Recent years have seen a significant increase in attacks against libraries, tools, and infrastructure used in application development, as well as directly against developers and software companies. These range from fake libraries and malicious changes to popular libraries or programming languages, to vulnerabilities in CI/CD infrastructure components.
During the presentation, you will discover a handful of interesting, fresh examples and attack techniques and, perhaps most importantly, learn how to work safely as a programmer. You will find out about typosquatting, dependency confusion, protestware and discover stories of attacks on PHP, Codecov, Homebrew, npm, Ruby Gems, or GitHub.
Developer in a digital crosshair, 2022 edition - Oh My H@ck! | SecuRing
Attacks on third-party libraries and tools that are often used while developing software have become dramatically frequent.
Among these attacks, one can find dependency confusion, issues in popular dev tools (Codecov, Homebrew, npm...), typosquatting, incidents (PHP, GitHub...), or malicious changes in popular dependencies (UAParser.js, coa, node-ipc...). I will share a lot of gripping real-life examples of such attacks, their causes and effects, and help you stay secure while developing software.
Developer in a digital crosshair, 2022 edition - No cON Name | SecuRing
The frequency of attacks on third-party libraries and tools used in software development has dramatically increased in recent years.
Typosquatting, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc...), issues in popular dev tools (Codecov, Homebrew, npm...) or incidents (PHP, GitHub...). In this presentation, I will go over many fascinating, recent examples of these attacks, their causes and effects, and recommend to you how to stay secure when developing software.
Developer in a digital crosshair, 2022 edition | SecuRing
This presentation takes you through recent attacks aimed at software developers and software companies. First, it starts with attacks on libraries you install or have installed (typosquatting, pushing malicious library updates due to maintainer's credential takeover, protestware), even your private ones (dependency confusion). Second, it shows attacks on tools which are used in software development (package managers). Third, there are examples of attacks on developers' infrastructure (PHP programming language git server, GitHub OAuth incident with Heroku and Travis-CI).
Slides for the PromCon presentation "Securing Prometheus. Lessons Learned From OpenShift"
https://promcon.io/2022-munich/talks/securing-prometheus-lessons-lear/
Open source security tools for Kubernetes | Michael Ducy
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
ENPM808 Independent Study Final Report - amaster 2019 | Alexander Master
Research involving commonly exploited web application functionality, with analysis of the threats at the application, network, and protocol levels. Provided demonstrations of the exploits, as well as proposed detection techniques using open source tools.
Supply Chain Security for Containerised Workloads - Lee Chuk Munn | NUS-ISS
Containers have emerged as an indispensable component of modern cloud-native applications, serving diverse roles from development environments to application distribution and deployment on platforms like Azure's App Service and Kubernetes. In this presentation, we will delve into a suite of powerful tools designed to ensure the adoption of best practices in container management. You'll gain insights into how to scan container images rigorously, identifying and mitigating vulnerabilities effectively. We'll also explore the art of generating comprehensive software bill of materials (SBOM) for your containers and the significance of signing container images for enhanced security. The ultimate goal of this presentation is to empower you with the knowledge and skills necessary to seamlessly integrate these tools and practices into your CI (Continuous Integration) pipelines. By the end of this session, you'll be well-equipped to fortify your container workflows, delivering secure and robust cloud-native applications that thrive in today's dynamic digital landscape.
GitStack 0day. Remote code execution - Adam Nurudini | Adam Nurudini
The following presentation describes CVE-2018-5955, an unauthenticated action in GitStack that allows a remote attacker to add new users and then trigger remote code execution.
"The widespread adoption of custom URI protocols to launch specific Windows Universal App can be diverted to a nefarious purpose. The URI schemes in Windows 10 can be abused in such a way to maintain persistence via the 'Living off the Land' approach. Backdooring a compromised Windows account in userland context is a matter of seconds. The operation is concealed to the unaware victim thanks to the URI intents being transparently proxyed to the legitimate default application. The subtle fileless payloads can be triggered in many contexts, from the Narrator available in the Windows logon screen (an undocumented Accessibility Feature abuse technique that set off this whole research) to the classical web 'attack surface'."
All this research started with a novel Accessibility Feature Abuse I discuss here:
https://www.secjuice.com/abusing-windows-10-for-fileless-persistence/
The tool was demoed at BlackHat Europe Arsenal 2019:
https://www.blackhat.com/eu-19/arsenal/schedule/#backoori-tool-aided-persistence-via-windows-uri-schemes-abuse-18131
GitHub has invested heavily in security and, as the world's largest open-source platform, also has the ideal basis for analyzing dependencies and vulnerabilities in widely used libraries and sending notifications about them. In public repositories, as well as in private repositories in GitHub Enterprise Cloud and GitHub Enterprise Server, a wide range of security features is available under the name "GitHub Advanced Security".
This talk shows how the Code Scanning, Secret Scanning and Dependency Review features work. GitHub Actions and pull requests round out the toolbox for a successful DevSecOps process.
Protecting your organization against attacks via the build system | Louis Jacomet
Organisations build software all the time, from developer machines to CI, even public pull requests.
There are security risks associated with these actions! Come discover what they are and how to mitigate them.
The build tool is about execution of modifications and thus inherently insecure. However, risks can be mitigated through:
* Trusted dependencies
* Reproducibility
* Vulnerability tracking
Gradle will be used for examples.
>>> View this presentation online at http://github-service-universe.kimminich.de/ <<<
PDF version of the slide deck for my JavaLand 2015 talk "All-round careful Software Development with GitHub Services"
Tools for unit testing, building applications, analyzing software quality and planning release scopes are an essential aspect of modern software development. With GitHub and "pluggable" external services there are lots of options to move these aspects into "the Cloud". For open source projects this is a viable alternative to on-premise solutions. In this talk I will present and demonstrate the CI lifecycle of some of my recent projects hosted on GitHub where I tried to integrate modern tools (e.g. Gradle, npm, bower) and external services (e.g. Travis-CI, Code Climate, Coveralls, HuBoard, AmazonSNS, NMA). The benefits and limitations of those services will be honestly illuminated. I am not affiliated with any of the providers mentioned, so this talk will not end up as a marketing show! Instead, the audience is supposed to go out of this talk with some new things to try out with their own GitHub projects while hopefully being able to avoid some of the ramp-up difficulties.
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Putting microservices on a diet with istio | QAware GmbH
CodeDays 2019, Munich: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware)
Abstract:
Building microservice architectures is complex. Handling the involved complexities, like circuit breaking, rate limiting, observability or transport security, is usually left up to the development teams to implement. Using open source components to address these challenges is an option, but this quickly leads to excessive library bloat in our microservices. So let's put them on a diet: with Istio.
Watch How The Giants Fall: Learning from Bug Bounty Results | jtmelton
Security is hard. We all miss things. Attackers find things.
"You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself." -Samuel Levenson
This talk is a fun, fast-moving survey of some of the best recent bug bounty finds against some of the largest and best-known applications in the world. Some of the bugs are really simple, some are super complex, but all are entertaining. As we go through these, we'll take a look at what caused the issue, and how to fix it.
From this talk, you'll walk away with:
* a few minutes of entertainment
* a view of the wide breadth of security issues
* practical ideas on testing and shoring up security in your own applications
* (maybe) a new side gig as a bug bounty hunter!
Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great at reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security: small, immutable, single process and purpose. In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
Putting microservices on a diet with Istio | QAware GmbH
Software Architecture Conference 2018, London (UK): Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware)
Abstract:
In a microservice world, things become more complex. Platforms such as Kubernetes address a lot of the complexity; they handle resource isolation and utilization, networking, and deployments nicely. But a lot of the involved complexity such as load balancing, rollout scenarios, circuit breaking, retries, rate limiting, observability, tracing and transport security is still left up to the development teams.
Of course, you can address all of these challenges in your microservices programmatically using popular open-source components such as Hystrix, Ribbon, Eureka, the EFK Stack, Prometheus or Jaeger. But, unfortunately, this approach can quickly lead to excessive library bloat and suddenly your microservices are not quite so micro anymore.
All this might seem acceptable if you’re on a single, consistent development stack like Java EE or Spring Boot. But tackling these complexities becomes even more challenging if you’re dealing with multiple stacks and multiple frameworks, to say nothing about dealing with legacy applications that you can’t modify to retrofit these requirements.
In comes Istio to the rescue. It is a so-called service mesh that addresses many of the cross-cutting communication concerns in a microservice architecture. Think of Istio as AOP (aspect-oriented programming) for microservice communication. Instead of implementing everything directly within your services, Istio transparently injects and decorates the desired concerns into the individual communication channels.
Mario-Leander Reimer offers an overview of Istio and explains how it addresses the inherent complexities in microservice architectures. He briefly discusses the conceptual architecture and the main building blocks of Istio before diving into several examples deployed on a live Kubernetes cluster to demonstrate the different traffic management features, as well as diagnosability and security.
Container Days: Hijack a Kubernetes Cluster - a Walkthrough | Nico Meisenzahl
Nico will show how to hijack a Kubernetes cluster based on common attack vectors. You'll also learn why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster.
Furthermore, he will show you how to protect your cluster from being taken over by sharing useful insights, configurations, and toolsets.
This talk is not intended to be an in-depth security talk, but to provide you with best practices and also make you aware of certain attack vectors and how to prevent them.
Is persistency on serverless even possible?! | SecuRing
In addition to being a common option in cloud environments, serverless computing is also a suggested method for creating plenty of things! Did you ever consider its mechanics? Is serverless truly server-less? How does the execution environment function? In this event-driven compute service, is persistency even conceivable?
I will not lie – Remote Code Executions and Command Injections are uncommon, but what if one occurs in your function? Additionally, it may be brought in by an attacker through dependency injection. I will demonstrate how to use it to obtain persistency and exfiltrate more data than the function role gives.
Let us figure out:
- How serverless infrastructure functions.
- Why persistency is possible in this semi-volatile environment.
- How to use pseudo shell over HTTP for serverless environment research.
- An exploitation demo – how can we make use of an RCE vulnerability to obtain a persistency.
- Possible mitigations.
Let us hijack the data real-time from the AWS Lambdas and GCP Cloud Functions!
Presented at: Confidence 2022, AlligatorCon 2022, Secops Polska Meetup #32, DevSecCon Poland 2022, AWS Community Day Warsaw 2022.
What happens on your Mac, stays on Apple’s iCloud?! | SecuRing
“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, a camera, a microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism’s key design priority was clear user consent.
At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms; however, this time, we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :)
The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious application’s perspective without any additional permissions.
Similar to Developer in a digital crosshair, 2023 edition - 4Developers
0-Day Up Your Sleeve - Attacking macOS Environments (SecuRing)
Do you have Macs in your company's infrastructure? Nowadays, I bet that in most cases the answer would be YES. Macs stopped being computers only used in startups. We can observe them even in huge legacy environments in banks and other corporations. The problem is that they are usually not symmetrically secured, compared to the rest of Windows stations. Macs are not immune, they can be insecurely configured and now...even Apple admits that malware is present on Macs.
In this presentation I will:
1. Introduce you to macOS security mechanisms
2. Perform step-by-step macOS infection based on my 0-day (live demo)
3. Show you post-exploitation techniques
4. Attack installed apps and collect data from them
5. Give recommendations on how to harden your Mac and macOS infrastructure
20+ Ways To Bypass Your macOS Privacy Mechanisms (SecuRing)
In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.
In the search for a webinar platform, we have tested the security of 14 of them. As a result, in half of the tested platforms we have identified high-severity vulnerabilities, for example access control issues allowing unprivileged attendees to become a host/presenter, or sensitive data leakage.
20+ Ways to Bypass Your macOS Privacy Mechanisms (SecuRing)
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Author: Paweł Rzepa
In this talk I'm going to show you various attack vectors against the serverless applications built from AWS Lambda functions. You'll see:
- my findings on publishing malicious NPM packages to smuggle malicious code into legitimate-looking dependencies,
- examples of validation errors in serverless applications, including Denial of Wallet attacks and RCE in a fugacious, serverless environment
- serverless attacks and security nuances in Azure and GCP
- recipes to prevent those attacks
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation will:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to fix that vulnz finally!
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards (SecuRing)
The presentation focuses on the whole process of security testing and presents it by analogy to web applications, which are quite well-known. It covers the whole SDLC and shows the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), an open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
Author: Jakub Kaluzny
Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations what works well in regards to security at scale and what does not.
While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company that puts the same effort into testing the security of their cloud. We have to understand what new threats and risks appeared with the cloud and how we should change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure is different from testing environments in classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show the whole kill chain starting from presenting cloud-applicable reconnaissance techniques. Then I’ll attack the web application server hosted on an EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS EC2 instance to escalate privileges to the administrator and then present how to hide fingerprints in CloudTrail service. Finally, I’ll demonstrate various techniques of silently exfiltrating data from the AWS environment, setting up persistent access, and describe other potential cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services and each step of the kill chain will be presented in the form of an interactive, live demo. Using the presented attacks as examples, I’ll show how to use the AWS exploitation framework Pacu and other handy scripts.
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards (SecuRing)
Last year at AppSec EU I had a presentation about the Ethereum smart contracts and did a technical showcase of some of their potential vulnerabilities and security flaws. I also presented my proposition on how to handle the responsible disclosure process in the smart contracts world.
This year I want to focus on the whole process of security testing and present it by analogies to the web applications which are quite well-known. Smart contracts are described as Web3 decentralized apps and I believe that my talk will not only bring new light on this subject but will also help to understand and organize the way of testing. I am going to cover the whole SDLC and show the similarities and differences between the smart contracts and web applications on each step.
The presented overview is especially important nowadays when the biggest companies are building their own blockchain platforms and cryptocurrencies – i.e. Libra introduced by Facebook (which by the way also supports smart contracts).
I am also going to show the differences in the arsenal of vulnerabilities, security tools and standards by the analogy to web apps arsenal. I think that, even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in web apps world). I would like to discuss potential work that needs to be done in that area and show my preliminary work on that matter.
After this presentation audience will know what are the similarities and differences between smart contracts and web apps in the SDLC, an arsenal of tools and standards, but also will have a fresh overview of possible options and current trends.
Building and hacking modern iOS applications (SecuRing)
After his last presentation on pentesting without a jailbreak, the author decided to create a defensive presentation. It contains information about the most common problems in modern iOS applications and tips on how to deal with them. The presentation also introduces the new open-source library iOS Security Suite, available at https://github.com/securing/IOSSecuritySuite
We need to go deeper - Testing inception apps. (SecuRing)
When it comes to thick clients, Java applets, embedded devices or mobile apps, the idea is often to forget about the HTTP/S stack and plaintext POST parameters and, instead, implement a custom communication protocol.
- Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode.
- Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymmetric encryption, for better protection.
- Planning SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection.
Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography. Ideas that usually implement methods of 'security by obscurity'. Once the outer layer of obfuscation is off, very often the server backend reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solutions tests which require a bit more effort to allow tampering with data sent from the client:
- intercepting the traffic, bypassing NAC
- decapsulating encryption and encoding layers
- hooking into function calls, modifying packages
- reverse-engineering proprietary protocols and encryption.
After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus also on building not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at the latest Apple's Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover also pen tester's perspective. What's more - I will share with you details of multiple vulnerabilities (*including not disclosed previously*) that I found during security assessments and my research of Apple's applications.
Artificial Intelligence – a buzzword, new era of IT or new threats? (SecuRing)
In my presentation I will show you a couple of applications that use artificial intelligence in order to improve our security and how easy it is to use other AI to break it. You may like it or not, but natural language processing, deep learning, computer vision are being developed very rapidly and already have significant impact on your life, working behind the scenes of multiple services you use every day.
However, as a great man once said "with great power comes great responsibility", same with the AI - the risk of abuse appears. I will show you how to beat AI using rogue AI, how a crowd-sourced human intelligence can beat AI, or finally how a small, unnoticed by human change in the input data (constructed by AI of course) can severely impact the output of AI processing. I will focus on applications that improve our security not only in the cyber world (like CAPTCHA), but also in real life world (e.g. car safety systems).
Last, but not least, I will tell you how to prevent such abuses and why it is so important to understand how above-mentioned tools work.
After my successful presentation "Testing iOS Apps without Jailbreak in 2018" it's time to change the side. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at WWDC2018. H4ckers will be satisfied as well since I'm going to talk about these steps from pentester's perspective. What's more - this presentation will include vulnerabilities that I found during my professional work and my vulnz found in real Apple's apps! (That I haven't disclosed yet!)
The year 2019 may change a lot in the world of banking, fintechs, e-commerce and electronic payments, including in terms of security. This year, the PSD2 directive's regulations come into force concerning the APIs that banks must make available to third parties, as well as strong, multi-factor authentication and authorisation of financial operations. How will this affect the security of banking services and electronic payments? As with any change, much depends on the details, above all on how the APIs and multi-factor authentication functions are implemented. While testing the security of new financial applications, the expert had the opportunity to observe some trends and gather information about typical mistakes made during implementation. During the presentation, the speaker will look at the technical security challenges in the context of PSD2. Some vulnerabilities encountered in two-factor authentication (2FA) and transaction authorisation functionality (including in biometric applications) and in banking service APIs will be discussed. Good practices for implementing 2FA and PIS/AIS interfaces will also be presented.
Cloud security testing using AWS as an example. (SecuRing)
Nowadays it is common practice to carry out periodic security tests of the local network; however, company owners rarely decide on similar tests of their cloud environments. We have to understand the new threats and risks that have appeared with cloud services and how we should change our approach to testing them. The aim of the presentation is to show the need to test the cloud environment and how much it differs from testing an environment based on classic architecture. An example attack on a company using AWS services will be presented as a demo. Exploiting a vulnerability in a web application, followed by a series of minor oversights in the AWS configuration, the speaker will show how a potential attacker can, step by step, take over the AWS administrator role and then remove all evidence of their activity. Based on the attack carried out and the conclusions drawn, he will answer the question "what should a cloud security test look like?".
14. Interview
I mean no harm to anyone in any way
https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/
15. Interview
Parzhitsky agrees [...] that the unusually high number of
downloads can most likely be attributed to developers
making typos
24. Dependency Confusion
What happens if malicious code is uploaded to npm under
these names?
Is it possible that some of PayPal’s internal projects will
start defaulting to the new public packages instead of the
private ones?
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
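The question quoted on this slide can be answered from the defender's side by auditing the lockfile for internal package names that were resolved from a registry other than the private one. This is an added example, not code from the talk or from npm; the internal names, the `@acme` scope, the `npm.internal.example` host and the lockfile excerpt are constructed assumptions.

```javascript
// Constructed policy (assumptions for this example): which package names and
// scopes are internal-only, and which registry host is allowed to serve them.
const POLICY = {
  internalNames: new Set(['acme-auth-client', 'acme-billing-utils']),
  internalScopes: new Set(['@acme']),
  privateRegistryHost: 'npm.internal.example',
};

// Constructed package-lock.json excerpt (lockfileVersion 3, "packages" map).
const SAMPLE_LOCK = {
  name: 'shop-frontend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop-frontend', version: '1.0.0' },
    'node_modules/@acme/ui-kit': {
      version: '2.3.1',
      resolved: 'https://npm.internal.example/@acme/ui-kit/-/ui-kit-2.3.1.tgz',
    },
    'node_modules/acme-auth-client': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-99.0.0.tgz',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/left-pad/node_modules/acme-billing-utils': {
      version: '1.4.0',
      resolved: 'https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-1.4.0.tgz',
    },
    'node_modules/@acme/local-tool': { resolved: 'packages/local-tool', link: true },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// A name is internal if it is listed explicitly or sits in an internal scope.
function isInternal(name, policy) {
  if (policy.internalNames.has(name)) return true;
  return name.startsWith('@') && policy.internalScopes.has(name.split('/')[0]);
}

// Host the tarball was fetched from, or null when "resolved" is not a URL
// with a host (for example a file: path).
function resolvedHost(resolved) {
  try {
    return new URL(resolved).host || null;
  } catch (_err) {
    return null;
  }
}

// Report every internal package, at any nesting depth, that the lockfile
// does not pin to the private registry.
function auditLockfile(lock, policy) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name === null || entry.link === true) continue; // root or workspace link
    if (!isInternal(name, policy)) continue;
    const host = typeof entry.resolved === 'string' ? resolvedHost(entry.resolved) : null;
    if (host === null) {
      findings.push({ name, lockPath, version: entry.version, reason: 'no-registry-url' });
    } else if (host !== policy.privateRegistryHost) {
      findings.push({ name, lockPath, version: entry.version, reason: 'foreign-registry', host });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK, POLICY)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.host || 'n/a'}) at ${f.lockPath}`);
}
```

Run as a CI step before `npm ci`, a non-empty result is a reason to fail the build; nested entries matter because a transitive dependency can pull in the internal name too.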
50. On Thursday, April 1, 2021, we learned that someone had
gained unauthorized access to our Bash Uploader script
and modified it without our permission.
51. This customer was using the shasum that is available on
our Bash Uploader to confirm the integrity of the uploader
fetched from https://codecov.io/bash.
55. Our use of Codecov’s Bash Uploader script was limited: it
was set up on a single CI server used to test and build some
internal tooling […].
We were not using Codecov on any CI server used for
product code.
https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
56. While investigation has not revealed evidence of
unauthorized usage of the exposed GPG key, it has been
rotated in order to maintain a trusted signing mechanism
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
58. Homebrew
In the Homebrew/homebrew-cask repository, it was
possible to merge the malicious pull request by confusing
the library that is used in the automated pull request
review script developed by the Homebrew project.
https://blog.ryotak.me/post/homebrew-security-incident-en/
59. Homebrew
This is due to a flaw in the git_diff dependency of the
review-cask-pr GitHub Action, which is used to parse a pull
request’s diff for inspection.
Due to this flaw, the parser can be spoofed into
completely ignoring the offending lines, resulting in
successfully approving a malicious pull request.
60. Homebrew
By abusing it, an attacker could execute arbitrary Ruby codes on users'
machine who uses brew.
The discovered vulnerability would allow an attacker to inject arbitrary
code into a cask and have it be merged automatically
61. Second, on November 2 we received a report to our security bug
bounty program of a vulnerability that would allow an attacker to
publish new versions of any npm package using an account without
proper authorization
https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/
62. We determined that this vulnerability was due to inconsistent
authorization checks and validation of data across several
microservices that handle requests to the npm registry.
63. This vulnerability existed in the npm registry beyond the timeframe
for which we have telemetry to determine whether it has ever been
exploited maliciously.
64. However, we can say with high confidence that this vulnerability has
not been exploited maliciously during the timeframe for which we
have available telemetry, which goes back to September 2020
65. Ruby Gems
An ordering mistake in the code that accepts gem uploads allowed
some gems […] to be temporarily replaced in the CDN cache by a
malicious package
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w
66. Ruby Gems
1. An attacker could guess the next version number, and create a gem
with the name sorbet-static-0.5.9996-universal-darwin and version
number 20.
67. Ruby Gems
2. With a crafted invalid gemspec, it was possible to coerce
RubyGems.org to save that gem to S3 without creating a matching
database record.
68. Ruby Gems
3. Later, the real sorbet-static gem would release version 0.5.9996 as
usual, and the attacker-controlled file would be overwritten on S3.
69. Ruby Gems
4. However, if the attacker had already primed the Fastly CDN cache
by requesting their malicious gem, Fastly would continue to serve the
old, malicious package.
72. Yesterday (2021-03-28) two malicious commits were pushed to the
php-src repo [1] from the names of Rasmus Lerdorf and myself.
We don't yet know how exactly this happened, but everything points
towards a compromise of the git.php.net server (rather than a
compromise of an individual git account).
https://news-web.php.net/php.internals/113838
75. Something I was not aware of at the time is that git.php.net (intentionally)
supported pushing changes not only via SSH […] but also via HTTPS.
The latter did not use gitolite, and instead used git-http-backend behind Apache2
Digest authentication against the master.php.net user database.
https://news-web.php.net/php.internals/113981
77. It is notable that the attacker only makes a few guesses at usernames,
and successfully authenticates once the correct username has been
found.
While we don't have any specific evidence for this, a possible
explanation is that the user database of master.php.net has been
leaked
78. The master.php.net system, which is used for authentication and
various management tasks, was running very old code on a very old
operating system / PHP version, so some kind of vulnerability would not be terribly
surprising.
79. On April 12, GitHub Security began an investigation that uncovered
evidence that an attacker abused stolen OAuth user tokens issued to
two third-party OAuth integrators, Heroku and Travis-CI, to download
data from dozens of organizations, including npm.
https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/
80. Our analysis of other behavior by the threat actor suggests that the
actors may be mining the downloaded private repository contents, to
which the stolen OAuth token had access, for secrets that could be
used to pivot into other infrastructure.
81. GitHub contacted Heroku and Travis-CI to request that they initiate
their own security investigations, revoke all OAuth user tokens
associated with the affected applications, and begin work to notify
their own users.
82. We do not believe the attacker obtained these tokens via a
compromise of GitHub or its systems, because the tokens in question
are not stored by GitHub in their original, usable formats.
83. On April 7, 2022, a threat actor obtained access to a Heroku database
and downloaded stored customer GitHub integration OAuth tokens.
Access to the environment was gained by leveraging a compromised
token for a Heroku machine account.
https://status.heroku.com/incidents/2413
84. On that same day, the threat actor downloaded data from another
database that stores pipeline-level config vars for Review Apps and
Heroku CI.
Additionally, another small subset of Heroku users had their Heroku
tokens exposed in a config var for a pipeline.
85. On April 15, 2022, Travis CI personnel were informed that certain
private customer repositories may have been accessed by an
individual who used a man-in-the-middle 2FA attack, leveraging a
third-party integration token.
https://blog.travis-ci.com/2022-04-17-securitybulletin
86. Upon further review that same day, Travis CI personnel learned that
the hacker breached a Heroku service and accessed a private
application OAuth key used to integrate the Heroku and Travis CI
application.
87. Travis CI immediately revoked all authorization keys and tokens
preventing any further access to our systems. No customer data was
exposed and no further access was possible.
88. This week, we discovered that GitHub.com’s RSA SSH private key was
briefly exposed in a public GitHub repository.
We immediately acted to contain the exposure and began investigating
to understand the root cause and impact.
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
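Slide 80 notes that downloaded repository contents were mined for secrets, and slide 88 describes a private key exposed in a public repository. The script below is an added example, not part of the talk: it lists where secret-looking strings sit in a checkout so they can be removed and rotated. The patterns, labels and sample files are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the talk): find secret-looking strings in a checkout
# so they can be rotated. Reports path:line:label, never the secret itself.

# "label|extended regex" per line. These cover a few widely used formats;
# extend the list for the providers you actually use.
SECRET_PATTERNS='github-token|gh[pousr]_[A-Za-z0-9]{36,}
aws-access-key-id|AKIA[0-9A-Z]{16}
private-key|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_secrets DIR: print one "path:line:label" per hit, skipping .git.
scan_secrets() {
    printf '%s\n' "$SECRET_PATTERNS" | while IFS='|' read -r label regex; do
        # /dev/null forces grep to print file names even for a single file.
        { find "$1" -name .git -prune -o -type f \
              -exec grep -nE -e "$regex" /dev/null {} + || true; } |
            cut -d: -f1,2 | sed "s/\$/:$label/"
    done
}

# Constructed sample repository; every value below is fake.
make_sample_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/ci" "$repo/keys"
    printf 'GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n' > "$repo/ci/.env"
    printf 'key_id: AKIAIOSFODNN7EXAMPLE\n' > "$repo/ci/deploy.yml"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$repo/keys/id_rsa"
    printf 'echo hello\n' > "$repo/build.sh"
    printf '%s\n' "$repo"
}

sample=$(make_sample_repo)
scan_secrets "$sample"
rm -rf "$sample"
```

A hit in the working tree says nothing about history: a secret that was ever committed stays in old commits, so it has to be rotated, not just deleted.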
96. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install
• Enable 2FA (as a maintainer)
97. Enforcing 2FA
• Top 100 packages; started on: 1.02.2022
• Packages classified as critical: ~4000; started on: 8.07.2022
• Top 100 packages; started on: 15.08.2022
100. What can go wrong with enforcing 2FA?
https://github.com/untitaker/python-atomicwrites/issues/61
101. atomicwrites
I'd rather just write code for fun and only worry about supply chain
security when I'm actually paid to do so.
114. Tools
• I will not download and run scripts directly from the net
• I will verify checksums and signatures of downloaded files
• I will install only from official sources
• I will update frequently what I’ve already installed
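An added example for the checksum rule above, not code from the talk: a downloaded script is executed only if its SHA-256 matches a digest pinned in advance. The function names and the local sample file are assumptions, and signature verification is not covered here.

```shell
#!/bin/sh
# Added example (not from the talk): run a downloaded script only if its
# SHA-256 matches a digest pinned from a separate, trusted channel. A digest
# fetched from the same place as the file only detects corruption.

# Print the lowercase hex SHA-256 of a file (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Executes FILE with sh only when the digest matches; otherwise returns 1
# without executing anything.
verify_then_run() {
    vr_file=$1
    vr_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept uppercase hex
    [ -f "$vr_file" ] || { echo "missing file: $vr_file" >&2; return 1; }
    vr_actual=$(sha256_of "$vr_file")
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "checksum mismatch for $vr_file" >&2
        echo "  expected: $vr_expected" >&2
        echo "  actual:   $vr_actual" >&2
        return 1
    fi
    sh "$vr_file"
}

# Constructed demo: a local file stands in for the download, and its digest
# stands in for the value the vendor publishes.
demo() {
    demo_dir=$(mktemp -d)
    printf 'echo "installer ran"\n' > "$demo_dir/install.sh"
    demo_pin=$(sha256_of "$demo_dir/install.sh")
    verify_then_run "$demo_dir/install.sh" "$demo_pin"
    # Simulate tampering in transit or on the server.
    printf 'echo "extra payload"\n' >> "$demo_dir/install.sh"
    if verify_then_run "$demo_dir/install.sh" "$demo_pin"; then
        echo "BUG: tampered file was executed" >&2
    else
        echo "tampered file rejected"
    fi
    rm -rf "$demo_dir"
}

demo
```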
121. Infrastructure
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)
• Monitor, monitor, monitor
123. Final words
• Trust but always verify
• K.I.S.S.
• RTFM
• Keep stuff up to date
• Keep your secrets secret (KYSS ;)