Changelog: Bad code is a national security concern

KOBU Agency / Unsplash

Welcome to Changelog for 2/29/2024, published by Synack! README senior editor Nathaniel Mott here on this glorious Leap Day with the week’s top security news.

The payload

President Joe Biden has officially joined the Rust Evangelism Strike Force. Or at least that’s what many have said on social media following the Office of the National Cyber Director’s (ONCD) publication of a report (PDF) titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software” on Feb. 26. But the recommendations made in the ONCD report are more nuanced than just “rewrite it in Rust.”

ONCD does recommend that developers choose memory safe programming languages moving forward. But the report only mentions Rust by name in a section explaining why it’s one of three languages suitable for use in space, where “reliable and predictable outcomes” are of utmost importance. The other languages, C and C++, don’t offer the same memory safety guarantees as Rust. Yet they are considered good enough for space because decades of effort have been devoted to using them in the sector.

“Further progress on development toolchains, workforce education, and fielded case studies are needed to demonstrate the viability of memory safe languages in these use cases,” ONCD said. “In the interim, there are other ways to achieve memory safe outcomes at scale by using secure building blocks.” That includes hardware-based approaches to memory safety like Arm’s Memory Tagging Extension and the University of Cambridge’s Capability Hardware Enhanced RISC Instructions (CHERI) project.

So it’s safe to say the Biden administration won’t be looking to ban C and C++ any time soon. The ONCD report also discussed the importance of testing software—the bane of every developer’s existence—and the need to “develop empirical metrics to effectively measure code” as part of the effort to make software more secure by default. In that sense the report echoes README contributor Robert Lemos’ findings from September 2023: “Memory safety is the first step, not the last, towards secure software.”

If the report doesn’t represent Biden’s induction to the Rust Evangelism Strike Force, then, what does it stand for? I think perhaps the most important takeaway is that “Programmers writing lines of code do not do so without consequence; the way they do their work is of critical importance to the national interest.” Security doesn’t start with programmers switching to Rust—it starts with them considering the consequences their coding practices can have on the people who expect software to be secure.

(Before someone asks: No, requiring developers to use tools based on large language models isn’t going to work, either. We reported in February 2023 that “AI code assistants need security training.” That hasn’t gotten better with time, with GitClear reporting in January that data suggests GitHub Copilot has put “downward pressure on code quality,” which is a nice way of saying that all of this don’t-call-it-AI-generated code is actually making software worse. Do not @ me about this.)

The week, compiled

Since we’re discussing the Biden administration: The White House announced on Feb. 28 that new restrictions on the sale of “bulk sensitive personal data” to “countries of concern” are incoming.

“Access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities,” Biden said. “Countries of concern can rely on advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”

Blocking the sale of this data feels like a half-measure for a number of reasons. First, it seems unlikely that regulators will be able to impose and enforce these restrictions in a timely manner, especially if data brokers claim they don’t know who is buying their wares. Second, if these “countries of concern” can’t legitimately purchase this data, won’t they just look to obtain it by other means? People who can’t subscribe to Netflix don’t stop watching videos, for example, they simply go back to pirating them instead.

This strikes me as the same kind of flawed thinking that has led the feds to believe technology companies can put backdoors in their products that only U.S. law enforcement agencies will be able to use. That isn’t how any of this works! The best way to stop “countries of concern” from accessing this data is preventing data brokers from gathering and selling it in the first place. But that would be a problem for the many U.S. agencies that—surprise!—also buy a bunch of data about U.S. citizens from commercial vendors.

claudio-schwarz-S2W3Q_2Pv84-unsplash

Claudio Schwarz / Unsplash

404 Media reported in October 2023 that “Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones,” for example, and CNN reported in January that the NSA “has been buying Americans’ web browsing data from commercial data brokers without warrants.” Biden won’t just cut off these agencies’ access to all that data, so we get half-measures like this instead.

Now for the week’s security news:

Wired: BlackCat is back. Wired reported on Feb. 27 that the group—which the Justice Department crowed about disrupting in December 2023—is responsible for an attack on Change Healthcare that has led to “delays in drug prescriptions for an untold number of patients” across the U.S. That’s a quick turnaround, and according to Wired, it’s part of a broader trend of ransomware gangs not staying down for long.

JFrog: A machine learning model shared on Hugging Face, the self-described “AI community building the future,” is being used to pop researchers using the platform. JFrog said on Feb. 27 that the model features a payload that “grants the attacker a shell on the compromised machine” and allows them to “gain full control over victims’ machines” through a backdoor. So be careful while you’re face-hugging, I guess.

Apiiro: You should probably be careful on GitHub, too, because Apiiro said on Feb. 28 that a malicious repo confusion campaign “impacts more than 100,000 GitHub repositories (and presumably millions) when unsuspecting developers use repositories that resemble known and trusted ones but are, in fact, infected with malicious code.” (As if open source developers needed something else to worry about.)

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Flash memory

It’s Feb. 29. Things don’t happen today, and this newsletter’s a bit long, so let’s move on.

Local files

BleepingComputer: The scumbags in the Rhysida ransomware gang have claimed responsibility for an attack on Lurie Children's Hospital, with BleepingComputer reporting on Feb. 28 that the attack “forced the healthcare provider to take its IT systems offline and postpone medical care in some cases.” The group (I can’t use the term I’d prefer to use there) is now selling 600GB of stolen data for about $3.7 million. 

Mandiant: A group with Iranian ties is reportedly “targeting the aerospace, aviation and defense industries” in “Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.” Mandiant said on Feb. 27 that the campaign “has been active since at least June 2022 and is still ongoing as of February 2024.” The blog post includes a spate of details about how the group, UNC1549, is operating.

Off-script

It’s weird to think Pokemon’s been a part of my life since kindergarten. My parents bought me Pokemon Blue alongside my first handheld—a Game Boy Pocket that, of course, did not fit in any of my child-sized pockets—and then gave me Pokemon Red when I was recovering from having my tonsils removed. (Which I still consider a fair trade.) I stuck with the series through Pokemon Ruby and Sapphire, with a brief return for HeartGold and SoulSilver, but I haven’t really played anything released since then.

thimo-pedersen-dip9IIwUK6w-unsplash

Thimo Pedersen / Unsplash

My kid started kindergarten last September. He’s recently taken an interest in Pokemon, mostly because he liked the look of a particular coloring book, and he’s also getting to the point that he can sound out most words when he sees them. That’s awesome for all sorts of reasons… including the fact that it brings us closer to being able to share the experience of playing these little turn-based monster battlers. (And this time I don’t have to worry about someone lying about how to find Mew! Jerks.)