In this episode of the podcast (#216), sponsored by Digicert, we talk with Brian Trzupek, Digicert’s Vice President of Product, about the growing urgency of securing software supply chains, and how digital code signing can help prevent compromises like the recent hack of the firm SolarWinds.
We spend a lot of time talking about software supply chain security these days. But what does that mean? At the 10,000-foot level it means “don’t be the next SolarWinds”: don’t let a nation-state actor infiltrate your build process and insert a backdoor that gets distributed to thousands of customers, including technology firms and three-letter government agencies.
OK. Sure. But speaking practically, what are we talking about when we talk about securing the software supply chain? Well, for one thing: we’re talking about securing the software code itself. We’re talking about taking steps to ensure that what is written by our developers is actually what goes into a build and then gets distributed to users.
Digital code signing – using digital certificates to sign submitted code – is one way to do that. And use of code signing is on the rise. But is that alone enough? In this episode of the podcast, we’re joined by Brian Trzupek, the SVP of Product at Digicert, to talk about the growing role of digital code signing in preventing supply chain compromises and providing an audit trail for developed code.
Brian is the author of this recent Executive Insight on Security Ledger where he notes that code signing certificates are a highly effective way to ensure that software is not compromised, but only as effective as the strategy and best practices that support it. When poorly implemented, Brian notes, code signing loses its effectiveness in mitigating risk for software publishers and users.
In this conversation we talk about the changes to tooling, process and staff that DEVOPS organizations need to embrace to shore up the security of their software supply chain.
“It boils down to do you have something in place to ensure code quality, fix vulnerabilities and make sure that code isn’t incurring tech debt,” Brian says. Ensuring those things involves both process, new products and tools as well as the right mix of staff and talent to assess new code for security issues.
One idea that is gaining currency within DEVOPS organizations is “quorum based deployment” in which multiple staff members review and sign off on important code changes before they are deployed. Check out our full conversation using the player (above) or download the MP3 using the button below.
The recent SolarWinds attack highlights an Achilles heel for enterprises: software updates for critical enterprise applications. Digital signing of code is one solution, but organizations need to modernize their code signing processes to prioritize security and integrity and align with DevOps best practices, writes Brian Trzupek the Senior Vice President of Products at DigiCert in this thought leadership article.
Even in today’s security-charged world, the SolarWinds breach was a wakeup call for cybersecurity professionals. It was distinguished by its sophistication and the fact that it was carried out as part of legitimate software updates. The incident was quickly all over the news and has brought renewed focus on the need for secure DevOps.
United Parcel Service (UPS) announced this week that it will test electric vertical takeoff and landing aircraft (eVTOLs) for package delivery. UPS purchased 10 eVTOLs from Beta Technologies (Beta), which it plans to test for use in its Express Air Delivery network. These eVTOLs are set to be delivered to UPS in 2024, pending certification from the Federal Aviation Administration (FAA). Beta Technologies also plans to provide landing pads and rechargeable batteries. On a single charge, the eVTOLs can fly up to 250 miles at 170 miles per hour.
All testing and operation of the eVTOLs will be done under Beta’s Flight Forward division, which is tasked with research and development for package delivery by drone.
Vice President for UPS’s Advanced Technology Group, Bala Ganesh, said “We can see a future where [the eVTOLs are] carrying, let’s say 1,000 pounds, 1,500 pounds to rural hospitals,” and landing on a helipad instead of at an airport.
However, there will be some literal obstacles in the way. For example, delivery by eVTOLs in a busy, congested city like New York might restrict some uses. UPS says it may not be a one-size-fits-all solution, but that the willingness to pay and urgency of need could mean that UPS would find a safe way for the eVTOLs to get there.
UPS said it initially plans to use them in smaller markets and create a series of short routes or one long route to meet customer needs. Even so, these eVTOLs can increase efficiency and sustainability while reducing costs.
Security researchers analyzing a widely used open source component have discovered security vulnerabilities that leave hundreds of thousands of software applications vulnerable to attack, according to a report released Monday.
The group of five researchers found the security vulnerabilities in netmask, an open source library used in a staggering 270,000 software projects. According to the report, the flaws open the door to a wide range of malicious attacks that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one.
Among the attacks enabled by the flaw are so-called server-side request forgeries (SSRF), as well as remote file inclusion, local file inclusion and more, the researcher called Sick Codes told The Security Ledger. Work to discover the extent of the flaws continues. The researchers have received a preliminary vulnerability ID for the flaw, CVE-2021-28918.
Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say.
Work on one vulnerable open source module uncovers another
According to Sick Codes, the vulnerability was discovered while doing work to fix another vulnerability in a widely used NPM library known as Private IP. That module, which was also widely used by open source developers, enables applications to block request forgery attacks by filtering out attempts to access private IPv4 addresses and other restricted IPv4 address ranges, as defined by ARIN. In a report published in November, researchers revealed that the Private IP module didn’t work very well and was susceptible to being bypassed using SSRF attacks against top tier applications.
SSRF attacks allow malicious actors to abuse functionality on a server: reading data from internal resources or modifying the code running on the server. Private-ip was created to help application developers spot and block such attacks. SSRF is one of the most common forms of attack on web applications according to OWASP.
The researchers working to fix the Private IP flaw turned to netmask, a widely used package that allows developers to evaluate whether an IP address attempting to access an application is inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined “block.”
The module has a range of other useful features, as well, such as reporting back on how many IPs are inside a given block. And, with no other “dependencies,” netmask seemed like the perfect fit to fix Private IP’s problems.
There’s only one problem: netmask itself was flawed, as the researchers soon discovered. Specifically, the module evaluates certain IP addresses incorrectly: it mishandles so-called “octal strings,” reading octets of an IPv4 address that begin with a leading zero as plain decimal integers rather than as octal values.
For example, the IPv4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string “0177” translates to the integer “127.” However, netmask evaluates it as the public IPv4 address 177.0.0.1, simply stripping off the leading zero and reading the remaining digits of the octal string as a decimal integer.
And the flaw works both ways. The IPv4 address 0127.0.0.01 should be evaluated as the public IP address 87.0.0.1, as the octal string “0127” is the same as the integer “87.” However, netmask reads the address as 127.0.0.1, a trusted, localhost address. Treating an untrusted public IP address as a trusted private IP address opens the door to local and remote file inclusion (LFI/RFI) attacks, in which a remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks.
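To make the octal mismatch concrete, here is an added example in JavaScript (netmask is an npm module); it is not code from netmask or from the researchers, and the function names (parseOctetStrict, parseOctetNaive, canonicalize, cidrContains) are my own. It reads a leading-zero octet the way inet_aton does, beside the “strip the zero, read as decimal” behaviour described above, and shows how a 127.0.0.0/8 filter flips depending on which reader is used.

```javascript
// Added example (not netmask's own code): how a leading-zero "octal"
// octet must be read, versus the "strip the zero, read as decimal"
// behaviour the article describes for vulnerable netmask versions.

// inet_aton-style octet: "0x.." hex, leading "0" octal, otherwise decimal.
// Returns null for anything malformed (e.g. "08", "", "1a") or > 255.
function parseOctetStrict(s) {
  let v;
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) v = parseInt(s.slice(2), 16);
  else if (/^0[0-7]*$/.test(s)) v = parseInt(s, 8);      // "0" alone is 0
  else if (/^[1-9][0-9]*$/.test(s)) v = parseInt(s, 10);
  else return null;
  return v > 255 ? null : v;
}

// The flawed reading: drop leading zeros and treat the rest as decimal.
function parseOctetNaive(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const v = parseInt(s, 10);                               // "0177" -> 177
  return v > 255 ? null : v;
}

// Dotted-quad -> unsigned 32-bit integer; exactly four octets required
// (inet_aton also accepts "127.1" style short forms; rejected here).
function ipv4ToInt(addr, parseOctet = parseOctetStrict) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    const o = parseOctet(p);
    if (o === null) return null;
    n = n * 256 + o;            // multiply, not <<, to stay unsigned
  }
  return n;
}

function intToDotted(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// Rewrite any accepted textual form as canonical dotted decimal, so a
// filter compares what the OS resolver will actually connect to.
function canonicalize(addr) {
  const n = ipv4ToInt(addr, parseOctetStrict);
  return n === null ? null : intToDotted(n);
}

// Is addr inside cidr ("127.0.0.0/8")? parseOctet selects the octet reader.
function cidrContains(cidr, addr, parseOctet = parseOctetStrict) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseInt = ipv4ToInt(base, parseOctetStrict);
  const addrInt = ipv4ToInt(addr, parseOctet);
  if (baseInt === null || addrInt === null || !(bits >= 0 && bits <= 32)) return null;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((baseInt & mask) >>> 0) === ((addrInt & mask) >>> 0);
}
```

The safest policy for a deny-list filter is to canonicalize first (or reject any address that is not already canonical dotted decimal) and only then compare against the block.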
A Popular Module with a Sterling Pedigree
Netmask is the creation of Olivier Poitrey, an accomplished developer who is the Director of Engineering at Netflix and a co-founder of the firm NextDNS. The module was first released nine years ago and gained prominence around 5 years ago, with version 1.06, which has been downloaded more than 3 million times.
The netmask module currently sees around 3.1 million downloads weekly, though development on netmask appears to have ceased during the last five years, up until the release of version 2.0.0 around 10 days ago, after discovery of the security holes.
Throwing open the doors to hackers
The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address.
Similarly, attackers could also disguise remote IP addresses as local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks.
Parsing IPv4 Addresses: Black Magic
Updates to address the flaws in netmask began appearing on March 19 with the release of version 2.0.0. A subsequent update, 2.0.1, was released on Monday. To date, only 6,641 downloads of the updated netmask module have completed, meaning the vast majority of open source projects using it remain vulnerable. Contacted via chat, Poitrey advised netmask users to upgrade to the latest version of the module.
But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that the textual representation of IPv4 addresses was never standardized, leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.
More to come
The impact of the flaw will become more clear in the weeks ahead, according to Sick Codes, as more examples of the IPv4 parsing problem are identified and patched in other popular open interpreted languages. “The implications are infinite,” he said.
In this episode of the Security Ledger Podcast (#203) we talk about the apparent hack of a water treatment plant in Oldsmar Florida with Frank Downs of the firm BlueVoyant. In our second segment: is infosec’s lack of diversity a bug or a feature? Tennisha Martin of Black Girls Hack joins us to talk about the many obstacles that black women face as they try to enter the information security field.
Part 1: Don’t Hack the Water!
An obscure water treatment facility in Oldsmar, Florida became ground zero for the United States’ concerns about foreign adversaries’ ability to access and control critical infrastructure last week, after local officials revealed in a news conference that an unknown assailant had remotely accessed the facility’s SCADA system and attempted to raise levels of the poisonous chemical sodium hydroxide in the drinking water by a factor of more than 100.
The attack failed after a worker at the treatment plant saw it play out on his terminal in real time, and adjusted the sodium hydroxide levels back to normal. Nor would it have worked, officials assured a worried public: sensors elsewhere in the water distribution system would almost certainly have caught the abrupt increase in the dangerous chemical.
But close calls do count when it comes to critical infrastructure hacks, and the Oldsmar incident set off federal investigations and a flurry of warnings and editorial hand-wringing about the risks facing critical infrastructure systems. That’s especially true with so many workers accessing them remotely during the pandemic, leaving sensitive systems exposed.
In our first segment this week, Frank Downs of the firm BlueVoyant joins us in the Security Ledger studio to discuss the water system hack and why critical infrastructure firms continue to struggle to protect their environments.
Can Infosec Walk the Talk on Diversity?
For years professionals have decried the lack of diversity in the information security field which, even more than high tech in general, is dominated by white men. At infosec conferences, concerted efforts have been made to give more visibility and voice to women and minorities. The dreaded “MANels” – panels made up entirely of men – have been targeted and, in many cases, banished. But down in the trenches – where infosec hiring takes place and infosec work is done – there is little evidence of change.
The lack of progress, despite a crushing shortage of infosec workers and the stated intentions of infosec leaders and executives, might get you wondering whether cyber’s lack of diversity is a bug or a feature of the system.
Our next guest suggests that it may be a feature indeed. Tennisha Martin is the founder of Black Girls Hack, a group that looks to promote women of color in cyber security. In this conversation, Tennisha and I talk about the many large and small obstacles that keep women like herself from pursuing cyber security careers: from inequalities in K-12 education to pricey certifications and acronym-stuffed job requirements. Solving those problems, Tennisha says, is going to take more than kind words and promises from Infosec leaders.
Tennisha Martin is the founder of Black Girls Hack, a non-profit organization that promotes women of color in the information security field.
In this episode of the podcast (#200), sponsored by Digicert: John Jackson, founder of the group Sakura Samurai talks to us about his quest to make hacking groups cool again. Also: we talk with Avesta Hojjati of the firm Digicert about the challenge of managing a growing population of digital certificates and how automation may be an answer.
Life for independent security researchers has changed a lot in the last 30 years. The modern information security industry grew out of pioneering work by groups like Boston-based L0pht Heavy Industries and the Cult of the Dead Cow, which began in Lubbock, Texas.
After operating for years in the shadows of the software industry and in legal limbo, by the turn of the millennium hackers were coming out of the shadows. And by the end of the first decade of the 21st century, they were free to pursue full-fledged careers as bug hunters, with some earning hundreds of thousands of dollars a year through bug bounty programs that have proliferated in the last decade.
Despite that, a stigma still hangs over “hacking” in the mind of the public, law enforcement and policy makers. And, despite the growth of bug bounty programs, red teaming and other “hacking for hire” activities, plenty of blurry lines still separate legal security research from illegal hacking.
Hacks Both Daring…and Legal
Still, the need for innovative and ethical security work in the public interest has never been greater. The SolarWinds hack exposed the ways in which even sophisticated firms like Microsoft and Google are vulnerable to compromised software supply chain attacks. Consider also the tsunami of “smart” Internet-connected devices like cameras, television sets and appliances that are working their way into homes and workplaces by the millions.
What does a 21st century hacking crew look like? Our first guest this week is trying to find out. John Jackson (@johnjhacking) is an independent security researcher and the co-founder of a new hacking group, Sakura Samurai, which includes a diverse array of security pros ranging from a 15-year-old Australian teen to Aubrey Cottle, aka @kirtaner, the founder of the group Anonymous. Their goal: to energize the world of ethical hacking with daring and attention-getting discoveries that stay on the right side of the double yellow line.
One of the lesser reported sub plots in the recent Solar Winds hack is the use of stolen or compromised digital certificates to facilitate compromises of victim networks and accounts. Stolen certificates played a part in the recent hack of Mimecast, as well as in an attack on employees of a prominent think tank, according to reporting by Reuters and others.
How is it that compromised digital certificates are falling into the hands of nation state actors? One reason may be that companies are managing more digital certificates than ever, but using old systems and processes to do so. The result: it is becoming easier and easier for expired or compromised certificates to fly under the radar.
Our final guest this week, Avesta Hojjati, the Head of R&D at DigiCert, Inc. thinks we’ve only seen the beginning of this problem. As more and more connected “things” begin to populate our homes and workplaces, certificate management is going to become a critical task – one that few consumers are prepared to handle.
What’s the solution? Hojjati thinks more and better use of automation is a good place to start. In this conversation, Avesta and I talk about how digital transformation and the growth of the Internet of Things are raising the stakes for proper certificate management and why companies need to be thinking hard about how to scale their current certificate management processes to meet the challenges of the next decade.
In this episode of the podcast (#199), sponsored by LastPass, we’re joined by Barry McMahon, a Senior Global Product Marketing Manager at LogMeIn, to talk about data from that company that weighs the security impact of poor password policies and what a “passwordless” future might look like. In our first segment, we speak with Sareth Ben of Securonix about how massive layoffs that have resulted from the COVID pandemic put organizations at far greater risk of data theft.
The COVID Pandemic has done more than scramble our daily routines, school schedules and family vacations. It has also scrambled the security programs of organizations large and small, first by shifting work from corporate offices to thousands or tens of thousands of home offices, and then by transforming the workforce itself through layoffs and furloughs.
In this episode of the podcast, we dig deep into COVID’s lesser discussed legacy of enterprise insecurity.
Layoffs and Lost Data
We’ve read a lot about the cyber risks of Zoom (see our interview with Patrick Wardle) or remote offices. But one of the less-mentioned cyber risks engendered by COVID is the mass layoffs that have hit companies in sectors like retail, travel and hospitality, where business models have been upended by the pandemic. The Department of Labor said on Friday that employers eliminated 140,000 jobs in December alone. Since February 2020, employment in leisure and hospitality is down by some 3.9 million jobs, the Department estimates. If data compiled by our next guest is to be believed, many of those departing workers took company data and intellectual property out the door with them.