shellsharks, to infosec
@shellsharks@shellsharks.social avatar

There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.

https://shellsharks.com/xz-compromise-link-roundup

I will try to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.

#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity

rugk, to infosec German
@rugk@chaos.social avatar

Note on all the #xz drama, there are some technical solutions for such #supplychainattack that can make such an attack way harder, at least to hide the code in tarballs etc.

https://slsa.dev/ e.g. is a solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source given in a source repository, with the possibility to prove that and no way for any maintainer to tamper with (in the highest level).

#slsa #infosec #security #linux #backdoor
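The post above points at SLSA and reproducible builds; the cheapest check in that spirit, which a downstream consumer can run without any provenance infrastructure, is to diff a release tarball against a snapshot of the tagged source and flag files that exist only in the tarball or whose contents differ. The following is an added example, not code from the post or from the SLSA project. It uses constructed in-memory tarballs for a hypothetical project named "demo", and the allowlist of generated autotools files is an assumption a real project would derive from its own release script.

```python
import hashlib
import io
import tarfile

# Constructed sample data for a hypothetical project "demo" (not a real release).
# REPO_FILES stands in for a `git archive` of the tagged commit; RELEASE_FILES
# for the tarball a maintainer uploaded. Two differences are planted: one file
# that exists only in the tarball and one source file whose content changed.
REPO_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build.m4": b"dnl harmless macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = {
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build.m4": b"dnl harmless macro\n",
    "m4/extra.m4": b"dnl present only in the tarball\n",
    "src/main.c": b"int main(void) { return 1; }\n",
}

# Assumed allowlist: files an autotools release legitimately contains but the
# repo does not. Anything else that is only in the tarball is reported.
GENERATED_ALLOWLIST = {"configure", "Makefile.in", "aclocal.m4"}


def make_tarball(files, prefix):
    """Build an in-memory .tar.gz with every path under a top-level directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_tarball(blob):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare(repo_blob, release_blob, allowlist=GENERATED_ALLOWLIST):
    """Report what the release tarball contains that the repo snapshot does not."""
    repo = digest_tarball(repo_blob)
    release = digest_tarball(release_blob)
    extra = set(release) - set(repo)
    return {
        "only_in_release": sorted(extra - allowlist),
        "generated_ok": sorted(extra & allowlist),
        "only_in_repo": sorted(set(repo) - set(release)),
        "modified": sorted(p for p in repo.keys() & release.keys() if repo[p] != release[p]),
    }


if __name__ == "__main__":
    report = compare(make_tarball(REPO_FILES, "demo-1.0"),
                     make_tarball(RELEASE_FILES, "demo-1.0"))
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

Against a real project, `repo_blob` would come from `git archive --format=tar.gz <tag>` and `release_blob` from the download page; the `only_in_release` and `modified` lists are what a reviewer reads, and the allowlist should be kept as small as the project's actual release tooling requires, since an over-broad allowlist is exactly where unreviewed build-time code can hide.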

itnewsbot, to security

GitHub besieged by millions of malicious repositories in ongoing attack (credit: Getty Images)

GitHub is struggling to contain... - https://arstechnica.com/?p=2006797

lesley, to random
@lesley@mastodon.gamedev.place avatar

Random #pldev and #packagemanager idea: In the build system, developers should explicitly grant permission for packages to execute risky tasks like accessing the filesystem or network. This includes all transitive dependencies. By doing so, any suspicious behavior introduced by updates to dependencies or their dependencies would be apparent.

I am certainly a noob in this area and am not certain whether this can be an effective strategy to mitigate #supplychainattack

Di4na,
@Di4na@hachyderm.io avatar

@lesley shock and surprises!!! ;)

chandlerc,
@chandlerc@hachyderm.io avatar

@lesley Absolutely.

I think some of this is starting to materialize nicely with systems like Go's dependencies page and OpenSSF Scorecard: https://github.com/ossf/scorecard
Example: https://deps.dev/go/google.golang.org%2Fgrpc

Definitely would like to see this taken incrementally further as you describe. Not just granting permissions individually, but basically a constraint / capability system -- each dep says what capabilities it requires (or reserves the right to require in future) and constrains its deps to a subset.
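The idea raised in lesley's post (developers explicitly granting risky capabilities such as filesystem or network access to packages, including transitive ones) and chandlerc's extension of it (each dependency declaring what it requires and constraining its own dependencies to a subset) can be modelled as a ceiling that only narrows as you walk down the dependency tree. The following is an added example, not code from either poster, from Go's tooling, or from Scorecard. Package names, manifest fields ("requires", "grants") and the capability names are all hypothetical and constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed sample graph with hypothetical package names (not real packages).
# Each manifest declares the capabilities the package's own code needs ("requires")
# and, per direct dependency, the ceiling it grants that dependency ("grants").
# Dependencies are the keys of "grants"; an unlisted package is not in the tree.
PACKAGES: Dict[str, dict] = {
    "app": {
        "requires": {"fs", "net"},
        "grants": {"http-client": {"net"}, "config-parser": {"fs"}},
    },
    "http-client": {"requires": {"net"}, "grants": {"string-utils": set()}},
    "config-parser": {"requires": {"fs"}, "grants": {"string-utils": set()}},
    "string-utils": {"requires": set(), "grants": {}},
}


def check(packages: Dict[str, dict], root: str, granted: Set[str]) -> List[str]:
    """Return policy violations for the dependency tree rooted at `root`.

    `granted` is what the developer explicitly allows the whole build. A package's
    ceiling is the intersection of its parent's ceiling and the grant the parent
    gives it, so capabilities can only narrow down the tree, never widen. Every
    package is checked once per distinct ceiling it is reached under.
    """
    violations: List[str] = []
    seen = set()

    def walk(name: str, ceiling: Set[str], path: List[str]) -> None:
        key = (name, frozenset(ceiling))
        if key in seen:
            return
        seen.add(key)
        manifest = packages.get(name)
        if manifest is None:
            # A dependency update pulled in a package nobody has a manifest for.
            violations.append(f"{' > '.join(path)} has no capability manifest")
            return
        excess = manifest["requires"] - ceiling
        if excess:
            violations.append(
                f"{' > '.join(path)} requires {sorted(excess)} but ceiling is {sorted(ceiling)}"
            )
        for dep, grant in manifest["grants"].items():
            walk(dep, ceiling & grant, path + [dep])

    walk(root, set(granted), [root])
    return violations


def simulate_update(packages: Dict[str, dict], name: str, new_manifest: dict) -> Dict[str, dict]:
    """Return a copy of the graph with one package's manifest replaced, as an update would."""
    updated = dict(packages)
    updated[name] = new_manifest
    return updated


if __name__ == "__main__":
    print("baseline:", check(PACKAGES, "app", {"fs", "net"}))
    # A leaf string library starts asking for network access in a new version.
    upd = simulate_update(PACKAGES, "string-utils", {"requires": {"net"}, "grants": {}})
    print("after update:", check(upd, "app", {"fs", "net"}))
```

The point the check makes visible is the one both posts want: a new version of `string-utils` asking for "net" fails even though the application itself holds "net", because neither of its parents passed that capability down. The same walk catches a direct dependency widening its own requirements and a dependency pulling in a package with no manifest at all.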

jbzfn, to random
@jbzfn@mastodon.social avatar

😶 We've learned nothing from the SolarWinds hack
➥ cyrnel

"Given its high profile, I'm shocked to report that I feel very little has been learned from that attack.

To me, the hack was a wake-up call about how the way we install and run software is insecure by design and needs a rework, maybe using capabilities-based security. But all I hear about is a bunch of solutions that kinda miss the point. "

#SolarWinds #SupplyChainAttack #CyberSecurity https://legacy.cyrnel.net/solarwinds-hack-lessons-learned/

mdfranz,

@jbzfn After 25 years in "Cyber" I've lived through a half-dozen "wake up calls" so I really have low expectations for rapid, proactive change.

A surprisingly large number of organizations inconsistently muddle through with "innovations" from a decade ago so we've got a few years before a critical mass of orgs/vendors implement lessons despite all the chest pounding about #SBOM
