer experience

  • Auto-generate PR description text based on code changes. Automatically warn if you’re missing sufficient testing for a pull request and then suggest potential tests.
  • GitHub Copilot Chat: ChatGPT-like experience in your editor. Get in-depth analysis and explanations of what code blocks are intended to do, generate unit tests, and even get proposed fixes to bugs. Can also just use your voice.
  • Use a chat interface to ask docs questions.
  • Copilot for CLI

Cloud Security

gofireflyio/aiac
AI Infrastructure as Code generator, by Firefly.

oguzhan-yilmaz/balcony
By Oğuzhan Yılmaz: Effortlessly enumerate your AWS Account with Balcony – a CLI tool that utilizes the AWS API and automatically populates required parameters.

Public Access Key – 2023
Chris Farris walks through the timeline of what happened when he intentionally published an AWS Access Key and its secret to GitHub.

A Guide to S3 Logging
Rami McCarthy on what you should do about S3 logging, comparing S3 logs (data events vs server access logs), working with Server Access Logs, and more.

Automate IAM credential reports for large AWS Organizations
How to automate IAM credential reports in AWS Organizations with many accounts. The reports list all AWS IAM users in your accounts and the status of their credentials, including passwords, access keys, and MFA devices.

Exploring Amazon VPC Lattice
Ian Mckay walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall. VPC Lattice is a service that enables you to connect clients to services within a VPC.


Welcome to the Jungle: Pentesting AWS
Presentation by Black Hills Information Security’s Mike Felch on:

  1. Adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources.
  2. Exploitation, lateral movement, and privilege escalation methodology for those looking to get their start with AWS penetration tests.
  3. Tool release to help extract the discovered vulnerabilities and generate boilerplate language for the report.

Identify and remediate common cloud risks with the Datadog Cloud Security Atlas
Datadog’s Andrew Krug and Christophe Tafani-Dereeper announce Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments. You can search and filter by cloud provider platform and risk type, and sort by impact, exploitability, and recency.


Container Security

ECS Compose-X
Easily deploy your services to AWS ECS from your docker-compose files.

Blue Team

MattKeeley/Spoofy
A program that checks if a list of domains can be spoofed based on SPF and DMARC records, by Matt Keeley.

How we built DMARC Management using Cloudflare Workers
Cloudflare’s André Cruz and Nelson Duarte describe how Cloudflare’s new DMARC management was built, using Workers, R2, and other Cloudflare platform features. Cloudflare Workers seem neat, I keep meaning to play around with them more.

Supply Chain

Finding Malicious PyPi Packages in the Wild
Insomni’Hack presentation by Christophe Tafani-Dereeper and Vladimir de Turckheim that provides an overview of malicious software packages in 2023 and approaches to detect them, describes GuardDog, their open source tool to detect malicious packages, and findings from continuously scanning PyPI. 900+ malicious package dataset here.

Introducing SafeDep vet 🚀
Madhu Akula and Abhisek Datta announce vet, a tool for identifying risks in open source software supply chains that lets you define organizational “policy as code” and enforce it in CI/CD.


chainloop-dev/chainloop
An open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. With Chainloop, SecOps teams can declaratively state the attestation and artifacts expectations for their organization’s CI/CD workflows, while also resting assured that latest standards and best practices are put in place.

See also Software Supply Chain Attestation the Easy Way by Chainloop’s Miguel Martinez Trivino.

Attackers have better things to do than corrupt your builds
Kelly Shortridge argues that exploiting a vulnerability in your build pipeline is not the most effective action for an attacker, since with that access they can do other things. Nice discussion of attack paths and the importance of understanding build processes as a security professional.

Much of what we seek from a security perspective is enveloped by reliability. Security is ultimately a subset of software quality. This is a lesson that more security professionals should heed, especially those that protest that software engineers “don’t care about security.”

Instead of barking up errant trees, security professionals should seek opportunities to invest in reliability with auxiliary security benefits so everyone wins.

Politics / Privacy

Help, My Therapist Is Also an Influencer!
What happens when your therapist uses your session as inspiration for their growing TikTok following?

Australian Parliament’s Exploration of CCP’s Ties to TikTok
The 113-page doc details the CCP’s controls and its surveillance and propaganda aims, which contradict TikTok’s public statements. From the executive summary:

Australian Parliament Ccp Tiktok

The FBI Just Admitted It Bought US Location Data
So they didn’t have to obtain a warrant.

The Department of Homeland Security, for one, is reported to have purchased the geolocations of millions of Americans from private marketing firms. In that instance, the data were derived from a range of deceivingly benign sources, such as mobile games and weather apps. Beyond the federal government, state and local authorities have been known to acquire software that feeds off cellphone-tracking data.

H/T Zack Whittaker for the meme.

If You Wanna Steal My Data

Misc

Tabloid: The Clickbait Headline Programming Language
A Turing-complete programming language for writing programs in the style of clickbait news headlines 🤣


Machine Learning

YakGPT
A simple, locally running ChatGPT UI.

My kids and I just played D&D with ChatGPT4 as the DM
Wow, and it was really good.

scrapeghost
An experimental library for scraping websites using OpenAI’s GPT.

Segment Anything
A new AI model from Meta AI that can “cut out” any object, in any image, with a single click.

We put GPT-4 in Semgrep to point out false positives & fix code
r2c’s Bence Nagy describes the newly launched Semgrep Assistant, which provides automated recommendations for triaging findings and suggested code remediations, using Semgrep + GPT-4.


6 Phases of the Post-GPT World
What Daniel Miessler thinks is coming as a result of connecting GPT-4 to the Internet: companies and people become models/APIs, AI assistants, content authentication, knowledge work replacement, and the creativity explosion.

Existential risk, AI, and the inevitable turn in human history
Tyler Cowen argues that we should move forward with AI, and that in some ways it’s inevitable anyway.

For my entire life, and a bit more, there have been two essential features of the basic landscape:

  1. American hegemony over much of the world, and relative physical safety for Americans.
  2. An absence of truly radical technological change.

In other words, virtually all of us have been living in a bubble “outside of history.”

Hardly anyone you know, including yourself, is prepared to live in actual “moving” history. It will panic many of us, disorient the rest of us, and cause great upheavals in our fortunes, both good and bad.

The reality is that no one at the beginning of the printing press had any real idea of the changes it would bring. No one at the beginning of the fossil fuel era had much of an idea of the changes it would bring. No one is good at predicting the longer-term or even medium-term outcomes of these radical technological changes.

Astral Codex Ten argues why this is a bad way to look at it. Tyler Cowen’s reply.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏

Thanks for reading!

Cheers,
Clint


@clintgibler




