tmlxs (@tmlxs): 29 followers, 38 following, 1 media, 27 statuses
In this cautionary tale of averting a large-scale supply chain attack, a follow-up to Kudelski Security researchers @tmlxs and @nathanhamiel’s Black Hat USA presentation, we detail our RCE on CodeRabbit’s production servers and write access to 1m repos. https://t.co/SAUyzFz8o1
Here is our detailed write-up of the CodeRabbit vulnerability, one of the vulnerabilities @tmlxs and I highlighted in our @blackhatevents USA presentation. This is the one where we had access to a million repositories. We show how to go from PR to RCE. A patient attacker could
Glad to see our AI-powered fuzzing work inspire the research community to try this on Rust targets successfully ($3, 14 bugs, 34 fuzzers in 37 projects). Wait on some of our new results on Gemini!
🦀 Using AI to Automatically Fuzz Rust Projects from Scratch New tool, Fuzzomatic, can automatically generate fuzz targets for @rustlang projects → Found at least one bug in 14 projects (38%) Code: https://t.co/eTj1yen3yy By @KudelskiSec
https://t.co/FZCA4hFMP8
@KudelskiSec's @tmlxs releases the code behind his latest project, Fuzzomatic — an automated fuzz target generator and bug finder meticulously crafted for Rust projects, written in Python! https://t.co/r3dvVqD2xL
#Fuzzing #Python #Rust #AI
Introducing Fuzzomatic. A Python based fuzzer for Rust that uses AI assistance, allowing for completely from scratch fuzzing. Fuzzomatic has a few tricks up its sleeve, too. It can perform fixes and parse various artifacts to generate fuzz targets. https://t.co/y0JkkMjmDm
Today I’m happy to announce a new paper Addressing Risks from AI Coding Assistants. A realistic look at tools like #GitHub #Copilot and #ChatGPT for development tasks, outlining the risks and providing mitigation advice for security and development teams.
AI coding assistants: development utopia or buggy nightmare? As @nathanhamiel paper shows, it all depends on understanding the risks and mitigating them. Click the link and read on: https://t.co/J8r7vxydrf
#risks #ChatGPT #Copilot
The @KudelskiSec Research Team discovered a novel attack on ECDSA that they call Polynonce and applied it to datasets like Bitcoin and Ethereum networks. Are private jets in their future? Details and open-source tools to test the attack here: https://t.co/lcsdxmxHk4
Based on their presentation at @sstic, Kudelski Security's Sylvain Pelissier and Nils Amiet's latest blog post covers GPG and whether it resists memory forensics. Read more:
⚡Tech Speaker Alert! 🧠GPG memory #Forensics 💡Nils & Sylvain @Pelissier_S (@KudelskiSec) will demonstrate techniques to retrieve #passphrases & #encryption keys from a memory dump 😎Join us➡️ https://t.co/yyWjER3Xjf
#NullconBerlin2022 #Infosec
It's now possible to detect and fix security issues with Semgrep's Autofix feature as long as the rule that matched is autofix-capable. Check out some real-world examples in Kudelski Security's Nils Amiet's latest blog post: https://t.co/QeNhzm8lrj
#semgrep #autofix #securityissues
It's always a rarity when we find a really good manual on smart contract hacking. Today, we have such a manual for you! 👉 https://t.co/SvXTVRtbCU - Blockchain Vulnerabilities in Practice.
Today we released oramfs, a simple, flexible, Free Software ORAM implementation for Linux written in Rust https://t.co/0hZmzzU6M9 Join us on Wednesday July 7th at 4:10pm CEST when we present oramfs at #pts21 #Linux #OpenSource
Did you miss #PassTheSALT? That’s okay. In his latest blog post, you can view Nils’ slides and even watch a recording of his talk on replacing #passwords with #FIDO2. Click here.
#DifferentialPrivacy provides a measurable way to balance privacy & data accuracy when publicly releasing aggregate data on private datasets. @KudelskiSec's Nils Amiet's latest blog is a hands-on, applied comparison of several popular libraries
A very interesting article from @KudelskiSec. The Kudelski research team describes the #FIDO2 security model and covers advanced topics at the heart of the protocol, such as attestations. #cybersecurity #trust
https://t.co/dqINxJMDlU
Organizations still have a #password problem. In his latest post, @KudelskiSec's Nils Amiet dives into #FIDO2, specifically on the topics of #attestations, #trustmodel, and #security. Read it here.
With just a little bit of money, you can perform a power analysis on a target. Learn more in @KudelskiSec's @Baldanos' latest #ResearchBlog article, Power (Analysis) to the People.