Open Source Tools by NCC Group 🐄 | Privacy Violation by Meta 🙄
CyberInsights #96 - Code Credential Scanner and a tool that distributes pen testing workloads across AWS || 20 NHS trusts using Meta Pixel found to be sharing health data
Code Credential Scanner & CowCloud
Any contribution to the community of cybersecurity is valuable and should be encouraged
The NCC Group has released two new security tools on GitHub.
One of them is a code credential scanner. This is what the tool does:
This script is intended to scan a large, diverse codebase for hard-coded credentials, or credentials present in configuration files. These represent a serious security issue, and can be extremely hard to detect and manage.
The specific focus of this script is to create a tool that can be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise.
And the other one is CowCloud, a tool that can automatically distribute workloads across AWS. Here is what it does:
This solution is intended to abstract end users from the underlying work required to distribute workloads in AWS. CowCloud provides users with a friendly web interface to view and create new tasks that later on are consumed by Python code running on worker nodes (EC2 instances). It is intended that the Python code will be customised as well as the EC2 AMIs.
Take Action:
Credential scanners (or secret scanners) are built into many hosted code repositories, but they cost money: you have to upgrade your subscription to get the feature. If you don’t want to do that, but still want to give your devs a credential-scanning tool in their DevSecOps pipeline, deploy this one.
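To make concrete what a scanner of this kind does inside a CI job, here is an added example in the same spirit as NCC Group's tool; it is not the project's own code. It walks a source tree, flags a few common credential shapes (an AWS access key ID, a PEM private key header, a quoted secret-looking assignment), skips obvious placeholders, redacts what it found, and exits non-zero so the pipeline fails. The rule names, the placeholder list and the `ccs:ignore` suppression marker are assumptions of this example, not features of the real tool.

```python
"""Minimal hard-coded credential scanner for a CI/CD pipeline.

Added example in the spirit of NCC Group's Code Credential Scanner; the
rules, the placeholder list and the suppression marker are this example's
own assumptions, not the real tool's.
"""
from __future__ import annotations

import os
import re
import sys
from dataclasses import dataclass

# Signatures for a few common credential shapes (constructed for this example).
PATTERNS = {
    # AWS access key IDs have a fixed prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key headers pasted into source or config.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # key = "value" / key: "value" with a secret-like name; the value must be
    # quoted and at least 8 characters long to keep noise down.
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"
    ),
}

# Obvious placeholders are not leaks; skipping them reduces false positives.
PLACEHOLDERS = re.compile(
    r"(?i)^(changeme|example|placeholder|<[^>]*>|\$\{[^}]*\}|x{3,}|\*{3,})$"
)

# Hypothetical inline marker for reviewed, accepted lines (e.g. test fixtures).
IGNORE_MARKER = "ccs:ignore"

SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Scan one file's contents line by line and return all findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # For rules with a capture group the secret is the last group;
                # otherwise the whole match is the secret.
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                if PLACEHOLDERS.match(value):
                    continue
                findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a source tree, skipping vendored/VCS directories and binary files."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: nothing to scan as text
    return findings


if __name__ == "__main__":
    # CI usage: `python scan_credentials.py .` fails the job when anything is found.
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted}")
    sys.exit(1 if results else 0)
```

Two design choices matter for adoption by dev teams: findings are redacted before they are printed (a CI log is itself a place secrets leak from), and an explicit, reviewable suppression marker lets a team accept a fixture without turning the whole rule off.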
Meta Pixel is tracking the effectiveness of ads.
And sharing health data with Facebook. Without consent.
It’s a cliché to say that Meta leaks data. This, however, is a little more complicated.
Meta has a service called Meta Pixel: you add a piece of code provided by Meta 🫥 to your web page, and it will help you ‘understand the effectiveness of your ads’.
20 NHS trusts wanted to understand the effectiveness of their ads, I guess. They used Meta Pixel and leaked the health data of individuals to Facebook.
I say ‘leaked’ because this was not part of the consent users gave when they visited the sites. Read the article to understand the level of detail captured. Also read this article about how this was alleged almost a year ago.
Take Action:
Review your website for tracking pixels and tracking code. If you are using third-party code, review that code to make sure you do not end up violating the privacy of your trusting visitors.
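A first pass at that review can be automated. The following is an added example, not code from the article or from Meta: it parses a page with the standard library, inventories every script, image and frame loaded from a host other than your own, and flags the two hosts the Meta Pixel base code talks to (`connect.facebook.net` for the `fbevents.js` loader, `www.facebook.com/tr` for the `<noscript>` image beacon) as well as inline `fbq()` calls. Because the Pixel loader injects its `<script>` at runtime, a static parse only sees the loader URL inside an inline script, so the example checks inline script bodies too. The tracker table, the first-party host, the `.test` analytics host and the sample HTML are all constructed for the example, and the pixel id in it is a placeholder.

```python
"""Inventory third-party scripts, images and frames on a page and flag known
tracking pixels.

Added example, not from the article; the tracker table, the first-party host
and the sample HTML are constructed for the example.
"""
from __future__ import annotations

import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the Meta Pixel base code talks to; extend with other vendors you use.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel image beacon (/tr endpoint, used in <noscript>)",
}
# The Pixel is initialised and fired through the global fbq() function.
FBQ_CALL = re.compile(r"\bfbq\s*\(\s*['\"](init|track|trackCustom)['\"]")


class AssetCollector(HTMLParser):
    """Collect every script/img/iframe source plus the body of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.assets: list[tuple[str, str]] = []
        self.inline_scripts: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._buf = []
        if tag in ("script", "img", "iframe") and attr.get("src"):
            self.assets.append((tag, attr["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies over as raw data
            self._buf.append(data)


def review_page(html: str, first_party_hosts: set[str]) -> list[tuple[str, str, str]]:
    """Return (where, host, reason) for every asset that is not first-party."""
    parser = AssetCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.assets:
        host = urlparse(url).hostname
        if host is None or host in first_party_hosts:
            continue  # relative URL or your own domain
        reason = KNOWN_TRACKERS.get(host, "third-party code: review what it collects")
        findings.append((tag, host, reason))
    # The Pixel loader inserts its <script> at runtime, so the static HTML only
    # shows the URL inside an inline script; look for it and for fbq() calls.
    for script in parser.inline_scripts:
        for host, reason in KNOWN_TRACKERS.items():
            if host in script:
                findings.append(("inline-script", host, reason))
        if FBQ_CALL.search(script):
            findings.append(("inline-script", "-", "fbq() call: Meta Pixel is active on this page"))
    return findings


# Constructed page resembling a site that pasted the Meta Pixel base code;
# the pixel id 000000000000000 is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
!function(f,b,e,v,n,t,s){/* loader abridged */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script src="https://cdn.example-analytics.test/collect.js"></script>
</head><body><img src="/logo.png"></body></html>"""

if __name__ == "__main__":
    # Usage: python review_trackers.py saved_page.html (defaults to the sample).
    page = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for where, host, reason in review_page(page, {"www.example-trust.test"}):
        print(f"{where:14} {host:28} {reason}")
```

Anything the script lists under "third-party code" is exactly what the Take Action item asks you to read before shipping: a host you do not control receiving the visitor's URL, referrer and whatever the vendor's script decides to collect.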
Oh, I really like the purpose of the code credential scanner. Hopefully this is not the first tool doing this.