[tl;dr sec] #141 - CIS Supply Chain Security Guide, Static Analysis on Binaries, Machine Learning
New CIS software supply chain security whitepaper and tool, finding vulnerabilities in binaries using static analysis, impressive ML tools and attacking ML systems.
I hope you’ve been doing well!
Short intro this week, because there are tons of great links below.
So I’ll just give you a brief glimpse into my upcoming memoir 🤣
📢 Benchmark your cloud configuration in minutes with JupiterOne.
See how your configuration compares against CIS Foundations benchmarks in just a few clicks. Once your cloud provider is integrated with JupiterOne, this framework is automatically imported based on which cloud provider you use, giving you greater understanding of how to improve your configuration and security posture.
📜 In this newsletter...
Conferences: MITRE ATT&CKcon 3.0 slides and videos posted, BSidesSF 2022 videos posted
Web Security: Portswigger's DOM Invader can now find client-side prototype pollution
Cloud Security: IAM Roles Anywhere for workloads outside of AWS, complete beginner's guide to Amazon Cognito
Supply Chain: Optimizing CI/CD credential hygiene, step-by-step Sigstore adoption recommendations, CIS Software Supply Chain Security Guide v1.0, tool to audit your posture against that benchmark
Machine Learning: DALL-E 2 prompt book, converting from English to regex and back using GPT-3, practical attacks on machine learning systems
Mac: Free book on analyzing Mac malware, a detailed guide on reversing malware, new iOS Lockdown Mode to protect people who might be targeted by advanced adversaries
Blue Team: Building a TLS-compatible honeypot, practical guide on lessons learned going through SOC2
Red Team: It's possible to create a PDF that presents different content based on the reader used, Cobalt Strike Beacon Object File that can perform local/remote RDP session hijacking, automating binary vulnerability discovery with Ghidra and Semgrep, academic paper on if SAST tools are effective at scanning decompiled binaries
Misc: Elad Gil on start-up markets, book on cross-cultural communication, expose on Uber's shady practices
MITRE ATT&CKcon 3.0
Slides and videos posted!
BSidesSF 2022 YouTube Playlist
Tons of excellent talks, check it out!
DOM Invader: Prototype Pollution
Last year Portswigger released DOM Invader, a tool to make it easier to find DOM XSS. In this video, Gareth Heyes walks through how DOM Invader can now make finding client-side prototype pollution as easy as a couple of clicks.
AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS
“IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.” Ben Kehoe has a really nice thread about it.
Amazon Cognito - A Complete Beginner Guide
Great guide by Daniel at Be A Better Dev explaining the core concepts of Cognito from a beginner perspective. You’ll learn about User Pools, Identity Pools/Federated Identities, and how to tie them together.
Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
Cider Security’s Asi Greenholts presents three common credential hygiene issues (unrotated static credentials, overly accessible credentials, credentials exposed in console logs), and discusses the strengths and weaknesses of four of the most popular CI vendors: Jenkins, GitHub Actions, CircleCI and GitLab CI/CD around these issues.
Where Do I Sign? Step-by-step Sigstore Adoption
Chainguard’s Jed Salazar recommends, from simple to more complex: start with git signing, then signing build artifacts, and finally protecting the build system itself.
CIS Software Supply Chain Security Guide v1.0
100+ recommendations organized into 5 main categories: source code, build pipelines, dependencies, artifacts, and deployment.
Amazing, the future is now.
I’ve played around with DALL-E 2 a bit, and it is engrossing. Like, you start typing in a few words, see something surprisingly neat and fun, and then all of the sudden you look up and it’s an hour+ later.
AutoRegex: Convert from English to RegEx with Natural Language Processing
This site uses GPT-3 to generate regular expressions from plain English and can also explain a regular expression in English 🤯
Practical Attacks on Machine Learning Systems
NCC Group Chief Scientist (and all-around gentleman and scholar) Chris Anley aggregates over 5 years of literature review as well as NCC Group’s research and applied experiences of attacking infield systems. It includes:
A taxonomy of attacks on ML systems
Exploit techniques for SciKit-Learn, Keras, PyTorch & TensorFlow
Replication of key results from several canonical ML security papers
The Art of Mac Malware
Free(!) book by Patrick Wardle on uncovering Mac malware’s infection methods, persistence strategies, and insidious capabilities. Learn to use common reverse engineering tools, unpack protected malware, use a debugger to understand how it works, and finally put the lessons into practice by analyzing a complex Mac malware specimen on your own.
How to Reverse Malware on MacOS without Getting Infected
~40 page free PDF by SentinelOne’s Phil Stokes on setting up a safe lab environment to test malware, relevant tools (e.g. otool, LLDB) and how to use them, and more.
Apple expands commitment to protect users from mercenary spyware
I love this. Apple has released a new “Lockdown Mode,” designed to protect people who might be targeted by mercenary spyware. Bypassing Lockdown mode can earn you a $2M bounty, not too shabby. Apple is also making a $10M grant to support organizations that investigate, expose, and prevent highly targeted cyberattacks.
Dan Guido weighs in as well:
📢 Learn How Hyperproof is Making Continuous Controls Monitoring Work for Everyone
Watch Hyperproof’s latest webinar to learn what continuous controls monitoring (CCM) is and how you can deploy automation in your own organization to improve efficiency and effectiveness.
SOC2: The Screenshots Will Continue Until Security Improves
Helpful and practical advice from Thomas Ptacek, with some fun snark as a bonus.
Two faces of a same PDF document
Fraktal Ltd’s Toni Huttunen describes a how it’s possible to create a malicious PDF document that presents different content based on the reader application used (using fallback pages or PDF reader-specific proprietary features).
By Aon’s Chris Au: “Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.”
Automating binary vulnerability discovery with Ghidra and Semgrep
HN Security’s Marco Ivaldi describes automating vulnerability discovery in binaries by extracting pseudo-code generated by the Ghidra decompiler and scanning it with custom Semgrep rules he wrote.
The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study
Academic paper linked in HN Security’s Marco Ivaldi’s above blog post. The authors ran 8 open source and commercial SAST tools against a number of code bases with known CVEs, observed if the tools found those CVEs, then ran the tools again against the decompiled versions of those same programs.
The Culture Map: Breaking Through the Invisible Boundaries of Global Business
Book recommended by Steve Dotson after last week’s issue on cross cultural communication. Thanks Steve!
Uber broke laws, duped police and secretly lobbied governments, leak reveals
Some serious tech #hotgoss here. Uber offered financial stakes to influential figures around the world, paid academics to produce research supporting its economic claims, knowingly ignored and evaded local laws, and secretly met with and schmoozed world leaders.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!