I hope you’ve been doing well!
🎅 Last tl;dr sec until January 4th
This issue will be the last tl;dr sec for the year (I know, so sad).
I will be spending the break ~~stressing about all the new links coming out I’m not summarizing~~ relaxing.
I have some exciting new things planned for 2024 that I can’t wait to share with you.
I hope you have a wonderful, restful break with friends and family.
Terraform. Vault. Vagrant. Packer.
HashiCorp builds some of the most widely used dev tools, but how do they build them securely?
I had the pleasure of chatting with Jamie Finnigan, the Director of Product Security at HashiCorp, and learned about:
- The structure of HashiCorp’s Product Security Org
- How they build developer-friendly security tooling
- Some neat security engineering projects they’ve done, like eliminating server-side request forgery (SSRF) via secure defaults
- and much more!
The shocking reality of critical vulnerabilities in publicly-exposed containers.
Kubernetes (K8s) has transformed the way applications are deployed and managed in the cloud-native landscape. Based on our scans of over 200,000 cloud accounts, the Wiz Security Research team exposes how many clusters are at risk, and what it means for your cloud defense. You’ll discover:
- In-depth breakdown of Kubernetes attack chains
- Statistics on security controls and mitigations
- The best ways to defend against cloud attacks
Think of it as your playbook against cloud threats. All this and more can be found in the free 2023 Kubernetes Security Report.
AppSec
Azure DevOps Services Attack Toolkit
A modular tool by IBM X-Force Red’s Brett Hawkins that leverages Azure DevOps Services’ REST API, with modules supporting reconnaissance, privilege escalation, and persistence attacks. See also Brett’s accompanying BlackHat EU slides and whitepaper here.
dub-flow/sessionprobe
By Florian Walter: A multi-threaded pentesting tool designed to assist in evaluating user privileges in web applications. It takes a user’s session token and checks if it’s possible to access a list of URLs, highlighting potential authorization issues.
The State of ASPM 2024
Cycode shares a report (ungated link) from surveying 500 CISOs/directors. One thing they found that stuck out to me: 95% of security professionals surveyed are currently using 20 or more security tools 😅
+1500 HuggingFace API Tokens were exposed
In a result that should surprise no one, existing popular secret scanning tools weren’t scanning for HuggingFace API tokens → Lasso Security found a bunch were leaked publicly across GitHub and HuggingFace repositories, including companies like Meta, Microsoft, Google, and VMware. This could allow an attacker to modify a model to make it behave incorrectly, access private models or datasets, etc.
I thought how they got around GitHub search’s limitations (returning 100 results per query) was interesting: by making their token prefix longer, brute forcing the first two letters of the token to receive fewer responses per request.
What many teams have discovered as they’ve grown their infrastructure is that traditional access control systems do not scale.
Not only does the risk of a breach increase with numerous credentials and standing privileges, but forcing developers to juggle hundreds of secrets to do their jobs limits productivity and encourages insecure workarounds.
This O’Reilly book explains the concept of identity-based infrastructure access and compares it with traditional methods that rely on secrets.
A free book, let’s go! 👆️
Cloud Security
Preventing Accidental Internet-Exposure of AWS Resources (Part 1: VPC)
Kevin Hock walks through how to prevent a frequent source of breaches, focusing in this post on resources exclusively in a VPC (EC2 instances, ELBs, RDS databases, etc.). You can ban "ec2:CreateInternetGateway" in subaccounts via SCP, and Kevin discusses 5 options for supporting egress in private VPC accounts, including: centralized egress via 1) Transit Gateway, 2) PrivateLink with Proxy, or 3) Gateway Load Balancer with Firewall, 4) VPC sharing or 5) IPv6.
How adversaries infiltrate AWS cloud accounts
Red Canary’s Thomas Gardner and Cody Betsworth describe how adversaries can use AWS’s Security Token Service (STS) for persistence, by creating multiple long-term (AKIA) and short-term (ASIA) access tokens to impersonate user identities and roles. By using the short-term tokens for malicious activity, like exfiltrating S3 bucket data, the long-term tokens may not be noticed by defenders.
Recommendations: Log all CloudTrail event data to a data lake for analysis (seven-day minimum), build alerting to detect role chaining events and MFA abuse, and build queries/dashboards to identify chained credentials by token or MFA device.
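One way to approach the last recommendation, identifying chained credentials by token, as an added example (not code from Red Canary or this newsletter): it links each temporary key to the key that requested it via the `responseElements.credentials.accessKeyId` field of STS events. The events and key values are constructed samples, and the function names are illustrative.

```python
from collections import defaultdict
STS_ISSUERS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}

def _ev(name, id_type, caller_key, issued_key=None, source="sts.amazonaws.com"):
    resp = {"credentials": {"accessKeyId": issued_key}} if issued_key else None
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": id_type, "accessKeyId": caller_key},
            "responseElements": resp}

# Constructed sample events (not real keys or logs); _ev keeps only the fields used below.
EVENTS = [
    _ev("GetSessionToken", "IAMUser", "AKIAEXAMPLEUSER00001", "ASIAEXAMPLETEMP00001"),
    _ev("AssumeRole", "IAMUser", "ASIAEXAMPLETEMP00001", "ASIAEXAMPLETEMP00002"),
    _ev("AssumeRole", "AssumedRole", "ASIAEXAMPLETEMP00002", "ASIAEXAMPLETEMP00003"),
    _ev("GetObject", "AssumedRole", "ASIAEXAMPLETEMP00003", source="s3.amazonaws.com"),
    _ev("AssumeRole", "IAMUser", "AKIAEXAMPLEUSER00002"),  # failed call: nothing issued
    _ev("ListBuckets", "IAMUser", "AKIAEXAMPLEUSER00002", source="s3.amazonaws.com"),
]

def build_parent_map(events):
    """Map each issued temporary key to the key that requested it."""
    parents = {}
    for e in events:
        creds = (e.get("responseElements") or {}).get("credentials") or {}
        issued, caller = creds.get("accessKeyId"), e["userIdentity"].get("accessKeyId")
        if e["eventName"] in STS_ISSUERS and issued and caller:
            parents[issued] = caller
    return parents

def root_key(key, parents):
    """Follow the chain back to the originating key; the seen-set stops on loops."""
    seen = set()
    while key in parents and key not in seen:
        seen.add(key)
        key = parents[key]
    return key

def role_chaining_events(events):
    """AssumeRole calls made by a session that is itself an assumed role."""
    return [e for e in events if e["eventName"] == "AssumeRole"
            and e["userIdentity"]["type"] == "AssumedRole"]

def activity_by_root(events):
    """Group non-STS activity under the originating key behind each session."""
    parents, grouped = build_parent_map(events), defaultdict(list)
    for e in events:
        if e["eventSource"] != "sts.amazonaws.com":
            root = root_key(e["userIdentity"]["accessKeyId"], parents)
            grouped[root].append(f'{e["eventSource"].split(".")[0]}:{e["eventName"]}')
    return dict(grouped)
```

The chain can only be followed as far back as the retained logs go, which is why the retention recommendation above matters for this kind of query.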
Container Security
openclarity/kubeclarity
A tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It can scan both runtime k8s clusters and CI/CD pipelines.
Considerations for Keeping Images Up to Date
A docs page by Chainguard covering image versioning and naming conventions and tools to automate updates (watchtower, FluxCD, Argo CD’s Image Update tool, digesta-bot). It recommends pinning to an image digest, not a tag, because an image digest is immutable (tags can change), ensuring reproducibility for your environment.
Kubernetes security fundamentals: API Security
Datadog’s Rory McCune gives a detailed breakdown of relevant Kubernetes components and ports, their purpose, security implications of their exposure, and how managed vs unmanaged Kubernetes differs. References: etcd, kube-apiserver, kube-proxy, and more.
Blue Team
Cloudypots: Our Latest Method for Uncovering Novel Attack Techniques
Cado Security’s Nate Bill describes Cloudypots, their new system that leverages OpenStack to run honeypot VMs. The VMs run popular software at known vulnerable versions (GitLab, Confluence, Docker, Jupyter, Kubernetes), with Thinkst canaries for AWS tokens, bait executables for common CLI tools exploited by attackers, and more, to detect what the attacker is trying to do: cryptomine, DoS, etc. Great end-to-end walkthrough of how it works.
tsale/EDR-Telemetry
A project by Kostas and Alex Teixeira that provides a list of telemetry features from EDR products and other endpoint agents, broken down by category, to enable security practitioners to compare and evaluate the telemetry potential from the tools while encouraging EDR vendors to be more transparent. I love the transparency, and the breakdown table is 🔥 .
Navigating the Maze of Incident Response
New free 74-page guide by Microsoft Security on how to structure the human elements of an incident response, with recommendations and best practices to help navigate the crucial hours after a breach is first detected. They break it down into having an incident controller, and a governance, investigation, infrastructure, communications, and regulatory lead.
Red Team
m57/dnsteal
By Mitch Hines: A fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.
Tricard – Malware sandbox fingerprinting
Unicorn Security discusses the use of their Tricard tool in fingerprinting malware sandboxes, which can then be used to more effectively evade them. Tricard collects system info such as the running processes, loaded modules, network interface details, a registry dump, and more.
Machine Learning + Security
laiyer-ai/llm-guard
A security toolkit for LLM interactions by Laiyer AI offering sanitization, detection of harmful language, prevention of data leakage, and resistance against prompt injection attacks.
SyzGPT: When the fuzzer meets the LLM
PhD student Erin Avllazagaj evaluates the ability of Bing AI to automatically understand a kernel subsystem’s documentation to generate fuzz target code (including struct definitions) for the kernel fuzzer Syzlang. Bing AI did a pretty good job understanding the docs/describing what various syscalls were for.
The manually written fuzz harnesses yielded ~15% higher code coverage than the LLM-written ones. The key point here is not that AI-driven security efforts are better than humans (especially experts), but that you can get similar outcomes (“in 30 minutes”) with a fraction of the time/effort and less expertise.
Using AI to Automatically Fuzz Rust Projects from Scratch
Kudelski Security’s Nils Amiet discusses Fuzzomatic, a tool that can automatically generate fuzz targets for Rust projects from scratch (i.e. the projects aren’t doing fuzzing yet). Fuzzomatic uses libFuzzer and cargo-fuzz for fuzzing and OpenAI for code generation. Their approach generated at least one useful fuzz target for 34/37 projects, and found at least one bug in 14 projects (38%). Again, totally automated!
This post has really excellent and detailed descriptions of their methodology, challenges, different approaches, lessons learned, and potential further research. Well done 🫡
Misc
Managing Open Source and SBOM’s
Aquia’s Chris Hughes discusses the NSA’s new publication, “Securing the Software Supply Chain,” covering the 4 major areas of the guidance: Open Source Software Management, Creating and Maintaining a Company Internal Secure OSS Repository, Maintenance, Support and Crisis Management, and SBOM Creation, Validation and Artifacts.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏