[tl;dr sec] #141 - CIS Supply Chain Security Guide, Static Analysis on Binaries, Machine Learning

Hey there,

I hope you’ve been doing well!

MockuDocumentary

Short intro this week, because there are tons of great links below.

So I’ll just give you a brief glimpse into my upcoming memoir 🤣

Conferences

MITRE ATT&CKcon 3.0
Slides and videos posted!

BSidesSF 2022 YouTube Playlist
Tons of excellent talks, check it out!

Web Security

DOM Invader: Prototype Pollution
Last year Portswigger released DOM Invader, a tool to make it easier to find DOM XSS. In this video, Gareth Heyes walks through how DOM Invader can now make finding client-side prototype pollution as easy as a couple of clicks.

Cloud Security

AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS
“IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.” Ben Kehoe has a really nice thread about it.

Amazon Cognito - A Complete Beginner Guide
Great guide by Daniel at Be A Better Dev explaining the core concepts of Cognito from a beginner perspective. You’ll learn about User Pools, Identity Pools/Federated Identities, and how to tie them together.

Supply Chain

Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
Cider Security’s Asi Greenholts presents three common credential hygiene issues (unrotated static credentials, overly accessible credentials, credentials exposed in console logs), and discusses the strengths and weaknesses of four of the most popular CI vendors: Jenkins, GitHub Actions, CircleCI and GitLab CI/CD around these issues.

Where Do I Sign? Step-by-step Sigstore Adoption
Chainguard’s Jed Salazar recommends, from simple to more complex: start with git signing, then signing build artifacts, and finally protecting the build system itself.

CIS Software Supply Chain Security Guide v1.0
100+ recommendations organized into 5 main categories: source code, build pipelines, dependencies, artifacts, and deployment.

aquasecurity/chain-bench
By Aqua Security: An open-source tool for auditing your software supply chain stack for security compliance based on the new CIS Software Supply Chain benchmark.

Machine Learning

Amazing, the future is now.

The DALL·E 2 Prompt Book
A free 82 page e-book by Guy Parsons on styles and terms to use with DALL-E 2, with tons of tips and examples. Simply incredible.

I’ve played around with DALL-E 2 a bit, and it is engrossing. Like, you start typing in a few words, see something surprisingly neat and fun, and then all of the sudden you look up and it’s an hour+ later.

AutoRegex: Convert from English to RegEx with Natural Language Processing
This site uses GPT-3 to generate regular expressions from plain English and can also explain a regular expression in English 🤯

H/T Ollie Whitehouse’s excellent Blue & Purple Team Newsletter for this and other great links.

I’m not sure if this site came before or after Simon Willison’s blog post walking through the same thing.

Practical Attacks on Machine Learning Systems
NCC Group Chief Scientist (and all-around gentleman and scholar) Chris Anley aggregates over 5 years of literature review as well as NCC Group’s research and applied experiences of attacking infield systems. It includes:

• A taxonomy of attacks on ML systems

• Exploit techniques for SciKit-Learn, Keras, PyTorch & TensorFlow

• Replication of key results from several canonical ML security papers

Mac

The Art of Mac Malware
Free(!) book by Patrick Wardle on uncovering Mac malware’s infection methods, persistence strategies, and insidious capabilities. Learn to use common reverse engineering tools, unpack protected malware, use a debugger to understand how it works, and finally put the lessons into practice by analyzing a complex Mac malware specimen on your own.

How to Reverse Malware on MacOS without Getting Infected
~40 page free PDF by SentinelOne’s Phil Stokes on setting up a safe lab environment to test malware, relevant tools (e.g. otool, LLDB) and how to use them, and more.

Apple expands commitment to protect users from mercenary spyware
I love this. Apple has released a new “Lockdown Mode,” designed to protect people who might be targeted by mercenary spyware. Bypassing Lockdown mode can earn you a $2M bounty, not too shabby. Apple is also making a $10M grant to support organizations that investigate, expose, and prevent highly targeted cyberattacks.

Dan Guido weighs in as well:

Blue Team

Building a TLS-compatible Honeypot
How to setup a honeypot with an IDS, ELK and TLS traffic inspection, by Nils Hanke.

SOC2: The Screenshots Will Continue Until Security Improves
Helpful and practical advice from Thomas Ptacek, with some fun snark as a bonus.

Red Team

Two faces of a same PDF document
Fraktal Ltd’s Toni Huttunen describes a how it’s possible to create a malicious PDF document that presents different content based on the reader application used (using fallback pages or PDF reader-specific proprietary features).

netero1010/RDPHijack-BOF
By Aon’s Chris Au: “Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.”

Automating binary vulnerability discovery with Ghidra and Semgrep
HN Security’s Marco Ivaldi describes automating vulnerability discovery in binaries by extracting pseudo-code generated by the Ghidra decompiler and scanning it with custom Semgrep rules he wrote.

The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study
Academic paper linked in HN Security’s Marco Ivaldi’s above blog post. The authors ran 8 open source and commercial SAST tools against a number of code bases with known CVEs, observed if the tools found those CVEs, then ran the tools again against the decompiled versions of those same programs.

Misc

Startup Markets, Summer 2022 Edition
Interesting post by Elad Gil on how he feels the next 3-18 months will play out.

The Culture Map: Breaking Through the Invisible Boundaries of Global Business
Book recommended by Steve Dotson after last week’s issue on cross cultural communication. Thanks Steve!

Uber broke laws, duped police and secretly lobbied governments, leak reveals
Some serious tech #hotgoss here. Uber offered financial stakes to influential figures around the world, paid academics to produce research supporting its economic claims, knowingly ignored and evaded local laws, and secretly met with and schmoozed world leaders.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint

Hey there,

I hope you’ve been doing well!

MockuDocumentary

Short intro this week, because there are tons of great links below.

So I’ll just give you a brief glimpse into my upcoming memoir 🤣

Conferences

MITRE ATT&CKcon 3.0
Slides and videos posted!

BSidesSF 2022 YouTube Playlist
Tons of excellent talks, check it out!

Web Security

DOM Invader: Prototype Pollution
Last year Portswigger released DOM Invader, a tool to make it easier to find DOM XSS. In this video, Gareth Heyes walks through how DOM Invader can now make finding client-side prototype pollution as easy as a couple of clicks.

Cloud Security

AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS
“IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.” Ben Kehoe has a really nice thread about it.

Amazon Cognito - A Complete Beginner Guide
Great guide by Daniel at Be A Better Dev explaining the core concepts of Cognito from a beginner perspective. You’ll learn about User Pools, Identity Pools/Federated Identities, and how to tie them together.

Supply Chain

Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
Cider Security’s Asi Greenholts presents three common credential hygiene issues (unrotated static credentials, overly accessible credentials, credentials exposed in console logs), and discusses the strengths and weaknesses of four of the most popular CI vendors: Jenkins, GitHub Actions, CircleCI and GitLab CI/CD around these issues.

Where Do I Sign? Step-by-step Sigstore Adoption
Chainguard’s Jed Salazar recommends, from simple to more complex: start with git signing, then signing build artifacts, and finally protecting the build system itself.

CIS Software Supply Chain Security Guide v1.0
100+ recommendations organized into 5 main categories: source code, build pipelines, dependencies, artifacts, and deployment.

aquasecurity/chain-bench
By Aqua Security: An open-source tool for auditing your software supply chain stack for security compliance based on the new CIS Software Supply Chain benchmark.

Machine Learning

Amazing, the future is now.

The DALL·E 2 Prompt Book
A free 82 page e-book by Guy Parsons on styles and terms to use with DALL-E 2, with tons of tips and examples. Simply incredible.

I’ve played around with DALL-E 2 a bit, and it is engrossing. Like, you start typing in a few words, see something surprisingly neat and fun, and then all of the sudden you look up and it’s an hour+ later.

AutoRegex: Convert from English to RegEx with Natural Language Processing
This site uses GPT-3 to generate regular expressions from plain English and can also explain a regular expression in English 🤯

H/T Ollie Whitehouse’s excellent Blue & Purple Team Newsletter for this and other great links.

I’m not sure if this site came before or after Simon Willison’s blog post walking through the same thing.

Practical Attacks on Machine Learning Systems
NCC Group Chief Scientist (and all-around gentleman and scholar) Chris Anley aggregates over 5 years of literature review as well as NCC Group’s research and applied experiences of attacking infield systems. It includes:

• A taxonomy of attacks on ML systems

• Exploit techniques for SciKit-Learn, Keras, PyTorch & TensorFlow

• Replication of key results from several canonical ML security papers

Mac

The Art of Mac Malware
Free(!) book by Patrick Wardle on uncovering Mac malware’s infection methods, persistence strategies, and insidious capabilities. Learn to use common reverse engineering tools, unpack protected malware, use a debugger to understand how it works, and finally put the lessons into practice by analyzing a complex Mac malware specimen on your own.

How to Reverse Malware on MacOS without Getting Infected
~40 page free PDF by SentinelOne’s Phil Stokes on setting up a safe lab environment to test malware, relevant tools (e.g. otool, LLDB) and how to use them, and more.

Apple expands commitment to protect users from mercenary spyware
I love this. Apple has released a new “Lockdown Mode,” designed to protect people who might be targeted by mercenary spyware. Bypassing Lockdown mode can earn you a $2M bounty, not too shabby. Apple is also making a $10M grant to support organizations that investigate, expose, and prevent highly targeted cyberattacks.

Dan Guido weighs in as well:

Blue Team

Building a TLS-compatible Honeypot
How to setup a honeypot with an IDS, ELK and TLS traffic inspection, by Nils Hanke.

SOC2: The Screenshots Will Continue Until Security Improves
Helpful and practical advice from Thomas Ptacek, with some fun snark as a bonus.

Red Team

Two faces of a same PDF document
Fraktal Ltd’s Toni Huttunen describes a how it’s possible to create a malicious PDF document that presents different content based on the reader application used (using fallback pages or PDF reader-specific proprietary features).

netero1010/RDPHijack-BOF
By Aon’s Chris Au: “Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.”

Automating binary vulnerability discovery with Ghidra and Semgrep
HN Security’s Marco Ivaldi describes automating vulnerability discovery in binaries by extracting pseudo-code generated by the Ghidra decompiler and scanning it with custom Semgrep rules he wrote.

The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study
Academic paper linked in HN Security’s Marco Ivaldi’s above blog post. The authors ran 8 open source and commercial SAST tools against a number of code bases with known CVEs, observed if the tools found those CVEs, then ran the tools again against the decompiled versions of those same programs.

Misc

Startup Markets, Summer 2022 Edition
Interesting post by Elad Gil on how he feels the next 3-18 months will play out.

The Culture Map: Breaking Through the Invisible Boundaries of Global Business
Book recommended by Steve Dotson after last week’s issue on cross cultural communication. Thanks Steve!

Uber broke laws, duped police and secretly lobbied governments, leak reveals
Some serious tech #hotgoss here. Uber offered financial stakes to influential figures around the world, paid academics to produce research supporting its economic claims, knowingly ignored and evaded local laws, and secretly met with and schmoozed world leaders.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint