Malware Crates IO | Prime Reacts

No video

Malware Crates IO | Prime Reacts

Рет қаралды 28,702

ThePrimeTime

Күн бұрын

Пікірлер: 81

@kuhluhOG Жыл бұрын

Here's how (as a company) you protect yourself against these types of supply chain attacks: 1. Host your own internal registry. 2. The packages in there are actually vetted by your security team (that's way more important than you might think). At the same time you can also ensure to actually comply with the licenses of these packages (you would be surprised at how often it happens that developers just forget that; here a reminder: if you use an MIT licensed software, you need to give credit; if you have a hundred dependencies with that licenses, that goes for every single one). 3. If a developer needs a new package, they tell that team and until it's in there do some other ticket (you probably have a few hundred anyway).

@TMRick1 Жыл бұрын

You nailed it. On my job we have a curated repository of R packages. It's better for security and version control and avoids the scenario of things breaking on a snowball effect. We can't have the risk of a CRAN package going down or being buggy.

@AllanSavolainen Жыл бұрын

Also as a nice side effect, this keeps the number of external packages lower as you cannot just include half the world to your project. And internal repo/cache for packages is important. Our rule is that the software must compile without internet connection, only local network resources are allowed.

@kuhluhOG Жыл бұрын

@@AllanSavolainen yep, having a local one has MANY advantages

@complexity5545 Жыл бұрын

Even home users could setup a directory or NAS that scans every download. They need to build this functionality into [cargo] (so rust devs don't have to solely depend on a single domain to do security checks (all the time)).

@tylermfdurden Жыл бұрын

"they're self promoting..." an open source solution to an actual problem, with a well-written article explaining the problem

@Kane0123 Жыл бұрын

Can’t satisfy some people.

@louis-phylum 11 ай бұрын

(I'm one of the co-founders @ Phylum) We really try and limit our marketing/advertising in our research reports (and let's be honest, idk anything about marketing and am a big fan of the Pi-hole) . I hope the writeups come off as informative and interesting and not needlessly self-aggrandizing!

Жыл бұрын

The perfect code interview: > cargo add postgress Then > cargo run And you get > "Joke!)" You passed the test blazingly fast!

@yannick5099 Жыл бұрын

Package names like fast-postgres would probably work as well. Who doesn't love blazingly fast stuff?

@ThePrimeTimeagen Жыл бұрын

yep!

@MegaHarko Жыл бұрын

python devs?

@jrockenjoyer Жыл бұрын

@@MegaHarkofastapi

@replikvltyoutube3727 Жыл бұрын

But not everyone use postures, something like fast-json would be much worse

@Slashx92 11 ай бұрын

FastLeftPad

@Fan_of_Ado Жыл бұрын

I like Golang's way of not having a centralized registry. Importing from GitHub etc makes it much more difficult for typosquatting to work since you'll most likely be copy&pasting.

@sohn7767 Жыл бұрын

Prime also likes. I wasn’t and am still not fully in the know as to why though. Name squatting is one such thing though, good to know.

@alexstone691 Жыл бұрын

9:12 Docker as the devs themselves said is NOT a sandbox and should never be used as one

@complexity5545 Жыл бұрын

Even Docker devs say not to do it, but there exists major companies that (idiotically) use docker to publish websites. That's the way somebody on youtube told them to do it. ...Ha

@louis-phylum 11 ай бұрын

This is exactly right. The Docker docs explicitly say that Docker is _NOT_ a security boundary. The Phylum sandbox is leveraging Landlock on Linux machines, which is baked into the kernel directly. On MacOS we're using the same facilities as Chromium to lock down processes.

@reikooters Жыл бұрын

"Joke!)" - Russian smiley

@BryanSeigneur0 Жыл бұрын

Why in the name of all that's holy wasn't crates designed to be nested-named so that squatters have to squat the distinctive top-level names of the individual devs or companies?

@k98killer Жыл бұрын

Redoing crates to have a hierarchical namespace is an ongoing discussion in the Rust community, unless they resolved not to do it within the last couple of weeks since the last time I read about it.

@clickrush Жыл бұрын

It’s almost embarrassing. Namespacing package registries was a thing way before Rust and cargo.

@k98killer Жыл бұрын

@@clickrushThe article linked in the description contains a link to another article written by Phylum about several threat actors doing supply chain attacks through PyPI. In those cases, the flat namespace was not really the cause of the issue, and the blacklisting by PyPI admins was a cat and mouse game. Pretty good articles if you're interested in InfoSec stuff.

@ykmnkmi Жыл бұрын

@@clickrush *good thing*

@janAkaliKilo Жыл бұрын

hierarchical namespace fixes name-squatting problem, but doesn't fix typo-squatting one: 'tokio/rustjs++' --> 'tokip/rustjs++'

@pokefreak2112 Жыл бұрын

blazingly safe malware

@notapplicable7292 Жыл бұрын

This is horrifying. I'm already extremely paranoid at work about adding any package but seeing this is doubling my paranoia.

@louis-phylum 11 ай бұрын

Then I won't tell you about the Discord channels we infiltrated where attackers claimed to have stolen $20k from a dev as a result of said dev installing a malicious package 😬

@AlecMaly Жыл бұрын

Good to see security getting some love on this channel.

@SvetlinTotev 11 ай бұрын

Package managers are like double-edged swords with blades for handles.

@rawpointer Жыл бұрын

Idiotic consolation for us C++ developers: dependencies are so hard to get in your project (you need to be a senior CMAKE developer), it's not worthy to have malware injected in libs....

@istasi5201 Жыл бұрын

man, prime should make a tps display, im pretty sure we are getting close to 1 tear per second

@complexity5545 Жыл бұрын

Now you have to run a virus scanner on rust projects. Ha.. Rust..and the corruption begins. "With great adoption, will come the criminals to subvert it, and then the government that claims to protect you". Rust needs to create an official [cargo/rust cache daemon], so downloaders can pull all files over the network into a directory or partition. Then the company runs their own virus scanners against rust downloads. Most (smart) companies create a NAS, NFS, squid and scan the h311 out of it. But somebody in rust needs to package that up into a plugin or script or installer. If everyone is scanning their local directory, then malware might have a higher probability to be found on the zero day. Maybe setup a company wide nfs||[NAS] that everyone uses to save and pull files. Either way, this event happens to create a great argument to appoint a czar to authorize crates. Just like the plan...LOL. It probably was someone in N.Korea or a poser. This is a real good video for the Pen Testers out there.

@Benni1000games Жыл бұрын

Surely it must be possible to detect most potential typosquatting based on heuristics or some clever computer science magic. You should not even be allowed to create packages with similar names in the first place, this seems like an easy win that could be implemented by the crates team. Even if they implemented that rule only for packages with over a certain amount of installs that would already be a huge improvement.

@spuzzdawg 11 ай бұрын

Nothing is ever that simple. You can use 'edit distance' to quantify the similarity between two strings. But there are lots of cases where similar names are legitimate.

@Omnifarious0 Жыл бұрын

This is why I don't like Rust and Go. It's just so trivial to end up downloading a whole ton of stuff, often directly from the repo. Sometimes even stupidly at a tag (like 'master') that allows the repo owner to change what you get at any time. Python is a little better, but still doesn't let you name dependencies by hash (which at least Go and Rust can do even if people stupidly don't do it).

@ThePrimeTimeagen Жыл бұрын

go is much much different (requires a website addr) and python is definitely no better

@Omnifarious0 Жыл бұрын

@@ThePrimeTimeagen - Thinking about it, you're right. Python really is no better. *sigh*

@DanielJoyce Жыл бұрын

Every language with a repo system is suffering this problem. Every single one. It's not just rust it's all of them. And cryptocurrency is what made it so lucrative.

@doomguy6296 Жыл бұрын

"I dont't like the fact baddies try to take advantage of the system, therefore, I don't like the system" You could configure Cargo to work offline with a custom repository that you manage. It requires some work. Also, Cargo has system in place to recognize such behaviour. But as long as you are using an online, open and free repository, of any programming language, then you have risks. Cargo-audit anf Cargo-deny are excellent tools that are free and open source that can help detect vulnerabilities in the supply chain. Other languages usually use payed products to do the same. And baddies? they make attempts on everything. You must be hating the internet by now ;)

@k98killer Жыл бұрын

This is a pretty close analog to a system I was thinking about making as a stretch goal for an SDK.

@doomguy6296 Жыл бұрын

"No one. Rust in production doesn't exists" *Rust in production developers* 😴

@mpotane Жыл бұрын

Saw this in rust weekly

@nobodyspecial7097 Жыл бұрын

Those who trade privacy for safety will have neither.

@KrakonosovoBabka Жыл бұрын

if you write software in way that you install packages because their name seems fitting functionality you need, you are not developer.

@claudiodev8094 Жыл бұрын

Here's how you do it... make an actual useful package... say left-pad. Have it dormant for a few years and then BOOM. I'd be surprised if we npm isn't already a minefield waiting to explode

@louis-phylum 11 ай бұрын

Open-source is a house of cards at the moment. We (Phylum) did a research effort to determine which authors had high centrality in the ecosystem graph. That is, which authors have gotten packages upstreamed from major projects and who many other packages depend on. We found a handful of individuals who have published hundreds of mostly useless packages (think lef-pad). We then cross referenced these users against known data breach information. Here's where it gets scary: Several of these authors have appeared in multiple data breaches across several years, have trivially crackable passwords and have never bothered to update their passwords post breach. They also have packages upstreamed from major projects, as a dependency of a dependency of a dependency of said major project. If one of these guys is compromised, the entire ecosystem falls. It's going to happen. The question is just when.

@denissorn 11 ай бұрын

What's that IDE in the background?

@lancemarchetti8673 Жыл бұрын

Why we don't impress more on IRC I don't know 😅

@lonterel4704 11 ай бұрын

In python dashes and underscores in a package name are equivalent

@Slashx92 11 ай бұрын

Neat tbh

@cbbcbb6803 Жыл бұрын

I prefer the word hyphen over the word dash. And I like hyphens much more than underscores.

@Slashx92 11 ай бұрын

I prefer dash but it may be because I’m adn ESL speaker, it may be because it’s more simple lol

@anon-fz2bo Жыл бұрын

only a few mins in but yea thats some sneaky nefarious s*hit

@user-qr4jf4tv2x Жыл бұрын

damn man maybe that's why go stick to pure go instead of relying on packages

@PinakiGupta82Appu Жыл бұрын

More appropriately, it should be Post-Grease or Post-Grese.

@homelessrobot Жыл бұрын

Post-Greece

@nomadshiba Жыл бұрын

i don't like package services, just use urls

@MrQuantumCodes Жыл бұрын

Big fan prime!

@alexandrucomanescu9857 Жыл бұрын

Crates should have hashes that have to be copy/pasted manually before installing. By doing so you also know for sure that the content isn’t altered. Npm’s ‘^’ for versioning is the worst thing that happened to dev world.

@alexandrucomanescu9857 Жыл бұрын

Also package installs should include the author/organization name. I cannot express how much I hate that it is not required.

@DanielJoyce Жыл бұрын

A ttposquatted package would have a matching hash valid to its contents. The hash fixes nothing here.

@alexandrucomanescu9857 Жыл бұрын

@@DanielJoyce You would have to get the hash manually. It would not be installed automatically and by doing so, you visit the author page. The checksum would never match if the attacker changes one bit.

@spuzzdawg 11 ай бұрын

@@alexandrucomanescu9857I'm not getting how the hash helps. For a typosquatted repo, the squatter probably owns an associated GitHub repo. So they control the most likely place you'd get the hash from.

@C4Oc. 11 ай бұрын

@@DanielJoyceThe malware package would have a matching hash to its own contents, yes, but not to the real package's contents (Well, it couldn't be malware if the real one wasn't and they were both matching in contents(

@scottdrake5159 Жыл бұрын

It's not open source. This story is an advertisement, I'm afraid. Is there a significant difference between a crate with "telemetry" that talks to a server where a company sells anonymized data, and a "security" scanner server API that collects data? If it was a third-party reporting this, or if the server code was open (e.g., AGPLv3), I'd have been more credulous. But this doesn't sound like a good idea.

@louis-phylum 11 ай бұрын

I honestly don't know if there'd be much value in open-sourcing the API. It's some basic CRUD stuff. The bulk of the work occurs in our big data pipeline, which does the heuristics/analytics on the packages as they are published. It's _very_ expensive to run at scale (currently analyzing about 30-40k packages and around 2-3M files _each day_). The API itself doesn't collect much information at all (you can verify this by watching the network traffic or looking at the open-source CLI). Merely the package lockfile information: ecosystem, package name and package version. The team hates ads (probably 100% of the team is running Pi-hole) so we really try and keep our research reports as technical as possible. The platform is free for devs and small teams, and we're continuing to open-source as many things as possible (just pushed out a PURL Rust lib recently).