[tl;dr sec] #196 – How Secrets Leak in CI/CD, AI Threat Modeling, Supply Chain


I hope you’ve been doing well!

What We’re Known For

It’s long had a place in my heart, as I loved the TV show as a kid. It’s also what originally got me into doing improv comedy!

A friend who attended the show said at one point they asked for an SF-inspired suggestion and received: “Poop,” “Poop on the ground,” and “Needles.” Oof.

In other #PeakBayArea news, I recently went on a mini road trip and we tested my friend’s Tesla’s self-driving functionality.

It only almost made us do something dangerous (like drive into a shortly ending side lane) ~3 times, not bad 😅 

Hope you’ve recovered from Hacker Summer Camp!

📣 Securing Mailboxes: Lessons from the Storm-0558 Attacks

We’ve all seen the news related to recent activities from a China-based threat actor with espionage objectives. It should come as no surprise that mailboxes continue to be a target, and that even strong authentication controls are insufficient to prevent unauthorized access.

At Material, our mission is to make it prohibitively difficult for attackers to access sensitive email data even, and maybe especially, in a post-compromise situation.

We leverage the APIs to apply defense-in-depth for mailboxes. We first determine which messages contain sensitive content and then require an additional, low-friction challenge to access them. So even with full control of an organization’s mail infrastructure, adversaries would still be unable to access the content of sensitive emails.

Nice, very timely and impactful! 👆️ 

📜 In this newsletter…

  • AppSec: How secrets leak in CI/CD pipelines, example app of how not to do secrets

  • Web Security: Nuclei plugins to audit Chrome extensions, two tools to monitor for JavaScript files changing, GraphQL wordlist for pentesting

  • Cloud Security: How to set up geofencing and IP allow-list for Cognito, tool to easily anonymize logs, decrypting Azure Function App Keys

  • Container Security: Tool to simplify running Atomic Red Team in container environments

  • Supply Chain: In-toto overview, framework to assess the dev practices of open source projects against NIST

  • Blue Team: Ansible role to apply security baseline, list of shell backdoors, tool to simulate malicious behavior against Google Workspace, questions to ask to improve your SIEM usage

  • Politics / Privacy: China be China-ing

  • Machine Learning + Security: Demystifying LLMs and threats, poisoning web-scale training datasets is practical, AI threat modeling framework for policymakers

  • Machine Learning: Interview with Anthropic CEO

  • OSINT / Recon: Summary 1

  • Misc: A wide-ranging smorgasbord

AppSec

How Secrets Leak in CI/CD Pipelines
Karim Rahal describes a number of subtle ways that secrets can leak in CI/CD pipelines and offers several mitigation strategies, including CI/CD task isolation, regular secret rotation, ensuring they aren’t included in output logs, and more.

OWASP/wrongsecrets
By OWASP: A vulnerable application that offers concrete instances of improper secret storage practices. A comprehensive collection of 35 challenges spanning Docker, Kubernetes, minikube, and various cloud providers (AWS, GCP, and Azure).

Web Security

robre/jsmon
By Robert Reith: A JavaScript change monitoring tool that fetches and compares versions of JavaScript files over time and notifies users via Telegram or Slack if changes are identified.

📣 Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for a campaign.

Cloud Security

Anonymizing Logs Made Easy with LogLicker
Permiso’s Corey Ahl writes about LogLicker, a tool designed to anonymize system logs, especially AWS CloudTrail logs, by replacing sensitive data with randomized placeholders through regular expressions. Corey presents two use cases: anonymizing logs and identifying instances of long-term access keys.

They’ve also released FuncoPOP, a PowerShell toolkit for attacking Azure Function Apps, primarily through exploiting Storage Account Access, and have shared the accompanying slides that were presented at DEF CON 31 Cloud Village.

Supply Chain

At each step, in-toto generates cryptographic metadata (“attestations”) capturing details about the execution of the step, including the environment, materials, and products.

TACOS Framework
Tidelift’s Jeremy Katz writes about TACOS (Trusted Attestation and Compliance for Open Source), a framework for assessing the development practices of open source projects against a set of secure development standards specified by the NIST Secure Software Development Framework (SSDF) V1.1.

TACOS gives organizations a framework for assessing the attestation and compliance practices of the open source packages they use, and defines a machine-readable specification that helps meet the Office of Management and Budget memorandum on supply chain security requirements.

Machine Learning + Security

Demystifying LLMs and Threats
Nice overview by Caleb Sima (video version): intro to LLMs and how they work, understanding LLMs in the enterprise, and AI/ML threats (prompt injection, data poisoning, data leakage) and mitigations.

Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator’s initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD.

Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content—such as Wikipedia—where an attacker only needs a time-limited window to inject malicious examples.

Talent density beats talent mass.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏


