[tl;dr sec] #139 - 60 RCE in 60 minutes, Free Sigstore Course, Cloud Risk Encyclopedia

A presentation with many real world RCE examples, new free course on using Sigstore for supply chain security, list of 1,200+ cloud security risks.

Hey there,

I hope you’ve been doing well!

LocoMocoSec 🏖️

This week I’m at LocoMocoSec in Honolulu.

I’ve been wanting to attend for a number of years, because I feel like the talks are consistently high quality and in areas I care about.

After attending: I can confirm the talks have been great, and I’ve met a ton of super sharp people. And that it’s sunny and right next to the beach doesn’t hurt either.

(Dinner with David Belcher, Philippe De Ryck, Dino Dai Zovi, Colleen Dai, and friends whose social links I don’t know yet 😅)

But to keep this from becoming Keeping up with the Clintdashians (the pilot script is ready to be optioned, hit me up, streaming platforms), I wanted to share a little more behind the scenes:

  • I spent most of the flight out answering emails and reading articles for this newsletter.

  • My first full day in Honolulu was mostly working on the newsletter in my hotel room so I could relax during the conference.

  • Right now it’s 11:30pm and I’m in my hotel room finishing this newsletter while friends went swimming in the ocean.

I wanted to share this because social media and people talking about events publicly are almost always a misrepresentation, or at least a skewed representation of what actually happened.

People share the “look at me having fun” photos and not the “look at me eating Cheerios in my hotel room in Hawaii because I’m finishing my newsletter” photos.

If the latter sounds too specific to be made up, trust your instincts.

Sponsor

📢 Face vulnerabilities faster with a holistic view of your vulnerability data

Identifying & resolving security vulnerabilities is painful and time consuming—but it doesn't have to be. Monad solves this problem by consolidating and correlating data from across all your vulnerability management tools and enrichment sources, such as AWS. Using an open data model, this enables security engineers to ticket and resolve vulnerabilities from a central source of truth. Eliminate the need to context switch between security tools, saving significant engineering hours for security teams with Monad. Find out more!

📜 In this newsletter...

  • AppSec: Finding command execution sinks in decompiled JVM languages, Semgrep rules for PHP security assessments

  • Web Security: Building an AppSec pipeline with Burp data, a tale of 60 RCE in 60 minutes

  • Supply Chain: Automate pinning of CI/CD workflow versions, evaluate GitHub org/repo/user setting security with OPA, SLSA L3 Golang native builder for GitHub Actions, free course on getting started with Sigstore

  • Infrastructure as Code: Terraform Cloud adds drift detection

  • Cloud Security: Tool to simulate the EC2 instance metadata service, cloud risk encyclopedia, cloud service provider agents add attack surface

  • Blue Team: Sigma overview and how to write your own rules, tool to help building for air gapped environments

  • Politics / Privacy: Guides on opting out from data brokers, Chinese threat actor uses ransomware as a smokescreen for espionage, how China is policing the future, takeaways on China's expanding surveillance state, Microsoft's lessons learned from defending Ukraine

  • Misc: Draw your cloud system architecture in Python, a no-code API testing platform that generates test cases, newsletter to learn about patents, entrepreneur's guide to business loan interest rates, a thorough analysis of SF breakfast burritos

AppSec

Finding command execution sinks in decompiled JVM languages
There are a number of languages that compile to JVM bytecode. GitLab’s Dominic Couture walks through looking for command execution calls in decompiled Kotlin, Groovy, Scala, and Clojure.

Semgrep rules for PHP security assessment
HN Security’s Federico Dotta shares some general PHP and Yii framework Semgrep rules he created, focusing on SQL injection, XSS, and authorization bypass.

Web Security

Building on an AppSec Pipeline with Burp Suite data - Part 1
Willis Vandevanter walks through using burpsuite-project-file-parser to extract traffic history from Burp project files, and then in part 2 presents 8 bug hunting examples using this approach. For example, “find me all requests that have a URL parameter named url”, and then test the endpoint for SSRF and/or use ffuf.

1001 ways to PWN prod: A tale of 60 RCE in 60 minutes
Neat slides with tons of examples, by @TheLaluka. Takeaways for defenders:

Supply Chain

sethvargo/ratchet
By Google’s Seth Vargo: a tool for improving the security of CI/CD workflows by automating the process of pinning and unpinning upstream versions. It’s like Bundler, NPM, or Pip, but for CI/CD workflows. Currently supports Circle CI, GitHub Actions, Google Cloud Build.
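As an added illustration of what ratchet automates (this is not ratchet's own code), a small check that flags GitHub Actions `uses:` references still pointing at a mutable tag or branch rather than a full commit SHA; the workflow text and the 40-hex SHA in it are constructed placeholders.

```python
# Added example (not ratchet's own code): flag GitHub Actions 'uses:' references that are
# not pinned to a full commit SHA; mutable tags and branches are what ratchet pins for you.
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow snippet; the 40-hex SHA is a placeholder, not a real commit.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # v3.2.0
      - uses: docker://alpine:3.16
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

def classify(ref):
    """Return 'local', 'docker', 'sha', 'tag' or 'branch' for one uses: reference."""
    if ref.startswith("./"):
        return "local"          # action in the same repo, versioned with the code
    if ref.startswith("docker://"):
        return "docker"         # image reference; pin by digest separately
    _repo, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "sha"            # immutable: the only reference that cannot be moved
    return "tag" if re.match(r"^v?\d", version) else "branch"

def unpinned(workflow_text):
    """List the references that should be pinned to a commit SHA (tags and branches can be moved)."""
    return [ref for ref in USES_RE.findall(workflow_text) if classify(ref) in ("tag", "branch")]
```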

Evaluate Your Source Control Security Posture with GitGat
Scribe Security announces GitGat, a tool that uses OPA policies to evaluate GitHub organization/repositories/user accounts security: access controls, permissions, branch protection, and file modification tracking.

General Availability of SLSA 3 Go native builder for GitHub Actions
There’s now a GitHub Action you can use that fulfills the properties of SLSA level 3. This allows you to:

  • Detect rollback attacks, invalid source (due to expired and invalid domains), recycled GitHub accounts, and recreated GitHub repos

  • Validate the process used to build the binary

  • Check how an artifact was built (dev vs prod build, was the build sanitized or hardened with security options like PIE, etc.)

Get Started with Sigstore (Free Course!)
Chainguard’s Lisa Tagliaferri and John Speed Meyers announce a new Sigstore course to educate the industry on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Contents:

  1. Introducing Sigstore

  2. Cosign: Container Signing, Verification, and Storage in an OCI Registry

  3. Fulcio: A New Kind of Root Certificate Authority For Code Signing

  4. Rekor: Software Supply Chain Transparency Log

  5. Sigstore: Using the Tools and Getting Involved with the Community

Infrastructure as Code

Terraform Cloud Adds Drift Detection for Infrastructure Management
This new feature of Terraform Cloud continuously checks infrastructure state to detect and notify operators of any changes, minimizing risk, downtime, and costs. It’ll be interesting to see if this impacts any security vendors who similarly offer drift detection.

Cloud Security

aws/amazon-ec2-metadata-mock
A tool to simulate Amazon EC2 instance metadata service for local testing.

Cloud Risk Encyclopedia
By Orca Security: “Search 1200+ cloud security risks or filter by cloud vendor, compliance framework, risk category, and criticality. 3 cloud platforms. 47 compliance frameworks. 18 risk categories. 4 risk levels.”

The cloud gray zone: secret agents installed by cloud service providers
By Wiz’s Nir Ohfeld and Shir Tamari: Cloud service providers install proprietary software on customers’ virtual machines typically without the customer’s awareness or explicit consent. This cloud middleware software, which bridges customers’ virtual machines and cloud providers’ managed services, can introduce new potential attack surface.

Wiz has launched a GitHub page to map all the agents that cloud providers are installing on customers’ machines along with the additional attack surface they introduce.

Blue Team

A deep dive into Sigma rules and how to write your own threat detection rules
Sigma rules are a common language that enable defenders to share detections, and avoid vendor lock-in, easily running the same rules on many SIEMs. FourCore’s Hardik Manocha walks through the structure of Sigma rules and how to write your own.
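To make the rule structure concrete, here is an added example (not from the FourCore post) that evaluates the `detection` block of a constructed Sigma rule, with `selection`, `filter` and a `selection and not filter` condition, over constructed process-creation events; real backends compile the same structure into SIEM queries.

```python
# Added example (not from the FourCore post): evaluate a Sigma rule's 'detection' block over constructed events.
RULE = {  # constructed rule: the YAML detection block written as a Python dict
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-decode"],  # a list of values is an OR
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}
EVENTS = [  # constructed sample events shaped like Windows process_creation records
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.test/a.txt a.txt"},   # fires
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.test/b.cab"},  # filtered out
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},  # no match
]

def match_value(actual, expected, modifier):
    """Apply a Sigma string modifier; matching is case-insensitive, as in most backends."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact match

def match_selection(event, selection):
    """Every key of a selection map must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(match_value(event[field], v, modifier) for v in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate a condition of named selections joined by 'and', each optionally negated by 'not'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        if match_selection(event, det[term[4:] if negate else term]) == negate:  # term did not hold
            return False
    return True

def alerts(rule, events):
    """Return the indexes of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]
```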

Hoppr
Hoppr helps your applications and build dependencies hop between air gapped environments. It’s a framework that supports packaging, transfer, and delivery of dependencies. Hoppr relies on the principles of Linux Foundation’s focus on SPDX and the extended functionality of CycloneDX to define Software Bill-of-Materials and supply chain management.

Sponsor

📢 Conveyor's Vendor Trust platform: Never send another vendor security questionnaire

Tired of chasing vendors, tracking down SOC 2 reports, and trying to get them to fill out your security questionnaire?

Conveyor’s Vendor Trust platform speeds vendor reviews by 5X by parsing your vendors' security docs, answering your questions for you, highlighting exceptions, and mapping their policies to your controls. Try it for free.

Politics / Privacy

Delete Me: Opt-Out Guides
Massive list of how-to guides for opting out of various data brokers.

Chinese Threat Actor Uses Ransomware as a ‘Smokescreen’ For Espionage
A China-based threat actor has been launching ransomware attacks against organizations in the U.S. and other countries, but researchers believe the actor’s end goal is stealing intellectual property rather than financial gain. Based on the victims’ geographic locations and industry verticals, they estimate that 75 percent of the known victims would be of interest to Chinese government-sponsored groups focused on espionage.

With a simple fill-in-the-blank menu, the police can base alarms on specific parameters, including where a blacklisted person appears, when the person moves around, whether he or she meets with other blacklisted people and the frequency of certain activities. The police could set the system to send a warning each time two people with a history of drug use check into the same hotel or when four people with a history of protest enter the same park.

Whether or not he triggered the system, Mr. Zhang has noticed a change. Whenever he turns off his phone, he said, officers show up at his house to check that he hasn’t left on a new trip to Beijing.

China’s ambition to collect a staggering amount of personal data from everyday citizens is more expansive than previously known, a Times investigation has found. Phone-tracking devices are now everywhere. The police are creating some of the largest DNA databases in the world. And the authorities are building upon facial recognition technology to collect voice prints from the general public.

This report represents research conducted by Microsoft’s threat intelligence and data science teams with the goal of sharpening our understanding of the threat landscape in the ongoing war in Ukraine. The report also offers a series of lessons and conclusions resulting from the data gathered and analyzed. Notably, the report reveals new information about Russian efforts including an increase in network penetration and espionage activities amongst allied governments, non-profits and other organizations outside Ukraine. This report also unveils detail about sophisticated and widespread Russian foreign influence operations being used among other things, to undermine Western unity and bolster their war efforts. We are seeing these foreign influence operations enacted in force in a coordinated fashion along with the full range of cyber destructive and espionage campaigns.

Misc

Diagram as Code
Draw your cloud system architecture in Python code and track it in version control. Currently supports six major cloud providers (AWS, Azure, GCP, etc.), on-premise nodes, and programming languages and frameworks.

keploy/keploy
By Keploy: A no-code API testing platform that generates test cases and data mocks from API calls. Dependency-mocks are automatically generated with the recorded request/responses.

Patent Drop Newsletter
Every week @thisisneer provides a summary of 3 new patents from big tech companies and a wider list of all patents from these companies.

Supporting Your Team When the News Is Terrible
Tips by Harvard Business Review for managers during stressful times.

An Extremely Thorough Analysis of Breakfast Burritos in SF
Now this is some research I can get behind 😍

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint