OpenSSF launches npm Best Practices Guide
The Open Source Security Foundation (OpenSSF) has published the npm Best Practices Guide to help JavaScript and TypeScript developers reduce the security risks associated with consuming open source dependencies.
The guide, produced by the OpenSSF Best Practices Working Group, focuses on npm’s dependency management and supply chain security features and covers a range of topics, including how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the impact of a hijacked dependency.
The release comes as developers share and reuse dependencies more than ever, a practice that accelerates innovation and development but also introduces risk. OpenSSF contributors noted in a blog post that while the benefits of adopting open source dependencies usually outweigh the drawbacks, the risks involved can be significant.
According to David A. Wheeler, the Linux Foundation’s director of open source supply chain security: “Underestimating the potential impact of vulnerabilities in both direct and indirect dependencies is the biggest security risk associated with developers’ use of open source dependencies. However, creating a strategy for dependency security that works can be difficult since it entails a unique set of issues that most developers aren’t used to dealing with.”
The npm Best Practices Guide is intended to help developers and organisations tackle these issues so they can consume dependencies more securely and confidently. It gives an overview of the supply chain security features npm offers, discusses the risks of consuming dependencies, and recommends mitigations at the various stages of a project. A large part of the guide is devoted to dependency management, outlining concrete steps developers can take to reduce risk.
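As an added example (not part of the OpenSSF guide or of any npm tooling), the following JavaScript audits a package-lock.json object for two of the risks the guide addresses: a dependency-confusion signal (a package in a private scope that resolved from the public registry) and lockfile entries with no integrity hash, which `npm ci` cannot verify. It also renders an .npmrc that pins the private scope to a private registry, saves exact versions and disables install-time scripts. The scope `@acme`, the registry `https://npm.acme.internal/` and the sample lockfile are constructed for illustration.

```javascript
// Added example, not from the OpenSSF guide: audit a package-lock.json object (lockfileVersion 2 or 3,
// which carry a "packages" map) and flag
//   - packages in a private scope that resolved from the public registry (the dependency-confusion pattern),
//   - packages resolved from any registry other than the expected one,
//   - packages with no "integrity" hash (so `npm ci` cannot verify the downloaded tarball).
// Scope and registry names below are hypothetical.

const DEFAULT_OPTIONS = {
  expectedRegistry: "https://registry.npmjs.org/",   // only allowed source for unscoped packages
  privateScope: "@acme",                             // hypothetical internal scope
  privateRegistry: "https://npm.acme.internal/",     // hypothetical private registry
};

// Constructed sample lockfile (lockfileVersion 3 layout). Integrity strings are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad": "1.3.0", "@acme/auth": "2.0.1", "tiny-lib": "0.1.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    // Internal package that resolved from the public registry: what a dependency-confusion attack
    // produces when an attacker publishes the same name publicly and no scoped registry is configured.
    "node_modules/@acme/auth": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/@acme/auth/-/auth-2.0.1.tgz",
      integrity: "sha512-" + "B".repeat(86) + "==",
    },
    // Entry with no integrity hash: the tarball cannot be verified on install.
    "node_modules/tiny-lib": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/tiny-lib/-/tiny-lib-0.1.0.tgz",
    },
    // Workspace symlink entries carry a relative path, not a registry URL, and are skipped.
    "node_modules/@acme/ui": { resolved: "packages/ui", link: true },
  },
};

// The package name is the path after the last "node_modules/" segment (handles nested installs and scopes).
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock, options = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...options };
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("lockfileVersion 2 or 3 with a 'packages' map is required");
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue;            // root project and workspace links
    const name = packageNameFromPath(lockPath);
    const resolved = entry.resolved || "";
    const isPrivate = name.startsWith(opts.privateScope + "/");
    const wanted = isPrivate ? opts.privateRegistry : opts.expectedRegistry;
    if (!resolved.startsWith(wanted)) {
      findings.push({
        name, version: entry.version, resolved,
        type: isPrivate ? "dependency-confusion" : "unexpected-registry",
        detail: `resolved from ${resolved || "(no URL)"}, expected ${wanted}`,
      });
    }
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, resolved, type: "missing-integrity",
        detail: "no integrity hash; npm ci cannot verify the tarball" });
    }
  }
  return findings;
}

// .npmrc that closes the gaps above: scoped packages always come from the private registry,
// exact versions are saved, and lifecycle scripts do not run during install.
function renderNpmrc(options = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...options };
  return [
    `${opts.privateScope}:registry=${opts.privateRegistry}`,
    "save-exact=true",
    "ignore-scripts=true",
  ].join("\n");
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.type}: ${f.name}@${f.version} (${f.detail})`);
console.log("\nRecommended .npmrc:\n" + renderNpmrc());
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Note that `ignore-scripts=true` also suppresses pre- and post-hooks when scripts are run by name, so some teams set it only in CI.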
CodeRAT source code published on GitHub
After being confronted by malware analysts, the author of the ‘CodeRAT’ remote access trojan (RAT) published its source code on GitHub. The malicious campaign, which appears to have originated in Iran and targeted Farsi-speaking software developers, used a Word document carrying a Microsoft Dynamic Data Exchange (DDE) exploit.
The attack downloads CodeRAT from the threat actor’s GitHub repository and executes it, giving the operator a wide range of post-infection capabilities. In particular, CodeRAT has extensive monitoring features that target webmail, databases, Microsoft Office documents, social media platforms, integrated development environments (IDEs) for Windows and Android, and even specific websites such as PayPal.
Instead of the usual command-and-control server infrastructure, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API to communicate with its operator and exfiltrate stolen data. The malware supports around 50 commands, including taking screenshots, copying clipboard contents, listing running processes and killing them, checking GPU utilisation, downloading, uploading and deleting files, and executing programs.
The operator builds commands with a UI tool that generates and obfuscates them, then delivers them to the malware through one of three channels: a proxy-based Telegram bot API (so no direct requests to Telegram), manual configuration (including a USB option), and commands stored locally in the ‘myPictures’ folder.
The same three channels are also used to exfiltrate data, targeting specific file extensions, entire folders or individual files. If Telegram is blocked in the victim’s country, CodeRAT’s anti-filter functionality sets up an alternative request-routing channel to get around the restriction.
Although the operation stopped abruptly when the researchers contacted its developer, CodeRAT may become more widespread now that its source code is public.
HomeGrid Forum releases VectorBoost
The HomeGrid Forum has announced the release of VectorBoost, an open source program for the GiGAWire profile that manages crosstalk mitigation in broadband access networks. Using the GiGAWire profile, the initiative aims to accelerate the development of network solutions based on ITU-T G.hn standards, extended to the multi-dwelling unit (MDU) environment of large apartment complexes and office buildings as well as to single-family units (SFUs) and fibre extender scenarios. To serve multiple subscribers over bundled copper pairs, it provides crosstalk mitigation and auto-pairing features.
VectorBoost is a G.hn access feature that allows a twisted-pair copper telephone line to operate at peak efficiency even in the presence of crosstalk from other subscribers’ lines in the same binder. It can run locally on a GAM (G.hn access multiplexer) or in the cloud, and it optimises the distribution of resources among adjacent lines according to their real-time traffic demands. As more compute resources become available in the carrier’s private cloud, VectorBoost can be readily extended and tailored to service providers’ needs.
Beyond reducing crosstalk between the pairs of a copper binder, VectorBoost optimises spectrum allocation by boosting a line’s spectrum only when its subscriber demands more bandwidth. Used together with coordinated dynamic time allocation (cDTA), it provides optimal real-time bandwidth distribution for each G.hn link.
The VectorBoost compute engine, whether it runs inside the GAM firmware or on a cloud server, communicates with each of the VectorBoost drivers running in the GAM.
Google extends its vulnerability reward program to open source software
Google introduced its Vulnerability Reward Program (VRP) in 2010. As the name implies, it encourages security researchers and professionals to find security flaws and exploits and disclose them confidentially to the vendor, which can then fix them; the person who reported the issue receives a cash reward. The company has now announced a VRP for open source software (OSS).
With projects such as Golang, Angular and Fuchsia under its wing, Google has stressed that it is one of the largest contributors to and maintainers of OSS and that it recognises the need to secure this space. Its OSS VRP is designed to encourage sustained effort on this front. The programme’s scope is all OSS code in Google’s portfolio: not only the projects it manages, but also the OSS dependencies they pull in that are maintained by other vendors. The two categories of OSS covered by this VRP are defined as follows:
- All current open source software (including repository settings) kept in the public repositories of GitHub organisations controlled by Google.
- The third-party dependencies of such projects (the affected dependency must be notified before a report is submitted to Google’s OSS VRP).
Google is currently accepting reports of supply chain compromise, design flaws and other security issues, including weak or compromised credentials and insecure deployments. Rewards range from US$ 100 to US$ 31,337.
Google’s FHE transpiler integrated with OpenFHE
According to a press release from Duality Technologies, Google has integrated its open source fully homomorphic encryption (FHE) transpiler, which is built with the XLS SDK and hosted on GitHub, with OpenFHE, the Duality-led open source FHE library. The integration is meant to make FHE approachable for developers without cryptographic expertise and to accelerate its adoption.
Yuriy Polyakov, senior director of cryptography research and principal scientist at Duality, said, “Our team has achieved significant milestones with our OpenFHE library, and it has quickly become the choice for many of today’s technology leaders, like Google. The Google Transpiler provides access to the latest features of OpenFHE for the community of application developers who are not FHE experts.”
FHE is a class of encryption schemes that differs from conventional encryption in that it allows computation to be performed directly on encrypted data: a party holding only ciphertexts and public parameters can compute on them without the secret key, and only the key holder can decrypt the result. OpenFHE was founded by a community of well-known cryptographers and has its roots in open source post-quantum lattice cryptography.
The library was built for usability, improved APIs, modularity, cross-platform portability and hardware acceleration when paired with accelerator hardware. By combining OpenFHE with Google’s transpiler, developers can operate on encrypted data using the same kind of high-level code, such as C++, that they routinely write for unencrypted data, without having to learn cryptography.
The Google transpiler simplifies building FHE-powered applications, removing the need for the extensive software development expertise currently required to implement FHE from scratch.
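To make the property described above concrete, here is an added example (not from the press release, and not OpenFHE or transpiler code) in JavaScript using a toy Paillier cryptosystem. Paillier is only additively homomorphic, so it is not FHE: it demonstrates computing a sum and a constant multiple on ciphertexts without the secret key, but it cannot multiply two ciphertexts, which is what FHE schemes such as those in OpenFHE add. The primes, the payroll figures and the multiplier are constructed toy values.

```javascript
// Added example, not from the press release and not OpenFHE or Google transpiler code. A toy Paillier
// cryptosystem, which is additively homomorphic (NOT fully homomorphic): it shows the one property the
// text describes, computing on ciphertexts without the secret key, for addition and multiplication by a
// plaintext constant only. The primes are tiny, so this is for illustration, never for real data.

const TOY_P = 65537n; // prime; toy size only (constructed)
const TOY_Q = 65521n; // prime; toy size only (constructed)

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

function gcd(a, b) { while (b !== 0n) { [a, b] = [b, a % b]; } return a; }
function lcm(a, b) { return (a * b) / gcd(a, b); }

// Modular inverse via the extended Euclidean algorithm; throws if gcd(a, m) != 1.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error("not invertible");
  return ((oldS % m) + m) % m;
}

// Random BigInt in [1, n) coprime to n. Uses WebCrypto when available; the fallback is NOT
// cryptographically secure and exists only so the toy runs anywhere.
function randomUnit(n) {
  const bytes = new Uint8Array(Math.ceil(n.toString(2).length / 8) + 8);
  for (;;) {
    if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === "function") {
      globalThis.crypto.getRandomValues(bytes);
    } else {
      for (let i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256);
    }
    let r = 0n;
    for (const b of bytes) r = (r << 8n) | BigInt(b);
    r = (r % (n - 1n)) + 1n;
    if (gcd(r, n) === 1n) return r;
  }
}

function keygen(p = TOY_P, q = TOY_Q) {
  const n = p * q;
  const n2 = n * n;
  const lambda = lcm(p - 1n, q - 1n);
  // With g = n + 1, L(g^lambda mod n^2) = lambda mod n, so mu = lambda^-1 mod n.
  const mu = modInv(lambda % n, n);
  return { pk: { n, n2, g: n + 1n }, sk: { n, n2, lambda, mu } };
}

// c = g^m * r^n mod n^2 with fresh random r, so two encryptions of the same m differ.
function encrypt(pk, m) {
  if (m < 0n || m >= pk.n) throw new RangeError("plaintext must be in [0, n)");
  const r = randomUnit(pk.n);
  return (modPow(pk.g, m, pk.n2) * modPow(r, pk.n, pk.n2)) % pk.n2;
}

// m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n; u ≡ 1 (mod n) so the division is exact.
function decrypt(sk, c) {
  const u = modPow(c, sk.lambda, sk.n2);
  const L = (u - 1n) / sk.n;
  return (L * sk.mu) % sk.n;
}

// Anyone holding only the public key can do these; the results decrypt to m1 + m2 and k * m.
function addEncrypted(pk, c1, c2) { return (c1 * c2) % pk.n2; }
function mulByConstant(pk, c, k) { return modPow(c, k, pk.n2); }

// Worked scenario (constructed figures): a server sums salaries it only ever sees encrypted,
// then scales the total by a constant, all without the secret key.
function encryptedPayrollDemo(salaries = [1200n, 3400n, 5600n], multiplier = 3n) {
  const { pk, sk } = keygen();
  const ciphertexts = salaries.map((s) => encrypt(pk, s));
  let total = ciphertexts[0];
  for (const c of ciphertexts.slice(1)) total = addEncrypted(pk, total, c); // server side, pk only
  const scaled = mulByConstant(pk, total, multiplier);                      // server side, pk only
  const expectedSum = salaries.reduce((a, b) => a + b, 0n);
  return {
    decryptedSum: decrypt(sk, total),       // key holder
    decryptedScaled: decrypt(sk, scaled),   // key holder
    expectedSum,
    expectedScaled: (expectedSum * multiplier) % pk.n,
  };
}

console.log(encryptedPayrollDemo());
```

The server in the scenario never calls `decrypt`; it only multiplies ciphertexts modulo n², which is what "computing on encrypted data" means in practice. A full FHE scheme additionally supports multiplying two ciphertexts, which is what lets a tool like the transpiler turn ordinary C++ into an encrypted computation.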