
CramHacks Chronicles #25: Weekly Cybersecurity Newsletter!

Measuring security debt, Google is 'absurdly woke', Wyze home security customers seeing wrong footage, and more!

🥳 Happy Monday! 🥳

Come listen to me talk about “Tackling Vulnerabilities in Third-Party Packages” tomorrow (Thursday), February 29th, 2024, at 6 PM Pacific Time! Thank you, Cloud Security Alliance’s San Francisco Chapter, for having me. More Details

🧠 Are you interested in my existential crises?

Check out my latest blog post about my first year in application security and my desperate goal to be a perpetual learner.

Application Security

Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024
One of the better “State of Software Security” reports I’ve read recently. The main topics are Measuring and Monitoring Security Debt and Securing the Software Supply Chain. Ungated Copy Here

The report suggests that most (65.4%) of critical security vulnerabilities that have not been remediated within a year are introduced by third-party packages. Most people would think it’s harder to remediate vulnerabilities in third-party packages, but I believe fewer people care about third-party package vulnerabilities. I suspect this is changing.

👋 Interestingly, many of the talking points in this report are about software supply chain security. It’s wild to me how much publicity the supply chain has gotten these last two years, and it seems to be growing!

Artificial Intelligence

Python Risk Identification Tool for generative AI (PyRIT)
Microsoft has released PyRIT, an open-source automation framework that can proactively find risks in generative AI systems.

Specifically, the tool enables teams to assess their LLM endpoints against categories such as fabrication/ungrounded content (e.g., hallucination), misuse (e.g., bias) and prohibited content (e.g., harassment).

Google pauses ‘absurdly woke’ Gemini AI chatbot’s image tool after backlash over historically inaccurate pictures
Well, this is interesting. For years, we’ve seen people and businesses canceled left and right with varying degrees of justification. But now we’re seeing Google under fire for seemingly trying too hard.

Cloud Security

Wyze: About 13,000 home security customers were shown someone else’s home
Wyze has acknowledged a recent “security issue” where users looking at their app would see a video thumbnail for someone else’s feed. About 1,500 users clicked on these thumbnails and could view other people’s footage.

👋 This should probably be a bigger deal. A device you purchase to feel safer can also be used against you, whether by the provider, hackers, or random creeps abusing a bug.

CISA, NCSC-UK, and Partners Release Advisory on Russian SVR Actors Targeting Cloud Infrastructure
This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.

Health Hacks

👋 Have any recommended feeds for health hacking? Please let me know!

In other news, I’ve started running (again). I was a cross-country and track runner, for those who don’t know. But that was years of overexercising, not healthy.

Miscellaneous

FTC Slams Avast with $16.5 Million Fine for Selling Users’ Browsing Data
In January 2020, a joint investigation by Motherboard and PCMag revealed that the antivirus giant Avast was selling users’ internet browsing histories to over 100 third parties via its subsidiary, Jumpshot.

The FTC order bans Avast from selling browsing data for advertising purposes, costing them USD 16.5M in penalties.

👋 Only took four years 🤷‍♂️; I’m surprised they’re still in business. There have been very few successful consumer cybersecurity products; it’s a shame that the few who have succeeded seemingly have an agenda irrelevant to protecting their customers.

Apple’s iMessage Is Getting Post-Quantum Encryption
Apple’s post-quantum cryptographic protocol (PQ3) will be included in iMessage. Coming in iOS and iPadOS 17.4 and macOS 14.4.

👋 I’m no cryptographer, but from what I’ve read this puts iMessage ahead, in terms of encryption, of competitors such as Signal Messenger.

Software Supply Chain Security

Linux Kernel Achieves CVE Numbering Authority Status
“Almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed.”

👋 This is controversial. There’s an interesting thread on LWN.net where people share their concerns about the Kernel Security Team’s strong beliefs about when a CVE is warranted. With this change, we’ll see the number of new Linux Kernel CVEs slow down significantly.

Aqua Security: The Hidden Dangers Within Ubuntu’s Package Suggestion System
Have you ever tried to run a command in an Ubuntu terminal and received a message conveniently telling you that you don’t have it installed, with convenient instructions on how to get it? Well, that was probably the command-not-found package.

Security Researcher Ilay Goldman discusses how malicious actors can abuse this package to trick users into installing malicious packages and other relevant risks with the snap package management system.

👋 Ilay has now joined Meta as a Security Engineer; congrats!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle