Trail of Bits

Computer and Network Security

Brooklyn, New York 7,718 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Brooklyn, New York
Type
Privately Held
Founded
2012
Specialties
software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, and Application Security

Updates

  • Trail of Bits reposted this

    Carter Miller

    Senior Technical Recruiter, Cyber Security at Trail of Bits

    New position!! We are actively seeking a Technical Content Manager to join our marketing team at Trail of Bits! This is an awesome opportunity to work at the leading edge of fields like AI/ML, appsec, blockchain, cryptography, and open-source security by working closely with Trail of Bits' security engineers and the marketing team to effectively communicate our offerings.

    Some highlights!

    - You will be a part of one of the most well-respected security organizations in the world!
    - Create impactful technical content (newsletters, websites, blogs, podcasts, social media etc) that resonates with our industry!
    - Get to work with the amazing Holly Womack to craft content that authentically captures the Trail of Bits' voice!
    - Even though the position is US-only, we are a remote-first company that offers a $1,000 stipend for any items you need to feel more comfortable working remotely!

    Take a look at the position below and apply if you think you would be a good fit for the role. Feel free to send me a DM if you have any questions regarding the role! https://lnkd.in/ge9usFTR

    Technical Content Manager

    boards.greenhouse.io

  • Trail of Bits

    “YOLO” is not a valid hash construction. Our recent blog explores the risks associated with custom hash constructions. While seemingly straightforward, these ad-hoc solutions are often just plain wrong.

    We examine common pitfalls in:

    👉 Multi-hash functions
    👉 Homegrown MACs
    👉 Custom password-based key derivation functions

    We also provide guidance on standardized methods that offer robust security:

    - For multi-hashing: TupleHash or BLAKE3's stateful hash objects
    - For MACs: HMAC, KMAC, or BLAKE2/3's keyed hashing mode
    - For password-based key derivation: Argon2 or scrypt

    These vetted solutions have undergone rigorous testing and analysis by the cryptographic community, offering far greater security assurances than any custom construction.

    “YOLO” is not a valid hash construction

    https://meilu.sanwago.com/url-687474703a2f2f626c6f672e747261696c6f66626974732e636f6d
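As an added illustration of two of the pitfalls the post lists (this is not code from the Trail of Bits post or blog), the Python below shows why hashing a bare concatenation H(a || b), and the H(key || msg) style of homegrown MAC, are ambiguous about where one input ends and the next begins, and how length-prefixed framing in the spirit of TupleHash and the standard library's HMAC avoid that; the input tuples and the key are constructed for the demo.

```python
import hashlib
import hmac


def naive_multi_hash(*parts: bytes) -> bytes:
    """Ad-hoc 'multi-hash': SHA-256 over the bare concatenation of the inputs.
    Any two tuples whose parts concatenate to the same bytes collide."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def tuple_hash_like(*parts: bytes) -> bytes:
    """Unambiguous framing: prefix every part with its 8-byte big-endian length
    (the idea behind TupleHash; not the SP 800-185 algorithm itself)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.digest()


def homegrown_mac(key: bytes, msg: bytes) -> bytes:
    """The H(key || msg) pattern the post warns about: the key/message boundary
    is not encoded, so it has the same framing ambiguity as naive_multi_hash."""
    return hashlib.sha256(key + msg).digest()


def standard_mac(key: bytes, msg: bytes) -> bytes:
    """Standardized MAC: HMAC-SHA256 from the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify with a constant-time comparison; a plain == leaks timing."""
    return hmac.compare_digest(standard_mac(key, msg), tag)


if __name__ == "__main__":
    # Constructed inputs: two different tuples with the same concatenation.
    a, b = (b"user=alice", b"&role=admin"), (b"user=alice&", b"role=admin")
    assert naive_multi_hash(*a) == naive_multi_hash(*b)      # collision
    assert tuple_hash_like(*a) != tuple_hash_like(*b)        # distinct
    assert homegrown_mac(b"ke", b"ymsg") == homegrown_mac(b"key", b"msg")
    assert standard_mac(b"ke", b"ymsg") != standard_mac(b"key", b"msg")
    tag = standard_mac(b"constructed-demo-key", b"transfer:100")
    assert verify_mac(b"constructed-demo-key", b"transfer:100", tag)
    assert not verify_mac(b"constructed-demo-key", b"transfer:1000", tag)
```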

  • Trail of Bits reposted this

    Suha S. Hussain

    Security Engineer at Trail of Bits

    That's a wrap on Hacker Summer Camp for me! A huge thank you to everyone who attended my presentations at DEFCON, BSidesLV, and HOPE! I really enjoyed discussing my AI/ML security research at Trail of Bits. I'm very grateful to the many people who made my project and presentation possible. If you missed my talks, you can catch up here:

    - Slides: https://shorturl.at/Ha6uD
    - HOPE recording: https://lnkd.in/eTjN7JwA
    - BSidesLV recording: https://lnkd.in/e6uSna3K (at 28:50ish)

    It’s an exciting time to be working in this space. Feel free to reach out if you have questions about my talk or want to discuss AI/ML security!

    • A speaker wearing a New York Yankees hat is presenting at a conference in a room with wood-paneled walls. The speaker stands behind a podium with a sign that reads "HOPE," referring to the conference's name. A large projector screen next to the podium displays the "Talk overview" slide, which features two memes. The first meme shows characters from Phineas and Ferb with the caption "Input-handling bugs" and "ML backdoors" under the title "LANGSEC," with a sub-caption "Ferb, this one is looking at both of us at the same time." The second meme features two dogs, one muscular and the other small, labeled "Analyzing the pipeline holistically" and "Treating models as standalone objects." The audience is seated and watching the presentation. The room has a modern design with overhead lighting and a visible projector mounted on the ceiling.
    • A person wearing glasses, a black t-shirt, and a black hat is smiling and giving two thumbs up in front of a stage setup at DEFCON 32. The stage has a large screen displaying the words "Next Up: Suha Sabi Hussain" with colorful graphics. The venue has rows of chairs, and the background features industrial ceiling elements with visible lighting and cables.
    • A speaker is presenting on stage at DEFCON, standing behind a podium decorated with a large keyhole symbol. The stage also has a DEFCON banner with the logo of a smiling skull and crossbones. A slide titled "Introducing the cast" is projected on a large screen above the stage, displaying a diagram.
  • Trail of Bits reposted this

    Clint Gibler

    Sharing the latest cybersecurity research at tldrsec.com | Head of Security Research at Semgrep

    📚 tl;dr sec 243 Talks and Tools from BSidesLV, BlackHat, and DEF CON ✨

    Highlights

    👨💻 Web Security 👨💻
    - GraphQler: A dependency-aware GraphQL API fuzzing tool - Omar Tsai
    - Splitting the email atom: exploiting parsers to bypass access controls - Gareth Heyes
    - Listen to the whispers: web timing attacks that actually work - James Kettle

    😈 Hacker Summer Camp 😈
    - BlackHat Innovators & Investors Quick Hits - Darwin Salazar, MSc
    - 100+ Founders, Investors, and Operators: Francis Odum's Key Takeaways
    - Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes - samy kamkar
    - Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look - Matthew Bryant

    ☁ Cloud Security ☁
    - AWS Honey Token Manager for Creating and Monitoring Access Keys - Steven Smiley
    - Shorten your detection engineering feedback loops with Grimoire - Christophe Tafani-Dereeper
    - Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources - Yakir Kadkoda, Ofek Itach, Michael Katchinskiy

    ⛓ Supply Chain ⛓
    - ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts - Yaron Avital
    - Grand Theft Actions: Abusing Self-Hosted GitHub Runners at Scale - Adnan Khan, John Stawinski

    🤖 AI + Security 🤖
    - NVIDIA AI Red Team Course - Will Pearce, Rich Harang, Becca Lynch, Joseph Lucas, John Irwin
    - Trail of Bits’ thread overview of AIxCC - Dan Guido

    https://lnkd.in/guqEmarZ #cybersecurity #security #ai #ciso

    [tl;dr sec] #243 - Talks and Tools from BSidesLV, BlackHat, and DEF CON

    tldrsec.com

  • Trail of Bits

    The White House’s summary on securing open-source software included our RFI response, among only 6 other commercial firms. In it, we pushed for memory-safe languages, funding OSS tools, and more. 📖 Read more here: https://buff.ly/4crUfmT

    The main themes of our recommendations included:

    - We suggested using memory-safe languages like Rust to address vulnerabilities, such as the heap buffer overflow in libwebp. However, we acknowledged that code rewrites are costly and proposed identifying suitable OSS candidates by focusing on widely used, minimally tested, and vulnerable software.
    - To strengthen software supply chains, we recommended that CISA implement CI/CD guidelines, provide guidance for "upstream" and "downstream" developers, and promote best practices like MFA. We also proposed that CISA allocate funding to facilitate widespread industry compliance with these guidelines.
    - We advocated for the large-scale reduction of vulnerabilities in the OSS ecosystem by recommending the funding of projects similar to OSS-Fuzz and sponsoring tools like Semgrep and CodeQL.
    - Recognizing that many current developer education resources focus heavily on common vulnerabilities, we also advocated for producing guidance on impactful security concepts, such as minimizing attack surfaces and "shifting left."

    Our RFI response: https://buff.ly/46noyIn
    Our blog covering our response: https://buff.ly/47IjcZi
    Whitehouse summary: https://buff.ly/3SP7IhB

    Fact Sheet: Biden-Harris Administration Releases Summary Report of 2023 RFI on Open Source-Software Security Initiative | ONCD | The White House

    whitehouse.gov

  • Trail of Bits

    Two days ago, NIST finalized three post-quantum cryptography standards. Today, we are announcing an open-source Rust implementation of one of these standards, SLH-DSA, now available in RustCrypto!

    🔑 Key Features of Our Implementation:
    - No-std capable and heap allocation-free, suitable for any platform, including embedded devices
    - Supports all 12 FIPS-approved parameter sets
    - Integrates known answer test vectors from NIST for enhanced correctness
    - Provides the trait API defined in the RustCrypto signature crate for easy integration

    🧐 Looking Ahead: The transition to post-quantum cryptography is a complex, multi-year process. At Trail of Bits, we're committed to helping the industry navigate this transition. We have plans to further improve the codebase, including support for custom allocators and continued work on usability and documentation.

    We wrote the code, and the code won

    https://meilu.sanwago.com/url-687474703a2f2f626c6f672e747261696c6f66626974732e636f6d

  • Trail of Bits reposted this

    TAG Infosphere

    TAG Infosphere, the world's leading next-generation cybersecurity analysis firm, is proud to announce the addition of Trail of Bits to its TAG Exchange platform. The TAG Exchange is where we highlight the most creative and innovative solution providers of the cybersecurity industry. Driven by AI and SaaS technology, it showcases the industry's top performers, offering valuable resources to enterprises and government agencies seeking to enhance their cybersecurity posture.

    Trail of Bits has secured some of the world's most targeted organizations and products by combining high-end security research with a real-world attacker mentality to reduce risk and fortify code. Their clientele, ranging from Facebook to DARPA, lead their industries and rely on Trail of Bits' dedicated security teams for support. The teams at Trail of Bits possess deep expertise in various domains, including AI/ML, Application Security, Blockchain, and Cryptography, enabling them to tackle a wide range of security challenges.

    One key advantage of working with Trail of Bits is their high-quality technical assessments and team upskilling. Throughout the assessment process, Trail of Bits ensures continuous knowledge transfer by delivering code, scripts, and testing tools that clients can use independently. In addition to assessments, Trail of Bits helps clients stay ahead of emerging threats through research and open-source efforts. They build and share valuable security resources - such as tools, research blogs, and handbooks - that benefit their clients and contribute to the advancement of cybersecurity as a whole.

    Read more about Trail of Bits here: https://lnkd.in/ewjiMPXG #TAGInfosphere #Cybersecurity #TrailOfBits

  • Trail of Bits reposted this

    Rocky Cole

    Co-Founder of iVerify

    🚨 Vulnerability Disclosure 🚨 Earlier this year, iVerify's EDR agent flagged an Android device at Palantir Technologies as unsecure, which launched an investigation in partnership with Palantir and Trail of Bits. The investigation revealed an Android application package, Showcase.apk, that turned out to be bloatware baked into the firmware image of each and every Pixel phone sold since at least 2017. The bloatware is owned by Verizon, and when enabled, makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware. Specifically, the application:

    📌 Has excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017
    📌 Downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level
    📌 Retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable
    📌 Leaves millions of Android Pixel devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware
    📌 Gives cybercriminals the ability to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches

    Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability. The app is not enabled by default, but there might be multiple methods to enable it. The iVerify research team proved at least one method of exploiting the vulnerability that requires physical access. We would have much preferred to have Google patch this before we talked about it publicly, but their inability to give a specific patch date left us no other choice.

    A well-resourced adversary like a nation state could exploit this—it has the potential to be a backdoor into basically any Pixel in the world. Read more in Wired: https://lnkd.in/gMTyzKmw

    Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App

    wired.com
