CramHacks Chronicles #82: Weekly Cybersecurity Newsletter!

Hello, and Happy Monday! There hasn’t been much excitement, at least not technology-wise, this past week. But we do have some follow up from the hackers whom targeted the Happiest Place on Earth in 2024.

Former Disney worker sentenced to 3 years for hacking into park menus
In June 2024, a menu production manager was terminated from Disney. The former employee then accessed the internal menu-building system and modified food listings, manipulating allergen information in restaurant menus. The malicious changes did not reach customer hands 🙏.

👋 This is wild. He purposely targeted items that could harm customers with certain allergies, and even modified the menu information for wine regions to instead reflect locations of recent mass shootings.

Man Agrees to Plead Guilty to Hacking Disney Employee’s Computer
In early 2024, a California resident published a trojan to various platforms, including GitHub, advertising it as an AI art generation tool. A Disney employee fell victim to the trojan and the malicious actor gained accessed to their personal computer, including access to their password vault—including personal and work credentials.

GitHub: Secure Your Open Source Projects & Earn a Free Certification!
The month of May is Maintainer Month! GitHub has released three exercises for: repository management, dependency management, and secret scanning.

👋 Exercises should take about ~1 hr each, and you’ll receive a free GitHub Advanced Security certification test voucher if you complete all three 👀.

White House Proposes $500 Million Cut to CISA
The administration proposes a nearly 16% budget cut for the Cybersecurity and Infrastructure Security Agency; stating that cuts would exclusively focus on divisions tied to "censorship."

Request for Information (RFI) – Software Fast Track (SWFT) Tools
The DoD CIO is soliciting information and ideas for expediting the Authorization to Operate (ATO) process for the DoD adoption of software. They’ve “developed a voluntary procedure in which a company can provide a 3rd party produced Software Bill of Materials (SBOM) along with an independent 3rd party assessment of their software for the Department to evaluate and adopt Software faster.”

The Russian Open Source Project That We Can’t Live Without
Hunted Labs has re-ignited a sensitive topic; are we okay with state-owned Russian entities contributing to open source projects that we depend on? In this case, it’s easyjson, a package used by projects like Kubernetes.

👋 Opinions are totally my own, and I’d probably feel differently if my decision set any form of global precedent, but I personally don’t love knowing this. The original Kubernetes repo issue alludes to them not replacing it simply because of the level of effort, which I also don’t love. If there was more effort into the analysis, I’d love to see it.

More Links

CNCF Announces Graduation of in-toto Security Framework

Jury orders NSO to pay $167 million for hacking WhatsApp users

Redis 'returns' to open source with AGPL license

The Signal Clone the Trump Admin Uses Was Hacked

OIN marks 20 years of defending Linux and open source from patent trolls

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.