Donuts. And biometrics | From PyPi to GitHub
#192 - Krispy Kreme collected vast amounts of personal data | Actually, It's a win for cybersecurity
Krispy Kreme piled on the additional carbs…
Notice of Data Breach on their website shows they collected a phenomenal amount of personal information
It’s a way of life. Companies get breached. People’s personal information gets stolen. Yawn! What stands out about this breach is the sheer amount of personal data that was available with 🍩 Krispy Kreme. Read this notice on their website. Krispy Kreme had the following data about their employees:
Name
Social Security number
date of birth
driver’s license or state ID number
financial account information
financial account access information ⁉
credit or debit card information
credit or debit card information in combination with a security code ⁉
username and password to a financial account ⁉
passport number
digital signature ⁉
username and password ⁉
email address and password ⁉
biometric data
USCIS or Alien Registration Number
US military ID number
medical or health information
health insurance information
The ⁉ marks highlight data that was collected, but for the life of me, I cannot figure out why. Some of it, I assume, is employee background verification data, etc.
Hey, Krispy Kreme Information Security / Data Privacy teams, welcome to the concept of data minimization. Start by reading the definition on Wikipedia and we can take it from there.
Take Action:
Cybersecurity/ Data Privacy Professionals 🕵🏼♀️ - This is the case study for implementing data minimization. It’s quite simple, actually. Collect only what you need and dispose of it when you no longer need it. Not rocket science.
Cyber Insurers 👩🏻💼 - Check what data your insured is collecting. Your ‘proposal form’ should list all types of personal data that the organization collects. This should factor into your premium decision.
Dozens of copycat repos appear on GitHub…
… but the number of malicious copycat packages in package registries declines
GitHub is the world’s largest open source software repository, so ‘dozens’ of malicious copycat repos is not really news. What’s interesting is that the number of malicious packages on registries has declined.
This news analysis argues that the rise in copycat repos is actually a good thing. It means that package registries have become better at handling malicious packages, and malicious actors are forced to put their code up on GitHub instead.
Let me explain:
GitHub is a software code repository. This means that for someone to use the code, they have to create a copy of the code, set up the environment required to run it, install all the dependencies and then run the software. You would have to run commands like this:
git clone <repo-url>
cd <folder>
docker-compose up -d
npm install
npm run dev
Compare this with how you set up from a package registry. A package registry is a place where you can use packages straight from your program. When you use an ‘import’ statement in Python, you are expected to have that package installed from the registry. It’s more direct, and developers rarely check the source code to validate packages. This is how you would install a package:
pip install django
It’s a win for cybersecurity if malicious actors are forced to use GitHub to push their malicious code instead of package registries.
Take Action:
Software Developers 👩🏻💻 - Check for copycat clone names before using open source libraries from GitHub. Maintain a strong SBOM (Software Bill of Materials) and get it audited regularly.
Cybersecurity Consultants and auditors 👤 - Ensure that the SBOM is current. Check the packages in the SBOM, with tools or manually. Use SAST tools wherever possible for dependency validation.
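As an added example (not part of the original newsletter), here is a small Python check for the "copycat clone names" action above: it reads a requirements-style dependency list and flags any name that is a near-miss of a package on a known allow-list. The allow-list, the sample requirements and the look-alike names in them are constructed for illustration.

```python
import difflib
import re
from typing import Dict, List

# Constructed allow-list; in practice this comes from your approved
# dependencies or SBOM (assumption: a short list is enough to demonstrate).
KNOWN_PACKAGES = ["django", "requests", "numpy", "flask", "cryptography"]

# Constructed requirements.txt content with two hypothetical look-alike
# names ("reqests", "flaskk") mixed in among legitimate ones.
SAMPLE_REQUIREMENTS = """\
django==4.2
reqests>=2.31
numpy
flaskk
cryptography==42.0
"""


def normalize(name: str) -> str:
    # PEP 503 style normalization: case-insensitive, and '-', '_' and '.'
    # are treated as the same separator so variants compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    # Keep only the package name: strip version specifiers, extras, markers.
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>~!\[;]", line, maxsplit=1)[0].strip()
        names.append(normalize(name))
    return names


def find_lookalikes(names: List[str], known=KNOWN_PACKAGES,
                    cutoff: float = 0.8) -> Dict[str, str]:
    # Map each unknown name to the allow-listed name it most resembles.
    # Exact allow-list members are trusted; near-misses above the similarity
    # cutoff are flagged for manual review before installation.
    known_norm = sorted({normalize(k) for k in known})
    flagged: Dict[str, str] = {}
    for n in names:
        if n in known_norm:
            continue
        close = difflib.get_close_matches(n, known_norm, n=1, cutoff=cutoff)
        if close:
            flagged[n] = close[0]
    return flagged


if __name__ == "__main__":
    for bad, good in find_lookalikes(parse_requirements(SAMPLE_REQUIREMENTS)).items():
        print(f"review before installing: {bad!r} looks like {good!r}")
```

Run it against a real requirements file and allow-list to get a short review queue; names with no close match are not flagged, so this complements, rather than replaces, SBOM auditing.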