[tl;dr sec] #196 - How Secrets Leak in CI/CD, AI Threat Modeling, Supply Chain
Some subtle ways secrets leak and how to mitigate, AI threat modeling for policymakers, in-toto and TACOS
I hope you’ve been doing well!
What We’re Known For
Recently Whose Line Is It Anyway had a show in San Francisco.
It’s long had a place in my heart, as I loved the TV show as a kid. It’s also what originally got me into doing improv comedy!
A friend who attended the show said at one point they asked for an SF-inspired suggestion and received: “Poop,” “Poop on the ground,” and “Needles.” Oof.
In other #PeakBayArea news, I recently went on a mini road trip and we tested my friend’s Tesla’s self-driving functionality.
It only almost made us do something dangerous (like drive into a shortly ending side lane) ~3 times, not bad 😅
Hope you’ve recovered from Hacker Summer Camp!
📣 Securing Mailboxes: Lessons from the Storm-0558 Attacks
We’ve all seen the news related to recent activities from a China-based threat actor with espionage objectives. It should come as no surprise that mailboxes continue to be a target, and that even strong authentication controls are insufficient to prevent unauthorized access.
At Material, our mission is to make it prohibitively difficult for attackers to access sensitive email data even, and maybe especially, in a post-compromise situation.
We leverage the APIs to apply defense-in-depth for mailboxes. We first determine which messages contain sensitive content and then require an additional, low-friction challenge to access them. So even with full control of an organization's mail infrastructure, adversaries would still be unable to access the content of sensitive emails.
Nice, very timely and impactful! 👆️
📜 In this newsletter…
AppSec: How secrets leak in CI/CD pipelines, example app of how not to do secrets
Cloud Security: How to set up geofencing and IP allow-list for Cognito, tool to easily anonymize logs, decrypting Azure Function App Keys
Container Security: Tool to simplify running Atomic Red Team in container environments
Supply Chain: In-toto overview, framework to assess the dev practices of open source projects against NIST
Blue Team: Ansible role to apply security baseline, list of shell backdoors, tool to simulate malicious behavior against Google Workspace, questions to ask to improve your SIEM usage
Politics / Privacy: China be China-ing
Machine Learning + Security: Demystifying LLMs and threats, poisoning web-scale training datasets is practical, AI threat modeling framework for policymakers
Machine Learning: Interview with Anthropic CEO
Misc: A wide-ranging smorgasbord
How Secrets Leak in CI/CD Pipelines
Karim Rahal describes a number of subtle ways that secrets can leak in CI/CD pipelines and offers several mitigation strategies, including CI/CD task isolation, regular secret rotation, ensuring secrets aren’t included in output logs, and more.
By OWASP: A vulnerable application that offers concrete instances of improper secret storage practices. A comprehensive collection of 35 challenges spanning Docker, Kubernetes, minikube, and various cloud providers (AWS, GCP, and Azure).
Nuclei plugins to audit Chrome extensions.
Building a free open source GraphQL wordlist for pentesting
Escape's Nohé Hinniger-Foray presents an open-source GraphQL wordlist designed specifically for penetration testing, utilizing insights from over 60,000 operational GraphQL endpoints. This wordlist is designed to complement tools such as Goctopus and Clairvoyance.
📣 Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for a campaign.
How to setup geofencing and IP allow-list for Cognito user pool
AWS announced a new feature that lets you enable WAF protection for Cognito user pools. Yan Cui walks through how to use this to implement geo-fencing and IP allow/deny lists.
Anonymizing Logs Made Easy with LogLicker
Permiso's Corey Ahl writes about LogLicker, a tool designed to anonymize system logs, especially AWS CloudTrail logs, by replacing sensitive data with randomized placeholders through regular expressions. Corey presents two use cases: anonymizing logs and identifying instances of long-term access keys.
What the Function: Decrypting Azure Function App Keys
NetSPI's Karl Fosaaen and Thomas Elling on how attackers can decrypt Azure Function App's master key, leading to supply chain attacks and unauthorized access to any managed identities assigned to the Function App.
They’ve also released FuncoPOP, a PowerShell toolkit for attacking Azure Function Apps, primarily through exploiting Storage Account Access, and have shared the accompanying slides that were presented at DEF CON 31 Cloud Village.
Run Atomic Red Team detection tests in container environments with Datadog’s Workload Security Evaluator
Datadog’s Nathaniel Beckstead announces Workload Security Evaluator, a new tool that simplifies the process of running Atomic Red Team detection tests in container environments (i.e. make sure your runtime container detections work).
Unleashing in-toto: The API of DevSecOps
Aditya Sirish and Cole Kennedy describe in-toto, which lets you define a series of steps that map out your software supply chain, from coding and testing to packaging and deployment, including Jenkins/GitLab, security scanning tools, identity tools like Okta, etc.
At each step, in-toto generates cryptographic metadata ("attestations") capturing details about the execution of the step, including the environment, materials, and products.
Tidelift's Jeremy Katz writes about TACOS (Trusted Attestation and Compliance for Open Source), a framework for assessing the development practices of open source projects against a set of secure development standards specified by the NIST Secure Software Development Framework (SSDF) V1.1.
TACOS gives organizations a framework for assessing the attestation and compliance practices of the open source packages they use, and defines a machine-readable specification that helps meet the Office of Management and Budget memorandum on supply chain security requirements.
A massive list of shell backdoors.
How to identify when you’ve lost control of your SIEM (and how to rein it back in)
Expel's Dan Whalen and Lori Easterly explore signs of losing control over your SIEM, such as frequent system crashes, missing data, high false positives, or complex data management. They provide a useful list of questions for evaluating and improving your SIEM usage.
Politics / Privacy
Naomi Wu and the Silence That Speaks Volumes - Naomi Wu was a prominent Chinese tech influencer
China hacked Japan’s military networks
China would consider attacks on US railroads, pipelines if it invades Taiwan, CISA Director Jen Easterly says
Machine Learning + Security
Demystifying LLMs and Threats
Nice overview by Caleb Sima (video version): intro to LLMs and how they work, understanding LLMs in the enterprise, and AI/ML threats (prompt injection, data poisoning, data leakage) and mitigations.
ATHI — An AI Threat Modeling Framework for Policymakers
Daniel Miessler proposes a framework (Actor, Technique, Harm, Impact) for thinking about harms and impacts that can come from AI systems.
DeepEval - PyTest for LLMs. Run offline evaluations on your LLM pipelines.
Measuring Q&A system correctness with LangChain
Law Society: A pro-innovation approach to AI regulation
Using GPT-4 for content moderation - By including a detailed policy in your prompt.
Consensus: A search engine that uses AI to find insights in research papers
AI bots are better than humans at solving CAPTCHAs - 85-100% vs human accuracy of 50-85%.
Generated Photos: Create realistic full-body photos of people in real time. “Thanks to our advanced AI algorithms, you won’t tell generated humans from real people.” Errr, thanks?
Dario Amodei - $10 Billion Models, OpenAI, Scaling, & AGI in 2 years
Fascinating interview with the CEO of Anthropic, who doesn’t do many interviews. It was interesting hearing how open he was about how many things AI researchers just don’t know, for example: where things are headed, how alignment might be solved (or if it’s solvable), failure modes of superhuman AI, and more. His thoughts on maintaining a low profile are worth a listen.
Zuckerberg has dismissed the Zuck vs Elon cage match as Elon keeps coming up with excuses on why it has to be delayed.
The Onion - Christians Explain Why Jesus Was Too Liberal
How to Process Your Emotions - By the School of Life
Simple Parenting Hacks: Tips and Scripts from a Hacker Dad - I enjoyed these tips by rez0.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!