Caution regarding the risks of taking control of open source projects through social engineering


The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation want to raise awareness among developers and open source project leaders of the growing risk of project takeover through what is known as social engineering. Details follow.

The recent XZ Utils backdoor attempt, which we covered in this article, may not be an isolated incident: the OpenJS Foundation, which hosts JavaScript projects, intercepted a similar and credible takeover attempt.

Hence the call from the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation to all maintainers of open source projects: be extremely vigilant against attempts to take control through social engineering.

The problem and the issues

The OpenJS Foundation Cross-Project Council received a suspicious series of emails, sent under different names but from overlapping GitHub-associated email addresses. These emails urged OpenJS to take steps to update one of its popular JavaScript projects to “fix all critical vulnerabilities”, without citing any details. The OpenJS team also identified a similar suspicious pattern in two other JavaScript projects not hosted by the Foundation, and immediately flagged the potential security issues.

The Foundations believe it is imperative, whatever the open source project concerned, to learn to recognize emerging threat patterns early and to be able to take steps to protect open source projects.

These social engineering attacks exploit the sense of duty that maintainers have towards their project and their community in order to manipulate them.

Open source projects always welcome contributions from anyone, anywhere, but granting someone administrative access to the source code as a maintainer requires a higher level of earned trust and is not granted as a “quick fix” to any problem.

The recommendations

This type of attack is difficult to detect, the Foundations acknowledge. So, what should maintainers do?

Here are some of the recommendations formulated:

  • Adopt (and revise, if necessary) security best practices such as those in the OpenSSF guides.
  • Use strong authentication. Enable two-factor authentication (2FA) or multi-factor authentication (MFA). Use a secure password manager.
  • Keep your recovery codes in a safe place, preferably offline.
  • Adopt a security policy including a “coordinated disclosure” process for reports.
  • Use best practices to merge new code.
  • Enable branch protections and signed commits.
  • Limit npm publishing rights.
  • Know your committers and maintainers, and do a periodic “check-up”.
  • Consult the following guides (in English): “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.
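As an added example (not from the article or from the Foundations), a small Python triage script that flags the pattern described above: messages from one identity under several display names, vulnerability claims with no checkable detail, and requests for maintainer or publishing rights. The messages, names and addresses are constructed; only the GitHub noreply address format (numeric user id, plus sign, username) is real.

```python
import re
from collections import defaultdict

# Constructed sample messages (display name, From address, body); not taken from the article.
SAMPLE_MESSAGES = [
    ("Alex R.", "4242+alexr@users.noreply.github.com", "Please merge my branch today, it will fix all critical vulnerabilities."),
    ("Alexander Roe", "4242+AlexR@users.noreply.github.com", "You urgently need a new maintainer to fix all critical vulnerabilities."),
    ("A. Roe", "alex.roe@example.com", "I can take over releases if you add me as an npm publisher."),
    ("Dana K.", "dana@example.org", "Bug in src/parser.js line 40; patch in PR #12 with a reproducer test."),
]
GITHUB_NOREPLY = re.compile(r"^(\d+)\+[^@]+@users\.noreply\.github\.com$")
URGENCY = re.compile(r"\b(urgent\w*|critical|vulnerab\w+|immediately|asap)\b", re.I)
# Checkable detail a genuine report normally carries: source file, commit hash, PR/issue number, CVE id.
SPECIFICS = re.compile(r"\b\w+\.(js|ts|py|c|go|rs)\b|\b(?=[0-9a-f]*\d)[0-9a-f]{7,40}\b|#\d+|\bCVE-\d{4}-\d{4,}\b", re.I)
PRIVILEGE = re.compile(r"\b(take over|new maintainer|add me|publish\w*|admin\w*|access)\b", re.I)


def canonical_identity(addr):
    """Collapse address variants onto one key; GitHub noreply ids survive username and case changes."""
    addr = addr.strip().lower()
    m = GITHUB_NOREPLY.match(addr)
    return f"github:{m.group(1)}" if m else f"email:{addr}"


def suspicious_clusters(messages):
    """Identities that write under more than one display name."""
    names = defaultdict(set)
    for name, addr, _ in messages:
        names[canonical_identity(addr)].add(name)
    return {k: v for k, v in names.items() if len(v) > 1}


def lacks_specifics(body):
    """A vulnerability or urgency claim with nothing verifiable behind it."""
    return bool(URGENCY.search(body)) and not SPECIFICS.search(body)


def triage(messages):
    """Return (index, display name, reasons) for every message worth a second look."""
    multi = suspicious_clusters(messages)
    report = []
    for i, (name, addr, body) in enumerate(messages):
        reasons = []
        if canonical_identity(addr) in multi:
            reasons.append("same identity, multiple names")
        if lacks_specifics(body):
            reasons.append("vulnerability claim without details")
        if PRIVILEGE.search(body):
            reasons.append("asks for maintainer/publish rights")
        if reasons:
            report.append((i, name, reasons))
    return report
```

Run `triage(SAMPLE_MESSAGES)` to see the three constructed messages from the "Roe" identity flagged and the concrete bug report left alone.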

To find out more, go to this page.
