The Razor: ep 3

Private things where they shouldn't be, stopping the ships, MOVEit body count increases, almost no mention of OpenAI.

Wow, where did November go?! I guess with the holidays it flies by quicker than other months. I'm sure for all those that celebrate Thanksgiving there was a lot of food, and for the rest of us it was 🍿 time as we witnessed whatever it was that happened at OpenAI.

Secure-by-design

  • ๐Ÿ‘ต๐Ÿป Long-lived credentials are still a problem: DataDog published their State of Cloud Security report. Lots of great stuff in there and things we need, as an industry, to do better at. Leading the report: stop using long-lived credentials everywhere!!
  • ๐Ÿงข BlueHat conference videos are up: Microsoft's Security Response Center hosted their BlueHat conference in October, and the videos are now online. I've had a chance to watch a couple but they've already been quite eye opening. Laura Plein & Dr. Segio Coronado give a demo of RatGPT โ€” their proof of concept for using Large Language Models to dynamically generate malware and ransomware code that could be automatically executed by a victim and incredibly difficult to detect using usual malware tools because of the fact it's generated on the fly ๐Ÿ˜ฌ. Luke Jennings covers the evolution of cyber attacks and what the landscape looks like given we've moved to a SaaS & remote-first world. Dr. Nestori Syynimaa gives some examples of vulnerabilities where the initial response was it's working that way "by design"... so obviously I had to include that talk!
  • ๐Ÿ™ˆ Private keys in public places: I'm still playing catch-up on the DefCon talks from two months ago so I've only just caught this wonderful one that resonates from Tom Pohl about how private keys, certs, encryption keys, etc. keep ending up in places where they can be found.
  • ๐Ÿข Getting hacked slowly: Matt Johansen explains something that has intuitively made sense to me for a while but that I've never put words to before - getting hacked doesn't happen suddenly like a car crash, it's a gradual thing that happens over months or years.
  • โ˜๏ธ Keep those EC2 instances safe: Lior Zatlavi @ Tenable gives an example of how an EC2 instance that is vulnerable to Server-side Request Forgery (SSRF) can then generate signed URLs to grant an attacker access to other services.
  • ๐Ÿงฑ Lock down your ECS containers: If you're using ECS to manage your container workloads then you need to read this detailed list of ECS security best practices from Mutaz Hajeer, Ibtissam Liedri, and Temi Adebambo at AWS.
  • ๐Ÿฆ€ Memory safe sudo: Prossimo, Tweede Golf, and Ferrous Systems teamed up to build a memory safe implementation of sudo that is written in Rust. Given the escalation risks inherent in using sudo I'm sure this will be a much appreciated contribution by everyone concerned with building secure systems.
  • โš ๏ธ Explaining supply chain threats: OpenSSF has published an entire site and framework dedicated to assessing the security of software supply chains. I found the page detailing threats particularly interesting for both the visual of where they can occur (i.e., everywhere!) and also how they call out specific historical examples of it occuring in the wild.
  • ๐Ÿ‘ท Moar in supply chain security: Russ Cox (of Golang fame!) gave a talk about both the history of supply chain attacks and some of the initiatives in place at Google to address the problem.
  • ยฝ What's between a 0-day and 1-day? Ilya Goldman and Yaki Kadkoda explore the definition and impact of vulnerabilities that sit somewhere in the middle of our common terminology.
  • ๐Ÿ‘ฎ SolarWinds CISO Charged: The SEC charged the SolarWinds CISO with securities fraud relating to their breach back in 2020.
  • ๐Ÿฅท Time to compromise < 5mins: William Gamazo and Nathaniel Quist from Palo Alto Networks show that it takes less than 5 minutes for an exposed IAM credential to be exploited!
  • ๐Ÿ” Are SSH keys still safe? Keegan Ryan and a team of researchers show a new attack that can potentially expose private SSH keys.

Exposed

There's been such a regular drumbeat of high-profile breaches I thought I'd break this out into its own section.

DX

  • ๐ŸŽ—๏ธ Never forget a pentest command: If you do pentesting then remembering all of the arguments for all of the tools is a non-trivial ask. Thankfully Arsenal has your back. It's a CLI tool that lets you search for a command and will then prefill your terminal with the arguments you need.
  • ๐Ÿค– AI-powered AppSec: Asha Chakrabart & Laura Paine cover just a handful of dozens of advanced security features GitHub has released over the past year.

Product spotlight

  • ๐Ÿง‘โ€๐Ÿณ What are we cooking up? We've space for 5 more alpha testers for something we've been working on. If you're interested in taking it for a spin and you're willing to record & share with us a video of yourself trying it out (so that we can see any UX issues you run into and fix them) please reply to this email and let me know!

🎬 That's a wrap! I might squeeze one more edition in before we disappear for the holidays. If not, I wish you all a happy new year and look forward to hearing from you all in 2024.

Thanks,

Glenn

Want to meet people that are interested in these topics?

👾 Join the Build Trust community on Discord 👾

Want more? Not subscribed?

We save you time, and your inbox, by emailing you only once a month — with a round-up of the best articles on cybersecurity, inspiring developer experiences, building systems that are secure-by-design, and related tooling.


© 2024 Ockam.io All Rights Reserved