[tl;dr sec] #186 – Enterprise Purple Teaming, Cloud CTFs, Code Review with LLMs


I hope you’ve been doing well!

New Platform, Who Dis? 👋 

Hello and welcome to the first edition of tl;dr sec on Beehiiv!

If you reached out to me in an effort to try to ensure email filters let this issue reach you, I’m hugely thankful 🙏 

I will respond to your email, I’m just a bit behind.

I’ve included some brief points at the bottom because a few people asked why I switched.

In short: if you’re going to start a newsletter today, I think it’s almost definitely the best option, but happy to chat in more detail about it.

Keep an eye out Thursday mornings (PST) in case you’re not receiving tl;dr sec like normal.

Lots of AI Content This Time

📣 How to automate the detection and prioritization of complex behavioral threats with AWS CloudTrail and Kubernetes audit logs

Monitoring AWS CloudTrail and Kubernetes audit logs is a critical part of maintaining security in your AWS cloud because it provides visibility into your account activity across your infrastructure. Because this data contains all actions performed by all authenticated users, identification of the attackers becomes extremely hard.

Learn from Jeff Vogt, Field CTO at Lacework (and former Senior DevOps Engineer), on how to automate the detection and prioritization of threats from your CloudTrail data so that you can easily (and quickly!) identify attacks such as compromised credentials, potential AWS defense evasion, cloud ransomware, and cloud-based cryptomining.

📜 In this newsletter…

  • AppSec: Awesome Security Challenges, Semgrep Turbo Mode

  • macOS Security: Passkey improvements, a number of new privacy and security features announced 

  • Web Security: A web path fuzzing tool, GraphQLmap

  • Cloud Security: The Big IAM Challenge, tool to find exploitable attack paths in cloud infra, a gamified cloud hacking sandbox

  • Blue Team: Enterprise Purple Teaming, HTTP agnostic software honeypot framework

  • Red Team: A collection of PoC and offensive techniques, breaking down reverse shell commands

  • Machine Learning + Code Auditing: Using AI to find vulns in XNU, evaluating Codex for Solidity code auditing

  • Machine Learning + Security: LLM security Twitter account, Google’s Secure AI framework, typosquatting ChatGPT hallucinated packages

  • Machine Learning: ML for document extraction, OpenAI updates (function calling), JSONformer, Microsoft’s prompt engine library

  • Misc: Social media protocol on DNS, Tanya Janca on getting better sleep

  • Why Beehiiv?: A few thoughts on why I switched from MailChimp

AppSec

…But we were pressed for time, so we instead wrote a temporary hack that would make functional programmers sick to their stomach. We exploited the fact that JavaScript objects are mutable and…

macOS Security

I love to see privacy and security as selling points  

Passkeys
Passkeys allow you to authenticate with apps and services using Face ID or Touch ID instead of remembering a password.

Apple now enables the synchronization of Passkeys with external providers such as password managers, and lets you share your passwords and passkeys from iCloud Keychain with groups or family members.

  • Major updates to Safari Private Browsing (advanced tracking and fingerprinting protections), Communication Safety, and Lockdown Mode, as well as app privacy improvements.

  • Link Tracking Protection in Messages, Mail, and Safari Private Browsing removes extra information from links to protect users from tracking and more.

📣 We Hack Purple – Everything You Need to Learn Secure Coding, and More!

Learn how to create secure software, from industry experts! Our fun, live, virtual training teaches developers to code more securely, with checklists, free access to on-demand courses, and a supportive online community, all for one price. Hire us to train your AppSec team, as we build your custom application security program, together! With customized training available, we have something that fits every organization’s software security training needs.

Cloud Security

Introducing Cloudfoxable: A Gamified Cloud Hacking Sandbox
Bishop Fox’s Seth Art introduces Cloudfoxable, an intentionally vulnerable AWS environment created to teach AWS cloud penetration testing, with scenarios based on real cloud pen tests.

What sets CloudFoxable apart is its focus on creating as many distinct vulnerable resources and flags as possible – rewarding users for finding new entry points, lateral movement paths, and data access strategies.

Red Team

Breaking down Reverse shell commands
Aditya Telange provides a visual overview of some of the most common reverse shell commands, including interactive shells, file descriptors, and read lines, offering a detailed explanation of the various parameters and options involved.

Machine Learning + Code Auditing

Editor’s note: I’ve seen a number of blog posts where people use LLMs for auditing source code. Some of them have pretty poor methodologies. The Trail of Bits post below is probably the best one I’ve seen so far in teasing out nuances.

I think there are a lot of improvements and potential future work in this space; I just want to point out the challenges and nuances so next time you see a blog post or company like, “ZOMG LLMs can find every vulnerability evar!” you’ll think critically about their approach and methodology.

Also, TIL about Fill-Mask: mask some of the words in a sentence and predict which words should replace those masks.

In the current state of the AIs used (Which could VERY well be due to my misuse of them), I did not find this a compelling use case. Perhaps if I understood things better and had the time/patience/more effort to put into this it could’ve been better (And likely would be!).

There is no particularly good way to determine if one prompt is better than another or if you’re on the right track. Similarly, when a prompt fails against an input, it is frustratingly difficult to figure out why and to determine, programmatically, which prompts are merely returning the wrong result versus completely hallucinating and misbehaving.

Unit tests are also problematic; the results are not guaranteed to be the same across runs, and newer models may not provide the same results as prior ones. There is certainly a solution here, but again, the tooling developers expect just wasn’t present.

Machine Learning + Security

LLM Security
Twitter account that shares nice LLM + security resources.

Machine Learning

deepdoctection/deepdoctection
A Python library that orchestrates document extraction and document layout analysis tasks using deep learning models.

OpenAI – Function calling and other API updates
More steerable versions of GPT-4 and gpt-3.5-turbo, a 16k context version of gpt-3.5-turbo, and some models are now cheaper. Function calling allows you to have the LLM take your prompt and output JSON containing well-structured arguments to the functions you’ve defined for it (e.g. calling external APIs).

1rgs/jsonformer
A bulletproof way to generate structured JSON from Language Models.

Misc

jonny/DNSocial
A truly decentralized social media protocol that works by posting directly to DNS 😂 Any domain or subdomain is a feed. Posts for that feed are TXT records.

#WeHackHealth Getting Better Sleep
My friend Tanya Janca shares her tips on getting better sleep, discussing caffeine, lowering the lights and removing blue lights when the sun sets, amber/warm vs blue lightbulbs, TV and phone use, blackout curtains, sun lamps, magnesium, sleep rituals, journals/lists, jetlag, diets and eating window, meditation, snoring and sleep apnea, and more.

Why Beehiiv?

I’ll write a post about this at some point, but because a few people asked:

  • Modern, clean UI and nice writing experience.

  • Solid analytics for understanding how people find your newsletter and built-in growth mechanisms (referral program, recommendations, etc.).

  • Creator-friendly business model – they charge you a flat monthly fee and don’t take 10% of subscriptions like Substack does.

  • They ship features faster than potentially almost any company I’ve ever seen. Unbelievable.

I have a referral link here, but honestly I would recommend Beehiiv regardless.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏


