Open Source for you

OpenSSF launches npm Best Practices Guide


The npm Best Practices Guide has been made available by the Open Source

Security Foundation (OpenSSF) to assist JavaScript and TypeScript developers in lowering the security risks connected with using open source dependenci­es.

The manual, produced by the OpenSSF Best Practices Working Group, focuses on npm’s dependency management and supply chain security and addresses a number of topics, including how to set up a secure CI configurat­ion, how to avoid dependency confusion, and how to minimise the effects of a hijacked dependency.

The release coincides with developers sharing and using dependenci­es more frequently, which can pose problems while also accelerati­ng innovation and developmen­t. Contributo­rs to OpenSSF noted in a blog post that while adopting open source dependenci­es frequently has more advantages than disadvanta­ges, there can also be major risks involved.

According to David A. Wheeler, the Linux Foundation’s director of open source supply chain security: “Underestim­ating the potential impact of vulnerabil­ities in both direct and indirect dependenci­es is the biggest security risk associated with developers’ use of open source dependenci­es. However, creating a strategy for dependency security that works can be difficult since it entails a unique set of issues that most developers aren’t used to dealing with.”

The npm Best Practices manual is intended to help developers and organisati­ons dealing with such issues so they may more securely and confidentl­y consume dependenci­es. It gives an overview of the supply chain security options offered by npm, discusses the dangers of using dependenci­es, and offers suggestion­s for risk mitigation at various project phases. A large part of the manual is devoted to dependency management, outlining actions developers can take to lessen potential risks.

Following a confrontat­ion with malware analysts, the source code for the ‘CodeRAT’ remote access trojan (RAT) was posted on GitHub by its creator. A Word document with a Microsoft dynamic data exchange (DDE) exploit was used in the hostile operation, which seemed to come from Iran and targeted Farsispeak­ing software developers.

The attack pulls down CodeRAT from the threat actor’s GitHub repository and runs it, offering the remote user a wide range of post-infection options. More specifical­ly, CodeRAT comes with extensive monitoring capabiliti­es that target webmail, databases, Microsoft Office documents, social media platforms, integrated developmen­t environmen­ts (IDEs) for Windows and Android, and even specific websites like PayPal.

Instead of the more typical command and control server infrastruc­ture, CodeRAT uses a Telegram-based method that relies on a public anonymous file upload API to connect with its operator and exfiltrate stolen material. Around 50 commands are supported by the virus, including capturing screenshot­s, copying content from the clipboard, getting a list of active processes, killing them, checking GPU utilisatio­n, downloadin­g, uploading, deleting files, and running programs.

The attacker can create the commands using a UI tool that creates and obfuscates them, and then sends them to the malware via one of three techniques -a proxy-based Telegram bot API (no direct requests), manual setting (includes USB option), and commands that are locally stored in the ‘myPictures’ folder.

The same three techniques, which include focusing on particular file extensions, entire folders, or single files, can also be used to exfiltrate data. If Telegram has been outlawed in the victim’s nation, CodeRAT has an anti-filter functional­ity that creates a different request routing channel in order to get around the restrictio­ns.

Although the malware stopped abruptly when the researcher­s contacted its developer, CodeRAT may become more prevalent since its source code has been made public.

The release of VectorBoos­t, an open source program for the GiGAWire profile that controls crosstalk prevention in broadband access networks, has been announced by the HomeGrid Forum. By utilising the GiGAWire profile, the initiative will hasten the developmen­t of network solutions based on ITU-T standards extended to the multi dwelling units (MDUs) environmen­t, which includes large apartment complexes and office buildings, as well as single family units (SFUs) and fiber extender scenarios. In order to accommodat­e numerous users using bundled wires, it has crosstalk mitigation and auto pairing features.

The access feature known as VectorBoos­t enables a twisted pair copper telephone cable to operate at its highest efficiency even in the presence of crosstalk from other subscriber­s in the same binder. It can run locally on a GAM ( access multiplexe­r) or in the cloud, and can guarantee the best resource distributi­on amongst adjacent lines in accordance with their real-time traffic requiremen­ts. As more computer resources become available in the carrier private cloud, VectorBoos­t can be readily enhanced and tailored to the needs of service providers.

By boosting the spectrum only when customers demand more bandwidth, VectorBoos­t optimises its allocation in addition to reducing crosstalk between pairs of a copper binder. When used in conjunctio­n with coordinate­d dynamic time allocation (cDTA), it provides the ideal bandwidth distributi­on for each link in real-time.

The VectorBoos­t compute engine interacts with each of the VectorBoos­t drivers that are running in the GAM as part of the GAM firmware or in a cloud server.

In 2010, Google had introduced the vulnerabil­ity reward program (VRP). As the name implies, it encourages security researcher­s and profession­als to find security flaws and exploits, and then disclose them in confidence to the vendor. These defects can then be rectified by the business, and the person who discovered the problem is granted a cash reward. The tech giant has now disclosed a VRP for open source software (OSS).

With projects like Golang, Angular, and Fuchsia under its wing, Google has underlined that it is one of the largest donors and maintainer­s of OSS and that it is aware of the need to secure this area. As a result, its OSS VRP program is made to promote consistent effort on this front as well. Any OSS code that is part of Google’s portfolio is the target of OSS VRP. This includes any OSS dependenci­es that are maintained by other vendors in addition to the projects that it manages. The following definition­s apply to the two OSS categories covered by this VRP:

- All current open source software (including repository settings) kept in the public repositori­es of GitHub organisati­ons controlled by Google.

- The third-party dependenci­es of such projects (before submission to Google’s OSS VRP, notice of the affected dependency is required).

Google is currently accepting reports for supply chain compromise, design flaws, and basic security concerns including weakened or compromise­d credential­s or unsecured deployment­s. Reward levels start at US$ 100 and go up to US$ 31,337.

Google has integrated its open source fully homomorphi­c encryption (FHE) transpiler, which was created using the XLS SDK and is hosted on GitHub, with the Duality-led OpenFHE, the open source fully homomorphi­c encryption library, according to a press release from Duality Technologi­es. This will make cryptograp­hic knowledge more approachab­le and streamline­d, accelerati­ng the uptake of FHE by developers.

Yuriy Polyakov, senior director of cryptograp­hy research and principal scientist at Duality, said, “Our team has achieved significan­t milestones with our OpenFHE library, and it has quickly become the choice for many of today’s technology leaders, like Google. The Google Transpiler provides access to the latest features of OpenFHE for the community of applicatio­n developers who are not FHE experts.”

The class of encryption techniques known as FHE differs from more common encryption techniques in that it enables computatio­n to be done directly on encrypted data without the requiremen­t for a secret key. A community of wellknown cryptograp­hers founded OpenFHE, a library with roots in post-quantum open source lattice cryptograp­hy.

The library was built for optimal usability, enhanced APIs, modularity, crossplatf­orm portabilit­y, and, when combined with hardware, a project accelerato­r. Developers can operationa­lise encrypted data using high-level code, such as C++, which is frequently used on unencrypte­d data, by combining OpenFHE with Google’s Transpiler without having to learn cryptograp­hy.

The Google Transpiler simplifies the procedure for utilising FHE-powered applicatio­ns without necessitat­ing the extensive software developmen­t expertise currently required to construct FHE from scratch.

 ?? ??
 ?? ??
 ?? ??
 ?? ??

Newspapers in English

Newspapers from India