[tl;dr sec] #141 - CIS Supply Chain Security Guide, Static Analysis on Binaries, Machine Learning

New CIS software supply chain security whitepaper and tool, finding vulnerabilities in binaries using static analysis, impressive ML tools and attacking ML systems.

Hey there,

I hope you’ve been doing well!

MockuDocumentary

Short intro this week, because there are tons of great links below.

So I’ll just give you a brief glimpse into my upcoming memoir 🤣

📜 In this newsletter...

  • Conferences: MITRE ATT&CKcon 3.0 slides and videos posted, BSidesSF 2022 videos posted

  • Web Security: Portswigger's DOM Invader can now find client-side prototype pollution

  • Cloud Security: IAM Roles Anywhere for workloads outside of AWS, complete beginner's guide to Amazon Cognito

  • Supply Chain: Optimizing CI/CD credential hygiene, step-by-step Sigstore adoption recommendations, CIS Software Supply Chain Security Guide v1.0, tool to audit your posture against that benchmark

  • Machine Learning: DALL-E 2 prompt book, converting from English to regex and back using GPT-3, practical attacks on machine learning systems

  • Mac: Free book on analyzing Mac malware, a detailed guide on reversing malware, new iOS Lockdown Mode to protect people who might be targeted by advanced adversaries

  • Blue Team: Building a TLS-compatible honeypot, practical guide on lessons learned going through SOC2

  • Red Team: It's possible to create a PDF that presents different content based on the reader used, Cobalt Strike Beacon Object File that can perform local/remote RDP session hijacking, automating binary vulnerability discovery with Ghidra and Semgrep, academic paper on whether SAST tools are effective at scanning decompiled binaries

  • Misc: Elad Gil on start-up markets, book on cross-cultural communication, exposé on Uber's shady practices

Conferences

MITRE ATT&CKcon 3.0
Slides and videos posted!

BSidesSF 2022 YouTube Playlist
Tons of excellent talks, check it out!

Web Security

DOM Invader: Prototype Pollution
Last year Portswigger released DOM Invader, a tool to make it easier to find DOM XSS. In this video, Gareth Heyes walks through how DOM Invader can now make finding client-side prototype pollution as easy as a couple of clicks.

Cloud Security

AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS
“IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.” Ben Kehoe has a really nice thread about it.

Amazon Cognito - A Complete Beginner Guide
Great guide by Daniel at Be A Better Dev explaining the core concepts of Cognito from a beginner perspective. You’ll learn about User Pools, Identity Pools/Federated Identities, and how to tie them together.

Supply Chain

Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
Cider Security’s Asi Greenholts presents three common credential hygiene issues (unrotated static credentials, overly accessible credentials, credentials exposed in console logs), and discusses the strengths and weaknesses of four of the most popular CI vendors: Jenkins, GitHub Actions, CircleCI and GitLab CI/CD around these issues.

Where Do I Sign? Step-by-step Sigstore Adoption
Chainguard’s Jed Salazar recommends, from simple to more complex: start with git signing, then signing build artifacts, and finally protecting the build system itself.

CIS Software Supply Chain Security Guide v1.0
100+ recommendations organized into 5 main categories: source code, build pipelines, dependencies, artifacts, and deployment.

aquasecurity/chain-bench
By Aqua Security: An open-source tool for auditing your software supply chain stack for security compliance based on the new CIS Software Supply Chain benchmark.

Machine Learning

Amazing, the future is now.

The DALL·E 2 Prompt Book
A free 82 page e-book by Guy Parsons on styles and terms to use with DALL-E 2, with tons of tips and examples. Simply incredible.

I’ve played around with DALL-E 2 a bit, and it is engrossing. Like, you start typing in a few words, see something surprisingly neat and fun, and then all of a sudden you look up and it’s an hour+ later.

AutoRegex: Convert from English to RegEx with Natural Language Processing
This site uses GPT-3 to generate regular expressions from plain English and can also explain a regular expression in English 🤯

H/T Ollie Whitehouse’s excellent Blue & Purple Team Newsletter for this and other great links.

I’m not sure if this site came before or after Simon Willison’s blog post walking through the same thing.

Practical Attacks on Machine Learning Systems
NCC Group Chief Scientist (and all-around gentleman and scholar) Chris Anley aggregates over 5 years of literature review as well as NCC Group’s research and applied experiences of attacking infield systems. It includes:

  • A taxonomy of attacks on ML systems

  • Exploit techniques for SciKit-Learn, Keras, PyTorch & TensorFlow

  • Replication of key results from several canonical ML security papers

Mac

The Art of Mac Malware
Free(!) book by Patrick Wardle on uncovering Mac malware’s infection methods, persistence strategies, and insidious capabilities. Learn to use common reverse engineering tools, unpack protected malware, use a debugger to understand how it works, and finally put the lessons into practice by analyzing a complex Mac malware specimen on your own.

How to Reverse Malware on MacOS without Getting Infected
~40 page free PDF by SentinelOne’s Phil Stokes on setting up a safe lab environment to test malware, relevant tools (e.g. otool, LLDB) and how to use them, and more.

Apple expands commitment to protect users from mercenary spyware
I love this. Apple has released a new “Lockdown Mode,” designed to protect people who might be targeted by mercenary spyware. Bypassing Lockdown mode can earn you a $2M bounty, not too shabby. Apple is also making a $10M grant to support organizations that investigate, expose, and prevent highly targeted cyberattacks.

Dan Guido weighs in as well:

Missing from iOS Lockdown Mode: new introspection or detection capabilities. If an attacker overcomes the attack surface reductions, you still won’t know.

Blue Team

Building a TLS-compatible Honeypot
How to set up a honeypot with an IDS, ELK and TLS traffic inspection, by Nils Hanke.

SOC2: The Screenshots Will Continue Until Security Improves
Helpful and practical advice from Thomas Ptacek, with some fun snark as a bonus.

“Getting SOC2-certified” isn’t the same as “doing the engineering work to get SOC2-certified”. Do the engineering now. As early as you can. The work, and particularly its up-front costs, scale with the size of your team.

So, “when should I SOC2?” is easy to answer. Do it when it’s more economical to suck it up and get the certification than it is to individually hand-hold customer prospects through your security process.

The most important thing I can say about actually getting certified is to keep your goals modest. I’ve confirmed this over and over again with friends at other companies: the claims you make in your Type I will bind on your Type II; claims you don’t make in your Type I won’t. It stands to reason then that one of your Type I goals should be helping your future self clear a Type II.

Red Team

Two faces of a same PDF document
Fraktal Ltd’s Toni Huttunen describes how it’s possible to create a malicious PDF document that presents different content based on the reader application used (using fallback pages or PDF reader-specific proprietary features).

netero1010/RDPHijack-BOF
By Aon’s Chris Au: “Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.”

Automating binary vulnerability discovery with Ghidra and Semgrep
HN Security’s Marco Ivaldi describes automating vulnerability discovery in binaries by extracting pseudo-code generated by the Ghidra decompiler and scanning it with custom Semgrep rules he wrote.

The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study
Academic paper linked in HN Security’s Marco Ivaldi’s above blog post. The authors ran 8 open source and commercial SAST tools against a number of code bases with known CVEs, observed if the tools found those CVEs, then ran the tools again against the decompiled versions of those same programs.

Remarkably, our results show that in 71% of the cases, the same vulnerabilities can be detected by running the static analyzers on the decompiled code, even though for several cases we observe a steep increment in the number of false positives.

Misc

Startup Markets, Summer 2022 Edition
Interesting post by Elad Gil on how he feels the next 3-18 months will play out.

The high level view is that things have yet to get truly bad in private tech. 2021-2022 were an anomaly due to COVID policies which both created an incredibly cheap low interest money environment, pumped the stock market, and facilitated adoption of certain types of tech. This environment led to both excess in fundraising but also in hiring. This means that as money transitions back to “normal” levels teams that were hired too far ahead need to shrink. Many areas (hiring plans, valuations, time venture capital raised lasts, etc) are roughly resetting to 2018/2019 norms, which themselves were all time highs prior to the COVID era.

If interest rates and money supply continue to tighten and a recession happens, then things should get worse. The below largely deals with the base case of things roughly stay where they are now. More likely, things will get worse before they get better. Nonetheless, it is still a great time to start a company.

The Culture Map: Breaking Through the Invisible Boundaries of Global Business
Book recommended by Steve Dotson after last week’s issue on cross cultural communication. Thanks Steve!

Uber broke laws, duped police and secretly lobbied governments, leak reveals
Some serious tech #hotgoss here. Uber offered financial stakes to influential figures around the world, paid academics to produce research supporting its economic claims, knowingly ignored and evaded local laws, and secretly met with and schmoozed world leaders.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint
