Under-resourced maintainers pose risk to Africa's open source push

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: The insecurity of open source software poses a risk to Africa’s open source push. Also: A judge’s dismissal of major parts of the SEC lawsuit against SolarWinds weakens the commission’s cybersecurity enforcement stance.

This Week’s Top Story

Under-resourced maintainers pose risk to Africa's open source push

Last week, during a conference at the United Nations in New York City, experts discussed the benefits that open source software (OSS) can provide to the world, especially to underserved nations that often have fewer technological resources and less funding for OSS efforts. Philip Thigo, Kenya's special envoy on technology, spoke candidly about OSS's impact on African nations:

“In the era of sustainable development goals, where we must end extreme poverty but also leave no one behind ... open source almost becomes intrinsic or integral to everything that we do.” - Philip Thigo

Thigo believes that OSS offers a way for people from all walks of life to participate in coding and application development, making it easier for disadvantaged communities to be part of an increasingly technological world.

However, using OSS, in any scenario, comes with risk, because malicious actors take advantage of these platforms. Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF), noted, “It's wonderful that open source can provide assistance in all these areas and build community, but of course, the precondition is that it must be secure… The last thing that you want... is a scenario where a part of the global majority is contending with, say, food safety as well as cyber safety, because of a package that's insecure.”

Because of the increasing software supply chain security risks that stem from OSS use, the community must keep working together to secure open source platforms against threat actors. Doing so makes OSS safer for everyone and lets maintainers from across the globe contribute.

One of the looming challenges, however, is that these platforms rely on maintainers and project contributors who often lack funding and resources for security; many work on their projects for free, or alone. This creates an imbalance between supply and demand: demand for a package outweighs the supply of resources needed to secure and maintain it. That gap is an attack window, in which malicious actors exploit a package’s popularity to deploy malware, whether by taking over an abandoned project or by publishing look-alike packages that ride on its name.

Eliminating this attack vector depends on securing the open source ecosystem as a whole, a project that is slow going. For now, security rests on educating developers and package maintainers in producing and managing code securely, and on hardening the OSS platforms themselves against malicious actors.

Given the current state of OSS security, a large push for OSS support in underserved areas appears unlikely in the near term. Nevertheless, OSS would not be as robust or as successful as it is without maintainers and developers from all parts of the world, including the more than 300,000 Kenyan developers and the one million Nigerian developers currently working on GitHub. (Dark Reading)

This Week’s Headlines

Judge deals major blow to SEC’s cybersecurity enforcement stance

A federal judge's dismissal of most of the U.S. Securities and Exchange Commission's (SEC) lawsuit against SolarWinds has weakened the commission's cybersecurity enforcement posture, legal analysts concluded. Much of the lawsuit rested on the theory that a cybersecurity failure could be categorized, and punished, as an “internal accounting controls” violation under Section 13(b)(2)(B) of the Securities Exchange Act. The judge dismissed that claim along with many of the SEC's other aggressive theories, leaving only the allegation that SolarWinds’ statements about its cybersecurity program were materially misleading. With that precedent set, the SEC must now tread carefully in upcoming cases and enforcement stances. (CFO Dive)

LLM deployment flaws that catch IT by surprise

Large language models (LLMs) now handle a plethora of enterprise tasks, yet they must be handled with care. With the slightest provocation, an LLM will go its own way, ignoring guardrails and set limitations. One example: if an LLM is overloaded with more input than it can hold, it won’t crash; instead it can slip its controls and behave as if jailbroken. These defections trace back to the fact that LLMs are temperamental and pose security risks, however many use cases they are active in. Companies that deploy LLMs before proper testing do not understand the models’ triggers and are left with a wake of jailbroken models. Read the article for the top five cases of LLMs acting out. (ComputerWorld)

Executives have more confidence in software supply chain security than their developers

A new report, sponsored by DevOps company JFrog, finds that enterprise executives are more confident in their software supply chain security than their organizations’ developers are: 92% of executives believe solutions are in place to detect malware in open-source packages, compared with only 70% of developers. Vulnerable or malicious open-source packages can lead to major cybersecurity incidents, such as the Log4j (Log4Shell) vulnerability of 2021. Why executives and developers disagree is unclear; this DevClass article explores the possible reasons. (DevClass)

Commentary: Wanted: An SBOM standard to rule them all

The software bill of materials (SBOM) has become commonplace and integral to cybersecurity, especially for Software-as-a-Service (SaaS). With SaaS, a prospective buyer can receive the SBOM and learn every component inside the product, allowing them to check that all parts are secure. Yet it is not enough: the SBOM still falls short of delivering security through transparency between vendor and buyer. That shortfall is partly due to competing standards and implementation methods, which turn the SBOM into a confusing exercise in ETL and data schema management. Hence the need for a single unified SBOM standard; this article argues that without one, the SBOM will continue to fail at bringing true transparency to the software industry. (Dark Reading)
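The "ETL and data schema management" problem above is concrete: the two dominant formats, CycloneDX and SPDX, put the same facts in different places. The following is an added example (not code from the Dark Reading piece or from either standards body) that normalizes a CycloneDX JSON and an SPDX JSON document into one component list keyed by package URL (purl) and diffs them. Both sample documents are constructed here for illustration; the field names used are the real ones from each specification.

```python
"""Normalize CycloneDX and SPDX JSON SBOMs into one component list and diff them.

Added example. The two SBOM documents below are constructed samples, not real
vendor SBOMs; the field names follow the CycloneDX 1.5 and SPDX 2.3 JSON schemas.
"""
import json

# Constructed CycloneDX 1.5 document: components live under "components",
# each carrying its own "purl".
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed SPDX 2.3 document: components live under "packages", the purl is
# buried in "externalRefs", and the product itself is also a package, marked by
# a DESCRIBES relationship from the document. Note it lacks "requests".
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "sample-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-log4j", "name": "log4j-core", "versionInfo": "2.14.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-app"}],
})


def detect_format(doc):
    """Identify the SBOM flavour from its top-level discriminator fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognized SBOM format")


def _from_cyclonedx(doc):
    for c in doc.get("components", []):
        yield {"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}


def _from_spdx(doc):
    # Skip the package(s) the document DESCRIBES: that is the product itself,
    # which CycloneDX keeps in metadata.component rather than in the component list.
    roots = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])
             if r.get("relationshipType") == "DESCRIBES"}
    for p in doc.get("packages", []):
        if p.get("SPDXID") in roots:
            continue
        purl = next((ref.get("referenceLocator") for ref in p.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        yield {"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl}


def normalize(raw):
    """Parse an SBOM (JSON text) into a sorted list of {name, version, purl} dicts."""
    doc = json.loads(raw)
    gen = _from_cyclonedx(doc) if detect_format(doc) == "cyclonedx" else _from_spdx(doc)
    return sorted(gen, key=lambda c: (c["purl"] or "", c["name"] or "", c["version"] or ""))


def component_key(c):
    """Prefer the purl as identity; fall back to name@version when a tool omitted it."""
    return c["purl"] or f"{c['name']}@{c['version']}"


def diff_components(a, b):
    """Return (only_in_a, only_in_b) as sorted lists of component keys."""
    ka = {component_key(c) for c in a}
    kb = {component_key(c) for c in b}
    return sorted(ka - kb), sorted(kb - ka)


if __name__ == "__main__":
    cdx, spdx = normalize(CYCLONEDX_DOC), normalize(SPDX_DOC)
    only_cdx, only_spdx = diff_components(cdx, spdx)
    print("only in CycloneDX:", only_cdx)   # the requests package
    print("only in SPDX:", only_spdx)       # nothing
```

The purl is the one identifier both formats can carry, which is why it is used as the join key; when a tool emits an SBOM without purls, the fallback to name@version is where the real-world mismatches (ecosystem-specific naming, missing versions) start to show, which is the argument the article makes.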

Researchers claim anyone can access deleted, private GitHub repository data

An issue within GitHub, dubbed Cross Fork Object Reference (CFOR) by the researchers, allows access to deleted and private repository data. It stems not from a bug but from a design choice: repositories in a fork network share one object store, so code that was ever pushed to a public repository can remain accessible forever, even after the original repository is deleted, as long as one fork remains, and a commit can be retrieved by its hash even when no branch points to it. Three attack scenarios follow from this design: accessing deleted fork data, accessing deleted repository data, and accessing private repository data. Despite the security implications, namely the exposure of secrets and confidential data, GitHub does not appear to be planning a change. The practical caveat for maintainers: deleting a commit, fork, or repository does not revoke a secret that was ever pushed to it, so rotate the secret. (HackRead)

Hackers exploit Windows SmartScreen flaw to deliver info stealer malware

Microsoft’s Windows SmartScreen has a critical bypass vulnerability, CVE-2024-21412, which arises from the mishandling of maliciously crafted Internet Shortcut (.url) files. The flaw allows remote attackers to bypass Mark-of-the-Web security warnings and deliver malicious payloads. Threat actors, including the Water Hydra group, have used it to push several malware families, including Lumma Stealer and Meduza Stealer. In one stealer attack, the harvested data was sent back to a command-and-control (C2) server. Users are advised to apply Microsoft’s patch promptly. (Cyber Security News)
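The files at the centre of this flaw are plain INI-style Internet Shortcuts, and the pattern abused in the reported chains is a shortcut whose target is a file on a remote share, frequently another .url file. The following is an added triage script (not from the Cyber Security News article or from Microsoft) that parses .url files and flags that pattern; the four sample shortcuts are constructed for illustration and the 203.0.113.0/24 addresses are documentation addresses, not real infrastructure.

```python
"""Triage Internet Shortcut (.url) files for remote file targets, the pattern
abused in CVE-2024-21412 SmartScreen bypass chains.

Added example. The shortcut contents below are constructed samples; real
files normally use CRLF line endings, which configparser also accepts.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample shortcuts, keyed by a hypothetical file name.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    # file:// target on a remote WebDAV host (the @80 suffix is the WebDAV port
    # notation) that points at a second shortcut: the nested .url trick.
    "nested_webdav.url": "[InternetShortcut]\nURL=file://203.0.113.10@80/share/invoice.url\n",
    # Same idea expressed as a UNC path.
    "unc_share.url": "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\update.url\n",
    # Local file target: unusual for a browser shortcut but not remote.
    "local_app.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/notes.txt\n",
}

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "URL" matches as written
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Classify a shortcut target as ('ok'|'suspicious'|'high'|'invalid', reason)."""
    if url is None:
        return ("invalid", "no URL= entry")
    if url.startswith("\\\\"):
        parts = url.split("\\")
        host = parts[2] if len(parts) > 2 else ""
        remote = host != ""
    else:
        p = urlparse(url)
        if p.scheme != "file":
            return ("ok", f"{p.scheme} target")
        host = p.netloc.split("@")[0]  # strip WebDAV @port / @SSL suffixes
        remote = host.lower() not in LOCAL_HOSTS
    if not remote:
        return ("ok", "local file target")
    if url.lower().endswith(".url"):
        return ("high", f"remote file target on {host} pointing at a nested .url shortcut")
    return ("suspicious", f"remote file target on {host}")


def triage(samples):
    """Map each sample name to its classification."""
    return {name: classify_target(parse_url_file(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLES).items():
        print(f"{verdict:10s} {name}: {reason}")
```

A remote file:// or UNC target is not malicious on its own, which is why the script grades rather than blocks; pair it with the Zone.Identifier (Mark-of-the-Web) stream on the downloaded file and the patch level of the host when deciding whether an alert is worth escalating.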

Over 3,000 GitHub accounts used by malware distribution service

'Stargazer Goblin,’ a cybercrime group, has built a malware Distribution-as-a-Service (DaaS) operation using more than 3,000 fake GitHub accounts to push malware. The accounts make up the Stargazers Ghost Network, which distributes password-protected archives containing malware such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer. Stargazer Goblin appears to have been running the service since at least summer 2023. The campaign trades on GitHub’s trusted reputation to lull downloaders into a false sense of security. This is the first time such an organized, large-scale scheme has been documented on GitHub, though it is unlikely to be the last. (Bleeping Computer)

Project 2025 could escalate US cybersecurity risks, endanger more Americans

The nearly 1,000-page Project 2025 document outlines what a conservative Washington, DC think tank believes the plan should be for former President Donald Trump if he wins this November, and it includes actions that could be detrimental to U.S. cybersecurity. The document calls for dissolving the Cybersecurity and Infrastructure Security Agency (CISA), the primary agency that upholds federal cybersecurity policy in the U.S. The proposal is believed to be motivated by the view that CISA duplicates cybersecurity functions performed elsewhere, at the Department of Defense, FBI, National Security Agency, and U.S. Secret Service. Michael Daniel, CEO of the Cyber Threat Alliance and former Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council staff, disagrees: “[dismantling CISA] would be disastrous… it would significantly increase the cyber risk to the United States.” (CSO Online)

Resource Round-up

Blog | Secure by Default: Lock down your development for better AppSec

In this new post on the RL blog, we explain the benefits and limitations of Secure by Design’s cousin, Secure by Default. This initiative can make software more secure out of the box by adding guardrails to development, but it is not without its shortcomings. [Read Here]

Webinar | Insights from the Gartner® Leader’s Guide to Software Supply Chain Security

The latest Gartner® report, "Leader’s Guide to Software Supply Chain Security," offers critical findings and strategies that enterprises need to secure their software supply chains. Join ReversingLabs’ Chief Trust Officer Saša Zdjelar and VP of Product Marketing Daniel Petrillo to learn how to implement these key strategies. [Save your seat]

Webinar | Insights from OWASP: Future-Proofing SBOMs with CycloneDX

The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs), designed to keep SBOMs relevant far into the future. Watch this webinar to hear Steve Springett, chair of the CycloneDX SBOM standard at OWASP, share the key takeaways from this major update, including two changes that seek to boost software supply chain security. [Watch Here]

Looking for more great conversations to watch? See RL’s recent webinars here: https://www.reversinglabs.com/webinars

Wayne S.

Cybersecurity Analyst | SOC Lead & GRC Advisor | Warrior Mindset/Tactical Resilience & Cyber Defense Writer

7 months

Interesting!
