The Razor: ep 5

Hey Razers (that's the collective noun for people that subscribe to this newsletter, right?),

Another huge month of updates and interesting discussions in the world of building secure systems. It's the first one for the year and yet also, somehow, we're already over 8% into 2024! 🤯

📢 New Podcast

We've also been busy talking about these topics on our recently launched Ockam Podcast. This it the bit where I slam the air horn and say 📢 (brrpp brrpp brrrrppp) "Hit like and then smash that subscribe button" 📢. In all seriousness though, I'd love for you to check it out and let us know what you think (and also subscribe and share it with friends to make the algorithms happy).

🔮 Predicting the future

A few weeks ago we recorded an episode where we discussed the challenges and complexities of VPNs, and the following week an exploit of the Ivanti VPN was disclosed. Then we recoded an episode about the risks associated with putting private VCS on the public internet, and the following week we had both the GitLab and Jenkins disclosures. I'm not saying we're psychic (but, maybe?)… but if you want to keep ahead of these things you know where to subscribe.

Secure-by-design

• 🥸 Forging signed commits in GitHub: a clever exploit that uses a private endpoint and CodeSpaces to fool GitHub marking a commit as verified. It's an example of a parser mismatch vulnerability that I linked to in the previous newsletter.
• 😎 Five Cryptologic Giants to be Inducted into NSA's Cryptologic Hall of Honor: I guess this is the closest thing we have to celebrities and Oscar winners in this industry? I'm always impressed with the ingenuity and brilliance of pioneers like these that many decades ago lay the foundations for what we do today.
• 🤺 NIST on Adversarial Machine Learning: A very dense read about the some of the attacks possible with current AI systems. And more importantly, some of the mitigations we can put in place.
• 🚰 Dutch Engineer Used Water Pump to Get Stuxnet Malware Into Iranian Nuclear Facility: A report into how Stuxnet was (allegedly?) initially deployed over a decade ago. Obviously the headline tells you punchline. It's an incredible reminder that you're only ever as strong as your weakest link.
• 🍔 How I pwned half of America’s fast food chains, simultaneously: a writeup on how an embedded AI hiring system on a bunch of fast food chains' websites ultimately exposed lots of personal and shift details for employees, franchise managers, and job applicants.
• 👮 US disabled Chinese hacking network targeting critical infrastructure: A quick read on how the US government intervened to stop a China-based hacking group from attacking critical infrastructure. Keep your systems secure! You really don't want to have to rely on them to stop the bad guys, though I guess there's some comfort in knowing they're there as an option of last resort.
• 🧑‍⚖️ German Court Fines Security Researcher for Reporting a Company's Data Vulnerabilities: A concerning result for any ethical security researchers in Germany. The researcher may have been a bit aggressive in going to the press with the issues they found in only 3 days, but that doesn't appear to have had any impact on how or why they made their decision to find the defendent guilty.
• 🙃 Cybersecurity Isn’t Special: If you're a CISO, or just working in cyber security, and you think your life is hard Kelly has some news for you... it's not easy for SRE/Platform/Infra/insert other teams either. There's advice in there too on how to make it easier, so go check it out.
• 🚱 No Federal Funding For US Healthcare Providers Lacking Cyber Security Defences: The US government is laying out new guidelines for healthcare providers, and those that don't meet their basic cybersecurity requirements will have their funding tap turned off.
• 👷 The State of Software Supply Chain Security 2024: A report from ReversingLabs on the trends in supply chain attacks. One big take away is that they're getting easier!
• 💍 One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images: A story of how someone managed to get access that would have allowed them to insert malicious code into all for GitHub's runner base images, enabling them to attack every customer that used hosted runners.
• 🚨 LVE Repository: It's like a CVE database, except for Large Language Models (LLMs).
• 👩‍🎤 GenAI could make KYC effectively useless: Take a look at the example of someone producing fraudulent ID documents. Generative AI has got so good it's trivially easy to have it produce the proof of identity documents many organisations ask for as part of their Know Your Customer compliance requirements.
• 🤖 National Cyber Agencies on Engaging with AI: 13 national agencies have teamed up to identify a list of challenges in using AI technologies securely. I liked Vaughan's summary on LinkedIn so I've linked to that, the full report is in the comments.
• 🧑‍💻 Deliver Secure Code for Apps and Infrastructure: It's part sales pitch/marketing for Prisma Cloud, but PAN's guide on DevSecOps for your CI/CD pipelines has some good general takes in it too. And given the GitLab and Jenkins vulnerabilities this month I thought we could all use a refresher.
• 🎰 How I hacked two of Australia's largest Casino's (legally): Jamie gives a lot of detail (ironically while also not going too much into the specifics! Quite the trick) on how he managed to get himself privileged access to two separate casinos down under. The (re)registering a defunct company was an especially nice touch.
• 🌎 World Economic Forum: Global Risks Report 2024: The most severe global risk anticipated over the next 2 years is misinformation and disinformation! Coming in at #4 is cyber insecurity.
• ⚡️ Hacking EV Chargers: A 3 day event in Japan has just wrapped, where hundreds of thousands of dollars in prizemoney was given out to teams that could successfully compromise various popular EV charging stations.
• 📱 iPhone's new stolen device protection: Apple has added a new feature that forces additional security checks if you try to do sensitive actions in unfamiliar locations.
• 🔥 It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable: A research team that's taken two previously known exploits, and shows how they can be used to DoS a firewall and force it to reboot into safe mode.

Exposed

• 💰 Tietoevry: Swedish banking-as-a-service provider hit with ransomware attack.
• 🤡 Microsoft: Systems breached and attackers had access to "a very small percentage of Microsoft corporate email accounts". Thankfully those accounts were only the members of the senior leadership team, cybersecurity, legal, and some other functions and were used to exfiltrate some emails and attached documents. 🙄
• 🦊 GitLab: Over 5000 public servers vulnerable to an account takeover attack.
• 🚗 Mercedes-Benz: A leaked token gave someone full access to a private GitHub Enterprise server.
• 🏡 Fidelity National: Hackers stole 1.3M records and took the company offline for a week.
• 💾 Redis: Memory overflow bug that could potentially lead to remote code execution.
• 🔧 Bosch: There's been a lot of talk about loose nuts causing problems in the media this month. It seemed relevant to include a vulnerability for something you might find in a tool shop.
• 🧱 Ivanti: Two separate vulnerabilities that allows access that can bypass control checks or to execute arbitrary commands on the appliance.
• ⛈️ Google Cloud: I wasn't sure where to put this one as it's not exactly an exposure. A widely misunderstood configuration setting means that rather allowing access from authenticated users within your Google Org, any authenticated Google account could have access to and take control of Google Kuberenetes Engine (GKE) clusters running on GCP. As many as 250,000 clusters could be affected.

DX

• 🖥️ CLI User Experience Case Study: Topiary: I ❤️ a good CLI experience. This post goes through some of the reasons why they can be so difficult and the problems users will typically run into (I've also strong opinions on how these constraints drive amazing experiences in other parts of your product, that's a blog post for another time). From there there's some great examples of how they applied those lessons to improving their own CLI tool.
• 🧙 Be the best prompt engineer you can be: A paper that provides a list of guiding principles for providing the most useful prompts possible when using LLM systems (another shout out to Vaughan Shanks for bringing this one to my attention).
• 🏃 Developer Productivity/Quality: Google has published a series of papers around 3 facets of developer productivity: speed, ease, and quality. This one dives into various different types and definitions for what "quality" means in that context and how they influence each other.
• 🐳 Dive - a tool for exploring each layer in a Docker image: Wish you had an easier way to analyze the contents of each layer of a Docker image and/or work out how to make it smaller? We got you.
• 📉 GitHub Copilot Research Finds 'Downward Pressure on Code Quality': In news I find not at all surprising, research projects that the amount of code churn is expected to double in 2024 relative to 2021'. This article says it's a counterpoint to previous research that claimed CoPilot helped devs complete tasks significantly faster. It's not really a counterpoint though IMO and the reason devs get the speed has the same underlying reasons for why the code ends up being refactored later. I feel like I have another blog post in the works! 🤣
• ✨ 12 Modern CSS One-Line Upgrades: CSS is one of those things that I feel like is fairly stable and that I know quite well, and then realise it's not and I'm quite bad at it. This page has a number of nice improvements I need to immediately use to replace various hacks and workarounds I thought I needed on the Ockam website.
• 📙 The Hacker News Top 40 books of 2023: Someone built a thing to scrape HN posts and find the most mentioned books of 2023. These are the results. Some absolute classics in there with a mix of both fiction and non-fiction.
• 📦 PackagingCon 2023 Videos are up: A whole conference dedicated to package management across various ecosystems! I've not had a chance to watch any of the videos yet, but there are a whole host of them related to security, trust, and integrity. Topics I assume are of interest to this audience. As an example a few of the ones I've open in tabs to watch are: "How to bootstrap trust for the open-source ecosystem", "Python at Bloomberg", "Rebuilding Trust: Asserting Integrity in Language Package Ecosystems", "Rebuilding Trust: Asserting Integrity in Language Package Ecosystems", "Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines"
• ⌨️ Work Faster in VSCode Without Needing a Mouse: An interesting read on how Giles mapped various things to avoid the need to use a mouse in VSCode. I'm reasonably proficient at driving VSCode via the keyboard and my biggest crutch is simple not remembering the various shortcuts so I use the Command Palette as a crutch to make up for it. I like some of the suggestions in here though that have shortcut mappings more aligned to spatial things and where you want to move vs the names of the actions. I need to give it a try as it might be the thing that makes the shortcuts stick.

Product spotlight

• 🧬 Helix: A post-modern text editor: Look, I don't really understand what "post-modern" means in this context either (I know it's a joke!). It's a new text editor. Right as I might have discovered how to use VSCode properly! If you're finding VSCode a bit heavy though it looks like it's worth checking out.

The odd bits

• 🦄 Apocryphal Inventions: My attempts to explain this will do it absolutely no justice, so I'll just give you the blurb from the website: "The objects in the Apocryphal Inventions series are technical chimeras, intentional misdirections coaxed from the generative AI platform Midjourney. Instead of iterating on the system’s early drafts to create ever more accurate renderings of real-world objects, creator Jonathan Hoefler subverted the system to refine and intensify its most intriguing misunderstandings, pushing the software to create beguiling, aestheticized nonsense. Some images have been retouched to make them more plausible; others have been left intact, appearing exactly as generated by the software. The accompanying descriptions, written by the author, offer fictitious backstories rooted in historical fact, which suggest how each of these inventions might have come to be."

Whew! 😅 There's so much interesting stuff happening. Please keep sharing anything you find with me. Also, did I mention we have a podcast now? 😉

Best,