Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP – ASW #311
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!
- 00:00 - Intro & Cyber Resilience Insights
- 01:20 - The 25-Year-Old Curl Bug Story
- 04:17 - Fuzzing for Security: A Missed Opportunity?
- 08:46 - AWS re:Invent Security Highlights
- 11:54 - NPM Malware Surge
- 16:33 - Small Packages, Big Risks in NPM
- 19:55 - Open Source Security Trends
- 24:27 - Microsoft MFA Vulnerability Explained
- 28:28 - Hardware Hacking & DMA Exploits
- 30:55 - Auditing Ruby's Package Ecosystem
- 34:02 - Looking Ahead to 2025
Hosts
1. A twenty-five years old curl bug | daniel.haxx.se
2. Auditing the Ruby ecosystem's central package repository | Trail of Bits Blog
3. Top AWS re:Invent Announcements for Security Teams 2024 | Wiz Blog
4. Open Source Usage Trends and Security Challenges Revealed in New Study
   Download the report here
5. WorstFit!
   Noting this because it falls into the category of parsing, defaults, and choosing between failure modes.
6. Open Source Malware Reaches More Than 778500 Packages, According to Sonatype Researchers
   The report is behind a regwall. I've included it here to talk about the phrase, "...npm, exemplifies the risk contained in public repositories, representing 98.5% of the malicious packages Sonatype has identified in the past year."
1. Microsoft MFA found to be lax, bypassable
   Folks at Oasis Security found out that Microsoft was allowing 3 minutes to accept an MFA token, 2.5 minutes longer than specified in RFC 6238. This gave attackers six times as long to attempt to brute-force the value.
2. Getting PCIe memory access via SD card reader
   This might be a little more hardware hacking than appsec, but is still a good read on some of the history of memory card interfaces and DMA attacks. At the end of the day, they've created a custom board to insert into an SD card reader that provides access to the laptop's memory via PCI Express.