More stories

  • The top 1,000 open-source libraries

    When you think of important open-source projects, you almost certainly recall Linux, the Apache Web Server, LibreOffice, and so on. That’s true: these are vital. But beneath them are the critical software libraries that empower hundreds of thousands of other programs, and these are far less well known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF) recently put together a comprehensive survey of these under-the-hood critical programs, Census II of Free and Open Source Software – Application Libraries.


    This is the second such study. The first, 2020’s “Vulnerabilities in the Core,” a preliminary report and Census II of open-source software, focused on the lower-level critical operating system libraries and utilities. This new report aggregates data from over half a million observations of free and open-source (FOSS) libraries used in production applications at thousands of companies. The data came from Software Composition Analysis (SCA) scans of the codebases of thousands of companies, provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.

    The purpose, besides simply wanting to know which are indeed the most popular open-source application libraries, packages, and components, is to help secure these projects. Until you know what’s important, you can’t know what you need to secure first. For example, the heretofore relatively unknown log4j logging package became a massive security problem when the Log4Shell zero-day was revealed. Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious vulnerability I’ve seen in my decades-long career.” This bug affected tens or hundreds of millions of devices and programs.

    Kevin Wang, FOSSA’s Founder and CEO, observed: “The ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software.” Only by understanding our “open source dependencies can we improve transparency and trust in the software supply chain.”

    Mike Dolan, the Linux Foundation’s senior vice president of Projects, added, “Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support. Open-source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces.”

    This census breaks down the 500 most used FOSS packages in eight different areas. These are different slices of the data: versioned versus version-agnostic, npm versus non-npm package managers, and direct versus direct-and-indirect package calls. For example, the top 10 version-agnostic npm JavaScript packages that are called directly are lodash, react, axios, debug, @babel/core, express, semver, uuid, react-dom, and jquery. These, and the other top libraries, need to be closely watched for any security issues.

    Besides simply listing them, the survey’s authors, from Harvard University, made five overall findings:

    1) There’s a need for a standardized naming schema for software components. As it is, the names aren’t random, but there’s not a lot of rhyme or reason to them either.

    2) We need to clean up the complexities of package versioning. Can you tell at a glance what version a package is? You can if you work on that program, but if you just use it as a brick in your higher-level software, it can be a mystery.

    3) Much of the most widely used FOSS is developed by only a handful of contributors. Everyone knows the XKCD cartoon of a giant software stack that all depends on a single developer in Nebraska. The sad and funny thing about this is that it’s not a joke. We still depend on code that relies on a sole programmer.

    4) Improving individual developer account security is becoming critical. With hacking attacks on developers becoming more common, we must protect their accounts like the crown jewels of development they are.

    5) Legacy software in the open-source space needs to be cleaned up. Usually, we think of legacy software in terms of that one guy we all know who’s still running Windows XP. But old, crufty code lives on in open-source repositories as well.

    That said, while this survey is useful, the work is far from done. All the participants in this report are planning to work on another study. This is only a precursor to more exhaustive studies to come, to better understand these critical pillars of our information infrastructure.

  • These old security vulnerabilities are creating new opportunities for hackers

    Old security vulnerabilities in corporate networks are leaving organisations at risk from ransomware and other cyber attacks as hackers look to actively exploit unpatched systems and legacy software. Analysis by cybersecurity researchers at F-Secure suggests that 61% of security vulnerabilities which exist in corporate networks are from 2016 or even older, despite patches being available for five years or more. Some of the vulnerabilities which continue to be exploited to breach networks are more than a decade old.

    One of the most common unpatched vulnerabilities plaguing businesses is CVE-2017-11882, an old memory corruption issue in Microsoft Office, including Office 365, which was uncovered and patched in 2017 but had existed since 2000. According to F-Secure, it’s one of the most actively exploited vulnerabilities on Windows. The vulnerability requires little interaction from the user, making it useful for cyber criminals running phishing campaigns. Researchers note that since it was detailed in 2017, the vulnerability has regularly been used by hacking groups, including Cobalt Group.

    Other common vulnerabilities detailed in the research paper include CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 which was detailed in 2012, and CVE-2013-1493. Security patches to protect against these vulnerabilities have been available for years, but many organisations haven’t applied the updates, leaving them vulnerable to various cyber criminal intrusions.

    According to the report, organisations see ransomware as the key cybersecurity threat they face, but the same vulnerabilities can also be exploited by cyber criminals looking to implant trojan malware, or to gain access to networks by stealing usernames and passwords. But it’s not just cyber criminals who pose a risk to organisations: nation-state backed hacking groups will often use the exact same vulnerabilities because they provide relatively easy access to networks.

    Identifying and managing vulnerabilities can be a difficult task, especially for large organisations with vast IT estates, but the most effective way to prevent cyber criminals from exploiting vulnerabilities is for the IT department and information security teams to know what’s on the network and move to protect it, by applying security patches, hardening defences, or both.

    “Organisations that understand their IT estates, what opportunities they have to detect attacks, and what risks and threats are facing their industry, can prepare themselves to mitigate most of the damages caused by the kind of ransomware attacks we see today,” said F-Secure global head of incident response Joani Green, who also warned that plans should be put in place for how to deal with successful attacks. “Detecting attacks is obviously the first step, but organizations that prepare a full plan for responding can put a stop to these incidents in a matter of hours instead of days or weeks,” she said.

  • Google: To stop phishing and malware we're changing our comment notifications

    Google has made a small but important change to how it presents comment notifications in Docs messages to help users spot phishing email attempts. Over the past year, the Google Workspace app Docs has gained new collaboration features like @mentions that aim to modernize productivity software. But as ZDNet’s Jonathan Greig noted in January, hackers were exploiting the feature by adding @mentions in Docs that trigger an email to the target’s inbox. In that attack, the commenter mentions the target with an @ and an email is automatically sent to the target’s inbox. The email arrives from Google with the full comment as well as potentially malicious links and text.

    But as security firm Avanan noted at the time, the main problem was that the message triggered by the @mention didn’t display the email address of the commenter — only their name. The absence of the commenter’s email address made it easier for the attacker to phish a target for credentials by pretending to be someone the recipient knows and trusts.

    Google has responded to this phishing attack by now including the email address of the person whose @mention generated the email from Google. “When someone mentions you in a comment in a Google Workspace document, we send you an email notification with the comment and the commenter’s name. With this update, we are adding the commenter’s email address to the email notification,” it notes on its Workspace updates blog. Google says it hopes that users “feel more confident that you’re receiving a legitimate notification rather than a spam or phishing attempt by a bad actor.”

    It’s a small change on Google’s side that should help not just Gmail users but also Microsoft’s Outlook users. Avanan found that most of the automatically generated comment emails were targeted at Outlook users. That the email comes from Google also helped it evade email filtering systems, since Google is generally trusted.

    Google says the update is available for all Workspace customers, legacy G Suite Basic and Business customers, as well as users with a personal Google account. Google also updated Workspace to counter information leaks. Workspace admins can now see events in Drive audit logs that happened in their own organization as well as in external organizations. The Drive audit log includes content that users create in Google Docs, Sheets, and Slides. Google has updated its support page for the feature: “Some events involve domains outside your own; for example, when a user copies a file to another domain. Some of these events are reported in the Drive audit logs of both your domain and the external domain. Names of external documents are not included in audit log entries.” Now, actions including moving, copying, and changing access on Drive items that can involve external domains are reported in the Drive audit logs of both domains, it said.

  • Microsoft suspends all new sales of Microsoft products and services in Russia

    Microsoft is suspending all new sales of its products and services in Russia in response to its invasion of Ukraine. Microsoft announced its intentions in a March 4 blog post by President and Vice-Chair Brad Smith. Smith said Microsoft is “coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and we are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions.”

    Earlier this week, Microsoft announced its plans to try to help protect Ukraine from cyberattacks, protect people from state-sponsored disinformation campaigns, and support humanitarian assistance in Ukraine. Microsoft says it found a new malware package — which it calls “FoxBlade” — hours before Russia began its invasion of Ukraine on February 24.

    Smith’s blog post didn’t mention existing contracts that Microsoft has with Russian customers. Corporate Vice President of Communications Frank Shaw said that U.S.-government-imposed sanctions also apply to some existing Microsoft Russian customers. Smith’s blog post also did not mention any plans around the Microsoft Russia office, and Shaw had nothing further to add on that front. Microsoft “will take additional steps as this situation continues to evolve,” Smith said in his post.


  • NSA report: This is how you should be securing your network

    The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is freely available for all network admins and CIOs to bolster their networks against state-sponsored and criminal cyberattacks.


    The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

    The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

    The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes that malicious insiders and threats exist both inside and outside classical network boundaries. The NSA says it “fully supports the Zero Trust model” and offers recommendations for creating it, from installing routers and using multiple vendors to creating firewalls that reduce the potential of an exploit impacting one vendor’s product. However, the agency also notes that its guidance focuses on mitigating common vulnerabilities and weaknesses on existing networks.

    The Biden administration has given federal agencies until 2024 to implement zero trust architectures, so the NSA’s guidance joins the National Institute of Standards and Technology’s (NIST) work with key vendors such as Microsoft and Google to explain what zero trust is. The UK is also pushing organizations to adopt zero trust.

    Among other things, the document focuses closely on Cisco and its widely used IOS networking software for routers and switches, including configuring its one to 15 levels of privileged access to network devices and how to store passwords with the algorithms that Cisco IOS devices use. The NSA knows a lot about Cisco gear, as Edward Snowden’s 2013 leaks revealed.

    NSA recommends that similar systems within a network should be grouped together to protect against an attacker’s lateral movement after a compromise. Attackers will target systems like printers that are more easily exploitable, for example. It also recommends removing backdoor connections between devices in the network, using strict perimeter access control lists, and implementing network access control (NAC) that authenticates unique devices connected to the network. Regarding VPNs, it says to “disable all unneeded features and implement strict traffic filtering rules”. It also specifies the algorithms that should be used for key exchanges in IPsec VPN configurations.

    NSA says local administrator accounts should be protected with a unique and complex password. It recommends enforcing a new password policy and warns that “most devices have default administrative credentials which are advertised to the public”. Admins should remove all default configurations and then reconfigure them with a unique secure account for each admin. “Do not introduce any new devices into the network without first changing the default administrative settings and accounts,” NSA says.

    The new report follows NSA’s guidance to help people and organizations choose virtual private networks (VPNs). VPN hardware for securing connections between remote workers and corporate networks became a prime target during the pandemic.

  • Get patching now: CISA adds another 95 flaws to its known exploited vulnerabilities list

    The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, bugs in Adobe Flash Player, and more. “CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” the agency said.


    The Windows flaw CVE-2021-41379 that joined CISA’s list was being used in attacks against customers in November. Cisco’s Talos researchers discovered malware that targeted the elevation of privilege flaw affecting Windows 11 and earlier. Microsoft rated it “important” and gave it a severity score of 5.5 out of 10.

    Cisco’s router flaws, however, are a greater concern to patch given their severity rating of 10 out of 10. Cisco released firmware updates in February to address multiple critical flaws in its RV Series of routers. These were bugs that allowed attackers to execute malicious code, elevate privileges, run arbitrary commands, knock a device offline, bypass authentication, and more. They affected Cisco small business RV160, RV260, RV340, and RV345 series routers.

    CISA’s list is important for US federal government agencies, since officers are obliged, under the binding operational directive (BOD) 22-01, to act on CISA’s vulnerability alerts within a deadline. In this case, the due date for applying these updates from vendors is in March, suggesting how important CISA considers it that agencies respond swiftly. “BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,” CISA notes. It looks as though CISA is ordering agencies to do a thorough clean-up of any old software flaws that may still be lurking on government systems.

    The updated list of bugs to patch becomes part of CISA’s Shields Up recommendations, which it flagged this week as part of its response to destructive malware attacks against Ukrainian organizations. CISA is concerned that wiper malware like WhisperGate and HermeticWiper may soon target organizations outside of Ukraine because of new US and European sanctions against Russia. The list is also a valuable resource for all organizations outside the US. CISA has urged every other organization to apply the updates to reduce their exposure to cyberattacks.

    Among older bugs it has added with a March 17 due date are a Microsoft Excel RCE flaw, CVE-2019-1297, an old Exchange Server privilege escalation flaw, CVE-2018-8581, and a bug in the browser scripting engine ChakraCore, CVE-2018-8298, which Microsoft is killing off because of its switch to Chromium for Edge. There are also several older Cisco IOS and IOS XE software flaws disclosed in 2017 that now must be patched by 17 March. Even older bugs from pre-2018, such as those affecting the Siemens SIMATIC Communication Processor (CP) and Adobe’s now-dead Flash Player software, are now on the list.

  • These are the problems that cause headaches for bug bounty hunters

    Bug bounty programs have become an invaluable channel for the disclosure and remediation of vulnerabilities, but like any industry, they come with their own set of problems. 


    Bug bounty platforms, such as those operated by HackerOne and Bugcrowd, work with individual companies to launch and manage programs for external researchers to responsibly report vulnerabilities in software and online services. It was once common practice that vulnerability reports were made piecemeal, perhaps through a generic email or by telephone, and some organizations would be spooked by bug reports or would respond negatively.

    This is still the case in some circles, where fear, a lack of concern, or a lack of education can cause a backlash. Emails sent to DK-Lok by ZDNet warning them of an unsecured server were simply sent to the trash bin (viewable because the server was open). Coalfire researchers were arrested by US law enforcement while conducting a penetration test the court system had requested. In addition, who could forget Missouri Governor Mike Parson, who branded a journalist a “hacker” for viewing website HTML and reporting a serious data breach impacting the state’s educators.

    Official bug bounty programs can streamline the process, at least when it comes to typical vulnerability disclosure. However, as shared by White Oak Security Staff Specialist Brett DeWall, there are common problems, in his opinion, that new bug hunters should be aware of.

    Communication

    When penetration testers at the company attempt to disclose bugs, a frequent lack of communication is deemed a “time-consuming process.” If the organization doesn’t have an established bug bounty project, researchers can find themselves trying multiple channels ranging from LinkedIn and social media to generic email addresses and sales channels. If a vendor doesn’t have responsible disclosure instructions on their website, opening up an initial line of communication can be even more difficult.

    “Nowadays, companies are not always receptive to receiving news about security issues with their products or offerings,” DeWall says. “Most of the communication results in radio SILENCE…. This can be frustrating from a researcher’s standpoint that is trying to relay sensitive information in the most preferred method possible. The biggest takeaway here is to keep trying.”

    Scope

    “In scope” and “out of scope” bugs are common features of disclosure processes. For example, organizations may want to know about Remote Code Execution (RCE) vulnerabilities but will not consider issues that may be less severe — despite their exploitability or real-world impact — such as unsecured servers, Server-Side Request Forgery (SSRF) or Insecure Direct Object Reference (IDOR) vulnerabilities. DeWall says that White Oak has run into “multiple” examples of this, where SSRF/IDOR bugs are ‘out of scope’ and, therefore, submissions are not accepted. This could be for many reasons, such as a limited number of staff able to verify reports and the time required to tackle flaws.

    DeWall commented: “The organization may not have the financial resources to pay the bounties or the number of employees required to keep up with the validation effort. If a high-risk bug is discovered that is ‘out of scope,’ is it no longer exploitable? I would still strongly urge organizations who have bug bounty programs to accept (or provide a contact form) for any submissions that are ‘out of scope.’”

    Recognition

    According to DeWall, one of the “biggest” frustrations in vulnerability disclosure is not receiving any credit for finding and responsibly reporting a bug. Whereas researchers want to be acknowledged for their work and may want to be able to list their findings as part of their portfolio, on the flip side, organizations don’t want security flaws found in their products to be public. If you want to encourage researchers to spend their time on improving the security of your products, a Hall of Fame – which does not have to reveal the technical aspects of vulnerabilities – could be the way forward as a fair compromise.

    “Bug bounty hunting or security research is here to stay and won’t be stopping anytime soon (or ever),” the researcher noted. “However, the way we handle it can change – the researchers and organizations must work together.” HackerOne has put together an e-book with tips for those interested in becoming involved in bug bounty hunting.

  • Elon Musk warns to use Starlink 'with caution' in Ukraine

    Days after sending SpaceX Starlink internet terminals to Ukraine, Elon Musk is warning people there to “please use with caution.” As a non-Russian communications system, the Starlink satellite internet service has a “high” probability of being targeted during the ongoing Russian invasion, Musk said. 

    “Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution.” — Elon Musk (@elonmusk), March 3, 2022

    The SpaceX founder and CEO advised users to only turn on Starlink when needed and to place the antenna as far away from people as possible. He also suggested visibly camouflaging antennas. Some cybersecurity experts have similarly warned that satellite communications systems can put users at risk, particularly given Russia’s extensive experience targeting satellites. John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, noted on Twitter last weekend that “if #Putin controls the air above #Ukraine, users’ uplink transmissions become beacons… for airstrikes.”

    Additionally, the US National Reconnaissance Office (NRO) Director Christopher Scolese recently warned that Russia’s military can target satellites to disrupt satellite-based internet traffic, communications, and GPS services. Scolese said that if Russia feels it needs to, it will extend its war into space.

    While using satellite communications comes with serious risks, it does avoid the problems that come with conventional landline broadband. Global internet access tracker NetBlocks told ZDNet that connectivity in Ukraine is down 20% since the start of the conflict, following an increase in Russian bombing campaigns and rocket fire.
