- An article describing an organization or development team’s success (or failure) due to using ‘Open Source’ components.
- A breach or compromise that was attributed to the use of open-source components. For this option, please note if there were any mitigating factors that the organization should have considered.
- Other considerations concerning the use of open-source components and/or operating systems.
Remember to include the URL of the article being referenced.
Candace T Nelson says
TechTarget.com defines fuzz testing as follows:
“Fuzz testing (fuzzing) is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data, called fuzz, to the test subject in an attempt to make it crash. If a vulnerability is found, a software tool called a fuzzer can be used to identify potential causes.”
https://searchsecurity.techtarget.com/definition/fuzz-testing
On September 15, 2020, Microsoft released Project OneFuzz (“OneFuzz”), an automated, open-source, extensible fuzz testing framework for Azure to replace the existing Microsoft Security and Risk Detection framework that was discontinued as of June 25, 2020. The OneFuzz testing framework that has been used by Microsoft Edge and Windows teams is now available through GitHub – under an MIT license – to developers around the world. The global release is intended to help harden platforms and tools to make an attacker’s job more difficult.
Microsoft considers fuzz testing to be the gold standard for enabling developers to find and remove costly, exploitable security flaws earlier in the development lifecycle, which is core to Microsoft’s mission of empowerment, and it frees up security engineering teams to pursue proactive work.
OneFuzz enables:
– Composable fuzzing workflows
– Built-in ensemble fuzzing
– Programmatic triage and result deduplication
– On-demand live-debugging of found crashes
– Observable and Debug-able
– Fuzz on Windows and Linux OSes
– Crash reporting notification callbacks
Microsoft intends to maintain and expand OneFuzz and to release updates to the open-source community upon occurrence.
https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/#:~:text=Microsoft%20announces%20new%20Project%20OneFuzz%20framework%2C%20an%20open,defend%20against%20the%20dynamic%20and%20sophisticated%20threat%20landscape.
While this article doesn’t discuss the success or failure of an organization that used open (vs. closed) operating systems, it elaborated on the following comment that was made in response to an article showcased during week 4: “However do you share an interesting perspective on how to prioritize fixing vulnerabilities in the development phase!”
Anthony Wong says
Magento is an open source e-commerce platform owned by Adobe. The platform allows businesses to create their own online stores to complement their website. Recently, over 2000 Magento stores have been hacked. The attackers were able to breach websites and exploit Magento vulnerabilities to plant scripts into the source code. The script would log payment information entered in the checkout form. The cause of the hack was the end of life support of Magento versions 1.X. Adobe has released Magento versions 2.X and has urged its users to upgrade to the latest version immediately. An upgrade like this could take a while, as it may drastically affect business operations and needs to be tested thoroughly prior to implementation. To mitigate risks, some stores are depending on their web application firewalls to prevent any attacks.
URL: https://www.zdnet.com/article/magento-online-stores-hacked-in-largest-campaign-to-date/
Candace T Nelson says
Interesting article Anthony,
I am curious about how the breaches were discovered so quickly.
It is also noteworthy that – since version 1.x of the Magento online software store was expected to reach end-of-life on June 30, 2020 – Adobe first issued an alert to store owners in November 2019 about the need to update to the 2.x branch. Mastercard and Visa issued similar advisories in the spring of 2020. However, from November 2019 to June 2020, the number of Magento 1.x stores only decreased from 240,000 to 110,000, and 95,000 1.x stores remain today (that are suspected to have either been abandoned or to have low user traffic).
It seems to me that the store owners who failed to update to Magento 2.x in a timely manner have weak SDLC controls. The end-of-life date was known, and Adobe provided plenty of advance notice. I often say that hope is not a strategy, and it seems to me that the balance of the 1.x users as of June 30, 2020 “hoped” they wouldn’t get hacked, or “hoped” web application firewalls would stop the attacks if they did.
Anthony Wong says
In this day and age it’s only a matter of time before their stores would be hacked. But I have to agree with your comment about weak SDLC controls. I can understand if store owners were nervous upgrading the platform and wanted to thoroughly test the changes, but as you mentioned, Adobe provided more than enough time. There’s really no excuse for this.
Nicholas Fabrizio says
As you mentioned, the article states some of the stores are depending on web application firewalls to prevent attacks on their outdated software, and this does not seem to be the best solution to mitigate risk, even though it is technically PCI compliant. Hopefully these stores can update to the latest Magento version and continue using a web application firewall for better protection, which would be the better defense in depth strategy.
Anthony Wong says
Similar to what Candace said, using the web application firewalls is just praying it’s enough to stop attackers until they can get to the latest version. Until then, the store owners definitely need to stay on top of this issue. Perhaps even add more mitigation tactics beyond the WAF until they can successfully transition over.
Zhuofu Wang says
Only relying on web application firewalls (WAFs) to stop attacks is not a perfect solution; it’s a temporary remedy. Usually, a version upgrade is a reliable solution. Maybe these users don’t want to bear the traffic loss during the version upgrade, or maybe these users think the current processing method is sufficient. In any case, there is still a risk.
Anthony Wong says
I believe once the end of life support was announced, store owners needed to act quickly and plan to upgrade the platform as soon as possible. In my mind, upgrading to the latest version is the only solution to protect the business. For a seamless transition, the upgrade should be performed after peak business hours (generally past 12 AM) to avoid affecting customers.
Humbert Amiani says
Multiple SQL, code injection vulnerabilities in OpenSIS
Cisco Talos recently discovered around 30 vulnerabilities in the open source Student Information Management system OpenSIS. These vulnerabilities were mainly SQL injection and remote code execution vulnerabilities. The vulnerabilities have since been patched, thanks to coordinated efforts from both OpenSIS and Cisco Talos, and there has not been any confirmed or reported exploitation of these vulnerabilities. Most of the SQL injection vulnerabilities were caused by insufficient sanitization of user-supplied data on multiple pages, where a successful exploitation would give a remote attacker full access to read, delete and modify database entries. The code injection vulnerability was due to improper input validation in the username variable on one of the pages, allowing an attacker to send and execute arbitrary code on the target system.
Patch updates were tested and confirmed to resolve these issues by both parties involved. An update was made available to all affected customers running OpenSIS.
https://blog.talosintelligence.com/2020/08/vuln-spotlight-opensis-aug-2020.html?&web_view=true
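The two defects described in the OpenSIS post (unsanitized user-supplied data reaching SQL, and a username field without input validation) side by side with their fixes, as an added example that is not OpenSIS code or Talos’s advisory. The table, rows and the allow-list pattern for usernames are constructed assumptions; the vulnerable function is kept only to show why binding and validation matter.

```python
import re
import sqlite3

# Constructed sample data standing in for a student-information table;
# OpenSIS's real schema is not on the page, so this is an assumption.
SAMPLE_ROWS = [
    ("asmith", "Alice Smith", "A"),
    ("bjones", "Bob Jones", "B"),
    ("cwang", "Cara Wang", "A"),
]

# Allow-list for usernames (assumed policy): plain identifiers only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Insufficient sanitization: the user-supplied value is pasted into SQL,
    so a value containing quotes changes the query's structure."""
    sql = "SELECT username, name, grade FROM students WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binding the value means the driver only ever treats it as data."""
    sql = "SELECT username, name, grade FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """Improper input validation fixed: reject anything not matching the allow-list."""
    return bool(USERNAME_RE.match(username))


def lookup_safe(conn, username):
    """Validate first, then bind: defence in depth against both bug classes."""
    if not validate_username(username):
        raise ValueError("rejected username: %r" % username)
    return lookup_parameterized(conn, username)


def demo():
    """Compare the three lookups on a benign name and on a classic tautology."""
    conn = make_db()
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_benign": len(lookup_vulnerable(conn, "asmith")),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
    }
    try:
        lookup_safe(conn, tautology)
        results["safe_tautology"] = "accepted"
    except ValueError:
        results["safe_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```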
Nicholas Fabrizio says
It is good to hear that no confirmed exploitation of this vulnerability has occurred. Hopefully any customers using this open source student information management system can patch it in a timely manner. I feel a data breach of a system such as this could be a violation of the Family Educational Rights and Privacy Act (FERPA) which is a federal law protecting education records.
Humbert Amiani says
Hi Nicholas,
You are right, if exploited this would be a big violation of FERPA, and it would generally cause a major interruption in services to those using OpenSIS, as they scramble to patch the vulnerability.
Candace T Nelson says
In light of the heavy reliance on remote learning brought about by the COVID-19 pandemic, it seems that school computing systems may become more of a target, especially since there has not been a lot of time for security to be enhanced and education budgets are notoriously restrictive. Accordingly, it will be interesting to see if there is an increase of these types of attacks over the next several months.
Humbert Amiani says
Hi Candace,
I think we are just seeing the beginning of it. If high school students are now getting into it and pulling off some high profile cyber-attacks like the recent Twitter hack, we can only imagine what fate these school systems will face in coming school years.
Zhuofu Wang says
Hope these customers can update this system in time. Even if the vendor provides vulnerability patches and push notifications, there will still be some customers who do not update them in time.
Humbert Amiani says
Hi Zhuofu,
It is quite unfortunate that there are always going to be customers who ignore such threats, only to face severe consequences later.
Kelly Sharadin says
In this excellent article from Dark Reading, open source software provides organizations with as many opportunities for cost-saving solutions as it does potential risks. One notable risk associated with open source is the loss of dedicated vendor support sending regular patch and security bulletins. This lack of visibility into an organization’s software patch environment can seriously impede incident response efforts when investigating point of entry. The article states the power of open source is its vast community of contributing developers. However, “with so many subcomponents being used in every application, the risk landscape has become too fragmented for security teams to properly monitor the holes that cyberattackers can exploit” (DarkReading, 2020). Furthermore, how can you trust the code when open source software CVEs have “more than doubled between 2018 and 2019” (DarkReading, 2020)? Proper security hygiene would be verifying checksums, but in reality, are employees truly taking the time to verify that the code hasn’t been tampered with? Personally, I think open source is one of the greatest achievements we have had in technology. The article goes on to explain how DevSecOps can help organizations mitigate the risks associated with open source.
https://www.darkreading.com/risk/open-source-securitys-top-threat-and-what-to-do-about-it/a/d-id/1338857
Candace T Nelson says
I was also alarmed to learn that the CVEs more than doubled from 2018 to 2019. Considering the significant computing changes that have occurred during 2020 in response to the COVID-19 pandemic, I can only imagine the increase in CVEs in open source software will be similarly staggering.
I also found the recommended steps to improve security practices over open source code to be practical and reasonable. Using automated discovery tools to create an inventory of open source components – rather than expending scarce human resources to accomplish this task – seems to be an efficient approach. Depending on an enterprise’s risk appetite regarding cybersecurity (which should be low, especially in today’s computing environment), implementing measures to improve hygiene by earlier and increased security testing makes perfect sense. Finally, by committing to selecting open source components that are subjected to vulnerability testing and patching, a company’s ever increasing need for enhanced security may level off over time. Very good read!
Nicholas Fabrizio says
Title: State-Sponsored Hacking Groups Increasingly Use Cloud & Open Source Infrastructure
URL: https://www.darkreading.com/threat-intelligence/state-sponsored-hacking-groups-increasingly-use-cloud-and-open-source-infrastructure/d/d-id/1339030
Microsoft recently suspended 18 Azure Active Directory applications after determining they were being used as command-and-control channels for espionage. Attackers are using cloud technology and open-source tools more often now to perform attacks because of the “combination of cloud infrastructure, which can be quickly reconstituted in the event of a takedown, and open source tools, which can help attackers’ actions blend into more legitimate activity” (Lemos). As mentioned in the article, open source tools can not only help hide the attackers’ activity and identity because the tool may be widely used, they also benefit from constant feature updates at no cost. Lastly, I found it interesting that attackers are realizing many organizations are moving to the cloud, so they are using the cloud infrastructures to find a vulnerability they know can be used against organizations using the same cloud technology.
Kelly Sharadin says
Hi.
Really interesting article; it touches upon a lot of different emerging trends: cloud architecture, open source, and the diminishing barrier to entry for sophisticated cyber-attacks. Criminal hackers are always going to take the path of least resistance, and having access to an ever increasing free marketplace of open-source hacking tools has made hacking more accessible than ever. If you have basic CLI skills, coupled with the rapid expansion of poorly configured cloud deployments, you can really generate some havoc. I believe we will see some interesting cyber threats for years to come.
Anthony Wong says
I agree with your last point. I thought that was really interesting as well because of the reconnaissance assignment we did last week. With the reconnaissance tactics we learned in class, I was able to discover the organization I researched used Amazon Web Services. I’m positive these attackers would perform similar reconnaissance to discover Azure domain/servers and easily exploit this vulnerability.
Candace T Nelson says
I agree with both Kelly and Anthony’s comments, and thought to myself that – with the availability of existing administrative tools, the vulnerabilities of open source tools, and the number of companies using the same cloud infrastructure – the espionage groups get “more bang for their buck.”
I also read about the US indictments of two defendants in Malaysia (who were arrested) and five defendants in China (who are fugitives) who were charged with hacking more than 100 companies in the US and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
On September 16, 2020, Deputy Attorney General Jeffrey A. Rosen announced that the DOJ and the FBI have been working with Microsoft, Google, Facebook, Verizon Media, and other private sector companies to identify and neutralize the infrastructure (including virtual private servers, malware and malicious domains) that the Chinese cyberattack group APT-41 uses to conduct its crimes, in order to disrupt its activities.
Nicholas Fabrizio says
Hi Candace,
I agree with you, and what is interesting in this article is that some of the hacker groups mentioned have used a Microsoft administrative tool called BITSAdmin and the open-source Metasploit framework to find a vulnerability to exploit on machines running the same technology.
Bryan Garrahan says
“In the attack incident Microsoft described in its analysis, GADOLINIUM used a variant of PowerShell, known as PowerShell Empire, to connect to both Azure Active Directory and Microsoft’s OneDrive storage. Automated systems have a hard time detecting such attacks, as the variant of PowerShell and the fact that is connecting to a known cloud service are usually not considered suspicious activity, Microsoft stated in its analysis.”
This paragraph stood out to me based on our class discussions around how sophisticated hackers are able to fly under the radar. The attack group GADOLINIUM clearly falls into this bucket, as they were successfully able to exploit system and/or application communications that wouldn’t raise any red flags. Aside from manually going in and reviewing the logs for trends (which, why would they, as I see it as a waste of time and resources?), I’m struggling with identifying other ways in which this type of activity could be caught more timely. I suppose some sort of protective control such as an acceptable use policy around cloud and infrastructure open source tools would help, but then this would also require additional monitoring in order to ensure users are adhering to the requirements outlined within the policy. Any other ideas?
Nicholas Fabrizio says
Hi Bryan,
I wonder if these companies, in addition to having acceptable use policies on some of these open-source tools, could make the customers agree to some sort of automated random audit of the systems. This could allow them to verify the customers are not violating the terms by installing tools that could be used for hacking.
Kelly Sharadin says
This attack is/was immensely clever. Many large enterprises – the type a nation-state hacking group would target – use PowerShell scripts all over their network to manage devices. Therefore, it is normal to see PowerShell executing in bulk on machines… that’s also what makes this attack so effective. I was thinking about your comment on how this attack could be caught in a timely manner… this is where a solid relationship between a CTI team and a threat hunting team could maybe come into play. But if you don’t know what you’re looking for, or you ignore normal activity (PowerShell), it does become increasingly difficult. Thanks Bryan, great article.
Kelly Sharadin says
Sorry, I’m commenting on Nicholas’s article and Bryan’s comment.
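One concrete way to approach the detection gap Bryan and Kelly discuss, as an added example that is not part of any poster’s contribution or of Microsoft’s analysis: since PowerShell activity and connections to a known cloud service are each normal on their own, score several individually benign signals (launching parent, command-line switches, destination, host role) together so that routine administrative scripting stays below threshold while the combination quoted above does not. The event fields, the parent-process allow-list and the cloud endpoints are constructed assumptions, not any product’s log format.

```python
import re

# Constructed process-creation events joined with their network destination.
# Field names and values are illustrative; a real pipeline would fill them
# from EDR or Sysmon-style telemetry.
SAMPLE_EVENTS = [
    {"host": "mgmt01", "role": "server", "parent": "services.exe",
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1",
     "dest": "config.internal.example"},
    {"host": "ws-042", "role": "workstation", "parent": "explorer.exe",
     "cmd": r"powershell.exe -File C:\Users\kim\sync.ps1",
     "dest": "onedrive.live.com"},
    {"host": "fs01", "role": "server", "parent": "winword.exe",
     "cmd": "powershell.exe -NoP -W Hidden -Enc BASE64PLACEHOLDER",
     "dest": "onedrive.live.com"},
]

# Parents from which scripted administration is normally launched (assumed
# baseline for this fictional environment).
ADMIN_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe", "ccmexec.exe"}
# Illustrative consumer/cloud storage endpoints; a real list comes from the
# organisation's own traffic baseline.
CLOUD_STORAGE_HOSTS = {"onedrive.live.com", "graph.microsoft.com"}
ENCODED_FLAG = re.compile(r"\s-(enc|encodedcommand|e)\b", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"\s-(w|windowstyle)\s+hidden\b", re.IGNORECASE)


def score_event(event):
    """Return (score, reasons). Each signal alone is common; stacking them is not."""
    reasons = []
    if event["parent"].lower() not in ADMIN_PARENTS:
        reasons.append("parent %s is not a management launcher" % event["parent"])
    if ENCODED_FLAG.search(event["cmd"]):
        reasons.append("encoded command line")
    if HIDDEN_FLAG.search(event["cmd"]):
        reasons.append("hidden window requested")
    if event["dest"] in CLOUD_STORAGE_HOSTS and event["role"] == "server":
        reasons.append("server talking to cloud storage endpoint")
    return len(reasons), reasons


def flag_suspicious(events, threshold=3):
    """Hosts whose PowerShell activity accumulates enough signals to review."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["host"], score, reasons))
    return hits


if __name__ == "__main__":
    for host, score, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(host, score, "; ".join(reasons))
```

The management script on mgmt01 scores 0 and the workstation OneDrive sync scores 1, so only fs01 is raised for a hunter to look at; the threshold is where a CTI and hunting team would tune against their own baseline.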
Zhuofu Wang says
The upgrade of production tools has brought unexpected results, like you mentioned that the attackers are moving to the cloud. Companies like Amazon may need to consider how to improve their products to prevent them from being abused by hackers.
Bryan Garrahan says
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2016/practical-considerations-in-planning-an-open-source-security-monitoring-infrastructure
While this article is from 2016, it touches on several considerations that remain in existence today as organizations look to adopt open source security monitoring tools. The article identified the following considerations:
– Storage Planning
– Secure Sockets Layer (SSL) traffic and privacy
– Visibility
– Open source risk
– Monitoring
In addition to each of these, I believe requirements planning should also be considered. When picking a tool it’s important to gain an understanding of whether a tool under consideration even fits into your network topology. Implementing a tool that isn’t easily configurable and/or compatible with your organization could very easily become burdensome rather than added value from an operations perspective. Can anyone think of some other considerations?
Bryan Garrahan says
https://www.contrastsecurity.com/security-influencers/cisco-server-breach-hack
This article provides details around two critical vulnerabilities (CVE-2020-11651 and CVE-2020-11652) within SaltStack’s “Salt” open-source management framework that were used to compromise servers at Cisco. The article notes, “Exploitation of these vulnerabilities can allow an attacker to circumvent all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on Salt’s master server file system, and steal the secret key used to authenticate to the master as root. This provides an attacker with full remote command execution as root on both the master and all minions that connect to it”. While Cisco was able to patch the vulnerabilities on the same day in which they were identified, it should be noted that any unpatched servers running Cisco’s Virtual Internet Routing Lab Personal Edition (VIRL-PE) or Cisco Modeling Labs Corporate Edition (CML-CE) remain exposed to the vulnerability.
The article also provides some methods to deploy in order to secure Python-based open source tools such as Salt. Since Python-based software requires application security at runtime, runtime application self-protection (RASP) can be applied in production to validate request inputs and prevent vulnerabilities from being exploited. As an additional layer of security, software composition analysis (SCA) can be deployed to observe open-source libraries as they are running to accurately locate previously vulnerable components.
Kelly Sharadin says
Cisco again?! Thanks for sharing this article Bryan. I use a bunch of Python open-source tools, so I looked into the Contrast OSS, but that’s more for development rather than end user verification. Although this was an interesting read – I kinda wish it was vendor agnostic.
Zhuofu Wang says
Aptoide is a third-party store for Android; it’s also an open-source platform, which allows users to download the code for creating their own App stores. It suffered a security incident in April, in which the attacker stole more than 20 million users’ information and shared it on a dark web forum. Sam Curry, the chief security officer at Cybereason, pointed out that most of these unofficial stores are asking for too much trust upfront, but don’t provide enough basis for that trust.
Third-party application stores have indeed received the favor of many users, through which users can publish and share some homemade applications. However, such stores do not guarantee security, and there may be a risk of malware distribution.
URL: https://www.teiss.co.uk/aptoide-data-breach/
Anthony Wong says
It’s interesting that Aptoide did hire external auditors and performed penetration testing and the breach still occurred. It was good to see that they had some risk mitigation controls in place, such as having the passwords encrypted in the database. Since the encrypted passwords were stolen, it wouldn’t be surprising if the hackers or buyers would eventually be able to decrypt the passwords.
Amelia Safirstein says
https://www.infosecurity-magazine.com/opinions/data-scientists-open-source/
This article discusses the difficulty surrounding management and oversight of open source software and the balance between agility and security. Open source software can promote shadow IT in the workplace when the importance of testing and approval is not understood.
Jerry Butler says
https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-flaw/161785/
The vulnerability (CVE-2020-8913) in the Google Play Core Library is a local, arbitrary code execution issue in the SplitCompat.install endpoint of Android’s Play Core Library (in versions prior to 1.7.2). The flaw, which ranks 8.8 out of 10 on the CVSS v3 scale, making it high severity, was previously disclosed in late August.