The breaking news in December 2021 of the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves through organisations around the world. Over the last 20 years Log4j has been used globally in billions of software developments and applications for logging incidents. This meant that until the vulnerability could be mitigated, the doors were open to millions of organisations. Attackers could break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage. The issue was also a major threat to corporate reputations, especially where trust and confidentiality was key, such as in the financial services sector.
In the early hours an alert notification about the Log4j critical vulnerability reached one major financial services organisation based in the UK, with Fortune 500 clients around the world. On hearing the news, the Director of DevOps and Engineering cross-checked other sources for corroboration, including social media, and contacted the organisation’s Lead Technical Security Officer. It was clear that, unchecked, this could be a major problem, but how big an issue would depend on how widely Log4j 2 was embedded into systems used and being developed throughout the corporation.
Often in the race to innovate and implement systems quickly, documentation may not be as comprehensively kept and updated as ideally required. In its absence, it can be difficult for an organisation to discover how widely Log4j is integrated within its application estate, let alone know if it has been previously patched.
The race was on against the malicious actors poised to automate exploitation of Log4J vulnerabilities, with major impacts for the corporation and potentially for millions of customers around the world.
Mobilising the IT & Security Workforce with Meterian
The organisation moved rapidly by using Meterian’s out-of-the-box reports to enable it to identify where Log4J vulnerabilities were to be found across its application estate, and hence the size of the potential problem. Only then could it be possible to build a remediation plan to mitigate the risks of all the Log4J vulnerabilities.
By 10am, the list of projects utilising the Meterian solution could be seen via the Meterian Dashboard and automated scanning initiated. Scanning the software bills of materials of the affected projects, an indication of the potential impact of Log4J was emerging which could give direction and scope on the follow-up actions. Other projects which had not yet begun to use Meterian as part of their regular processes, found that Meterian’s simplicity of use meant that they could also quickly scan their projects for vulnerabilities.
Working methodically and forensically with the organisation’s development teams across multiple locations, by 5pm it was possible to present to senior management a concise summary of the situation, showing areas of the business at risk; those projects which had already been remediated; and those still needing work. A comprehensive communication plan was then invoked to alert the business to remaining vulnerabilities.
The following Meterian tools were used:
Meterian Sentinel notification alerts: an always-on security messaging service which sends notification alerts, emails, or Slack IMs to account administrators about new public vulnerabilities found in open source components used by their projects.
Meterian Boost Open Source Security (BOSS) Scanner: which gives instant visibility to the application’s open source dependencies with automated discovery, risk scoring, continuous scanning, and actionable security insights.
Meterian Account Dashboard: insight reports show dependent components and related Critical/High/Medium/Low vulnerabilities within the remit of a particular account.
The Meterian toolset alerts key employees to security issues and vulnerabilities; the breadth of the issue for the organisation’s application estate; and the projects impacted. The CISO is then armed with all the information needed to mobilise an effective action plan and comprehensive remediation.
Visibility and Control of Vulnerable Components
Log4J created great upheaval in IT teams across the industry, but for this business unit at this global Financial Services organisation, Meterian tools rapidly delivered a complete view of projects that were susceptible to attack. In comparison, other business units were not able to gather such insights so quickly because there was no single comprehensive reference point which was easy to access and use.
Meterian enabled a speedy time to resolution: 2 hours to implement remediation on projects identified using Meterian as having the Log4J vulnerability.
Meterian freed up employee time from finding the vulnerabilities, enabling them to focus on isolating the application estate from risk and implementing remediations. The Log4J threat demonstrated that critical incident prevention is possible with a more automated, secure-by-design approach. Additional or external staff were not required as existing employees could use smart tools on their application estate, and on a more regular basis to save time and remove headaches.
Through using Meterian the organisation benefits from:
Prompt alerts and early warnings of vulnerabilities in the open source software supply chain
Enhanced protection against threats
Increased confidence in people and tools working together to protect from organisational risk
Decreased stress that vulnerabilities will cause major damage and reputational harm
Cultivating Cyber Resilience Consistently and Responsively
The organisation is using the effective response enabled by Meterian as a case study to demonstrate that regulatory and compliance requirements can be met with easy-to-use continuous scanning tools that provide immediate visibility and quicken the development of secure code.
The proven partnership with Meterian will extend and facilitate their further innovation in automation, analytics and cyberresilience, through even more responsive and secure development.
Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.
Recent high profile cyber security incidents have reinforced the importance of cleaning up the open-source software supply chain. From Heartbleed to the Apache Software Foundation’s Log4j vulnerability, these highly publicised incidents have exposed the threats associated with the software supply chain.
Open source security vulnerabilities are nothing new. Heartbleed was a security bug in the OpenSSL cryptography library that affected many systems. Similarly, Log4Shell is a severe vulnerability, however in the case of Log4j the number of affected systems could well run into potentially billions. Many cybersecurity experts have characterised Log4Shell as the single biggest, most critical vulnerability of the last decade.
These incidents have brought into sharp focus the risks and galvanised a range of responses at national and international level. It even prompted the White House to convene an Open Source Software Security Summit in January that was attended by leaders from global technology companies including Google, Meta, Apple, and Cisco. Members of the open source community were also represented at the summit, as well as US government agencies, including the Cybersecurity and Infrastructure Security Agency, the National Security Council and the National Institute of Standards and Technology.
The gathering may have been precipitated by the Log4Shell vulnerability, but the wider context was clear. How do we ensure source code, build, and distribution integrity to achieve effective open source security management?
Open source under the microscope
Technology companies have been using open source for years as it speeds up innovation and time to market. Indeed, most major software developments include open source software – including software used by the national security community.
Open source software brings unique value, but it also has unique security challenges. It is used extensively, however, the responsibility of ongoing security maintenance is carried out by a community of dedicated volunteers. These security incidents have demonstrated that the use of open source is so ubiquitous that no company can blindly continue in the mode of business as usual. Recent research showed that 73% of applications scanned have at least one vulnerability. These can be buried deep in the open source software supply chain that software-driven businesses rely on for basic functionality and security to accelerate their time to market.
The known unknown
The concept of known knowns, known unknowns and unknown unknowns has been widely used as a risk assessment methodology. When it comes to cybersecurity and the voracity of threat actors to exploit vulnerabilities, it is a useful analogy.
Let’s take Apache Log4J as an example. Companies often create products by assembling open source and commercial software components. Almost all software will have some form of ability to journal activity and Log4j is a very common component used for this.
How do you quickly patch what you don’t know you have?
Java logger Log4j 2 – A zero-day vulnerability
Log4J was originally released in 2001, and over the last 20 years it has been used in billions of software developments and applications across the world. For logging incidents within software, Log4j is used by everything from the humble 404 error message, gaming software such as Minecraft, and Cloud providers such as iCloud and Amazon Web Services, as well as for all manner of software and security tools.2 On 9 December 2021, the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves across organisations as security teams scrambled to patch the flaw. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage, not least to brand reputations.
However, herein lies the problem. How do you quickly patch what you don’t know you have?
Often in the race to innovate, the first thing sacrificed is up-to-date documentation. Without it how does a company know if Log4J is integrated within its application estate, let alone know if it has been previously patched.
Improving safety and trust when speed is of the essence
If we are to increase safety and trust in software, we must improve transparency and visibility across the entire software supply chain. Companies should have the ability to automatically identify open source components in order to monitor and manage security risk from publicly disclosed vulnerabilities. A software bill of materials (SBOM) should be a minimum for any project or development. Without such visibility of all component parts, security teams cannot manage risk and will be unaware, and potentially exposed, to dangers lurking in their software.
Case study – Full Visibility within an Hour
To give an example; one of the largest UK based financial services company with millions of customers across the world discovered it had Log4J embedded within dozens of in-house developed software projects. Having seen the first reports of the vulnerability at the start of the business day, within an hour the security team had identified projects using Log4j and were able to start work on follow up activities. By the end of the day, the entire business had a concise list of projects at risk, some of which were already remediated.
How was this achieved?
The company had automated tooling integrated into their software development environment with comprehensive component security. This enabled them to quickly identify those software projects which depended on the affected log4j component.
This visibility allowed the company to devise remediation plans to mitigate the risks of the vulnerability in Log4J. The company was able to target valuable resources across multiple locations to ensure fixes were applied quickly to critical business applications within just a couple of hours. While they were implementing an action plan based on the organisation’s use of Log4j, some of its competitors without such comprehensive tools were still in the information gathering stage.
As organisations continue to innovate at pace in order to reduce time to market, the reliance on open source software continues to increase. However, when the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted.
The White House has taken an important first step in trying to identify the challenges present in the open source software supply chain and encourage the sharing of ideas on ways to mitigate risk and enhance resilience. Organisations can and should take advantage of the many benefits that open source software can deliver, but they must not do it blindly. Ensuring you know the exact make-up of your technology stack including all the component parts is an important first step. Choosing discovery tools that have the widest comprehensive coverage is important, and so too is the flexibility to grade alerts so that only the most pressing threats are highlighted. This avoids ‘alert fatigue’ and enables security teams to focus resource where it matters most, putting organisations in a good position to act fast when vulnerabilities are discovered.
Hackers faced with stronger security defences will continue to turn their attention to the weaker underbelly of the software supply chain. Now is the time for organisations to implement integrated and automated tooling to gain comprehensive risk control of components in their open-source software supply chain. Only by increasing visibility, coverage of known unknowns and transparency can companies stay one step ahead.
1 Meterian research from aggregated and anonymised data of 2044 scanned software applications in 2020.
We are sure many of you have been hearing about SBOMs. Nowadays, software include some components with code written by your own developers, but 80-90% of the code is typically from third-party developers. How can you know who produced what and when it absolutely needs to be replaced? Since Meterian has been managing SBOMs for awhile, we’re happy to share our know-how so you can consider a comprehensive strategy to manage your open source software supply chain.
What is an SBOM?
SBOM is an acronym that means Software Bill Of Materials. The concept originates from the manufacturing industry, where a bill of materials lists dependent components in machinery. A SBOM lists all third-party components present in your application. A good SBOM also lists the licences used by each component and, when possible, the specific copyright attribution. An excellent SBOM can also provide further information, such as possible relationships between those components to better understand any supply chain risk. You may have encountered SBOMs in the past, known as “third party notice” documents created to manage legal requirements, such as the one in the image below.
However, modern SBOMs are “machine-readable”. They follow a strict specification that can be understood by a computer.
What machine-readable formats are used to publish SBOMs?
The most commonly used formats to define a SBOM are:
CycloneDX, a lightweight open-source standard designed for use in application security context and supply chain component analysis. This originated from within the OWASP community.
SPDX, an open source format with origins in the Linux Foundation, slightly more complex, and recently approved as ISO/IEC standard in version 2.2.1 as ISO IEC 5962:2021.
SWID, another ISO/IEC industry standard used by various commercial software publishers.
All these formats support a variety of use cases, but the first two (CycloneDX and SPDX) are the most versatile. Due to SPDX’s complexity, we think CycloneDX has an edge at this time, but only time can tell which of these formats will be the winner. To learn more about these formats you can also read the official NTIA publication, which drills down into the matter.
Why are SBOMs important? And how are they useful?
As a consumer of software, the main reason why you want to have access to the SBOMs of the systems you are using is to manage risks. When a very commonly used software component becomes vulnerable: how do you know what you need to patch and which subsystems are at risk? This is exactly what happened with the recent Log4Shell debacle. The logging library called Log4j, was suddenly exploitable with a very simple and repeatable attack. How do you know where it is? Which one of the systems you are using is suddenly at risk? With a correctly managed archive of SBOMs, getting this information reduces to a very simple lookup task. Without it, it can be a real nuisance —a time consuming information hunt that disrupts everyone’s work flow.
As a producer of software, instead, you want to preserve and maintain an archive of all the SBOMs of the system you produce so that you can create and distribute timely patches to your customers. Having a systematic and comprehensive analysis of your most commonly used software packages would be useful indeed. Some companies were very fast in releasing patches to their customers, while others were extremely slow, mostly because they did not have the information. You probably want to be in the first group of companies 🙂
Governments are also mandating the need for use of SBOMs, realising that software security needs to be regulated. The U.S. Executive Order 14028 that mandates all federal agencies to require SBOMs from their suppliers. This not only impacts the companies that have direct sales to the US government but also their own software suppliers. As so many systems and devices have been connecting to the Internet to send and receive information, consequently our digital world relies on a software supply chain. This “ripple effect” will be significant for many industries.
Very carefully :), because an SBOM contains the full list of the “ingredients” of your system or application. While open-source projects happily share this information to the world, the same does not apply to private companies. In fact, a malicious actor that gets hold of the SBOM of your system can then check if you are using any vulnerable components. There are public vulnerability databases, such as the NVD, which are very popular. Someone can simply browse in there and compose a list of possible attacks, try them, and maybe get lucky. Probably 9 out of 10 vulnerabilities affecting components in your system won’t be exploitable, but having the ability to go through the whole list, certainly makes the task of finding an exploit much easier.
There’s no need to keep SBOMs a complete secret, however, as long as a few simple principles are kept in check:
SBOMs need to be shared securely,
they need to be accessed only by the authorised parties, across organisational boundaries, and
they should not be tampered with.
In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.
Why bother with SBOMs now?
In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties. In our hyper connected world, comprehensive coverage of components is important for preventative strategies and threat detection in supply chain attacks. Therefore, implementing SBOM management proactively now will be worth something to your organisation when the next critical vulnerability appears and stand your organisation in good stead. All good collections are worth organising. How valuable is your collection of software?
This is a call to arms. All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered Apache Log4j vulnerability since its announcement on Dec 9, 2021. Since then several security vulnerabilities in the wild have been discovered.
Vulnerability Score: 6.6 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H) Platform: Java Component: org.apache.logging.log4j:log4j-core Affected versions: 2.0-alpha7 to 2.17.0 inclusive, except 2.3.2 and 2.12.4. Fixed in version: 2.17.1
Vulnerability Score: 10.0 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H) Platform: Java Component: org.apache.logging.log4j:log4j-core Affected versions: all versions before 2.14.1, inclusive Fixed in version: 2.15.0 but upgrade to 2.17.0 is required because of CVE-2021-45105
Vulnerability Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (updated 18/12/2021) Platform: Java Component: org.apache.logging.log4j:log4j-core Affected versions: all versions up to 2.15.0, excluding 2.12.2 Fixed in version: 2.16.0 but upgrade to 2.17.0 is required because of CVE-2021-45105
Vulnerability Score: 7.5 (CVSS: 3.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Platform: Java Component: org.apache.logging.log4j:log4j-core Affected versions: all versions from 2.0-beta9 to 2.16.0, inclusive Fixed in version: 2.17.0
Which systems does this affect?
Apache Log4j is probably the most common library used for logging in the Java ecosystem with over 400,000 downloads from its GitHub project. It is used in Java applications to log system and user activities, so there’s a serious possibility your Java software is using it. It is used, internally, by many other Apache frameworks such as Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo. It is also actively used in many other open source projects, like Redis, ElasticSearch, Elastic Logstash, Ghidra and many others.
Among all these open source components, one needs a special mention: Apache Struts. Yes, it is actively using Log4j. There exists a potential to trigger high-impact attacks against a wide variety of apps and services, similar to the scale witnessed in 2017. At that time, due to the vulnerability exploited in the Equifax megahack, 140 million customers’ data in North America and UK were breached. The latest version of Apache Struts, 2.5.28, uses by default Log4j version 2.12.21, which is vulnerable to this attack. This time, however, the scope for damage could be even wider, as Apache Struts is one of many Apache frameworks that use Log4j.
The Java ecosystem is in very broad use in enterprise systems and web apps and many mainstream services are likely to be vulnerable. Therefore, software maintainers and developers should pay close attention to this vulnerability.
“All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control. […]Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.”
If you maintain an enterprise system using Java software, you would need to update all affected applications, whether they are maintained directly by your organisation or your supplier organisation.
Within 2 days of the 2017 vulnerability being announced, several systems around the world were breached by exploiting the software weakness. We do not want more cyber breaches of such scale and all need to react quickly to patch vulnerable systems.
How can I check if my system is affected?
If you maintain any software using Java libraries, check if you are using Apache Log4j. Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries. If it is using Log4j, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.
If you are a developer and you have access to the code, you can simply execute this command from your terminal:
If you see any response lines, check the version: if it’s below 2.16.0 (as in the above example) you may be affected.
My system has the vulnerable log4j library — how can I mitigate the risk?
There is a patched version of the library that resolves the issue. Released by Apache Software Foundation, the solution is to immediately upgrade log4j to the latest log4j version 2.16.0. The fixed version is available via Maven.
If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before:
To include this as part of your continuous improvement efforts to build resilience into your software development lifecycle, see our documentation on the various integrations we support with GitHub Actions, Azure DevOps Pipelines, and others.
Are Meterian applications affected by the log4j vulnerability?
No. We have verified our applications and none are using log4j. We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components.
This may seem to be a trivial question or something more like a joke. Why would one keep a vulnerable component in his tech stack? That said, from time to time, we meet people who simply answer “well, this is not an issue”.
Surprisingly, some are part of the technology leadership, or even the security chapter. Often their answer is usually along the lines of: “Well, you should know there’s a difference between vulnerable and exploitable: the fact that a component is vulnerable does not automatically mean that it’s possible to exploit it”.
“There’s a difference between vulnerable and exploitable…”
Yes, that is perfectly correct. We know it, as we do our own analysis as part of our routine.
Do you know what the problem is? You are probably not involved in the project and you are not a developer. I can bet that you are not continuously monitoring and assessing the code that your developers are daily pushing. Are you? Because at the speed innovation is going these days, there’s no guarantee that even tomorrow one of your developers will push a line of code that will enable the exploit. Yes, these exploits may be quite complex but also may be very easy to enable. It’s possible that an application including a vulnerable component is not exploitable today, but what about tomorrow? Your software is changing continuously.
“…but developers push new code daily, software is changing continuously.”
Do you know why Struts in Equifax was hacked? Because of a log message. A simple log message that echoes the content of a header, only that such content contained OGNL code, crafted by an attacker.
Do you know how jackson-databind remote code execution can be exploited? It’s just one configuration property away: enable polymorphic JSON deserialization and you are on.An apparently innocuous JSON message can feed now code to your server to be remotely executed.
So, in your position, I would not sit too complacent on the fact that you have vulnerable components that today cannot be exploited because of the current application code. That code changes continuously, daily, and unless you have in place an incredibly strict validation process, you are at risk, and you are putting your customers at risk. I do not believe such risk is acceptable.
“Most of the times the fix is just one patch away.”
Furthermore, most of the time fixes are just a patch away. We are not talking about a four-week refactoring session, but probably more like a one minute change and a run of the normal test regression suites, And if you had a system in place to continuously check your components against known vulnerabilities, you would have caught such an issue and patched it a while ago.
This is not a commercial plug for Meterian. Yes. this is our bread and butter, and we think we provide tons of value for the money. But some of our competitors do that as well. Maybe you are already using one of them in your company, and that’s great. Plug that in and set your customers free from this risk.
We can all admit that as dreary as 2020 has been, it has at least been consistent in its dreariness. One organisation that can definitely vouch for this is music streaming giant Spotify. In true 2020 style, Spotify wrapped up the end of the year with a data breach on November 12th1 in which customers’ private account details were exposed.
Now, we may wonder why a hacker would be interested in Spotify accounts. Sadly, it’s not because they want to steal music inspiration from us. The details of targeted private accounts include customer display names, passwords, genders and D.O.B.’s which were leaked to various Spotify business partners. Speaking of business partners, we must also note that a Spotify breach does not solely expose Spotify users but may also put customers on connected devices or platforms at risk. The interconnectedness of our information sharing means that a problem for Spotify could be a problem for us all. This information is harvested by malicious actors to perform credential stuffing attacks, in which stolen passwords are used to uncover more stolen passwords for other sites and applications.
Moreover, this would not be the last experience Spotify had of data breaches in 2020. A week later, a cyber criminal under the guise ‘Daniel’ infiltrated celebrity Spotify accounts including Dua Lipa and Lana Del Rey2. Although in this case it was not customers PII that was exposed, it still casts a shadow on Spotify’s claim of prioritising “protecting privacy and maintaining user’s trust” as outlined in an official statement released on the 9th December 20203.
Enter now: Meterian web scanner, which we’ve used to perform a quick surface scan of http://www.spotify.com to identify what security, stability and licensing risks of open source components are within the website’s codebase. Here we can see that Spotify currently has a security score of 0 out of 100, with 1 known vulnerable component – jquery 2.1.3 which has at least one high and several medium threats as confirmed by NVD4. Although we do not know for sure what the unlocked route of entry was in Spotify’s case, this open source entry may well have been it. Subsequently, there is nothing stopping cyber criminals from using this chink in the armour to perpetrate similar breaches in the future.
Although the vulnerability was discovered on November 12th, Spotify disclosed that it was present within the system from as far back as April. This means that more than 320 million user’s personal data was at risk for at least 7 months prior. Having carried out our own analysis in a matter of minutes, we immediately notice that the vulnerable component in use is actually more than three years out of date! We hope their web and mobile apps get greater scrutiny with regards to the maintenance of their open source dependencies. At Meterian we have developed a security platform that automatically identifies known vulnerabilities in software applications’ open source supply chain. To give our customers the best chance of resolving such issues, the platform can be easily integrated in software development teams’ DevOps process. The continuous nature of DevSecOps empowers development teams to be the first line of defence as they code applications.
Open source components have become fundamental components of applications that are relied upon for basic functionality and security. Since over 90% of applications consist of open source components nowadays, securing this part of a business’ IT and software has become an area that requires greater scrutiny in quality and maintenance.
Meterian helps ensure software applications’ open source supply chain is free from any known vulnerabilities that could compromise the application’s security and stability. Is it worth risking to damage the firm’s reputation and competitive edge in the market?
Curious to see what we can automatically report on your software applications? Detect known vulnerabilities in your open source software supply chain before your own applications become an Achilles heel. Get in touch and see how Meterian can make your company’s application security defence more robust.
1 Whittaker, Zack. “Spotify resets passwords after a security bug exposed users’ private account information.” Tech Crunch, 10 Dec 2020, https:// techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/
2 “Dua Lipa and other Spotify artists’ pages hacked by Taylor Swift ‘fan’”. BBC News, 2 Dec 2020, https:// bbc.co.uk/news/technology-55158317.
How can we enjoy social gatherings in restaurants or busy spaces again? This is possible with robots, devices, space partitions and humans occupying the same space. With imagination, we will re-create the bustling spaces redefined with IoT technology.
What is IoT?
If you’re new to IoT, see from Wikipedia: “The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”1
Basically, an IoT device is one that has an internet connection, even though normally it wouldn’t. Your smart boiler and smart thermostat are examples of IoT devices. You talk to them using an app on your smartphone. You tell the smart boiler to heat water so you can take a shower, and the smart thermostat to warm up the room to a cosy temperature by the time you arrive home.
In recent months, as the reach and severity of the COVID-19 pandemic increased, adopting IoT solutions started joining the frontline in many countries outside Asia in order to manage the crisis. With the boost in increased use of digital and remote technologies, videoconferencing has become the norm for office meetings, school lessons and exercise classes. The capabilities of video conferencing, email and messaging technologies has shown just how productive remote work can really be, with studies showing that 65% of pandemic remote workers wished to continue working from home and only 2% wished to return to the office.2
These efforts are likely to take a step further with IoT. Many countries have set up temperature measurement systems at the entrance of public places such as airports and train stations. Restaurant managers are also recording the temperature of staff who are preparing food. If this collected data (temperature) could be transferred and analysed in the cloud through an app, it could result in real-time analysis.
To orchestrate such a system requires planning and a clear understanding of what is most valuable to protect and why. There are many benefits and use cases of IoT.
Benefits of IoT
IoT, artificial intelligence, and the analysis of vast amounts of real-time data sets (aka Big Data) can be used to slow down proliferation of pandemics to avoid future global health crises. Such real-time connected intelligence, dubbed “nowcasting”, could be gained from medical devices connecting over the internet. Trend monitoring of wearable devices could analyse population-level influenza trends daily according to a recent study from Scripps Research scientists.3
As seen during COVID-19 isolation period, this preventive action to stop the virus spread combined with telehealth services lets health care providers advise patients without risking exposure.
Robot surveillance for social distance monitoring can alleviate the stress on police or community patrol since robots don’t get tired of doing repetitive tasks — observe, record, count, report and take action. 4
Key reasons for implementing IoT projects are summarized in Microsoft Azure’s IoT survey featured in their IoT Signals report, which highlight the top three reasons as improving Safety and security, Operations optimization, and Quality assurance.
During COVID-19 crisis, we have seen that doctors and health care providers can maintain some employees’ productivity while social distancing and relying on the right connected devices and computing systems. Logistics companies, supermarkets and the food supply chain can track the quality and quantity of goods and produce from shore to shop or farm to market with minimal manual effort. Eventually, the click-pick-and-collect journey of groceries delivered by Ocado5 will be done entirely with robotics. Another instance in which IoT can act as a useful tool for retail stores is by tracking consumer and employee location data. Michele Pelino, senior analyst in infrastructure and operations research at Forrester said, “The idea is to use information about location: GPS capabilities in phones. Over time, there will be more opportunities to create location-based experiences to interact with a brand”. Possibilities for the next year include the ability for customers to use GPS to check in, allowing them to maintain distance by avoiding queues.
As with all new technology, great progress comes with risks in uncharted fields.
Since the explosion of the internet of things (IoT) across industries, companies providing products or services in any IoT ecosystem must carefully evaluate and examine possible threats of malicious intent.
We have been warned children’s toys6 and baby monitors’7 cameras have been hacked by strangers invading privacy and security of the home. In the UK, regulations for IoT devices are gradually being introduced to catch up with the 300% surge in cyberattacks using IoT devices8, and similarly in the US9.
In the United States, FBI warned 10 the US private sector in February: “Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution”. Recently we have seen this exact industry area targeted in oil pipeline system company Colonial Pipeline’s Ransomware attack. This led to the take down of the largest fuel pipeline in the U.S., and Colonial Pipeline paying out a huge $4.4m crypto currency ransome.
In addition to attacks against supply chain software providers, the FBI said the same malware was also deployed in attacks against companies in the healthcare, energy, and financial sectors.
The Most popular supply chain attack is 2017’s NotPetya ransomware attack11. Due to a lack of patches to keep software in their Windows computer systems up to date, cyber criminals were able to gain access to computers and install a malware that spread through the networks of organizations like wildfire. Multinational companies, AP Moller-Maersk, Reckitt Benckiser and FedEx, were crippled and they were not even the target of the state-sponsored attack. Just collateral damage, and the estimated loss is $10 billion12.
Gavin Ashton recently wrote in his personal blog about his insider view of the NotPetya experience, which cost Maersk $300 million: “you should put up a damn good fight to stop these attacks in the first case. … Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.”13
The Value Security Adds to Systems
Such risks and misfortunate events are avoidable and can be mitigated.
There is a range of use cases in which security indeed adds value to IoT systems. For example:
Need to prove authentic origin of products such as fresh produce or medications? Eliminate loss by tracking products with encrypted data.
Need to guarantee the integrity of data? Prevent tampering and fraud by ensuring systems have security controls for identification, authentication and authorization.
Prevent cloning/faking/tampering of trackers or meters?
Ensure data of logistics/transport/utility/food services is confidential end-to-end
individual contact tracing. Ensure tracker data is confidential end-to-end
Prevent device/software tampering that could affect pricing and billing
At home and with health care providers,
Safeguard customer privacy by preventing intrusion into home systems
Comply with patient privacy regulations by protecting data at rest (stored on devices/systems) and in motion (when sent from a device over the network to another device/system).
In the IoT ecosystem, it is crucial for organizations to have visibility into all connected devices and systems. As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This means more attention is needed on endpoint monitoring and protection, which includes not only employees’ devices to perform work, but also devices in the worker’s environment whether at home or at work. At work the environment may be an open plan of office desks, a clinician’s patient room, or on the assembly line of a manufacturing plant. Each environment will have its unique characteristics. For more on the role of IoT and the fight against COVID-19 in sensitive areas, read our blog: Cyber Security and IoT: Health Care and Well-Being in our Shared Spaces.
The user/actor in the environment may also vary and the device’s mobility would affect its position and environment. IoT system design must take many of these factors into consideration and use secure-by-design principles to protect the value of the information that is being moved around the ecosystem. There is no panacea to protect all aspects because in the IoT ecosystem the hardware, software, and services are provided by different vendors. Each aspect will need to be secured to be fit for its purpose within the context of its environment and ecosystem. Methods to update and/or remove devices are required to keep up with the pace of business and technological advancements.
Just as hardware devices come with basic security benefits that can be used and will need to be updated over time, the software of open source components used by IoT devices must also be maintained. Continuous updates are essential. New aspects of information and human security will need to be included. In the context of autonomous vehicles, software must be resilient against both malicious actors as terrorists as well as unauthorised but friendly users, such as a child who could use a smartphone to direct the car to go to school, for example.
Look Out Ahead for CyberSecurity in IoT
The future is not promising to be better in terms of cybersecurity threats and malicious attacks. Globally there were nearly 27.5 billion installed IoT devices number of installed IoT devices at the end of 2020, which is set to rise to 45.9 billion by 202514. So, with both of these figures growing, it is clear to see that IoT devices are the perfect vessel for cyber criminals to carry out attacks.
80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations. Getting basic cyber hygiene right is critical to help prevent cyber attacks. There are always those who destroy unity and stifle positive progress. Cyber criminals unfortunately will continue to innovate with artificial intelligence to increase their attacks at machine speed from anywhere in the world and on a scale comparable to that of a pandemic.
How a Software Bill Of Materials can help prevent cyber attacks
The National Telecommunications and Information Administration (NTIA) defines a Software Bill Of Materials (SBOM) as “a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.” A bill of materials such as this acts as a comprehensive compilation of all internal parts of the software, including third party contributions. This would facilitate the tracking of individual components such as libraries or source code within software programs. With a complete and traceable inventory, companies can see and manage the risks associated with open source libraries by identifying vulnerable systems as early as possible. Furthermore, it allows developers to monitor what components they use by vetting the code in their projects. Finally, this level of transparency would allow for a more informed purchasing experience for consumers. President Biden recently formalized the importance of SBOMs through the Executive Order on Improving the Nation’s Cybersecurity15, in which it was made mandatory that all software used by the US government came with its own SBOM— so as to prevent from SolarWinds type hacks in the future.
If you are interested in automated auditing of your software applications for open source compliance risks and security vulnerabilities, get in touch.
2 Mlitz, Kimberly. “Work from home & remote work- Statistics and Facts”. Statistica, 30 March 2021, https: //www.statista.com/topics/6565/work-from-home-and-remote-work/.
3 “Fitness wearables may improve real-time tracking of seasonal influenza outbreaks.” Scripps Research, 16 January 2020, https ://www.scripps.edu/news-and-events/press-room/2020/20200116-wearable-flu.html.
4 Stieg, Cory. “This $75,000 Boston Dynamics robot ‘dog’ is for sale—take a look”. Make it, 22 June 2020, https ://www.cnbc.com/2020/06/22/75000-boston-dynamics-robot-dog-for-sale-take-a-look.html.
5 Banks, Martin. “Google Solving Together – Ocado Technology readies clients for more changes to online retail’s ‘new normal”. 15 June 2020, https ://diginomica.com/google-solving-together-ocado-technology-readies-clients-more-changes-online-retails-new-normal
6 “What did she say?! Talking doll Cayla is hacked”. 30 January 2015, https ://www.bbc.co.uk/news/av/technology-31059893 .
7 “Smart camera and baby monitor warning given by UK’s cyber-defender”. BBC News, 3 March 2020, https ://www.bbc.co.uk/news/technology-51706631.
8 Kelly Early. “What do the UK’s newly proposed IoT laws look like?”. Silicone Republic, 28 January 2020, https ://www.siliconrepublic.com/enterprise/uk-iot-internet-of-things-regulation-laws.
9 https ://www.nist.gov/internet-things-iot
11 Cimpanu, Catalin. “FBI warns about ongoing attacks against software supply chain companies”. ZD Net, 10 February 2020, https ://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/
12 Hall, Kat. “Largest advertising company in the world still wincing after NotPetya punch”. The Register, 7 July 2017, https ://www.theregister.com/2017/07/07/ad_giant_recovering_from_notpetya/.
13 Ashton, Gavin. GVNSHTN, Maersk, me & notPetya, 21 June 2020, https ://gvnshtn.com/maersk-me-notpetya/.
14 Belton, Padraig. “In 2021, as you work from home hackers eye your IoT”. Light Reading, 1 April 2021, https ://www.lightreading.com/iot/in-2021-as-you-work-from-home-hackers-eye-your-iot/d/d-id/766350
15 “Executive Order on Improving the Nation’s Cybersecurity”. The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
Earlier this month, Honda announced it has suffered a cyber attack on its network. It was affecting its operations around the world: their manufacturing plants have shut down, customer service work has been forced to stop, and their internal communication systems were affected. Additionally, systems outside of Japan were affected due to a “virus” that spread through the network. No further details on the root cause of the attack yet, but at Meterian we have done a quick surface scan of their websites honda.com and www.honda.co.uk. Similar issues were found on both. We’ll focus our blog post on Honda UK’s site.
From the summary report above, we see their website’s security scored 0 From the summary report above, we see their website’s security scored 0 out of 100 because it has 19 vulnerabilities, including jquery 1.4.2 which is vulnerable and outdated. Honda.co.uk’s basic cybersecurity hygiene could be improved by making sure to not launch the website with vulnerable and old components — jquery 1.4.2 is from 2010. Similar issues were found after analysing honda.com.
Although we don’t know if these two components’ weaknesses contributed to the hack of Honda’s systems, while investigations are private, we know every software application is part of a company’s digital estate. Altogether, front end systems (like websites and mobile apps) and back end systems (like databases, servers, APIs that store or access a company’s customer data, intellectual property — the real business logic of the services) make up the digital estate. Any security hole is a vulnerable entry point for cyber criminals to exploit and gain unauthorized access to information or systems to cause damage. Last year in 2019, over 40GB of Honda’s data were breached, exposing details about internal systems and devices on their network. Cyber criminals have strategically targeted Honda again.
There are many strategies to build up an organization’s cyber resilience, including cybersecurity cultural awareness among employees and operational and software development best practices. Meterian helps customers reduce the time to detect, mitigate and resolve issues in applications’ software supply chain. These known vulnerabilities are easy to fix with Meterian because:
1. Safe coding practices can be easily adopted into the software development lifecycle
2. Automated controls fit directly into the software development workflow for continuous monitoring
3. Meterian can be set up to run continuously and prevent such vulnerabilities from going live
Most importantly, developers are empowered to recognise and address the issue early with information at their fingertips. As stewards of software, they can automatically cyber-proof their apps with Meterian so the business can run continuously and avert giving unwanted prying eyes unauthorized access to systems and data.
Good practices in cybersecurity can help protect a company’s reputation and growth. As we’ve also seen following the EasyJet hack incident revealed in May, business productivity and customer satisfaction can be adversely affected due to any cyber hack incident. You can read our recent analysis on easyjet.com’s website.
To see if your own public assets have open source vulnerabilities that anyone could find out about (and exploit to enter your systems), try our webscanner or project scanner.
There is no question that the automotive industry is one undergoing constant innovation and digital transformation. Nowadays, people expect to stay connected when commuting in their vehicles at all times and locations. Modern cars will have built-in navigation systems, Wi-Fi access, as well as in-vehicle infotainment systems (a combination of entertainment and information delivery to drivers). Alas, with the rise of new technologies, comes the rise of new hacks and gateways for cyber criminals to penetrate car systems.
Yet, it is also true that these cyberattacks are not just occurring out of new technologies, there is still clearly a lack of scrutiny over vulnerable open-source components within a company’s software code. This is confirmed by a 2019 survey by Synopsys and SAE International on current cybersecurity practices which found 62% of professionals interviewed believe malicious attacks on software and open source components are bound to occur in 2020 within the automotive industry. Clearly,these security holes are major contributors as to why malicious actors have been so successful in penetrating systems and networks.
This article intends to enlighten readers on the problems which certain hacks can cause to the automotive industry and its customers, as well as insight into ways this industry could prevent future exploits as part of their digital transformation.
What can go wrong?
Cyberattacks to the automotive industry can have health, financial and reputational consequences. Take the examples below:
A scary reality is if the hackers access the brakes or steering wheel. We have already seen an example of this in April 2019, where a hacker broke into two GPS tracking apps (ProTrack and iTrack). This resulted in access to personal data, the monitoring of the vehicle location and the ability to stop the engine altogether. This type of hack could cause serious accidents and therefore threatens the health and safety of the passenger.
Losing control of a web or mobile app also has its downfalls. Ransomware attacks or data breaches could expose a lot of sensitive data, as well as stop systems from running. As automotive companies compile a significant amount of this customer data, they become a plausible target for hackers. For example, in April 2019, Toyota announced a breach had exposed the data of up to 3.1 million customers. This disrupts the business, causes financial problems and most certainly diminishes the reputation of the company. Additionally, the leaking of software IP can also be damaging to a business, as it can give information to hackers for future exploits.
Cybersecurity is like a seatbelt
Until 1966, cars were often made without seat belts. But now, it would never cross the mind of any manufacturer to not include seatbelts in the design of a car, as it would be a major risk to the health and safety of the passenger. Here we can make a parallel with cybersecurity. In the same way there is a blatant risk of not wearing a seatbelt due to the possibility of a car accident, there is also a major risk of letting software-driven devices run without having secured their entire software supply chain to de-risk the possibility of a cyber attack via a vulnerable software component. Everyone should wear a seatbelt in a car, so why does the automotive industry not treat cybersecurity with the same mentality?
How to improve cybersecurity in a constantly evolving industry?
For manufacturers and suppliers in the automotive industry, there is a need to prioritise cybersecurity as part of the automobile’s e-safety. Collaborators in the automobile value chain must take into consideration the digital life cycle of the vehicle’s software as part of the vehicle’s holistic life cycle. Therefore producers of intelligent cars (or their electronic subcomponents) powered with software must include these 4 pillars:
A good baseline: understanding the relevant legislation in the OEM markets and making sure to uphold all the existing cybersecurity standards involved. This will help all parties deliver secure software.
Enforce a security-by-design culture within the engineering process. This should focus on secure development practices, software testing and new supplier-audit processes that include cybersecurity issues. Here there should also be testing or evaluating the components within code, to check for vulnerabilities.
Monitor the cybersecurity of cars on the road. This means having a clear view of a vehicle’s configuration and setting up a security operations center for cars. Here the center could use correlation and artificial intelligence to detect adverse events and respond efficiently. The use of new technologies adds to how the industry needs to digitally transform to address cybersecurity effectively.
Ensure software updates to vehicles pass security and safety tests. This should be run by the OEM through a software-engineering approach. This shows automakers are testing and securing changes to the vehicle as part of their continuous maintenance.
Look into the future. When investing in new technologies, understand how this will impact your business models, operational processes and the user experience. Successful transformations also depend on how firms manage digital transformation process through leadership and governance (not solely its implementation). If businesses don’t keep up with evolving technologies, how will they be able to keep up with the growing sophistication of hackers? Research by Accenture has highlighted the advantage which digital transformation provides to companies: early innovators are 67% more likely to outperform compared to 18% for market share protectors.
Let Meterian be your seat belt
Meterian can automatically inventory your open source components and analyse them to check if they are up-to-date or have any publicly disclosed security and licence risks. Get started on building a proactive defence for your customer data and software IP as your business goes through digital transformation. Try our FREE web scanner today to get a preview of what kind of potential vulnerabilities are in your website. We can provide more in-depth analyses for all your software code bases. Get in touch today.
Greetings App Sec community! Meterian is back with some .NET vulnerabilities which need some attention. Both these vulnerabilities are of a medium to high threat nature, so make sure to give this a read, it’ll be worth your while. The first case deals with a cross-site scripting vulnerability, whilst the second can cause a core denial of service issue. Don’t let hackers use this as a backdoor to your systems and networks. Stay protected people!
CVE-2019-1301: .NET Core suffers from a denial of service vulnerability when it improperly handles web requests.
CVE-2019-12562: There is stored cross-site scripting vulnerability in DotNetNuke (DNN) versions before 9.4.0, allowing attackers to store and embed malicious script into the administration notification page.
.NET Core / Microsoft.NetCore.App: 2.1.0-2.1.12 or 2.2.0-2.2.6
The first .NET vulnerability we bring to your urgent attention is a denial of service vulnerability which occurs when .NET Core improperly handles web requests. The affected versions are in any .NET Core based application running on .NET Core 2.1.0 to 2.1.12 or 2.2.0 to 2.2.6, and System.Net.Sockets 4.3.0. This is regarded as a high threat to security and should be tended to immediately.
How can you confirm if your .NET application is affected? Run the dotnet –info command to see the list of the versions you have installed. You will then see output as shown below:
If you see that you have a version of .NET Core which is less than 2.1.13 or less than 2.2.7, then unfortunately you are vulnerable. The same applies if you are using the meta-package “Microsoft.NETCore.App”, with the same version range. Please note that this also applies to the package System.Net.Sockets version 4.3.0.
What is .NET Core? It is an open source, development platform which is maintained by Microsoft and the .NET community on GitHub. It can be used to build device, cloud and IoT applications.
Why is this vulnerability such a threat? Firstly, the attacker who is successful in the exploit of this vulnerability would use the denial of service against the .NET Core web application. Not only can this vulnerability be exploited remotely, but also without authentication of the user-cum-attacker. A denial of service attack (DoS) is focused on making a resource unavailable for the purpose of its design. The unavailability of a resource can come in many forms: manipulating network packets, programming, logical or resource handling vulnerabilities. Sometimes the attacker may execute arbitrary code to access critical information or execute commands on the server. Generally, this type of attack would cause response delays, large-scale losses, interruption to services and therefore an impact on availability.
So how can you fix this issue? It is recommended to install the latest version of .NET Core but it depends on the versions which you have already installed. You may need to update if you have either version 2.1 (upgrade at least to 2.1.13) or 2.2 (upgrade at least to 2.2.7). If you are using the meta-package, upgrade the meta-package following the same version numbering. Also, if you are using System.Net.Sockets, please upgrade to version 4.3.1
You read right. DotNetNuke (DNN) has a cross-site scripting vulnerability before versions 9.4.0 which is allowing remote attackers to store and embed malicious script into the admin notification page. The success of this exploit occurs when an admin user visits a notification page with stored cross-site scripting.
A little information on DNN. First of all, it is a program that runs on Microsoft ASP.NET. It is also a framework, meaning it is a program designed to be extended. When you install DNN it can allow the creation of thousands of individual portals. These portals can then display pages and the pages display modules. More importantly, DNN is an open source web content management system meaning many businesses around the world rely on it for organisational purposes. DNNSoftware.com has over 1million registered members since 2013 and is used on nearly 750,000 websites globally. This might illuminate how many people could be affected by this vulnerability and why this needs urgent attention to avoid getting hacked.
The severity of this vulnerability is emphasized through the fact that stored cross site-scripting is the most dangerous type of cross-site scripting. The exploit could be used to perform any action that has administrator privileges. This includes: managing content, adding users, uploading backdoors to the server and more.
Once this vulnerability had been detected it was reported to the DNN Software Security Department who have fixed the problem and released a patch. Users should update to the latest version 9.4.0 of DNN to avoid any security holes within their systems and networks.
That is it from us…for now! Make sure to spread the word on these .NET vulnerabilities in order to help protect your apps or the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!
Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free. See the risks immediately and know which components to remove or upgrade to secure your app.