Banner image of Monthly review – February 2021

Monthly review – February 2021

Each month, we publish a review that covers essential activities of the last 30 days. This month, we discuss “Dependency confusion” attacks, malware for Apple’s M1, “Dynamic State Partitioning” in Firefox 86, and more.

Always stay in the loop!
Subscribe to our RSS/Atom feed.

News of the month

Let us recap the following news:

“Dependency confusion” attacks

Researchers presented another supply-chain attack, called “dependency confusion” or “substitution attack.” This attack targets companies that develop software with lots of dependencies.

When developers use private and public repositories to retrieve packages for their application, their package manager may prioritize the public repositories over the private ones. In this scenario, an attacker may create a public repository with the same name as an internal one. Then, the package manager retrieves the package that the attacker controls. The researchers successfully targeted 35 major tech companies with a non-malicious proof of concept.

If you use multiple repositories for your software project, you should check and understand your package manager’s configuration and behavior. The attack applies to pip, Maven, Gradle, NuGet Gallery, npm, RubyGems, etc. Define controlled scopes such as prefixes or namespaces in the configuration of your package manager. If possible, use version pinning and verify the integrity of packages, especially private packages' integrity.

Malware for Apple’s new M1 chip

Bad actors adapted their malware to support the Apple M1 chip natively. Apple presented its first ARM-based SoC in November 2020.

While this discovery shouldn’t surprise any security professional, it should highlight the ubiquity of malware: You find malware in apps for smartphones, malware in extensions for web browsers, malware as a self-propagating nightmare in industrial networks. If you dig a little deeper, you find more malware attached to e-mails and malware as “chain letters” in instant messengers or on social networks.

The good news is that most malware never reaches your devices. Even if malware reaches your devices, it may not run as your device doesn’t meet specific requirements for it to execute successfully. However, the risk of getting infected by malware still exists, even when it is unlikely for most people.

This fact brings us to “What should I do?” As always, we recommend a mix of distinct security measures based on the NIST Cybersecurity Framework:

  • Identify: Know what data on your devices is vital for you (e.g., photos, documents) and where you store it.
  • Protect: Keep the software on your device up-to-date. Turn off features that you never use. Think twice before opening unsolicited files attached to e-mails or installing software. Back up important data frequently.
  • Detect: Frequently scan your files for malware. Yes, anti-malware software doesn’t come with 100% rock-solid malware protection. And yes, anti-malware software can contain security vulnerabilities. However, both applies to any piece of security software, including OpenSSH, Firejail, Fail2ban, and iptables.
  • Respond: If you detect malware, act accordingly. At work, report this incident as required. At home, disconnect storage devices and isolate the device from any networks.
  • Recover: After an infection, restore your files and devices. It may be necessary to reinstall the operating system and scan all files.

As always, security requires a mix of distinct measures to achieve a high level of protection. And no, “I’m secure since my machine runs Linux” is another myth.

Firefox 86 adds ‘Dynamic State Partitioning’

Last December, we covered Mozilla’s plan to add client-side storage partitioning. Firefox divides client-side storage partitioning into a permanent “Network Partitioning” and a “Dynamic State Partitioning.” Firefox 85 enables Network Partitioning by default.

This month, Mozilla released Firefox 86. The latest Firefox 86 comes with “Dynamic State Partitioning” (aka “Total Cookie Protection”). Dynamic State Partitioning is enabled if you set the privacy protection level to “Strict” in Firefox. Contrary to Network Partitioning, the Dynamic State Partitioning dynamically changes depending on the context. For instance, Firefox 86 isolates cookies for third parties by the top-level site. However, a third party may still access these cookies in specific contexts (e.g., when used for sign-in).

Currently, Mozilla realizes the dynamic approach by implementing “Storage Access Heuristics.” The goal is to make certain APIs of the web browser more resistant to tracking while maintaining their original functional purpose. Mozilla describes both approaches in a detailed technical report.

Data breaches and leaks

In February, Have I Been Pwned added information about the following breaches:

  • Pixlr (breached in October 2020)
  • StoryBird (breached in August 2015)
  • (breached in May 2017)
  • CityBee (breached before February 2021)
  • NetGalley (breached in December 2020)
  • People’s Energy (breached in December 2020)
  • NurseryCam (security flaws identified in February 2021 – they added NurseryCam for notifying affected people only)
  • (breached in 2020 or 2019)

Check if you were affected, and change your credentials.

Our activities of the month

Fourth server migration

In February, we migrated our content to a new server once again. The new server requires less energy and better fits our current use cases. We further optimized the underlying operating system and web server, which results in an even faster loading speed when accessing our content. Does this sound like marketing yada yada? Maybe, but our combination of modern features and static content results in a swift website. A welcomed side effect is a web server that is more secure than most WordPress setups out there.

Goodbye, OpenPGP (for e-mails)

This month, we removed OpenPGP for e-mails. In 2020, 99% of e-mails we received were in cleartext. The remaining senders often struggled with OpenPGP. For instance, two readers attached their private OpenPGP key to their e-mails, rendering encryption useless. Even “security researchers” failed to encrypt their e-mails when contacting us.

We stopped providing an OpenPGP key for these reasons.

New content

We published one article in February 2021:

  • CVSS myths: CVSS is the de facto standard for rating the severity of security vulnerabilities. In this article, we debunk three myths that we see over and over again.

Read also