Clouds of insecurity and more: first officer's blog - week 50

The expanding attack surface of the cloud, threats to PyPi, and more. Here's the latest from the world of cyber risk.

Mike Parkin | May 08, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date, 20230508 Officer of the Deck reporting.  

With the recent conference out of the way and the crew quickly returning to the usual routine, the USS [REDACTED] set out from the conference site back to Starbase [REDACTED] for another round of unscheduled maintenance. While the ship appeared to be operating correctly, and our own Engineering team assured us that they had confirmed everything was in order, Starfleet had decided to bring us in for a closer inspection. 

Given what the ship had been through even the Chief Engineer agreed, somewhat reluctantly, that it was, in fact, a good idea. The deployment would take us into the core worlds of the Federation, with less chance of being involved in combat or any of the other odd occurrences that so often characterized the frontier and border areas. 

Approximately halfway through the three-day trip at standard warp, we received a message from the Systems Officer of a [REDACTED] class Heavy Cruiser that was already docked at Starbase [REDACTED]. Apparently, they had recently received some upgrades to their core computing systems, and they had not quite gone exactly to plan. In fact, they had encountered some integration issues that their senior staff considered right up our alley, and with both ships at the station it would be an opportune time to work together to solve the issue. 

We agreed, of course. But what sort of problem could come up that the starbase staff couldn’t solve without needing our help? 

We would know soon enough. 

Clouds are puffy, with lots of surface area 

What happened 

A recent report has highlighted the growing attack surface represented by larger cloud installations and an ever-expanding number of assets within an organization’s environment, which is threatening to overwhelm IT security personnel. The study showed that the number of assets had grown by upwards of 133% while the number of security vulnerabilities jumped by almost 600%. The report suggests that intricate distributed cloud architectures have added resilience, they have done so at the cost of complexity which is proving difficult to manage securely. 

Why it matters 

One of the main reasons tools like the Vulcan Cyber risk management platform exist is because it can be so challenging to manage complex environments. When you put together multi-cloud and hybrid environments, and a workforce that may be largely remote, it’s no wonder security teams are having trouble staying ahead of their adversaries, and IT teams are struggling to stay ahead of a constantly changing patch situation. 

Since there is still a shortage of qualified technical assets for security operations and IT, teams must rely on their tools to help them manage risk. It’s possible, with the right combination of tools, but it’s still a challenge. 

What they said 

Good thing there are plenty of reports on this to keep us grounded.

So, what was that about kit we shouldn’t deploy? 

What happened 

The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to include the Federal Communication Commission’s (FCC) covered list into their risk management programs. The list is mostly made up of telecom vendors based in China, with the addition of Russia based Kaspersky labs and their anti-virus products. Vendors on this list are believed to pose an unacceptable risk to US national security interests. Organizations not subject to section 2(a) of the Secure and Trusted Communications Networks Act of 2019 are still advised to heed these recommendations. 

Why it matters 

CISA’s advisories are usually worth following whether an organization is bound to their rules or not. It is good advice, after all. Here, they’re including (mostly) telecommunications kit that is suspected of having backdoors or other security concerns due to potential, even likely, influence from the Chinese government. 

China’s surveillance capabilities are well known in their own country, so it’s no surprise that the security apparatus in other countries, like the US, would be concerned that those surveillance tools would remain in kit shipped outside China. Whether it IS there or not, is often unknown. But the risk is real, and the advice to avoid kit that’s potentially backdoored from the factory is sound. 

What they said 

When CISA talks, the security world listens. Here’s what they had to say.

Ok, one more time, vet your libraries, m’kay? 

What happened 

A series of malicious packages were found in, and quickly removed from, the PyPI (Python Package Index) repository. It is unknown how many projects were imported, and were affected by, the malicious packages, but the number is likely small. However, this incident shows that threat actors are continuing to attack the software development supply chain and developers need to make a point of assuring they are only using legitimate libraries in their projects. 

Why it matters 

While publicly accessible repositories are deploying more effective tools to identify and remove malicious libraries and are putting efforts into assuring that orphaned or abandoned libraries aren’t compromised by threat actors. But it’s ultimately the developer’s responsibility to make sure the library they are building against is legit. Is it really that cool library your friend recommended? Did you actually look at the code and confirm it’s not sending your credentials to a domain in North Korea or Russia? Did you notice a block of obfuscated code you simply don’t understand, but very definitely should? 

No? Then you need to do a better job vetting the libraries you use. While it may not be practical to check every line of code, or really necessary when you’re working with a well-known and well documented library, the reality is that most of these repo-jacking attacks rely on the victim not actually checking the code they import. Yes, checking adds time and effort, but it’s time well spent. 

What they said 

Unsurprisingly, this got plenty of attention.

Spot the Vulcan 

What happened 

SC Magazine is publishing a series of articles from guest contributors on the recent RSAC 2023 conference in San Francisco. 

Why it matters 

I was invited to contribute my insights on the event, though, to be fair, it’s very much the view from the Expo floor – as that is where I spent nearly all my time. And I’m still surprised none of our regular readers came by for a cup of the best coffee at the show.  

My original title suggestion was something to the effect of “the view from the expo floor.” 

What we said 

Take a look.


This is the 50th issue of the 1st Officer’s Blog. What started as an idea we thought would be fun has turned into 50 consecutive weeks of mixing an homage to an animated show with security incidents we had commentary on the previous week. 

Thanks to the loyal, and not so loyal, readers, and if anyone has feedback, suggestions, or anything else, reach out on LinkedIn or email me here at Vulcan Cyber. 

Live long and prosper. 


Want to get ahead of the stories?


Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy