• tl;dr sec
  • Posts
  • [tl;dr sec] #120 - Supply Chain & Hardening CI, Automate Yourself out of Oncall Burnout, Eliminating Subdomain Takeovers

[tl;dr sec] #120 - Supply Chain & Hardening CI, Automate Yourself out of Oncall Burnout, Eliminating Subdomain Takeovers

A thoughtful redesign of CI to mitigate harm from malicious dependencies, how to automate your IR playbooks, tool to eliminate dangling Elastic IP takeovers.

Author

Clint Gibler
February 16, 2022

Hey there,

I hope you’ve been doing well!

An Academic’s Love Language

In Gary Chapman’s famous book The Five Love Languages (summary), he presents the crucial insight that different people prefer to both give and receive love differently.

For example, you may often tell your partner how much you love them, but to them, physical affection is how they feel loved. And your partner may buy you presents to show their affection, but you’d perhaps prefer they helped with chores around the house.

Worth thinking about.

As a former academic, I know there are particular phrases so wonderful for us that they can instantly double our heart rate.

So for all the current and former academics out there:

Look for future content like this in the upcoming companion newsletter, tl;dr romance.

Semgrep’s February 2022 Updates

Last week we announced a whole bunch of things:

  • Semgrep is now 2x-3x faster.

  • Better taint tracking and fancy program analysis features.

  • More languages: C#, Kotlin, Scala, C++, Dockerfile, Hack, Solidity.

  • Developer Feedback: Developers can now easily provide feedback about any rule that fired on their PR, so you can see what’s working and what to improve.

  • A new full-screen Editor to more easily write rules in your browser.

Read more about it here.

Also, want to work with me? r2c is remote-friendly and hiring! 🙌

  • Senior Security Reseacher - Deep dive into languages and frameworks, codify the world’s security expertise, and make it easily available to everyone in an automated way.

  • Senior Security Engineer - Help harden r2c’s security posture.

  • And whole bunch of other roles here.

Sponsor

📢 2022 Cloud-Native Security and Usage Report from Sysdig

Did you know 75% of containers have critical vulnerabilities that are patchable? Get real-world practical insights from Sysdig’s 2022 Cloud-Native Security and Usage Report to help as you work to develop best practices for securing and monitoring your cloud-native environments.

📜 In this newsletter...

  • AppSec: Static analysis tool for Clojure, what BeyondCorp actually is and why it's so hard

  • Web Security: Portswigger's top 10 web hacking techniques of 2021, prototype pollution scanner

  • Cloud Security: Cloud Security RoadMap, DevOps the Hard Way, eliminating dangling elastic IP takeovers

  • Supply Chain: GitBOM, compromising NPM packages via expired owner email domains, a pluggable framework for supply chain security, building a hardened CI on self-hosted GitHub Action runners and GKE

  • Container Security: Homebrew for Kubernetes

  • Blue Team: Tool to analyze the memory of compromised Linux systems, automating yourself out of oncall burnout

  • Network Security: SSH into your private machines from anywhere with Cloudflare Tunnel

  • Politics / Privacy: Tracking your spouse with AirTags, what if China weaponized TikTok for subverting values, we're closer to Bradbury's dystopia than Orwell's or Huxley's

  • Misc: How to recover sensitive info from pixelated text, the history of Valentine's day

  • Aphorism: A gut punch to take action from Epictetus

AppSec

clj-holmes/clj-holmes
A CLI SAST (static application security testing) tool to find vulnerable Clojure code via rules that use a simple pattern language.

BeyondCorp is dead, long live BeyondCorp
Tailscale’s Maya Kaczorowski describes what zero trust architecture / BeyondCorp actually mean (beyond the hype), how difficult it is (even Google isn’t fully BeyondCorp), the importance of device trust, and what an ideal solution looks like.

Web Security

Top 10 web hacking techniques of 2021
Another annual round-up by Portswigger. Several on HTTP Request Smuggling, as well as fuzzing for XSS, JSON interoperability vulnerabilities, cache poisoning at scale, attacking HTTP/2, and more. #1: Dependency Confusion.

raverrr/plution
A prototype pollution scanner using headless Chrome, by David Bate. By default uses a hardcoded payload that can detect 11 of these cases.

Cloud Security

Cloud Security Podcast: Cloud Security RoadMap with Scott Piper
Ashish Rajan interviews Summit Route’s Scott Piper on his Cloud Security Podcast, covering what to prioritize as a start-up, challenges for medium to large companies, continuous compliance, getting started in cloud security, and more.

If you’re interested in cloud security, I’d give Ashish’s Cloud Security Podcast a look, he interviews a number of super solid people, and has recently been doing series on AWS, GCP, and Azure security.

AdminTurnedDevOps/DevOps-The-Hard-Way-AWS
Free labs, documentation, and diagrams for setting up an environment that is using DevOps technologies and practices for deploying apps and cloud services/cloud infrastructure to AWS, by Mike Levan.

Eliminating Dangling Elastic IP Takeovers with Ghostbuster
When you create a DNS record pointing to an IP but don’t remove the DNS record after the EC2 instance has been destroyed or given a new IP, you become vulnerable to subdomain takeover attacks. Assetnote’s Shubham Shah describes Ghostbuster, a new tool they’re releasing that can detect these dangling Elastic IP addresses.

Ghostbuster works by enumerating all the elastic/public IPs associated with every AWS account you own, and then checking if there are any DNS records pointing to elastic IPs that you don’t own in any of your AWS accounts.

Supply Chain

GitBOM
A minimalistic scheme for build tools to:

  1. Build a compact artifact tree, tracking every source code file incorporated into each built artifact.

  2. Embed a unique, content-addressable reference for that artifact tree, the GitBOM identifier, into the artifact at build time.

“Zero-Days” Without Incident - Compromising Angular via Expired npm Publisher Email Domains
Fun fact: Email addresses for all maintainers on npm are public. Matthew Bryant shows how you can use this for nefarious ends.

  1. Scrape all npm package maintainer email addresses.

  2. Filter to custom owned domains (e.g. [email protected]).

  3. See which of those domains are expired or expiring.

  4. Register those domains and use it to reset the victim user’s npm password.

  5. Backdoor their repo, profit $$$.

testifysec/witness
A pluggable framework for supply chain security by TestifySec.

Witness prevents tampering of build materials and verifies the integrity of the build process from source to target. It works by wrapping commands executed in a continuous integration process.

Defense Against Novel Threats: Redesigning CI at Mercari
Mercari’s Michael Findlater describes how they’ve rearchitected their CI to protect against malicious third-party dependencies. The post gives a nice overview of aspects to consider, like disallowing CI config modification without review, limiting CI egress to prevent exfiltration of data, running jobs ephemerally in clean, isolated environments, integrating with secret management tools, and more. They use self-hosted GitHub Action runners on GKE.

One key point, which I’ve called out a number of times in effective security engineering work from various companies, is they worked closely with Developer Experience teams to ensure it doesn’t slow down development, fits in nicely to existing dev processes, etc.

They’ve also integrated some default setup into a microservice-starter-kit Terraform module that’s used for new microservices, likely leading to easier, widespread adoption 👌

Please allow me to shamelessly include a slide from my BSidesSF 2020 talk How to 10X Your Security:

Container Security

kbrew-dev/kbrew
Homebrew for Kubernetes.

Blue Team

cado-security/rip_raw
A small tool to analyse the memory of compromised Linux systems that enables you to analyse systems without needing to generate a profile, by Cado Security’s Chris Doman.

How we automated ourselves out of on-call burnout… and you can too!
Segment’s Prima Virani describes how in 6 months they’ve partially or fully automated approximately 85% of their incident response playbooks using Twilio’s SOCless tool, which basically aims to make it easy to convert workflows to a series of Lambdas handling each step.

The post contains a number of useful hardening steps the Segment team took, and some good advice:

  • Sort alerts by frequency and automate the most frequent alerts first for maximum impact.

  • It’s better to partially cover many alerts instead of entirely automating one playbook, as oftentimes an automation can close out a response before later manual steps are reached.

  • Communicate outcomes at every step so humans know where to pick up, and so you can easily troubleshoot errors.

Sponsor

📢 The best lessons come from experience. 7 cybersecurity leaders share their tales

In this exclusive eBook from JupiterOne, seven cybersecurity leaders share their stories of failure and success, roadmaps you can use to improve your cybersecurity programs, and their visions for the future of cybersecurity.

Network Security

SSH into your private machines from anywhere, for free, using Cloudflare Tunnel
Guide by Ben Butterworth to using Cloudflare Tunnel, which will filter traffic to your machines through Cloudflare’s network, including authenticating you.

Politics / Privacy

I Used Apple AirTags, Tiles and a GPS Tracker to Watch My Husband’s Every Move
A NY Times reporter tests 3 location tracking tools, with permission, on her husband. Even when you know they’re there, they’re not easy to find.

Behavior Shaping
A snippet from Daniel Miessler’s most recent newsletter that made me think. And wince.

Here’s a crazy idea. Since TikTok is a content surfacing and rewarding platform, and it’s Chinese-controlled, wouldn’t it be interesting if they rewarded different behavior for different populations? What if they rewarded science and engineering and creativity in China, but in Europe and the US they rewarded promiscuity, anti-government, or hate-oriented content? Wouldn’t that be an ingenious way to incentivize the raising of your own society while contributing to the downfall of an enemy? I wonder if anyone’s done any analysis of what gets surfaced or rewarded in different geographies.

Bradbury predicted that people, disturbed by confusing or challenging ideas, might one day demand censorship for themselves and protection from any information that pierced the veil of their own simplified reality.

Bradbury was right that people would choose self-censorship, led into ignorance by technological innovations that make open discourse and thought unpalatable. Were it a government that imposed such a rule, there would be an uproar, at least in Western societies. But gently coaxed by algorithms, people have voluntarily gravitated towards simple, comfortable ideas and begun to reject complexity, nuance, and the possibility that contrary opinions are not necessarily immoral or even incorrect.

Misc

Never Use Text Pixelation To Redact Sensitive Information
Bishop Fox’s Dan Petro discusses why pixelation is a bad approach for redacting sensitive info in images, and releases a tool, Unredacter, that reverses redacted pixelized text back into its unredacted form.

Valentine’s Day: The Wild, Pagan History Behind the Romantic Holiday
Some interesting history behind the modern celebration of consumerism love.

Aphorism

Shared by Steph Smith:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint