[tl;dr sec] #201 – CloudRecon, LLM Security, Okta for Red Teamers


I hope you’ve been doing well!

📣 Accepting Sponsors for 2024!

Hi! Clint here with a special TV newsletter offer.

Do you have an awesome security product?

Would you like to showcase your security product and brand to over 25,000 security professionals, ranging from senior individual contributors to CISOs?

Well I won’t bury the lead (😉), you can, by sponsoring this very newsletter.

  • Prior sponsors: “We’ll buy as many issues as you’ll sell us.” “tl;dr sec is our highest signal channel.”

  • In under 4 years, five start-ups who sponsored tl;dr sec have been acquired.

  • Many companies have come back for additional, often bigger sponsorships.

Email 👉️ [email protected] 👈️ and you’ll also get stickers, and a year’s supply of high fives, knowing nods, and finger guns at conferences.

We generally book out at least a few months in advance, so now’s the time to spend that end of year budget.

I’m waiting by my rotary phone*, talk to you soon!

*If you’re Gen Z, sorry if you feel excluded by that joke. You can look it up on the TikToks.

📣 CNAPP for Dummies

A clear, friendly guide to mastering the hot new category in cloud-native security that’s taking the industry by storm.

Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you *need* to know to secure the changing landscape of cloud-native applications and protect your cloud environment today.

> The fundamentals of cloud-native security
> Powerful tactics to strengthen security measures
> Best practices for getting started
> Techniques to shift security up the pipeline (and ahead of threats)
> 10 strategies for maximizing the potential of your CNAPP

Wiz has been the fastest software company to get to $100M ARR and a $10B valuation. They also sponsor tl;dr sec. 😉 

AppSec

  • hashicorp/cap – A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP.

  • gl-infra/pmv – A tiny utility for working with the 1Password CLI.

  • Passkeys are generally available
    All GitHub.com users can now register a passkey to sign in without a password.

boringtools/git-alerts
A tool to help detect and monitor public repositories creation under the organization and organization users as well, which could leak secrets, internal info, code, etc. The latter you can’t control easily as an admin, and some studies have shown that many times org secrets are leaked in an individual’s git repo, not necessarily an org repo.

📣 Consolidate access privileges for humans and machines with Teleport

Adding new software, onboarding employees, and expanding infrastructure means complexity that increases as you scale.

With Teleport, teams no longer have to choose between good security and making engineers happy. Rather than creating more “security theater” with solutions that either don’t get adopted or are just flat-out bypassed, Teleport provides a secure solution to manage infrastructure access that doesn’t get in the way.

Learn how you can implement true zero trust, move away from static credentials towards short-lived certificates, and more below.

Increasing security and keeping friction low? I’m about it!

Web Security

Client-side JavaScript Instrumentation
Doyensec’s Dennis Goodlett delves into client-side JavaScript instrumentation and his methodology for identifying security issues within large and complex codebases. Dennis introduces Eval Villain, a web extension designed to hook both native and non-native JavaScript functions across all frames and pages before their usage, among other capabilities. This is really cool work!

Cloud Security

aws-samples/aws-customer-playbook-framework
A repos that offers a set of sample templates for security playbooks to address various scenarios encountered when using AWS, including responses to compromised IAM credentials, unauthorized network changes, bitcoin and cryptojacking, among others.

AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Gem’s Itay Harel discusses a new technique that attackers use to exploit the default configuration of AWS when SourceIdentity is not set. A federated console session lets you convert a CLI session into a console session, and through this “Console Conceal” quirk, every action carried out through the AWS Console will not be logged with the temporary access key of the attacker’s role session, but with an access key ID that isn’t the same as the one that appears in the AssumeRole event.

Supply Chain

The massive bug at the heart of the npm ecosystem
Oh JavaScript 🤦 Darcy Clarke describes how npm package manifests are published independently from their tarball, manifests are never fully validated against the tarball’s contents, and thus how any tooling that assumes they are the same can be tricked.

Manifest Confusion in PyPI
Stian Kristoffersen discusses manifest confusion attacks on PyPi, which refers to the fact that package managers (e.g. pip, poetry) resolve dependencies differently than security tools (SCA or malicious dependency vendors). This can lead to malicious or vulnerable packages being installed.

Further, an attacker could add, or change binary distributions at a later point, so what was initially scanned by the security vendor may not be what’s currently in the package.

Blue Team

jamf/aftermath
By Stuart Ashenbrenner et al: An open-source incident response framework for macOS that collects and analyzes data from compromised hosts. The tool can be deployed from an MDM or run independently from the user’s command line.

Red Team

google/bindiff
Google has open sourced BinDiff, a comparison tool for binary files that assists vulnerability researchers and engineers in finding differences and similarities in disassembled code. For example, identifying and isolating fixes for vulnerabilities in vendor-supplied patches.

Okta for Red Teamers
TrustedSec’s Adam Chester discusses post-exploitation techniques for Okta, including Okta Delegated Authentication, hijacking the Okta AD Agent, hijacking Okta AD as an admin, and using a fake SAML provider.

Politics / Privacy

“The described capability could allow attackers to target individuals based on demographic and behavioral characteristics collected by ad networks [and thus] target people from a specific ethnic group or retarget individuals who have visited an independent media website critical of the government.”

“Without teaching grandma to suck eggs, all war is cognitive. It’s never about killing everybody, it’s about bending people to your will, and getting them to behave in the way you want them to behave.”

Machine Learning + Security

pruzko/hakuin
By Jakub Pruzinec: A blind SQL Injection optimization and automation framework that uses pre-trained and adaptive language models to efficiently extract textual data from databases.mlbr3it

Note: this happens at a fairly low percentage of the prompt attempts, and many of the generated secrets are not valid (wrong structure), so I’d read this paper for the details.

Machine Learning

  • SeaGOAT – A local search tool that leverages vector embeddings to enable to search your codebase semantically, by Dániel Kántor.

  • Magentic – Add the @prompt decorator to create Python functions that return structured output from an LLM.

  • OpenAI Cookbook – Guides on how to do common tasks with LLMs.

  • Podcast about AI podcasting (text → audio, other languages, …), featuring Wondercraft.ai.

  • Introducing Mozilla.ai: Investing in trustworthy AI

  • ChatGPT can now browse the Internet

  • ChatGPT can now see, hear, and speak – “Snap a picture of a landmark while traveling and have a live conversation about what’s interesting about it.”

Siqi Chen: How to get GPT4 to teach you anything
“Teach me how works by asking questions about my level of understanding of necessary concepts. With each response, fill in gaps in my understanding, then recursively ask me more questions to check my understanding.”

Mike Crittenden: Atomic habit building with ChatGPT
“Imagine I want to develop the habit of [insert the desired habit here]. Can you provide creative ideas for each of the Four Laws of Behavior Change? Specifically, suggest a cue that will remind me to start the habit, a way to make the habit attractive and create a craving, a method to make the habit easy to perform as a response, and a reward that will make the habit satisfying.“

Career

The Dark Side of Tech Culture
“A lot of the dissatisfaction that professionals have with their work environment stem from not recognizing (or refusing to recognize) their employer’s cultural priorities. The employer that prioritizes productivity above all else likely doesn’t care about your burnout or professional fulfilment — as long as you’re productive.”

Sergio Pereira: How to effectively highlight your experience
Including: dig into what you concretely achieved, highlight specific programming languages and tools you worked with as well as vendors/partner APIs, mention if you were involved with building important workflows (e.g. authn/authz, payments, etc.), etc.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏





Source link