How open source flaws pose a rising threat to all businesses

September 15th, 2016

By Byron Acohido

Arguably the biggest security blind spot in just about every business network is something too few security executives are aware of, much less focusing on: open source software vulnerabilities.

This truism first rose to the fore in 2014 with the flurry of malicious activity following the discovery of gaping defects in three innocuous open-source protocals: Heartbleed, Shellshock and POODLE.

And today, a long know vulnerability in open-source JBoss application servers is being leveraged by criminal gangs to scale up highly invasive ransomware attacks against business networks, according to intelligence recently shared by Cisco.

These are telltale signs. More open-source-based attacks are coming. Organizations need to recognize this rising exposure, and manage open-source defects as assidiuosuly as they do vulnerabilities in their paid-for commercial software systems, security experts say.

“More and more companies are embracing open source technologies for mission-critical operations, thanks to its ability to lower costs and accelerate innovation” observes Alexandra Gheorghe, security specialist at antimalware vendor BitDefender. “As open source software development continues to proliferate, the potential risk of cyber attacks increases.”

Root of the problem

The root of the problem derives from the very nature of open-source software, which is steeped in a spirit of pioneering altruism. Independent coders create open-source programs for the sake of writing good code. They then make it available for anyone to use and extend, license free.

It is not uncommon for just a handful of volunteers working part-time to maintain an open source software package. Best coding  practices, such as threat modeling, static analysis, manual code reviews and security testing, are bypassed. Down the line, patch management is rudimentary. No vendor or government agency assumes  responsibility for systematically identifying and mitigating open source vulnerabilities. This circumstance is compounded by the wide practice of reusing critical libraries, originally developed by understaffed groups that do not have the necessary resources to properly maintain the codebase, Gheorghe points out.

To be sure, gaping vulnerabilities are not the exclusive domain of open source systems –licensed proprietary software has them too. “However, open source software is often developed with very limited resources,” and with little by way of secure software development lifecycle practices, says Amit Sethi, senior principal consultant at application security vendor Cigital.

If that sounds like a recipe for an attack surface riddled with criminal opportunity, it is. For understandable reasons, open-source protocals came to be used deep within the infrastructure of business networks and the Internet. In fact, if it wasn’t for open-source coding, corporate networks and digital commerce would never have evolved as quickly as it did, mushrooming in complexities and capabilities.

Underestimated exposure

 But now, the other shoe falls. Open source software vulnerabilities have come to present an increasingly serious security and privacy risk to companies of all sizes – one that for the moment is starkly underestimated.

A survey of 1,300 IT executives by Black Duck Software earlier this year had 90 percent of the respondents saying their organizations relied on open source for a variety of reasons including improved efficiency, interoperability, innovation and freedom from vendor lock-in.

However, nearly half said they had no formal process for selecting or approving the use of such software in their organizations while about the same number expressed their inability to track such use. Nearly one-third had no processes for identifying and mitigating known vulnerabilities in open source code being used in their organizations, the Black Duck survey found.

Importantly, in the open source realm, there are few formal programs available like Windows Auto Update for automatically installing security patches on vulnerable software.  So it falls upon the enterprise entirely to keep track of vulnerability disclosures impacting their open source portfolio and for ensuring deployment of patches in a timely manner.

Businesses only exacerbate the problem when they deploy open source products and code without properly vetting it for security issues on the mistaken notion that it is already secure. Nearly 50 percent of the code base at some organizations, according to Black Duck, is already comprised of open source components.

A long standing joke in the developer community is that if StackOverflow, the über popular Q&A website site for programmers, went down for a day thousands of programmers would find themselves in the unemployment line.

“The abundance of public code, often written by programmers just as inexperienced as the original client, leads to potentially unsafe code resting in thousands of different applications,” says BitDefender’s Gheorghe.

Forgotten lessons

Given their frustrations keeping bad guys from breaching their licensed business applications, many security executives appear to have forgotten the open-source lessons of 2014.

You may recall how, in 2014, Heartbleed exposed the OpenSSL protocols widely used by website shopping carts; Shellshock enabled a hacker to take control of the module used to type text-based commands on Linux , Unix and Mac servers; and POODLE opened a path to highjack accounts from visitors using secured banking and shopping webpages.

More recently, a large-scale vulnerability was discovered in Linux 3.6, which has been around since 2012 and was used to introduce Android 4.4 KitKat. This is the version of Linux used in all versions of Android after KitKat, including the current version, Android Nougat. This makes some 80 percent of Android users, or around 1.4 billion individuals, open to being hacked.

That Android vulnerability highlights how Web apps present an acute open-source pain point. BitDefender analysts routinely observe spam, data theft and ransomware campaigns stemming from minimally secured Web app content management systems.

“Despite known risks and safety recommendations, many organizations still fail to update add-ons and plugins, thus, exposing their networks and users,”  says Gheorghe. “This failure partially happens because some highly popular open-source plugins or themes are discontinued and vulnerabilities discovered after the project’s termination are left unpatched forever.”

JBoss vulnerability

And now comes some similarly chillingly intel from Cisco regarding JBoss. It turns out that several versions of JBoss application servers contain a vulnerability that allows hacker to take control of the server. Though Red Hat issued a patch for the JBoss flaw about five years ago,  many organizations failed to implement the patch. The result:  more than 3.2 million JBoss servers left open to a nasty ransomware exploit dubbed SamSam.

Cisco researchers found that about 10 percent of all web-connected JBoss servers have been compromised, putting a huge computing resource under criminal control. Cisco found examples of intruders using JexBoss, an open-source tool for testing JBoss application servers, to gain a foothold in organizations’ networks.

Once inside the network, the intruders proceeded to encrypt multiple Microsoft Windows systems using the SamSam ransomware family. “We expect the next wave of ransomware to be even more pervasive and resilient,” Cisco warns in its Mid-Year Cybersecurity report. “Organizations and end users should prepare now by backing up their critical data and confirming that those backups will not be susceptible to compromise.”

Open-source clearly has great value. We wouldn’t be where we are today without it. But to harness the full power of open source, organizations need to focus on:

  • Implementing robust security policies that contain clear guidelines about the installation and maintenance of open source software.
  • Performing an extensive risk and security analysis of any open source considered for an enterprise use.
  • Download software only from trusted sites.
  • Using vulnerability scanners to scan the network for vulnerabilities.

Over the next few years, expect to see many more high-risk vulnerabilities in open source software. It is imperative for organizations of all sizes to view open source vulnerabilities as an exposure on par with vulnerabilities in their licensed software.

(Editor’s note: I have done content consulting work for BitDefender.)

 

 

Machine learning shows promise for improving cyber defenses

By Byron Acohido

LAS VEGAS — The cyber security sector  generates mountains of data.

Security Information & Event Management, or SIEM, systems, like Splunk, generate logs of all network traffic. Threat data pours in from next generation firewalls, endpoint security systems, intrusion prevention and  detection systems and vulnerability management systems. A growing crop of threat intelligence vendors are coming up with innovations to make better use of this ocean of threat data.

The key to truly leveraging the vast amounts of threat data …more

Ransomware rampage takes aim at business targets

By Byron Acohido

sh_ransomware_7501_250pxConsumers are no longer the prime target of ransomware campaigns. After years of petty thievery on a global scale – locking up the computer screens of millions of consumers with scams to sell bogus $79 antivirus clean-up services  –  they’ve turned their attention to much bigger fish.

The opening quarter of this year saw a 7 percent  rise  in registration of websites set up exclusively to host ransomware campaigns, …more

Why ‘Shadow IT’ must be addressed

120316_DDos screen175pxBy Byron Acohido

By-passing the IT department in to order begin utilizing the hottest new technologies is something tech-savvy employees have been doing since the inception of corporate networks. Most often, these workers aren’t maliciously motivated. They are simply intolerant of plodding decision-making and so take it into their own hands to acquire and begin using nifty new tools  they believe will help them become more productive.

This dynamic — variously referred …more

LastWatchdog moves to ThirdCertainty.com

black-hat2

(Editor’s note: Last Watchdog is on the move. On this site you may continue to access my body of work on security and privacy topics since 2008. I’m not done yet. Going forward, I will continue delivering smart content as Editor-In-Chief for ThirdCertainty, a  new cybersecurity and privacy online publication sponsored by  IDT911. Full disclosure: ThirdCertainty’s parent company, IDT911,  is an identity theft and data loss assistance firm owned …more

Microsoft comes to aid of SMBs reliant on Windows XP

By Byron Acohido, Last Watchdog

KINGSTON, Wash. –  Microsoft should be applauded for reversing its policy , and broadly issuing a  security patch for a profound new security hold recently discovered in  Windows XP.  This is a major benefit to thousands of small and medium sized businesses reliant on XP.

SMBs already have their hands full dealing with intensifying attacks and the high likelihood that their networks have been  breached. This SANS Institute survey of 948 IT pros found the majority of respondents operate on the assumption that their respective company’s networks are compromised, or soon will be. The survey was sponsored by Guidance Software.

So when Microsoft came along last April and stopped all support for XP, including issuing security patches, things got dicier. And the discovery of this latest flaw in IE browsers underscored how that move makes XP machines ripe targets. …more

Why $3.6 million to prevent next Heartbleed isn’t enough

By Byron Acohido, Last Watchdog

A dozen tech behemoths — led by Microsoft, IBM, Google, Intel and Cisco — have stepped forward with cold, hard cash to prevent the next Heartbleed.

Each has pledged $100,000 annually for the next three years to a war chest earmarked to fund improvements of open source technology.

That’s a collective pledge of $3.6 million, through 2016, set aside in something called the Core Infrastructure Initiative, administered by The Linux Foundation. …more