tl;dr sec
Posts
[tl;dr sec] #107 - Supply Chain and CI/CD Security, Threat Modeling in HCL, Cracking PRNGs using ML

[tl;dr sec] #107 - Supply Chain and CI/CD Security, Threat Modeling in HCL, Cracking PRNGs using ML

Securing build pipelines and ATT&CK for CI/CD, threat modeling in Terraform, using ML to break pseudorandom number generators.

Clint Gibler
October 27, 2021

Hey there,

I hope you’ve been doing well!

Activities You Autumn Try

Two weekends ago I ventured forth from my mom’s basement home and did something seasonal: I went to a local corn maze.

The farm had a tractor ride, a pumpkin patch, and a pretty sizable corn maze in the shape of a UFO shooting down rays. It was amaizing.

I also learned about Maze Play, which is not a dark web Saw-esque kink site, but rather a corn-maze-as-a-service company. Neat.

In other news, I caught up with my bud Daniel Miessler, whose Unsupervised Learning newsletter is one of my favorite security newsletters. Definitely check it out if you haven’t already.

We’ve been swapping tips and ideas, and it’s been a blast. Also, he’s trying to convert me to Vim, and I’m trying to convert him to Emacs. Two households, both alike in dignity.

Sponsor

📢 Preparing for Tomorrow’s Security Challenges, Today

Join Tenable, AWS, Tech Mahindra and more at the virtual Code to Cloud Security Summit on Nov 10 to discuss how organizations can scale security to manage risk and address compliance requirements while accelerating release velocity. Don’t miss this opportunity to spend a half day with a panel of a dozen experts and visionaries to collaborate on real-world challenges, experiences, and strategies for successfully delivering security at scale. Free SnackMagic Box available to those who register by Oct 29!

📜 In this newsletter...

AppSec: Secret management at Elastic, repo for Google's security advisories and PoCs, document your threat model in HCL
Machine Learning: Cracking PRNGs using Machine Learning, guessing credit card PINs using deep learning
Web Security: Cheatsheet for checking if API tokens are valid, nuclei templates for checking the validity of many API tokens, SSRF fuzzer with built-in payloads
Cloud Security: CloudSecList newsletter, auto-disable old access keys, achieving least privilege with Netflix OSS tools
Supply Chain and CI/CD: GitHub Actions security best practices, attacking and securing CI/CD piplines talk, protecting open source projects from supply chain attacks
Network Security: Cracking WiFi networks at scale
Red Team: Awesome Linux rootkits, an advanced binary emulation framework
Politics / Privacy: Anti-ML clothing, NY Times journalist targeted by NSO Group malware, summary of unredacted Google antitrust filing, Facebook's weighting of emoji reactions, wokeism will elect Trump in 2024
Misc: Spotify track downloader

AppSec

elastic/harp
By Elastic: Harp provides a methodology to design your secret management, an SDK to create your own tools to orchestrate your secret management pipelines, and a CLI for secret management implementation. Unlike Vault, harp can handle secret provisioning for you.

google/security-research
This repo hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

xntrik/hcltm
Document your threat model in HCL with this tool by Christian Frichot. This allows DevOps and AppSec engineers to use a common familiar language. Spince it’s not just Markdown, you can programmatically interact with the threat models, generate data flow diagrams, and more.

And Daniel Bilar had the idea - if your threat models are codified in HCL, you could write lightweight Semgrep rules to lint your threat models to ensure they’re well constructed, find potential dangerous things, etc. 🤯

Machine Learning

Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group’s Mostafa Hassan shows how machine learning can predict the sequence of xorshift128’s random numbers using previously generated numbers without the knowledge of the seed. In part 2, he tackles Mersenne Twister.

Credit card PINs can be guessed even when covering the ATM pad
“Researchers have proven it’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.”

Web Security

streaak/keyhacks
A cheatsheet for how to check if an API token is valid across many APIs and services.

Token Spray - Introduction to self-contained template
Project Discovery’s Nuclei self-contained templates now allow easily checking the validity of 63+ types of API/service tokens.

swisskyrepo/SSRFmap
By Swissky: Given a Burp request file as input and a parameter to fuzz, this tool attempts to perform an SSRF attack on that parameter against other systems. It has built-in payloads for reading meta-data or user data from AWS/GCE/Digital Ocean, Redis and GitHub Enterprise RCE, MySQL, Docker, port scanning, and more.

Cloud Security

CloudSecList: The Cloud Security Reading List
I’ve called this newsletter out many a time, and I will again: Marco Lancini’s CloudsecList is one of my favorite cloud and container-security related sources of info. Highly, highly recommend it.

te-papa/aws-key-disabler
“A small Lambda script that will disable access keys older than a given amount of days.” By… the Museum of New Zealand’s GitHub org?! Noice!

Achieving least-privilege at FollowAnalytics with Repokid, Aardvark and ConsoleMe
FollowAnalytics’s Guilherme Sena Zuza describes how they used these open source Netflix tools to remove static keys and overall get closer to least privilege IAM policies in AWS.

Supply Chain and CI/CD

Github Actions Security Best Practices
Salesforce Heroku’s Reethi Kotti describes what can go wrong with GitHub Actions as well as best practices for third-party Actions to use, writing secure workflows, using GitHub Secrets securely, GitHub hardening settings, and more.

Attacking and Securing CI/CD Pipelines
Code Blue 2021 talk by Mercari’s Hiroki Suezawa covering why CI/CD pipeline security is important and relevant public breaches, an ATT&CK-like matrix focus on CI/CD Pipeline specific risk (GitHub repo), several attack scenarios, and how to defend.

Protect your open source project from supply chain attacks
Google’s Anne Bertucio presents best practices for supply chain security in a quiz game format. Topics: protecting dev accounts from takeover, avoiding merging malicious commits, protecting secrets, avoiding compromise during build time, evaluating dependency security, securing build processes, and more.

Network Security

Cracking WiFi at Scale with One Simple Trick
CyberArk’s Ido Hoorvitch describes how he cracked 70% out of 5,000 sampled WiFi networks in Tel Aviv. You know, just a normal day in Tel Aviv 🤣 I wonder if, from a computer security point of view, living in Tel Aviv is like living at DEF CON (assume everything is compromised, all the time).

Red Team

milabs/awesome-linux-rootkits
Repo with links to source code of 10s of Linux rootkits, both user mode and kernel mode, by Ilya Matveychikov.

qilingframework/qiling
An advanced binary emulation framework. Built on Unicorn, but also understands the OS: it has executable format loaders, dynamic linkers (so we can load & relocate shared libraries), syscall & IO handlers. You can build your own dynamic analysis tools on top of it using Python, can perform dynamic instrumentation, and more.

Politics / Privacy

UNLABELED — Camouflage Against the Machines
An artist group / textile brand developing items containing patterns designed to cause AI systems to not correctly identify you. The future is now! 😅

New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts
By Citizen Lab: “New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.”

@fasterthanlime sharing someone’s thoughts on 173 pages of the unredacted Google antitrust filing
I haven’t read the full filing but it sounds… not great.

• Google has a secret deal with Facebook called “Jedi Blue” that they knew was so illegal that it has a whole section describing how they’ll cover for each other if anyone finds out.

• Google appears to have a team called gTrade that is wholly dedicated to ad market manipulation.

• Google is willing to do almost everything to prevent people from circumventing their ad exchanges. This is what AMP is about.

• Google habitually insider trades on their ad exchanges in every way you can think of and every way you can’t. Too many ways to list here.

• Ad exchanges are also rigged so that Google wins on bids where they aren’t the highest bidder.

Facebook weighted reaction emojis, including “angry,” as 5x the value of “likes”
Over the integrity team’s warnings.

Wokeism Will Elect Trump in 2024
Daniel Miessler argues:

Middle America and The South, i.e., the people who vote for Trump, need a non-Trump option that doesn’t make them feel like the backwash of our country.

TL;DR: The extreme right and left are the problem, and the reason we’re in so much shit right now is that there are no center candidates that respect the 50% who are moderates in this country.

When the moderates have nowhere to go, they pick a side, and Wokeism is pushing far more people to the right side than the left. Quietly.

Misc

Footsiefat/zspotify
Download music from Spotify to local mp3 files. Search by track, album, playlist, or artist.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint