Random in Security is a summary of the cybersecurity news.
Luckily, the xz backdoor was caught quite early, before the backdoored version was rolled out in many distributions. Andres Freund saved the internet with his attention to detail.
In the wake of this discovery, other libraries that are already compromised could potentially be found.
Kaspersky provides quite a detailed technical analysis. The code in amlweems/xzbot gives useful details and a demo of how the backdoor works. Gynvael has an extensive analysis of the bash obfuscation. Additional references are listed in this Gist.
In the subsequent days, additional details were unearthed by Binarly. A very basic client implementation is also available in blasty/JiaTansSSHAgent.
Fabian Bäumer from RUB disclosed on oss-security the details of a private key recovery attack against NIST P-521 keys in PuTTY. Marcus Brinkmann provides some additional details.
Using recent versions of the attack by Albrecht/Heninger, we can calculate the private key from 58 PuTTY P-521 signatures with a 50% probability (59 sigs: 94% success, 60 sigs: 100% success).
🎬 A curated list of movies every hacker & cyberpunk must watch.
A tool to abuse Exchange services
🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2024
CVE-ICU is a research project that automatically pulls all CVE data from the NVD and performs fundamental data analysis and graphing.
OSINT tool to find breached emails, databases, pastes, and relevant information
GOAD is a pentest Active Directory lab project.
Create a vulnerable Active Directory that allows you to test most Active Directory attacks in a local lab.
Phishing domains, URLs, websites and threats database. We use the PyFunceble testing tool to validate the status of all known phishing domains and provide stats revealing how many unique domains used for phishing are still active.
Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.