Social engineering takeovers of open source projects

Original link: https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

The OpenJS Foundation and the Open Source Security Foundation (OpenSSF) are warning of a potential trend of social engineering attacks against open source maintainers. This follows the discovery of a failed attempt to compromise XZ Utils through a backdoor (CVE-2024-3094), which resembles an unsuccessful intrusion attempt that OpenJS had detected earlier. Both organizations advise open source project managers to stay wary of social engineering tactics. The intruders take a friendly but persistent approach, pose as community members, request maintainer roles, and push so-called urgent updates that hide malicious code. These operations mirror the methods used in the XZ Utils compromise attempt. Thanks to the OpenJS team's established security measures and careful review, neither the impostors nor their proposed code changes made it into OpenJS projects. To avoid falling victim to such deceptive tactics, open source contributors should watch closely for friendliness that masks aggression, unsolicited requests for administrative roles, endorsements from questionable sources, vague suggestions for improvement, unfamiliar coding approaches, and sudden increases in project instability. Understanding these patterns can help maintainers strengthen their defenses and ultimately protect valuable open source assets. Best practices for protecting open source projects include enforcing strict access rules, enabling multi-factor authentication, maintaining strong password hygiene, adopting a robust patch management system, restricting access to release functions, and performing regular security audits. In addition, foundations and governments can play a key role in supporting critical open source infrastructure, providing grants to enhance security, and fostering international cooperation against threats.

In this discussion, users describe the threat of companies or criminals attempting to corrupt developers through incentives and threats. They argue that even seemingly innocent coding mistakes could be deliberate, especially in light of high-profile bugs like Heartbleed. Users suggest that the lack of reports of successful attacks indicates either that no attempts have been made or that they are 100% effective. They propose a potential solution involving decentralized protocols for collaborative development and warn against over-reliance on any single vendor or foundation. They also encourage ongoing communication and rational thinking about probabilities and threat models. Users mention specific cases of compromised projects, including xz, and acknowledge the challenges of attribution and mitigation. They express concern about the growing complexity of open source code and the importance of maintaining healthy, diverse communities. They also discuss the possible role of machine learning in generating convincing fake commits. Overall, users advocate vigilance, education, and community engagement to meet these challenges.

Original article

XZ Utils cyberattack likely not an isolated incident

By Robin Bender Ginn, Executive Director, OpenJS Foundation; and Omkhar Arasaratnam, General Manager, Open Source Security Foundation

The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident, as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation are calling on all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.

Failed Credible Takeover Attempt

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.  

None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation’s security working group.

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source.

Suspicious patterns in social engineering takeovers:

  • Friendly yet aggressive and persistent pursuit of a maintainer, or of the entity hosting the project (foundation or company), by relatively unknown members of the community.
  • Request to be elevated to maintainer status by new or unknown persons.
  • Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
  • PRs containing blobs as artifacts.
    • For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
  • Intentionally obfuscated or difficult to understand source code.
  • Gradually escalating security issues.
    • For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
  • Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
  • A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.
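Three of the patterns above can be screened for mechanically before a human review: opaque blobs in a PR (especially under the test suite, as in XZ), obfuscated source, and edits to build/test glue. The pre-merge screen below is an added example, not code from the OpenSSF or OpenJS post; the path regex, the entropy and escape-density thresholds, and the sample PR contents are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Paths the post singles out: build/test glue where a payload can be spliced in.
BUILD_GLUE = re.compile(r"(^|/)(m4/|configure\.ac$|Makefile(\.am|\.in)?$|build\.rs$|package\.json$|.*\.m4$)")

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: compressed or encrypted data sits near 8.0, prose near 4-5.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_binary(data: bytes) -> bool:
    # NUL bytes or undecodable UTF-8 mean the file is not human readable.
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True

def looks_obfuscated(text: str) -> bool:
    # Heuristics: very long lines, or strings built from dense \x / \u escapes.
    longest = max((len(line) for line in text.splitlines()), default=0)
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", text))
    return longest > 500 or (bool(text) and escapes * 4 / len(text) > 0.3)

def screen_pr(files: dict[str, bytes]) -> list[str]:
    # One finding per red flag; the output is for a human reviewer, not a verdict.
    findings = []
    for path, data in files.items():
        if is_binary(data):
            where = "test suite" if "/test" in f"/{path}" else "tree"
            findings.append(f"{path}: opaque binary blob in {where} (entropy {shannon_entropy(data):.1f} bits/byte)")
        elif looks_obfuscated(data.decode("utf-8")):
            findings.append(f"{path}: source looks obfuscated or minified; ask for a readable form")
        if BUILD_GLUE.search(path):
            findings.append(f"{path}: build/test glue changed; review how it touches artifacts")
    return findings

SAMPLE_PR = {  # constructed PR contents for illustration, not from any real project
    "tests/files/sample.lzma": bytes(range(256)) * 4,
    "src/util.js": b"export const id = (x) => x;\n",
    "lib/loader.js": b'eval("' + b"".join(b"\\x%02x" % c for c in b"console.log('hi')") + b'")\n',
    "m4/constructed-helper.m4": b"dnl constructed build glue\n",
}
```

Running `screen_pr(SAMPLE_PR)` flags the blob, the escape-built string and the m4 change while leaving the plain source file alone; in CI the dict would be built from the PR's changed files, and every finding is a prompt for a closer look rather than an automatic rejection.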

These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them. Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.

Social engineering attacks like the ones we have witnessed with XZ/liblzma were successfully averted by the OpenJS community. These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering. In the short term, clearly and transparently sharing suspicious activity like those we mentioned above will help other communities stay vigilant. Ensuring our maintainers are well supported is the primary deterrent we have against these social engineering attacks.

Steps to help secure your open source project:

In addition to these recommendations, there are a number of security best practices that can improve the security properties of our projects. While these recommendations will not thwart a persistent social engineering attack, they may help improve the overall security posture of your project.

  • Consider following industry-standard security best practices such as OpenSSF Guides.
  • Use strong authentication.
    • Enable two-factor authentication (2FA) or Multifactor Authentication (MFA). 
    • Use a secure password manager.
    • Preserve your recovery codes in a safe, preferably offline place.  
    • Do not reuse credentials/passwords across different services.
  • Have a security policy including a “coordinated disclosure” process for reports.
  • Use best practices for merging new code.
    • Enable branch protections and signed commits. 
    • If possible, have a second developer conduct code reviews before merging, even when the PR comes from a maintainer.
    • Enforce readability requirements to ensure new PRs are not obfuscated, and that the use of opaque binaries is minimized.
    • Limit who has npm publish rights.
    • Know your committers and maintainers, and do a periodic review. Have you seen them in your working group meetings or met them at events, for example?
  • If you run an open source package repository, consider adopting Principles for Package Repository Security.
  • Review “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.

Steps for industry and government to help secure critical open source infrastructure:

Sustaining a stable and secure open source project puts pressure on maintainers. For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies that depend on these community-led projects yet contribute very little back.

To solve a problem of this scale, we need vast resources and public/private international coordination. There is already great work underway by the following organizations:

Open source foundations:

The Linux Foundation family of foundations and other similar organizations like ours can help provide a safety net for open source projects. Maintainers often lack the time, people and expertise in areas such as security. Neutral foundations help support the business, marketing, legal and operations behind hundreds of open source projects that so many rely upon. Our goal is to remove any friction outside of coding to support our maintainers and help their projects grow. As vendor-neutral nonprofits, we are uniquely positioned to offer expertise garnered from multiple stakeholders represented in our organizations.

On security, our open source foundations have found that the most effective approach is to provide technical assistance and direct support to open source projects.

Alpha-Omega, an associated project of the OpenSSF funded by Microsoft, Google, and Amazon, funds critical projects and ecosystems. The project aims to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly. The OpenJS Foundation has experienced how funding developers for security has had a proven impact through Alpha-Omega investments in Node.js and jQuery.

Sovereign Tech Fund:  

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is providing the OpenJS Foundation and more open source organizations significant funding to strengthen infrastructure and security. 

They have built a model with detailed reporting and accountability of resources, yet at the same time, have technical expertise on staff to customize security proposals for the variety of open source projects they fund.

It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in critical open source infrastructure through the Sovereign Tech Fund. 

We are advocating for more global public investment in initiatives like the Sovereign Tech Fund to invest in the global open source that society depends on, complementary to private funding. We recommend that public institutions learn from, adapt and coordinate with Germany’s Sovereign Tech Fund to support our interconnected open source projects and shared digital economies.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by corporate and end-user members, including GoDaddy, Google, HeroDevs, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

About the Authors

Robin Bender Ginn is the Executive Director of the OpenJS Foundation, the neutral home to drive broad adoption and ongoing development of key JavaScript and web technologies. She also serves on the leadership team at the Linux Foundation. Robin has led major initiatives advancing open source technologies, community development, and open standards. Previously, Robin spent more than 10 years at Microsoft where she was at the forefront of the company’s shift to openness.


Omkhar Arasaratnam is the General Manager of the Open Source Security Foundation (OpenSSF). He is a veteran cybersecurity and technical risk management executive with more than 25 years of experience leading global organizations. Omkhar began his career as a strong supporter of open source software as a PPC64 maintainer for Gentoo and contributor to the Linux kernel, and that enthusiasm for OSS continues today. Before joining the OpenSSF, he led security and engineering organizations at financial and technology institutions, such as Google, JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, he has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is also an accomplished author and has led contributions to many international standards. Omkhar is also a NYU Cyber Fellow Advisory Council member and a Senior Fellow with the NYU Center for Cybersecurity where he guest lectures Applied Cryptography.
