threlfall

Metadata Analysis of flatmap dependency supply chain attack

Investigating future model detection mechanisms for open source project repositories

Posted on May 3, 2021

There’s been hundreds of software dependency supply chain attacks exploiting a range of vectors in the past, with great effect. The July 2020 paper by Marc Ohm et al describes that on average a malicious package is available for 209 days. (𝑚𝑖𝑛=−1,𝑚𝑎𝑥=1,216,𝜎=258,𝑥̃ =67) so naturally, any method to reduce this... [Read More]

Tags: supplychain sdlc

Enterprise Threat Hunting for Dependency Confusion & Typosquatting

The fundamentals once again determine the ease of enterprise response.

Posted on May 1, 2021

This collection of advice is aimed to improve the detection of dependency confusion and typo-squatting attacks at enterprise, where response to such a thing can be tricky due to scale or fragmentation. [Read More]

Tags: threathunting sdlc supplychain

The CEO of SolarWinds (and former CEO of Pulse Secure) is clearly a victim of witchcraft.

Has there ever been such compelling evidence of the existence of magic?

Posted on April 22, 2021

Over the years I have conducted numerous physical and personal security assessments for businesses and executives. Part of that assessment has always included a sweep for hex bags and other physical curses. Using this knowledge, I must state that the CEO at the center of two of the most serious... [Read More]

Tags: humor test