I hope you’ve been doing well!
Hacker Summer Camp
This is the first time I’m attending the Vegas conferences since the pandemic, and I’ve been having a blast reconnecting with friends and meeting new people.
I’ve also been chipping away at this issue in the mornings and evenings, like right now, at 11:37pm Wednesday when my friends are at a pool party 😅
To save time in the mornings, I bought some Cheerios and milk from a nearby CVS. But I didn’t have a bowl, so I improvised by getting some containers from Popeyes I’ve been eating out of.
I didn’t choose the glam life, it chose me.
Reminds me of when I was also eating Cheerios in my hotel room in Hawai’i at LocoMocoSec 😆
🎁 tl;dr sec Swag
I’ve been handing out tons of tl;dr sec t-shirts and stickers.
If you want some, find me, or I’ve stashed some 👇️
📣 Rampant cloud activity?
Cloud risk can grow faster than your AWS bill (true story).
That’s why Wiz partnered with Wiley to create the AWS Security for Dummies ebook. This free PDF contains 46 pages of expert tips to harden your AWS environment, including:
- How to get the basics right to help scale security when your footprint (inevitably) grows
- How to secure specific resources based on your usage (VMs, S3, Cloudtrails, and more)
- Which critical weaknesses to prioritize so you aren’t caught off guard
Grab your free digital copy now and boost your AWS security posture.
📜 In this newsletter…
- Web Security: Attack surface detector, tool to check for NGINX path traversal vulnerabilities, exploiting POST-based XSS
- AppSec: “Hot takes” with Caleb Sima
- Cloud Security: Security implications of signing URLs in GCP, “Attacks As A Service” framework built on Google Workflows, CNAPPGoat
- Container Security: Talk: Testing and Fuzzing the Kubernetes Admission Configuration, a tool to fuzz k8s admission controllers
- Red Team: Ghidra plugin for mapping out code coverage data
- Politics / Privacy: China influence campaigns in the U.S.
- Machine Learning + Security: AI vulnerability database, AI incident database, mitigating stored prompt injection
- Machine Learning: Searchable list of AI tools, nice GUIs to write/manage prompts, tool to add guardrails to LLM conversational systems, Adversarial Policies Beat Superhuman Go AIs
- Misc: CLI JSON viewer, layoffs at NCC Group, Do Burnout and Addiction Have the Same Root Cause?, The Past is Not True
Web Security
hahwul/noir
By hahwul and ksg97031: An attack surface detector that automatically extracts endpoints and web resources from source code. Seamlessly integrates with proxy tools like ZAP, Burp Suite, and Caido.
hakaioffsec/navgix
By celesian: A multi-threaded Golang tool that checks for NGINX alias traversal vulnerabilities using heuristics and brute-force techniques.
📣 Just-in-time access for your cloud infrastructure with ConductorOne
Managing access to cloud infrastructure can be a headache.
ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.
Learn how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.
Cybersecurity is just a symptom of a root cause.
The root cause is— in engineering and infrastructure, what are your best practices?
If you have really good engineering and infrastructure hygiene, it resolves 80% of a lot of your cybersecurity symptoms problems.
So the one thing I’d change is that cybersecurity should no longer be a team that layers on top but instead I think engineering needs to eat cybersecurity.
Caleb Sima
Cloud Security
Signing URLs in GCP: Convenience vs. Security
Leviathan’s Vladyslav Horodivskyi delves into the distinctions between signing URLs using a service account key and employing the signBlob IAM method. The latter approach can potentially lead to privilege escalation within your GCP environment if the service account becomes compromised (e.g. due to SSRF, RCE, or local file read). Vladyslav has also created a Terraform script that sets up a vulnerable environment for testing purposes.
vectra-ai-research/derf
By Kat Traxler: DeRF (Detection Replay Framework) is an “Attacks As A Service” framework built on Google Workflows that allows the emulation of offensive techniques and the creation of replicable detection samples in a cloud-based environment.
Red Team
Tool Release: Cartographer
NCC’s Austin Peavy introduces Cartographer, a Ghidra plugin for mapping out code coverage data. It simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and more.
Politics / Privacy
The Chinese marketing firm also supposedly ran 72 fake news sites worldwide, posing as independent news outlets while actually spreading content “strategically aligned with the political interests of China.” This is a meaningful escalation in China’s influence efforts.
Machine Learning + Security
AI Vulnerability Database
An open-source knowledge base of failure modes for AI models, datasets, and systems. Two focuses: a Taxonomy of the different avenues through which an AI system can fail, and a Database of evaluation examples that contain structured information on individual instances of these failure (sub)categories.
AI Incident Database
A database (currently >1,000 incidents) dedicated to indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, it aims to help us learn from experience so we can prevent or mitigate bad outcomes.
Machine Learning
- Future Tools – A searchable, filterable list of almost 2,000 AI tools, by Matt Wolfe.
- ChainForge – An open-source visual programming environment for prompt engineering, LLM evaluation and experimentation. Evaluate the robustness of prompts and text generation models with little to no coding required.
- PromptKnit – Another nice UI around building and managing prompts.
NVIDIA/NeMo-Guardrails
An open-source toolkit for easily adding programmable guardrails to LLM-based conversational systems.
We attack the state-of-the-art Go-playing AI system KataGo by training adversarial policies against it, achieving a >97% win rate against KataGo running at superhuman settings. Our adversaries do not win by playing Go well. Instead, they trick KataGo into making serious blunders. Our attack transfers zero-shot to other superhuman Go-playing AIs, and is comprehensible to the extent that human experts can implement it without algorithmic assistance to consistently beat superhuman AIs. The core vulnerability uncovered by our attack persists even in KataGo agents adversarially trained to defend against our attack. Our results demonstrate that even superhuman AI systems may harbor surprising failure modes.
Misc
- jless – A CLI JSON viewer designed for reading, exploring, and searching through JSON data.
- Beyoncé’s tour has 14 culinary professionals, including an English pastry chef, a vegan chef, and 3 personal chefs just for her and her inner circle. #tldrsectour2024
- Moar Layoffs at NCC Group – Sad, NCC was a really formative place for me, and I got to work with some incredible people, many of whom are still friends today.
Aim a laser pointer at the moon, then move your hand the tiniest bit, and it’ll move a thousand miles at the other end. The tiniest misunderstanding long ago, amplified through time, leads to piles of misunderstandings in the present.
We think of the past like it’s a physical fact – like it’s real. But the past is what we call our memory and stories about it. Imperfect memories, and stories built on one interpretation of incomplete information. That’s “the past”.
You can change your history. The actual factual events are such a small part of it. Everything else is perspective, open for re-interpretation. The past is never done.
Derek Sivers
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏