Outside of the world of open source software, few people are likely to have heard of XZ Utils, a small but widely used tool for data compression on Linux systems. But last weekend, security experts uncovered a serious and deliberate flaw that could make networked Linux computers vulnerable to malicious attacks.

The flaw has since been confirmed as a critical issue that could allow a savvy hacker to gain control over vulnerable Linux systems. Because Linux is used in email and web servers and application platforms around the world, this vulnerability could give an attacker silent access to sensitive information on computers around the world – possibly including the device you’re using to read this.

Major software vulnerabilities, such as the SolarWinds hack and the Heartbleed bug, are nothing new – but this one is very different.

The attempt to hack XZ Utils took advantage of the way open source software development often works. Like many open source projects, XZ Utils is an important and widely used tool – and is maintained mostly by a single volunteer working in their spare time. This system has brought enormous benefits to the world in the form of free software, but it also poses unique risks.

Open Source and XZ Utils

First, a brief refresher on open source software. Most commercial software, such as the Windows operating system or the Instagram app, is “closed source” — meaning that no one but its creators can read or modify the source code. In contrast, with “open source” software, the source code is freely available and people are free to do whatever they want with it.

Open source software is very common, especially in the “nuts and bolts” of software that users don’t see, and very valuable. One recent study estimated the total value of open source software in use today at US$8.8 trillion.

Until about two years ago, the XZ Utils project was maintained by a developer named Lasse Collin. Around this time, an account using the name Jia Tan offered software improvements.

Not long after, some previously unknown accounts popped up to report bugs and submit feature requests to Collin, pressuring him to take on help maintaining the project. Jia Tan was the logical candidate.

Over the next two years, Jia Tan became more and more involved and, we now know, introduced a carefully hidden weapon into the software’s source code.

The revised code secretly modifies another piece of software, a ubiquitous network security tool called OpenSSH, so that it passes malicious code through to the target system. As a result, a particular intruder would be able to run any code they like on the target machine.

The latest version of XZ Utils, which includes the backdoor, was about to be included in popular Linux distributions and rolled out worldwide. It was only caught because a Microsoft engineer investigated some minor memory anomalies on his system.

A quick response

What does this event mean for open source software? Well, despite initial appearances, it doesn’t mean open source software is insecure, unreliable or untrustworthy.

Because all code is available for public scrutiny, developers around the world can quickly begin analyzing the backdoor and the history of how it was implemented. These efforts can be documented, distributed and shared, and specific malicious code fragments can be identified and removed.

A response on this scale would not be possible with closed source software.

An attacker would need to take a somewhat different approach to targeting a closed-source tool, perhaps by impersonating a company employee for an extended period of time and exploiting weaknesses in the closed-source software production system (such as bureaucracy, classification, unclear reporting lines and poor knowledge sharing).

However, if they did get such a backdoor into proprietary software, there would be no possibility of large-scale, distributed code auditing.

Lessons to learn

This case is a valuable opportunity to learn about different types of weaknesses and vulnerabilities.

First, it shows the ease with which online relationships between anonymous users and developers can turn toxic. In fact, the attack depended on normalizing these toxic interactions.

The social engineering part of the attack appears to have used anonymous “sockpuppet” accounts to guilt-trip and emotionally coerce the lead maintainer into accepting minor, seemingly innocuous code additions over a period of years, pushing him to cede development control to Jia Tan.

One user account complained:

You ignore many patches on this mailing list. You just throttled your repo.

When the developer mentioned mental health issues, another account chided:

I’m sorry for your mental health issues, but it’s important to know your own limits.

Individually such comments may seem harmless, but in a forum they become a mob.

We need to help developers and maintainers better understand the human aspects of coding, and the social relationships that shape, influence, or dictate how distributed code is produced. Much remains to be done to improve recognition of the importance of mental health in particular.

Another lesson is the importance of understanding “obfuscation”, a technique often used by hackers to make software code and processes difficult to understand or reverse engineer. Many universities do not teach it as part of a standard software engineering course.

Third, some systems are still running vulnerable versions of XZ Utils. Many popular smart devices (such as refrigerators, wearables and home automation tools) run on Linux. These devices often reach an age where it is no longer financially viable for their manufacturers to update their software – meaning they no longer receive patches for newly discovered security holes.

And finally, whoever is behind the attack – some have speculated it could be a state actor – has had free access to a variety of codebases over a two-year period, perpetrating a careful and patient deception. Even now, that adversary will be learning from how system administrators, Linux distribution producers and codebase maintainers are reacting to the attack.

Where from here?

Code maintainers around the world are now thinking about their vulnerabilities at a strategic and tactical level. It is not only their code that they will be concerned about, but also their code distribution procedures and software assembly processes.

My colleague David Lacey, who runs the non-profit cyber security organisation IDCARE, often reminds me that the situation facing cybersecurity professionals is best described by a statement from the IRA. After its failed bombing of the Brighton Grand Hotel in 1984, the terrorist organisation coldly claimed:

We were unlucky today, but remember we only get lucky once. You always have to be lucky.

(Author: Sigi Goode, Professor of Information Systems, Australian National University)

(Disclosure statement: Sigi Goode does not work for, consult with, participate in, or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.)

This article is republished from The Conversation under a Creative Commons license. Read the original article.

(Other than the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)
