Intro
Hi!
I hope you were not affected by the recent faulty update from CrowdStrike. If you were, I hope you were able to quickly react and restore your critical systems to an operational state.
In this edition, I’ve included a few hot topics. Aside from the CrowdStrike BSOD, you will find an article about preventing a major supply chain attack by identifying an access token to PyPI in a public Docker image. In this context, I’ve also included a list of best practices for secure secret management. If you’re using GitLab, especially self-hosted versions, make sure you apply the latest updates, as a high-severity vulnerability was identified that allows attackers to run GitLab jobs as an arbitrary user.
Security engineers interested in AI and LLMs might find building a lab with Google Colab and Ollama intriguing. You may also take a look at GitLab Duo, an AI feature that helps developers remediate security vulnerabilities.
If you’re a bug bounty hunter, take a look at a novel HTTP request smuggling vulnerability. I’ve also included a public disclosure write-up about API vulnerabilities in APDCL, a major power distribution company, which exposed personal data of 5.17 million electricity consumers. In the context of this API vulnerability, take a look at my recent Web API Security Champion articles about Broken Function Level Authorization and IDOR.
Have a great weekend and take care, especially if you’re spending it in the server room.
Materials
📃 Global Microsoft Meltdown Tied to Bad CrowdStrike Update
How did a faulty software update cripple Windows systems worldwide? This article explores the massive impact of a flawed CrowdStrike update that caused the “Blue Screen of Death” on numerous computers, affecting airlines, financial institutions, hospitals, and more. Readers will learn about the manual fix needed, reactions from social media, and the broader implications for cybersecurity and IT operations.
📃 Worst supply chain attack you can imagine prevented with binary secret scanning
What did the JFrog Security Research team do to prevent a major supply chain attack? The team discovered and reported a leaked access token with admin access to PyPI, the crucial Python package index. The token was exposed in a public Docker container image hosted on Docker Hub. This article discusses the importance of secrets detection in binaries and the potential risks of such leaks. Remember to use modern token formats, follow a consistent convention for secret values, and audit both source code and binary artifacts for leaked secrets.
📃 Developing Gitlab Duo: Use AI to remediate security vulnerabilities
How can AI help address security vulnerabilities quickly? This tutorial on developing GitLab Duo shows how AI can analyze and explain vulnerabilities, propose code fixes, and support collaboration on their resolution. It is helpful for developers facing critical vulnerabilities: AI assistance streamlines investigation, understanding, mitigation, testing, and code refactoring, improving both code security and efficiency.
📃 Surprising findings from our 2024 Global DevSecOps Survey – GitLab
What surprising findings are highlighted in the 2024 Global DevSecOps Survey performed by GitLab? This year’s survey of over 5,000 professionals revealed insights on AI impacting toolchains, speeding up developer onboarding, and the evolving role of the cloud in IT investment priorities. Organizations are reevaluating toolchain efficiency with AI, improving developer experience, and recognizing the cloud as essential. AI enhances productivity, but concerns exist about job displacement. Cloud computing remains crucial but is now considered standard practice alongside emerging tech investments like AI.
📃 Protecting Your Codebase: Best Practices for Secure Secret Management
What are the best practices for secure secret management in software development? Discover why safeguarding sensitive information, using secret management tools, implementing environment variables, automating secret rotation, enforcing the Principle of Least Privilege, utilizing Git hooks, and continuous monitoring are essential.
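The JFrog story above turned on a token sitting inside a published image, and the best-practices list recommends Git hooks and continuous monitoring for exactly that. The following scanner is an added example (my code, not JFrog's tool nor anything from the article) that looks for prefix-recognisable tokens in raw bytes, so it can be run over a checkout from a pre-commit hook and over a saved image layer tarball alike. The `pypi-` prefix is PyPI's real API token format; the GitHub and AWS prefixes are other well-known formats. The sample layer, the `.pypirc` contents and every token value are constructed for the demonstration.

```python
import io
import re
import sys
import tarfile
from dataclasses import dataclass

# Token formats recognisable by prefix. "pypi-" is PyPI's real API token
# prefix; "ghp_" (GitHub classic PAT) and "AKIA" (AWS access key id) are
# other well-known prefixes. Patterns run on raw bytes, so compiled
# binaries and image layers can be scanned without decoding them first.
TOKEN_PATTERNS = {
    "pypi_api_token": re.compile(rb"pypi-[A-Za-z0-9_-]{50,}"),
    "github_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
}


@dataclass(frozen=True)
class Finding:
    location: str   # file path, or "<archive>:<member>" for tar contents
    kind: str       # key of TOKEN_PATTERNS
    masked: str     # prefix and suffix only, so a report never re-leaks the secret


def mask(secret: bytes) -> str:
    text = secret.decode("ascii", "replace")
    return f"{text[:8]}...{text[-4:]}"


def scan_bytes(data: bytes, location: str) -> list[Finding]:
    """Apply every token pattern to a blob; works for text and binaries alike."""
    return [
        Finding(location, kind, mask(m.group(0)))
        for kind, pattern in TOKEN_PATTERNS.items()
        for m in pattern.finditer(data)
    ]


def scan_tar(blob: bytes, archive_name: str) -> list[Finding]:
    """Scan each regular file in a tar archive, e.g. a saved Docker image layer."""
    findings: list[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            fh = tar.extractfile(member) if member.isfile() else None
            if fh is not None:
                findings.extend(scan_bytes(fh.read(), f"{archive_name}:{member.name}"))
    return findings


def scan_paths(paths: list[str]) -> list[Finding]:
    """Scan files on disk; tar archives are expanded, anything else is read as bytes."""
    findings: list[Finding] = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if tarfile.is_tarfile(path):
            findings.extend(scan_tar(data, path))
        else:
            findings.extend(scan_bytes(data, path))
    return findings


def build_sample_layer() -> bytes:
    """Constructed sample layer: a .pypirc and an ELF-like binary, both holding fake tokens."""
    fake_pypi = ("pypi-" + "A" * 60).encode()   # constructed, not a real token
    fake_aws = b"AKIA" + b"0" * 16              # constructed, not a real key
    files = {
        "root/.pypirc": b"[pypi]\nusername = __token__\npassword = " + fake_pypi + b"\n",
        "app/bin/uploader": b"\x7fELF" + b"\x00" * 32 + fake_aws + b"\x00" * 32,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # With arguments: scan the given files (suitable for a pre-commit hook,
    # which passes the staged paths). Without: scan the constructed layer.
    if len(sys.argv) > 1:
        results = scan_paths(sys.argv[1:])
    else:
        results = scan_tar(build_sample_layer(), "sample-layer.tar")
    for f in results:
        print(f"{f.location}: {f.kind} {f.masked}")
    sys.exit(1 if results else 0)
```

Matching on raw bytes rather than decoded text is the point of the example: a token embedded in a compiled binary or a `.pyc` never shows up in a source-only scan, but it is still a contiguous ASCII run that a prefix pattern finds. The non-zero exit status lets the same script block a commit or fail an image build stage.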
📃 An attacker can run pipeline GitLab jobs as an arbitrary user – CVE-2024-6385
What important information can you find in the recent GitLab Critical Patch Release article, and who should be interested? The article details critical bug and security fixes in GitLab Community Edition and Enterprise Edition. It is essential for all GitLab users to upgrade to the latest patch releases immediately. Recommended for GitLab administrators and users.
📃 Broken Function Level Authorization — Web API Security Champion Part V
Wondering how to secure your APIs from unauthorized access? This article is for developers and security professionals focusing on Broken Function Level Authorization (BFLA), a top API security risk. Learn how BFLA occurs, its severe impacts like privilege escalation and data breaches, and practical solutions using role-based access control. Case studies and step-by-step fixes using the Damn Vulnerable RESTaurant API project illustrate key concepts.
📃 How to build a free LLM cybersecurity lab with Google Colab and Ollama
Why should you set up a free LLM cybersecurity lab with Google Colab and Ollama? Learn the basics of Large Language Models, check leaderboards for suitable LLMs, utilize open source LLMs for flexibility, and explore practical use cases like generating malware info cards and cybersecurity news digests. Keep in mind ethical considerations for responsible use. Stay curious and secure in the evolving field of AI and cybersecurity.
📃 Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites
What novel HTTP request smuggling vulnerability did a team uncover on Google Cloud websites? The article discusses the discovery of TE.0 HTTP Request Smuggling on Google Cloud hosts, which bypasses security measures such as Google IAP. The exploit allows session token leaks and mass account takeovers, affecting a large number of websites. The team integrated the payloads, reported the issue, and received an $8,500 bounty from Google.
📃 IDOR + Account Takeover: How I Secured Personal Information (PII) of 5.17M Electricity Consumers
Interested in cybersecurity and ethical hacking? Learn how a bug bounty hunter discovered critical vulnerabilities exposing data of 5.17M electricity consumers at APDCL. The article details the impact, proof of concept, and disclosure timeline of the security flaws.
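The BFLA article and the APDCL write-up above are two halves of the same authorization problem: one is a missing role check on a privileged function, the other a missing ownership check on an object fetched by id. The example below is added here and is my own code, not taken from the Damn Vulnerable RESTaurant project or from the APDCL disclosure; the users, roles (`customer`, `employee`), orders and ids are all constructed. Each endpoint is shown in its vulnerable form beside the fixed one, with plain Python functions standing in for route handlers.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller may not perform the action; a handler would map it to HTTP 403."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "employee" (constructed roles for the example)


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int
    total: float


# Constructed in-memory data standing in for the database.
USERS = {1: User(1, "customer"), 2: User(2, "customer"), 9: User(9, "employee")}
ORDERS = {101: Order(101, 1, 19.99), 102: Order(102, 2, 250.0)}


def require_role(*roles: str):
    """Function-level check (fixes BFLA): the caller's role must be in the allowed set."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role not in roles:
                raise Forbidden(f"{fn.__name__} requires one of {roles}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


# --- IDOR: object-level authorization --------------------------------------

def get_order_vulnerable(current_user: User, order_id: int) -> Order:
    # Authenticated, but the order is looked up by id alone: any customer can
    # read any other customer's order by changing the id in the request.
    return ORDERS[order_id]


def get_order(current_user: User, order_id: int) -> Order:
    # Object-level check: the record must belong to the caller, unless the
    # caller is staff. A missing id and a foreign id get the same answer, so
    # the response does not reveal which ids exist.
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != current_user.id and current_user.role != "employee"):
        raise Forbidden("order not found")
    return order


# --- BFLA: function-level authorization ------------------------------------

def list_all_orders_vulnerable(current_user: User) -> list[Order]:
    # The staff-only function is exposed, but nothing checks who calls it.
    return list(ORDERS.values())


@require_role("employee")
def list_all_orders(current_user: User) -> list[Order]:
    return list(ORDERS.values())


def is_denied(fn, *args) -> bool:
    """True if calling fn(*args) is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, staff = USERS[1], USERS[9]
    print("vulnerable IDOR leaks order 102 to user 1:", get_order_vulnerable(alice, 102))
    print("fixed get_order denies user 1 order 102:", is_denied(get_order, alice, 102))
    print("vulnerable listing for a customer:", len(list_all_orders_vulnerable(alice)))
    print("fixed listing denies a customer:", is_denied(list_all_orders, alice))
    print("fixed listing for staff:", len(list_all_orders(staff)))
```

The two checks are deliberately separate. A role decorator alone does not stop IDOR, because both customers legitimately hold the same role; the ownership comparison inside `get_order` is what ties the object to the caller. Conversely, an ownership check on every record does nothing for an endpoint such as `list_all_orders` that has no single owner, which is where the role check belongs.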
📃 Cert-PL open-sources MailGoose scanner
Looking to enhance your email security? Learn about MailGoose, a tool by CERT Polska that helps organizations prevent email spoofing with SPF, DMARC, and DKIM checks. Available on GitHub for easy deployment, MailGoose simplifies email configuration verification for both public and private institutions in Poland and beyond.
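MailGoose checks a domain's SPF, DMARC and DKIM configuration over DNS. As an added example that is my own code and not part of MailGoose or the CERT Polska article, the checker below applies the same kind of policy review to SPF and DMARC TXT records supplied as strings, so it runs offline: it flags a permissive `all` qualifier, a missing `all` term, the deprecated `ptr` mechanism, more than ten DNS-lookup terms (the RFC 7208 limit, counted only at the top level since `include` targets are not resolved here), and a DMARC policy of `p=none`, a missing `rua` address or a partial `pct`. DKIM is left out because verifying a selector record needs a live DNS lookup. The record strings are constructed for the demonstration.

```python
import re

# SPF terms that cost a DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return the issues found in an SPF TXT record (empty list = nothing to flag)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues: list[str] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated; replace it with ip4/ip6 or include")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        issues.append("no 'all' term: hosts not listed get a neutral result")
    elif all_qualifier in "+?":
        issues.append(f"'{all_qualifier}all' lets any host send as this domain; use ~all or -all")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return the issues found in a DMARC TXT record (empty list = nothing to flag)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues: list[str] = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail that fails alignment is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will never arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    return issues


# Constructed sample records for example.com (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mail.example.net ptr +all"
GOOD_SPF = "v=spf1 mx include:_spf.mail.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"


if __name__ == "__main__":
    for label, record, check in [
        ("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
        ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc),
    ]:
        print(f"{label}: {check(record) or ['ok']}")
```

The SPF parser treats the qualifier as a prefix character and the mechanism name as everything up to the first `:`, `=` or `/`, which is how `include:domain`, `ip4:1.2.3.0/24` and `redirect=domain` all decompose. A real deployment would feed the functions from a DNS query and additionally resolve each `include` to count the lookups it contributes.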