Indiana Moreau Security Engineer, Security Innovation
Indiana is a security engineer at Security Innovation who specializes in testing web applications, APIs, and cloud configurations. He has a background in web development and previously worked in telecommunications and banking, performing penetration tests and security assessments. In his spare time, he works on personal coding projects and eats copious amounts of sushi.
Talk: Repo Jacking: How Github usernames expose 70,000 open-source projects to remote code injection
Does your project depend on a Github repository? It might become vulnerable to remote code injection simply due to one small Github feature. This talk will discuss ‘repo jacking’, an obscure supply chain vulnerability that allows attackers to hijack Github repositories and achieve remote code execution through dependency injection. This vulnerability has become exceedingly widespread in open-source projects and over 70,000 projects are affected. This vulnerability can affect any language and has been found to impact small personal games, huge web frameworks, cryptocurrency wallets, and everything in between. Come learn about this vulnerability, what causes it, why it has gone unnoticed for so long, and how to exploit it. Learn how you too can scan all open-source projects for this vulnerability, look for other similar vulnerabilities, and build dependency graphs to fully understand the impact of these types of issues. Finally, come hear about the outcome of this analysis, see how prevalent it is, who is impacted, and discuss some important mitigation strategies that you can use to protect your own projects from this, and other supply chain attacks.