
CramHacks Chronicles #28: Weekly Cybersecurity Newsletter!

Manager admits to SIM Swapping, GitGuarding State of Secrets, Comparing Dependabot/Semgrep/Snyk

🥳 Happy Monday! 🥳

I’m currently working towards gaining a better understanding of public package repositories. Publishing a package on each seemed like the easiest way to start!

So far, I’ve done Composer (PHP), NPM (Node), and PyPI (Python). In terms of ease of publication (easiest → hardest), Composer has been the easiest, followed by Node and then Python. Of course, the security-vs-convenience trade-off has appeared, because the reverse order would be my security ranking, solely from a package maintainer perspective.


Loco Moco Security Conference: Kaua’i, Hawai’i
👋 This is my first time hearing about Loco Moco, but it seems incredible. Not only is it in freaking 🏖️ Kaua’i, Hawai’i, but the quality of attendees is going to be 🔥 based on what I’m seeing via social media.

What’s better than attending a conference in Kaua’i? Speaking at one! The CFP is open until March 31st, 2024.

Kaua’i is my favorite island, and I would be there in a heartbeat if I could. Unfortunately, I have a conflict this year 😭.

Application Security

Highlight

GitGuardian: The State of Secrets Sprawl 2024
This is easily the best report on leaked secrets I’ve seen to date. In 2023, GitGuardian determined that:

  • >1 in every 10 commit authors will likely have leaked a secret

  • Almost 13 Million total secrets detected (~3.7 Million unique)

  • More than 90% of the secrets remain valid 5 days after being leaked

“49% of breaches by external actors involved Use of stolen credentials”
Verizon’s 2023 Data Breach Investigations Report

👋 The full report is available here, and I strongly recommend giving it a read. It is unfathomable to me to see that leaked secrets are a growing issue in 2024.

I’ll never forget the days of using exposed secrets found in public Replit projects and posting stupid things on Twitter - while I should’ve been studying physics.

Trail of Bits: Read code like a pro with our weAudit VSCode extension
Filipe Casal announces the release of a VSCode extension that assists code reviews by offering features such as bookmarks, tracking of audited files, collaboration, and creating GitHub issues. Available via the VSCode Marketplace and GitHub.

TypeScript: Integrating Branded and Tainted Types
Allan Reyes shares a real-world application for branded and tainted types and then uses Semgrep to detect and enforce their usage.

I like how Allan phrased it here regarding his simple example, where a validator was embedded into the Brand: “These mean that developers don’t have to think, ‘Gee, do I have to validate this?’ They can totally evict that from their brains. The type will exist only if it’s already validated.”

👋 Secure-by-default, guardrails, whatever you want to call it… Do this. Part 2, Tainted Types, can be found here. Additionally, as referenced in the blog post, this thread by Matt Pocock is 🔥.
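To make the “the type will exist only if it’s already validated” idea concrete, here is an added example of branded and tainted types in TypeScript. It is not code from Allan Reyes’s post; the `Brand`, `Tainted`, `validateEmail`, `escapeHtml` and `handleSignup` names are my own, and the email regex is a deliberately simple placeholder rather than a full RFC 5322 check.

```typescript
// Branded types: a plain string never satisfies the brand, so the only way to
// obtain a ValidEmail or SafeHtml value is through the validator/sanitizer below.
type Brand<T, Name extends string> = T & { readonly __brand: Name };
type ValidEmail = Brand<string, "ValidEmail">;
type SafeHtml = Brand<string, "SafeHtml">;

// Tainted wrapper: raw input from outside the trust boundary is wrapped so it
// cannot be passed anywhere that expects a plain string by accident.
type Tainted<T> = { readonly __tainted: true; readonly raw: T };

function taint<T>(raw: T): Tainted<T> {
  return { __tainted: true, raw };
}

// Validator: the single chokepoint that mints ValidEmail (simplified pattern, assumption).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateEmail(input: Tainted<string>): ValidEmail | null {
  return EMAIL_RE.test(input.raw) ? (input.raw as ValidEmail) : null;
}

// Sanitizer: the single chokepoint that mints SafeHtml by escaping the HTML metacharacters.
function escapeHtml(input: Tainted<string>): SafeHtml {
  const escaped = input.raw
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
  return escaped as SafeHtml;
}

// Sinks accept only the branded types, so validation cannot be skipped.
function sendWelcome(to: ValidEmail): string {
  return `Welcome mail queued for ${to}`;
}

function renderGreeting(name: SafeHtml): string {
  return `<p>Hello, ${name}</p>`;
}

// Request handler: every field arrives tainted and must pass through a
// validator or sanitizer before it can reach a sink.
function handleSignup(fields: { email: string; displayName: string }): string[] {
  const email = validateEmail(taint(fields.email));
  if (email === null) {
    return ["rejected: invalid email"];
  }
  const greeting = renderGreeting(escapeHtml(taint(fields.displayName)));
  return [sendWelcome(email), greeting];
}

// What the compiler rejects: a raw string has no brand, so this does not type-check.
function doesNotCompile(fields: { email: string }): string {
  // @ts-expect-error  string is not assignable to ValidEmail
  return sendWelcome(fields.email);
}

// Constructed sample request (not real data).
console.log(handleSignup({ email: "kyle@example.com", displayName: "<script>alert(1)</script>" }));
```

The brand is erased at runtime (the `as` casts add no bytes), so the cost is zero; what you buy is that a Semgrep rule or a code review only has to check the two minting functions rather than every call site.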

ReverserAI (OSS): Automate reverse engineering tasks
Tim Blazytko shares ReverserAI, a Binary Ninja plugin designed to automate and enhance reverse engineering tasks. The special sauce is that this project leverages locally hosted large language models (LLMs), operating entirely offline.

Artificial Intelligence

NVIDIA Blackwell Platform Arrives to Power a New Era of Computing
NVIDIA announces Blackwell technologies, which enable efficient real-time operation of models up to 10 trillion parameters, reducing cost and energy consumption by up to 25x.


Department of Homeland Security Unveils Artificial Intelligence Roadmap
DHS is initiating three pilot projects to responsibly harness AI for Homeland Security missions, ensuring privacy and civil rights, enhancing national AI safety and security, and fostering leadership through strategic partnerships.

Apple Is in Talks to Let Google Gemini Power iPhone AI Features
Bloomberg reports that Apple is actively negotiating with Google to license Gemini for new features coming to iPhone software in 2024. Apple and OpenAI are also in ongoing discussions.

Miscellaneous

Former Telecommunications Company Manager Admits Role in SIM Swapping Scheme
Jonathan Katz, aka “Luna,” 42, of Marlton, New Jersey, pleaded guilty to conspiracy to gain unauthorized access to a protected computer. Katz was the manager at a telecommunications store and abused his credentials to swap SIM numbers, enabling individuals to control other customers’ phones and access their electronic accounts. Katz was paid in Bitcoin.

👋 His Bitcoin account received a total of $5,000; meanwhile, his offense “carries a statutory maximum of five years in prison and a fine of not more than $250,000 or twice the pecuniary gain to the defendant or twice the gross loss involved, whichever is greater.” Was it worth it? 🤔

Repository for Software Attestation and Artifacts Now Live
“Software producers who partner with the federal government can now upload their Secure Software Development Attestation Forms to CISA’s Repository for Software Attestation and Artifacts.”

Massive ‘Apex Legends’ Hack Disrupts NA Finals, Raises Serious Security Concerns
👋 There’s a lot of speculation going on, so I will add to it. My guess is that the player unknowingly installed a trojan/malware.

Software Supply Chain Security

Highlight

Doyensec: Supply Chain Benchmark Leading Tool Comparison
Luca Carettoni & Anthony Trummer share a comparative study, which included GitHub’s Dependabot, Semgrep Supply Chain, and Snyk SCA. The research aimed to evaluate SCA tools’ ability to reduce false positive rates on real-world code.

  • Dependabot: 1353 minutes to validate the positive findings, with 12% being valid

  • Semgrep: 148 minutes to validate the positive findings, with 83% being valid

  • Snyk: 1046 minutes to validate the positive findings, with 9% being valid

As someone who works on the Semgrep Supply Chain product, I was pleased, albeit not surprised, by the results. I’m very proud of our reachability analysis capabilities and the researcher team’s efforts in reviewing thousands of security advisories, patches, and example usages to write quality Semgrep rules.

An open letter to Congress to support NIST and the NVD
Following the NIST slowdown and lack of vulnerability data enrichment, Dan Lorenc, Chainguard Founder & CEO, has organized a crowdsourced draft letter to Congress. This letter aims to emphasize the criticality of the NVD and the potential implications which may result from a lack of support or funding.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle