As March turned into April, the cybersecurity community was abuzz with news that xz, an open-source data-compression utility, and its liblzma library had been hijacked to carry code that could open a backdoor into computers that installed and ran software built on it. You have probably never heard of liblzma or xz, and you probably do not spend much time thinking about compression utilities. But you may well have installed and used xz without knowing it. As with many obscure open-source packages, that is precisely the cybersecurity problem: xz gets incorporated into other software. The hidden malicious code in xz was not found because a team of security experts had been tasked with scrutinizing the software for malware. It was found by accident. The bad news is that detecting an attack of this kind before it is actually deployed and used is often a matter of luck.
Although little known, xz Utils is widely used across many computing platforms. There is nothing particularly remarkable about xz itself: it is one of many compression utilities that exploit statistical redundancy in data to make large files or data streams smaller. Compression tools can ship as standalone programs, but they are more often embedded in a larger software package that invisibly uses compression as part of its overall purpose. In this way the xz package has become part of many large software projects. The xz tool has been around for over 15 years with no known security flaws, and it has been deployed on many operating systems, including most Linux distributions and Microsoft Windows. On several Linux distributions xz also became an indirect dependency of OpenSSH, the widely used suite of tools for secure login between computers. Note that xz is not part of OpenSSH's core: those distributions patch the OpenSSH server to integrate with an internal Linux service (systemd notification), and the library providing that integration links against xz's liblzma, so liblzma ends up loaded into the SSH server process.
You might think that an open-source project on which so much depends, such as xz, would be maintained by a large team of developers with its code regularly reviewed by security experts. That was not the case. The xz utility was maintained by a single developer who was having health issues and had become slow to release updates because of them. In October 2021 a developer going by the name Jia Tan began contributing code to xz and later offered to take over maintenance of the project. In 2023 the reins were handed to Jia Tan, who began quietly introducing well-hidden malware into the xz code. A backdoored release was published in February 2024, and users of the code, including Linux distributions, selected it for inclusion in upcoming versions of their own software.
The xz backdoor was discovered by accident. In late March 2024 a Microsoft software engineer noticed that remote logins to his computer over OpenSSH were taking about 500 milliseconds longer than usual. Looking more closely, he found that the OpenSSH server on his Debian Linux machine was making unusual calls into xz's liblzma library. Analysis of the xz code revealed a carefully hidden backdoor that would let a remote attacker holding a specific key bypass SSH authentication and run commands on the machine without authorization. He immediately alerted the Debian security team, and Red Hat followed up by assigning the issue a CVE (Common Vulnerabilities and Exposures, the standard reference scheme for tracking security vulnerabilities), CVE-2024-3094, with the highest possible severity score of 10.
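Two checks a Linux administrator would have wanted at the time follow, as an added example that is not part of the original article or of the xz or OpenSSH projects: whether the installed xz is one of the two releases that carried the backdoor (5.6.0 and 5.6.1, the versions published by the xz project in February and March 2024), and whether the sshd binary on the host loads liblzma at all, which is the indirect linkage described above that made the backdoor reachable. Function names and the sample `xz --version` and `ldd` lines used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): check a Linux host for the two
# xz Utils releases that carried the backdoor (5.6.0 and 5.6.1) and for an
# sshd binary that links liblzma, the condition that made the backdoor
# reachable over the network.

# Returns 0 (true) when the given xz version string is a backdoored release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.4.5".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9.]*\).*/\1/p'
}

# Returns 0 (true) when the given `ldd` output shows liblzma being loaded.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live checks against this host; each prints a one-line verdict.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if is_backdoored_xz_version "$ver"; then
            echo "WARNING: xz $ver is a backdoored release"
        else
            echo "xz $ver is not one of the backdoored releases"
        fi
    else
        echo "xz is not installed"
    fi

    # sshd is usually not on a non-root PATH, so fall back to its usual path.
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_shows_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "$sshd_path links liblzma: backdoor reachable if xz is bad"
        else
            echo "$sshd_path does not link liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping linkage check"
    fi
}

check_host
```

Run the script as-is on a host to get both verdicts; a distribution that ships a patched sshd will show liblzma in the linkage even when the installed xz is a safe version, which is exactly the combination worth watching on the next upgrade.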
All signs point to the xz backdoor being a sophisticated, well-planned operation. "Jia Tan" (probably a pseudonym) appeared out of nowhere in 2021 and began submitting patches to the xz project on GitHub, all of them generally of high quality. Soon afterwards the original xz maintainer started receiving a steady stream of pressure from multiple accounts, likely operated by Jia Tan or associates, to hand over more of the project. The maintainer eventually relented in 2023, and Jia Tan began adding malicious code to the project. Jia Tan then asked a Red Hat engineer who maintains the package for that distribution to update to the new xz version because it had "great new features".
This model of open-source development is not uncommon, and it raises cybersecurity issues. In fact the scenario, often called the supply-chain problem, is so common that the xkcd webcomic has published a well-known illustration of it: a towering stack of modern digital infrastructure resting on one small component maintained by a single person. Operating systems and applications around the world routinely rely on open-source packages and libraries that are not always carefully vetted in advance. Open-source software is extremely useful, and often indispensable for large and highly complex projects such as operating systems: it lets vendors provide functionality to their users without additional time and cost, and it offers capabilities that would not otherwise be available. But there is very little regulatory or legal liability that would give technology companies, as consumers of open-source software, an incentive to bear the cost of not passing cybersecurity risk on to their customers as a kind of negative externality. The U.S. government is aware of the issue and, through the Cybersecurity and Infrastructure Security Agency (CISA), is promoting the Software Bill of Materials (SBOM) concept to better identify supply-chain risk from software dependencies. However, an SBOM requirement alone would have been unlikely to detect the xz backdoor: an SBOM records that xz is present and which version, not whether that version can be trusted. A solution to this problem has proved frustratingly elusive.
Relying on luck is not a sustainable cybersecurity strategy, especially given how much of the world depends on secure and reliable software. A sophisticated, malicious effort such as the xz backdoor might never have been discovered had a Microsoft engineer not been curious about a 500 ms delay in login time. We currently depend far too much on luck when it comes to software security. What happens when open-source projects let AI-based tools write parts of their code bases? When already complex systems start moving even faster, disaster follows. At the very least we need to seriously consider a regulatory regime that appropriately shares risk and responsibility.