Lessons That The XZ Utils Backdoor Spells Out – Farshad Abasi – ASW #280
Full Audio
View Show IndexSegments
1. Lessons That The XZ Utils Backdoor Spells Out – Farshad Abasi – ASW #280
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software.
It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead.
Segment Resources:
- https://tukaani.org/xz-backdoor/
- https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/
- https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68
- https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Announcements
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
Guest
Farshad Abasi is the Founder and CEO of Forward Security, bringing over 27 years of industry experience to the forefront of cybersecurity innovation. His professional journey includes key technical roles at Intel and Motorola, evolving into senior security positions as the Principal Security Architect for HSBC Global, and Head of IT Security for the Canadian division. Farshad’s commitment to the field extends to his role as an instructor at BCIT, where he imparts his wealth of knowledge to the next generation of cybersecurity experts.
At Forward Security, Farshad leads the development of the Eureka DevSecOps platform and the delivery of comprehensive security services. His diverse experience, ranging from startups to large enterprises, informs Forward Security’s approach to delivering adaptive, reliable solutions.
Engaged actively in the cybersecurity community through roles in BSides Vancouver/MARS, OWASP Vancouver/AppSec PNW, and as a CISSP designate, Farshad’s vision and leadership continue to drive the industry forward. Under his guidance, Forward Security is setting new standards in application and cloud security
Host
2. OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs – ASW #280
OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Guest
Farshad Abasi is the Founder and CEO of Forward Security, bringing over 27 years of industry experience to the forefront of cybersecurity innovation. His professional journey includes key technical roles at Intel and Motorola, evolving into senior security positions as the Principal Security Architect for HSBC Global, and Head of IT Security for the Canadian division. Farshad’s commitment to the field extends to his role as an instructor at BCIT, where he imparts his wealth of knowledge to the next generation of cybersecurity experts.
At Forward Security, Farshad leads the development of the Eureka DevSecOps platform and the delivery of comprehensive security services. His diverse experience, ranging from startups to large enterprises, informs Forward Security’s approach to delivering adaptive, reliable solutions.
Engaged actively in the cybersecurity community through roles in BSides Vancouver/MARS, OWASP Vancouver/AppSec PNW, and as a CISSP designate, Farshad’s vision and leadership continue to drive the industry forward. Under his guidance, Forward Security is setting new standards in application and cloud security
Host
- 1. OWASP Data Breach Notification
Two big lessons stand out to me from this breach.
One, OWASP explains that it "...collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes..." This implies that the data was kept around for the past 10 years despite being of no importance and that they made the active decision to stop gathering resumes. Even better than encrypting data is deleting it in the first place -- deletion removes the liability and burden of having to protect the data. There was a big process failure here.
Two, even security-minded orgs make mistakes. You can have all the awareness you want, but if it's not backed by processes that exercise that awareness in practice, then it's just relying on random people to randomly remember to do something. Even better is having tooling that enforces and controls that process. A retention policy combined with an automatic job to delete data would have helped immensely.
- 2. HiddenLayer Research | Prompt Injection Attacks on LLMs
This is a nice summary of classes of attacks against LLMs. Establishing a shared terminology makes discussions about threat models, countermeasures, and risks more efficient since everyone in the conversation can be starting from similar assumptions.
For example, it's more useful to understand specific vectors of prompt injection in order to evaluate whether a defense is effective. A jailbreak and a prompt leak require different defenses.
- 3. Chromium Blog: Fighting cookie theft using device bound sessions
Yes, authentication solutions like passkeys, WebAuthn, and FIDO2 are phishing-resistant and the modern mechanism that all orgs should adopt.
But there's still a catch. The post-authentication process typically assigns a session token to identify the user for a period of time. If that session token is compromised, such as by stealing cookies, then an attacker may be able to impersonate a user by merely presenting that cookie. The server assumes that the user presenting the cookie is the original user who went through the identity check during authentication. This is the type of attack we saw against Twitter and Uber, where Slack session tokens were compromised, thereby enabling an attacker to impersonate a user and gain more privileges through social engineering.
By binding the cookies to a device, this replay attack becomes more difficult -- the attacker would essentially have to proxy their traffic through the victim's device, which may be more technically difficult and more prone to detection by network or endpoint monitoring.
- 4. 2.10.1 Verify that intra-service secrets do not rely on unchanging credentials such as passwords, API keys · Issue #1032 · OWASP/ASVS · GitHub
This discussion thread shows the challenge of translating a single sentence into a design and implementation.
Item 2.10.1 of the ASVS states, "Verify that intra-service secrets do not rely on unchanging credentials such as passwords, API keys"
So, what should intra-service (aka service-to-service or s2s) authentication look like? Is mutual TLS an unchanging credential, but nonetheless secure? Is the spirit of this requirement really about an unchanging password or about the ability to easily rotate passwords? Is the spirit of this more about using authentication mechanisms that don't expose the secret, such as using a signed request instead of a raw API key?
- 5. Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz – SecurityWeek
Ivanti is having their Microsoft-in-the-early-2000s moment of repeated security lapses followed by a call to action from their CEO. (Check out some of the Microsoft history in last week's April Fool's news segment.)
Read Ivanti's statement here.
It has some nice sentiments, like "Alleviating the Burden of Security for Customers: We will be enhancing our capabilities to provide solutions that are secure out of the box (Secure by Default)..." We'll see how these manifest in practice.
It seems about 20 years late for a security company to be listing off actions like this, though. It's an unpleasant reminder that security products can weaken your environment by increasing the attack surface you need to defend.
- 6. FYI: OAuth: “grant” vs “flow” vs “grant type” • Aaron Parecki
A super-short article that helps clarify some OAuth terminology.
- 7. HTTP/2 CONTINUATION Flood: Technical Details – nowotarski.info
I can never resist a protocol-based attack. The impact here is a DoS, but one that can be very asymmetric -- the attacker needs few resources to exhaust the target.
Check out this post for a table of affected software.
Specification documentation is hard! This is an implementation issue that the HTTP/2 spec sort of cautions against, but not explicitly so. Check out episode 266 for a discussion about RFCs and the importance of documentation with Heather Flanagan.