GitHub: Certificates Pinched in Desktop, Atom Repo Hack
ReversingLabs
Welcome to Chainmail: Software Supply Chain Security News. Each week, Chainmail brings you the latest software supply chain security headlines, curated by the team at ReversingLabs. In this week's issue, we look at the fallout from a hack of the open source code hosting platform GitHub, an attack that manipulated Microsoft's Verified Publisher program, and layoffs at Google affecting leading open source experts.
This Week’s Top Story
Open source code hosting platform GitHub said it detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom, following an incident in December.
In a blog post on Monday, GitHub vice president of security operations Alexis Wales said that an internal investigation revealed that a set of encrypted code signing certificates had been exfiltrated from the repositories. The company said the certificates were password-protected and that it has seen no evidence that they were used in attacks.
GitHub revoked the exposed certificates used for the Desktop and Atom applications on February 2 and urged users to update to the latest version of Desktop.
The incident follows an attack on continuous integration platform CircleCI, which said in January that it had discovered a security incident and urged its customers to rotate any secrets stored in code hosted on CircleCI's platform. (GitHub)
News Roundup
Proofpoint researchers said this week that they had discovered a new campaign in which malicious third-party OAuth apps were used to infiltrate organizations' cloud environments. According to a blog post, Proofpoint discovered the campaign in early December. The company said the threat actors satisfied Microsoft's requirements for third-party OAuth apps by abusing Microsoft's "verified publisher" status, using brand abuse, app impersonation and other social engineering tactics to lure users into authorizing the malicious apps. (CSO)
Google has laid off many leading lights of the open source world. This will have a profound effect on software supply chain security.
One of the many people fired was Chris DiBona. Until January 20, he was Google’s director of open source, holding the position since 2004.
Patronage from firms such as Google has been key to funding security-critical open source projects, for example BoringSSL/Tink, Samba and Kubernetes, to name but three. The move drew criticism, with some saying Google "blew it" by firing industry leaders who had made Google competitive with firms like AWS by aggressively open sourcing projects such as TensorFlow and Kubernetes. (ReversingLabs)
A new open framework aims to be a MITRE ATT&CK for evaluating threats and vulnerabilities to software supply chains. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, evaluates software supply chain security threats such as vulnerabilities in third-party libraries and components, threats to build and deployment systems, and compromised or malicious software updates. Representatives from GitLab, along with former leaders from Microsoft, Google Cloud, Check Point Technologies and OWASP, formed the foundation that launched OSC&R. The goal is to create a single point of reference for assessing software supply chain risks and defenses, said Hiroki Suezawa, a senior security engineer at GitLab. (CSO)
Car maker Toyota suffered a data breach in 2022 after the company accidentally exposed a database access credential for a server containing customer data in a public GitHub repository. That type of breach could be avoided if organizations focused on credentials exposed within SaaS applications, Corey O'Connor, director of product at SaaS security platform DoControl, said in a Q&A explaining why he believes identity security needs to go beyond just protecting the keys. (Beta News)
GitLab's Global Field CISO Francis Ofungwu believes that developers need to be better prepared for the threats and vulnerabilities that arise at every phase of the software development lifecycle (SDLC). He argues that rather than forcing development teams to sit through lengthy security trainings, organizations should host platforms that deliver real-time knowledge-building, giving developers the ability to identify security issues as they code. (TechBeacon)