Wreaking Havoc on cybersecurity

A new malware method has been identified by cybersecurity researchers. While it hasn’t yet been widely used, it is causing some concern. Ironically, it has been named Havoc.

Why worry about it if it is a niche case? Because of the sophistication of its methods and the collection of tools and techniques it uses (shown in the diagram above from ZScaler). It doesn’t bode well for the digital world. Right now it has been observed targeting government networks.

Havoc is a command and control (C2) framework, meaning that it is used to control the progress of an attack. There are several C2 frameworks that are used by bad actors, including Manjusaka, Covenant, Merlin, Empire and the commercial Cobalt Strike (this last one is used by both attackers and red team researchers). Havoc is able to bypass the most current version of Windows 11 Defender (at least until Microsoft figures out the problem, then releases a patch, then gets us to install it). It is also able to employ various evasion and obfuscation techniques.

One reason for concern is how it works. Researchers at Reversing Labs “do not believe it poses any risk to development organizations at this point. However, its discovery underscores the growing risk of malicious packages lurking in open source repositories like npm, PyPi and GitHub.” Translated into English, this means that Havoc could become the basis of future software supply chain attacks.

In addition, the malware disables Event Tracing for Windows (ETW), which is used to log various system events, so this is another way for the malware to hide its presence. Because ETW can legitimately be turned on or off as needed for debugging, this action by itself isn’t suspicious.

One common technique is for the malware to go to sleep once it reaches a potential target PC. This makes it harder to detect: defender teams can perhaps track when the malware entered their system, but they won’t necessarily notice when it wakes up to do further work. Another obfuscation technique is to hide or otherwise encrypt its source code. For proprietary applications this is to be expected, but for open-source apps the underlying code should be easily viewable. According to the researchers, however, this last technique is bare bones and easily found. The open source packages that were initially infected with Havoc have since been cleansed (at least for now). Still, it is an appropriate warning for software devops groups to remain vigilant and be on the lookout for supply chain irregularities.

One way this is being done is called static code analysis, where the code in question is run through various parsing algorithms to check for errors. What is new is using ChatGPT-like products to do the analysis for you, and here is one paper that shows how it was used to find code defects. While the AI caught 85 vulnerabilities in 129 sample files (which the author called “shockingly good”), it isn’t perfect and is more a complement to human code review and traditional code analysis tools.

Skynet as evil chatbot

Building the Real Skynet (The New Stack)

When we first thought about the plausible future of a real Skynet, many of us assumed it would take the form of a mainframe or room-sized computer that would be firing death rays to eliminate us puny humans. But now the concept has taken a much more insidious form as — a chatbot?

Don’t laugh. It could happen. AI-based chatbots have gotten so good that they are being used in clever ways: to write poems, songs, and TV scripts, to answer trivia questions, and even to write computer code. An earlier version was great at penning Twitter-ready misinformation.

The latest version is called ChatGPT, which was created by OpenAI and is based on its autocomplete text generator GPT-3.5. One author turned it loose on writing a story pitch. Yikes!

The first skirmish happened recently over at Stack Overflow, a website used by coders to find answers to common programming problems. Trouble is, ChatGPT’s answers are so good that at first blush they seem right, but upon further analysis they are wrong. Conspiracy theories abound. But for now, Stack Overflow has banned the bot from its forums. “ChatGPT makes it too easy for users to generate responses and flood the site with answers that seem correct at first glance but are often wrong on close examination,” according to this post over on The Verge. The site has been flooded by thousands of bot-generated answers, making it difficult for moderators to sift through them.

It may be time to welcome our new AI-based overlords.

Network World: Lessons learned from the Atlassian network outage

Last month, software tools vendor Atlassian suffered a major network outage that lasted two weeks and affected more than 400 of their over 200,000 customers. It is rare that a vendor who has been hit with such a massive and public outage takes the effort to thoughtfully piece together what happened and why, and also provide a roadmap that others can learn from as well.

In a post on their blog last week, they describe their existing IT infrastructure in careful detail, point out the deficiencies in their disaster recovery program, how to fix its shortcomings to prevent future outages, and describe timelines, workflows and ways they intend to improve their processes. I wrote an op/ed for Network World that gleans the four takeaways for network and IT managers.

Avast blog: Yandex is causing serious data privacy concerns for mobile users

Private data could be collected from thousands of Android and iOS apps, according to security researchers. The issue revolves around Yandex, the leading search engine in Russia, and how this data might be available to Russian state agencies. In addition to being a search portal, Yandex also makes an SDK called AppMetrica, which does app usage analytics and marketing and is similar to Google’s Firebase. The SDK has been incorporated into more than 52,000 different apps, including games and messaging apps.

In this post for Avast’s blog, I provide details about the problems with this SDK and things to watch out for when you download your next app.

Infoworld: How to evaluate software asset management tools

The vulnerabilities of the Apache Log4j logging package—and the attacks they’ve drawn—have made one thing very clear: If you haven’t yet implemented a software inventory across your enterprise, now is the time to start evaluating and implementing such tools. These aren’t new — I recall testing one of the earlier products, Landesk, which is now a part of Ivanti, back in the early 1990s. In this post for Infoworld, I go into detail about how you can evaluate Ivanti and four other leading tools from Atlassian, ServiceNow (shown above), ManageEngine and Spiceworks: why these tools are needed in modern software development organizations, how you should go about evaluating them, what their notable features are, and what they will cost.

Infoworld: How Roblox fixed a three-day worldwide infrastructure outage

Last October the gaming company Roblox’s online network went down, an outage that lasted three days. The site is used by 50M gamers daily. Figuring out and fixing the root causes of this disruption took a massive effort by engineers at both Roblox and their main tech supplier, HashiCorp. The company eventually posted an amazing analysis on a blog post at the end of January. Roblox got bitten by a strange coincidence of several events. The processes they went through to diagnose and ultimately fix things are instructive to readers who are doing similar projects, especially if you are running any large-scale IaC installations or are a heavy user of containers and microservices across your infrastructure.

There are a few things to be learned from the Roblox outage that I discuss in my latest story for Infoworld.

Infoworld: What app developers need to do now to fight Log4j exploits

Earlier this month, security researchers uncovered a series of major vulnerabilities in the Log4j Java software that is used in tens of thousands of web applications. The code is widely used across consumer and enterprise systems, in everything from Minecraft, Steam, and iCloud to Fortinet and Red Hat systems. One analyst estimates that millions of endpoints could be at risk.

There are at least four major vulnerabilities from Log4j exploits. What is clear is that as an application developer, you have a lot of work to do to find, fix, and prevent Log4j issues in the near term, and a few things to worry about in the longer term.

You can read my analysis and suggested strategies in Infoworld here.

Avast blog: Here are OWASP’s top 10 vulnerabilities in 2021

Last week was the 20th anniversary of the Open Web Application Security Project (OWASP), and in honor of that date, the organization issued its long-awaited update to its top 10 list of exploits. The list has been updated several times since 2003, most recently in 2017, and this latest iteration had been in draft form for months. In my blog post for Avast, I probe into its development, how it differs from the older lists, and what some key takeaways are for infosec managers and corporate app developers.

The 2021 Top 10 list has sparked some controversy. Security consultant Daniel Miessler complains that the list mixes unequal elements, and calls out the insecure design item as a problem. “While everyone can agree it’s important, it’s not a thing in itself. It’s instead a set of behaviors that we use to prevent issues.” He thinks the methodology is backwards: “OWASP should start with the purpose of the project and the output you want it to produce for a defined audience, and then look at the data needed.”

Why we need girls’ STEM programs

Like many of you, I have watched the horrors unfold in Afghanistan this week. There has been some excellent reporting — particularly by Al Jazeera on their English channel — but very little said about one massive and positive change that the past 20 years has seen: hundreds of thousands of boys and girls there have received an education that was previously out of reach. I am particularly glad to see that many students have also gotten interested in STEM fields as well.

I was reminded of something that happened to me nine summers ago, when I was one of the judges in the annual Microsoft Imagine Cup collegiate software contest, held that year in Sydney. By chance, I ended up judging three teams that were all female students from Ecuador, Qatar and Oman. Just so you understand the process: each country holds its own competition, and that team goes on to the finals. That means that the women bested dozens if not hundreds of other teams in their respective countries.

My post from 2012 shows the Omani team (above) and how carefully they branded themselves with red head scarfs (their app was something dealing with blood distribution, hence the color and the logos on their shirts). The Qatari team had a somewhat different style: one woman wore sweats and sneakers, one wore a full-on burka covering everything but a screen for her eyes, and the other two had modest coverings in between those points. It was my first time seeing anyone give a talk in a burka, and it was memorable. All four of them were from the same university, which was also an important point. While none of my teams were finalists, it didn’t really matter. They all were part of the 375 students who made it to Sydney, and they all got a lot out of the experience, as did I.

The reason I was thinking about the issues for women’s STEM education was this piece that I found in the NY Times about the FIRST robotics competition and the Afghan girls team. The story was written two years ago, and pre-dates what is happening now.

The girls were able to make it out of Kabul on Tuesday to Oman, where they will continue their STEM education. But there are certainly many thousands of girls who aren’t so fortunate, and we’ll see what happens in the coming weeks and months. I think many of us are literally holding our breaths and hoping for the best.

One of the reasons for the FIRST girls team’s success was great mentorship by Roya Mahboob, an Afghan expat tech entrepreneur and the team’s founder. She (yes, you might not know that Roya is a woman’s name; it is Persian for visionary) isn’t the only one who got behind these girls. If you read some of their own stories, you can see that they had the support of an older generation of women who had gotten a STEM education, the “tech aunties brigade” as I would call them, who were important role models. It shows that this progress happens slowly, family by family, as the old world order and obstacles are broken down bit by bit. Think about that for a moment: these girls already had older family members who were established in their careers. In Afghanistan, there isn’t a glass ceiling, but a glass floor just to gain entry.

While there is a lot to be said about whether America and the other NATO allies should have been in Afghanistan to begin with, I think you could make an argument that our focus on education was a net positive for the country and its future. From various government sources cited in this report, “literacy among 15- to 24-year-olds increased by 28 percentage points among males and 19 points among females, primarily driven by increases in rural areas.” This is over the period from 2005 to 2017. And while I couldn’t find any STEM-specific stats, you can see that education has had a big impact. I don’t know if the mistakes of our “endless war” can be absolved by this one small but shining result, but I am glad to see more all-girls STEM teams take their message around the world, and to motivate others to try to start their own STEM careers.

Linode blog: Guides to improving app security

I have written a series of blog posts to help developers improve their security posture.

Thanks to Covid challenges, there is a more complicated business environment and a greater collection of risks. Supply chains are more stressed, component transportation is more complex, and new software is needed to manage these changes. Businesses have more complex compliance requirements, which also ups the risk ante, especially if they run afoul of regulations or experience a data breach. Attackers are more clever at penetrating corporate networks with stealthier methods that often go without any detection for weeks or months.

Cybersecurity continues to be a challenge as adversaries come up with new and innovative ways to penetrate computer networks and steal data. One of the more popular attack methods is ransomware. There are tools to defend yourself against potential attack and techniques to strengthen your computer security posture. In this post, I describe how these attacks happen, what you can do to defend yourself and how to prevent future attacks.

The days where software developers wrote their application code in isolation of any security implications are over. Applications are exploited every minute of the day, thanks to the internet that connects them to any hacker around the planet. Application security doesn’t have to be overwhelming: there are dozens if not hundreds of tools to help you improve your security posture, prevent exploits, and reduce configuration errors that let bad actors gain unauthorized access to your network. In this post, I review the different kinds of appsec tools and best practices to improve your security posture.

Security starts with having a well-protected network. This means keeping intruders out, continuously scanning for potential breaches, and flagging attempted compromises. Sadly, there is no single product that will protect everything, but the good news is that over the years a number of specialized tools have been developed to help you protect your enterprise network. Your burden is to ensure that there are no gaps between these various tools, and that you have covered all the important bases to keep your network secure and protect yourself against potential harm from cyber criminals. New security threats appear daily as attackers target your business, making use of inexpensive services designed to uncover weaknesses across your network or in the many online services that you use to run your business. In this post, I review the different types of tools, point out the typical vendors who supply them, and explain why they are useful for protecting your network.

As developers release their code more quickly, security threats have become more complex, more difficult to find, and more potent in their potential damage to your networks, your data, and your corporate reputation. Balancing these two megatrends isn’t easy. While developers are making an effort to improve the security of their code earlier in the software life cycle, what one blogger on Twilio has called “shifting left,” there is still plenty of room for improvement. In this guide, I describe some of the motivations needed to better protect your code.

Many developers are moving “left” towards the earliest possible moment in the application development life cycle to ensure the most secure code. This guide discusses ways to approach coding your app more critically. It also outlines some of the more common security weaknesses and coding errors that could lead to subsequent problems. In this post, I look at how SQL injection and cross-site scripting attacks happen and what you can do to prevent each of them.

Application security testing products come in two basic groups, and you need more than one. The umbrella groups are testing and shielding. The former run various automated and manual tests on your code to identify security weaknesses. The application shielding products are used to harden your apps to make attacks more difficult to carry out. These products go beyond the testing process: they are used to be more proactive in your protection and to flag bad spots as you write the code within your development environment. This guide delves into the differences between the tools and reviews and recommends a series of application security testing products.