Can't believe it's been almost a week since Year 0. Congratulations again to our #junkyard winners! https://lnkd.in/dc5Y2iXX
Most Impactful System
- Winner: Grand Central Hack the Planet - Andrew Lemon, Red Threat: bypassing authentication prompts on an Intelight X-1 traffic control system
- Runner Up: Securely Insecure VPN - SeongJoon Cho and DongHyeon Oh, SSD Labs: exposing security flaws in the D-Link DSR-250 VPN Router
Best Meme Target
- Winner: Final Audition - Ben Roytenberg: manipulating operator menu settings on a Pump It Up XX: 20th Anniversary Dance Machine
- Runner Up: ClickShock - Max Van Amerongen, Interrupt Labs: demoing a 1-Click RCE (XSS + Auth RCE) in an mFi mPower Pro WiFi-Enabled Power Extender
Most Innovative Exploitation Technique
- Winner: Just Another Conventional Exploit - Anna Staats, DC Road Runners Club: exploiting a JACE-600E compact embedded controller/server platform
- Runner Up: Cloudy Wrench - Alan Cao and William Tan, Trail of Bits: uncovering legacy vulnerabilities in a Netgear WGR614
Thanks to everyone who competed! Year 1 announcement coming soon - bring us your best (and worst) bugs again next year.
About us
Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology's newest and most challenging risks.
- Website
- https://www.trailofbits.com (external link for Trail of Bits)
- Industry
- Computer and Network Security
- Company size
- 51-200 employees
- Headquarters
- Brooklyn, New York
- Type
- Privately Held
- Founded
- 2012
- Specialties
- software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain and Application Security
Locations
- Primary
497 Carroll St
Brooklyn, New York, 11215, US
Trail of Bits employees
Updates
-
Threat modeling the TRAIL of Bits way! Our TRAIL (Threat and Risk Analysis Informed Lifecycle) threat modeling process guides clients through identifying and mitigating security risks in their systems, software, and SDLC. Read the blog: https://lnkd.in/gQxJbzmj
Why invest in a TRAIL threat model?
1. Identify key threats and practical mitigation strategies
2. Substantiate future security investments with data-driven insights
3. Build defensible security postures for your applications
While most of our threat modeling work remains confidential, we've published a handful of public examples demonstrating our approach:
- Kubernetes Threat Model: https://hubs.la/Q038K1cK0
- YOLOv7 Security Review: https://hubs.la/Q038JYr40
- cURL Threat Model: https://hubs.la/Q038JZs90
Whether you're launching a crypto exchange, developing an AI platform, or maintaining traditional applications, our TRAIL threat model identifies critical weaknesses in your systems before attackers can. Contact us: https://hubs.la/Q038J-wz0
-
How Threat Modeling Could Have Prevented the $1.5B Bybit Hack. Our blog explores one of our most popular but rarely published report types, and how adding threat modeling to your organization can save you from becoming the next billion-dollar headline. Read the blog: https://hubs.la/Q038qnhf0
Code audits find bugs. Threat models find disasters-in-waiting. The Bybit hack wasn't about smart contracts; it was about compromised signers and manipulated UIs. The attackers didn't need to break the code when they could break the process. Don't wait until your exchange is the next trending topic for all the wrong reasons. Proper threat modeling could have spotted the exact weaknesses exploited at Bybit before $1.5B walked out the door. Contact us to learn more about our Threat Modeling services: https://hubs.la/Q038qlKg0
-
Trail of Bits is a Silver Sponsor of RE//verse! With expertise in security research, engineering, and software assurance, they help organizations tackle their hardest security challenges. Check them out here: trailofbits.com
Trail of Bits
trailofbits.com
-
The $1.5B Bybit hack marks a new era in cryptocurrency security. Attackers have moved beyond technical exploits to sophisticated operational attacks. Read our initial analysis of this historic breach and its industry-wide implications: https://lnkd.in/e8nBjUaH
The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
blog.trailofbits.com
-
Join Brad Swain and Alexis Challande at DistrictCon (Saturday 11:30 AM ET) to discover how we identified recursion-based DoS vulnerabilities in widely used software. Based on our white paper, learn how to use CodeQL as an offensive strategy to discover hidden weaknesses. Read the blog: https://hubs.la/Q037Nzdr0
Will Tan and Alan Cao will also be competing in the Junkyard competition, a pwnathon for End-of-Life targets, with two submissions codenamed CLOUDY WRENCH and BEACON PRISM. Stay tuned for after the competition to learn more about the vulnerabilities and exploits!
Don’t recurse on untrusted input - The Trail of Bits Blog
districtcon.org
-
RECORDED TALK #BlackAlps24: "Start them early and keep on keepin' on. An industry perspective on automated protocol analysis for designing and iterating cryptographic protocols" by Marc Ilunga, Security Engineer II (Cryptography) at Trail of Bits. https://lnkd.in/ePNqpKGJ #conference #cybersecurity #switzerland
An Industry Perspective On Automated Analysis For Designing Cryptographic Protocols - Marc Ilunga
https://www.youtube.com/
-
In 2024, we assessed cURL's HTTP/3 components thanks to Open Source Technology Improvement Fund, Inc (OSTIF)! This marks our 14th successful security assessment with OSTIF since 2019, reflecting our shared mission of securing the open-source technologies that power modern digital infrastructure.
OSTIF's commitment to open-source security is detailed in their newly released 2024 annual report and SovTech audit report. These comprehensive documents showcase how systematic security assessments of critical open-source projects create a more resilient technology ecosystem.
- OSTIF annual report: https://lnkd.in/dZitiRB5
- SovTech Agency annual report: https://lnkd.in/g-S7awnw
For the cURL audit, we focused on the ngtcp2 back end and fuzzing coverage. We:
- Found two issues
- Improved existing fuzz tests
- Created new fuzz tests to enhance coverage
- Provided additional testing and security recommendations
Audit: https://lnkd.in/gzZstijA
Beyond OSTIF open-source projects, we assessed Ruby Gems, Gradio, and other critical infrastructure in 2024 while developing new security tools and resources for the community and pushing 750 PRs into open-source code.
- Auditing Gradio 5: https://lnkd.in/dDFgdVAa
- Auditing Ruby Central: https://lnkd.in/grGQyjFZ
- Appsec guide: https://appsec.guide/
- 2024 Open-source contributions: https://lnkd.in/dGj42Uwj
OSTIF 2024 Annual Report – OSTIF.org
github.com
-
#Hackers aren't just targeting networks anymore, they're targeting your #AI systems. On this episode of #YourAIInjection, host Deep chats with Keith Hoodlet of Trail of Bits to reveal the critical AI #security flaws some companies overlook, and how to stop them. The two dive into everything from #adversarial testing and prompt injection to API #vulnerabilities. Learn how to #guard your #chatbot against intruders now: https://lnkd.in/gcHqZFu2