
Deadshot: A Tool That Marks Sensitive Content for Developers

Software code repositories might be hiding credentials, sensitive data, and other secrets of an organization without the developers' knowledge. If this information falls into the hands of cybercriminals, it can be an invaluable starting point for cyberattacks, say the security experts at Twilio, who have released an open-source tool that alerts developers if they accidentally include personal or sensitive data in their code before it is pushed to a repository.

Known as Deadshot, the tool monitors GitHub pull requests in real time. It flags the possible addition of sensitive information to any code, as well as changes to sensitive functionality. Laxman Eppalagudem, a senior product security engineer at Twilio who worked on the project, says it is not possible for an individual to manually monitor an organization's entire codebase, so his team built an automated monitoring tool to search for and flag sensitive data.

Deploy and Forget 

The software works as a "deploy and forget" tool: Deadshot watches the entire codebase and alerts project owners if any sensitive data is about to leave the organization. Security teams can configure what the tool monitors, and alerts can be sent out as Jira tickets or Slack messages.

Leaky commits: The unintentional exposure of credentials and secrets in code repositories has always been a major problem, says senior product manager Yashvier Kosaraju. The software aims to remove the need to manually review the entire codebase and every pull request for commits containing sensitive data, which, as we all know, doesn't scale.

The software is designed so that it can only be installed on GitHub accounts by company admins. According to Twilio, this reduces the risk of hackers exploiting Deadshot for malicious purposes. According to The Daily Swig, "GitHub already has security scanning capabilities, Blore noted. Developers could also use the open-source tool Gittyleaks to scan for API keys, passwords, and other sensitive data. Twilio is actively looking for feedback and feature requests from Deadshot users and the open-source community, Kosaraju said." Experts believe it is a good initiative for avoiding ransomware attacks.
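The kind of pull-request check Deadshot automates, as an added example written for this page (not Twilio's code): a small scanner that walks a unified diff, inspects only the lines a pull request adds, and reports the file, line and rule for anything that looks like a credential or personal data. The rule set, the diff text and the file path are constructed for the example.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed rules for secret-like or personal content. A real deployment tunes
# this set per team (the page notes security teams configure what is monitored).
RULES: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def scan_diff(diff_text: str, rules: Dict[str, Pattern[str]] = RULES) -> List[Tuple[str, int, str]]:
    """Return (file, new-file line number, rule) for every ADDED line that matches a rule.
    Only '+' lines are checked: a PR can only leak what it adds, and flagging removed
    lines would alarm on the very commit that cleans a secret up."""
    findings: List[Tuple[str, int, str]] = []
    current_file = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")  # path of the file the next hunks patch
        elif raw.startswith("@@"):
            # Hunk header "@@ -old,len +new,len @@": 'new' is the first new-file line number
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for name, pattern in rules.items():
                if pattern.search(raw[1:]):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # unchanged context line; removed '-' lines take no new-file line
    return findings

# Constructed sample pull-request diff (not from any real repository).
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
+SUPPORT_CONTACT = "alice@example.com"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the hardcoded password on line 2, the access key ID on line 3 and the e-mail address on line 5, which is the information a Jira or Slack alert would carry.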

Open Source Software Vulnerabilities Lead to RCE

Several vulnerabilities in the open-source video platforms YouPHPTube and AVideo could be exploited to achieve remote code execution (RCE) on a user's device. It can take an average of more than four years for vulnerabilities in open-source software to be detected, an area the security community needs to address, researchers say. Experts from Synacktiv found multiple vulnerabilities in the source code shared by the two projects, all stemming from a lack of user-input sanitization, a related write-up reads. The issues include an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability.

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker).

SQL injection exploits a security vulnerability in an application's software. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or otherwise make it unavailable, and become administrators of the database server.

Several reflected XSS vulnerabilities could be used to steal administrators' session cookies and perform actions as an administrator. A file write flaw could allow an administrator to execute malicious code on the server.

Synacktiv said there is no official workaround at the moment, but added that users should properly sanitize the $catName input before it is used in SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” the researchers added. The vulnerabilities affect AVideo versions 10.0 and below, and YouPHPTube versions 7.8 and below.
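The $catName advice above, as an added example in Python with sqlite3 (not the AVideo or YouPHPTube code; the table and its rows are constructed): the same category lookup written three ways, showing that pasting the value into the query text lets the input change the query's structure and breaks on a legitimate apostrophe, that stripping quotes only mangles valid names, and that binding the value as a parameter handles both.

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a category table like the one a $catName lookup would hit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO categories (name, hidden) VALUES (?, ?)",
                   [("Music", 0), ("Kids' Corner", 0), ("Staff Only", 1)])
    return db

def lookup_vulnerable(db: sqlite3.Connection, cat_name: str) -> List[str]:
    # Vulnerable: the user-controlled value is pasted into the SQL text, so it can
    # alter the query's structure, and a legitimate apostrophe breaks the query outright.
    sql = f"SELECT name FROM categories WHERE name = '{cat_name}' AND hidden = 0 ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_strip_quotes(db: sqlite3.Connection, cat_name: str) -> List[str]:
    # The "remove simple quotes" filter the researchers warn against: it silently
    # mangles legitimate names and still leaves the value inside the SQL text.
    cleaned = cat_name.replace("'", "")
    sql = f"SELECT name FROM categories WHERE name = '{cleaned}' AND hidden = 0 ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db: sqlite3.Connection, cat_name: str) -> List[str]:
    # Hardened: the value is bound as a parameter; the database never parses it as SQL.
    sql = "SELECT name FROM categories WHERE name = ? AND hidden = 0 ORDER BY id"
    return [row[0] for row in db.execute(sql, (cat_name,))]
```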

The open-source community now plays a critical part in software development, but, as in any other industry, vulnerabilities will exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities consistently and should consider implementing automated alerts to remedy security issues more quickly and efficiently.

"Open source is critical infrastructure, and we should all contribute to the security of open-source software," GitHub added. "Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit."

GitHub Escapes from Octopus Malware that Affected 26 of its Software Projects

GitHub, which unites the world's largest community of coders and software developers, has dealt with a malware threat: it revealed that hackers exploited an open-source platform hosted on its site to distribute malware. The attackers used an unusual tool that planted backdoors in each affected software project, which could then be used to infiltrate the systems of those who used the software.

"While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons," said GitHub on its security blog. Fortunately, the hackers' attempt to exploit the open-source platform was unsuccessful. Had it succeeded, the hackers could have gained a foothold in software that would later be used by corporate applications and other websites.

In recent years, open-source platforms have become a primary target for hackers, because once hackers plant backdoors in open-source components, thousands of apps are exposed to remote code execution. GitHub's website currently has more than 10 million users. In the GitHub incident, 26 software projects were infected with malicious code, a stark warning of the potential threat of open-source compromises. Experts have identified the malware as "Octopus Scanner," which is capable of stealing data by deploying remote access code.

The malware spread through projects using software called Apache NetBeans, GitHub says. "On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself," says GitHub on its blog. These attacks can be highly threatening, as the tactics used here give the hackers access to a wide range of systems.

Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More

CISA has warned users about two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, that are being actively exploited by cybercriminals, leaving thousands of cloud servers across the globe exposed.

The vulnerabilities are easy to exploit and of high severity, and researchers have labeled them particularly 'dangerous'. They allow attackers to execute code remotely with root privileges on Salt master servers and carry out a number of commands.

Salt is used to configure, manage, and monitor servers in cloud environments and data centers. It provides automation: it scans IT systems to find vulnerabilities and then runs automated workflows to remediate them. It gathers real-time data about the state of all managed assets and uses machine learning and industry expertise to examine threats more precisely. In short, it is used to check installed package versions across all IT systems, look for vulnerabilities, and then remediate them by installing fixes.

The two vulnerabilities, CVE-2020-11651, an authentication bypass flaw, and CVE-2020-11652, a directory traversal flaw, were discovered by F-Secure researchers. By exploiting them, attackers can bypass all authentication and authorization controls and connect to the request server. Once authentication is bypassed, attackers can post arbitrary control messages and make changes to the master server's file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected.
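To turn the affected-version rule above into a check, here is an added example (not SaltStack's code) that classifies a version string such as the output of `salt --version`. It assumes only that string, and handles the two numbering schemes the rule spans: the legacy YYYY.M.P line, fixed in 2019.2.4, and the newer single-number line, fixed in 3000.2.

```python
import re
from typing import Tuple

FIXED_LEGACY = (2019, 2, 4)  # last release line in the YYYY.M.P scheme, patched in 2019.2.4
FIXED_NEW = (3000, 2)        # first release line in the single-number scheme, patched in 3000.2

def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Extract '2019.2.3' or '3000.1' from strings like 'salt 3000.1' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_affected(version: str) -> bool:
    """True if this Salt release predates the fixes for CVE-2020-11651 and CVE-2020-11652."""
    v = parse_salt_version(version)
    if v[0] >= 3000:
        # New scheme: 3000 and 3000.1 are affected; 3000.2 and anything later are fixed.
        # Tuple comparison makes (3000,) < (3000, 2), so a bare "3000" is correctly flagged.
        return v < FIXED_NEW
    # Legacy scheme: everything below 2019.2.4, including every 2018.x release, is affected.
    return v < FIXED_LEGACY
```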

Xen Orchestra, an all-in-one, user-friendly web-based management service, became the latest victim of cybercriminals exploiting the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm's virtual machines (VMs); the company noticed on the 3rd of May when various services on its infrastructure became inaccessible.

While commenting on the matter, Olivier Lambert, Xen Orchestra's founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned...”

“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough.”

“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.

Can open source software be bought?

Open-source software (OSS) is released under a special license that makes its source code available to users to inspect, use, modify and enhance. It is a misconception that such software is not copyrighted; rather, it is copyrighted under a license that lets users study, change and use its source code or services (depending on the software), including for commercial use. Some common examples of open-source software are Linux, Red Hat, Ubuntu, GitHub, FreeBSD, and Fedora.

Just five years ago the tech world was quite critical and skeptical of open-source software, with Microsoft CEO Steve Ballmer calling Linux a 'cancer' and open source software 'a communist threat', but OSS has since come a long way with the success of Red Hat and Linux. Open source has given a silver lining to underdog developers and defied the monopoly of the tech giants, giving small businesses and individuals the power to grow using open-source code.

But what open-source devotees don't know, or don't stress, is that open-source software can be bought and acquired by commercial companies. The puzzle is how something open source could be bought at all, but even these projects have copyrights that can be bought, and the code can then be changed to closed source. And such OSS is being acquired at lightning speed: IBM acquired Linux and Red Hat, and Microsoft is portraying itself as "the open-source leader" by joining the Open Invention Network (OIN) and acquiring GitHub.

There are advantages when big companies take over open-source software: many projects were not established with a business model and would otherwise run out of resources, but if companies like these buy them out, they can stay afloat and provide for their customers. But there is also a dark side to these acquisitions, as they could mean the end of open source. With the rights sold, the software could be closed and its free availability could come to an end. Those who already use the open-source version would not be affected, since it is already licensed, but any future version of the software could be closed.

Microsoft now says that “Microsoft is all-in on open source, we have been on a journey with open source, and today we are active in the open-source ecosystem, we contribute to open-source projects, and some of our most vibrant developer tools and frameworks are open source.” The same goes for IBM's Linux. But these are big and popular projects; for small software with less distribution and fewer copyright holders, the dark cloud still hovers.