CramHacks Chronicles #56: Weekly Cybersecurity Newsletter!

The State of Open Source in Financial Services, the future of Python packaging, NVIDIA NIM Agent Blueprints, fuzzing, and more!

Hello! I hope you’re having a great week 🙂.

Before I begin, I’d like to say thank you. CramHacks now has thousands of weekly readers, which is mindblowing. But numbers aside, you all are awesome.

I’ve had the pleasure of meeting many of you via email, LinkedIn, happy hours, conferences, etc., and each person I’ve met has had great energy and a clear passion for cybersecurity.

If we haven’t yet met, I’d love to chat! Heck, I’ll even buy you coffee. To get in touch, reply directly to this email or reach out on LinkedIn.

I’ve been hearing a lot about uv lately. Python environments are a bit notorious in my mind; so many tools essentially doing the same thing, with some having slightly better features for different use cases.

But what if we just had one super well-built package/project manager? This may be the answer. Here are some highlights of uv from the project’s readme:

A single tool to replace pip, pip-tools, pipx, poetry, pyenv, virtualenv, and more.

  • Supports macOS, Linux, and Windows

  • Provides comprehensive project management with a universal lockfile

  • Runs and installs Python applications

  • Installs and manages Python versions

  • 10-100x faster than pip

NVIDIA and Global Partners Launch NIM Agent Blueprints for Enterprises to Make Their Own AI
In August, NVIDIA launched Agent Blueprints, a catalog of customizable workflows to provide a jump-start for developers creating AI applications. The catalog currently includes:

Blueprints are intended for enterprises to modify and use their business data, and they can continuously be refined based on user feedback.

The 2024 State of Open Source in Financial Services
The fourth edition! It's packed full of interesting insights. Spoiler: most respondents are only somewhat or not at all confident in their ability to manage and control the usage of open source software.

👋 If regulators and auditors ever learn to assess DevOps effectively, … well, we don’t have to think about that for a while. Kudos to those who have things under control 👏.

Fuzzing confused dependencies with Depfuzzer
A fresh look at dependency confusion attacks by Pierre Martin & Kévin Schouteeten, introducing the open source tool DepFuzzer, which assesses your application’s dependencies and reports those potentially susceptible.

👋 It seems like I’m talking about dependency confusion attacks every week—it’s honestly ridiculous. The tool has been made available on GitHub here. Check out Jit’s blog, A Step-by-step Guide to Preventing Dependency Confusion Attacks, for how to remediate this risk.
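As an added example (not DepFuzzer's code and not from the article), here is a small Python check in the spirit of the assessment such a tool performs: it parses a requirements file, notes whether the public index would still be consulted (the `--extra-index-url` pattern), and reports private package names that are either unclaimed on the public index or already shadowed by a public package of the same name. The package names, index URL and the offline stand-in for the public index are all constructed.

```python
"""Flag Python requirements exposed to dependency confusion (added example)."""
import re

# Constructed requirements.txt: a private index is added as an *extra*
# index, so pip still consults public PyPI for every name below.
REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.32.3
acme-billing-core==1.4.0   # internal, published only to the private index
acme-auth-sdk>=2.0         # internal, but a public package uses this name
numpy==2.1.1
"""
# Constructed: names your organization publishes only internally.
PRIVATE_PACKAGES = {"acme-billing-core", "acme-auth-sdk"}
# Constructed, offline stand-in for "does this name exist on public PyPI?"
PUBLIC_INDEX = {"requests", "numpy", "Acme_Auth.SDK"}


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Split a requirements file into pip option lines and normalized names."""
    options, names = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):
            options.append(line)
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return options, names


def public_index_consulted(options):
    """True when pip would also query public PyPI (the confusion precondition)."""
    has_index = any(o.startswith("--index-url") for o in options)
    has_extra = any(o.startswith("--extra-index-url") for o in options)
    return has_extra or not has_index


def assess(text, private, public):
    """Map each at-risk private name to 'unclaimed' or 'shadowed'."""
    options, names = parse_requirements(text)
    private_n = {normalize(p) for p in private}
    public_n = {normalize(p) for p in public}
    findings = {}
    if not public_index_consulted(options):
        return findings  # only the private index is used; nothing to confuse
    for name in names:
        if name in private_n:
            findings[name] = "shadowed" if name in public_n else "unclaimed"
    return findings
```

Remediation here is the one the Jit guide describes: use `--index-url` (a single index that proxies public packages) rather than `--extra-index-url`, and register your private names upstream.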

Azure Storage Account Reverse Shell
A GitHub Action that sends a reverse shell from a GitHub runner to any device with internet and Python, using Azure Storage Account as a broker to bypass firewall rules on self-hosted runners.

👋 Software supply chain attacks are scarily simple right now. Red teamers are having a field day, and things will only worsen as more tools are available.

What happens to “.io” TLD after UK gives back the Chagos Islands?
Some speculate the TLD .io will soon be retired, given the British government’s announcement that they will relinquish control of the Chagos Islands (British Indian Ocean Territory) to Mauritius. The TLD .io is, technically, the official country-code TLD of the British Indian Ocean Territory.

👋 I’m pretty confident IANA isn’t going to retire the .io TLD, but the history of ccTLDs is quite interesting!

Qualcomm urges device makers to push patches after ‘targeted’ exploitation
The vulnerability, CVE-2024-43047, has been added to CISA’s KEV catalog, and Google’s Threat Analysis Group disclosed that the CVE may be under limited, targeted exploitation. The vulnerability is known to affect Snapdragon 660 and newer models, Qualcomm’s 5G modems, and FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kit.

Protecting America from Vehicle Technology from Countries of Concern
The US announces plans to prohibit selling or importing connected vehicles using certain technologies or components from countries of concern (China & Russia). If finalized, software bans will start in Model Year 2027, and the hardware bans will begin in Model Year 2030 — or on January 1, 2029, for units lacking a model year.

Google: Effective Fuzzing: A Dav1d Case Study
Google’s Nick Galloway breaks down the discovery of an integer overflow in the dav1d AV1 video decoder (CVE-2024-1580) and, more specifically, why the oss-fuzz test harness did not catch it.

👋 Who would’ve thought oss-fuzz wasn’t a silver bullet? Nonetheless, it’s great to learn about a few gaps, e.g., oss-fuzz doesn’t support ARM and has a memory limit of 2.5GB.

Podcasts

Open Source Security Podcast
I’m honestly not a big podcast person, but this is my go-to when I dabble. Josh Bressers and Kurt Seifried have been around the block and know their stuff.

The Open at Intel podcast
Each episode explores open source, covering areas from software to security to AI, guided by conversations with leading experts.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.