06-07, 13:00–13:50 (Europe/Brussels), Kleine Spoel
Over the Easter weekend of 2024, the cybersecurity community erupted in uproar over CVE-2024-3094, a software supply chain attack also known as the XZ Utils backdoor. The CVE carries a maximum CVSS score of 10.0, signifying its critical severity. Security vulnerabilities with the maximum severity score are rare, but critical-level vulnerabilities are quite abundant. What sets the XZ Utils backdoor apart is the scope of the attack and the massive potential fallout it could have generated had it succeeded. Beyond the statistics for this vulnerability, the discovery process and the intricate engineering and social engineering aspects are wildly interesting. Let’s find out what connects a developer at Microsoft, a fundamental open-source project and a set of sock-puppet accounts on GitHub controlled by an advanced threat actor. Brace yourself for an exciting tour past exotic POSIX function control mechanisms, ELF linking symbols, Ed448 keys, APTs and just plain coincidence!
Ever since Kris first came into contact with his dad’s 1983 ZX Spectrum, he has been captivated by the wonderful world of computer programming. In 1995, he learned to program ‘Pacman’ in x86 real-time assembly, which was soon followed by learning C and then C++ and Rust, which came to be his bread and butter. He is very serious about code quality and is mostly interested in C++, Rust, Linux, cybersecurity, programming languages/paradigms, software architecture and performance optimization. He currently works as the lead developer at ViNotion/Nedinsco and as a trainer at High Tech Institute in Eindhoven (NL). If he is not working, coding for fun or doing dad-/husband-related things, he is probably playing the guitar or running out in the woods.