
CramHacks Chronicles #23: Weekly Cybersecurity Newsletter!

Temu Suspicion, AI Threat Model, Flipper Zeros Ban, OpenSSF Securing Software Repositories

🥳 Happy Monday! 🥳

How was that Super Bowl? Honestly, I’ve lost a lot of interest in Football recently, but I’ve gained a lot of interest in these POV NFL is Rigged videos. They’re hilarious but also kinda suspicious 🤣.

Check out my Conf42 DevOps 2024 talk! It’s a great introductory walkthrough on software composition analysis, third-party package vulnerabilities, and a few tips & tricks on prioritizing these vulnerabilities across your projects.

OWASP Bay Area Meetup: Semgrep & JIT
The Bay Area OWASP February meetup is this Thursday (Tomorrow), February 15th, 2024 @ 5:00 PM PST. Come hang out!

I will be presenting “Tackling Vulnerabilities in Third-party Packages,” and JIT’s Aviram Shmueli will be presenting “Velocity + Safety: Security Metrics All Engineers Should Care About.”

Application Security

Synopsys Kicks Off Sale of $3 Billion-Plus SIG Unit
The Synopsys SIG (Software Integrity Group) is on the market. SIG has been a compilation of several major acquisitions, such as Coverity, Codenomicon, Cigital, and Black Duck Software. Click here for a full list of Synopsys acquisitions, thirteen in Software Security & Quality alone.

👋 This seems on track given their Q4 investor notes and January’s announcement: Ansys (ANSS) Reportedly to be Acquired by Synopsys for $35B.

Artificial Intelligence

Bugcrowd Secures $102 Million in Strategic Growth Funding to Scale AI-Powered Crowdsourced Security Platform
In the last 12 months, Bugcrowd has added more than 200 clients (almost 1,000 total), growing the overall business by more than 40% and the Pentest as a Service (PTaaS) business nearly 100%.

👋 Bugcrowd is very vocal about their usage of AI. I don’t quite understand the extent to which AI is currently adding value to their platform, but I’m sure a large chunk of this $102M will be spent towards furthering this pursuit.

ChatGPT's ability to remember things you discuss to make future chats more helpful
OpenAI is testing a new feature that will enable users to ask ChatGPT to remember certain things. One of the examples provided is:

“You’ve told ChatGPT you own a neighborhood coffee shop. When brainstorming messaging for a social post celebrating a new location, ChatGPT knows where to start. “

👋 This is pretty awesome from a technology/usability perspective, but it does add to the fear factor. Users will have the ability to enable/disable this feature and can even request that specific memories be deleted. That said, they are still a business where data determines survival, therefore:

“We may use content that you provide to ChatGPT, including memories, to improve our models for everyone. If you’d like, you can turn this off through your Data Controls. As always, we won't train on content from ChatGPT Team and Enterprise customers.”

Breaches

Insider Breach Impacts Half The Workforce Of Verizon
More than 63,000 Verizon Employees have had their employee information disclosed to an unauthorized company employee, including full name, street address, Social Security number or other national identifier, gender, and date of birth.

👋 This reads a lot like a malicious insider to me. I don’t suspect this would’ve made the news, nor do I think it would’ve caused Verizon to offer impacted employees identity protection and credit monitoring services for two years.

33M French Citizens Impacted in Country’s Largest-Ever Breach
In late January, cyberattacks separated by only five days compromised both Viamedis and Almerys, who manage third-party payments for health insurance companies. The result is the largest-ever data breach for French Citizens; 33 million citizens have reportedly been impacted.

👋 According to reports, the Viamedis breach originated from a phishing email, whereas for Almerys’, a malicious actor obtained access to a portal used by health professionals. Maybe by phishing??? I’m not sure; the information on this is vague. I wouldn’t be surprised if it were credential stuffing or similar.

Miscellaneous

Turns out the parent company of Temu has a history of publishing malware into their Android apps
Matt Johansen does some investigating on Temu, which markets itself as a one-stop destination for affordable items. It turns out that the parent company of Temu is PDD Holdings, which also has an app named Pinduoduo. Researchers discovered that the Pinduoduo app available in third-party markets contained malware exploiting several zero-day vulnerabilities.

👋 Something didn’t sit right with me after seeing all those Super Bowl commercials. Very sus.

Canada Wants To Ban Flipper Zeros
Last week, Canada hosted a National Summit on Combatting Auto Theft. One specific outcome was that the Government of Canada is taking immediate action to combat auto theft by:

“Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.”

👋 Well, this tells all auto thieves that they should probably use the Flipper Zero… so lovely job. I think the obvious answer here is that vehicles need better security.

Chinese malware removed from SOHO routers after FBI issues covert commands
End-of-life Cisco and Netgear routers were infected with KV Botnet malware - nothing special. But, a bit more interestingly, the FBI received authority for “a seizure of target devices” from a federal judge. This enabled the FBI to issue a command to each device and stop it from running the KV Botnet VPN process.

👋 Not so sure how I feel about this. This isn’t the first time, and I’ve read many reports of other countries performing similar acts, but are there any checks and balances after the judge’s approval? I have lots of questions!

Software Supply Chain Security

OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security
OpenSSF has released v0.1 of its framework for package repositories to assess their security capabilities. Titled Principles for Package Repository Security, the framework breaks things down into four levels of security maturity:

  • Level 0 is defined as having very little security maturity.

  • Level 1 is defined as having basic security maturity, which includes supporting basic security features like multi-factor authentication (MFA) and allowing security researchers to report vulnerabilities. All package management ecosystems should be working towards at least this level.

  • Level 2 is defined as having moderate security, which includes actions like requiring MFA for critical packages and warning users of known security vulnerabilities.

  • Level 3 is defined as having advanced security, which includes actions like requiring MFA for all maintainers and supporting build provenance for packages. This level is more aspirational, especially for smaller package management ecosystems.

👋 This is a step in the right direction. I think there’s a lot of room for improvement in regards to how public package repositories secure

FOSDEM 2024: Software Bill of Materials devroom
👋 Twenty-one talks related to SBOMs! I will need to give these a listen. At first glance, I’m shocked to see so much talk on SPDX formatting. In my experience, CycloneDX has been the clear winner. Perhaps I’ll watch each of these and share my notes 🙂.

Cloudsmith Navigator: The Trusted Guide to OSS Package Quality
Designed to help software engineers select better-quality packages, Navigator evaluates the top 40,000 open-source packages across npm, PyPI, RubyGems, and Maven. A quality score is assigned based on the following:

  • Package Quality: If a package has no open CVEs, good test coverage, current dependencies, and is widely used in the open-source community, it’s likely to score highly on Navigator’s quality metric.

  • Maintenance: A package will score highly if it is regularly maintained by a wide pool of contributors, underpinned by a code of conduct.

  • Documentation: Packages score highly when they have a Readme, a documentation website, and a changelog.

👋 It’s interesting to see more of these platforms pop up. I’ve used deps.dev for similar information, but there is also trustypkg.dev and Socket.dev. I’m just now noticing these are all conveniently using the .dev TLD.

Deno: a new JavaScript package registry (JSR)
Marius Vatasoiu shares a simplified list of what he’s managed to learn about JSR. In my opinion, the most important note is that both npm and node schemas are supported. You can join the waitlist for JSR here.

👋 I don’t really see what the need for this is; but hey, maybe if there was more competition in the public package repository space we’d start seeing some innovation. However, this would certainly cause some massive headaches.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle