Modernizing AppSec – Melinda Marks – ASW #307

The answer to the question isn't terribly dramatic, but it's still a good question to consider. Most of the tech in our hands everyday and the tech that makes it possible to access and use the Internet were invented by folks that are still alive today.

Will their legacy be to serve as bar trivia questions, or will it be more substantial? Will there be a Linus Torvalds AI bot, trained on his hundreds of thousands of emails, posts, and pull request comments? I'm predicting no - not unless we learn how to make LLMs properly sassy. They just refuse to be mean or negative in any way today.

I love a good chance to evaluate the risk of vulnerabilities. It often isn't clear until you dig into the vulnerability details. What's the access vector? What does the exploit do? What level of privilege would the attacker gain?

In this case, it sounds really bad - wireless access points with a CVSS 10 vulnerability! The access vector is network, attack complexity is low, no authentication required. Sounds like an urgent one, right?

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

But then, why is the EPSS score 0.04? Probably because exploiting the vulnerability requires access to the access point's web management console, which isn't going to be available outside the network.

So that means, you need to be on the inside to hack them. But if you're on the internal network already, you have no need for hacking them.

Many vulnerabilities have this paradoxical effect. Vulnerabilities look terrifying, until you take a closer look and realize that no attacker would ever leverage it, because it doesn't make sense from the attacker's perspective.

This is another area where, as the article's author points out several times, that vulns haven't typically been exploited in the wild. Like, ever. Diving into the details again tells us why - it requires physical access to the car and the ability to turn it on. If you have those two things, you can steal the car - you don't really have a need for exploits on a USB key (maybe, if cars had a USB port accessible on the outside of the car?)

It's a useful thought exercise though - are there legit attack scenarios with cars that could start getting hit at scale? Nearly all modern cars have some connectivity to the public Internet, and we've seen hacks via the Internet, mobile apps, or APIs in the past. It seems like a fleet of cars would be a great potential ransomware attack. A fleet of semi trucks belonging to a long haul shipping carrier? Amazon's Rivian delivery trucks? All Ford 150s?

"Almost 70 percent of DevSecOps professionals can't detect AI source code origins, creating massive security risks, according to a new report"

Is it really though? Who cares where the code comes from - it has to go through the same gauntlet of quality, functional, and security testing, right?

The source report is here

what year is it.gif

Hilarious. I'm only sad it's all gone and I didn't get a chance to grab a Welcome to Paradise Gameboy cartridge!

Socket Security researchers discovered five malicious npm packages deploying malware to steal credentials and other data through typo squatting (such as node-dll, which I'm guessing is attempting to spoof dll for dynamically linked lists). It looks like the packages were "only" downloaded 320 times before removal.

In a refreshing change, a software vendor tells customers to secure the management interfaces to their PANW devices. While they don't know all the details yet, they've gotten word of a RCE vulnerability being exploited in the wild, and are trying to help customers stay safe.

And the linked web page on how to secure the management interface looks decent, too.