
CramHacks Chronicles #27: Weekly Cybersecurity Newsletter!

Ex-Google Software Engineer Charged, Secure Software Development Attestation Form, NVD vulnerability reviews on pause

🥳 Happy Monday! 🥳

I had a blast chatting with Hemil Kadakia and Mike Vizard on Monday about securing open source. Click the link below for access to the free recording!

Loco Moco Security Conference: Kaua’i, Hawai’i
👋 This is my first time hearing about Loco Moco, but it seems incredible. Not only is it in freaking 🏖️ Kaua’i, Hawai’i, but the quality of attendees is going to be 🔥 based on what I’m seeing via social media.

What’s better than attending a conference in Kaua’i? Speaking at one! The CFP is open until March 31st, 2024.

Kaua’i is my favorite island, and I would be there in a heartbeat if I could. Unfortunately, I have a conflict this year 😭.

Application Security

Writeup: Exploiting TruffleHog v3 - Bending a Security Tool to Steal Secrets
Helena Rosenzweig, a Security Researcher at Omegapoint, disclosed a security concern with how TruffleHog verifies the secrets it detects. The issue is that TruffleHog crowdsources many of its detectors, and those detectors are enabled by default.

When a detector finds a potential secret, it sends the secret to that detector's validator endpoint. Many of these detectors have a high false-positive rate, so, intentionally or not, they can match other services' secrets and send them to their own validator, which can just as easily be a malicious host intended to steal secrets.
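To make the routing problem concrete, here is an added toy model of the detector/validator flow (not TruffleHog's code and not from the original post): two hypothetical detectors, a constructed sample file, and a host allowlist that a defender could apply before any candidate secret leaves the scanner. Detector names, verifier hosts and the sample secrets are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed toy model of the flow described above (not TruffleHog's code):
# each detector pairs a regex with the endpoint its validator posts candidates to.
DETECTORS = [
    {
        "name": "acme-token",              # hypothetical, well-scoped detector
        "pattern": r"acme_[A-Za-z0-9]{16}",
        "verify": "https://api.acme.example/verify",
    },
    {
        "name": "broad-token",             # hypothetical, over-broad community detector:
        "pattern": r"[A-Za-z0-9_]{20,}",   # matches any long token, including other
        "verify": "https://verify.untrusted.example/check",  # services' secrets
    },
]

# Hosts a defender has reviewed and is willing to send candidate secrets to.
ALLOWED_VERIFY_HOSTS = {"api.acme.example"}

# Constructed sample input: one secret in the acme format plus an unrelated one.
SAMPLE = "ACME_KEY=acme_abcdefghijklmnop\nOTHER_KEY=other_service_key_XYZ123456789\n"


def route_candidates(text, detectors=DETECTORS):
    """Return (detector, candidate, verifier host) for every match, i.e. where each
    candidate secret would be sent if verification ran unrestricted."""
    routes = []
    for det in detectors:
        host = urlparse(det["verify"]).hostname
        for match in re.finditer(det["pattern"], text):
            routes.append((det["name"], match.group(0), host))
    return routes


def gated_verify(text, send, detectors=DETECTORS, allowed_hosts=ALLOWED_VERIFY_HOSTS):
    """Hand a candidate to send(host, candidate) only when the verifier host is
    allowlisted; return the (detector, host) pairs that were blocked instead."""
    blocked = []
    for name, candidate, host in route_candidates(text, detectors):
        if host in allowed_hosts:
            send(host, candidate)
        else:
            blocked.append((name, host))
    return blocked


if __name__ == "__main__":
    for name, candidate, host in route_candidates(SAMPLE):
        print(f"{name:12} would send {candidate!r} to {host}")
    print("blocked:", gated_verify(SAMPLE, lambda host, c: print("verifying at", host)))
```

Running it shows the over-broad detector capturing the acme secret as well as the unrelated one and routing both to its own verifier; the allowlist lets only the acme candidate reach the reviewed host.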

👋 TruffleHog has released a blog post on this matter here.

GitHub Announces Default Secret Scanning Push Protection
Public repositories will now, by default, have every push analyzed for supported secret types (more than 200). If a secret is found, GitHub offers to remove it from the relevant commits before it becomes exposed.

Secure Software Development Attestation Form
“This self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before software subject to the requirements of M-22-18 and M-23-16 may be used by Federal agencies.”

Artificial Intelligence

Ex-Google Software Engineer Charged with Stealing AI Trade Secrets
The leaker, Linwei Ding, was secretly working with two China-based AI startups and now faces up to 10 years in prison.

👋 For me, the craziest part was that another Google employee was scanning Ding’s access badge at the office in the U.S. while Ding was actually in China.

Cognition: The world’s first AI software engineer - Devin
“Named Devin, the AI can write, debug and deploy code to create functioning websites and products. Its creators say that its coding performance far surpasses existing state-of-the-art LLMs like GPT-4 and Gemini.”

👋 “The AI Guy” 🤔 A.K.A Zain Kahn highlights that Devin resolved almost 14% of GitHub issues in real-world open-source projects. The demo is worth a watch.

Elon Musk: This week, @xAI will open source Grok
👋 I am enjoying the Elon Musk vs OpenAI shenanigans 🤣.

Breaches

CISA forced to take two systems offline last month after Ivanti compromise
👋 I give my personal approval for you, CISA, to use my tax money to patch your shiz!

Russia’s Midnight Blizzard Accesses Microsoft Source Code
In January 2024, Microsoft disclosed a security incident affecting its corporate email system; more info is here. Now, Microsoft has observed the same threat actor leveraging information exfiltrated in that prior breach to gain unauthorized access to the company's source code repositories and internal systems.

“To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Miscellaneous

NIST Releases Version 2.0 of Landmark Cybersecurity Framework
The updated core guidance and new resources are designed to assist a broader range of organizations in enhancing their cybersecurity measures, focusing on improving governance and securing supply chains.

Software Supply Chain Security

What happens when NIST’s NVD stops analyzing vulnerabilities
About a month ago, NIST's NVD (National Vulnerability Database) began showing visitors a banner stating that NIST is revamping its tooling and methods and that vulnerability analysis may be delayed.

Jay Jacobs of Cyentia Institute shared some insightful data that shows just how large the delay has become. As you might imagine, this is incredibly concerning, given how many security products rely on NVD's data to notify customers of vulnerabilities. Although it is nominally a U.S. national vulnerability database, NVD is the most widely used one globally.

CISA Announces New Efforts to Help Secure Open Source Ecosystem
Last week, there was a two-day Open Source Software (OSS) Security Summit convening OSS community leaders. CISA has seemingly lit a fire by advocating for many of OpenSSF’s mission objectives.

CISA is working closely with package repositories to foster the adoption of the Principles for Package Repository Security, developed by CISA and the Open Source Security Foundation's (OpenSSF) Securing Software Repositories Working Group.

The summit also held a tabletop exercise, and CISA will publish details to share lessons learned regarding improving vulnerability and incident response capabilities.

👋 This is huge! I particularly enjoyed reading the keynote details by CISA Director Jen Easterly, which discussed a recent Harvard study that estimates open source software has generated over eight trillion dollars. 🤑 

VulnCheck KEV (Known Exploited Vulnerabilities)
It's the KEV catalog on steroids 🔥, with more than 1,980 known exploited vulnerabilities, 8,500 publicly cited reference links, and 3,500 exploit proof-of-concept references. That is almost twice as many known exploited vulnerabilities as CISA's KEV Catalog.

Data is accessible via the VulnCheck KEV dashboard, machine-readable JSON, and the VulnCheck KEV API endpoint.

📚️ What I’m Reading 📚️ 

Zero: The Biography of a Dangerous Idea by Charles Seife
I am amazed by this book - I’m now roughly halfway through. We all know that religion/church has a massive impact on society, for better or worse. But I had no idea how big of a role religion played in terms of mathematics and numbers.

👋 I wish I read this book when torturing myself with calculus. It gives so much meaning to the math we’re otherwise taught to pass a meaningless exam.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle