What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
tl;dr: User countermeasures:
- Noreply-Email-Address: Every GitHub user should either use a dedicated commit email address or GitHub’s noreply-email-address service, also enabling the option to block accidental command line pushes.
- 2-Factor-Authentication: Every GitHub user should have 2-Factor-Authentication enabled
- Raise Awareness: it’s the duty of developers aware of this issue toinform their colleagues about it
sed -i "s/$real_email/$github_email/" /opt/*/.git/config
Usine hydro-électrique, génératrice diesel, système d’aération, métro, silo, haut fourneau, système de production de bio-gaz ou d’eau potable… Tout y passe. Autant, les VNC d’avant, ça ne pouvait pas trop faire de dégat sinon la compromission de la machine en question, autant là on parle de systèmes qui peuvent conduire à des morts…
Issue #2 is out !
Paged Out! is a new experimental (one article == one page) free magazine about programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.
Include a crazy prime Python quine ! (page 35) O.O
This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.
$ python3 -m zipfile -e overlap.zip .
Traceback (most recent call last):
...
__main__.BadZipFile: File name in directory 'B' and header b'A' differ.
How does a tiny repo cause git to run out of memory? The secret is that git de-duplicates “blobs” (which are used to store files) to make repositories smaller and allow using the same blob when a file remains unchanged between commits. Git also allows de-duplication of “tree” objects (which define the directory structure in a repository).
git-bomb
tries to make a billion files, however it only has 10 references to the file blob and only has 10 tree objects in all.
- Input injection
- Parsing XML
- Assert statements
- Timing attacks
- A polluted site-packages or import path
- Temporary files
- Using yaml.load
- Pickles
- Using the system Python runtime and not patching it
- Not patching your dependencies
We are left with A1, A4, A5 and A9 as somewhat relevant and a dozen of other attack vectors common app faces with no single mention.
A very plausible scenario of credentials sniffer injected through npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section : so scary and true.
Journalists watch out—you may be unintentionally revealing sources.
Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text
- HTTP/2
- TLS 1.3
- DOH: DNS over HTTP
- QUIC: a candidate replacement for the TCP protocol
since Google has already deployed QUIC in the Chrome browser and on its sites, it already accounts for more than 7% of Internet traffic.
Also mention this creepy & fascinating attack : http://codebutler.com/firesheep
Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
Embeddable in :
- fake URLs ending in .html, .js, .php...
- emails to detect if you are spied on
- files in the cloud
- as file watchs do detect spies on filesystems
- desktop.ini for Windows directories or zip files
- MSSQL & MYSQL
- Word / PDF documents
- a JS resource is used elsewhere
few realize how absolutely devastating and omnipresent this vulnerability can be
Pour vous donner un exemple de la vulnérabilité des outils comme la messagerie Outlook, en 2016, l’Annudef’ (l’annuaire du ministère de la Défense) a été téléchargé deux fois et on ne sait toujours pas par qui.
😲😱😩
- XML internal entities
- Billion laughs attack / quadratic blowup
- XML external entity (XXE)
Or how I obtained direct publish access to 14% of npm packages (including popular ones)
"Here you have a trivially simple method of injecting legit-looking messages into text conversations with anyone, providing you know how your target stores the spoofee sender in their contacts. In the UK, that’s largely the difference between starting with 07, and +447.
The utterly exquisite reality is that, if your target then replies, that reply goes to the real sender, who is overwhelmingly likely to reply something like “what the hell are you on about?”, this being the first they’ve heard of this shady business. Does that look like backtracking or denial? I ain’t no Member of Parliament, but it sure sounds like it to me."