An introduction to the world of SBOMs

3 minute read

We are sure many of you have been hearing about SBOMs. Nowadays, software include some components with code written by your own developers, but 80-90% of the code is typically from third-party developers. How can you know who produced what and when it absolutely needs to be replaced? Since Meterian has been managing SBOMs for awhile, we’re happy to share our know-how so you can consider a comprehensive strategy to manage your open source software supply chain. 

Photo by Raymond Rasmusson on Unsplash

What is an SBOM?

SBOM is an acronym that means Software Bill Of Materials. The concept originates from the manufacturing industry, where a bill of materials lists dependent components in machinery. A SBOM lists all third-party components present in your application. A good SBOM also lists the licences used by each component and, when possible, the specific copyright attribution. An excellent SBOM can also provide further information, such as possible relationships between those components to better understand any supply chain risk. You may have encountered SBOMs in the past, known as “third party notice” documents created to manage legal requirements, such as the one in the image below. 

Altova Third Party Software License Notice

However, modern SBOMs are “machine-readable”.  They follow a strict specification that can be understood by a computer. 

What machine-readable formats are used to publish SBOMs?

The most commonly used formats to define a SBOM are:

  • CycloneDX, a lightweight open-source standard designed for use in application security context and supply chain component analysis. This originated from within the OWASP community.
  • SPDX, an open source format with origins in the Linux Foundation, slightly more complex, and recently approved as ISO/IEC standard in version 2.2.1 as ISO IEC 5962:2021.
  • SWID, another ISO/IEC industry standard used by various commercial software publishers.

All these formats support a variety of use cases, but the first two (CycloneDX and SPDX) are the most versatile. Due to SPDX’s complexity, we think CycloneDX has an edge at this time, but only time can tell which of these formats will be the winner. To learn more about these formats you can also read the official NTIA publication, which drills down into the matter.

Why are SBOMs important? And how are they useful?

As a consumer of software, the main reason why you want to have access to the SBOMs of the systems you are using is to manage risks. When a very commonly used software component becomes vulnerable: how do you know what you need to patch and which subsystems are at risk? This is exactly what happened with the recent Log4Shell debacle. The logging library called Log4j, was suddenly exploitable with a very simple and repeatable attack. How do you know where it is? Which one of the systems you are using is suddenly at risk?  With a correctly managed archive of SBOMs, getting this information reduces to a very simple lookup task. Without it, it can be a real nuisance —a time consuming information hunt that disrupts everyone’s work flow.

As a producer of software, instead, you want to preserve and maintain an archive of all the SBOMs of the system you produce so that you can create and distribute timely patches to your customers. Having a systematic and comprehensive analysis of your most commonly used software packages would be useful indeed. Some companies were very fast in releasing patches to their customers, while others were extremely slow, mostly because they did not have the information.  You probably want to be in the first group of companies 🙂

Governments are also mandating the need for use of SBOMs, realising that software security needs to be regulated.  The U.S. Executive Order 14028 that mandates all federal agencies to require SBOMs from their suppliers.  This not only impacts the companies that have direct sales to the US government but also their own software suppliers.  As so many systems and devices have been connecting to the Internet to send and receive information, consequently our digital world relies on a software supply chain.  This “ripple effect” will be significant for many industries. 

It’s important to consider how software products you produce can meet basic security requirements and how the associated software security information is produced and managed in your organisation.   Similar legislation has already been proposed in Europe since the publication of  “Guidelines for securing the IoT” by ENISA (hint: SBOMs are required) and the ETSI EN 303 645 global standard for consumer IoT security, which is based on the UK government’s Code of Practice.  See also the recently published Product Security and Telecommunications Infrastructure (PSTI) Bill and more to come from the UK government to improve the UK’s cyber resilience.

How should SBOMs be handled?

Very carefully :), because an SBOM contains the full list of the “ingredients” of your system or application. While open-source projects happily share this information to the world, the same does not apply to private companies. In fact, a malicious actor that gets hold of the SBOM of your system can then check if you are using any vulnerable components. There are public vulnerability databases, such as the NVD, which are very popular. Someone can simply browse in there and compose a list of possible attacks, try them, and maybe get lucky.  Probably 9 out of 10 vulnerabilities affecting components in your system won’t be exploitable, but having the ability to go through the whole list, certainly makes the task of finding an exploit much easier. 

There’s no need to keep SBOMs a complete secret, however, as long as a few simple principles are kept in check:

  • SBOMs need to be shared securely,
  • they need to be accessed only by the authorised parties, across organisational boundaries, and
  • they should not be tampered with.

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  

Why bother with SBOMs now?

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  In our hyper connected world, comprehensive coverage of components is important for preventative strategies and threat detection in supply chain attacks.  Therefore, implementing SBOM management proactively now will be worth something to your organisation when the next critical vulnerability appears and stand your organisation in good stead. All good collections are worth organising. How valuable is your collection of software?

Photo by Susan Q Yin on Unsplash
An introduction to the world of SBOMs

Is it a good idea to have vulnerable opensource components in my application?

This may seem to be a trivial question or something more like a joke. Why would one keep a vulnerable component in his tech stack? That said, from time to time, we meet people who simply answer “well, this is not an issue”.

Surprisingly, some are part of the technology leadership, or even the security chapter. Often their answer is usually along the lines of: “Well, you should know there’s a difference between vulnerable and exploitable: the fact that a component is vulnerable does not automatically mean that it’s possible to exploit it”.

There’s a difference between vulnerable and exploitable…”

Yes, that is perfectly correct. We know it, as we do our own analysis as part of our routine.

Do you know what the problem is? You are probably not involved in the project and you are not a developer. I can bet that you are not continuously monitoring and assessing the code that your developers are daily pushing. Are you? Because at the speed innovation is going these days, there’s no guarantee that even tomorrow one of your developers will push a line of code that will enable the exploit. Yes, these exploits may be quite complex but also may be very easy to enable. It’s possible that an application including a vulnerable component is not exploitable today, but what about tomorrow? Your software is changing continuously.

“…but developers push new code daily, software is changing continuously.”

Do you know why Struts in Equifax was hacked? Because of a log message. A simple log message that echoes the content of a header, only that such content contained OGNL code, crafted by an attacker.

Do you know how jackson-databind remote code execution can be exploited? It’s just one configuration property away: enable polymorphic JSON deserialization and you are on.An apparently innocuous JSON message can feed now code to your server to be remotely executed.

So, in your position, I would not sit too complacent on the fact that you have vulnerable components that today cannot be exploited because of the current application code. That code changes continuously, daily, and unless you have in place an incredibly strict validation process, you are at risk, and you are putting your customers at risk. I do not believe such risk is acceptable.

“Most of the times the fix is just one patch away.”

Furthermore, most of the time fixes are just a patch away. We are not talking about a four-week refactoring session, but probably more like a one minute change and a run of the normal test regression suites, And if you had a system in place to continuously check your components against known vulnerabilities, you would have caught such an issue and patched it a while ago.

This is not a commercial plug for Meterian. Yes. this is our bread and butter, and we think we provide tons of value for the money. But some of our competitors do that as well. Maybe you are already using one of them in your company, and that’s great. Plug that in and set your customers free from this risk.

Nobody likes to be hacked.

Is it a good idea to have vulnerable opensource components in my application?

The new social network from Trump may violate the AGPL license.

It looks that everybody can misread a license, even a former President of the United States. The Software Freedom Conservancy (SFC) concluded that Trump’s new social network, “Truth Social”, violates the terms of the AGPL license. It looks like the code of the system is simply a copy of Mastodon, an existing open-source social network licensed under the AGPLv3 license. That license is a (very infectious) copyleft license, it specifically states that every user is entitled to receive the complete source code of the system. “Truth Social” is not compliant on this aspect, and also violates the license calling their software “proprietary”.

“…an entire open-source platform was just copied with no regard to the license…”

This is a very common mistake: nowadays software is built by hundreds of open-source components and license compliance is a very complex task, you can read an explanation in this article. However, in this instance and based on the SFC analysis, an entire open-source licensed platform was just copied and reused, with no regard to the license.

So what are the options for Truth Social at this time? I believe they can: 

  • release the derived system under a compatible open-source license, most possibly the AGPLv3 itself, and make their code publicly available
  • obtain a license for commercial use from the Mastodon contributors, but I doubt this will be possible, also given Mastodon view on Gab, another right-wing social
  • rewrite everything from scratch and relaunch

Of course, they may also fight this in court, but having seen some of the evidence from Mastodon, I doubt this is going to be a successful choice. It will be interesting to follow how this will evolve.

*** UPDATE ***

The Gab team, threatened by legal action, decided to release the source code publicly!
https://uk.pcmag.com/social-media/137421/trumps-social-media-site-quietly-admits-its-based-on-mastodon

The new social network from Trump may violate the AGPL license.

Update to terms and privacy policy

We have updated our terms and conditions and privacy policy as our business grows to serve more customers across the software industry in financial, cybersecurity, e-commerce, health, IT and telecommunications sectors.  We look forward to welcoming more customers who want to secure their open source software supply chain as part of secure app development. Software developers, security officers, quality assurance and legal compliance professionals can benefit from easy to read reports to streamline their decision making processes.

Get in touch to book a demo! 

Update to terms and privacy policy

Making the most of Christmas, Part 2

11 min read

In the second of our three part blog series as we lead up to Christmas, the Meterian Team shares with you shortcuts to make the most out of what you already have.  

A library, component, piece of code is reusable when it can be re-used in different parts of the same or different project with minimal to no need of code modifications. 

Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management. This is a critical part of modern software development since nearly 100% of codebases are made up of open source components. These dependencies can be directly used by your application or indirectly used through transitive relationships. You can imagine the number of connected components if your software codebase has hundreds of modules.

Many vulnerabilities remain, leaving software applications unsecured

In our analysis of 1310 website applications,  the most popular component with a security vulnerability was jQuery.  Out of 332 javascript components used across all the web apps,  81% of the components had a security vulnerability.  All of these vulnerabilities could be easily removed by simply upgrading to jQuery 3.5.1.  It’s great that software is reusable, but beware of the invisible stakeholder who preys on out-of-date components’ security holes.  Like fresh food, software components also have a “best before” date.  To get the most out of them before they go bad and become easy pickings for malicious bot-scripts of hackers, keep your code’s dependencies up to date. This is best done programmatically rather than manually.

Neither software development nor cybersecurity teams can keep up with all the changes and fixes required to keep the code performant and secure. Therefore, knowing how to leverage the right tools to detect and patch in a timely manner can make a difference in preventing a cyber breach spoiling a company’s business and reputation. In a Ponemon study last year:

  • 60% of respondents said their organisations suffered a breach due to an unpatched known vulnerability where the patch was not applied
  • 62% were unaware that their organisations were vulnerable prior to the data breach
  • 52% of respondents said their organisations were at disadvantage in responding to vulnerabilities because they use manual processes

Earlier this year another Ponemon report highlighted the need for a programmatic approach to managing vulnerabilities as unpatched known vulnerabilities remain a significant risk: “Over six months, an average of 28% of vulnerabilities remain unmitigated, and organizations have a backlog of 57,555 identified vulnerabilities.” Remember, even just one vulnerability exploited could lead to a cyber breach. Furthermore, 60% of open source programs audited had a vulnerability that’s already been patched.

For this blog, we present the top 3 most popular components found from our survey of 1310 web applications past their “best before” date. Below are recommended substitutions for an alternative or updated component that is vulnerability free so you can #BoostOpenSourceSecurity in your software applications:

  • jQuery 1.12.4  -> Please update to jQuery 3.5.1
 1 high level threat:  Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. 
 Recommendation: Update to version 3.0.0 or later. 
  • handlebars.js 4.0.11 ->  Update handlebars module to version >=4.6.0
 1 high level threat: Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
 1 medium level threat: Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.. Recommendation: Upgrade to version 4.4.5 or later. 
  • Twitter-bootstrap 3.x.x (3.3.7)  -> update to the next safe version 3.4.1
 1 high level threat: XSS in data-template, data-content and data-title properties of tooltip/popover
 1 medium level threat: In Bootstrap before 3.4.0,  XSS  (cross site scripting) is possible in the affix configuration target property. 

Remains of the day

At the end of the day, updating your application’s dependencies is easy if you know what to look out for, when to apply the update, and have an automated workflow to help you do this consistently and at scale.  Finding the right combination of open source components to help speed and secure your development is one example of how “Necessity is the mother of invention.” Meterian speeds up the task of keeping your open source dependencies up to date easily and continuously so developers can focus on the main course of innovating securely.

In the spirit of giving this Christmas and to fuel the creative cooks out there (perhaps you or that important person in your life who always makes sure a delicious meal is ready for you at dinner time!), here’s how to use leftover Christmas veg to make two speedy suppers:

Linguine with with cavolo nero and bacon

Serves: 4
Prep time: 10 minutes
Cooking time: 20 minutes

Ingredients
400g linguine
olive oil
6 slices smoked streaky bacon, cut into 1cm or bite size pieces
1 tbsp olive oil
2 shallots, finely chopped
2 garlic cloves, crushed
300g cavolo nero, hard stalks removed, and roughly chopped (shortcut: blitz the shallots, garlic and cavolo nero leaves in food processor until finely chopped)
75ml double cream (optional)
2 egg yolks
¼ nutmeg, freshly grated
50g parmesan cheese, finely grated
salt & freshly ground black pepper 

Tip: No cavolo nero?  Don’t get stuck in a rut.  Try any slightly bitter green veg, such as brussels sprouts, broccoli, broccolini, gai lan, or rapini.  All lend a lovely nutty flavour balanced with the delightful pungence of parmesan cheese and black pepper.

 Instructions
 Cook the linguine in a pan of boiling, salted water following the pack instructions. Meanwhile, heat some olive oil in a large frying pan, and cook the bacon for a couple of minutes. Add the shallots and garlic cloves, and finely chopped cavolo nero to stir-fry with the bacon.  After 3-4 minutes,  take off the heat.
Mix the cream and egg yolks with with the nutmeg, ⅔ of the cheese and some black pepper.
Put the bacon and veg stir fry back on the heat, add a little of the pasta cooking water and simmer down to 2 tbsp.
Drain the cooked pasta, and add the pasta to the pan with the cavolo nero-bacon and cream mixture. Next add the remaining grated parmesan cheese, and season with more salt and pepper to taste. 
Cod, Chorizo and Potato Stew

Serves: 4
Preparation time:10 minutes
Cooking time:30 minutes

Ingredients
110g chorizo, cut into 2cm slices
1 onion, sliced
1 garlic clove, crushed
4 potatoes
1 can of chopped tomatoes (220-250g)
500ml fish stock
600g frozen cod fillets, defrosted and cut into 3 - 4cm chunks
20g flat leaf parsley, chopped

Instructions
1. Heat a large pan over a medium heat and cook the chorizo for 2 - 3 minutes, then remove from the pan and set aside. Drain all but 1 tbsp of fat from the pan and use to cook the onion and garlic over a medium heat for 6 - 8 minutes until soft. Peel potatoes and cut into 3cm chunks.  Put the potatoes in the pan with the chorizo and cook for 3 minutes.
2. Add the tomatoes and fish stock, bring to the boil and simmer for 10 - 12 minutes until the potatoes are tender. Stir in the cooked chorizo. You can freeze the stew at this stage, letting it cool to room temperature first.
3. If cooking from frozen, defrost the stew overnight in the fridge or in a microwave, then reheat. Add the cod to the stew and simmer for 4 - 5 minutes until just cooked. Season and serve immediately, scattered with parsley.

“The evening’s the best part of the day. You’ve done your day’s work. Now you can put your feet up and enjoy it.”

Kazuo Ishiguro, The Remains of the Day

The tools that boost your efficiency when your coding project has a handful developers may need to be very different from the software that keeps your project humming when you have 1,000 or more. We’ve designed Meterian to evolve with your application security tech stack as your software engineering and digital transformation needs evolve. If your open source dependency management system is not humming smoothly with your software development life cycle, or your open source components are decaying and reducing their life time value for the organisation, consider reusing and securing your software components with Meterian. Get in touch today.

Making the most of Christmas, Part 2

Making the Most of Christmas

Recipes, ingredients and ideas to make your fuel (food and software!) go further.

In this three part blog series as we lead up to Christmas, the Meterian Team will share with you their work and christmas holiday hacks of life.  First and foremost, let’s get our coding projects secured so we can have some peace of mind over the holidays.

Five things to do this December and then forgeddaboutit until 2021

1. Sign up to Meterian free trial (5 mins)

2. Run your Security, Stability, Licence check and get to know your components (20 mins)

3. Triage: Automatically fix out of date components, set exclusions or identify issues to discuss a mitigation plan. (30 mins)

4. Schedule your action plan (20mins)

5. Automate it to run continuously with your favourite CI, GitHub Action, or BitBucket Pipe so your software dependencies are checked without you needing to be interrupted during any of your Christmas socials. 

This last step will require you to put in some time and effort.  Our customers have done this in minutes to several hours over 2 days.  The best part is that once it’s done and you’ve got it running automatically, you can just leave it running and put your feet up.  Or perhaps run off and be there for someone else who needs you.  Boost your apps’ open source security — Enjoy!

Making the Most of Christmas

Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces

Last updated: 07/07/2021

As the extraordinary situation of the COVID-19 crisis continues and more such supervirus incidents will occur, the benefits that IoT can provide will be even in more demand.  We are already seeing how IoT plays a significant role in modernising healthcare and disaster prevention, public safety and security, supply chain, and manufacturing and production.  

The Good We’ve Seen

In Hong Kong, the government has deployed smart wristbands to monitor city residents1 quarantined inside their homes.  Accelerating the timely discovery of outbreaks, these smart medical devices, powered with internet of things (IoT) technology, play an important role in containment of outbreaks like COVID-19 and prevent future pandemics.

Prior to COVID-19 pandemic, Japan was preparing for Tokyo 20202, the smartest Olympics ever with self-driving cabs to transport guests between sports venues, robotic guides, immersive virtual reality and crowd control directed by artificial intelligence.  Getting ready to welcome 11,000 athletes with 4 to 7 million on-site spectators from Japan and all over the world, this would have been a wonderful showcase of IoT tech and applications from a country that is already a technological leader in robotics and consumer electronics.  Unfortunately, the event is postponed 12 months, though the Olympic Committee resolves to have the games, it’s not clear how much of IoT tech applications will be used.

As public venues have been opening up in the past several weeks, there is a serious challenge of getting business going and the health and safety of people using the same facilities.  How can public toilets be kept safe and clean for everyone to use?  A common need at medical centres, restaurants, shopping malls, and any city where visitors would rely on public toilets. One new IoT company on the scene, Inferrix, has a solution for the “COVID Secure Washroom”, as described on their website: Inferrix wireless edge-intelligent sensors on the washroom doors show a red light to alert visitors if the washroom is unsafe to use. Any washroom can be installed in less than 1 hour.  We can easily imagine its application to be useful in office spaces near shared kitchen areas or study areas of public or university libraries as well.

When we reflect on the role that IoT played over the course of the pandemic, there are more notable instances. For example, telehealth consultations meant that there was a reduced risk of transmission that would otherwise have been prevalent with face to face consultations. Secondly, robot assistance is used to disinfect contaminated areas and objects, both protecting health carers and giving health carers more time to care for their patients. China was the first country to use Danish made UVD robots using IoT and help to disinfect treatment areas in nursing homes and clean patient rooms.

The Not So Good

In a 2019 study of security of IoT devices3, data revealed that more than twice the number of vulnerabilities were detected compared to six years earlier.  As covered in in our last blog post, cyber attacks from IoT risks have surged 300% and the UK and US are catching up on regulations to ensure companies safeguard devices. In March 2020 researchers found4 that more than half of all internet of things (IoT) devices are vulnerable to medium- or high-severity attacks, with 98% of all IoT device traffic being unencrypted.

As we’ve seen during the COVID-19 crisis, even when everyone else was rallying together, cyber criminals targeted vulnerable organizations in the health sector: data-stealing ransomware on US pharma company5 and Europe’s largest private hospital6, Czech republic hospital’s computer systems were attacked when their focus was on running coronavirus tests, and in the UK two construction companies building emergency hospitals were hacked7.

Such attacks can become more sophisticated and more dangerous to individuals using new health technology apps and devices used to provide medication or daily survival needs.

Bringing Tech Out for Good

Connected devices are available using cellular connectivity which are allowing doctors to rely on patients to use connected out-of-the-box devices for special readings to be sent directly to the doctor from the device (temperature, blood pressure, glucose meters).   Such technology is not limited to medical practitioners and is already available for anyone.  A user created a smart system to monitor his diabetic brother’s blood sugar8 (glucose) levels using an app, a data logging platform that processed data from his brother’s glucose sensor to make his own healthcare monitoring system.

Similarly, Australia saw its first ‘virtual hospital’9 open shortly before the COVID-19 pandemic hit through Royal Prince Alfred Hospital (RPA) in Sydney. Data from pulse oximeters used to measure oxygen saturation levels and heart rates along with armpit patches to track temperature were transmitted to the hospital. In addition, video-consultations allow coronavirus patients to receive the care they need without the risk of transmission. 

Recently, we have seen evidence of health providers recognise the risks surrounding IoT devices and the need to incorporate security standards to protect against malicious hackers. For example, University Hospitals of North Midlands NHS Trust has opted to trust Ordr with providing a systems control engine (SCE)10 which will locate and secure every connected device. This includes Internet of Medical Things (IoMT), Internet of Things (IoT) and Operational Technologies (OT) devices.

Security, safety, and data privacy considerations are important aspects of designing, building and maintaining such systems to protect the identity and well-being of the individual.  We’d hate to think about incidents where devices give wrong information due to a malicious actor – getting the wrong medication, dosage, or advice could have serious, even lethal consequences.  Having IoT devices and apps to create a safer world requires more scrutiny and protective measures designed as part of the solution.  As many of these solutions will be designed for one person’s use, customised to their medical needs or specific daily routines, it’s essential they are maintained, updated, and when no longer maintainable that they are properly turned off and disposed of.

Check out IoT For All Podcast with Christopher Schouten of Kudelski Group11.  He talks about necessary considerations to secure IoT projects, making sure they can scale as well as be practical in protecting what is valuable. 

Although the transformational journey to an IoT world seems daunting, the capabilities of IoT to bring high-tech care and consultancy out of the clinic and into homes and vulnerable communities across the world presents a thrilling opportunity.  Health care and IT experts, technicians, research scientists and security experts are collaborating, as are carers, policy makers and administrators.  Altogether, the confluence of tech and human intelligence will continue to evolve and strive to protect all that is worth protecting.  COVID-19 and cybercrime are making seismic shifts in worldwide health and safety, threatening our prosperity. Let’s defend the world, use technology for good and build the world we want.

If you are a developer or have a software development team using open source components, learn how  Meterian automates monitoring of software applications for open source risks and vulnerabilities.  Read about Meterian-X: Invisible Security for your Open Source Security Management in IoT systems and devices.

1 Doffman, Zak. “Coronavirus Police Surveillance Tags Are Now Here: Hong Kong First To Deploy.” Forbes, 17 March 2020, https: //www.forbes.com/sites/zakdoffman/2020/03/17/alarming-coronavirus-surveillance-bracelets-now-in-peoples-homes-heres-what-they-do/?sh=227b12984533

2 Hallet, Rebecca. “Tokyo on track for smartest Olympics ever”. Raconteur, 20 February 2020, https ://www.raconteur.net/technology/internet-of-things/iot-tokyo-2020/

3 Coble, Sarah. “Vulnerabilities in IoT Devices Have Doubled Since 2013”. Info Security, 17 September 2019, https ://www.infosecurity-magazine.com/news/vulnerabilities-in-iot-devices/.

4 O’Donnell, Lindsey. “More Than Half of IoT Devices Vulnerable to Severe Attacks”. threat post, 11 March 2020, https:// threatpost.com/ half-iot-devices-vulnerable-severe-attacks/153609/.

5 Whittaker, Zack. “Hackers publish ExecuPharm internal data after ransomware”. Tech Crunch, 27 April 2020, https: //techcrunch.com/2020/04/27/execupharm-clop-ransomware/.

6“Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware”. KrebsonSecurity, 6 May 2020, https: //krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/.

7 “Coronavirus: Cyber-attacks hit hospital construction companies” BBC News, 13 May 2020, https: //www.bbc.co.uk/news/technology-52646808.

8 Anx, Quintessant. “Healthcare IoT: Monitoring Diabetes with Logz.io” Logz.io, 11 December 2018, https: //logz.io/blog/healthcare-iot-monitoring/.

9 Minion, Lynne. “‘Flattening the curve’ with virtual care in Australia'” Healthcare IT News, 30 June 2020,  https: //www.healthcareitnews.com/news/europe/flattening-curve-virtual-care-australia

10 Crouch, Hannah. “University Hospitals of North Midlands deploys Ordr cyber security solution”. digital health, 6 May 2021, https: //www.digitalhealth.net/2021/05/university-hospitals-of-north-midlands-ordr/

11 “Security Challenges in the IoT Landscape | Kudelski Group’s Christopher Schouten”. iot for all, 5 May 2020, https: //www.iotforall.com/podcasts/e064-iot-security-considerations.

Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces

Meterian Spotlight: A quick look at Honda’s open source software supply chain

Photo of front view of white honda car with headlights on at dusk
Photo by Douglas Bagg on Unsplash

Earlier this month, Honda announced it has suffered a cyber attack on its network.  It was affecting its operations around the world: their manufacturing plants have shut down, customer service work has been forced to stop, and their internal communication systems were affected.  Additionally, systems outside of Japan were affected due to a “virus” that spread through the network.  No further details on the root cause of the attack yet, but at Meterian we have done a quick surface scan of their websites honda.com and www.honda.co.uk.  Similar issues were found on both.  We’ll focus our blog post on Honda UK’s site.

From the summary report above, we see their website’s security scored 0 From the summary report above, we see their website’s security scored 0 out of 100 because it has 19 vulnerabilities, including jquery 1.4.2 which is vulnerable and outdated.  Honda.co.uk’s basic cybersecurity hygiene could be improved by making sure to not launch the website with vulnerable and old components — jquery 1.4.2 is from 2010.  Similar issues were found after analysing honda.com.

Although we don’t know if these two components’ weaknesses contributed to the hack of Honda’s systems, while investigations are private, we know every software application is part of a company’s digital estate.  Altogether, front end systems (like websites and mobile apps) and back end systems (like databases, servers, APIs that store or access a company’s customer data, intellectual property — the real business logic of the services) make up the digital estate.  Any security hole is a vulnerable entry point for cyber criminals to exploit and gain unauthorized access to information or systems to cause damage.  Last year in 2019, over 40GB of Honda’s data were breached, exposing details about internal systems and devices on their network. Cyber criminals have strategically targeted Honda again.  

There are many strategies to build up an organization’s cyber resilience, including cybersecurity cultural awareness among employees and operational and software development best practices.  Meterian helps customers reduce the time to detect, mitigate and resolve issues in applications’ software supply chain. These known vulnerabilities are easy to fix with Meterian because:

1. Safe coding practices can be easily adopted into the software development lifecycle  

2. Automated controls fit directly into the software development workflow for continuous monitoring

3. Meterian can be set up to run continuously and prevent such vulnerabilities from going live 

Most importantly, developers are empowered to recognise and address the issue early with information at their fingertips.  As stewards of software, they can automatically cyber-proof their apps with Meterian so the business can run continuously and avert giving unwanted prying eyes unauthorized access to systems and data.

To this day, Equifax’s mistake for not fixing a known security hole in its software application’s open source component still has consequences since the 2017 mega breach they suffered.  See TechRadar’s lackluster review of Equifax’s identity theft protection service, which they did not include in their article “Best identity theft protection for 2020.”   

Good practices in cybersecurity can help protect a company’s reputation and growth.  As we’ve also seen following the EasyJet hack incident revealed in May, business productivity and customer satisfaction can be adversely affected due to any cyber hack incident.  You can read our recent analysis on easyjet.com’s website.  

To see if your own public assets have open source vulnerabilities that anyone could find out about (and exploit to enter your systems), try our webscanner or project scanner.

Meterian Spotlight: A quick look at Honda’s open source software supply chain

Easyjet hacked, 9 million customer records compromised.

Easyjet today admitted it was hacked by a “highly sophisticated cyber-attack”. 9 million customer records were compromised, where email addresses and travel details had been stolen. Also 2,208 customers credit card details were stolen.

“Are we surprised? Honestly, we are not.”

Are we surprised? Honestly, we are not. A quick surface scan of the Easyjet website reveals that it is using at least two out of date and vulnerable components: jquery 1.11.2 and angularjs 1.4

jQuery is a popular package used to simplify manipulation of HTML via Javascript. Version 1.11.2 of the package was popular in 2014, when the Ebola pandemic started. Yes, the previous pandemic, not this one. Still, for some reason, somebody thought it was a good idea to keep using it in 2020. But hey, what if I like legacy? Well, there are a few problems related to such library version, but among all of them, I think the most relevant one is CVE-2015-9251. This vulnerability allows an attacker to cause the execution of arbitrary code using a cross-site scripting (XSS) attack.

Angularjs is another popular web framework used to simplify web development. Version 1.4 of this framework was mainstream in 2015, when we had a nuclear deal with Iran and Barack Obama was at the White House. Sweet. But even if we do really miss those times, you do not necessarily want to use such version of angular because of multiple XSS, DOS and security bypass issues that can easily exploited.

“We can see what’s on the frontend.
But what is the situation in the backend systems?”

Do we think that any of those two components can be the culprit of this hack? Well, we do not know. But remember: a system like the EasyJet.com is always composed of a frontend (the website itself) and a backend system, which contains the real business logic of the services (and usually your data).

So, if in the fronted we can see components outdated and vulnerable, what do we think the situation could be on the backend? Well, actually, we think it could be worse. As the frontend is usually easy to change and in fact changes frequently (think about new offers or new branding) the backend is usually a much more stable environment that changes less frequently. So it would be reasonable to expect a similar or worse situation on the backend code, with some outdated and vulnerable components. And this is scary.

You should always know and assess your
risks due to opensource components”

However, this is also something any development team should always actively look into. Making sure that your opensource components are up to date and not vulnerable is a fundamental step in the development process. Meterian can help you do that (actually, it can do that for you and your team). Check out our one minute video that explains how meterian works:

And if at this point you want to learn more, please take a look at these two articles:

Remember also that you can check your website yourself with our online web scanner, and Meterian has also a free plan that you can start using today. Why wait?

Stay safe. Stay connected. Stay endless.

Easyjet hacked, 9 million customer records compromised.

A recent Scala vulnerability emerges

Last month a new vulnerability was discovered that affects several versions of http4s, a prominent Scala HTTP library for client and server applications. The vulnerability is of a high severity nature hence it poses substantial risks.  Therefore be sure to read on and find out what these risks are and how to safely resolve them.

CVE-2020-5280

Vulnerability Score: 7.5

Platform: Scala

Component: http4s versions

  • 0.8.0 – 0.18.25
  • 0.19.0
  • 0.20.0 – 0.20.19
  • 0.21.0 – 0.21.1

Http4s allows Scala developers to create native client and server applications while favouring the pure functional side of the programming language.

In versions prior to 0.18.26, 0.20.20 and 0.21.2, the library has been found to be prone to local file inclusion (LFI) vulnerabilities caused by an erroneous URI normalization process that takes place when requests are performed. URI normalization is a very common process.  For example, browsers and web crawlers use it to modify and standardise URIs in order to determine whether two syntactically different ones are equivalent.

In vulnerable http4s versions, a malicious request could allow a potential attacker to gain access to resources on the server filesystem. This is known as a local file inclusion attack and it can lead to remote code execution (RCE) vulnerabilities.

File inclusions are part of every advanced server side scripting language on the web. In addition to keeping web application’s code tidy and maintainable, they are also used to parse files (e.g. configuration files) from the file system to be evaluated in the application’s code. Issues arise when these are not properly implemented, thus making the system vulnerable to exploits.

A typical exploit scenario could be the following. Assume you modularise your app so that required modules are defined in separate files, which are included and interpreted through a function that allows to specify the path to said modules. If the appropriate security checks are not present, the attacker could specify the path to sensitive files (e.g. the passwd file which stores passwords on Unix systems) or even worse, inject malicious code on the server and specify the path to successfully perform arbitrary remote code execution. A relatively trivial way to do so could be by abusing the web app’s upload functionality to upload an image containing this malicious code in its source.

How to fix this issue?

The recommended course is to upgrade:

  • v0.18.26 (compatible with the 0.18.x series)
  • v0.20.20 (compatible with the 0.20.x series)
  • v0.21.2 (compatible with the 0.21.x series)

If you can not perform an upgrade due to compatibility issues, it is advised to temporarily replace FileService.scala, ResourceService.scala and WebjarService.scala in your project with their non-vulnerable versions from the appropriate release series specified above.

As they say, prevention is better than cure. Don’t delay! Take remedial actions as specified above now. Integrate your system with Meterian to be informed when similar vulnerabilities arise and eliminate possible threats!

A recent Scala vulnerability emerges