
CramHacks Chronicles #28: Weekly Cybersecurity Newsletter!

Manager admits to SIM Swapping, GitGuarding State of Secrets, Comparing Dependabot/Semgrep/Snyk

🥳 Happy Monday! 🥳

I’m currently working towards gaining a better understanding of public package repositories. Publishing a package on each seemed like the easiest way to start!

So far, I’ve done Composer (PHP), NPM (Node), and PyPI (Python). In terms of ease of publication (easiest → hardest), Composer has been the easiest, followed by Node and then Python. Of course, the security-vs-convenience trade-off has shown up, because the reverse order would be my security ranking, solely from a package maintainer’s perspective.


Loco Moco Security Conference: Kaua’i, Hawai’i
👋 This is my first time hearing about Loco Moco, but it seems incredible. Not only is it in freaking 🏖️ Kaua’i, Hawai’i, but the quality of attendees is going to be 🔥 based on what I’m seeing via social media.

What’s better than attending a conference in Kaua’i? Speaking at one! The CFP is open until March 31st, 2024.

Kaua’i is my favorite island, and I would be there in a heartbeat if I could. Unfortunately, I have a conflict this year 😭.

Application Security

Highlight

GitGuardian: The State of Secrets Sprawl 2024
This is easily the best report on leaked secrets I’ve seen to date. In 2023, GitGuardian determined that:

  • >1 in every 10 commit authors will likely have leaked a secret

  • Almost 13 Million total secrets detected (~3.7 Million unique)

  • More than 90% of the secrets remain valid 5 days after being leaked

“49% of breaches by external actors involved Use of stolen credentials”
Verizon’s 2023 Data Breach Investigations Report

👋 The full report is available here, and I strongly recommend giving it a read. It is unfathomable to me to see that leaked secrets are a growing issue in 2024.

I’ll never forget the days of using exposed secrets found in public Replit projects and posting stupid things on Twitter - while I should’ve been studying physics.

Trail of Bits: Read code like a pro with our weAudit VSCode extension
Filipe Casal announces the release of a VSCode extension that assists code reviews by offering features such as bookmarks, tracking of audited files, collaboration, and creating GitHub issues. Available via the VSCode Marketplace and GitHub.

TypeScript: Integrating Branded and Tainted Types
Allan Reyes shares a real-world application for branded and tainted types and then uses Semgrep to detect and enforce their usage.

I like how Allan phrased it here regarding his simple example, where a validator was embedded into the Brand: “These mean that developers don’t have to think, ‘Gee, do I have to validate this?’ They can totally evict that from their brains. The type will exist only if it’s already validated.”

👋 Secure-by-default, guardrails, whatever you want to call it… Do this. Part 2, Tainted Types, can be found here. Additionally, as referenced in the blog post, this thread by Matt Pocock is 🔥.
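An added example of the pattern described above (my code, not from Allan Reyes’ post or its Semgrep rules): a brand whose only constructor is the validator, plus a tainted wrapper so raw input cannot reach a sink unvalidated. The email regex and the `sendWelcome` sink are assumed stand-ins.

```typescript
// Brand<T, Name> is plain T at runtime but a distinct nominal type to the compiler.
type Brand<T, Name extends string> = T & { readonly __brand: Name };

// Anything off the wire starts Tainted; only a validator can replace that brand.
type Tainted<T> = Brand<T, "Tainted">;
type Email = Brand<string, "Email">;

function taint<T>(value: T): Tainted<T> {
  return value as Tainted<T>;
}

// Assumed validator; the only place an Email value can ever be produced.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function asEmail(input: Tainted<string>): Email | null {
  const s: string = input; // drop to the base type before re-branding
  return EMAIL_RE.test(s) ? (s as Email) : null;
}

// A sink that accepts only validated data. A bare string or a Tainted<string>
// here is a compile-time error, so "did I validate this?" never comes up.
function sendWelcome(to: Email): string {
  return `welcome mail queued for ${to}`;
}

// Simulated handler over a constructed request body, not real traffic.
function handleSignup(body: { email: string }): string {
  const raw = taint(body.email);   // untrusted until proven otherwise
  const email = asEmail(raw);      // the Email brand exists only after validation
  if (email === null) return "rejected: invalid email";
  return sendWelcome(email);
  // sendWelcome(raw); // does not compile: Tainted<string> is not Email
}
```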

ReverserAI (OSS): Automate reverse engineering tasks
Tim Blazytko shares ReverserAI, a Binary Ninja plugin designed to automate and enhance reverse engineering tasks. The special sauce is that this project leverages locally hosted large language models (LLMs), operating entirely offline.

Artificial Intelligence

NVIDIA Blackwell Platform Arrives to Power a New Era of Computing
NVIDIA announces Blackwell technologies, which enable efficient real-time operation of models up to 10 trillion parameters, reducing cost and energy consumption by up to 25x.

Salt Security’s Aviad Carmel

Department of Homeland Security Unveils Artificial Intelligence Roadmap
DHS is initiating three pilot projects to responsibly harness AI for Homeland Security missions, ensuring privacy and civil rights, enhancing national AI safety and security, and fostering leadership through strategic partnerships.

Apple Is in Talks to Let Google Gemini Power iPhone AI Features
Bloomberg reports that Apple is actively negotiating with Google to license Gemini for new features coming to iPhone software in 2024. Apple and OpenAI are also in ongoing discussions.

Miscellaneous

Former Telecommunications Company Manager Admits Role in SIM Swapping Scheme
Jonathan Katz, aka “Luna,” 42, of Marlton, New Jersey, pleaded guilty to conspiracy to gain unauthorized access to a protected computer. Katz was the manager at a telecommunications store and abused his credentials to swap SIM numbers, enabling individuals to control other customers’ phones and access their electronic accounts. Katz was paid in Bitcoin.

👋 His Bitcoin account received a total of $5,000; meanwhile, his offense “carries a statutory maximum of five years in prison and a fine of not more than $250,000 or twice the pecuniary gain to the defendant or twice the gross loss involved, whichever is greater.” Was it worth it? 🤔 

Repository for Software Attestation and Artifacts Now Live
“Software producers who partner with the federal government can now upload their Secure Software Development Attestation Forms to CISA’s Repository for Software Attestation and Artifacts.”

Massive ‘Apex Legends’ Hack Disrupts NA Finals, Raises Serious Security Concerns
👋 There’s a lot of speculation going on, so I will add to it. My guess is that the player unknowingly installed a trojan/malware.

Software Supply Chain Security

Highlight

Doyensec: Supply Chain Benchmark Leading Tool Comparison
Luca Carettoni & Anthony Trummer share a comparative study, which included GitHub’s Dependabot, Semgrep Supply Chain, and Snyk SCA. The research aimed to evaluate SCA tools’ ability to reduce false positive rates on real-world code.

  • Dependabot: 1353 minutes to validate the positive findings, with 12% being valid

  • Semgrep: 148 minutes to validate the positive findings, with 83% being valid

  • Snyk: 1046 minutes to validate the positive findings, with 9% being valid

As someone who works on the Semgrep Supply Chain product, I was pleased, albeit not surprised, by the results. I’m very proud of our reachability analysis capabilities and the researcher team’s efforts in reviewing thousands of security advisories, patches, and example usages to write quality Semgrep rules.

An open letter to Congress to support NIST and the NVD
Following the NIST slowdown and lack of vulnerability data enrichment, Dan Lorenc, Chainguard Founder & CEO, has organized a crowdsourced draft letter to Congress. This letter aims to emphasize the criticality of the NVD and the potential implications which may result from a lack of support or funding.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle