
CramHacks Chronicles #48: Weekly Cybersecurity Newsletter!

Vegas, Cross Fork Object Reference, Apple's AI Prompts, EPSS, and NVD

🥳 Happy Monday! 🥳

I’m in Vegas! Those who know me know I’m a big-time partier (sarcasm), but I’ll make the most of it. So far, I’m having a great time hanging with folks, having casual drinks, and having lots of deep technical discussions 😍.

I’ll be at the Semgrep Black Hat booth. Stop by and check out my masterful sales pitch 😈.

This week’s newsletter will be short, given the above!

Did you miss the Semgrep rule writing workshop held by Tanya Janca and me? Well, you’re in luck! Our two-hour live stream recording is now available 🙂.

Newsletter

Anyone can Access Deleted and Private Repository Data on GitHub
Truffle Security details how data from deleted or private GitHub repositories can still be accessed through what they term "Cross Fork Object Reference" (CFOR) vulnerabilities. The exposure occurs because GitHub maintains all commits in a repository network, even after repositories are deleted or made private, meaning that any commit could potentially be accessed indefinitely if it’s part of a network that includes a public fork.

👋 This is pretty wild. Add this to the list of GitHub features people don’t understand, introducing loads of risk. I certainly didn’t know this.
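To make the mechanism concrete, here is an added example (not code from the newsletter or from Truffle Security's write-up): two local git repositories sharing one object store, the way forks in a GitHub network do, showing that a commit whose branch is deleted upstream stays readable by hash from the fork. It assumes git is installed; the repository names, branch name and secret value are constructed.

```shell
#!/bin/sh
# Added example, not from the newsletter: simulate a fork network with a
# shared object store. Assumes git is installed; names and the "secret" are
# constructed for the demonstration.
set -e

cfor_demo() {
  work=$(mktemp -d)
  cd "$work"
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

  # "upstream": the repository that will later delete its sensitive commit.
  git init -q upstream
  (cd upstream && echo "readme" > README && git add README && git commit -q -m "init")

  # "fork": cloned with --shared so it reads objects from upstream's store,
  # standing in for the single object store behind a GitHub fork network.
  git clone -q --shared upstream fork

  # Upstream commits a secret on a branch, notices, and deletes the branch.
  cd upstream
  git checkout -q -b hotfix
  echo "API_KEY=constructed-secret-value" > config.env
  git add config.env
  git commit -q -m "add config"
  secret_commit=$(git rev-parse HEAD)
  git checkout -q -
  git branch -q -D hotfix
  cd ..

  # The deleted branch no longer resolves upstream...
  if git -C upstream rev-parse --verify -q hotfix >/dev/null; then
    return 1
  fi
  # ...but the commit object is still present and readable by hash from the fork.
  git -C fork cat-file -e "$secret_commit" || return 1
  git -C fork show "$secret_commit:config.env" | grep -q "constructed-secret-value"
}

cfor_demo && echo "deleted commit still readable from fork: rotate the secret"
```

The defensive takeaway matches the write-up: a secret that ever reached a repository with a fork must be treated as exposed and rotated, because deleting the branch or the repository does not retract the commit.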

‘You are a helpful mail assistant,’ and other Apple Intelligence instructions
Apple's latest macOS 15.1 beta introduces pre-prompt instructions for AI features, which have been found stored locally in plaintext.

👋 It’s shocking to read some of these prompts. They’re pretty basic, but seeing things like “do not hallucinate” is quite funny.

KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack
The North Korea-based malicious actor leveraged a stolen identity and used AI tools to create a profile picture for that identity, which was used when joining video conference calls. KnowBe4’s EDR reported an attempt to load malware on the device sent to the new hire, and the response was effective!

👋 The scenario might initially seem embarrassing for KnowBe4, but this is a great example of why you must take alerts seriously. Most organizations have a very hard time investigating and catching malicious insiders.

A Visual Exploration of Exploits in the Wild: The Inaugural Study of EPSS Data and Performance
The Cyentia Institute's study evaluates the Exploit Prediction Scoring System (EPSS) and its effectiveness in predicting real-world exploits compared to other systems like CVSS and KEV.

NVD CVE Analysis Rate Report
👋 Neat dashboard that seems to highlight that NVD is continuing to fall behind on analyzing new CVEs. That said, the CVE Program is now strongly encouraging CNAs to include additional data, such as CWEs, in their CVE submissions.

Sovereign Tech Fund: Introducing the Fellowship for Maintainers
A fellowship pilot program planned for Q4 2024 aimed at financially supporting open source maintainers.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.