After a failed Linux backdoor attempt grabs headlines, open-source leaders warn of more attacks


The beauty of open-source software lies in the dispersed communities that develop and maintain the code, often thanklessly. But while there’s strength in this approach, it can also present risks.

This was recently made clear with the discovery of a backdoor that had been inserted into XZ Utils, a data-compression toolkit that is baked into many Linux operating-system distributions. Discovered by Microsoft engineer Andres Freund, the backdoor could have enabled a major cyberattack with global consequences, since corporate servers commonly run Linux.

A couple of weeks after Freund’s discovery, we are none the wiser as to the real identity of the culprit, known to the community only as “Jia Tan”. This was probably a state-sponsored operation, but either way, “Jia Tan” spent years getting involved with, and eventually taking over much of, the XZ Utils project.

Yesterday, open-source leaders warned that the XZ Utils incident probably wasn’t a one-off. In a blog post, senior staffers at the Open Source Security Foundation and the OpenJS Foundation, which steers the development of many JavaScript technologies that underpin the web, called on everyone maintaining open-source projects to “be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.”

According to the post, somebody recently tried to convince the OpenJS Foundation to draft them as a maintainer of a popular JavaScript project (it’s not clear which one) in order to “address any critical vulnerabilities.” The modus operandi was apparently similar to that employed by Jia Tan, and the foundation spotted a “similar suspicious pattern” in two other JavaScript projects that it doesn’t host, so it alerted the relevant project leaders and U.S. authorities.

“Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem,” wrote OpenJS Foundation executive director Robin Bender Ginn, and Open Source Security Foundation general manager Omkhar Arasaratnam.

“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” they added. “Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.”

Endor Labs chief security officer Chris Hughes told Computer Weekly he wasn’t surprised by the existence of more attempts to infiltrate open source projects in this fashion.

“We can likely suspect that many of these [attacks] are already underway and may have already been successful but haven’t been exposed or identified yet,” he said. “Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilizing social engineering attacks on them isn’t surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases.”

A reminder, if it were needed, of how much technical vulnerability we humans present. More news below.

David Meyer


This story was originally featured on Fortune.com
