As it’s a requirement that all open source projects are released under at least one open source license, they hold a great deal of influence in how said open source code is used and re-distributed by others. Whilst some licenses can be difficult to make head or tail of due to complicated non-developer language, there are some more relaxed licenses that take the opportunity to have some fun with their requirements. So, to save you doing it, we have assembled our top 5 all time quirky open source licenses to look out for:
The Beerware License
Written by Danish software developer Poul-Henning Kamp, this license states that if the user thinks the stuff they reuse is worth it they must buy the creator a beer in return. The license’s original notation can be found here. Kamp states his reasoning for the Beerware license is an act of defiance against ‘lawyers trying to interpret freedom’, believing that free open source code should remain free regardless of how much profit is made through its use. Since the requirement is optional, based on the contingency that the user believes the code is ‘worth it’, this license falls under the category of ‘CopyRight only’ licenses. If the requirement were mandatory, the license would be classed as ‘non-free’, and Kamp would most likely be drunk a lot of the time.
The Chicken Dance License
Otherwise known as the CDL, this license requires employees affiliated with organisations using the open source code to perform ‘The Chicken Dance’ for varying amounts of time, depending on how many units are distributed. The license was created by Andrew Harris with the goal of making “intellectual property far more entertaining to deal with”. Similarly to Kamp, Harries includes himself in wanting fewer lawyers in software – suggesting that the motive behind this wacky license holds strong roots in open source principles of open collaboration. The ‘Chicken Dance’ in question can be found here, but if you can’t master it don’t worry- the license states that moving in a chicken like manor is sufficient.
The Don’t Ask Me About It License
Perhaps the most simple of the licenses included in the blog, this license simply requests that users do not pester the creator with any issues they may be having with the file. The nod to lack of responsibility is admirable, there is something to be said for wanting to lead a quiet life post software development.
The Hot Potato License
This license states that ‘all rights are reserved by the last person to commit a change to this repository’. Thus, the rights are passed on from person to person infinitely- like a game of hot potato. However, to avoid anyone interrupting this game of hot potato, users are prohibited from making drastic changes to the repository that would do so. It’s a nice touch from the creator to give us all the opportunity to control the rights of such a well known open source license at least once in our life
The Do What The F*** You Want License
The Do What The F*** You Want License is a ‘very permissive’ license that can be taken as a direct stand against the principle of licencing software in general. Whilst playing by the rules of licencing, this license intends to be a free pass for distribution without any constraints. However, in the attempt of being so liberal, this license actually poses an issue for some major corporations. For example, Google finds the license too unclear to use confidently. As a result, they have banned the use of components under this license completely. However, if you like the look of this license don’t let Google scare you off, wtfpl.net offers guidance on how to make the most of it.
Whilst there is a funny side to open source licensing, failure to stay on top of your business’s license compliance management could be detrimental. A strong defence of these risks, as well as efficient software composition analysis tools will help manage the use of open source in your code base and avoid hefty fines and diminished customer relations. In this way, legal due diligence is an important step in agile development as it allows to ‘push forward’ and remediate any legal obstacles blocking a decision from being made. To read more about cyber due diligence, check out our past blog.
The right open source license is necessary to protect your intellectual property and an important factor in maintaining license compliance management. As well as this, open source licensing underpins the essence of open source values in facilitating open redistribution. The integration of license compliance management into your CI/CD pipeline is just another way of optimizing the efficiency of your software supply chain. The best license for you will be shaped by your reason for creating code and your goals for redistribution. Use our introductory guide to decide which is best for you. Licenses and legal terminology are that of a very different world than what developers are used to. Because of this, we have organised our guide into developer persona categories. Simply pick the Dev that aligns most closely with yourself to learn more.
Devs working within a community:
If you are collaborating with an existing community or project, the best option for you is to align with the community you are a part of by adopting the project’s existing license. This can be found under the ‘license’ or ‘copying’ file of a project. If this fails, simply contact the maintainers of your community for clarification. As the licensing decision has already been made for you, you can spend less time on legalities and more time on software innovation- lucky you.
Devs not looking to overcomplicate:
The MIT license is perfect for devs that want to keep things straightforward. It is relaxed in that redistribution requires little to no control criteria other than the continuation of copyright and licensing details. The material that falls under this license is able to be used for both commercial and private use, as long as a copy of the license and copyright notice is included in any instances of modification or distribution. However, when using this license you should be aware that limitation of liability is included. As well as this, there is no warranty provided with this license.
Devs that care about sharing improvements:
The GNU General Public License v3.0 allows you to copy, distribute and modify projects under the condition you note all modifications and dates of modification in the source files. All modifications made to GPL-license code must also be made available under the GPL with installation instructions for future devs. This license forbids users from sub-licensing, although it provides software that does have the right to run and distribute the code. Users should be aware that this license includes a limitation of liability, meaning that the owner cannot be charged for damages associated with code using this license.
We hope this quick read has shed some light on the world of license compliance management. Whilst it may be confusing at first, it is worth taking the time to pick the right license for you and your project to best publish your software and display your innovation. For more information on potential risks associated with license compliance, see our past blog: ‘How the wrong license can harm your business’.
We can all admit that as dreary as 2020 has been, it has at least been consistent in its dreariness. One organisation that can definitely vouch for this is music streaming giant Spotify. In true 2020 style, Spotify wrapped up the end of the year with a data breach on November 12th1 in which customers’ private account details were exposed.
Now, we may wonder why a hacker would be interested in Spotify accounts. Sadly, it’s not because they want to steal music inspiration from us. The details of targeted private accounts include customer display names, passwords, genders and D.O.B.’s which were leaked to various Spotify business partners. Speaking of business partners, we must also note that a Spotify breach does not solely expose Spotify users but may also put customers on connected devices or platforms at risk. The interconnectedness of our information sharing means that a problem for Spotify could be a problem for us all. This information is harvested by malicious actors to perform credential stuffing attacks, in which stolen passwords are used to uncover more stolen passwords for other sites and applications.
Moreover, this would not be the last experience Spotify had of data breaches in 2020. A week later, a cyber criminal under the guise ‘Daniel’ infiltrated celebrity Spotify accounts including Dua Lipa and Lana Del Rey2. Although in this case it was not customers PII that was exposed, it still casts a shadow on Spotify’s claim of prioritising “protecting privacy and maintaining user’s trust” as outlined in an official statement released on the 9th December 20203.
Enter now: Meterian web scanner, which we’ve used to perform a quick surface scan of http://www.spotify.com to identify what security, stability and licensing risks of open source components are within the website’s codebase. Here we can see that Spotify currently has a security score of 0 out of 100, with 1 known vulnerable component – jquery 2.1.3 which has at least one high and several medium threats as confirmed by NVD4. Although we do not know for sure what the unlocked route of entry was in Spotify’s case, this open source entry may well have been it. Subsequently, there is nothing stopping cyber criminals from using this chink in the armour to perpetrate similar breaches in the future.
Although the vulnerability was discovered on November 12th, Spotify disclosed that it was present within the system from as far back as April. This means that more than 320 million user’s personal data was at risk for at least 7 months prior. Having carried out our own analysis in a matter of minutes, we immediately notice that the vulnerable component in use is actually more than three years out of date! We hope their web and mobile apps get greater scrutiny with regards to the maintenance of their open source dependencies. At Meterian we have developed a security platform that automatically identifies known vulnerabilities in software applications’ open source supply chain. To give our customers the best chance of resolving such issues, the platform can be easily integrated in software development teams’ DevOps process. The continuous nature of DevSecOps empowers development teams to be the first line of defence as they code applications.
Open source components have become fundamental components of applications that are relied upon for basic functionality and security. Since over 90% of applications consist of open source components nowadays, securing this part of a business’ IT and software has become an area that requires greater scrutiny in quality and maintenance.
Meterian helps ensure software applications’ open source supply chain is free from any known vulnerabilities that could compromise the application’s security and stability. Is it worth risking to damage the firm’s reputation and competitive edge in the market?
Curious to see what we can automatically report on your software applications? Detect known vulnerabilities in your open source software supply chain before your own applications become an Achilles heel. Get in touch and see how Meterian can make your company’s application security defence more robust.
1 Whittaker, Zack. “Spotify resets passwords after a security bug exposed users’ private account information.” Tech Crunch, 10 Dec 2020, https:// techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/
2 “Dua Lipa and other Spotify artists’ pages hacked by Taylor Swift ‘fan’”. BBC News, 2 Dec 2020, https:// bbc.co.uk/news/technology-55158317.
In the second of our three part blog series as we lead up to Christmas, the Meterian Team shares with you shortcuts to make the most out of what you already have.
A library, component, piece of code is reusable when it can be re-used in different parts of the same or different project with minimal to no need of code modifications.
Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management. This is a critical part of modern software development since nearly 100% of codebases are made up of open source components. These dependencies can be directly used by your application or indirectly used through transitive relationships. You can imagine the number of connected components if your software codebase has hundreds of modules.
Many vulnerabilities remain, leaving software applications unsecured
Neither software development nor cybersecurity teams can keep up with all the changes and fixes required to keep the code performant and secure. Therefore, knowing how to leverage the right tools to detect and patch in a timely manner can make a difference in preventing a cyber breach spoiling a company’s business and reputation. In a Ponemon study last year:
60% of respondents said their organisations suffered a breach due to an unpatched known vulnerability where the patch was not applied
62% were unaware that their organisations were vulnerable prior to the data breach
52% of respondents said their organisations were at disadvantage in responding to vulnerabilities because they use manual processes
Earlier this year another Ponemon report highlighted the need for a programmatic approach to managing vulnerabilities as unpatched known vulnerabilities remain a significant risk: “Over six months, an average of 28% of vulnerabilities remain unmitigated, and organizations have a backlog of 57,555 identified vulnerabilities.” Remember, even just one vulnerability exploited could lead to a cyber breach. Furthermore, 60% of open source programs audited had a vulnerability that’s already been patched.
For this blog, we present the top 3 most popular components found from our survey of 1310 web applications past their “best before” date. Below are recommended substitutions for an alternative or updated component that is vulnerability free so you can #BoostOpenSourceSecurity in your software applications:
jQuery 1.12.4 -> Please update to jQuery 3.5.1
handlebars.js 4.0.11 -> Update handlebars module to version >=4.6.0
1 high level threat: Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.1 medium level threat: Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.. Recommendation: Upgrade to version 4.4.5 or later.
Twitter-bootstrap 3.x.x (3.3.7) -> update to the next safe version 3.4.1
1 high level threat:XSS in data-template, data-content and data-title properties of tooltip/popover1 medium level threat: In Bootstrap before 3.4.0, XSS (cross site scripting)is possible in the affix configuration target property.
Remains of the day
At the end of the day, updating your application’s dependencies is easy if you know what to look out for, when to apply the update, and have an automated workflow to help you do this consistently and at scale. Finding the right combination of open source components to help speed and secure your development is one example of how “Necessity is the mother of invention.” Meterian speeds up the task of keeping your open source dependencies up to date easily and continuously so developers can focus on the main course of innovating securely.
In the spirit of giving this Christmas and to fuel the creative cooks out there (perhaps you or that important person in your life who always makes sure a delicious meal is ready for you at dinner time!), here’s how to use leftover Christmas veg to make two speedy suppers:
Linguine with with cavolo nero and bacon
Prep time: 10 minutes
Cooking time: 20 minutes
6 slices smoked streaky bacon, cut into 1cm or bite size pieces
1 tbsp olive oil
2 shallots, finely chopped
2 garlic cloves, crushed
300g cavolo nero, hard stalks removed, and roughly chopped (shortcut: blitz the shallots, garlic and cavolo nero leaves in food processor until finely chopped)
75ml double cream (optional)
2 egg yolks
¼ nutmeg, freshly grated
50g parmesan cheese, finely grated
salt & freshly ground black pepper
Tip: No cavolo nero? Don’t get stuck in a rut. Try any slightly bitter green veg, such as brussels sprouts, broccoli, broccolini, gai lan, or rapini. All lend a lovely nutty flavour balanced with the delightful pungence of parmesan cheese and black pepper.
Cook the linguine in a pan of boiling, salted water following the pack instructions. Meanwhile, heat some olive oil in a large frying pan, and cook the bacon for a couple of minutes. Add the shallots and garlic cloves, and finely chopped cavolo nero to stir-fry with the bacon. After 3-4 minutes, take off the heat.
Mix the cream and egg yolks with with the nutmeg, ⅔ of the cheese and some black pepper.
Put the bacon and veg stir fry back on the heat, add a little of the pasta cooking water and simmer down to 2 tbsp.
Drain the cooked pasta, and add the pasta to the pan with the cavolo nero-bacon and cream mixture. Next add the remaining grated parmesan cheese, and season with more salt and pepper to taste.
Cod, Chorizo and Potato Stew
Preparation time:10 minutes
Cooking time:30 minutes
110g chorizo, cut into 2cm slices
1 onion, sliced
1 garlic clove, crushed
1 can of chopped tomatoes (220-250g)
500ml fish stock
600g frozen cod fillets, defrosted and cut into 3 - 4cm chunks
20g flat leaf parsley, chopped
1. Heat a large pan over a medium heat and cook the chorizo for 2 - 3 minutes, then remove from the pan and set aside. Drain all but 1 tbsp of fat from the pan and use to cook the onion and garlic over a medium heat for 6 - 8 minutes until soft. Peel potatoes and cut into 3cm chunks. Put the potatoes in the pan with the chorizo and cook for 3 minutes.
2. Add the tomatoes and fish stock, bring to the boil and simmer for 10 - 12 minutes until the potatoes are tender. Stir in the cooked chorizo. You can freeze the stew at this stage, letting it cool to room temperature first.
3. If cooking from frozen, defrost the stew overnight in the fridge or in a microwave, then reheat. Add the cod to the stew and simmer for 4 - 5 minutes until just cooked. Season and serve immediately, scattered with parsley.
“The evening’s the best part of the day. You’ve done your day’s work. Now you can put your feet up and enjoy it.”
― Kazuo Ishiguro, The Remains of the Day
The tools that boost your efficiency when your coding project has a handful developers may need to be very different from the software that keeps your project humming when you have 1,000 or more. We’ve designed Meterian to evolve with your application security tech stack as your software engineering and digital transformation needs evolve. If your open source dependency management system is not humming smoothly with your software development life cycle, or your open source components are decaying and reducing their life time value for the organisation, consider reusing and securing your software components with Meterian. Get in touch today.
Recipes, ingredients and ideas to make your fuel (food and software!) go further.
In this three part blog series as we lead up to Christmas, the Meterian Team will share with you their work and christmas holiday hacks of life. First and foremost, let’s get our coding projects secured so we can have some peace of mind over the holidays.
Five things to do this December and then forgeddaboutituntil 2021
This last step will require you to put in some time and effort. Our customers have done this in minutes to several hours over 2 days. The best part is that once it’s done and you’ve got it running automatically, you can just leave it running and put your feet up. Or perhaps run off and be there for someone else who needs you. Boost your apps’ open source security — Enjoy!
As the extraordinary situation of the COVID-19 crisis continues and more such supervirus incidents will occur, the benefits that IoT can provide will be even in more demand. We are already seeing how IoT plays a significant role in modernising healthcare and disaster prevention, public safety and security, supply chain, and manufacturing and production.
The Good We’ve Seen
In Hong Kong, the government has deployed smart wristbands to monitor city residents1 quarantined inside their homes. Accelerating the timely discovery of outbreaks, these smart medical devices, powered with internet of things (IoT) technology, play an important role in containment of outbreaks like COVID-19 and prevent future pandemics.
Prior to COVID-19 pandemic, Japan was preparing for Tokyo 20202, the smartest Olympics ever with self-driving cabs to transport guests between sports venues, robotic guides, immersive virtual reality and crowd control directed by artificial intelligence. Getting ready to welcome 11,000 athletes with 4 to 7 million on-site spectators from Japan and all over the world, this would have been a wonderful showcase of IoT tech and applications from a country that is already a technological leader in robotics and consumer electronics. Unfortunately, the event is postponed 12 months, though the Olympic Committee resolves to have the games, it’s not clear how much of IoT tech applications will be used.
As public venues have been opening up in the past several weeks, there is a serious challenge of getting business going and the health and safety of people using the same facilities. How can public toilets be kept safe and clean for everyone to use? A common need at medical centres, restaurants, shopping malls, and any city where visitors would rely on public toilets. One new IoT company on the scene, Inferrix, has a solution for the “COVID Secure Washroom”, as described on their website: Inferrix wireless edge-intelligent sensors on the washroom doors show a red light to alert visitors if the washroom is unsafe to use. Any washroom can be installed in less than 1 hour. We can easily imagine its application to be useful in office spaces near shared kitchen areas or study areas of public or university libraries as well.
When we reflect on the role that IoT played over the course of the pandemic, there are more notable instances. For example, telehealth consultations meant that there was a reduced risk of transmission that would otherwise have been prevalent with face to face consultations. Secondly, robot assistance is used to disinfect contaminated areas and objects, both protecting health carers and giving health carers more time to care for their patients. China was the first country to use Danish made UVD robots using IoT and help to disinfect treatment areas in nursing homes and clean patient rooms.
The Not So Good
In a 2019 study of security of IoT devices3, data revealed that more than twice the number of vulnerabilities were detected compared to six years earlier. As covered in in our last blog post, cyber attacks from IoT risks have surged 300% and the UK and US are catching up on regulations to ensure companies safeguard devices. In March 2020 researchers found4 that more than half of all internet of things (IoT) devices are vulnerable to medium- or high-severity attacks, with 98% of all IoT device traffic being unencrypted.
As we’ve seen during the COVID-19 crisis, even when everyone else was rallying together, cyber criminals targeted vulnerable organizations in the health sector: data-stealing ransomware on US pharma company5 and Europe’s largest private hospital6, Czech republic hospital’s computer systems were attacked when their focus was on running coronavirus tests, and in the UK two construction companies building emergency hospitals were hacked7.
Such attacks can become more sophisticated and more dangerous to individuals using new health technology apps and devices used to provide medication or daily survival needs.
Bringing Tech Out for Good
Connected devices are available using cellular connectivity which are allowing doctors to rely on patients to use connected out-of-the-box devices for special readings to be sent directly to the doctor from the device (temperature, blood pressure, glucose meters). Such technology is not limited to medical practitioners and is already available for anyone. A user created a smart system to monitor his diabetic brother’s blood sugar8 (glucose) levels using an app, a data logging platform that processed data from his brother’s glucose sensor to make his own healthcare monitoring system.
Similarly, Australia saw its first ‘virtual hospital’9 open shortly before the COVID-19 pandemic hit through Royal Prince Alfred Hospital (RPA) in Sydney. Data from pulse oximeters used to measure oxygen saturation levels and heart rates along with armpit patches to track temperature were transmitted to the hospital. In addition, video-consultations allow coronavirus patients to receive the care they need without the risk of transmission.
Recently, we have seen evidence of health providers recognise the risks surrounding IoT devices and the need to incorporate security standards to protect against malicious hackers. For example, University Hospitals of North Midlands NHS Trust has opted to trust Ordr with providing a systems control engine (SCE)10 which will locate and secure every connected device. This includes Internet of Medical Things (IoMT), Internet of Things (IoT) and Operational Technologies (OT) devices.
Security, safety, and data privacy considerations are important aspects of designing, building and maintaining such systems to protect the identity and well-being of the individual. We’d hate to think about incidents where devices give wrong information due to a malicious actor – getting the wrong medication, dosage, or advice could have serious, even lethal consequences. Having IoT devices and apps to create a safer world requires more scrutiny and protective measures designed as part of the solution. As many of these solutions will be designed for one person’s use, customised to their medical needs or specific daily routines, it’s essential they are maintained, updated, and when no longer maintainable that they are properly turned off and disposed of.
Check out IoT For All Podcast with Christopher Schouten of Kudelski Group11. He talks about necessary considerations to secure IoT projects, making sure they can scale as well as be practical in protecting what is valuable.
Although the transformational journey to an IoT world seems daunting, the capabilities of IoT to bring high-tech care and consultancy out of the clinic and into homes and vulnerable communities across the world presents a thrilling opportunity. Health care and IT experts, technicians, research scientists and security experts are collaborating, as are carers, policy makers and administrators. Altogether, the confluence of tech and human intelligence will continue to evolve and strive to protect all that is worth protecting. COVID-19 and cybercrime are making seismic shifts in worldwide health and safety, threatening our prosperity. Let’s defend the world, use technology for good and build the world we want.
1 Doffman, Zak. “Coronavirus Police Surveillance Tags Are Now Here: Hong Kong First To Deploy.” Forbes, 17 March 2020, https: //www.forbes.com/sites/zakdoffman/2020/03/17/alarming-coronavirus-surveillance-bracelets-now-in-peoples-homes-heres-what-they-do/?sh=227b12984533
2 Hallet, Rebecca. “Tokyo on track for smartest Olympics ever”. Raconteur, 20 February 2020, https ://www.raconteur.net/technology/internet-of-things/iot-tokyo-2020/
3 Coble, Sarah. “Vulnerabilities in IoT Devices Have Doubled Since 2013”. Info Security, 17 September 2019, https ://www.infosecurity-magazine.com/news/vulnerabilities-in-iot-devices/.
5 Whittaker, Zack. “Hackers publish ExecuPharm internal data after ransomware”. Tech Crunch, 27 April 2020, https: //techcrunch.com/2020/04/27/execupharm-clop-ransomware/.
6“Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware”. KrebsonSecurity, 6 May 2020, https: //krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/.
7 “Coronavirus: Cyber-attacks hit hospital construction companies” BBC News, 13 May 2020, https: //www.bbc.co.uk/news/technology-52646808.
8 Anx, Quintessant. “Healthcare IoT: Monitoring Diabetes with Logz.io” Logz.io, 11 December 2018, https: //logz.io/blog/healthcare-iot-monitoring/.
9 Minion, Lynne. “‘Flattening the curve’ with virtual care in Australia'” Healthcare IT News, 30 June 2020, https: //www.healthcareitnews.com/news/europe/flattening-curve-virtual-care-australia
10 Crouch, Hannah. “University Hospitals of North Midlands deploys Ordr cyber security solution”. digital health, 6 May 2021, https: //www.digitalhealth.net/2021/05/university-hospitals-of-north-midlands-ordr/
11 “Security Challenges in the IoT Landscape | Kudelski Group’s Christopher Schouten”. iot for all, 5 May 2020, https: //www.iotforall.com/podcasts/e064-iot-security-considerations.
How can we enjoy social gatherings in restaurants or busy spaces again? This is possible with robots, devices, space partitions and humans occupying the same space. With imagination, we will re-create the bustling spaces redefined with IoT technology.
What is IoT?
If you’re new to IoT, see from Wikipedia: “The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”1
Basically, an IoT device is one that has an internet connection, even though normally it wouldn’t. Your smart boiler and smart thermostat are examples of IoT devices. You talk to them using an app on your smartphone. You tell the smart boiler to heat water so you can take a shower, and the smart thermostat to warm up the room to a cosy temperature by the time you arrive home.
In recent months, as the reach and severity of the COVID-19 pandemic increased, adopting IoT solutions started joining the frontline in many countries outside Asia in order to manage the crisis. With the boost in increased use of digital and remote technologies, videoconferencing has become the norm for office meetings, school lessons and exercise classes. The capabilities of video conferencing, email and messaging technologies has shown just how productive remote work can really be, with studies showing that 65% of pandemic remote workers wished to continue working from home and only 2% wished to return to the office.2
These efforts are likely to take a step further with IoT. Many countries have set up temperature measurement systems at the entrance of public places such as airports and train stations. Restaurant managers are also recording the temperature of staff who are preparing food. If this collected data (temperature) could be transferred and analysed in the cloud through an app, it could result in real-time analysis.
To orchestrate such a system requires planning and a clear understanding of what is most valuable to protect and why. There are many benefits and use cases of IoT.
Benefits of IoT
IoT, artificial intelligence, and the analysis of vast amounts of real-time data sets (aka Big Data) can be used to slow down proliferation of pandemics to avoid future global health crises. Such real-time connected intelligence, dubbed “nowcasting”, could be gained from medical devices connecting over the internet. Trend monitoring of wearable devices could analyse population-level influenza trends daily according to a recent study from Scripps Research scientists.3
As seen during COVID-19 isolation period, this preventive action to stop the virus spread combined with telehealth services lets health care providers advise patients without risking exposure.
Robot surveillance for social distance monitoring can alleviate the stress on police or community patrol since robots don’t get tired of doing repetitive tasks — observe, record, count, report and take action. 4
Key reasons for implementing IoT projects are summarized in Microsoft Azure’s IoT survey featured in their IoT Signals report, which highlight the top three reasons as improving Safety and security, Operations optimization, and Quality assurance.
During COVID-19 crisis, we have seen that doctors and health care providers can maintain some employees’ productivity while social distancing and relying on the right connected devices and computing systems. Logistics companies, supermarkets and the food supply chain can track the quality and quantity of goods and produce from shore to shop or farm to market with minimal manual effort. Eventually, the click-pick-and-collect journey of groceries delivered by Ocado5 will be done entirely with robotics. Another instance in which IoT can act as a useful tool for retail stores is by tracking consumer and employee location data. Michele Pelino, senior analyst in infrastructure and operations research at Forrester said, “The idea is to use information about location: GPS capabilities in phones. Over time, there will be more opportunities to create location-based experiences to interact with a brand”. Possibilities for the next year include the ability for customers to use GPS to check in, allowing them to maintain distance by avoiding queues.
As with all new technology, great progress comes with risks in uncharted fields.
Since the explosion of the internet of things (IoT) across industries, companies providing products or services in any IoT ecosystem must carefully evaluate and examine possible threats of malicious intent.
We have been warned children’s toys6 and baby monitors’7 cameras have been hacked by strangers invading privacy and security of the home. In the UK, regulations for IoT devices are gradually being introduced to catch up with the 300% surge in cyberattacks using IoT devices8, and similarly in the US9.
In the United States, FBI warned 10 the US private sector in February: “Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution”. Recently we have seen this exact industry area targeted in oil pipeline system company Colonial Pipeline’s Ransomware attack. This led to the take down of the largest fuel pipeline in the U.S., and Colonial Pipeline paying out a huge $4.4m crypto currency ransome.
In addition to attacks against supply chain software providers, the FBI said the same malware was also deployed in attacks against companies in the healthcare, energy, and financial sectors.
The Most popular supply chain attack is 2017’s NotPetya ransomware attack11. Due to a lack of patches to keep software in their Windows computer systems up to date, cyber criminals were able to gain access to computers and install a malware that spread through the networks of organizations like wildfire. Multinational companies, AP Moller-Maersk, Reckitt Benckiser and FedEx, were crippled and they were not even the target of the state-sponsored attack. Just collateral damage, and the estimated loss is $10 billion12.
Gavin Ashton recently wrote in his personal blog about his insider view of the NotPetya experience, which cost Maersk $300 million: “you should put up a damn good fight to stop these attacks in the first case. … Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.”13
The Value Security Adds to Systems
Such risks and misfortunate events are avoidable and can be mitigated.
There is a range of use cases in which security indeed adds value to IoT systems. For example:
Need to prove authentic origin of products such as fresh produce or medications? Eliminate loss by tracking products with encrypted data.
Need to guarantee the integrity of data? Prevent tampering and fraud by ensuring systems have security controls for identification, authentication and authorization.
Prevent cloning/faking/tampering of trackers or meters?
Ensure data of logistics/transport/utility/food services is confidential end-to-end
individual contact tracing. Ensure tracker data is confidential end-to-end
Prevent device/software tampering that could affect pricing and billing
At home and with health care providers,
Safeguard customer privacy by preventing intrusion into home systems
Comply with patient privacy regulations by protecting data at rest (stored on devices/systems) and in motion (when sent from a device over the network to another device/system).
In the IoT ecosystem, it is crucial for organizations to have visibility into all connected devices and systems. As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This means more attention is needed on endpoint monitoring and protection, which includes not only employees’ devices to perform work, but also devices in the worker’s environment whether at home or at work. At work the environment may be an open plan of office desks, a clinician’s patient room, or on the assembly line of a manufacturing plant. Each environment will have its unique characteristics. For more on the role of IoT and the fight against COVID-19 in sensitive areas, read our blog: Cyber Security and IoT: Health Care and Well-Being in our Shared Spaces.
The user/actor in the environment may also vary and the device’s mobility would affect its position and environment. IoT system design must take many of these factors into consideration and use secure-by-design principles to protect the value of the information that is being moved around the ecosystem. There is no panacea to protect all aspects because in the IoT ecosystem the hardware, software, and services are provided by different vendors. Each aspect will need to be secured to be fit for its purpose within the context of its environment and ecosystem. Methods to update and/or remove devices are required to keep up with the pace of business and technological advancements.
Just as hardware devices come with basic security benefits that can be used and will need to be updated over time, the software of open source components used by IoT devices must also be maintained. Continuous updates are essential. New aspects of information and human security will need to be included. In the context of autonomous vehicles, software must be resilient against both malicious actors as terrorists as well as unauthorised but friendly users, such as a child who could use a smartphone to direct the car to go to school, for example.
Look Out Ahead for CyberSecurity in IoT
The future is not promising to be better in terms of cybersecurity threats and malicious attacks. Globally there were nearly 27.5 billion installed IoT devices number of installed IoT devices at the end of 2020, which is set to rise to 45.9 billion by 202514. So, with both of these figures growing, it is clear to see that IoT devices are the perfect vessel for cyber criminals to carry out attacks.
80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations. Getting basic cyber hygiene right is critical to help prevent cyber attacks. There are always those who destroy unity and stifle positive progress. Cyber criminals unfortunately will continue to innovate with artificial intelligence to increase their attacks at machine speed from anywhere in the world and on a scale comparable to that of a pandemic.
How a Software Bill Of Materials can help prevent cyber attacks
The National Telecommunications and Information Administration (NTIA) defines a Software Bill Of Materials (SBOM) as “a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.” A bill of materials such as this acts as a comprehensive compilation of all internal parts of the software, including third party contributions. This would facilitate the tracking of individual components such as libraries or source code within software programs. With a complete and traceable inventory, companies can see and manage the risks associated with open source libraries by identifying vulnerable systems as early as possible. Furthermore, it allows developers to monitor what components they use by vetting the code in their projects. Finally, this level of transparency would allow for a more informed purchasing experience for consumers. President Biden recently formalized the importance of SBOMs through the Executive Order on Improving the Nation’s Cybersecurity15, in which it was made mandatory that all software used by the US government came with its own SBOM— so as to prevent from SolarWinds type hacks in the future.
If you are interested in automated auditing of your software applications for open source compliance risks and security vulnerabilities, get in touch.
2 Mlitz, Kimberly. “Work from home & remote work- Statistics and Facts”. Statistica, 30 March 2021, https: //www.statista.com/topics/6565/work-from-home-and-remote-work/.
3 “Fitness wearables may improve real-time tracking of seasonal influenza outbreaks.” Scripps Research, 16 January 2020, https ://www.scripps.edu/news-and-events/press-room/2020/20200116-wearable-flu.html.
4 Stieg, Cory. “This $75,000 Boston Dynamics robot ‘dog’ is for sale—take a look”. Make it, 22 June 2020, https ://www.cnbc.com/2020/06/22/75000-boston-dynamics-robot-dog-for-sale-take-a-look.html.
5 Banks, Martin. “Google Solving Together – Ocado Technology readies clients for more changes to online retail’s ‘new normal”. 15 June 2020, https ://diginomica.com/google-solving-together-ocado-technology-readies-clients-more-changes-online-retails-new-normal
6 “What did she say?! Talking doll Cayla is hacked”. 30 January 2015, https ://www.bbc.co.uk/news/av/technology-31059893 .
7 “Smart camera and baby monitor warning given by UK’s cyber-defender”. BBC News, 3 March 2020, https ://www.bbc.co.uk/news/technology-51706631.
8 Kelly Early. “What do the UK’s newly proposed IoT laws look like?”. Silicone Republic, 28 January 2020, https ://www.siliconrepublic.com/enterprise/uk-iot-internet-of-things-regulation-laws.
9 https ://www.nist.gov/internet-things-iot
11 Cimpanu, Catalin. “FBI warns about ongoing attacks against software supply chain companies”. ZD Net, 10 February 2020, https ://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/
12 Hall, Kat. “Largest advertising company in the world still wincing after NotPetya punch”. The Register, 7 July 2017, https ://www.theregister.com/2017/07/07/ad_giant_recovering_from_notpetya/.
13 Ashton, Gavin. GVNSHTN, Maersk, me & notPetya, 21 June 2020, https ://gvnshtn.com/maersk-me-notpetya/.
14 Belton, Padraig. “In 2021, as you work from home hackers eye your IoT”. Light Reading, 1 April 2021, https ://www.lightreading.com/iot/in-2021-as-you-work-from-home-hackers-eye-your-iot/d/d-id/766350
15 “Executive Order on Improving the Nation’s Cybersecurity”. The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
Earlier this month, Honda announced it has suffered a cyber attack on its network. It was affecting its operations around the world: their manufacturing plants have shut down, customer service work has been forced to stop, and their internal communication systems were affected. Additionally, systems outside of Japan were affected due to a “virus” that spread through the network. No further details on the root cause of the attack yet, but at Meterian we have done a quick surface scan of their websites honda.com and www.honda.co.uk. Similar issues were found on both. We’ll focus our blog post on Honda UK’s site.
From the summary report above, we see their website’s security scored 0 From the summary report above, we see their website’s security scored 0 out of 100 because it has 19 vulnerabilities, including jquery 1.4.2 which is vulnerable and outdated. Honda.co.uk’s basic cybersecurity hygiene could be improved by making sure to not launch the website with vulnerable and old components — jquery 1.4.2 is from 2010. Similar issues were found after analysing honda.com.
Although we don’t know if these two components’ weaknesses contributed to the hack of Honda’s systems, while investigations are private, we know every software application is part of a company’s digital estate. Altogether, front end systems (like websites and mobile apps) and back end systems (like databases, servers, APIs that store or access a company’s customer data, intellectual property — the real business logic of the services) make up the digital estate. Any security hole is a vulnerable entry point for cyber criminals to exploit and gain unauthorized access to information or systems to cause damage. Last year in 2019, over 40GB of Honda’s data were breached, exposing details about internal systems and devices on their network. Cyber criminals have strategically targeted Honda again.
There are many strategies to build up an organization’s cyber resilience, including cybersecurity cultural awareness among employees and operational and software development best practices. Meterian helps customers reduce the time to detect, mitigate and resolve issues in applications’ software supply chain. These known vulnerabilities are easy to fix with Meterian because:
1. Safe coding practices can be easily adopted into the software development lifecycle
2. Automated controls fit directly into the software development workflow for continuous monitoring
3. Meterian can be set up to run continuously and prevent such vulnerabilities from going live
Most importantly, developers are empowered to recognise and address the issue early with information at their fingertips. As stewards of software, they can automatically cyber-proof their apps with Meterian so the business can run continuously and avert giving unwanted prying eyes unauthorized access to systems and data.
Good practices in cybersecurity can help protect a company’s reputation and growth. As we’ve also seen following the EasyJet hack incident revealed in May, business productivity and customer satisfaction can be adversely affected due to any cyber hack incident. You can read our recent analysis on easyjet.com’s website.
To see if your own public assets have open source vulnerabilities that anyone could find out about (and exploit to enter your systems), try our webscanner or project scanner.
Easyjet today admitted it was hacked by a “highly sophisticated cyber-attack”. 9 million customer records were compromised, where email addresses and travel details had been stolen. Also 2,208 customers credit card details were stolen.
“Are we surprised? Honestly, we are not.”
Are we surprised? Honestly, we are not. A quick surface scan of the Easyjet website reveals that it is using at least two out of date and vulnerable components: jquery 1.11.2 and angularjs 1.4
Angularjs is another popular web framework used to simplify web development. Version 1.4 of this framework was mainstream in 2015, when we had a nuclear deal with Iran and Barack Obama was at the White House. Sweet. But even if we do really miss those times, you do not necessarily want to use such version of angular because of multiple XSS, DOS and security bypass issues that can easily exploited.
“We can see what’s on the frontend. But what is the situation in the backend systems?”
Do we think that any of those two components can be the culprit of this hack? Well, we do not know. But remember: a system like the EasyJet.com is always composed of a frontend (the website itself) and a backend system, which contains the real business logic of the services (and usually your data).
So, if in the fronted we can see components outdated and vulnerable, what do we think the situation could be on the backend? Well, actually, we think it could be worse. As the frontend is usually easy to change and in fact changes frequently (think about new offers or new branding) the backend is usually a much more stable environment that changes less frequently. So it would be reasonable to expect a similar or worse situation on the backend code, with some outdated and vulnerable components. And this is scary.
“You should always know and assess your risks due to opensource components”
However, this is also something any development team should always actively look into. Making sure that your opensource components are up to date and not vulnerable is a fundamental step in the development process. Meterian can help you do that (actually, it can do that for you and your team). Check out our one minute video that explains how meterian works:
And if at this point you want to learn more, please take a look at these two articles: