RubyGems polishes security practices with multi-factor authentication push

Faced with rising software supply-chain attacks, package registries are locking things down

Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.

This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.

"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."

Software supply chain attacks have been at the forefront of online security concerns since December 2020 when security firm FireEye said its systems had been compromised and it later emerged that Russian intelligence operatives had injected malware into SolarWinds' Orion monitoring tool. Having backdoored some 18,000 companies, SVR hackers were able to conduct attacks on about 100 of them.

With software package registries distributing millions of code libraries on a daily basis – and repeated reports of account compromises as well as proof-of-concept attacks – those overseeing open source package registries have been under pressure to up their security game.

And so they should, because software developers aren't stepping up. Only 47 percent of CIOs in a recent survey said their organizations checked the provenance of open source libraries used in their apps.

RubyGems began formulating its MFA push earlier this year. MFA is presently just a recommendation; the package registry intends to make it mandatory for maintainers of popular gems (packages) on August 15, 2022.

Li said this will align RubyGems' policies with those of the NPM (Node Package Manager) registry and its owner, Microsoft's GitHub.

RubyGems also supports another package security measure: signed packages. However, few developers bother to sign. According to security firm Tidelift, a pitiful 1.4 percent (2,216 of 157,640 gems) of latest-version gems were signed as of March 2020.
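The two protections discussed above, MFA for gem maintainers and signed gems, as an added example that is not from the article or from RubyGems' own code. It shows a gemspec that opts into rubygems.org's per-gem MFA requirement (the `rubygems_mfa_required` metadata key, which RubyGems supports but the article does not mention) and declares signing material, a small lint a CI job could run to report which of the two a gemspec lacks, and a signature round trip with Ruby's OpenSSL showing why a tampered package fails verification. The gem name, key path and certificate path are placeholders; the round trip uses a self-signed certificate and a detached signature over the package bytes, a simplification of how `gem build` signs the entries of the `.gem` archive with the maintainer's X.509 chain.

```ruby
require "openssl"
require "rubygems"

# Gemspec-level hardening a maintainer can set. Values are placeholders.
# rubygems_mfa_required makes rubygems.org refuse pushes and yanks for this
# gem from accounts without MFA; signing_key and cert_chain make `gem build`
# emit signature entries inside the .gem archive.
def hardened_spec
  Gem::Specification.new do |s|
    s.name        = "example-gem"            # constructed name
    s.version     = "0.1.0"
    s.summary     = "Constructed example gem"
    s.authors     = ["Example Maintainer"]
    s.files       = []
    s.metadata["rubygems_mfa_required"] = "true"
    s.signing_key = "/path/to/gem-private_key.pem"  # placeholder path
    s.cert_chain  = ["certs/maintainer.pem"]        # placeholder path
  end
end

# CI-style lint: return the protections a gemspec is missing, as symbols.
# An empty array means the gem requires MFA for its owners and is signed.
def missing_protections(spec)
  missing = []
  missing << :mfa unless spec.metadata["rubygems_mfa_required"] == "true"
  missing << :signing if spec.signing_key.nil? || Array(spec.cert_chain).empty?
  missing
end

# Generate a fresh RSA key and a self-signed certificate standing in for the
# maintainer's cert_chain entry. Constructed for the example only.
def make_signer
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=maintainer@example.com")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Detached SHA-256/RSA signature over the package bytes.
def sign_package(key, package_bytes)
  key.sign(OpenSSL::Digest.new("SHA256"), package_bytes)
end

# Verify with the public key taken from the certificate, as an installer
# running with a trust policy would. Returns false on any tampering.
def verify_package(cert, package_bytes, signature)
  cert.public_key.verify(OpenSSL::Digest.new("SHA256"), signature, package_bytes)
end

if __FILE__ == $PROGRAM_NAME
  puts "hardened gemspec is missing: #{missing_protections(hardened_spec).inspect}"
  key, cert = make_signer
  package = "constructed gem archive bytes"   # stands in for a built .gem
  sig = sign_package(key, package)
  puts "genuine package verifies:  #{verify_package(cert, package, sig)}"
  puts "tampered package verifies: #{verify_package(cert, package + "x", sig)}"
end
```

The lint is the part worth wiring into CI: a gemspec that lacks `rubygems_mfa_required` still leaves the gem exposed to a hijacked owner account even after the maintainer's own account has MFA, because any co-owner without MFA can push. The signature check is what an installer does under `gem install --trust-policy HighSecurity`; without a trust policy, a signed gem installs whether or not its signature verifies.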

In February, GitHub required the maintainers of the top 100 NPM packages to adopt MFA and has been expanding mandatory participation to other package maintainers while diversifying the kinds of second-factor devices usable for authentication. GitHub aims to have all users who contribute code avail themselves of MFA protection by the end of 2023.

That same month, GitHub parent company Microsoft began a push to add MFA support for package authors at NuGet, the .NET package registry.

The Python Package Index (PyPI) took an early lead in supporting MFA and API tokens for uploads back in January 2020. But these security measures have not yet been made mandatory, due to a lack of funding and support staff (needed to handle account recovery requests when people lock themselves out of their accounts).

PyPI plans to begin requiring API tokens for uploads on August 25, 2022, and work is underway to add more people so PyPI can be run more efficiently and more securely.

As RubyGems and other package registries roll out stronger account takeover defenses, expect miscreants to explore alternative attack strategies – like buying package registry accounts in order to subvert purchased code and creating malicious packages using names that are similar to established popular libraries to dupe the unwary. ®


Biting the hand that feeds IT © 1998–2022