• tl;dr sec
  • Posts
  • [tl;dr sec] #147 - Twitter Whistleblower, CI/CD Security, How to Think About Endpoint Security

[tl;dr sec] #147 - Twitter Whistleblower, CI/CD Security, How to Think About Endpoint Security

Mudge's accusations of Twitter's security posture, identity management risks in GitHub orgs, comparing 6 CI providers and examining GH workflows at scale, Ryan McGeehan offers valuable context on how to think of Mudge's Twitter endpoint comments and thinking about endpoint security at your company.

Author

Clint Gibler
August 24, 2022

Hey there,

I hope you’ve been doing well!

Status Updates

When someone keeps asking you for incident response or status updates in general, feel free to share this.

Errata

Last week I messed up the following link, apologies: RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise (and slides).

It was fixed quickly on the blog after the email was sent, but here it is for your convenience.

Sponsor

📢 Just Released: Q3 2022 State of API Security Report

Do you have visibility into your organization's API attack surface? If you experienced an API security incident last year, you're not alone. 94% of organizations have had API security problems. Industry-leading research from Salt Security examines how companies secure APIs, the challenges they face, and how their API security strategies are evolving. Download the

to benchmark yourself and improve API security for your company.

📜 In this newsletter...

  • AppSec: Experimental Elixir support in Semgrep, GitHub now supports SSH commit verification, tool to simplify review and management of threat models in documents

  • Web Security: Client side desync CTF exercise, collection of tools for web hackers, awesome browser security resources

  • CI/CD: The Consequences of Inadequate Identity Management in your GitHub Organization, academic paper examining GitHub Action workflow security and 5 other CI providers

  • Cloud Security: Three AWS Lambda guardrails, detecting suspicious activity in your AWS account using decoy resources

  • Container Security: Small Linux VM ready to run containers for macOS on ARM, auditing Kubernetes RBAC

  • Blue Team: Tool to deobfuscate Log4Shell payloads, BloodHound but for the blue team, endpoint security: intuition around the Mudge disclosures

  • Politics / Privacy: See what JavaScript is injected in in-app browsers, TikTok's commitment to ~~undermining~~ U.S. election integrity

  • Misc: They say all strongment are dumb, Twitter advanced search cheatsheet, how to ask and get a yes

  • Twitter & Security: Coverage on Mudge's whistleblowing from a number of outlets and perspectives

AppSec

Experimental Elixir support in Semgrep!
By Podium’s Holden Oullette and others. Super neat to see community contributions like this that make Semgrep better for everyone.

GitHub now supports SSH commit verification, so you can sign commits and tags locally using a self-generated SSH public key, which will give others confidence about the origin of a change you have made. If a commit or tag has an SSH signature that is cryptographically verifiable, GitHub makes the commit or tag “Verified” or “Partially Verified.”

threatware
A tool by Dave Soldera that simplifies the review and management of threat models in documents. threatware is an AWS lambda function (or CLI tool) with methods to help review threat models (e.g. validate formatting, output threat model in a machine-readable languages) and provide a process to manage threat models (e.g. like version control, for threat models). It works directly with threat models as documents in Confluence/Google Docs.

Web Security

Client Side Desync CTF exercise
CTF write-up here, H/T Lewis Ardern for the link.

Client Side Desync (CSD) was used as an intended solution in a CTF called “JustCTF” months prior to James Kettle dropped his research.

A real world nginx module exhibited the behavior in this case.

hahwul/WebHackersWeapons
By Hahwul: A collection of cool tools used by web hackers, grouped by tag and language. Types: Swiss Army Knife, recon, fuzzer, scanner, exploit, utils, etc.

cezary-sec/awesome-browser-security
A curated list of awesome browser security learning material by Opera’s Cezary Cerekwicki. Covers good intro material, security challenges and corresponding mitigations, attacks on browsers, and more.

CI/CD

The Consequences of Inadequate Identity Management in your GitHub Organization
Cider Security’s Omer Gil and Yaron Avital outline several risks when not using SSO (and SCIM) to authenticate to GitHub.

  • When inviting users by email address or GitHub user name, they could be using a non corporate email which you have no control over, and/or they could switch to using a private email in the future (which an attacker could compromise).

  • When users are logging in to GitHub not via SSO, removing them in your IdP will not remove them from your GitHub org- you’ll need to do that separately.

  • Deactivating a user in the IdP only prevents them from re-authenticating to GitHub’s website- their Personal Access Tokens and SSH keys will continue to work.

Characterizing the Security of Github CI Workflows
Usenix paper that defines four security properties that must hold to secure CI/CD platforms from supply-chain attacks: Admittance Control, Execution Control, Code Control, and Access to Secrets.

They then examine GitHub CI and five other public CI/CD platforms on these properties, and investigate how the security implications of how developers use workflows in GitHub CI.

Finally, they released GWChecker, a GitHub Action YAML auditing tool that looks for plaintext secrets using regex, tags for versioning, non-verified actions or actions not published on the marketplace, and insecure triggers. GWChecker also enforces a pre commit hook that ensures that the files committed are not in .github/workflow to avoid having workflows that commit other workflow-related files to the repository.

Cloud Security

Three Guardrails for AWS Lambda
Brian Tarbox describes three guardrails for Lambdas: code signing, decouple deploying from releasing with function versions and aliases, and do code scanning of new PRs using tools like Amazon CodeGuru Reviewer.

How to detect suspicious activity in your AWS account by using private decoy resources
AWS’s Maitreya Ranganath and Mark Keating describe how you can create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed. See also the awesome canarytokens.org.

Container Security

apinske/virt
A small Linux VM, ready to run containers, for macOS on ARM, by Alexander Pinske.

Auditing RBAC - Redux
Rory McCune walks through the challenges of auditing Kubernetes authorization (there are multiple modes: Node, ABAC, webhook, RBAC), complexities around RBAC, and useful tools to assess RBAC rights.

Sponsor

📢 Find and act on sensitive, toxic, and exposed data

Data is the last mile in any breach. For security engineering teams trying to locate sensitive, toxic, and exposed data within hundreds or thousands of accounts, billions of objects, and petabytes of data (sound familiar?), existing tooling doesn't work. You need a new approach. Open Raven is secure, private, and budget-safe data security that just works. Our platform prevents leaks, breaches, and compliance incidents by fully mapping data locations, types, and security posture and applying guardrails. Download the ebook to learn how to classify and protect cloud data at scale.

Blue Team

ox-eye/Ox4Shell
Since the release of Log4Shell, many tools were created to obfuscate Log4Shell payloads. This tool by Oxeye lets you unravel the true contents of obfuscated Log4Shell payloads with ease.

BlueHound: Community Driven Resilience
Zero Networks’s Dekel Paz describes BlueHound, a tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.

Endpoint Security: Intuition around the Mudge Disclosures
Great post by Ryan McGeehan on the core things you should keep in mind about endpoint security, communicating with senior management, risk scenarios, measuring progress, practical realities, and more.

The question for ourselves and our teams is, what is our threshold and what is our baseline?

The operational work to follow up on findings is universally underappreciated by almost every team going down this path.

Endpoint deployments often have a sprint to deal with the worst findings immediately (malware) but then fade off as the original deployment team ventures off to tackle new risks. Who picks up these operations?

There are two big decisions:

• What is the baseline configuration?

• What threshold becomes an incident if exceeded?

The baseline configuration should codify some strategy: Maybe you want to prioritize compliance, responsiveness, prevention, or both.

Politics / Privacy

iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser
Follow up from Felix Krause after the popularity of his post on how Instagram tracks behavior (referenced two issues ago). Felix announces InAppBrowser.com, a website you can visit to see what JavaScript commands get injected through an in-app browser.

TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.

Our commitment to election integrity
TikTok is rolling out an Election Center with authoritative info in 45 languages as U.S. midterms near.

Though trusting or relying on a Chinese company to not interfere with U.S. politics or attempt to influence public opinion (or rampantly steal IP) is like relying on McDonald’s to advocate for healthy living.

Though maybe Chinese companies are so good at censoring that they’ll actually do a better job at cracking down on misinformation (that doesn’t align with their interests) 🤔

Misc

They say all strongmen are dumb
This killed me 😂 

igorbrigadir/twitter-advanced-search
Twitter Advanced Search cheatsheet by recsyslabs’s Igor Brigadir. Search effectively by keyword, user, geo, time, tweet type, engagement, media, and more.

To increase the chance of getting a yes:

1. Write the ask

2. Highlight parts that benefit you

3. Highlight parts that benefit the other person

You may be surprised how much of your note is self-serving.

The key is to edit so the final version is ~90% about the other person.

You should frame your idea IN RELATION TO the other person. No one cares about your career goals, project, etc. They care about how it relates to them.

Bottom line: If you can’t think of why it would be rational for them to give you an enthusiastic yes, go back to the drawing board.

Twitter & Security

Phew, quite some 🌶️ takes and infosec (and tech in general) drama this week.

Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
Peter Zatko (Mudge) filed a whistleblower complaint about Twitter, claiming things like: executive leadership is purposefully ignorant around the number of bots, there’s been a serial underinvestment in security, there are potential foreign agents on staff, and more.

See also his interview with Donie O’Sullivan.

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to.

Twitter CEO calls Mudge Zatko’s whistleblower report a ‘false narrative’
And that Mudge’s claims lack “important context.”

84 page PDF of Mudge’s whistleblower document
A redacted version of what was sent to the SEC, FTC, and DOJ.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint