Alerting a financial services firm to existential security threats and enabling fast, effective remediation

May 19, 2022May 19, 2022 viviandufourBeatOpenSourceVulns, cybersecurity, opensource, riskLeave a comment

Location: UK
Industry: Financial Services
Customers: Fortune 500 clients around the world

Skyward view from the ground and 4-6 tall buildings pointing up — Credit: Samson-ZGjBuikp_ from Unsplash

A Race Against Malicious Actors

The breaking news in December 2021 of the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves through organisations around the world. Over the last 20 years Log4j has been used globally in billions of software developments and applications for logging incidents. This meant that until the vulnerability could be mitigated, the doors were open to millions of organisations. Attackers could break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage. The issue was also a major threat to corporate reputations, especially where trust and confidentiality was key, such as in the financial services sector.

In the early hours an alert notification about the Log4j critical vulnerability reached one major financial services organisation based in the UK, with Fortune 500 clients around the world. On hearing the news, the Director of DevOps and Engineering cross-checked other sources for corroboration, including social media, and contacted the organisation’s Lead Technical Security Officer. It was clear that, unchecked, this could be a major problem, but how big an issue would depend on how widely Log4j 2 was embedded into systems used and being developed throughout the corporation.

Often in the race to innovate and implement systems quickly, documentation may not be as comprehensively kept and updated as ideally required. In its absence, it can be difficult for an organisation to discover how widely Log4j is integrated within its application estate, let alone know if it has been previously patched.

The race was on against the malicious actors poised to automate exploitation of Log4J vulnerabilities, with major impacts for the corporation and potentially for millions of customers around the world.

Mobilising the IT & Security Workforce with Meterian

The organisation moved rapidly by using Meterian’s out-of-the-box reports to enable it to identify where Log4J vulnerabilities were to be found across its application estate, and hence the size of the potential problem. Only then could it be possible to build a remediation plan to mitigate the risks of all the Log4J vulnerabilities.

By 10am, the list of projects utilising the Meterian solution could be seen via the Meterian Dashboard and automated scanning initiated. Scanning the software bills of materials of the affected projects, an indication of the potential impact of Log4J was emerging which could give direction and scope on the follow-up actions. Other projects which had not yet begun to use Meterian as part of their regular processes, found that Meterian’s simplicity of use meant that they could also quickly scan their projects for vulnerabilities.

Working methodically and forensically with the organisation’s development teams across multiple locations, by 5pm it was possible to present to senior management a concise summary of the situation, showing areas of the business at risk; those projects which had already been remediated; and those still needing work. A comprehensive communication plan was then invoked to alert the business to remaining vulnerabilities.

The following Meterian tools were used:

Meterian Sentinel notification alerts: an always-on security messaging service which sends notification alerts, emails, or Slack IMs to account administrators about new public vulnerabilities found in open source components used by their projects.
Meterian Boost Open Source Security (BOSS) Scanner: which gives instant visibility to the application’s open source dependencies with automated discovery, risk scoring, continuous scanning, and actionable security insights.
Meterian Account Dashboard: insight reports show dependent components and related Critical/High/Medium/Low vulnerabilities within the remit of a particular account.

The Meterian toolset alerts key employees to security issues and vulnerabilities; the breadth of the issue for the organisation’s application estate; and the projects impacted. The CISO is then armed with all the information needed to mobilise an effective action plan and comprehensive remediation.

Visibility and Control of Vulnerable Components

Log4J created great upheaval in IT teams across the industry, but for this business unit at this global Financial Services organisation, Meterian tools rapidly delivered a complete view of projects that were susceptible to attack. In comparison, other business units were not able to gather such insights so quickly because there was no single comprehensive reference point which was easy to access and use.

Meterian enabled a speedy time to resolution: 2 hours to implement remediation on projects identified using Meterian as having the Log4J vulnerability.

Meterian freed up employee time from finding the vulnerabilities, enabling them to focus on isolating the application estate from risk and implementing remediations. The Log4J threat demonstrated that critical incident prevention is possible with a more automated, secure-by-design approach. Additional or external staff were not required as existing employees could use smart tools on their application estate, and on a more regular basis to save time and remove headaches.

Through using Meterian the organisation benefits from:

Prompt alerts and early warnings of vulnerabilities in the open source software supply chain
Enhanced protection against threats
Increased confidence in people and tools working together to protect from organisational risk
Decreased stress that vulnerabilities will cause major damage and reputational harm
Reduction in “known unknown” risks and number of security fires

Cultivating Cyber Resilience Consistently and Responsively

The organisation is using the effective response enabled by Meterian as a case study to demonstrate that regulatory and compliance requirements can be met with easy-to-use continuous scanning tools that provide immediate visibility and quicken the development of secure code.

The proven partnership with Meterian will extend and facilitate their further innovation in automation, analytics and cyberresilience, through even more responsive and secure development.

Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.

Spotify vs Hacker, Round 2: Room for Improvement

February 4, 2021February 9, 2021 Elizabeth Laffoycybersecurity, Data Protection, entertainment, privacyLeave a comment

5 minute read

We can all admit that as dreary as 2020 has been, it has at least been consistent in its dreariness. One organisation that can definitely vouch for this is music streaming giant Spotify. In true 2020 style, Spotify wrapped up the end of the year with a data breach on November 12th¹ in which customers’ private account details were exposed.

Photo by cottonbro on Pexels.com

Now, we may wonder why a hacker would be interested in Spotify accounts. Sadly, it’s not because they want to steal music inspiration from us. The details of targeted private accounts include customer display names, passwords, genders and D.O.B.’s which were leaked to various Spotify business partners. Speaking of business partners, we must also note that a Spotify breach does not solely expose Spotify users but may also put customers on connected devices or platforms at risk. The interconnectedness of our information sharing means that a problem for Spotify could be a problem for us all. This information is harvested by malicious actors to perform credential stuffing attacks, in which stolen passwords are used to uncover more stolen passwords for other sites and applications.

Meterian web scanner scan of www.Spotify.com, showing a security score of 0, a stability score of 99, and a licensing score of 72

Moreover, this would not be the last experience Spotify had of data breaches in 2020. A week later, a cyber criminal under the guise ‘Daniel’ infiltrated celebrity Spotify accounts including Dua Lipa and Lana Del Rey². Although in this case it was not customers PII that was exposed, it still casts a shadow on Spotify’s claim of prioritising “protecting privacy and maintaining user’s trust” as outlined in an official statement released on the 9th December 2020³.

Screenshot of twitter post of Lana Del Rey's twitter account hacked

Enter now: Meterian web scanner, which we’ve used to perform a quick surface scan of http://www.spotify.com to identify what security, stability and licensing risks of open source components are within the website’s codebase. Here we can see that Spotify currently has a security score of 0 out of 100, with 1 known vulnerable component – jquery 2.1.3 which has at least one high and several medium threats as confirmed by NVD⁴. Although we do not know for sure what the unlocked route of entry was in Spotify’s case, this open source entry may well have been it. Subsequently, there is nothing stopping cyber criminals from using this chink in the armour to perpetrate similar breaches in the future.

Although the vulnerability was discovered on November 12th, Spotify disclosed that it was present within the system from as far back as April. This means that more than 320 million user’s personal data was at risk for at least 7 months prior. Having carried out our own analysis in a matter of minutes, we immediately notice that the vulnerable component in use is actually more than three years out of date! We hope their web and mobile apps get greater scrutiny with regards to the maintenance of their open source dependencies. At Meterian we have developed a security platform that automatically identifies known vulnerabilities in software applications’ open source supply chain. To give our customers the best chance of resolving such issues, the platform can be easily integrated in software development teams’ DevOps process. The continuous nature of DevSecOps empowers development teams to be the first line of defence as they code applications.

Open source components have become fundamental components of applications that are relied upon for basic functionality and security. Since over 90% of applications consist of open source components nowadays, securing this part of a business’ IT and software has become an area that requires greater scrutiny in quality and maintenance.

Meterian helps ensure software applications’ open source supply chain is free from any known vulnerabilities that could compromise the application’s security and stability. Is it worth risking to damage the firm’s reputation and competitive edge in the market?

Curious to see what we can automatically report on your software applications? Detect known vulnerabilities in your open source software supply chain before your own applications become an Achilles heel. Get in touch and see how Meterian can make your company’s application security defence more robust.

¹Whittaker, Zack. “Spotify resets passwords after a security bug exposed users’ private account information.” Tech Crunch, 10 Dec 2020, https:// techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/

²“Dua Lipa and other Spotify artists’ pages hacked by Taylor Swift ‘fan’”. BBC News, 2 Dec 2020, https:// bbc.co.uk/news/technology-55158317.

³“Spotify Breach Notice Letter.” Spotify, 9 Dec 2020, https:// beta.documentcloud.org/documents/20422370-spotify-breach-notice-letter-californiadocx

⁴U.S. Department of Commerce. “National Vulnerability Database.” https:// nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3A%2Fa%3Ajquery%3Ajquery%3A2.1.3

Data Protection Day!

January 29, 2020January 30, 2020 Victoria C.awareness, cybersecurity, data, day, java, meterian, Node.js, personaldata, PHP, protection, python, rubyLeave a comment

Image of a screen if the label 'Security' and a cursor hovering on it. — https://www.pexels.com/photo/internet-screen-security-protection-60504/

Yesterday, 28th January was an important day… The Council of Europe celebrated this year the 14^th edition of Data Protection Day.

This practice was to raise awareness about good practices in this field, informing users about their rights and how to exercise them.

This date is aligned to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals in relation to automatic processing of personal data. For the past 30 years this has been a cornerstone of data protection, in Europe and around the world.

Why is Data Protection so important?

Data protection issues are very present throughout everyone’s lives. Not to mention in the work environment, in public relations, in the health sector, when buying goods and services, in travel or merely whilst using the internet.

However, not all people are informed on their rights. For this reason, the 28th January has been allocated to inform more users on their rights and so that data protection professionals address data subjects. It is important our digitally advanced society understands what personal data is collected from them and why, as well as what their rights are when their data is processed. This in turn, will help users be aware of the risks which comes with illegal mishandling and unfair processing of personal data.

Meterian can help!

Here are a list of our blogs which can help users be more cyber resilient and diligent when it comes to managing sensitive data.

Read also our past blog posts about vulnerabilities in:

to make sure your apps are not susceptible to such exploits that would risk data confidentiality.

Read up on more Node.Js Vulnerabilities!

January 22, 2020January 22, 2020 Victoria C.BeatOpenSourceVulns, cybersecurity, hack, Node.js, report, risk, vulnerabilityLeave a comment

It’s that time of the week again folks. Meterian has two new Node.Js vulnerabilities to inform you on. Both are ranked a severity score of 7.5 and therefore considered to be of urgent attention. The first vulnerability concerns the bson-objectid package and the second the csv-parse module. Act fast and don’t let these vulnerabilities sit within your software/networks, or you could be at serious risk of a cyber attack.

CVE-2019-19729: There is an issue discovered in the bson-objectid package version 1.3.0 for Node.js. Hackers could generate a malformed objectid, resulting in objects in arbitrary forms to bypass formatting if they have a valid bsontype.

CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Read up Node.js users you’ll want to know about this vulnerability! This was discovered on the 12th December 2019 by user Xiaofen9 on Github who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to his user-input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can hackers do? The manipulation with an unknown input leads to a privilege escalation vulnerability and could lead to an impact on confidentiality, integrity, and availability.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains access to the privileges of another user account in a target system. This allows hackers to use these privileges to steal confidential data, run administrative demands or deploy malware.

What can you do to fix this? Unfortunately, at this time of writing there is still no remedy to this vulnerability. However, we recommend to cease using this component or switch to a full bson library like bson.

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes…we are not done yet. Here is another Node.js vulnerability for you all! This was discovered on the 14th of October and given a high score of 7.5 by NVD. The affected module is csv-parse which is a CSV module. This project is a parser which converts CSV text inputs into objects. It uses the Node.js stream.Transform API and provides a simple callback-based API. Released for the first time in 2010, it is very easy to use and helps the big community that uses it with large data sets.

The problem is that before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. A cast option is available in the module, it defines multiple functions to transform values based on their type. When such option is active and an integer cast is required, the corresponding __isInt() function uses a malformed regular expression that processes large inputs extremely slowly.

Why is Regular Expression Denial Service a backdoor for hackers? The attacker will insert in the file a malicious string which they know would take a very long time to evaluate. This means the attacker can make the user spend an excessive amount of time processing, resulting in the user’s executed commands to slow down or become unresponsive. Thus, the availability of the system degrades. To make things worse, the exploit can be easily and remotely executed depicting clearly why this vulnerability is classified as problematic.

An image of a coffee shop. A barista making coffee with a speech bubble saying '*making coffee slowly*' and a woman at the till looking impatient with a speech bubble saying "My coffee is taking forever".

The best thing to do to avoid getting caught out by such exploit, is to upgrade to version 4.4.6 and above.

That is it from us…for now! Make sure to spread the word on these critically-rated Node.js vulnerabilities in order to help protect your apps/the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free. See the risks immediately and know which components to remove or upgrade to secure your app.

New Python Vulnerabilities!

January 13, 2020January 14, 2020 Victoria C.BeatOpenSourceVulns, cybersecurity, python, risk, vulnerabilityLeave a comment

Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

CVE-2019-18874: through python-psutil versions 5.6.5 there are risks of double free consequences. Attackers could use this issue to cause psutil to crash, therefore a denial of service, and possibly execute arbitrary code.
CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed…Python has a vulnerability within the package python-psutil. This was discovered on the 11th November 2019 by Riccardo Schirone who noticed that the psutil incorrectly handled certain reference counting operations.

Python-psutil, is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling and limiting process resources and management of running processes. Psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting handling within for/while loops that convert system data into said Python objects. If an error occurred, the reference counter would be dropped twice. In this case, the computer system’s memory storage is mishandled. Essentially, a double free releases the same area of memory twice.

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash which could lead to a denial of service and potentially the execution of arbitrary code. This execution of arbitrary code will provide the attacker with the ability to execute any command of their choice in a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to set off and infect the users’ system.

Image of an area with signs saying 'Danger!!!Mines!!!' — https://flickr.com/photos/anzclusters/3404799066/

To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you on. This one is found within ReportLab up to 3.5.31 and it has allowed remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability was found on the 10th October 2019 and has been classified as critical. The issue is affecting the function toColor of the file colors.py.

An image displaying the lines of code which show where the vulnerability was found. — https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. So it is free, hence open-source and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, it is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand now why this vulnerability is critical and urgently needed to be fixed by users.

The issue with this vulnerability is that the manipulation of the input value to <span color=” can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely but it will impact a user’s confidentiality, integrity and availability. To make matters worse, it has been said that the price of this exploit be around USD $0-$5k since last stated on 16/10/19.

An image of 3 eggs, 2 white one brown. The first egg has a bubble which says in remarks to the brown egg 'Hey how'd you get in here?' and the brown egg has another bubble which says "Oh no they found me". This image represents the vulnerability discussed. — https://www.pexels.com/photo/eggs-in-tray-on-white-surface-1556707/

To remedy this vulnerability, please upgrade to version 3.5.32 or higher. This is different from the recommendation of NVD which suggests to upgrade to version 3.5.26 or higher. NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later. You can verify the code here.

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

A starting point

May 9, 2017May 9, 2017 bbossolaLeave a comment

The other significant point is that technology, like the evolution of the life-forms that spawned it, is inherently an accelerating process.

Ray Kurzweil, “The age of spiritual machines”

Anybody involved in writing code, from the lone hobbyist developer to Fortune 500 companies, cannot miss the acceleration we are going through in software technologies.

While twenty years ago web developers were facing just a few choices in determining their favourite software stack, nowadays we have to decide among thousands of possible combinations of development languages, frameworks and databases – just to mention a few areas. And this acceleration doesn’t just stop at tools; we face new challenges in making our code run in multiple environments (and in the cloud), challenges like coping with traffic generated by 3+ billions of internet users, and challenges in keeping our data safe from malicious attacks.

When looking at the landscape from this angle, it is surprising companies are still able to cope with this accelerating complexity and still produce software that works, and serve hundred of millions of users. However that’s no small task, especially for small and medium companies: keeping always up to date with the latest security advisories, with the latest bug fixes and new software updates takes a lot of effort.

At this point the perfect first blog post should pull the proverbial rabbit out of a hat, and announce we have a solution. More humbly, at Meterian we can say we are embarking on a path to make all that easier; to make a platform that works together with developers in analysing the code and finding ways to improve it, to prevent bugs and, most importantly, security issues. We call it continuous security.

Ship software without vulnerabilities.

Level up your confidence in open source dependencies

Menu

General