[tl;dr sec] #203 - Stealing CI/CD Secrets, Sliver & Cursed Chrome, Career Advice
Tool to steal CI/CD env secrets via deploying a malicious pipeline, proxy your traffic through a victim's browser, consulting 101, finding your moat, and Moxie's career advice
My heart goes out to those facing violence, loss, and displacement. I hope there is a return to peace soon.
In the meantime, I’ll try to bring some merriment. Clears throat.
🤹 Hark and Well Met, Noble Patrons of the Digital Realm!
Good morrow to thee, cherished reader of my humble scroll.
Within these parchment pixels, I have amassed a veritable treasure trove of cybersecurity codices and links, fit for a king! Fear not, for I’ve taken care to ensure that this guidance is as sharp as a falconer's eye, and not some jesting foolery.
Last weekend I attended the Northern California Renaissance Fair.
Performers, workers, and many attendees dressed in period attire and spoke in the dialect of the time. It was delightful.
There were booths to throw axes or spears, a “do it thyself” workshop, and an area where knights jousted.
This knight had some serious ‘tude
There were a few attendees dressed as hangmen with signs that said “Executioners on strike, unionize now!” 🤣
Well, let’s get on with the show.
With quill in hand and parchment spread,
Let these links be your armor 'gainst the cyber threats that lie ahead!
5pm-8pm in the Semgrep office.
Come for food, drinks, and networking. Talks:
“AI applied to Cybersecurity” from me! 🙌
“Roadmap to DevSecOps Adoption with Case Studies” by Ankush Jain and Ankita Gupta from Akto
“IAM for the DevSecOps Engineers” by Jeff Chao from Abbey Labs
📣 Schedule a Complimentary Threat Briefing On LUCR-3 (aka Scattered Spider)
Learn the cloud TTPs of LUCR-3 (aka Scattered Spider), the group responsible for breaching the cloud environments of some of the largest enterprises in the world. Permiso is now offering complimentary briefings on this threat group with Ian Ahl, SVP of P0 Labs and former head of advanced practices at Mandiant. Learn how to better defend against cloud attacks orchestrated across identity providers, IaaS, SaaS and CI/CD pipelines.
📜 In this newsletter…
AppSec: Tool to steal CI/CD secrets, how to mitigate risk from recent curl bug
Web Security: Static analysis for Elixir, LinkedIn’s CSP journey
Cloud Security: CloudGrep, tool to automate permissions in cloud and critical apps, AWS Well-Architected Framework updates, accessing 1000s of client AWS accounts securely, Scattered Spider threat actor breakdown
Container Security: Extended Falco rules, Kubernetes security fundamentals
Supply Chain: OpenPubkey vs Sigstore
Blue Team: Passkeys now the default for personal Google accounts, malware source code collection, NSA and CISA top 10 cybersecurity misconfigs
Red Team: Sliver and Cursed Chrome for post exploitation
Machine Learning + Security: ChatGPT dating app scams, AI watermarks broken, chatbot hallucinations poisoning web search
Machine Learning: Analyzing LLM neurons with LLMs, both LLMs and modern apps need debugging in prod
Career: Consulting 101, finding your moat, Moxie’s career advice
Misc: Turn your keyboard into a typewriter, 10 concepts that explain the modern world, have apps easily join your tailnet
📣 What do CISOs really think about AI?
Every day, there’s a new AI-powered app, a fresh debate about its risks and rewards, or a new feature in ChatGPT, and we can’t help but be curious. AI isn’t going away any time soon but it does introduce new risks (and benefits) when it comes to cybersecurity.
One of the most significant concerns with AI is its ability to generate highly convincing fakes — be it deepfakes that replicate real-life personas, AI-driven phishing campaigns that can adapt to user behavior, or voice replication that can deceive even the most vigilant.
Hear from current CISOs on how they are protecting against and incorporating AI into a comprehensive cybersecurity strategy in this blog article from Lacework.
Insights and perspective from 5 CISOs, nice! 🤘
Elixir Security: Real World Sobelow
Paraxial’s Michael Lubas walks through using Sobelow, a static code analysis tool for Elixir and Phoenix: project planning, understanding your app’s security model, triaging findings, etc.
Enhancing Security and Developer Productivity: LinkedIn's Journey with Implementing Content Security Policy
Mira Thambireddy et al. describe how LinkedIn went from a centralized CSP architecture, where all outgoing HTTP responses were matched against a set of rules managed by the AppSec team, to a more decentralized model where each development team can define their own CSP intercepting filter that will add CSP headers to outgoing requests. This prevents devs from being blocked on the AppSec team and enables devs to easily test CSP changes locally.
For defense in depth, a) the existing traffic headers plugin adds CSP headers to any request that doesn’t already have them, and b) GitHub validation checks are used to block PRs that use risky settings, like setting script-src to a wildcard or a domain that is not approved.
Announcing updates to the AWS Well-Architected Framework guidance
Changes across all six pillars, and in this release they’ve made the implementation guidance for the new and updated best practices more prescriptive, including enhanced recommendations and steps on reusable architecture patterns targeting specific business outcomes.
Overhauling AWS account access with Terraform, Granted, and GitOps
Duckbill’s Mike Julian breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease-of-access, maintains data confidentiality, and still provides all the permissions needed.
Scattered Spider Getting SaaS-y in the Cloud
Permiso’s Ian Ahl walks through how a financially motivated attacker leverages the Identity Provider (IDP) as initial access into an environment, with the goal of stealing Intellectual Property for extortion.
tl;dr: Key security aspects must be handled by third-party integrations (e.g. runtime security, vulnerability management, log analysis), and there are big differences between managed vs unmanaged distributions (e.g. EKS, AKS, GKE) and even within managed options.
OpenPubkey eliminates the centralized, server-side components (Transparency Log and Certificate Authority) that Sigstore has.
Two potential issues with OpenPubkey: 1) publishing raw identity tokens (JWTs) introduces several privacy concerns, and 2) relying directly on OIDC signing keys for verification introduces a large amount of complexity (and attack surface) on clients.
Google has made passkeys the default option across personal Google Accounts, both saving you from remembering passwords and increasing security.
By vx-underground: Vast collection of malware source code for a variety of platforms (Android, Windows, Linux, macOS, …) in many programming languages (Java, JS, PHP, Python …).
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
Sliver and Cursed Chrome for Post Exploitation
Jeremy Mill walks through using Sliver, a command and control (C2) framework, to inject a CursedChrome payload into a victim’s browser, allowing an adversary to proxy requests via CursedChrome through the victim's browser and browse sites as the victim (all sites they’re logged in to / have current sessions with).
Machine Learning + Security
Deep fakes of Tom Hanks are being used to scam people. Is nothing sacred?!
From AI with love: Scammers integrate ChatGPT into dating-app tool - Fake dating profiles are being created on Tinder, Bumble, and a dozen other dating apps. They can send likes, read replies from potential matches, and create varied believable profiles. Deep dive.
Researchers Tested AI Watermarks—and Broke All of Them
A research team found it’s easy to evade current methods of watermarking—and even add fake watermarks to real images.
Chatbot Hallucinations Are Poisoning Web Search
Chatbots hallucinate things → that text is published online → search engines index it and serve it up as facts. GenAI could make search harder to trust.
Extreme Parkour with Legged Robots - Definitely not going to be used for military purposes, right? 😅
Language models can explain neurons in language models
OpenAI has used GPT-4 to automatically write explanations for the behavior of neurons in LLMs and has released a dataset for every neuron in GPT-2.
Explainability is key for alignment - as models get smarter/more capable, this will help us ensure they’re doing what we want them to do, and aren’t intentionally deceiving us. Basically this is like doing a brain scan of an LLM.
Charity Majors’ 🧵 on leveraging LLMs
Charity argues that modern apps are very complex, with nondeterministic outputs and emergent properties, so that you need to debug code by instrumenting and observing in production.
“Be careful what job you take, because your job will change you.”
Prison guards and grief counselors probably see the world differently.
“The context of one’s life defines not just what but how one thinks, and a job tends to dominate the context of one’s life — particularly when that job is considered to be part of a career.”
Observe the older people working at your company or in your field.
“They are the future you. Do not think that you will be substantially different. Look carefully at how they spend their time at work and outside of work, because this is also almost certainly how your life will look.”
Be careful not to discover a career before you’ve discovered yourself.
High school → college → internships → job fair. “When we arrive at the ends of these funnels, it’s possible that the direction we’re facing is more a reflection of those structures than it is a reflection of ourselves.”
“There’s no rush to get started early on a never-ending task.”
If your career will be decades, you have time.
Introducing the Tailscale Universal Docker Mod
Xe Iaso announces Tailscale’s new universal Docker mod, which lets you have applications join your tailnet just as easily as machines can. You can have a wiki on
http://wiki, an IDE at
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!