- CramHacks
- Posts
- CramHacks Chronicles #32: Weekly Cybersecurity Newsletter!
CramHacks Chronicles #32: Weekly Cybersecurity Newsletter!
CISA releases Next-Gen Malware Analysis, Sisense's Security Slip-Up, Debating SAST's Value, Secure Defaults!
Kyle Kelly
April 17, 2024
š„³ Happy Monday! š„³
I hope you are doing well! Lately, Iāve been getting loads of surfing, which has sparked some creativity in my research interests.
You can count on CramHacks to provide a weekly cybersecurity newsletter, but with some patience, you can also expect solid, longer-form content!
SURVEYWhich topic would you want to learn more about? |
Table of Contents
Oh, Sisense, why oh why... āOur customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.ā
Sisense is 20+ years old but still seeing rapid growth. In 2020, Sisense raised $100M+ at more than a $1 Billion Valuation. This is an unfortunate event, but I hate to say Iām not surprisedāmany of you are likely just as susceptible.
According to ātwo trusted sources,ā a malicious actor somehow gained access to Sisenseās self-managed Gitlab platform with privileges to view a code repository containing a token or credential that gave access to Sisenseās Amazon S3 buckets.
From there, the attackers exfiltrated terabytes of Sisense customer data, including millions of access tokens, email account passwords, and SSL certificates.
Having witnessed early results of the Semgrep Secrets product, it was evident that exposed secrets are a massive issue. But what are some challenges with managing exposed secrets?
Noise: false positives - get a secret scanner that offers validators.
Secrets need identifiers. The industry must move away from random (weak) secrets, which is a big reason for all the false positives! For example, GitHub personal access tokens start with āghp_ā.
Ensure developers know how/when secrets get exposed. Just because you merged a commit that removed a hardcoded secret doesnāt mean itās safe!
Finally, the part I donāt necessarily have an answer for is that you need to know how and why that secret exists and who its owner is. Finding exposed secrets is one thing; rotating your secrets is another. A judgment call must often be made on whether or not to allow the secret to remain based on risks. What are the risks if that secret is compromised, vs. what are the risks of rotating it and breaking something?
Application Security
Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java
Recently, there was a wave of SAST haters trying to disprove its value because a single research paper showed that in their sample of 165 Java projects with verified CVEs, the best SAST tool tested only found 12.7% of the vulnerabilities. Daniel Cuthbert does a great job analyzing the meaningful content this paper offers - thereās lots!
š Itās unfortunate to see how many people skimmed this paper, likely didnāt understand 90% of it, and then ran online to say SAST can only detect 10% of vulnerabilitiesā¦. Firstly, the researchers only used basic configurations of open-source SAST tools. Secondly, matured projects are (hopefully) using SAST tools; therefore, all the vulnerabilities SAST can detect hopefully donāt exist in the first place!
Is SAST a silver bullet? No, of course not. But when I see a developer using a SAST IDE integration, they write a vulnerable line of code, which immediately gets highlighted, prompting them to remediate the issue before ever needing to build the projectā¦ Itās the most beautiful thing Iāve ever seen.
tl;dr sec: awesome-secure-defaults
A GitHub repository with āsecure by default librariesā aimed at eliminating common bug classes.
Twitterās Clumsy Pivot to X.com Is a Gift to Phishers
Twitter/Xās automatic replacement of ātwitter.comā in links with āx.comā led to the opportunistic registration of misleading domains, prompting defensive registrations to prevent phishing, but Twitter/X quickly corrected this.
Miscellaneous
OpenTofu: Our Response to Hashicorpās Cease and Desist Letter
OpenTofu received a cease and desist from HashiCorp for alleged copyright infringement, which they dispute with evidence showing the code originates from MPL-2.0 licensed material. Development on OpenTofu 1.7 continues, with a new release expected soon.
CISA Releases Malware Next-Gen Analysis System for Public Use
CISA has launched Malware Next-Gen, a public threat hunting and malware analysis system previously used by US federal agencies, to automatically analyze malicious files and URLs, supporting broader cybersecurity efforts with automated tools and shared insights.
š Sadly, youāre required to register and authenticate via login.gov.
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
š This is a bad one. If youāre affected and learning about this from a weekly cybersecurity newsletter, you should be concerned š¤£.
Software Supply Chain Security
Homebrew is now producing in-toto attestations
Shout out to Trail of Bits and all else involved in continuously improving the Homebrew ecosystem! Trail of Bitsā Joe Sweeney presented these enhancements at SOSS Community Day earlier this week!
Whatās in the SOSS - An OpenSSF Podcast
Omkhar Arasaratnam, General Manager of the Open Source Security Foundation (OpenSSF), is now hosting a podcast to discuss key components of secure open-source software.
Life as a maintainer after the xz utils backdoor hack
Ever wonder what itās like putting out global fires as an open-source maintainer? Well, hereās an hour of some of the best talking about their experiences and future fears.
Why I Signed: An Open Letter to Congress on the National Vulnerability Database
On April 12th, 2024, security researchers and practitioners published an open letter to the U.S. Congress and Secretary of Commerce urging action regarding NISTās ability to maintain the National Vulnerability Database (NVD) effectively.
Until Next Time! š
Hey, you made it to the bottom ā thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! š
Donāt hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle