The beauty of open-source software lies in the dispersed communities that develop and maintain the code, often thanklessly. But while there’s strength in this approach, it can also present risks.
This was recently made clear with the discovery of a backdoor that had been inserted into XZ Utils, a data-compression toolkit that’s baked into many Linux operating-system distributions. Discovered by a Microsoft engineer named Andres Freund, the flaw could have allowed a major cyberattack with global consequences, as corporate servers commonly run on Linux.
A couple weeks after Freund’s discovery, we are none the wiser as to the real identity of the culprit, known to the community only as “Jia Tan”—this was probably a state-sponsored operation, but either way, “Jia Tan” spent years getting involved with and eventually taking over much of the XZ Utils project.
Yesterday, open-source leaders warned that the XZ Utils incident probably wasn’t a one-off. In a blog post, senior staffers at the Open Source Security Foundation and the OpenJS Foundation, which steers the development of many JavaScript technologies that underpin the web, called on everyone maintaining open-source projects to “be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.”
As reported in this post, an individual recently attempted to persuade the OpenJS Foundation to appoint them as the project maintainer of a popular JavaScript project, under the ruse of “addressing any critical vulnerabilities”. This approach seems to mirror that used by Jia Tan. Consequently, the Foundation identified a “similar suspicious pattern” in two other JavaScript projects not hosted by it, and alerted the relevant project leaders alongside U.S. authorities.
The OpenJS Foundation’s executive director, Robin Bender Ginn, and the Open Source Security Foundation’s general manager, Omkhar Arasaratnam expressed that whilst open source projects are always open to contributions from anywhere and anyone, administrative access to the source code as a maintainer entails a higher level of earned trust and is never provided as a ‘quick fix’ to any issues.
They went further to highlight that these social engineering attacks leverage the responsibility that maintainers feel towards their projects and communities, with the aim of manipulating them. They advised maintainers to be alert to interactions that induce self-doubt, feelings of inadequacy or a sense of falling short, as these might signal a social engineering attack.
Endor Labs’ Chief Security Officer Chris Hughes revealed to Computer Weekly his lack of surprise at the discovery of more efforts to infiltrate open source projects in this manner.
“We can likely suspect that many of these [attacks] are already underway and may have already been successful but haven’t been exposed or identified yet,” he said. “Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilizing social engineering attacks on them isn’t surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases.”
A reminder, if it were needed, of how much technical vulnerability we humans present. More news below.
David Meyer
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
This story was originally featured on Fortune.com
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
