Episode 535: Dan Lorenc on Supply Chain Attacks

Topics covered
Popular Clips
Episode Highlights
Dependency Confusion
Dependency confusion is a sophisticated attack strategy where attackers exploit public repositories to inject malicious code by mimicking internal package names. explains that this technique leverages the order in which package managers search for packages, often prioritizing public repositories over private ones 1. This oversight allows attackers to upload malicious packages with the same names as internal ones, leading to potential remote code execution vulnerabilities 1.
You don't really see names as incredibly sensitive data. Sometimes the code is, but the name of the package is something that people copy around all the time.
---
Additionally, Lorenc highlights the related tactic of typo squatting, where attackers create packages with names similar to popular ones, relying on human error or social engineering to spread their malicious code 2.
Code Obfuscation
Code obfuscation is a technique used to hide vulnerabilities within software, making detection challenging. notes that while many attackers are lazy and leave obvious traces, some employ sophisticated methods to conceal their malicious activities 3. These methods include encoding strings or using manual obfuscation techniques that evade standard security scanners 3.
There are a lot of bug doors, I think is the technique there where if you could read code and see every bug, then you'd be the best programmer in the world.
---
Lorenc also mentions the International Obfuscated C Code Competition, where programmers create code that performs hidden tasks, illustrating the potential for obfuscated code to sit undetected in software systems 4.
Malicious Inputs
Malicious inputs are another vector for compromising software systems, often exploiting logging vulnerabilities. describes how attackers can inject malicious code into logging systems by embedding harmful strings in inputs like HTTP headers or IP address fields 5. These inputs can trigger unintended behaviors, such as downloading and executing untrusted code, due to the presence of interpreters in unexpected places 5.
People build like a small programming language into these logging libraries.
---
Lorenc emphasizes that the intersection of seemingly benign features can lead to vulnerabilities, as seen in Java's logging libraries, where template expansions can inadvertently execute remote code 6.
Related Episodes


Episode 541: Jordan Harband and Donald Fisher on Securing the Supply Chain
Answers 383 questions

SE Radio 606: Charlie Jones on Third-Party Software Supply Chain Risks
Answers 383 questions

Episode 441 Shipping Software - With Bugs
Answers 383 questions

SE Radio 630: Luis Rodríguez on the SSH Backdoor Attack
Answers 383 questions

Episode 514: Vandana Verma on the Owasp Top 10
Answers 383 questions

Episode 438: Andy Powell on Lessons Learned from a Major Cyber Attack
Answers 383 questions

Episode 449: Dan Moore on Build vs Buy
Answers 383 questions

SE-Radio-Episode-309-Zane-Lackey-on-Application-Security
Answers 383 questions

Episode 475: Rey Bango on Secure Coding Veracode
Answers 383 questions

SE Radio 559: Ross Anderson on Software Obsolescence
Answers 383 questions

Episode 544: Ganesh Datta on DevOps vs Site Reliability Engineering
Answers 383 questions

Episode 66: Gary McGraw on Security
Answers 383 questions

Episode 206: Ken Collier on Agile Analytics
Answers 383 questions

SE-Radio Episode 313: Conor Delanbanque on Hiring and Retaining DevOps
Answers 383 questions

Episode 427: Sven Schleier and Jeroen Willemsen on Mobile Application Security
Answers 383 questions













