[tl;dr sec] #204 – Following Attackers’ CloudTrail, SSH Security Tools, Secure by Design


I hope you’ve been doing well!

🤖 AI Meetups Erry’ Day

Living in the Bay Area, there appears to be an ever-increasing number of AI-related events.

No one has (yet) approached me with matching outfits and a book, offering to teach me the Good Word about AGI. But it’s close.

Over the last few weeks, I’ll have attended a few AI evening events, two half-day summits, and a private potluck 😆 

I wonder if living through this is like witnessing the Cambrian explosion of creativity and innovation that occurred in the early days of the invention of the personal computer.

Despite me going on record in this 2020 Forbes article saying machine learning in cybersecurity (at the time) was more hype than realized potential, I do think there’s something here.

I don’t think LLMs will solve all problems, and there’s certainly much more work to be done, but personally I’ve found it’s added some fun to tasks: whether it’s rapidly prototyping one-off scripts, generating writing in a certain style, or creating fantastical images I could never draw.

Anywho, just wanted to share, I hope I’m not coming off like this.

📣 Hear the Latest in InfoSec Directly from Today’s InfoSec Leaders

Whether you’re just getting started, or you’re an experienced Information Security professional yourself, it always helps to hear from others in the field what’s important to them, what they’ve experienced, what has worked for them, and even what hasn’t. We’ve started a new monthly live streaming series where Hyperproof’s own Field CISO, Kayne McGladrey, interviews a new InfoSec thought leader each week to discuss:

– Best practices in cybersecurity
– The evolution of information security
– Work-life balance
– And more…

Ooo an interview with Ali Khan, the Field CISO of ReversingLabs 👀 They do cool stuff, should be an interesting discussion.

📜 In this newsletter…

  • Web Security: Two tools to find the origin server behind Cloudflare

  • AppSec: Free Harvard intro to security class, CISA Secure by Design whitepaper update, research project to ‘distill’ old military software, leading cybersecurity with a control vs resilience strategy

  • Cloud Security: Reference architecture for FedRAMP AWS builds, AWS support responds differently to leaked access keys, meeting FedRAMP crypto requirements in AWS, following attackers’ CloudTrail

  • Container Security: Improve your k8s security posture with one label, bootstrap an air gapped cluster with kubeadm

  • Supply Chain: OpenSSF’s threat model for OSS supply chain risk, a YAML spec for describing your repo’s security properties

  • Blue Team: SSH server and client security auditing tool, a daemon to monitor OpenSSH servers and record all activity, you should know EPSS

  • Red Team: Tool to harvest passwords automatically from OpenSSH, a general purpose RE API and hybrid debugger

  • Machine Learning + Security: Multi-modal prompt injection via images, securing ChatGPT and GitHub Copilot use in your company

  • Machine Learning: Google’s got your legal back in court if you use their LLMs, auto-generate Terraform test files, AI predicting new COVID strains, open questions for AI engineering

  • Misc: Rust to Assembly, HashiCorp CEO on needing new OSS licensing expectations, California’s Delete Act, vulns with logos, end of life software list.

📣 Uncover Hidden Risk

Most cloud risk isn’t invisible, just unseen.

That’s why 35% of Fortune 100 companies rely on Wiz to answer their most burning cloud security questions:

  • What are the most critical risks in your cloud environment?

  • Which CVEs require attention? Which ones are noise?

  • What toxic combinations are inadvertently increasing your risk profile (and how to reduce them)?

  • Which lateral movement paths can attackers use to access sensitive resources?

  • What is the context behind each risk? Because that’s the holy grail for security teams.

Curious to see how Wiz can detect and prioritize risk in your cloud environment?

Book a platform tour with a Wiz expert. You’ll learn how Wiz works and what hidden risks it can uncover across your cloud.

AppSec

Leading Cybersecurity with a Control vs. Resilience Strategy
Kelly Shortridge outlines two paths we can pursue for our cybersecurity strategy. Why do people follow the “control” strategy? It’s easier and you can blame users when they don’t follow the high friction path you’ve laid out for them. “Humans don’t interact with software or systems to be secure, they interact to perform a task to achieve a goal.”

Container Security

Bootstrap an Air Gapped Cluster With Kubeadm
Rob Mengert walks through bootstrapping a Kubernetes cluster in an air-gapped lab environment (no Internet access) using Fedora Linux and kubeadm. See also Zarf, a tool that takes a declarative approach to software packaging and delivery, including air gap.

Blue Team

jtesta/ssh-audit
An SSH server & client security auditing tool: banner, key exchange, encryption, MAC, compression, compatibility, security, etc., by Positron Security’s Joe Testa.

sshlog/agent
A free Linux daemon that passively monitors OpenSSH servers via eBPF. It can record all SSH session activity (commands and output) to log files for any connecting user, watch SSH sessions and post Slack messages or run arbitrary commands when specific activity occurs, forward all SSH events to a remote syslog server, and more.

Vulnerability Management: You should know about EPSS
Ryan McGeehan walks through the value of the Exploit Prediction Scoring System (EPSS), which spits out a probability of a CVE being exploited in the wild within 30 days. This helps you prioritize your remediation efforts, as most vulnerabilities (even those with CVSS High and Critical) are not exploited in the wild.

Red Team

codereversing/ted_api
By Alex Abramov: A general purpose reverse engineering API and hybrid debugger that allows for inspection and modification of a program’s inner workings. It works by being injected into a target process and starting a gRPC server, which clients can then connect to.

Machine Learning + Security

Machine Learning

  • Like Microsoft, Google Cloud will assume responsibility for any legal risks if you’re challenged on copyright grounds due to using Duet AI or Vertex AI.

  • New: Terraform can now auto-generate test files for private modules using generative AI

  • Harvard and University of Oxford researchers are harnessing AI to predict threatening new strains of COVID-19 and other viruses. It successfully predicted the most frequent mutations and dangerous variants of SARS-CoV-2.

Simon argues that ChatGPT ultimately helps programmers by flattening the learning curve and rapidly getting you to an 80% solution, even if you’re not familiar with the language.

Also, TIL you can extend ChatGPT Code Interpreter by uploading Python dependencies (that it can then use), or a JavaScript or Lua interpreter, for example. 🤯 

Misc

  • Rust to Assembly: Understanding the Inner Workings of Rust

  • HashiCorp’s CEO predicted there would be “no more open source companies in Silicon Valley” unless the community rethinks how it protects innovation, as he defended the firm’s license switch at its user conference this month.

    • I am not a lawyer, but to be honest, “All production uses are allowed other than hosting or embedding the software in an offering competitive with HashiCorp commercial products, hosted or self-managed” seems reasonable to me 🤷 

  • California Governor Gavin Newsom has signed the Delete Act, mandating the creation of a tool by 2026 that allows Californians to request data brokers to delete their personal information in a single request.

endoflife.date
Documents EOL dates and support lifecycles for ~265 products. See also xeol.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏




