This is a personal blog of 0xCardinal, discussing topics such as supply chain security, product & platform security, alongside discussions on interesting attack & defense strategies.
Reputation Farming in OSS: A Threat to Building Trust
This issue complicates the open source and supply chain security space. For attacks like xz, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, this discussion ignited in the OSSF Slack , which talked about the issue of credibility farming in several open source repositories. So, the issue revolves around GitHub (or equivalent platforms) accounts approving or commenting on old pull requests and issues that were already resolved or closed, where these meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is, without closer look....
Two Bits on the xz Vulnerability
GitHub Repository xz (Suspended) Source Code https://git.tukaani.org/?p=xz.git Threat Actor Jia Tan (GitHub) CVE Number CVE-2024-3094 (CVSS 10.0) Vulnerability Type Remote Code Execution Attack Category Social Engineering, Supply Chain Attack What does xz module do? XZ Utils is a set of free and open-source data compression utilities that provide high compression ratios and fast decompression....
Handling Deprecated Dependencies In Your Project
Disclaimer: Just a heads up, while we’re diving into ways to tackle the problem of dependency depreciation, there’s no one-size-fits-all solution here. It’s a bit of a wild ride dealing with supply chain security and those pesky deprecated dependencies, so don’t expect a quick fix! The issue of using deprecated dependencies has persisted for quite some time, and it’s gaining increased attention. Many projects continue to incorporate deprecated dependencies. I was inspired to write this blog after coming across a LinkedIn post by Rory McCune and several other posts over the past few weeks....
VS Code Security: Looking at the IDE from Security Lens
While perusing StackOverflow's 2023 Developer Survey (yes, we developers have our own version of celebrity gossip), I couldn’t help but notice that our trusty VSCode is still riding high as the undisputed IDE champ. With a whopping 73% of the developer vote, it’s safe to say that VSCode has firmly planted its flag. But, like any superstar, it’s not immune to the spotlight’s glare, especially when it comes to security. And in this blog, we’ll explore the security aspects that every VSCode user should consider....
Investigating Reported Vulnerabilities: A Closer Look!
In vulnerability scanners or penetration testing reports, you might come across statements like “Service version x.y.z is vulnerable to CVE-YYYY-ABCD." However, it’s essential to delve deeper to confirm the actual vulnerability. Let’s consider a real example: We received a vulnerability report indicating a vulnerability ( CVE-2023-23916 ) in curl v7.74.0 within the Debian 11 environment. The CVE documentation mentions: Affected versions: curl 7.57.0 to and including 7.87.0 At first glance, it appears that v7....
Kubernetes Components
In this blog post, we are going to talk about different components used in Kubernetes and what purpose each component serve. We will be talking about the following - Pods Service Ingress ConfigMap Secret Deployment StatefulSet ReplicaSet DaemonSet Use-case that will be used througout the blog will be hosting a web application with application code and database in different pods. Before starting this blog, if you want to learn about the underlying concepts - Read “Kubernetes Concept”...
My Experiments with Raspberry Pi Pico - Poor Man's Rubber Ducky
Mr. Robot Season 2 Episode 9 - “Rubber Duckie, You’re The One” - I was fascinated by this piece of technology when I first saw it many years ago. Then I looked it up on the internet to learn more about it, and it turned out to be HID, or Human Interface Device. It basically imitates users and executes code or performs actions in their place. Since the real rubber ducky was out of my budget, I looked for alternatives and discovered that similar behaviour to the rubber ducky can be achieved using a less expensive piece of hardware - the Raspberry Pi Pico (7$)....
Docker Security
Last Updated on 2nd Feb 2023. Containers? Why do we need containers over VMs - Efficient Resource Consumption between containers Once License for services/OS Low Compute Overhead What does docker engine does? Emulates Filesystem Gives each container unique process ID Isolation of container process Communication between the architecture components - Components Docker client (The one user interacts with) Docker Host Docker Daemon Images Containers Registry Docker client using serveral API calls sends the commands to Docker Engine which is being forwarded to containerd....