[tl;dr sec] #213 – AWS Secure Defaults, Damn Vulnerable LLM Agent, cdk-goat


I hope you’ve been doing well!

✈️ In Plane Sight

I’ve gotta get something off my chest.

Normally on planes I read or get work done, but recently I did something else.

As we were taking off, I saw that a person in the row in front of me was starting to watch a TV show on their phone. Season 1 Episode 1 of Reacher on Amazon Prime.

I thought, “Nice, I haven’t missed anything, I wonder what this show is about. I’ll go back to reading in a second.”

The person had headphones in but subtitles on, so I could follow.

About 10 minutes in, I realize I’m engaged and I decide to just finish the episode. At the end of the episode, he immediately starts Episode 2.

Well, I am curious what happens next, so I keep watching. From a row behind. On this guy’s phone. Reading the subtitles 😂 

After Episode 4, I have to use the restroom (these are 40min episodes), but I don’t want to go, because then I’m going to miss what happens. Should I ask him to pause? I don’t know how he’ll take it. So I decided to just hold it.

By the end of the flight we’d watched about half a season of Reacher together. I felt a bond with him even though we’d never spoken.

Lesson: When you use a screen protector, you could be missing out on some quality connections. 🤣 

A clear, friendly guide to mastering the hot new category in cloud-native security that’s taking the industry by storm. 

Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you *need* to know to secure the changing landscape of cloud-native applications and protect your cloud environment today. 

  • The fundamentals of cloud-native security 

  • Powerful tactics to strengthen security measures 

  • Best practices for getting started 

  • Techniques to shift security up the pipeline (and ahead of threats) 

  • 10 strategies for maximizing the potential of your CNAPP

AppSec

Google OAuth is broken (sort of)
Truffle Security’s Dylan Ayrey describes a Google OAuth vulnerability that allows employees at companies to retain indefinite access to applications like Slack and Zoom, after they’re off-boarded and removed from their company’s Google organization. Google has not made changes to mitigate this risk.

Burp Extension Development Part 1: Setup & Basics
The first part in a new series by Tib3rius on adding new features to Burp and exploring the Burp Extension API. In this video, he covers setting up your dev environment, creating your first extension, and modifying request headers using the extension.

Panic!! At the YAML
GreyNoise’s Ron Bowes gives a great overview of a SnakeYAML deserialization vulnerability, including how to figure things like this out yourself: building a sample vulnerable application, adapting public exploit code, understanding how it works, troubleshooting errors, and lots of related work cited. Nice.

Research has been at the core of ESET and its technology since the company’s inception. 

The journey began in 1987 when ESET co-founders uncovered one of the world’s first computer viruses, which they named “Vienna,” and wrote a program to detect it. Many other discoveries quickly followed.

More than 30 years later, ESET remains at the forefront of cybersecurity research, operating 13 R&D centers across the world that analyze, monitor and anticipate new threats.

The research below contains a view of the H2 2023 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

Cloud Security

aws-samples/aws2tf
Automates the importing of existing AWS resources into Terraform and outputs the Terraform HCL code.

How to Securely let Frontend Apps to Directly Access AWS services
Yan Cui describes how a frontend can talk directly to AWS services like DynamoDB and S3, without an intermediary like API Gateway or Lambda, using Cognito Identity Pools, which can issue temporary AWS credentials that are then used for authn/authz. I feel like this might not be a great approach in most cases, but it’s interesting that it can be done.

AWS Account Security Onboarding Mind Map
AUTO1 Group’s Artem Marusov shares a succinct and structured mind map to act like a checklist when onboarding new AWS accounts to an existing AWS Organization, covering SCPs, logging, alerting, AWS security services, and more.

Setting secure AWS defaults and avoiding misconfigurations
Excellent guide by Wiz’s Scott Piper covering a number of useful secure defaults and potential misconfigurations, including preventing resources from being made public (e.g. S3 buckets, AMIs), preventing risky features (e.g. IAM users and access keys, IMDSv1), and enforcing security measures (restricting network modifications, restricting admin access with network controls).

For each, Scott provides useful CLI commands to action what he’s describing and/or Service Control Policies (SCP) to enforce good posture.

Container Security

wagoodman/dive
By Alex Goodman: A tool for exploring a Docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.

How to use Dockerfiles with wolfi-base images
Chainguard’s Adrian Mouat describes how to use wolfi-base with Docker tooling to create hardened, low-vulnerability images, including for images and static binaries, when you need libraries or runtimes like the JDK and JRE, if you need matching build and runtime dependencies (e.g. Python), or including tools at specific versions.

The authors also share threat detection opportunities based on the newly available CloudTrail events associated with this feature.

Blue Team

center-for-threat-informed-defense/adversary_emulation_library
An open library by MITRE Engenuity of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. The library contains two types of adversary emulation plans: full emulation, which emulates a specific adversary, e.g. FIN6, from initial access to exfiltration, and micro emulation, emulating compound behaviors seen across multiple adversaries, like webshells.

Ghost in the Web Shell: Introducing ShellSweep
Splunk’s Michael Haag discusses ShellSweep, a new tool designed to hunt down and flag potential web shells. It can scan multiple directories at once, filter known good files by SHA256 or path, scan specific file extensions, and evaluate the potential maliciousness of files based on their entropy.

My bud Kurt Boberg also wrote a tool, Border Collie (blog), that continuously watches the file system, runs Semgrep rules to find potential reverse shells, and automatically chmod’s them to non-executable when found.

Red Team

MegaManSec/SSH-Snake
By Joshua Rogers: Finds SSH private keys on a system → sees what other hosts may accept those keys → tries to SSH everywhere possible using all private keys discovered. Attempts to create a map of a network and its dependencies, identifying to what extent a network can be compromised using SSH and SSH private keys starting from a particular system. Blog

EvilSlackbot: A Slack Attack Framework
Andrew Steinberg shares a new tool that can be used during red teams if you acquire a Slack API token to send spoofed Slack messages, phishing links, files, and search for secrets leaked in Slack. It can also be used to conduct Slack phishing simulations by providing a list of employee emails.

Career

Preparing for a Security Engineering Interview
TryHackMe’s Ellie Gillard discusses some common behavioral and technical interview questions, across blue team, network security, web and application security, and more. I’m not sure these are the technical topics I would personally focus most on, but I’m sharing because examples of questions are generally useful.

Machine Learning + Security

WithSecureLabs/damn-vulnerable-llm-agent
By WithSecure: A sample chatbot powered by an LLM ReAct agent, implemented with Langchain. It’s designed to be an educational tool for people to understand and experiment with prompt injection attacks in ReAct agents.

Daniel believes everyone will get a Digital Assistant (DA) that knows everything about them, that everything (restaurants, the people around you) will have APIs, DAs will constantly advocate on our behalf and mediate our interactions with the world, and more. He also discusses security and privacy implications. Well worth the read.

I’m also stoked to be attending Daniel’s upcoming course Augmented: How to Integrate AI into Life and Work, a 3-hour live AI course on January 13th, this Saturday. Today is the last day to sign up. If you’re a paid member to Unsupervised Learning, which I’ve been for years, you get $200 off the course.

Misc

Things you’re allowed to do
“A list of things you’re allowed to do that you thought you couldn’t, or didn’t even know you could,” across learning and decision making, interpersonal, support and accountability, making the most of your resources, and professional. I bet you’ll find at least something useful in this list.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate it if you’d forward it to them 🙏




