Tag Archives: Software supply chain

Most Third Party Libraries Never Updated After Included in a Codebase

Okay, you are probably tired of hearing me rant about the software supply chain, but it is a huge source of hacks: big hacks like SolarWinds and Microsoft Exchange, but mostly small hacks whose source we never figure out.

Researchers looked at what developers actually do.

They analyzed 13 million scans of 86,000 code repositories containing more than 300,000 unique libraries and also asked a couple of thousand developers what they did.

When developers had accurate vulnerability information, they fixed 17% of flaws within an hour and 25% within a week.

92 percent of open source flaws can be fixed with an update and 60 percent of those updates are minor.

Most of the time the updates are minor and unlikely to break things.
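The point above, that most fixes are a patch or minor version bump rather than a rewrite, is easy to measure in your own lockfile. The following is an added example, not code from the article or from the researchers it cites; the dependency list is constructed, the library names are placeholders, and the only rule applied is the semantic-versioning convention that a change in the major number is the one likely to break callers.

```python
"""Added example (not from the article): classify the third-party library
updates pending in a codebase by how far the version has to move.

Sample data below is constructed, not taken from the article or from any real
scan. Each Dependency records the version pinned in a lockfile, the newest
release available, and whether updating closes a known vulnerability.
"""
from __future__ import annotations

from dataclasses import dataclass
import re

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class Dependency:
    name: str
    pinned: str        # version currently in the lockfile
    latest: str        # newest release on the registry
    fixes_vuln: bool   # does moving to `latest` close a known vulnerability?


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a comparable tuple."""
    match = SEMVER.match(text.strip())
    if match is None:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def bump_kind(pinned: str, latest: str) -> str:
    """Return 'none', 'patch', 'minor' or 'major' for the jump pinned -> latest."""
    old, new = parse_version(pinned), parse_version(latest)
    if new <= old:
        return "none"
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def update_report(deps: list[Dependency]) -> dict:
    """Summarise how many vulnerable pins can be closed with a low-risk update.

    A patch or minor bump is treated as low risk (semver promises backward
    compatibility); a major bump is the one likely to need code changes.
    """
    vulnerable = [d for d in deps if d.fixes_vuln]
    low_risk = [d.name for d in vulnerable
                if bump_kind(d.pinned, d.latest) in ("patch", "minor")]
    major = [d.name for d in vulnerable if bump_kind(d.pinned, d.latest) == "major"]
    stale = [d.name for d in deps if bump_kind(d.pinned, d.latest) != "none"]
    return {
        "vulnerable": len(vulnerable),
        "low_risk_fixes": low_risk,
        "major_fixes": major,
        "low_risk_share": len(low_risk) / len(vulnerable) if vulnerable else 0.0,
        "stale": stale,
    }


# Constructed sample: placeholder library names, illustrative versions and flags.
SAMPLE_DEPS = [
    Dependency("json-parser-lib", "2.25.0", "2.25.1", fixes_vuln=True),
    Dependency("template-engine", "4.17.15", "4.17.21", fixes_vuln=True),
    Dependency("web-framework", "3.1.0", "3.2.4", fixes_vuln=True),
    Dependency("dom-toolkit", "1.12.4", "3.6.0", fixes_vuln=True),
    Dependency("matrix-math", "1.19.0", "1.19.0", fixes_vuln=False),
    Dependency("http-server", "1.1.2", "2.0.1", fixes_vuln=False),
]

if __name__ == "__main__":
    report = update_report(SAMPLE_DEPS)
    print(f"{report['vulnerable']} vulnerable pins, "
          f"{report['low_risk_share']:.0%} fixable with a patch/minor bump")
    for name in report["major_fixes"]:
        print(f"  needs a major-version upgrade (plan for breakage): {name}")
```

The split the report produces (three of four vulnerable pins fixable with a low-risk bump, one needing a major upgrade) is the kind of number the study quotes; in practice the `fixes_vuln` flag would come from your scanner's output rather than being hand-entered.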

Only half of the developers said that they had a formal process for selecting third party libraries, and more than a quarter had no idea whether they did or not.

The security of libraries ranks third in selection – after functionality and cost. That is probably okay if third doesn’t mean “whatever”.

As the executive order on cybersecurity gets fleshed out, expect more attention from companies on the subject, because if they don’t pay attention they will not be able to sell their software to the government or even use particular open source software at all.

For some companies it will become best practice and if you don’t have the ability to track and maintain libraries, they will find a vendor who will. This is independent of whether they sell to the government or not.

Credit: Help Net Security

Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100 acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, a 100 acre block of land contains a lot of people, and they are not particularly suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request. Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16 year old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 GB of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are and has seized several domains that were posing as Microsoft domains and were being run by the Russian spy agency GRU and created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group). Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties. While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb, asking “what web sites?” and “what do you mean, impacting the elections?” No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates. (Source: CNN)

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach? The root cause of that was an unpatched computer running Apache Struts software. Now there is another Apache Struts bug and this one is being called critical. The CVSS (Common Vulnerability Scoring System) score is 10 out of a possible 10. Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products? Cisco? Hitachi? IBM? Oracle? VMware? Well then, you might be using Struts (depending on exactly which product from those companies you use). (Source: Risk Based Security)

News Bites For June 22, 2018

Latest Cost Estimates For Equifax Breach is $439 Million

According to recent (March) tax filings, costs related to their breach are now $439 million, making the Equifax breach the costliest in US history. Assuming insurance does pay, it would cover, at most, $125 million, leaving Equifax to write a check for $300 million plus. Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow. While Equifax’s investors can write that check, I am sure that none of them are happy about doing so. (Source: Computing.co)

Apple, Others Allow Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI

After all, what could go wrong?

U.S. tech companies have given in to Russian, Chinese and other countries’ demands to review the source code for their products. Not only does this expose vulnerabilities (which they likely will NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never ending quest to increase sales and profit.

A bill currently in Congress would force companies who do business with the government to disclose any source code review done by military adversaries.  Forcing companies to disclose will keep the pressure on to stop doing that.

The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.

The companies say that the reviews are done in company controlled facilities.  I am sure that they use one of those memory wipers from the Men In Black movies on the reviewers before they leave the room.

The knowledge that the Russians and Chinese get is, of course, used against everyday companies as well as the government and is used to build competing products that they sell against ours.

The article has a graphic with examples of software reviewed and who uses it.  (Source: Reuters)

Senate Votes 85 to 10 to Continue ZTE Ban

ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month from buying parts and selling products in the U.S. by the Commerce Department. President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion dollar fine and saying that would make it a non-threat. The Senate attached a bill to the Defense Authorization Bill outlawing ZTE, nullifying Trump’s gimmicky non-solution. Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10 any veto would be quickly overridden. (Source: Politico)

macOS Quicklook Feature Exposes Data on Encrypted Volumes

Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your Mac. macOS conveniently creates thumbnails of those pictures to show you and stores them unencrypted, so while the full resolution picture is encrypted, the thumbnail is not. Apple says this is a feature and is not going to fix it.

This problem also exists on Windows.  If you store a Word or Excel document, for example, on an encrypted volume, the temp file that those programs use will be on an unencrypted system volume.  The only way to “fix” this is to encrypt the system volume. (Source: Ars Technica)

Software Supply Chain is a Critical Issue

Recently there have been a number of reports of cities having credit card breaches. It turns out that it all ties back to the same vendor that those cities all use, called Superion. At least 10 cities have reported being breached and there are probably more. Superion has finally admitted that the breach was due to a WebLogic (Oracle) bug that had not been patched. The cities counted on Superion to keep them safe. Superion is blaming Oracle. Ultimately, it is the cities and taxpayers who will foot the bill for this mess – a mess caused by not managing the entire software supply chain from end to end. Likely those cities were not even aware that they were running Oracle software. Whose fault is that? (Source: Dark Reading)

Software Supply Chain Attacks are Real

For those of you who have been reading my blog for some time, you know that I have written about the software supply chain security problem. In a nutshell, the problem is that programmers rarely write code from zero anymore. Instead teams write pieces of code and integrate them. Then there is limited testing due to time and budget. Finally, everyone crosses their fingers and the code is released.

The folks at CCleaner discovered the hard way that it doesn’t always work out the way you expected.  Or hoped.

About 6 months ago researchers at Talos (a part of Cisco) and Morphisec discovered that the absurdly popular disk cleaner software CCleaner had been compromised and that infected software was being downloaded from the official web site, and had been for a month.

Worse yet, the code was cryptographically signed, which means two things: most users would trust it, and the attack happened from within CCleaner’s four walls.

Finally more details of the story are coming out; useful for anyone else that writes software, for free or for money, and distributes it to outside parties.  This could be YOU!

2.27 million infected downloads (in just a month) later, Avast, the owner of CCleaner, is spilling the beans.

Not only is this a software supply chain lesson, but it is also a merger and acquisition lesson, because this was discovered right after Avast bought CCleaner from Piriform.

The attackers had stolen credentials and used them to log into Piriform’s London network using the remote desktop software TeamViewer that Piriform used. From there they infected other computers, only working at night when the computers were likely not in use, to avoid detection.

They then installed some malware called ShadowPad, which allowed them, among other things, to log every single keystroke on the infected machines.

Then they waited.  Two months after the acquisition closed, they infected the software inside the fence and waited for the infected software to be signed and uploaded to the web.

The attackers were very smart on top of this. While 2.27 million infected copies were downloaded and 1.65 million copies asked the control server for instructions, only 40 payloads, representing 11 highly targeted companies, were activated with a second stage. That is very patient: being willing to let over two million copies be downloaded in order to infect only 40 very precise targets. Those targets were in particular tech companies like Cisco.

Information for this post came from Wired.

So what does this mean for you?

First, if you are acquiring a company – or selling one – this could happen to you. If you are the seller, you could be sued for millions. If you are the buyer you could be on the hook for millions. It all hinges on the words in the contract. CONDUCTING SOFTWARE SECURITY DUE DILIGENCE DURING AN ACQUISITION IS VERY IMPORTANT. This is an example of why.

While this is not an example of downloading an infected library, the library did get infected.  How did the bad guys infect the code and get it checked in to the official library?  How come no review detected the added code that no one officially added?  The SECURE SOFTWARE DEVELOPMENT LIFECYCLE process might have caught this.

Could this have been caught during testing? Probably. You would have needed to be watching for where on the Internet CCleaner was talking to that it shouldn’t have been. In fact, since it was trying to talk to Russia and Korea, that could have been an alarm bell, since the test network likely should never have tried to do that. But you have to be looking for it.
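The “you have to be looking for it” part is the work. Below is an added example, not code from the article or from any of the companies it names, of the check a build or test network could run over its egress logs: anything that is not on a short allowlist of expected destinations gets reported, with extra reasons attached when the destination is a bare IP, sits in an unexpected region, or is contacted in the middle of the night (the pattern the post describes). The log lines, the key=value layout, the host names and the prefix-to-region table are all constructed; the table uses documentation address ranges and stands in for a real GeoIP database.

```python
"""Added example (not from the article): flag outbound connections from a build
or test network that go somewhere they should not.

The log lines below are constructed for this example; the key=value layout
stands in for whatever a firewall, proxy or EDR agent actually emits. The
prefix-to-region table is also constructed (it uses documentation address
ranges) and stands in for a real GeoIP database.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) sni=(?P<sni>\S*)$"
)

# Destinations the build network is expected to reach (constructed names).
ALLOWED_DESTINATIONS = {"updates.example-vendor.test", "repo.example-vendor.test"}

# Hours (UTC) during which nobody is expected to be working on these hosts.
OFF_HOURS = range(0, 6)

# Constructed stand-in for a GeoIP lookup, keyed by documentation prefixes.
PREFIX_REGION = {
    ipaddress.ip_network("198.51.100.0/24"): "home-region",
    ipaddress.ip_network("203.0.113.0/24"): "region-A",
    ipaddress.ip_network("192.0.2.0/24"): "region-B",
}
EXPECTED_REGIONS = {"home-region"}


def region_of(ip: str) -> str:
    """Map an address to a region label via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, region in PREFIX_REGION.items():
        if addr in net:
            return region
    return "unknown"


def find_unexpected_egress(log_text: str) -> list[dict]:
    """Return one finding per connection whose destination is not allowlisted.

    Each finding carries the reasons that make it worth a look: an unlisted
    destination, a missing server name, an unexpected region, off-hours timing.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # unparsable line: a real pipeline would count these too
        sni = m["sni"]
        if sni in ALLOWED_DESTINATIONS:
            continue
        reasons = ["destination not on allowlist"]
        if not sni:
            reasons.append("no server name (bare IP connection)")
        region = region_of(m["ip"])
        if region not in EXPECTED_REGIONS:
            reasons.append(f"destination region {region}")
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        if ts.hour in OFF_HOURS:
            reasons.append("off-hours activity")
        findings.append({
            "host": m["host"],
            "proc": m["proc"],
            "dst": f"{m['ip']}:{m['port']}",
            "reasons": reasons,
        })
    return findings


# Constructed sample log: one expected update check, two unexplained
# connections from the same process at 02:00, one normal daytime git fetch.
SAMPLE_LOG = """\
2018-07-12T02:13:44Z host=build-03 proc=ccleaner.exe dst=198.51.100.20:443 sni=updates.example-vendor.test
2018-07-12T02:13:50Z host=build-03 proc=ccleaner.exe dst=203.0.113.7:443 sni=
2018-07-12T02:14:02Z host=build-03 proc=ccleaner.exe dst=192.0.2.99:80 sni=
2018-07-12T09:01:10Z host=dev-11 proc=git.exe dst=198.51.100.5:443 sni=repo.example-vendor.test
"""

if __name__ == "__main__":
    for finding in find_unexpected_egress(SAMPLE_LOG):
        print(f"{finding['host']} {finding['proc']} -> {finding['dst']}: "
              + "; ".join(finding["reasons"]))
```

The allowlist is deliberately short: a build network has a small, knowable set of legitimate destinations, which is exactly what makes it a good place to alert on everything else.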

How come the attackers were able to compromise TeamViewer in the first place? My bet is that Piriform was not using two factor authentication. Bad boys and girls. I know two factor is not friendly. Neither is having 2 million infected copies of your software downloaded by your customers.

In the end you need to look at the entire software development process and think like a hacker to decide where he or she could compromise the process.

Obviously, these guys did.

How many other companies are already infected and don’t even know it?  THAT IS WHAT IS SCARY!

Russian AV Software Banned While FBI Uses Russian Fingerprint Software

Eugene Kaspersky’s anti-virus software has been banned from being used by the Federal government mostly because an NSA software developer went “off the reservation”, took some classified software home and loaded it on a personally owned PC running Kaspersky’s AV software, configured by the developer to share potentially malicious software with Kaspersky, thereby compromising an entire development project (see article here).

That was enough to get Kaspersky’s software banned from the government.

In the meantime, it appears, the FBI and 18,000 other law enforcement agencies are running fingerprint software developed by a French company who partnered, secretly, with a Russian company.

The Russian company has close ties to Putin, the Kremlin and the FSB.

The FBI opted to buy the fingerprint software from Paris based Safran rather than from a U.S. based company.

The Paris company partnered with the Russian company Papillon to improve its software capabilities but decided to keep that fact completely secret. Papillon boasts on its web site about working with the FSB, the successor to the KGB. In the agreement between the two companies, it says that they need to keep the agreement secret because if it came out that the Russian software was in use it might doom the French company’s bid.

Apparently, according to documents which are part of a whistleblower lawsuit, the Russian company signed a document that there were no backdoors in their code.  That, I am sure, will handle all issues.

At risk here is the fingerprint and related data of tens of millions of Americans and others whose fingerprints are stored by those 18,000 law enforcement agencies.

After all, if the FSB front company signed a piece of paper that their software had no backdoors in it, surely they would not lie about something like that, would they?

As the whistleblower suit proceeds we will know more.

I also assume that FBI, NSA and contractor software and security experts are poring over that software with a high power microscope.

However, one more time, it points out the critical nature of understanding the software supply chain.  Every piece of software developed has a software supply chain and we can certainly cover our eyes and pretend it is not a problem.  I don’t think that is working out so well for the FBI right now.

Information for this post came from BuzzFeed.

Equifax, Trans Union and the Software Supply Chain

One more time, Equifax is in the news – but they are not alone!

Users thought that Equifax had been hacked again because when customers went to a particular help page on their web site, they were redirected to a page directing them to download a malicious, fake, Adobe Flash update.

Hopefully, no one is running Flash anymore, so the request to update Flash could be safely ignored anyway.

Given the optics of the whole thing, Equifax immediately took that page offline.

The IRS, who has reputation optics problems of its own and who just renewed a $7 million no-bid contract to Equifax AFTER the first breach, immediately suspended the renewed Equifax contract, even though doing so removed some functionality from the IRS web site.  Given the complexity of government contracting rules, the IRS is limited in what it can and cannot do, but that didn’t stop Congress-critters from trying to score points with their constituents by yelling at the IRS.

In the meantime, researchers discovered that TransUnion’s web site for Central America was serving up the same, exact malware! Within a couple of hours, TransUnion said that they had fixed the web site and were scanning their other web sites to see which ones were affected or infected.

It turns out, in this case, that neither TransUnion nor Equifax had been breached.

The problem was, as I keep saying at every opportunity, a software supply chain problem.

The software supply chain problem comes from the fact that most web sites integrate some (or a lot of) third party code. That code can be infected and then infect the users of the company’s web site.

In this case, both TransUnion and Equifax used a company called Fireclick. Fireclick goes through a bunch of gyrations but eventually either displays a fake survey, a fake Flash update or another exploit. Fireclick, part of the conglomerate Digital River, provides web site analytics. Or should. But, apparently, they got compromised and likely compromised HUNDREDS if not THOUSANDS of web sites that use their analytics software.

Fireclick pulls in code from a fourth party, Netflame.
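One concrete control for the third party script problem just described, which the post itself does not mention, is Subresource Integrity: the page that embeds a vendor’s script records a digest of the exact script it tested, and the browser refuses to run anything the vendor later serves that does not match. The following is an added example, not code from the article, from Equifax, TransUnion or Fireclick; the script bodies are constructed and `analytics.example-vendor.test` is a placeholder host.

```python
"""Added example (not from the article): pin a third-party script with a
Subresource Integrity (SRI) digest so that a browser refuses to execute it if
the content served by the third party changes.

The script bodies below are constructed; "analytics.example-vendor.test" is a
placeholder host, not a real service.
"""
import base64
import hashlib
import hmac

ALGO = "sha384"  # SRI accepts sha256, sha384 or sha512


def make_integrity(script: bytes, algo: str = ALGO) -> str:
    """Return the value for a <script integrity="..."> attribute.

    SRI format: "<algorithm>-<base64 of the raw digest>".
    """
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(script: bytes, integrity: str) -> bool:
    """Re-derive the digest of fetched content and compare it to the pinned value.

    This is the check the browser performs before executing the script; doing it
    server-side (for example in a periodic monitor) tells you the vendor changed
    the script before your users start hitting a blocked resource.
    """
    algo, sep, expected_b64 = integrity.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    actual = hashlib.new(algo, script).digest()
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, script: bytes) -> str:
    """Build the HTML tag that pins `script` as served from `src`.

    crossorigin="anonymous" is required for SRI on cross-origin scripts.
    """
    return (f'<script src="{src}" integrity="{make_integrity(script)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the script as reviewed, and the same script with extra
# content appended, as would happen if the vendor's copy were modified.
ORIGINAL = b"(function(){window.trackPageView=function(page){/* send beacon */};})();\n"
TAMPERED = ORIGINAL + b"/* appended content not present when the page was reviewed */\n"

if __name__ == "__main__":
    pinned = make_integrity(ORIGINAL)
    print(script_tag("https://analytics.example-vendor.test/track.js", ORIGINAL))
    print("original matches pin:", verify_integrity(ORIGINAL, pinned))
    print("modified matches pin:", verify_integrity(TAMPERED, pinned))
```

The caveat matters for exactly the scenario in this post: SRI only protects a script whose content you can pin, so an analytics vendor that ships changes on its own schedule will break the pin rather than be caught by it, and a script that in turn loads a fourth party (as Fireclick did with Netflame) is not covered by the first script’s digest. For that second hop the tool is a Content-Security-Policy `script-src` directive that names the hosts allowed to run code on your page, which would also have stopped an unlisted origin from serving the fake Flash update.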

So the question is – whose fault is this?

I lay the fault at the feet of companies that use third (and fourth) party code. As soon as a company decides to do that, they “own” the problems that code causes. No one cares that Equifax and TransUnion use a third or fourth party. They visited Equifax’s or TransUnion’s web site and were served malicious content.

Equifax and TransUnion deserve and get the black eye.

So if you develop software, pay others to develop software or use commercial or open source software (which should cover just about everyone with a computer), you need to understand this software supply chain problem and have a policy and procedures to deal with it.

Attackers have figured out time and time again that it is easier to attack your supply chain than to attack you.

AND, if the attackers are successful and your customers are compromised, they are going to come after you and the courts will, most likely, hold you liable.

So, two more things for your to-do list besides creating a software supply chain risk management program: get cyber insurance so that you are not left holding the financial bag when your vendors screw up (while you might, possibly, be able to sue them, even if you are successful it will take you years to recover any money), and make sure that your contracts with third parties (assuming there are contracts and that you have some say over what is in them) hold those parties responsible and financially liable for damage that they cause to you. If there are no contracts, or you can’t get the vendor to assume the liability of infecting you, you need to make sure that you address that risk in your risk management program.

Information for this post came from SC Magazine, Politico and Ars Technica.