[tl;dr sec] #196 – How Secrets Leak in CI/CD, AI Threat Modeling, Supply Chain


I hope you’ve been doing well!

What We’re Known For

It’s long had a place in my heart, as I loved the TV show as a kid. It’s also what originally got me into doing improv comedy!

A friend who attended the show said at one point they asked for an SF-inspired suggestion and received: “Poop,” “Poop on the ground,” and “Needles.” Oof.

In other #PeakBayArea news, I recently went on a mini road trip and we tested my friend’s Tesla’s self-driving functionality.

It only almost made us do something dangerous (like drive into a shortly ending side lane) ~3 times, not bad 😅 

Hope you’ve recovered from Hacker Summer Camp!

📣 Securing Mailboxes: Lessons from the Storm-0558 Attacks

We’ve all seen the news related to recent activities from a China-based threat actor with espionage objectives. It should come as no surprise that mailboxes continue to be a target, and that even strong authentication controls are insufficient to prevent unauthorized access.

At Material, our mission is to make it prohibitively difficult for attackers to access sensitive email data even, and maybe especially, in a post-compromise situation.

We leverage the APIs to apply defense-in-depth for mailboxes. We first determine which messages contain sensitive content and then require an additional, low-friction challenge to access them. So even with full control of an organization’s mail infrastructure, adversaries would still be unable to access the content of sensitive emails.

Nice, very timely and impactful! 👆️ 

📜 In this newsletter…

  • AppSec: How secrets leak in CI/CD pipelines, example app of how not to do secrets

  • Web Security: Nuclei plugins to audit Chrome extensions, two tools to monitor for JavaScript files changing, GraphQL wordlist for pentesting

  • Cloud Security: How to set up geofencing and IP allow-list for Cognito, tool to easily anonymize logs, decrypting Azure Function App Keys

  • Container Security: Tool to simplify running Atomic Red Team in container environments

  • Supply Chain: In-toto overview, framework to assess the dev practices of open source projects against NIST

  • Blue Team: Ansible role to apply security baseline, list of shell backdoors, tool to simulate malicious behavior against Google Workspace, questions to ask to improve your SIEM usage

  • Politics / Privacy: China be China-ing

  • Machine Learning + Security: Demystifying LLMs and threats, poisoning web-scale training datasets is practical, AI threat modeling framework for policymakers

  • Machine Learning: Interview with Anthropic CEO

  • OSINT / Recon: Summary 1

  • Misc: A wide-ranging smorgasbord

AppSec

How Secrets Leak in CI/CD Pipelines
Karim Rahal describes a number of subtle ways that secrets can leak in CI/CD pipelines and offers several mitigation strategies, including CI/CD task isolation, regular secret rotation, ensuring they aren’t included in output logs, and more.

OWASP/wrongsecrets
By OWASP: A vulnerable application that offers concrete instances of improper secret storage practices. A comprehensive collection of 35 challenges spanning Docker, Kubernetes, minikube, and various cloud providers (AWS, GCP, and Azure).

Web Security

robre/jsmon
By Robert Reith: A JavaScript change monitoring tool that fetches and compares versions of JavaScript files over time and notifies users via Telegram or Slack if changes are identified.

📣 Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for a campaign.

Cloud Security

Anonymizing Logs Made Easy with LogLicker
Permiso’s Corey Ahl writes about LogLicker, a tool designed to anonymize system logs, especially AWS CloudTrail logs, by replacing sensitive data with randomized placeholders through regular expressions. Corey presents two use cases: anonymizing logs and identifying instances of long-term access keys.

They’ve also released FuncoPOP, a PowerShell toolkit for attacking Azure Function Apps, primarily through exploiting Storage Account Access, and have shared the accompanying slides that were presented at DEF CON 31 Cloud Village.

Supply Chain

At each step, in-toto generates cryptographic metadata (“attestations”) capturing details about the execution of the step, including the environment, materials, and products.

TACOS Framework
Tidelift’s Jeremy Katz writes about TACOS (Trusted Attestation and Compliance for Open Source), a framework for assessing the development practices of open source projects against a set of secure development standards specified by the NIST Secure Software Development Framework (SSDF) V1.1.

TACOS gives organizations a framework for assessing the attestation and compliance practices of the open source packages they use, and defines a machine-readable specification that helps meet the Office of Management and Budget memorandum on supply chain security requirements.

Machine Learning + Security

Demystifing LLMs and Threats
Nice overview by Caleb Sima (video version): intro to LLMs and how they work, understanding LLMs in the enterprise, and AI/ML threats (prompt injection, data poisoning, data leakage) and mitigations.

Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator’s initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD.

Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content—such as Wikipedia—where an attacker only needs a time-limited window to inject malicious examples.

[tl;dr sec] #196 - How Secrets Leak in CI/CD, AI Threat Modeling, Supply Chain

Talent density beats talent mass.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏



Source link