
CramHacks Chronicles #30: Weekly Cybersecurity Newsletter!

xz/liblzma backdoor, PyPI suspends user registrations, OSV-Scanner offers guided remediation, and Chief AI Officers

🥳 Happy Monday! 🥳

This past weekend was BSides San Diego! It was great chatting with folks and learning some new topics.

I’d love to be one who says it was the greatest time ever… But the reality is that didn’t happen. I caught up with the few people I knew would be there, listened to a few talks, and then felt the need to get out of there.

👋 Referrals are back this week! Have two people subscribe using your referral link, and you'll receive a $5 gift card! Thank you for supporting ❤️!


Backdoor in upstream xz/liblzma leading to SSH server compromise
In short, a maintainer with years of contributions to the xz/liblzma project went rogue and introduced a backdoor. Linux systems using certain OpenSSH builds are affected, but everyone using a compromised version should revert to a known good version.

👋 My favorite technical analysis is here, and my favorite overall coverage of this incident is here.
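As an added check (my own example, not part of the linked analyses or the xz project), a small POSIX shell script that reports the installed xz version, compares it against a placeholder list of compromised versions that you fill in from your distribution's advisory, and tells you whether the local sshd links liblzma at all. The function names and the KNOWN_BAD list are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter: a post-incident host check for xz/liblzma.
# KNOWN_BAD is a placeholder list; replace it with the versions your vendor flagged.
KNOWN_BAD="${KNOWN_BAD:-PLACEHOLDER_BAD_VERSION_A PLACEHOLDER_BAD_VERSION_B}"

# version_in_list VERSION "v1 v2 ..." -> returns 0 only on an exact match.
version_in_list() {
  ver="$1"
  for bad in $2; do
    [ "$ver" = "$bad" ] && return 0
  done
  return 1
}

# installed_xz_version -> prints the version from the first line of `xz --version`
# (e.g. "xz (XZ Utils) 5.4.1" gives 5.4.1), or "unknown" when xz is not installed.
installed_xz_version() {
  if command -v xz >/dev/null 2>&1; then
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
  else
    echo unknown
  fi
}

# sshd_links_liblzma -> 0 if sshd has liblzma as a shared-library dependency,
# 1 if it does not, 2 if sshd or ldd is unavailable on this host.
sshd_links_liblzma() {
  sshd_path=$(command -v sshd 2>/dev/null) || return 2
  command -v ldd >/dev/null 2>&1 || return 2
  ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# xz_host_check -> prints a summary; returns 0 if nothing suspicious was found.
xz_host_check() {
  ver=$(installed_xz_version)
  status=0
  echo "installed xz version: $ver"
  if version_in_list "$ver" "$KNOWN_BAD"; then
    echo "WARNING: $ver is on the compromised list; revert to a known good build"
    status=1
  fi
  if sshd_links_liblzma; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "sshd links liblzma: review how this build was produced and patched"; status=1 ;;
    1) echo "sshd does not link liblzma" ;;
    *) echo "sshd or ldd not found; skipping the shared-library check" ;;
  esac
  return $status
}

xz_host_check
```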

Application Security

The architecture of SAST tools: An explainer for developers
GitHub’s Sylwia Budzynska, Keith Hoodlet, and Nick Liffen break down static application security testing (SAST) tools and why they are essential to developers.

👋 I’m constantly blown away when I learn that some of the best developers I know have never used a SAST tool. For those who don’t have security engineers looking over their shoulders, introducing SAST into your project’s CI/CD can add a ton of value to your team. Even doing some spot checks here and there could result in significant code quality and security improvements.

Code security configurations let organizations easily roll out GitHub security products at scale
GitHub’s new security configurations feature allows organizations to efficiently manage and apply recommended or custom Dependabot, secret scanning, and code scanning settings across repositories. It is now available in public beta and will be forthcoming in GitHub Enterprise Server 3.14.

Artificial Intelligence

Every US federal agency must hire a chief AI officer
The U.S. government now requires federal agencies to appoint a chief AI officer and establish governance boards to ensure ethical and transparent AI use as part of a broader initiative to integrate AI responsibly into public services.

Intel confirms Microsoft’s Copilot AI will soon run locally on PCs, next-gen AI PCs require 40 TOPS of NPU performance
Intel announces that Microsoft’s Copilot AI will run locally on future AI PCs requiring at least 40 TOPS of NPU performance, signaling a shift towards more powerful, privacy-focused local processing in computing.

Cloud Security

Amazon buys nuclear-powered data center from Talen
Amazon Web Services (AWS) acquired a 1,200-acre campus in Pennsylvania for $650 million; the site holds a 960-megawatt data center and draws its power from the adjacent Susquehanna Steam Electric Station.

Software Supply Chain Security

Highlight:

OSV and helping developers fix known vulnerabilities
Michael Kedar, Rex Pan, and Oliver Chang from Google’s Open Source Security Team announce the latest OSV-Scanner features. This includes a new guided remediation tool to help developers update known bad dependencies and the OSV-Scanner GitHub Action so maintainers can incorporate scans via CI/CD.

👋 I’m a fanboy when it comes to Google’s Open Source Security Team. OSV.dev is a precious open-source vulnerability database, and OSV-Scanner now supports vulnerability AND license scanning. Then, there’s the OSS-fuzz project and countless contributions to communities like OpenSSF. I’m sure there are many other major projects I’ve also yet to uncover.

Aqua Security: Chain-bench
An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.

PyPI suspends new user registration to block malware campaign
AuToMaTe AlL tHe ThInGs… wait not that… PyPI recently suspended new user registrations for ~10 hours to block a malware campaign that registered 500+ unique accounts; each uploaded a malicious package to PyPI.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle