Distributing Malware By Becoming an Admin on an Open-Source Project

The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project.

Cory Doctorow points out that this is a clever new attack vector:

    Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive.

    Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity.

    This presents a scary social-engineering vector for malware: A malicious person volunteers to help maintain the project, makes some small, positive contributions, gets commit access to the project, and releases a malicious patch, infecting millions of users and apps.

Posted on November 28, 2018 at 6:48 AM • 32 Comments

Comments

Clive Robinson • November 28, 2018 7:49 AM

@ Bruce,

    Cory Doctorow points out that this is a clever new attack vector

I'm fairly certain the "idea" is far from new as it has been discussed at quite some length in the past over the failings of "code signing" to insider attacks along the production / supply chain.

Oh and do people remember the original "Microsoft Word Macro malware"?

Then there were the issues with certain "code repositories" adding stuff to what they considered "abandoned" projects...

linuxoid-1995 • November 28, 2018 7:50 AM

This doublespeak, sneaking "warning" needs translation into plain English:

"we (the mainstream computing corporations, who serve the needs of the "owners" of the USA and the Western world) are ready now to attack and outlaw, or repossess and subvert, the GNU and "open source" software, the way we have done with Linux systemd, Ubuntu project, "microsoftization" of Linux, etc.

So "we" need a pretext to start the attack -- exactly as we used some freak to do her hysterical act against the very Linux kernel developer who refused to confine randomness to a dedicated (and possibly backdoored) on-the-board hardware chip -- and blackmailed the Linux developer community into accepting a new "code of conduct", which allows "us" to kick out any future developer, who'd go against the NSA wishes etc.

SO - here comes the useful "opinion" of Cory Doctorow, pointing at the fantasized abstract "vector" with the well-established utilities in the GNU world.

..well, it figures. The corporations and the "owners" of the USA have long been into subverting the open-source into a cheap, free source for their computer "solutions", as Google did with Android, a clear-cut case of parasitism on the work of thousands and thousands.

The game of the day is "enemies attack us on all fronts" - so the obvious next step is to subvert Open Source:

    "ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity"

Figures.

me • November 28, 2018 8:54 AM

Reason number 23894289 to not enable javascript, also reason number 2839892 to use Qubes OS (yes, I know that the problem is not only javascript).
At least for javascript we have sub resource integrity (which is almost never used).

Denton Scratch • November 28, 2018 9:59 AM

Node.js in general is a security nightmare. It's not the fault of Google's Javascript compiler; it seems to be a cultural problem. The node 'culture' involves relying on external modules for anything that can be done by an external module - avoid duplicating code.

Typically, these external dependencies are imported at build-time - that is, the external code is typically not checked-in to revision-control for the project that is depending on it (it will be replaced by the latest version on the next build anyway).

If you have never built a Node.js project before, and you are a reasonably security-conscious developer, you would be shocked to see the console log from a node build. Fundamental modules (e.g. basic networking) depend on lesser modules, and so on, to the point where there is a module for stripping whitespace from the end of a string. You see literally hundreds of modules of code that nobody in your organisation has ever reviewed (or ever could) being sucked into your project. It's absolutely terrifying.

I don't know how this culture came about; it may be a combination of the 'build it quick, ship it' philosophy that grew up with the web and Javascript, combined with the baleful influence of Npm Inc, which manages the most-popular repository of these modules.

If I ran a company that produced software for money, I would ban Node.js. It's a serious hazard to the company's future.
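The build-time dependency churn described in the comment above, as an added example that is not code from the post, the commenter, or npm: a script that diffs two package-lock.json snapshots (constructed inline; the lockfileVersion 2/3 "packages" layout is assumed) and reports what changed beneath the root project, which packages arrived transitively, and which carry no integrity hash.

```javascript
// Added example, not from the post or npm: compare two lockfile snapshots so
// that a fresh build which re-resolves dependencies cannot silently pull in a
// new transitive package or version that nobody in the organisation reviewed.
// Assumes lockfileVersion 2/3: a "packages" map keyed by node_modules paths,
// with the root project stored under the empty key.
const ROOT = '';

// Flatten a lockfile into path -> { name, version, integrity }.
function lockEntries(lock) {
  const entries = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === ROOT) continue;
    // 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    entries.set(path, { name, version: meta.version, integrity: meta.integrity || null });
  }
  return entries;
}

// Compare two snapshots. "direct" means the root package.json lists the
// dependency; everything else arrived transitively and is the part nobody
// chose on purpose. A changed integrity with an unchanged version is also
// reported, since that means different bytes for the same version label.
function diffLocks(oldLock, newLock) {
  const before = lockEntries(oldLock);
  const after = lockEntries(newLock);
  const direct = new Set(Object.keys((newLock.packages[ROOT] || {}).dependencies || {}));
  const report = { added: [], changed: [], removed: [], noIntegrity: [] };
  for (const [path, e] of after) {
    const scope = direct.has(e.name) ? 'direct' : 'transitive';
    if (!e.integrity) report.noIntegrity.push(`${e.name}@${e.version}`);
    const prev = before.get(path);
    if (!prev) report.added.push(`${e.name}@${e.version} (${scope})`);
    else if (prev.version !== e.version || prev.integrity !== e.integrity)
      report.changed.push(`${e.name} ${prev.version} -> ${e.version} (${scope})`);
  }
  for (const [path, e] of before) if (!after.has(path)) report.removed.push(`${e.name}@${e.version}`);
  return report;
}

// Constructed sample lockfiles (versions, names other than event-stream, and
// hashes are made up): the second is what a fresh build might resolve after a
// dependency's maintainer publishes a new patch release.
const OLD_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { 'event-stream': '^1.0.0' } },
    'node_modules/event-stream': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/sample-stream-util': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED-B' },
  },
};
const NEW_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { 'event-stream': '^1.0.0' } },
    'node_modules/event-stream': { version: '1.0.1', integrity: 'sha512-CONSTRUCTED-C' },
    'node_modules/sample-stream-util': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED-B' },
    'node_modules/example-helper': { version: '0.1.0' }, // new, transitive, no integrity hash
  },
};

console.log(JSON.stringify(diffLocks(OLD_LOCK, NEW_LOCK), null, 2));
```

Running it against two committed lockfiles in CI and failing the build on a non-empty `added` or `noIntegrity` list turns the "replaced by the latest version on the next build" behaviour into something a human has to approve.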

Impossibly Stupid • November 28, 2018 10:09 AM

Yeah, there is nothing particularly "new" or "clever" about this. It's the digital equivalent of the FREE CANDY van.

It does, however, serve to highlight how flawed the concept of "continuous integration" is. As nice as automation is for some things, the very idea that intelligent human oversight is unnecessary is laughable. Or would be if it were so dangerous. Just another step on the "click here to kill everybody" path.

echo • November 28, 2018 10:42 AM

@Bruce

    This presents a scary social-engineering vector for malware: A malicious person volunteers to help maintain the project, makes some small, positive contributions, gets commit access to the project, and releases a malicious patch, infecting millions of users and apps.

This is just the criminal variant of companies buying up android apps which they then monetize by adding paid for features or cloud nonsense. A good few applications have been ruined this way, forcing users to archive and lock the app from updating or seek alternatives.

Jack • November 28, 2018 11:05 AM

@Bruce: since you closed the comments in the Hillary-agitprop thread:
Please cut down on the unproven partisan conspiracy theories, many of us like neither Hillary nor Trump.

Mengchen • November 28, 2018 11:21 AM

Reminds me of the lecture "Reflections on Trusting Trust" where Ken Thompson demonstrated how "project admins" can plant Trojan horses into innocuous source code.

Ross Snider • November 28, 2018 11:26 AM

This isn't a new vector!

Krebs blogged about malware authors offering to buy old browser plug-ins from developers, and then using those for malicious purposes.

It even happens at a larger scale. Skype refused to add a backdoor, but it was eventually bought out by Microsoft, who had agreements set up with federal entities and immediately worked to eliminate the end-to-end security and feed those conversations into the federal surveillance network.

Faustus • November 28, 2018 12:01 PM

For packages that are distributed as source, I wonder if it is feasible to grant rights at the import level?

I am a big go fan and almost exclusively use official libraries. But go is very security conscious so I could see them enabling rights restrictions on embedded c, embedded assembler, and whole libraries such as "unsafe" which allows pointer manipulation. (This is not a comprehensive list) The top level import would have to enable all capabilities used down the import tree.

This would also have the salubrious effect of flagging new rights suddenly claimed by already imported libraries.

Or is there an obvious fatal flaw to this idea that I am missing? Does anybody know of it being implemented anywhere?

@Bruce You have the patience of a saint. Thank you so much for making this forum possible.
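A static approximation of the import-level rights idea in the comment above, applied to Node modules rather than Go since that is the ecosystem the post concerns. This is an added example, not the commenter's design or any existing tool's code; the capability table and the two sample module sources are constructed for it.

```javascript
// Added example, not code from the comment's author or from any Node tool:
// list the privileged built-ins a module source claims through its imports,
// then diff two versions so that rights "suddenly claimed" by an already
// imported library stand out before the upgrade is taken. Only literal
// require()/import specifiers are inspected, so dynamic requires, eval and
// native addons escape it; a hit is a review prompt, not proof of intent.

// Assumed capability table for this example: built-in module -> right.
const CAPABILITY_OF = {
  child_process: 'process-exec',
  fs: 'filesystem',
  net: 'network',
  http: 'network',
  https: 'network',
  dns: 'network',
  vm: 'code-eval',
};

// Matches require('x'), require("x"), import ... from 'x' and import 'x';
// the optional node: prefix is stripped before the table lookup.
const IMPORT_RE = /(?:require\s*\(\s*|\bfrom\s+|^\s*import\s+)(['"])([^'"]+)\1/gm;

// Sorted list of rights a module source claims through its imports.
function capabilities(src) {
  const caps = new Set();
  for (const m of src.matchAll(IMPORT_RE)) {
    const mod = m[2].replace(/^node:/, '');
    if (CAPABILITY_OF[mod]) caps.add(CAPABILITY_OF[mod]);
  }
  return [...caps].sort();
}

// Rights present in the new version that the old version never claimed.
function newCapabilities(oldSrc, newSrc) {
  const before = new Set(capabilities(oldSrc));
  return capabilities(newSrc).filter((c) => !before.has(c));
}

// Constructed sample: two versions of a small stream helper module. The
// second quietly starts talking to the network and spawning processes,
// which a stream helper has no business doing.
const OLD_SRC = `
const { Transform } = require('stream');
module.exports = () => new Transform({ transform(chunk, enc, cb) { cb(null, chunk); } });
`;
const NEW_SRC = `
const { Transform } = require('stream');
const https = require('node:https');
const { execSync } = require("child_process");
module.exports = () => new Transform({ transform(chunk, enc, cb) { cb(null, chunk); } });
`;

console.log('old version:', capabilities(OLD_SRC));                  // []
console.log('new version:', capabilities(NEW_SRC));                  // [ 'network', 'process-exec' ]
console.log('newly claimed:', newCapabilities(OLD_SRC, NEW_SRC));    // [ 'network', 'process-exec' ]
```

Walking every package under node_modules with this and diffing against the previous lockfile's versions gives the "flagging new rights" effect without any language support, at the cost of the blind spots noted in the comments.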

Men in Black • November 28, 2018 12:20 PM

You need a lot of guns and security to become an admin on an open source project.

If you are not subverting the project yourself, someone with access to all your credentials surely is.

When you provide, por gratis y por libre, something that other businesses would have otherwise been able to charge money for and maintain professionally on a proprietary basis, you will find yourself on their hitlist, the target of murder and mayhem, never mind being able to find employers or customers for your work in the field.

Cesyob • November 28, 2018 12:55 PM

How about the über secure programming language Rust, which also builds an executable from a huge amount of external crate libraries just like npm?

Clive Robinson • November 28, 2018 1:28 PM

@ All,

The security of the software language you chose to write your code in is by and large irrelevant if you allow access to the compiled code tree.

Whilst it might appear crazy-difficult to some to modify asm and object for some it is the work of moments to make little changes.

The point is a programming language can protect against a limited series of attacks upstream of the compiler in the tool chain. But in most cases downstream of the compiler, no not a thing. The same with code provers and other "source level" and above tools...

The further down the computing stack you make an attack as a general rule of thumb the easier it is to do...

Men in Black • November 28, 2018 4:29 PM

@Anders

    Those were Estonians who implemented backdoor into the Skype for the NSA.

For the NSA? Oh really? I thought it was all KGB//FSB over there. And now they have all the Finns' healthcare information under the Soviet version of HIPAA.

https://e-estonia.com/estonia-and-finland-to-start-sharing-patient-data-and-thats-just-the-start/

So when did the Estonians come out from behind the Iron Curtain, let alone the Finns? They're all laying it on a bit thick, and it's all a bit much for me to believe.

Phaete • November 28, 2018 4:49 PM

I think that the chance that a commercial company delivers spyware through their next patch is greater than a hijacked open source project.
And for sure it will affect more customers.

Like running Flight Simulator on Windows 10 on a Lenovo laptop.

echo • November 28, 2018 9:56 PM

@Clive

This all boils down to getting within the OODA loop.

One interesting example is Diane Abbott kicking up a fuss about UK police ramming moped gangs. The police defended this as did the Home Secretary. In isolation their defence sounds plausible but when taken as a whole including items like tasering and Stop and Search and turning a blind eye to sex trafficking and victimising victims things begin to look a little different.

Being able to control the narrative and vectors for bubble up attacks can create an overall weakness which can be exploited.

I don't have the expertise to properly analyse public policy from a systems theory and security perspective. The balance of an actor having full knowledge and an actor not having full knowledge is an interesting democratic issue which pivots on the issue of privacy.

Your own concepts on security and energy gapping depend on manufactured privacy.

I wonder if physicists could contribute to the security discussion and invent something like Feynman diagrams to use to discuss these issues so fundamental discussion is on more scientific grounds.

Ismar • November 28, 2018 10:24 PM

I'm afraid that this is a case of YOU GET WHAT YOU PAY FOR service and the syndrome of free software expectations, where we want to see first class service provided for free. This is only one thing that can go wrong in this "business model".

RealFakeNews • November 29, 2018 12:08 AM

When will people realize that "open source software" and security is an oxymoron?

What irks me most is this: "anyone can view the source code and make changes". The very document describing OSS says this. They say it as if someone had the time to bother, spot a problem, and fix it.

Worse, proponents of open source software act as if the code quality is at Apollo standards of design, writing, and verification. Not a chance!

If it wasn't obvious by now:

* OSS is poorly written
* OSS is poorly understood (functionally and technically)
* OSS is built on the premise of continual improvement (but there is little to no actual evidence to support this)
* OSS IS NOT SECURE, despite what they lead you to believe (I'm talking code, not systems)

I'm in no way surprised by this article.

Did everyone forget the OpenSSL debacle, or the alleged (proven?) tampering by the FBI (or post-Snowden was it really the NSA posing as the FBI?) of the IPSec stack in OpenBSD??

The events described in the article happened long ago, and being a mere developer was all that was required.

Why is the article suggesting you need to be anything more than a programmer with access to modify source code??

Regarding Bruce's politics: has Bruce been subverted? He used to be seemingly unbiased; now he isn't.

Anders • November 29, 2018 6:44 AM

@Men in Black

You forgot that Estonia has been a NATO member since 2004. Estonia is under very strong US influence. You cannot create a software product in Estonia without a backdoor for the NSA. For example - Finland has F-Secure AV - it would be impossible to create a similar product without the backdoor in Estonia.

Denton Scratch • November 29, 2018 7:12 AM

@RealFakeNews

Note that "Open Source" is a very flexible term. It includes, for example, software written and published by Microsoft, for which the source code is available for inspection (but not for re-purposing).

Perhaps you are really hurling your barbs at Free Software, software that is explicitly licensed so as to allow any type of re-use or re-purposing.

So let's inspect your (evidence-free) barbs:

* OSS is poorly written
Wow, talk about broad generalisations. Was it some particular piece of software that bit you, or have you reviewed all of it, and determined that none of it is well-written?

* OSS is poorly understood (functionally and technically)
Poorly understood by whom? Again, are you referring to a particular item, or are you saying that nobody understands any of it? Do you think that proprietary, closed-source software is better-understood? Really? Have you ever worked in a closed-source shop?

* (Continual improvement)
Obviously, abandoned software projects are not being continually improved. But that applies equally to commercial, proprietary projects. Most of the commercial software that has ever been written is now abandoned.

* OSS IS NOT SECURE
Well, SHOUTING doesn't make your argument stronger:-) Obviously, some free software is badly-written and insecure. Let's take the Linux kernel, for example: it's a huge mass of code, contributed by thousands, and managed by a man who has said publicly that security is not a high priority. Fine - so let's compare it with some competing operating system - a commercial, proprietary one. Choose one. Was that Windows? Windows contains much more code than the Linux kernel, there is far less transparency, the project leadership has historically been much more blase about security (and code quality) than the Linux leadership.

I choose a prominent example: OpenSSL. The OpenSSL project was forked a couple of years ago, because it was insecure. It was insecure because it incorporated numerous backward-compatibility features - which offered compatibility with versions of the SSL/TLS standards that were themselves insecure; and also because of feeping creaturitis - Heartbleed was the result of adding a feature that nobody needed. The insecurities were not caused by the openness. And because of the openness of OpenSSL, it has been possible to fork it, and revise it to make it more secure.

Oh - of course you will have noticed that OpenSSL has been incorporated in many closed-source software projects; OpenSSL is distributed under an Apache licence that permits unlimited free commercial re-use.

Clive Robinson • November 29, 2018 7:50 AM

@ echo,

    I wonder if physicists could contribute to the security discussion and invent something like Feynman diagrams to use to discuss these issues

That is a question I suspect may not get answered any time soon, because of surprise surprise politics...

Meanwhile a gem from the mid 1970's to amuse you,

http://rako.com/Other_Voices/Putt's_Law/Putts_Law_no_ads.pdf

I'm told the originals are difficult to get hold of in the printed form and changing hands at eye watering prices for what is just thirty one magazine pages.

It later became a book, the most recent edition being 2006 at around 180 pages; it would appear to have around the usual ratio of content to filler for technical books (management books are usually up on the 20:1 filler to content ratio or way way more when it comes from say a Project Management Institution ;-)

So try the original and smile at the wry humour then realise that there is a lot of truth in it and not just for the technical professions ;-)


Clive Robinson • November 29, 2018 8:07 AM

@ RealFakeNews,

    When will people realize that "open source software" and security is an oxymoron?

It is the same for nearly all software regardless of source or business model.

Some of the most secure software is Open Source whilst it's even easier to spot that the world's biggest name software houses turn out complete and utter security nightmares.

Money and business model have little to do with software security... Possibly because the people actually capable of writing secure software currently are so rare that Golden Hens Eggs appear considerably more available.

Why would that be... Well various people have their views, but the view that money and business models are anti-security is quite common, along with the view that you have to "go with the flow" to be successful.

But the cold hard reality is security is a subset of quality. Whilst businesses are starting to accept "Quality Costs" as part of the price of staying in a market consumers frequent, apparently the consumers in those markets are not yet differentiating by security...

Thus we should be asking why?

JohnnyS • November 29, 2018 10:49 AM

@Mengchen

And that wonderful Turing Award Lecture at the AGM was from 1984.

Have we learned anything in the intervening 34 years? We're currently at a place where the security problems and genuine risks are increasing faster than any possible defensive security efforts can handle.

Despair.

Clive Robinson • November 29, 2018 2:36 PM

@ JohnnyS,

    Have we learned anything in the intervening 34 years?

Well yes a lot really, but the scary thing is that it is mostly "still born"...

It's discovered, written up as a paper, presented at a conference, where it might get an award, then it gets forgotten about.

The result is if you investigate a malware attack method from oh say twenty years ago, the chances are whilst it will not work with the creaking old systems of the time, it does with new systems...

For some reason the industry is losing its memory within a decade or so, and there is no way that can be blamed on the speed of change, because the reality is very little has changed except for fad HLLs and cosmetics of interfaces...

you • November 30, 2018 10:04 PM

@Denton Scratch

    Node.js in general is a security nightmare.

Well all Google products are like that. In one way, or another. They are designed according to a not-particularly-well-thought-out Wild West Architecture.

JustWonderin • December 1, 2018 9:00 AM

@me:

    reason number 23894289 to not enable javascript, also reason number 2839892 to use Qubes OS (yes i know that the problem is not only javascript). at least for javascript we have sub resource integrity (which is almost never used).

So many sites are refusing to operate w/o javascript, such that the public (who has never had and will never have a clue) - is easy mutton for the chop shops. You and I will turn off javascript, but we'll still have to contend with the fallout, which is that everything is hacked and botted. Without 90% of the trinkets that public internet users are addicted to, we'll get bored with Lynx and retreat to our out-of-range cabins in the Luddite mountain country.

Drive By Idealogue • December 4, 2018 4:53 AM

We need new ideas to explain how public statements on the Internet can weaken American democracy.

How about better teaching the oldie but goodie - "Don't believe everything you read".

    Cory Doctorow points out that this is a clever new attack vector:

I'd more emphasize the broader vector including those actors sufficiently powerful that they can insert a talented developer into an organization. I.e. the spectrum of threat models that considers the difficulty of various state and substate level organizations to fictionalize a volunteer/employee to penetrate the software/hardware/cyber project.

Open Source, Many Eyes. Like Free Speech and Democracy, doesn't solve things overnight, but seems quite plausible it provides the best solution possible.
