Welcome to Cyber Security Today. This is the Week in Review edition for Friday, January 14th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Jim Love, chief information officer of ITWorldCanada.com, to talk about some of the news in the past seven days. But first a review of what happened:
Software developers who use free open source packages were stunned earlier this week at news that two utilities in the GitHub and NPM libraries were generating strange code. What was even more stunning was the conclusion by most that this was not the work of a threat actor but of the projects’ creator, as a protest for not being paid to maintain his work. Jim and I will discuss what this incident means for the open source community.
We’ll also look at the decision by Salesforce to force all users to log in with multifactor authentication, and the finding of fake QR codes pasted by a crook onto parking meters in Texas.
In other news, the FBI warned a ransomware group is emailing infected USB keys to American organizations, hoping victims will plug the devices into their computers and spread malware. Victims are getting the USB sticks in two ways: Either in a couriered package that appears to come from a U.S. government health agency and purports to contain COVID information, or in a box in general mail that appears to be a gift with a thank you note.
The Department of Health for the state of Maryland admitted it’s been dealing with a ransomware attack since early December. As a precaution some services were taken offline and were still unavailable to hospitals this week.
Game developer Electronic Arts has confirmed accounts of several dozen high profile players of its FIFA 22 online soccer game were compromised by attackers. They did it by scamming the customer support team, in part with threats and other social engineering tactics. As a result, the attackers were able to bypass two-factor authentication that was supposed to protect logins. According to the Bleeping Computer news service, some of the hijacked accounts belonged to real soccer players, professional streamers and in-game currency traders.
Finally, researchers at Fortinet have discovered a new variant of the Redline Stealer malware, which steals data about the computers it has infected. These are things like passwords, cookies and stored credit card information. The malware hides itself in a file called Omicron Stats.exe. The report doesn’t say how the malware is spread, but a good guess is by phishing messages with an attachment purporting to have COVID-19 statistics.
(The following transcript has been edited for clarity. To hear the entire conversation play the podcast)
Howard: I’m going to bring in Jim Love. We should start by looking at the controversy in the open-source world. For listeners who don’t know, open-source software is usually written for free by developers and used by others who can add what they create to their applications. Open-source developers will create packages and list them for download in libraries like NPM, Maven and GitHub. Last week a developer of two utilities apparently uploaded new versions of his packages that caused mayhem when they were opened. One runs an American flag or repeatedly prints the word ‘Liberty.’ No one can get a hold of the developer. But one news site noted that just over a year ago this developer complained bitterly about not being paid for his work. So the assumption is the sabotage of these two utilities is his protest. Jim, this incident raises a number of questions. If it’s true that this is a protest over a legitimate issue, was this a proper way to protest?
Jim: No, it probably wasn’t proper. But was it expected, or was it a reaction to something? I think the guy who really invented free software is named Richard Stallman, a programmer at MIT… He has a famous quote that says, ‘Free software is more like free speech. It’s not free beer.’
A Forrester Research analyst said she was surprised and horrified by this incident. And people should be. Open software is so prevalent. A company called Synopsys says it’s so prevalent many code owners aren’t aware of the open-source components in their software. Five years ago there were 84 open source components per app on average in regular and commercial software. Now it’s an average of 528 open source components per application. So let’s get back to your question: is it proper to alter your open source project? Well, it’s disastrous when people do things like that, but is it to be expected? What this guy said was, ‘I’m not going to work free for Fortune 500 companies anymore.’ There’s money: GitHub was bought by Microsoft, SugarCRM went from being an open-source company to a for-profit company. Red Hat was sold to IBM. Even Drupal, which was a great open source content management system, became private. Did any of the open-source programmers make money? So it wasn’t proper, but people should have seen this coming. This [paying or supporting open source developers] is something people should have been doing more about. We’re at a crisis point, but the good thing is we’re at a point where we’re actually going to talk about this now in an intelligent manner. We’re not giving up on open-source software. But we’re going to have to get smarter about how we deal with it and have a conversation about what is proper behavior, and I think that’s the important thing.
Howard: The idea of open-source software is that the code is open so the collective eyesight of developers around the world can look for and find bugs so that they can be quickly fixed. That means the developer has to spend some of their spare time on updates and they’re not getting paid. Are there compensation models for open source developers?
Jim: There are models for compensating people, and they could have been used with more foresight. The biggest parallel I can see is musicians. They write songs and those songs are used in all kinds of places all around the globe, and there is licensing that says when you use this I [as the creator] get a cut. That’s going to have to come in open source software. At least we’re going to hear a good discussion about it.
Howard: There are dual licensing models where a software developer can create an open-source package and if it’s used in a commercial product then the developer has to be paid a licensing fee. A software vendor can take some open source packages, bundle them in their software and then release two versions: a free version that has limited features, and a paid version that has more features. Some of the money from the people who purchase that application goes to the open-source developer.
Jim: That’d be a really good idea. There are so many foundational pieces, and I think that’s how you get these high averages [of open source components in applications]. We could sign [open source] code like on a blockchain so people can trace it. There’s no easy answer. But there’s got to be an answer.
Howard: Let me look at this incident from the other point of view. If you’re an application developer and you want to use open source components after this incident, how do you trust what’s in NPM or the other libraries?
Jim: How do you trust anything these days? This is why I say we’re at a pivotal point. Trust seems to be evaporating. It’s not just open-source code. There’s not an easy answer to this, but, like I said, we have to find one, because the whole question is what we can trust in code.
Howard: One of the things that application developers I think have to get used to is using software composition analysis tools that examine software code for vulnerabilities. This is a mature market. There are lots of choices. You can get them from vendors like WhiteSource, Sonatype, GitLab, Fossa, JFrog — and that’s a small list.
Jim: Forrester’s got a really good list of those commercial ones, and there are open source ones too. So even if you’re a small company you can have one. If you go to the OWASP Foundation you can find a whole list of free and open tools as well. To actually inspect your code is a valuable thing to do.
Howard: So one lesson from this is whatever you download has to be tested before you put it in an app, before you put it in production. And, of course, check with the open-source community after you download a software update. What’s their take on the latest version of what’s been posted? Does it break their apps?
Has this incident damaged the reputation of open source?
Jim: It’s a blip, but no, I don’t think so. But it has forced us to confront this gorilla in the room, that there has to be a compensation method.
Howard: Let’s turn to the announcement by Salesforce that starting in February all users will no longer be able to log in with just a username and password. They’ve got to do it through multifactor authentication. This is really significant.
Jim: It’s absolutely great, and every other major company should get on board. There’s this old story: The Old Testament prophets didn’t go looking for an eleventh commandment. They were praying for the strength to do the 10. One of the 10 [cybersecurity] commandments is ‘Thou shalt use multifactor authentication.’ Salesforce is ubiquitous and people will follow them, and they have a whole ecosystem of developers who are going to have to follow them. This sets it as a norm, not as something that you should be encouraging people to do. It’s a very simple way to prevent a lot of damage.
Howard: Why aren’t more applications and companies making MFA mandatory?
Jim: I have no idea. It’s so easy to do. You use the validators [like Google Authenticator, Microsoft Authenticator or Authy]. But there’s no point in having a code sent to you if it’s sent to you by a text. I have multifactor on as many things as I can. Sometimes it’s painful because every time I log in I’ve got to put in my password then I’ve got to get my MFA code. So I understand the user reluctance to do it. But. That’s tough noogies. We have to do it.
Howard: Another report this week dealt with company officials unexpectedly receiving USB keys under various guises. You know the old saying beware of Greeks bearing gifts? It can be modified to beware of unexpected USB keys. This is an old way of spreading malware that’s come back again.
Jim: There is an experiment from way back when viruses were just being started and somebody dropped USB keys around a campus to find out whether people would put them in their machines — and almost everybody did. So this is an evolution. This is again social engineering at its finest.
Howard: I remember reading about a company that did a penetration test and it was along the same line, except the trick was sending an iPad to the chief financial officer in a courier package with a note that looked like it came from the chief executive officer. It said something to the effect of, ‘Hi Richard. We really appreciated your efforts on the last online financial meet with analysts. This is just a little thank you gift.’ In order to activate an iPad you have to log into your local wireless connection. Well, the iPad was infected — I mean, this was a penetration test, so it didn’t have malware, but it would have registered that the financial officer fell for this scam. And if someone who’s running a penetration test can think of this then a crook sure can.
Jim: The first time I saw a federal government employee laptop with the USB port blocked I thought, ‘That’s a little extreme.’ But I don’t think that anymore.
Howard: The final item that we’re going to look at is the report of malicious QR codes being slapped on parking meters in Texas. The sticker that this would be printed on would look like an official way of linking your smartphone to pay for parking. It would say, to pay for your parking, scan this, and it would go to a website where you’d have to log in with your credit card. Of course, the idea is that they’re stealing your credit card number. It’s just another social engineering trick. It’s just another way the crooks take advantage of people’s gullibility.
Jim: But that’s what I mean by the foundations being shaken. QR codes are so convenient, but it’s the flip side of this USB thing. So again, we’re shaken to the foundations on this. We have to find a way to authenticate these things easily or there’s going to be a crashing problem on these QR codes.