Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Developers. Show all posts

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Apple's AI Features Demand More Power: Not All iPhones Make the Cut

 


A large portion of Apple's developer conference on Monday was devoted to infusing artificial intelligence (AI) technology into its software. Some of the features Apple has rumoured to incorporate are not expected to work on all iPhones. If you read this article correctly, it sounds as if Apple is betting its long-awaited AI features will be enough to make you upgrade your iPhone — especially if the AI requires the latest smartphone. The annual developer conference of Apple, WWDC, is expected to take place on Monday with the announcement of iOS 18. 

According to Bloomberg, the company will release a new version of its artificial intelligence software, dubbed "Apple Intelligence," which will include features that will run directly on the iPhone's processor instead of being powered by cloud servers - in other words, they'll be powered directly from the device itself. According to the report, some of the AI services will still utilize cloud-based computing, however, many won't. The iPhone, iOS18, as well as any of Apple's other products and devices, are set to be updated, and anything short of a full array of AI-based features will likely disappoint developers and industry analysts, not to mention investors, with any changes Apple makes to its operating system. 

The company has turned to artificial intelligence (AI) as a way to revive its loyal fan base of over 1 billion customers and reverse the decline of its best-selling product in the face of choppy consumer spending and resurgent tech rivals. A key selling point that Apple uses to differentiate itself from its competitors is the fact that it is committed to privacy. There are still questions to be answered in regards to how Federighi will make sure that the personal context of a user will be shared across multiple devices belonging to the same user. 

However, he said that all data will be processed on-device and will never be shared across cloud servers. It is widely believed that the move by Apple was an evolution of the generative AI domain that would lead to the adoption of generative AI by enterprises by streamlining the best practices for AI privacy in the industrial sector. Analysts said that the software is likely to encourage a cascade of new purchases, as it requires at least an iPhone 15 or 15 Pro to be able to function. It has been predicted that we will likely see Apple's most significant upgrade cycle since the launch of the iPhone 12 in 2020, when 5G connectivity was part of the appeal for consumers for the device. 

A study from Apple analyst Ming-Chi Kuo published on Medium has claimed that the amount of on-board memory in the forthcoming iPhone 16 range, which is predicted to have 8GB of storage, may not be enough to be able to fully express the large language model (LLM) behind Apple's artificial intelligence (AI). It has been argued by analyst Kuo in a recent post that the iPhone 16's 8GB DRAM limit will likely restrict on-device learning curves from exceeding market expectations. Kuo suggests that eager Apple fans might want to temper their expectations before WWDC this year. 

Although this is true, Apple's powerful mobile chips and efficient iOS operating system can offer market-leading performance, regardless of how much RAM is available to them, on many of their previous iPhone models. As a result, memory has never been much of an issue on revious iPhone models. In the case of notoriously demanding AI tools, such as deep learning, however, the question becomes whether that level of complexity will still be applicable.

Several apps are set to feature AI technology, including Mail, Voice Memos, and Photos, as part of Apple's AI integration, but users will have to opt-in to use the features if they wish to use them. There were rumours that the company would deliver a series of features designed to simplify everyday tasks such as summarizing and writing emails, as well as suggesting custom emojis for emails. Moreover, Bloomberg reports that Siri is also going to undergo an AI overhaul to allow users to be able to do more specific tasks within apps, for instance, deleting an email inside an app will be one of these. According to The Information and Bloomberg, Apple has signed a deal with OpenAI to power some features, including a chatbot that is similar to ChatGPT, one of the most popular chatbots.

AlphaCodium: Your New Coding Assistant

 


Meet AlphaCodium, the latest creation from CodiumAI, taking AI code generation to the next level, leaving Google's AlphaCode in its digital dust. Forget complicated terms; AlphaCodium simply means smarter, more accurate coding. Instead of following a set script, it learns and refines its code through a back-and-forth process, making it work more like how we humans tackle problems. Think of it like a super-smart sidekick for developers, helping them build faster and with zero bugs. So, get ready for a coding revolution – AlphaCodium is here to make programming easier, more efficient, and, most importantly, error-free.

AlphaCodium's success is attributed to its innovative 'flow engineering' method, shifting from a traditional prompt: answer approach to a dynamic iterative process. Unlike its predecessors, it incorporates elements of Generative Adversarial Network (GAN) architecture, developed by Ian Goodfellow in 2014. This includes a model for code generation and an adversarial model ensuring code integrity through testing, reflection, and specification matching.

The process begins with input, followed by pre-processing steps where AlphaCodium reflects on the problem, leading to an initial code solution. Subsequently, it generates additional tests to refine the solution iteratively, ultimately reaching a final functional code.

CodiumAI's mission, as stated on its website, is to "enable developers to build faster with zero bugs." The startup, founded in 2022, raised $10.6 million in March 2023. AlphaCodium's performance, tested on the CodeContests dataset containing 10,000 competitive programming problems, showcased an impressive improvement in accuracy from 19% to 44% compared to GPT-4.

Andrej Karpathy, previously director of AI at Tesla and now with OpenAI, highlighted AlphaCodium's 'flow engineering' as a revolutionary approach to improve code generation. This method not only allows the AI to generate boilerplate code but also ensures the generated code is accurate and functional.


CodiumAI's CEO on AlphaCodium's Significance

CodiumAI's CEO, Itamar Friedman, emphasised that AlphaCodium is not merely a model but a comprehensive system and algorithm facilitating a dynamic 'flow' of communication between a code-generating model and a 'critic' model. This approach, termed 'flow engineering,' distinguishes AlphaCodium as a groundbreaking solution.

Friedman acknowledges OpenAI (developer of Codex) and Google DeepMind as rivals but emphasises that the real competition lies in advancing code integrity technology. He sees AlphaCodium as the next generation of code integrity, aligning not only with specifications but also with cultural documents, beliefs, and guidelines of the developer community. 

Friedman expressed inspiration from DeepMind's work but highlighted the absence of 'flow engineering' in Google DeepMind's AlphaCode. He suggests that the mainstream narrative focused on improving large language models might be overlooking the essential aspect of creating a flow for effective code generation.


To look at it lucidly, AlphaCodium represents a shift in the AI coding mechanism, asserting the importance of a continuous 'flow' in generating not just code but accurate and functional solutions. The implementation of 'flow engineering' marks a significant departure from conventional methods, offering a more dynamic and iterative approach to generate accurate and functional code. 

Security Issue in Banking Applications?

Recently, we tested a mobile application of a BFSI platform, which allowed the organization's employees to view and interact with new customer leads. 

The mobile app had a password-based authentication system, with the username being the mobile number of the user. We identified a major weakness in this mobile app. The app allows a user to reset the password if they can prove themselves via an OTP. When the 'forgot password' button is pressed, the user is sent to a page where they are prompted to enter an OTP. The OTP is sent to the phone number, and if the wrong OTP is entered, the server responds with `{"OTP":"Failure"}`. While this seems to have been implemented properly, we tried to change the server response by conducting an MITM. We changed the response from the server to `{"OTP":"Success"}`. This redirection led us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset would fail. However, we soon discovered that the password reset page itself does not check the OTP, and there is no session to track the successful OTP. This means any attacker can take the password change request, replace the phone number, and change the password of any other user (phone number). In simple terms, the OTP verification and the password reset page are not connected. The password reset API call did not have any verification or authentication to ensure only the correct user can change the password. 

This reveals how BFSI developers, when asked to build an app, often create the requested features without considering any security architecture. These apps are usually rushed, and only the positive/happy paths are checked. Security testing and architecture are often considered only as an afterthought. Unless BFSI incorporates security architecture into the development stage itself, such vulnerabilities will continue to emerge.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp

Over $30 Billion Stolen from Crypto Sector, Reveals SlowMist's

A recent report by cybersecurity firm SlowMist has uncovered a shocking revelation regarding the vulnerability of the crypto sector. According to the report, blockchain hacks have resulted in the theft of over $30 billion from the cryptocurrency industry since 2012. This alarming figure highlights the pressing need for enhanced security measures within the blockchain ecosystem.

The report from SlowMist, a renowned cybersecurity company specializing in blockchain technology, brings to light the magnitude of the problem facing the crypto sector. The findings emphasize the urgent requirement for robust security protocols to safeguard digital assets and protect investors.

The report reveals that hackers have been successful in exploiting vulnerabilities across various blockchain networks, resulting in significant financial losses. SlowMist's research indicates that these attacks have been carried out through a range of methods, including exchange hacks, smart contract vulnerabilities, and fraudulent schemes.

One of the primary areas of concern is the vulnerability of cryptocurrency exchanges. These platforms serve as a vital link between users and their digital assets, making them lucrative targets for hackers. SlowMist's report highlights the need for exchanges to prioritize security measures and implement robust systems to safeguard user funds.

The rise in smart contract-based attacks has also been a cause for concern. Smart contracts, which automate and facilitate transactions on blockchain platforms, have been exploited by hackers who identify vulnerabilities within the code. This highlights the need for thorough security audits and ongoing monitoring of smart contracts to prevent potential breaches.

Industry experts emphasize the significance of preemptive actions to thwart these threats in response to the report's conclusions. Renowned blockchain security expert Jack Smith emphasizes the value of ongoing surveillance and quick response mechanisms. According to him, "It is crucial for crypto companies to prioritize security and adopt a proactive approach to identify and mitigate vulnerabilities before hackers exploit them."

The report also highlights the demand for a greater user understanding of cryptocurrencies. If consumers don't employ prudence when transacting with and holding their digital assets, even the most comprehensive security measures won't be enough. By educating people about best practices, like as using hardware wallets and turning on two-factor authentication, the danger of being a victim of hacking efforts can be greatly decreased.

The cryptocurrency industry has grown rapidly in recent years, drawing both investors and bad actors looking to take advantage of its weaknesses. The SlowMist report is a wake-up call, highlighting the critical need for better security procedures to protect the billions of dollars invested in the sector.

The adoption of more robust security measures must continue to be a primary focus as the blockchain sector develops. The report's conclusions underscore that everyone is accountable for building a secure ecosystem that promotes trust and protects against possible dangers, including blockchain developers, cryptocurrency exchanges, and individual users.



JavaScript Registry npm at Risk

 

The JavaScript registry npm, a vital resource for developers worldwide, has recently come under scrutiny due to a significant vulnerability known as manifest confusion. This flaw allows attackers to exploit the npm ecosystem, potentially compromising the integrity and security of countless JavaScript packages. The repercussions of such abuse are far-reaching and could have severe consequences for the development community.

The exploit, first discovered by security researchers, highlights a fundamental flaw in the way npm handles package manifests. Package manifests contain essential information about dependencies, versions, and other metadata necessary for proper functioning. However, attackers can manipulate these manifests, tricking npm into installing malicious or unintended packages.

The severity of the issue is further exacerbated by the fact that the exploit affects not only a specific package or a handful of packages but has the potential to impact the entire npm ecosystem. With over one million packages available for public use, developers relying on npm must be vigilant in ensuring the integrity of their dependencies.

The vulnerability arises from a lack of strict validation and enforcement mechanisms in npm's package management process. By crafting specially designed manifests, attackers can exploit the confusion arising from naming similarities and version discrepancies, effectively bypassing security measures and injecting malicious code into legitimate packages.

The consequences of a successful manifest confusion attack are wide-ranging. Developers relying on npm could unwittingly introduce compromised packages into their applications, leading to a variety of security vulnerabilities and potential breaches. This could result in the theft of sensitive user data, unauthorized access to systems, or the disruption of critical services.

The npm development team has been made aware of the vulnerability and is actively working to address the issue. In response to the community's concerns, npm has implemented stricter validation checks and is exploring ways to enhance the package management process to prevent future attacks. However, mitigating the risk entirely will require the cooperation and diligence of package maintainers and developers.

Developers are recommended to manage their dependencies carefully in the interim. Before integration, it is critical to ensure that packages are authentic and intact, that they come from reliable sources, and that they have not been tampered with. Keeping packages updated to the most recent versions and signing up for vulnerability alerts can both reduce the chance of exploitation.

The npm ecosystem, which enables quick and effective software development, is a key tenet of the JavaScript development community. However, the integrity and security of this ecosystem are seriously threatened by the manifest confusion vulnerability. It is essential that npm and the larger development community solve this problem right away, working together to fortify the defenses against possible attacks and secure the future of JavaScript development.




Over 60K Adware Apps Target Android Devices

Over 60,000 adware apps disguised as cracked versions of popular apps have been discovered, posing a significant threat to Android device users. These malicious apps have been circulating for the past six months, secretly installing adware and compromising user privacy.

The discovery was made by cybersecurity researchers who found that the adware apps were cleverly designed to imitate cracked versions of popular applications, tempting users with promises of free access to premium features. Once installed, these apps exploit their access to the device, displaying intrusive advertisements, redirecting users to potentially harmful websites, and collecting personal information without user consent.

The impact of these adware apps goes beyond annoying ads and pop-ups. They can significantly compromise user privacy and security, as they often have access to sensitive information such as contact lists, location data, and browsing history. Additionally, these apps can drain device resources and slow down performance, causing frustration for users.

The adware apps were distributed through various unofficial app stores and online forums, taking advantage of users' desire to access premium features without paying. Due to their deceptive nature, they managed to evade security measures and make their way onto unsuspecting users' devices.

To protect themselves from these threats, Android device users are advised to follow best practices for app installation. It is crucial to download apps only from official sources such as the Google Play Store, where apps undergo thorough security checks. Users should also be cautious of downloading cracked versions of apps from unauthorized websites or third-party app stores, as these are often breeding grounds for malware.

Furthermore, keeping devices up to date with the latest security patches and regularly scanning for malware using reputable mobile security solutions can help detect and remove any adware apps that may have infiltrated the system.

This incident serves as a reminder of the persistent threats faced by Android users and the need for heightened vigilance when downloading and installing applications. Users must remain cautious, exercise due diligence, and rely on trusted sources for their app needs.


24 Percent of Technology Applications Have High-risk Security Vulnerabilities

 

With a higher proportion of applications to compete with than other industries, technology firms would benefit from improving secure coding training and practices for their development teams. As per Veracode, 24 percent of applications in the technology sector contain high-risk security flaws, which would cause a critical issue for the application if exploited. 

“Giving developers real, hands-on experience of what it takes to spot and exploit a flaw in code—and its potential impact on the application—provides the context and understanding to build their intuition about software security. Our research found that organizations whose developers had completed just one lesson in our hands-on Security Labs training program fixed 50 percent of flaws two months faster than those without such training,” said Chris Eng, Chief Research Officer at Veracode.

The technology industry was discovered to have the second-highest proportion of applications with security flaws, at 79 percent, trailing only the public sector (82 percent). When it comes to the proportion of flaws fixed, the technology sector ranks in the middle of the pack.

The industry still takes up to 363 days to fix 50% of flaws, indicating that there is still plenty of room for improvement.

Eng added, “Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus.”

He continued, “To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”

The most common types of flaws discovered by dynamic analysis of technology applications are server configuration, insecure dependencies, and information leakage, which broadly follows a pattern similar to other industries.

In contrast, the sector has the greatest deviation from the industry average for cryptographic issues and information leakage, possibly indicating that developers in the tech industry are more knowledgeable about data security challenges.

Apple Accused Over Monitoring Users' Behavior Without Consent


According to a lawsuit, despite the fact that settings on Apple's iPhones and other devices are designed to prevent any tracking or sharing of app data, the corporation nonetheless collects, tracks, and monetizes user details even after users have turned off sharing.

When using the App Store app on iOS 14.6, each click users make is recorded and given to Apple, according to the thread posted last week by the Twitter account Mysk, which is maintained by two developers in Canada and Germany. 

The developers assert that this occurs regardless of users’ preferences and settings. The developers claim that "opting out or switching the personalization options off did not decrease the amount of detailed data that the app was transmitting." Apple provides a number of toggles designed to limit tracking.

In a follow-up report by Gizmodo, the developers discovered that although the privacy toggles, a number of additional apps, including Music, TV, Books, the iTunes Store, and Stocks, all transferred data to Apple. The site claims that the majority of the apps that transmitted analytics data shared constant ID numbers, which would allow Apple to follow user behavior across its services like the Health and Wallet apps.

Elliot Libman, the plaintiff, alleged  Apple's assurances that users have control over the data they provide when using iPhone apps are factually false and in violation of the California Invasion of Privacy Act.

The thread also notes how ironic Apple's alleged surveillance appears given that strong controls were introduced in iOS 14.5 to stop third-party developers from tracking users against their own will. Although the iOS 14.6 operating system has been around for more than a year, the researchers said they observed identical apps sending comparable data packets when using iOS 16.

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

 

An apparently school-age hacker from Verona, Italy, has become the latest to highlight why developers must be cautious about what they download from public code repositories these days. As an experiment, the teenage hacker recently posted many malicious Python packages containing ransomware programmes to the Python Package Index (PyPI). 

The packages' names were "requesys," "requesrs," and "requesr," which are all typical misspellings of "requests," a valid and extensively used HTTP library for Python. According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times — probably by developers who made typographical errors when attempting to download the genuine "requests" package. 

The bundle included scripts for exploring directories such as Documents, Pictures, and Music. One version of the requesys package included plaintext Python encryption and decryption code. However, a later version included a Base64-obfuscated executable, making analysis more difficult, according to Sonatype. 

Developers whose systems were encrypted received a pop-up notice urging them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to receive the decryption key without having to pay for it. 

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. 

Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package. According to the company, Sonatype identified the virus on July 28 and promptly reported it to PyPI's authorities. Two of the packages have subsequently been deleted, and the hacker has renamed the requesys package so that developers do not confuse it with a valid programme. 

"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First and foremost, be cautious while spelling out the names of prominent libraries, as typosquatting is one of the most prevalent malware attack tactics, she advises. Second, and more broadly, developers should always use caution when obtaining and integrating packages into their software releases. Open source is both a necessary fuel for digital innovation and an attractive target for software supply chain threats, explains Lamba.

Following the newest finding, Sonatype researchers contacted the creator of the malicious code and discovered him to be a self-described school-going hacker who was evidently fascinated by exploits and the simplicity with which they might be developed.

According to Lamba, b8ff assured Sonatype that the ransomware software was totally open source and part of a hobby project.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated app stores could do more to improve security. Cybercriminals are currently exploiting vulnerabilities in app stores on all types of linked devices to cause harm,  as per Mr Levy. 

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.