nbd

@nbdsec@infosec.exchange
13 Followers
110 Following
39 Posts

I like security things.

Sharing is caring. Teaching is growing.

He/him

Imagine the shitshow we'd be in right now if ICANN hadn't been spun off from the US government

@RecklessPush38671 @jack_daniel

I've always said the same thing about the Indiana state motto: "Crossroads of America" because you're not supposed to stop in the middle of the crossroads

🚨 Socket researchers uncovered malicious npm & PyPI packages posing as dev tools — stealing wallet seed phrases via Google Analytics and Telegram bots.

Inside the malware and how it works: https://socket.dev/blog/malicious-npm-and-pypi-packages-steal-wallet-credentials #Python #JavaScript

The Bad Seeds: Malicious npm and PyPI Packages Pose as Devel...

Socket researchers uncovered malicious npm and PyPI packages that steal crypto wallet credentials using Google Analytics and Telegram for exfiltration...

Socket

Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.

MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.

Nextgov.com

The Socket Research Team discovered a malicious #Python package that enables automated credit card fraud on #WooCommerce stores by abusing checkout and payment flows.

https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-with-automated-carding-attacks

Malicious PyPI Package Targets WooCommerce Stores with Autom...

The Socket Research Team investigates a malicious Python package that enables automated credit card fraud on WooCommerce stores by abusing real checko...

Socket

Not a single Republican is going to say anything about POTUS's shameful treatment of veterans? Especially those most in need? All cowards. This is hard to read without wincing, and it's an utter disgrace for the United States to treat its veterans this way.

"Late in February, as the Trump administration ramped up its quest to transform the federal government, a psychiatrist who treats veterans was directed to her new workstation — and was incredulous."

"She was required, under a new return-to-office policy, to conduct virtual psychotherapy with her patients from one of 13 cubicles in a large open office space, the kind of setup used for call centers. Other staff might overhear the sessions, or appear on the patient’s screen as they passed on their way to the bathroom and break room."

"The psychiatrist was stunned. Her patients suffered from disorders like schizophrenia and bipolar disorder. Treating them from her home office, it had taken many months to earn their trust. This new arrangement, she said, violated a core ethical tenet of mental health care: the guarantee of privacy."

"When the doctor asked how she was expected to safeguard patient privacy, a supervisor suggested she purchase privacy screens and a white noise machine. “I’m ready to walk away if it comes to it,” she wrote to her manager, in a text message shared with The New York Times. “I get it,” the manager replied. “Many of us are ready to walk away.”

"Scenes like this have been unfolding in Veterans Affairs facilities across the country in recent weeks, as therapy and other mental health services have been thrown into turmoil amid the dramatic changes ordered by President Trump and pushed by Elon Musk’s Department of Government Efficiency."

"Among the most consequential orders is the requirement that thousands of mental health providers, including many who were hired for fully remote positions, now work full time from federal office space. This is a jarring policy reversal for the V.A., which pioneered the practice of virtual health care two decades ago as a way to reach isolated veterans, long before the pandemic made telehealth the preferred mode of treatment for many Americans."

"As the first wave of providers reports to offices where there is simply not enough room to accommodate them, many found no way to ensure patient privacy, health workers said. Some have filed complaints, warning that the arrangement violates ethics regulations and medical privacy laws. At the same time, layoffs of at least 1,900 probationary employees are thinning out already stressed services that assist veterans who are homeless or suicidal."

"In more than three dozen interviews, current and recently terminated mental health workers at the V.A. described a period of rapid, chaotic behind-the-scenes change. Many agreed to speak on the condition of anonymity because they want to continue to serve veterans, and feared retribution from the Trump administration."

"Clinicians warn that the changes will degrade mental health treatment at the V.A., which already has severe staffing shortages. Some expect to see a mass exodus of sought-after specialists, like psychiatrists and psychologists. They expect wait times to increase, and veterans to eventually seek treatment outside the agency."

https://www.nytimes.com/2025/03/22/us/politics/veterans-affairs-mental-health-doge.html

Trump and DOGE Propel V.A. Mental Health System Into Turmoil

A chaotic restructuring order threatens to degrade services for veterans of wars in Vietnam, Iraq and Afghanistan.

The New York Times
Supply-chain attack exposing credentials affects 23K users of tj-actions
tj-actions/changed-files, corrupted to run credential-stealing memory scraper.
https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social
Large enterprises scramble after supply-chain attack spills their secrets

tj-actions/changed-files corrupted to run credential-stealing memory scraper.

Ars Technica
If Watergate happened today, it would just be Saturday and forgotten the next week.
My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy... the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.
CISA comment on CVE situation - they say the contract “will” lapse tomorrow. https://infosec.exchange/@metacurity/114344326544856491
Metacurity (@metacurity@infosec.exchange)

Attached: 1 image Regarding the end of MITRE's CVE program, here's a statement that a CISA spokesperson gave me for a piece I'm writing.

Infosec Exchange
DOGE have terminated MITRE's contracts, they say they will be laying off nearly 500 people. This will have impacts beyond CVE - think MITRE ATT&CK etc. https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-off-442-employees-after-doge-cuts-contracts/
NoVa govcon firm Mitre to lay off 442 employees after DOGE cuts contracts

Listen to this article Federal contracting firm Mitre, which has dual headquarters in McLean and Massachusetts, expects to lay off 442 people in Virginia in two months. The cuts come after the Trump administration has announced more than $28 million in canceled contracts for the company. Mitre notified the state Wednesday of 442 job cuts […]

Virginia Business
If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.
Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/
CVE Foundation

FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a

Another effort - https://gcve.eu/ Global CVE Allocation System. @gcve
GCVE.eu

CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity

It’s unclear how long it has been extended for.

Now all we need is for Breachforums to get back online and the threat intelligence industry is alive again!
Metacurity (@metacurity@infosec.exchange)

I hear that the extension granted to MITRE for its CVE contract lasts eleven months.

Infosec Exchange

CVE extension to March 16th 2026

See y’all March 15th 2026 for the last minute renewal 🫡😅

https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018_7001_70RSAT20D00000001_7001

USAspending.gov

@GossiTheDog I guess at least a lot of us learned about https://euvd.enisa.europa.eu/search today
Vulnerability Database

@GossiTheDog What kind of clown show is this government ​

@GossiTheDog I have to say, as someone who lives in the D.C. area and is plugged into gossip networks of both civil servants and contractors…there is a lot of this kind of thing* going on lately.

*”This kind of thing” being “the contract is off, no, wait, now it’s back on.”

@GossiTheDog what an incredible shitshow 
@GossiTheDog @metacurity good for them, but I do hope that the other things that quickly sprang up to replace it.. continue to replace it.

@GossiTheDog Do they understand that if you smash the trust-china, it will not hold the soup in the future?

The last sentence reads like an intentional insult to me.

Kintsugi - Wikipedia

@isotopp Looks great, but I rather not have it smashed in the first place 😏

@GossiTheDog @metacurity I feel like this short period of uncertainty has done enough damage that alternatives will come forward regardless of what will happen to MITRE in the future.

I just hope that we'll be able to arrive at a better independent and decentralized solution without completely fragmenting into multiple competing standards

@GossiTheDog Love the "let me put some anonymous website up and Yolo it" attempts. I'm sure it's a well funded long term commitment. GCVE vs lettuce webcam time...
@viraptor @GossiTheDog So they're anonymous just because you've never heard of them?
https://www.circl.lu/mission/rfc2350/
CIRCL » RFC 2350 CIRCL - the CERT for the private sector, communes and non-governmental entities in Luxembourg

@oya3un @GossiTheDog more of a - there's only one org reference on the contact page in a postal address. No specific people, nothing about goals, funding, GitHub org is not connected to circl, etc. I just expected a "who are we and why should you care about this specific project" page, regardless of whether I know about circl or not.
(Actually, I think I looked at the page initially before contact was even there)
@viraptor @GossiTheDog Just so I understand what you're saying: there's an overnight emergency rescue attempt to sustain the CVE system (one of several in the European Union, by the way) by a very much official state CERT (Luxembourg being rather wealthy might even answer your concerns about funding), backed by a government not in any imminent danger of being taken over by fascist baboons, and you complain about a missing link between the repo of an improvised web site and its mothership?
@oya3un yeah. Otherwise how do we know it's in any way related? As much as it's an emergency, it's unlikely major changes will be made and full systems established within days.
Meanwhile we've got at least 3 officially-ish looking efforts and more randos popping up with a static site saying they're building a replacement. Which feels like either people aren't communicating well or not all the new orgs are real.
(But yes, I've seen a very early link - now it's been confirmed already)

@GossiTheDog @gcve Great, now there are three competing standards... Waiting for a fourth one from China...

Also, their FAQ doesn't cover even the very basic question - how do I request an ID for a vulnerability that I have discovered?

@GossiTheDog half tempted to spin up a website saying I am putting CVEs on the Blockchain with AI for the fun of it

@GossiTheDog @gcve

Ok, but why don't we just use OIDs?

They're hierarchical and already delegated to a lot of organizations. And they're already used at other places like TLS certs and such.
Also you can address anything and everything with them.

EUVD

European Vulnerability Database

@GossiTheDog good. The US government does not deserve to have control of something so globally important.
@carbontwelve @GossiTheDog
They're currently demonstrating why that is the case, indeed.
@caranea @carbontwelve @GossiTheDog DNS roots and ICANN next, please.
@derickr @caranea @carbontwelve @GossiTheDog yes please. Properly decentralise the internet ✊
@GossiTheDog I wonder if that essentially runs towards privatization and paid-tier access to information... 😖
@GossiTheDog this is not good for USA. Great for Russia and China.
@GossiTheDog At my workplace they'd say "let it fail". Something better - or different - might emerge from the ashes. Maybe we will have less dependence on the US government, maybe we will find that people have to apply every update rather than just the ones with CVEs.
@GossiTheDog Can they afford to even? They're a non profit R&D org with just about everyone on soft contract money.
@mattblaze @GossiTheDog Right now, I gather we can't afford anything. And I'm not sure if it would be legal for us to perform on a lapsed contract even if we could afford it. But at this point, what I know is what's in the public letter, and that's about it.
@GossiTheDog That's tantamount to recommending suicide.
@gwire @GossiTheDog okay that is very interesting. that exact link loaded something else about 10 minutes ago. Here's the screenshot. See the date changes.
@briankrebs @GossiTheDog that screenshot is the 2023/2024 order, not the 2024/2025 one
@gwire @briankrebs @GossiTheDog Yes, until a short while ago the old data was provided at that link. The amounts were higher.
@GossiTheDog @briankrebs multiple CVE Board members have confirmed.
@GossiTheDog They don't care. It gets in the way of the grift.
@GossiTheDog Even if no new CVEs are officially released for the next five years, I reckon we can still have applications riddled with CVEs still being used in most businesses.
@GossiTheDog This is going to be pretty disruptive ongoing. Any talk of another org picking this up?
@GossiTheDog is the disappearance of the CVE database a CVE by itself?
@f4grx @GossiTheDog
The threat model CVE was designed for did not include Cheeto Benito or the Doge Dunce.
@f4grx @GossiTheDog It's definitely a weakness.