[tl;dr sec] #203 - Stealing CI/CD Secrets, Sliver & Cursed Chrome, Career Advice

🤹 Hark and Well Met, Noble Patrons of the Digital Realm!

Good morrow to thee, cherished reader of my humble scroll.

Within these parchment pixels, I have amassed a veritable treasure trove of cybersecurity codices and links, fit for a king! Fear not, for I’ve taken care to ensure that this guidance is as sharp as a falconer's eye, and not some jesting foolery.

Last weekend I attended the Northern California Renaissance Fair.

Performers, workers, and many attendees dressed in period attire and spoke in the dialect of the time. It was delightful.

There were booths to throw axes or spears, a “do it thyself” workshop, and an area where knights jousted.

There were a few attendees dressed as hangmen with signs that said “Executioners on strike, unionize now!” 🤣 

Well, let’s get on with the show.

With quill in hand and parchment spread,
Let these links be your armor 'gainst the cyber threats that lie ahead!

Bay Area OWASP Next Thursday

5pm-8pm in the Semgrep office.

Come for food, drinks, and networking. Talks:

• “AI applied to Cybersecurity” from me! 🙌 

• “Roadmap to DevSecOps Adoption with Case Studies” by Ankush Jain and Ankita Gupta from Akto

• “IAM for the DevSecOps Engineers” by Jeff Chao from Abbey Labs

Register here

Sponsor

📣 Schedule a Complimentary Threat Briefing On LUCR-3 (aka Scattered Spider)

Learn the cloud TTPs of LUCR-3 (aka Scattered Spider), the group responsible for breaching the cloud environments of some of the largest enterprises in the world. Permiso is now offering complimentary briefings on this threat group with Ian Ahl, SVP of P0 Labs and former head of advanced practices at Mandiant. Learn how to better defend against cloud attacks orchestrated across identity providers, Iaas, Saas and CI/CD pipelines.

📜 In this newsletter…

• AppSec: Tool to steal CI/CD secrets, how to mitigate risk from recent curl bug

• Web Security: Static analysis for Elixir, LinkedIn’s CSP journey

• Cloud Security: CloudGrep, tool to automate permissions in cloud and critical apps, AWS Well-Architected Framework updates, accessing 1000s of client AWS accounts securely, Scattered Spider threat actor breakdown

• Container Security: Extended Falco rules, Kubernetes security fundamentals

• Supply Chain: OpenPubkey vs Sigstore

• Blue Team: Passkeys now the default for personal Google accounts, malware source code collection, NSA and CISA top 10 cybersecurity misconfigs

• Red Team: Sliver and Cursed Chrome for post exploitation

• Machine Learning + Security: ChatGPT dating app scams, AI watermarks broken, chatbot hallucinations poisoning web search

• Machine Learning: Analyzing LLM neurons with LLMs, both LLMs and modern apps need debugging in prod

• Career: Consulting 101, finding your moat, Moxie’s career advice

• Misc: Turn your keyboard into a typewriter, 10 concepts that explain the modern world, have apps easily join your tailnet

AppSec

synacktiv/nord-stream
By Synacktiv: A tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.

Much ado about Curl
Semgrep’s Kurt Boberg provides a great overview of how to minimize risk from “the word cURL vulnerability in a while,” across Node, Python, Rust, C#, Ruby, Go, PHP, and Swift.

Sponsor

📣 What do CISOs really think about AI?

Every day, there’s a new AI-powered app, a fresh debate about its risks and rewards, or a new feature in ChatGPT, and we can’t help but be curious. AI isn’t going away any time soon but it does introduce new risks (and benefits) when it comes to cybersecurity.

One of the most significant concerns with AI is its ability to generate highly convincing fakes — be it deepfakes that replicate real-life personas, AI-driven phishing campaigns that can adapt to user behavior, or voice replication that can deceive even the most vigilant.

Hear from current CISOs on how they are protecting against and incorporating AI into a comprehensive cybersecurity strategy in this blog article from Lacework.

Insights and perspective from 5 CISOs, nice! 🤘 

Web Security

Elixir Security: Real World Sobelow
Paraxial’s Michael Lubas walks through using Sobelow, a static code analysis tool for Elixir and Phoenix: project planning, understanding your app’s security model, triaging findings, etc.

Enhancing Security and Developer Productivity: LinkedIn's Journey with Implementing Content Security Policy
Mira Thambireddy et al describe how LinkedIn went from a centralized CSP architecture, where all outgoing HTTP responses were matched against a set of rules managed by the AppSec team, to a more decentralized model where each development team can define their own CSP intercepting filter that will add CSP headers to outgoing requests. This prevents devs from being blocked on the AppSec team and enables devs to easily test CSP changes locally.

For defense in depth, a) the existing traffic headers plugin adds CSP headers to any request that doesn’t already have them, and b) GitHub validation checks are used to block PRs that use risky settings, like setting script-src to a wildcard or a domain that is not approved.

Cloud Security

cado-security/cloudgrep
By Cado Security: Like grep but for cloud storage. Currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3.

common-fate/glide
Automate permissions to your cloud and critical applications, by Common Fate.

Announcing updates to the AWS Well-Architected Framework guidance
Changes across all six pillars, and in this release they’ve made the implementation guidance for the new and updated best practices more prescriptive, including enhanced recommendations and steps on reusable architecture patterns targeting specific business outcomes.

Overhauling AWS account access with Terraform, Granted, and GitOps
Duckbill’s Mike Julian breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease-of-access, maintains data confidentiality, and still providing all the permissions needed.

Scattered Spider Getting SaaS-y in the Cloud
Permiso’s Ian Ahl walks through how a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property for extortion.

Container Security

CloudDefenseAI/falco_extended_rules
A collection of extended Falco rules by CloudDefenseAI’s Anshu Bansal and Marut Pandya, covering 20 new MITRE ATT&CK areas.

Kubernetes security fundamentals: Introduction
The start of a new blog series by Datadog’s Rory McCune on the fundamental Kubernetes security areas that companies should think about.

tl;dr: Key security aspects must be handled by third-party integrations (e.g. runtime security, vulnerability management, log analysis), and there big differences between managed vs unmanaged distributions (e.g. EKS, AKS, GKE) and even within managed options.

Supply Chain

OpenPubkey and Sigstore
By Chainguard’s Dan Lorenc.

• OpenPubKey eliminates the centralized, server-side components (Transparency Log and Certificate Authority) that Sigstore has.

• Two potential issues with OpenPubkey: 1) publishing raw identity tokens (JWTs) introduces several privacy concerns, and 2) relying directly on OIDC signing keys for verification introduces a large amount of complexity (and attack surface) on clients.

Blue Team

Google has made passkeys the default option across personal Google Accounts, both saving you from remembering passwords and increasing security.

vxunderground/MalwareSourceCode
By vx-underground: Vast collection of malware source code for a variety of platforms (Android, Windows, Linux, macOS, …) in many programming languages (Java, JS, PHP, Python …).

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
…

Red Team

Sliver and Cursed Chrome for Post Exploitation
Jeremy Mill walks through using Sliver, a command and control framework (C2) to inject a CursedChrome payload into a victim’s browser, allowing an adversary to proxy requests through CursedChrome through the victim's browser, allowing you to browse sites as the victim (all sites they’re logged in to / have current sessions with).

Mitigations: use Chrome policies to limit what URLs extensions can use (See Chrome Galvanizer by Matthew Bryant), control extensions at your org, detect new listening debug ports in Chrome.

Machine Learning + Security

Quicklinks

• Deep fakes of Tom Hanks are being used to scam people. Is nothing sacred?!

• From AI with love: Scammers integrate ChatGPT into dating-app tool - Fake dating profiles are being created on Tinder, Bumble, and a dozen other dating apps. They can send likes, read replies from potential matches, and create varied believable profiles. Deep dive.

Researchers Tested AI Watermarks—and Broke All of Them
A research team found it’s easy to evade current methods of watermarking—and even add fake watermarks to real images.

Chatbot Hallucinations Are Poisoning Web Search
Chatbot’s hallucinate things → that text is published online → search engines index it and serve it up as facts. GenAI could make search harder to trust.

Machine Learning

Quicklinks

• Extreme Parkour with Legged Robots - Definitely not going to be used for military purposes, right? 😅 

Language models can explain neurons in language models
OpenAI has used GPT-4 to automatically write explanations for the behavior of neurons in LLMs and have released a dataset for every neuron in GPT-2.

Explainability is key for alignment - as models get smarter/more capable, this will help us ensure they’re doing what we want them to do, and aren’t intentionally deceiving us. Basically this is like doing a brain scan of an LLM.

Charity Major’s 🧵 on leveraging LLMs
Charity argues that modern apps are very complex, with nondeterministic outputs and emergent properties, so that you need to debug code by instrumenting and observing in production.

Career

Consulting 101: My top 10 lessons in getting paid to give advice
By Duckbill’s Mike Julian.

Finding Your Moat
Matt Johansen discusses being competitive in the job market by finding and developing your personal and professional moat- what makes you unique and valuable.

Career Advice
By Signal founder Moxie Marlinspike.

• “Be careful what job you take, because your job will change you.”

  • Prison guards and grief counselor probably see the world differently.

  • “The context of one’s life defines not just what but how one thinks, and a job tends to dominate the context of one’s life — particularly when that job is considered to be part of a career.”

• Observe the older people working at your company or in your field.

  • “They are the future you. Do not think that you will be substantially different. Look carefully at how they spend their time at work and outside of work, because this is also almost certainly how your life will look.”

• Be careful not to discover a career before you’ve discovered yourself.

  • High school → college → internships → job fair. “When we arrive at the ends of these funnels, it’s possible that the direction we’re facing is more a reflection of those structures than it is a reflection of ourselves.”

• “There’s no rush to get started early on a never-ending task.” 

  • If your career will be decades, you have time.
    

Misc

Quicklinks

• Daktilo - Turn your keyboard into a typewriter, and make people glad about their “return to office” policies.

• 10 concepts that explain the modern world

Introducing the Tailscale Universal Docker Mod
Xe Iaso announces Tailscale’s new universal Docker mod, which lets you have applications join your tailnet just as easily as machines can. You can have a wiki on http://wiki, an IDE at http://code, etc.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler