CramHacks Chronicles #62: Weekly Cybersecurity Newsletter!
From Repo Swatting to PyPI Attestations: Supply Chain Security, eBPF Research, and Tools to Mitigate Emerging Threats
Hello! I hope you’re having a great week!
As of two weeks ago, I am now unemployed. Since then, I’ve been conversing with startup founders and peers in the software supply chain security space, and it’s been an absolute blast. There have been so many innovative ideas and inspiring collaborations.
During one of these discussions, someone referred to me as a “gentleman scientist,” and honestly, I couldn’t be prouder. That’s exactly what I’ve always aspired to be. While some might see me as having business acumen, the truth is, I’d rather the bills pay themselves while I focus on meaningful projects.
Repo Swatting Attack Demo - Disclosed at Melbourne BSides 2024
SourceCodeRED Founder Paul McCarty has revealed a new attack vector called "Repo Swatting," in which malicious actors abuse features on platforms like GitHub to upload disallowed files through issues; those files then persist on the platform's CDN. The actor then reports ("swats") the project maintainer for hosting the disallowed content.
👋 Not long ago, on GitHub, you could upload files to a project’s associated CDN without even being signed in. Pretty wild!
CVE-2024-10524 Wget Zero Day Vulnerability
JFrog’s Goni Golan reports a vulnerability introduced by the deprecated handling of shorthand URL formats. This is unlikely to be exploited, but I wanted to share it because risks introduced via code that shouldn’t exist make me sad.
PyPI now supports digital attestations
Package maintainers may now publish signed attestations that link packages to their source repositories (I know, it’s concerning that this wasn’t already a thing). This latest milestone finalizes PyPI’s support for PEP 740 (Index support for digital attestations).
👋 This is relatively significant; I’d encourage you to read further if interested. Trail of Bits, who led a substantial amount of this effort, also shared documentation. Notably, not everyone is happy about this; see Reddit post: PyPI now has attestation. Thanks I hate it.
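To make concrete what "linking a package to its source repository" buys a downstream consumer, here is an added example (mine, not code from PyPI, Trail of Bits or the pypi-attestations project) that models the checks a client runs on a PEP 740 attestation before trusting a downloaded distribution. The envelope layout (version, verification_material, envelope with a base64 in-toto statement) and the publish predicate URL follow PEP 740 and the PyPI docs as I read them, but treat the exact field names as assumptions. The sdist bytes, repository URL and signing key are constructed, and the Sigstore signature verification a real client performs is modelled with an HMAC so the example runs offline.

```python
"""Offline model of PEP 740 attestation verification (added example, not PyPI's code)."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"  # assumed exact string

# Constructed stand-in for the Sigstore signing key. A real attestation carries a
# short-lived certificate plus a transparency-log entry instead of a shared secret.
SIGNING_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(filename: str, dist: bytes) -> dict:
    """In-toto statement binding one distribution file to the publish predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": filename, "digest": {"sha256": sha256_hex(dist)}}],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,  # the publish attestation carries no extra predicate body
    }


def _canonical(statement: dict) -> bytes:
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign(statement: dict, repository: str, workflow: str) -> dict:
    """Produce a PEP 740-shaped attestation object (signature modelled with HMAC)."""
    payload = _canonical(statement)
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return {
        "version": 1,
        "verification_material": {
            # Stand-in for the identity a real verifier reads from the Sigstore
            # certificate: the Trusted Publisher's repository and workflow.
            "certificate": {"repository": repository, "workflow": workflow},
            "transparency_entries": [],
        },
        "envelope": {
            "statement": base64.b64encode(payload).decode(),
            "signature": base64.b64encode(sig).decode(),
        },
    }


def verify(attestation: dict, filename: str, dist: bytes, expected_repo: str):
    """Return (ok, reason). Each check fails closed, as a real client's would."""
    if attestation.get("version") != 1:
        return False, "unsupported attestation version"
    try:
        env = attestation["envelope"]
        payload = base64.b64decode(env["statement"], validate=True)
        sig = base64.b64decode(env["signature"], validate=True)
    except (KeyError, ValueError):
        return False, "malformed envelope"
    # 1. Signature over the exact statement bytes (Sigstore in reality).
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature does not verify"
    # 2. The signed identity must be the repository we expect the package to come from.
    cert = attestation["verification_material"]["certificate"]
    if cert.get("repository") != expected_repo:
        return False, f"publisher identity {cert.get('repository')!r} != {expected_repo!r}"
    # 3. Statement shape and predicate type.
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PUBLISH_PREDICATE:
        return False, "unexpected statement or predicate type"
    # 4. The subject must name this file, and its digest must match the bytes on disk.
    subjects = {s["name"]: s["digest"]["sha256"] for s in stmt.get("subject", [])}
    if subjects.get(filename) != sha256_hex(dist):
        return False, "subject digest does not match the downloaded distribution"
    return True, "ok"


# Constructed sample: an sdist's bytes and the repository we expect it to come from.
SDIST_NAME = "example_pkg-1.0.0.tar.gz"
SDIST_BYTES = b"constructed sdist contents"
EXPECTED_REPO = "https://github.com/example-org/example-pkg"


def demo() -> dict:
    att = sign(build_statement(SDIST_NAME, SDIST_BYTES), EXPECTED_REPO, ".github/workflows/release.yml")
    # Forgery attempt: rewrite the subject digest to match tampered bytes without re-signing.
    forged = json.loads(json.dumps(att))
    stmt = json.loads(base64.b64decode(forged["envelope"]["statement"]))
    stmt["subject"][0]["digest"]["sha256"] = sha256_hex(SDIST_BYTES + b"x")
    forged["envelope"]["statement"] = base64.b64encode(_canonical(stmt)).decode()
    return {
        "genuine": verify(att, SDIST_NAME, SDIST_BYTES, EXPECTED_REPO),
        "tampered_file": verify(att, SDIST_NAME, SDIST_BYTES + b"x", EXPECTED_REPO),
        "wrong_repo": verify(att, SDIST_NAME, SDIST_BYTES, "https://github.com/someone-else/example-pkg"),
        "forged_subject": verify(forged, SDIST_NAME, SDIST_BYTES + b"x", EXPECTED_REPO),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:15} {'PASS' if ok else 'FAIL'}: {why}")
```

The point worth noticing is check 2: a valid signature over a valid digest is not enough. Without pinning the publisher identity to the repository you expect, any party able to obtain a signed attestation could satisfy checks 1, 3 and 4 for a package they control.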
GitHub Secure Open Source Fund
The launch consists of $1.25M to be invested across 125 projects ($10K/ea), backed by Alfred P. Sloan Foundation, American Express, Chainguard, HeroDevs, Kraken, Mayfield Fund, Microsoft, 1Password, Shopify, Stripe, Superbloom, Vercel, Zerodha, and others. Applications are open on a rolling basis and close on January 7th.
👋 Click here for details on eligibility and benefits.
Container Security: am-i-isolated
Edera has open-sourced Am I Isolated, a security posture benchmarking tool that simulates a given runtime environment, identifies potential security risks, and offers recommendations for addressing them.
NVIDIA-AI-Blueprints/vulnerability-analysis
Rapidly identify and mitigate container security vulnerabilities with generative AI. You can get a sense of how it works here.
👋 I covered NVIDIA’s Blueprints launch a few weeks back, but I don’t believe this was on GitHub then.
Latio Tech: Comparing Static and Runtime Reachability
James Berthoty details the pros and cons of static and runtime reachability while noting the types of reachability vendors currently offer.
👋 James highlights, “The main functionality difference among reachability vendors is if it extends to the function level.” And I’d agree, but there’s no great way of evaluating which vendors are doing this best, as there’s no scaled solution for validating whether the vendor has identified the correct affected functions.
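To show what "extends to the function level" means in practice, and where static reachability falls short, here is an added example of my own (not code from Latio Tech or any vendor): a small static analyser over Python source that distinguishes package-level reachability (the vulnerable package is imported at all) from function-level reachability (a call path from the entry point actually reaches the vulnerable function). The three application snippets and the package `yaml_lib` with its function `unsafe_load` are constructed stand-ins, not a real package or a real vulnerability; the third snippet uses dynamic dispatch to show a path this static approach cannot see, which is the kind of gap runtime reachability exists to cover.

```python
"""Package-level vs function-level static reachability over Python source (added example)."""
import ast
from collections import deque
from typing import Optional


def _qualname(node: ast.AST, aliases: dict) -> Optional[str]:
    """Resolve a call target to 'module.attr' (for imports) or a bare local name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. the result of another call; not resolvable statically
    root = aliases.get(node.id, node.id)
    return ".".join([root, *reversed(parts)])


class Module:
    """Top-level functions, import aliases and module-level code of one source file."""

    def __init__(self, source: str):
        tree = ast.parse(source)
        self.aliases = {}    # local name -> fully qualified imported name
        self.functions = {}  # function name -> AST node
        module_body = []
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    key = a.asname or a.name.split(".")[0]
                    self.aliases[key] = a.name if a.asname else key
            elif isinstance(node, ast.ImportFrom):
                for a in node.names:
                    self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
            elif isinstance(node, ast.FunctionDef):
                self.functions[node.name] = node
            else:
                module_body.append(node)
        # Module-level statements act as the entry point (they call main(), etc.).
        self.functions["<module>"] = ast.Module(body=module_body, type_ignores=[])

    def calls(self, name: str) -> list:
        """Resolved call targets made directly inside function `name`."""
        targets = []
        for n in ast.walk(self.functions[name]):
            if isinstance(n, ast.Call):
                q = _qualname(n.func, self.aliases)
                if q:
                    targets.append(q)
        return targets

    def imported_packages(self) -> set:
        return {v.split(".")[0] for v in self.aliases.values()}


def find_path(mod: Module, vulnerable: str, entry: str = "<module>") -> Optional[list]:
    """BFS over the local call graph; returns the call chain reaching `vulnerable`, or None."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        for target in mod.calls(path[-1]):
            if target == vulnerable:
                return path + [target]
            if target in mod.functions and target not in seen:
                seen.add(target)
                queue.append(path + [target])
    return None


def assess(source: str, vulnerable: str) -> dict:
    mod = Module(source)
    return {
        "package_reachable": vulnerable.split(".")[0] in mod.imported_packages(),
        "function_path": find_path(mod, vulnerable),
    }


# Constructed: the "vulnerable" function a scanner has flagged in a dependency.
VULNERABLE = "yaml_lib.unsafe_load"

APP_USES_SAFE_API = '''
import yaml_lib
def load_config(text):
    return yaml_lib.safe_load(text)
def main():
    print(load_config("a: 1"))
if __name__ == "__main__":
    main()
'''

APP_USES_VULN_API = '''
from yaml_lib import unsafe_load as ul
def parse(text):
    return ul(text)
def load_config(text):
    return parse(text)
def main():
    load_config("a: 1")
main()
'''

# Dynamic dispatch: the call exists at runtime but no static name points at it.
APP_DYNAMIC_DISPATCH = '''
import yaml_lib
def main(text):
    loader = getattr(yaml_lib, "unsafe_" + "load")
    return loader(text)
main("a: 1")
'''

if __name__ == "__main__":
    for label, src in [("safe api", APP_USES_SAFE_API), ("vuln api", APP_USES_VULN_API),
                       ("dynamic", APP_DYNAMIC_DISPATCH)]:
        print(label, assess(src, VULNERABLE))
```

Package-level reachability flags all three applications, because each imports `yaml_lib`; only the second actually reaches `unsafe_load` on a static call path. The third is the caveat: a static analyser reports it as unreachable, which is the kind of false negative that makes validating a vendor's function-level claims hard without a runtime signal.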
Threat Model and Independent Verifier Audit Examine the Security of eBPF
Two research reports sponsored by the eBPF Foundation examine eBPF's security and provide deployment guidance. The eBPF Security Threat Model was created by ControlPlane, and the eBPF Verifier Code Audit was conducted by NCC Group, offering insights into inherent controls and actionable recommendations.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.