- CramHacks
- Posts
- CramHacks Chronicles #54: Weekly Cybersecurity Newsletter!
CramHacks Chronicles #54: Weekly Cybersecurity Newsletter!
Feds Prioritize Open-Source Software Security Initiatives
I’m on my way to San Francisco for the OWASP 2024 Global AppSec Conference! If you’re around, come hang out at the Semgrep booth or our co-hosted/sponsored events:
Security Speakeasy (7 PM Wednesday, September 25th, 2024)
PBC Connect (5:30 PM Thursday, September 26th, 2024)
TDIL: How to spell San Francisco and that the name Cisco was derived from the city name. 🤯
Cryptography investigator ZachXBT traced $230M that was scammed. The video includes live audio and screen sharing (Zach mentions he has 1.5+ hours of footage), which has triggered haunting memories of my old RuneScape clan getting a big P.K.
Kaspersky Exits U.S., Automatically Replaces Software With UltraAV, Raising Concerns
👋 With plans to leave the U.S. market next month (due to being banned and labeled as a national security risk), Kaspersky has swapped out their endpoint installation with UltraAV via a software update. User data, such as billing information and subscriber account credentials, were also transferred to UltraAV (Nexway). 👎️ 🙅♂️
Fake recruiter coding tests target devs with malicious Python packages
ReversingLabs engineer Karlo Zanki details an attack vector that leverages malware embedded in a compiled Python file, AKA a PYC file. The attackers, reportedly linked to the North Korean hacking team Lazarus Group, pose as financial services firms recruiting developers, assigning candidates a task that involves running the malicious Python code.
CISA boss: Makers of insecure software are enablers of the real villains
Jen Easterly, the head of CISA, continues to preach that technology vendors should be held more accountable for poor-quality software. Jen argues that “software vulnerability” is too lenient of a term and that “product defect” is more accurate.
👋 I’m unsure how I feel about some of this; it seems harsh, but some vendors need this message 👀. However, I am sure that if anyone told me face-to-face that I should consider whether a vendor signed the Secure by Design Pledge before purchasing, I would laugh.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
As presented at Black Hat, Tenable Researcher Liv Matan details how the team leveraged a dependency confusion attack targeting GCP services that could have allowed a malicious attacker to run code on potentially millions of servers.
👋 Dependency confusion attacks are ridiculous. This blog from 2021 partly sparked my interest in software supply chain security, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies.
gaining access to anyone’s browser without them even visiting a website
“A developer and (un)professional pentester,” xyzeva details how she discovered a vulnerability with Arc’s usage of Firestore. The vulnerability, CVE-2024-45489, allowed members to abuse “Arc boosts” to execute arbitrary JavaScript on any website a user visited.
👋 It's not a great look for “The Browser Company,” but kudos for the prompt remediation. According to their incident report, no users were affected.
Feds Prioritize Open-Source Software Security Initiatives
A concise article on initiatives led by a White House working group to enhance the security of open-source software within U.S. government operations.
👋 “Our goal isn’t to control or regulate open-source software, but rather show up as a community member and contribute where we can with government’s resources.”
- CISA Senior Technical Advisor, Jack Cable
Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them
Google Software Engineer Erik Varga details some techniques for quickly identifying non-actionable findings in third-party security scanners, which happens far too often.
👋 While the blog focuses on OS software packages, my experience with software dependencies is much the same. For example, SemVer specifications suggest that appending -alpha
, -beta
, etc., to a version implies that it is earlier than the numerical specification. Therefore, when you patch a dependency vulnerability with a version 1.0.0-patched
, SCA tools will assume that it is <= 1.0.0
, and therefore vulnerable 🙃.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.