Tag: security
Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau
So most of you will have the Slovak ‘NBU’ on your RSS speed-dial, but I found I was a bit behind on my reading of it. As I was catching up, skcsirt-sa-20170909-pypi caught my eye. In a nutshell, it's about a phenomenon called ‘typo-squatting’. In this case, Python-package name squatting (called pytosquatting). So there is…
Software supply chain risk management robots
It finally happened to you. A developer used ‘import A’. A pulled in B, B pulled in C, D. D pulled in E… and somewhere along that chain evil lurked. Now all your bits are belong to l33t hackerz. So like all things in life, it's time to over-react after the fact (something about…
My webinar today on surprises in cloud security migration
One of the things that people felt was controversial about my message was “end-point security is no longer a thing”. I’m saying this from the standpoint of: instances are short-lived (hours/days, not months/years); instances are dynamically scaling in and out; cloud-native applications (usually) run a single process per instance/container, with no space for another (you could…
The return of the bike thief: spoiler, the lock held, but my hands were cold
Came out last night and… some nibble marks on the lock, and my gloves are gone from the glove compartment. So it was a very thumb-numbing ride in this am @ 2 degrees! But… the lock held, which is the important part. Rot in hell thief. I stopped carrying the ‘massive chain’ since it was…
One letter ~= 700K. The taxpayers of DC are sad
This is a common tale. A scammer gets a bit of inside information. Perhaps the name of a supplier. In the case of this Alberta University, $12M was siphoned (details here). In the case at hand, the city government of Washington DC wired $700K to a fake supplier. An email comes in, it looks right.…