Seth Art

@sethsec.bsky.social

Security Research and Advocacy @ Datadog. Former Principal and Cloud Penetration Testing lead @BishopFox. I like to build, break, learn, and share. 
CloudFox, CloudFoxable, BadPods, IAM Vulnerable

602 Followers  |  112 Following  |  9 Posts  |  Joined: 10.09.2023

Latest posts by sethsec.bsky.social on Bluesky

Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs This month’s digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.

The July edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
.. and more

31.07.2025 21:00 — 👍 5    🔁 2    💬 0    📌 0

fwd:cloudsec is around the corner! Don't miss these 3 talks from Datadog researchers Seth Sec, Katie Knowles, Greg Foss, and Anthony Randazzo.

fwdcloudsec.org/conference/n...

@sethsec.bsky.social
@siigil.bsky.social
@gregfoss.com

27.06.2025 21:02 — 👍 4    🔁 2    💬 0    📌 0
The whoAMI name confusion attack, modern phishing tactics, and K8s network security fundamentals | Datadog Security Labs This February edition of the Datadog Security Digest dives into the

The February edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

featuring @sethsec.bsky.social, @mccune.org.uk, @karimscloud.bsky.social, @jcfarris.bsky.social, and more

27.02.2025 16:32 — 👍 5    🔁 2    💬 0    📌 0

The Datadog Security Digest is a monthly, practitioner-focused newsletter.

Don't miss our February edition going live tomorrow!

securitylabs.datadoghq.com/newsletters/...

26.02.2025 11:55 — 👍 5    🔁 4    💬 0    📌 0
whoAMI attacks give hackers code execution on Amazon EC2 instances Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.

whoAMI attacks give hackers code execution on Amazon EC2 instances

13.02.2025 23:59 — 👍 14    🔁 9    💬 0    📌 1

When I first started reading this I thought, “is this really news, this issue has been around for years…” but then it gets interesting - kudos to the researchers on this one!

12.02.2025 20:25 — 👍 5    🔁 1    💬 0    📌 0
whoAMI: A cloud image name confusion attack | Datadog Security Labs Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

Need to hack thousands of AWS customers? What about on internal AWS systems? Datadog Security Research found that a number of tools, including one published by AWS, are susceptible to name confusion attacks, leading to RCE in vulnerable environments!

securitylabs.datadoghq.com/articles/who...

12.02.2025 17:19 — 👍 19    🔁 6    💬 1    📌 0
whoAMI: A cloud image name confusion attack | Datadog Security Labs Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

I’m excited to share our research on the “whoAMI” attack. We discovered that AWS customers pulling AMI IDs insecurely could accidentally use malicious images instead of the legitimate ones— leading to remote code execution.

securitylabs.datadoghq.com/articles/who...

12.02.2025 16:56 — 👍 12    🔁 3    💬 1    📌 1
whoAMI: A cloud image name confusion attack | Datadog Security Labs Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.

securitylabs.datadoghq.com/articles/who...

by @sethsec.bsky.social

12.02.2025 15:29 — 👍 8    🔁 5    💬 1    📌 1
🧙 Why I’m Joining Wiz I’m joining the leading cloud security startup, hoping to “work for the Security Industry, at Wiz.”

New year, new job!

I've joined the amazing @wiz_io research team

My goal is to "work for the security industry, at Wiz"

I wrote a blog post explaining why, and what that means:
ramimac.me/joining-wiz

28.01.2025 15:01 — 👍 33    🔁 4    💬 3    📌 0
Datadog threat roundup: top insights for Q4 2024 | Datadog Security Labs Threat insights from Datadog Security Labs for Q4 2024.

Threat insights from Datadog Security Labs for Q4 2024

securitylabs.datadoghq.com/articles/202...

28.01.2025 15:14 — 👍 5    🔁 5    💬 0    📌 0

I'm not saying I'm an AWS expert… but I am saying I finally tracked down the random AWS account charging me small amounts every month and closed it.

02.01.2025 20:23 — 👍 57    🔁 4    💬 3    📌 2
weird interaction with a student this week. they kept coming up with weird "facts" ("greek is actually a combination of four other languages") that left me baffled. i said let's look this stuff up together, and they said ok, i'll open a search bar, and they opened... ch*tgpt

and i was like "this is not a search bar" and they were like "yes it is, you can search for anything in here"

the thing that made me feel crazy is like. every kid that's using this as a browser is getting new BESPOKE false "facts." this isn't "a widespread misconception about X that stems from how it's taught in schools." each individual kid is now hooked into a Nonsense Machine

with the "widespread misconception about X" you can start at a baseline. like, ok, in tenth grade we all talk about X thing from history, and that leaves us with some misguided concepts about X, but we can correct that as students get broader understandings of the world

but with this, each child is getting UNIQUE wrong facts they are SURE are correct... because they did what we told them to do! they "looked it up"! they got it from somewhere! it's not a kid making up a belief on hearsay and assumption... it's something they think they LEARNED

this kid was extremely combative with me, and i understood why. i was sitting in front of him and telling him that the internet, a computer, technology, all these supposedly authoritative things... were wrong. and that i, one person, was right. he basically *couldn't* believe me.

he decided that i was simply a teacher who'd made a mistake. he could check it, after all! he could look it up! he could find the REAL facts. i obviously hadn't done that, i was just an adult who'd decided i was smarter than him. hence the defensiveness. like i said: i understood

it was so fucking rough. i did my best, but i am one person trying to work against a campaign of misinformation so vast that it fucking terrifies me. this kid is being set up for a life lived entirely inside the hall of mirrors

Well this is grim

06.07.2024 22:15 — 👍 13531    🔁 5375    💬 384    📌 1121

Well now that I got this far down that thread I need to know also.

10.12.2024 04:20 — 👍 1    🔁 0    💬 0    📌 0

Plenty of additional information about the compromise of OpenWRT’s online build service, involving command-injection and hash bypass 🧠

08.12.2024 21:32 — 👍 10    🔁 1    💬 0    📌 2
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages | Datadog Security Labs Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages

Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages

securitylabs.datadoghq.com/articles/int... by @ikretz.bsky.social

New open-source tool designed to transparently block known malicious PyPI and npm packages.

github.com/DataDog/supp...

06.12.2024 12:33 — 👍 10    🔁 6    💬 1    📌 0
GitHub - DataDog/supply-chain-firewall: A tool for preventing the installation of malicious PyPI and npm packages

Another cool little tool from Datadog Labs. #cybersecurity


https://github.com/DataDog/supply-chain-firewall

06.12.2024 12:43 — 👍 5    🔁 2    💬 0    📌 0

We're now officially on Bluesky!

Expect:

➔ New articles on Security Labs about cloud, container and application security
➔ OSS projects for cloud security practitioners
➔ Conference talks at community conferences

See also our starter pack bsky.app/starter-pack... with our authors and researchers!

03.12.2024 14:30 — 👍 20    🔁 10    💬 2    📌 2
Awseye - See Inside AWS Accounts Awseye tracks publicly accessible AWS data to help identify and secure known and exposed AWS resources. Empowering defenders with open-source intelligence.

The self-described “Shodan of AWS” is now live! This is an amazing project from Daniel Grzelak that helps democratize cloud resource enumeration for the masses. Very excited about this!
awseye.com

26.11.2024 02:31 — 👍 73    🔁 35    💬 2    📌 3
Modern Red Teaming: macOS, K8s, and Cloud - RTV 24 (Public) Modern Red Teaming: macOS, K8s, and Cloud Carnal0wnage int0x80

DualCore and I spoke at the Red Team Village this year. Here are the slides. QR code with link to gist with all the reference links on last page. Unfortunately it wasn't recorded.

docs.google.com/presentation...

#redteam #purpleteam #redteamvillage

24.11.2024 19:35 — 👍 34    🔁 18    💬 0    📌 0

- Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview by Ian Kretz & Sebastián Obregoso
- Escalating from reader to contributor in Azure API Management by Christian August Holm Hansen
- IAM Condition operators explained by Cloud Copilot

and more...
🧵(3/3)

22.11.2024 19:40 — 👍 0    🔁 0    💬 0    📌 0

- Exploiting Fortune 500 through hidden supply chain links by Roni Carta
- Cloud guardrails by Mark Andersen, William Bengtson, Adam Cotenoff, ☁️ Houston Hopkins ☁️, Nicholas Siow, and Travis McPeak
🧵(2/3)

22.11.2024 19:40 — 👍 0    🔁 0    💬 1    📌 0
Google Cloud Trends, DPRK npm Threats, & Privilege Escalation Walkthroughs | Datadog Security Labs In the November edition, read about Google Cloud Trends, DPRK npm Threats, & Privilege Escalation Walkthroughs, and more.

The November edition of the Datadog Security Digest is live!
securitylabs.datadoghq.com/newsletters/...

Featuring:
- Exploring Google Cloud default service accounts: deep dive and real-world adoption trends by Christophe Tafani-Dereeper
🧵(1/3)

22.11.2024 19:40 — 👍 2    🔁 0    💬 1    📌 0
Kubernetes Security Fundamentals: Authentication - Part 2
YouTube video by Datadog

Latest video in my Kubernetes Security Fundamentals series is out. Looking at some lesser known bits of Kubernetes authentication, bootstrap and static tokens!

youtu.be/1QNKj1rW5H0?...

21.11.2024 10:00 — 👍 21    🔁 3    💬 0    📌 0
Cloud Security Join the conversation

Now as a starter pack: go.bsky.app/5HpWAcM

18.11.2024 15:40 — 👍 7    🔁 1    💬 1    📌 1

We made it easy for you to find us!
The Red Siege Starter Pack is now up!
Find the team here - go.bsky.app/ERU72bD

#infosec #cybersecurity

19.11.2024 15:37 — 👍 9    🔁 5    💬 0    📌 0

That word is the worst!

20.11.2024 17:23 — 👍 1    🔁 0    💬 1    📌 0

This is such a good story about how "gotofail" started as a drunken brag in a bar and ended up being disclosed to Apple via a burner phone. It was Ryan all along, finally taking credit after all these years!

18.11.2024 10:53 — 👍 14    🔁 5    💬 1    📌 0

I created a list of Cloud Security folks on here. bsky.app/profile/scot...

18.11.2024 00:57 — 👍 44    🔁 9    💬 4    📌 1

Backdated posts are possible, and given what the API exposes, they are indistinguishable from normal posts 🤔

16.11.2024 13:00 — 👍 4    🔁 2    💬 2    📌 1

@sethsec is following 20 prominent accounts