OpenSSF and OpenJS warn about social-engineering attacks
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to "address any critical vulnerabilities," yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 18:43 UTC (Mon) by willy (subscriber, #9762)
> Use strong authentication.
> Enable two-factor authentication (2FA) or Multifactor Authentication (MFA).
> Use a secure password manager.
> Preserve your recovery codes in a safe, preferably offline place.
> Do not reuse credentials/passwords across different services.
Keep it specific to this attack and link to the generic "good practices".
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 20:20 UTC (Mon) by sdalley (subscriber, #18550)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 20:43 UTC (Mon) by flussence (subscriber, #85566)
But, being serious for a minute: an entity can only be trusted insofar as it has *something to lose*. A crowd of firstname-bunchanumbers accounts with "secure email" addresses and the default identicon avatars (or reaction image templates from their 4chan meme folder) has absolutely nothing mortgaged, a trust multiplier of zero, no matter how many of them swarm a github project or bugzilla. These are non-persons. That property is transitive to any entity they vouch for, in the absence of other input.
It'd be much more productive for security to simply check whether the Weird Guy leaving drive-by essay comments trying to pressure the project owner into specific action does anything else with his life; most of them fail this check. *Especially* when the guy starts yelling "you must trust me here are my socials" and it turns out all they do all day is reblog product announcements.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 17, 2024 20:47 UTC (Wed) by mbp (subscriber, #2737)
And it's been documented that intelligence agencies have an established capability to build up social media trails for their personas, as you would expect they would. And of course taking on the name of a real person has been an established practice for centuries: on the internet they don't even need to be dead, just inactive in that particular space. If the maintainer had searched the internet for Jia Tan they would have found lots of hits -- it seems to be not an uncommon name.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 18, 2024 10:56 UTC (Thu) by Wol (subscriber, #4433)
That's not what the GP was saying though. ALWAYS treat people you don't know with a degree of suspicion. That's not to say they can't worm their way into your trust, but a little bit of "trust but verify" doesn't go amiss. If a quick search on LinkedIn or Facebook adds up, that's a plus point. If you can't find them, absence of evidence is not evidence of absence - I don't have a Facebook presence - but that should not make you trust (or distrust) them, it should just enhance the need for other checks. On the other hand, that search might well raise good cause for alarm - act on it!
If they come into your project demanding (or even just requesting) social change, check out their social credentials.
If they come into your project with drive-by code, check out their code! I have a long history in MultiValue - I know most people in the ScarletDME space going back possibly even before the first line of ScarletDME code was written - I have strong social cred. Still doesn't mean they should trust my programming ability :-) but the chances of me being malicious are pretty much nil.
I know it's hard, but you can't accept people at face value - especially if it's the internet and you can't see their face :-) Accept what they're offering with a pinch of salt until you really get a feel for what sort of guy they are.
Cheers,
Wol
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 18, 2024 11:26 UTC (Thu) by farnz (subscriber, #17727)
The challenge with the sorts of social checks you're talking about is that they're the things that a competent adversary can build up and keep in reserve to deploy later, while young new contributors simply don't have the lifespan so far to have built up social credentials.
Checking their code is important, but again is something that a competent adversary can do; Jia Tan's code was decent, for example, up until they had enough trust established to abuse it. Ultimately, this is a very hard problem; one of the biggest problems intelligence agencies have is that they work in a "trust no-one" world, and verifying everything is a big problem.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 16, 2024 2:32 UTC (Tue) by gdt (subscriber, #6284)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 16, 2024 6:48 UTC (Tue) by LtWorf (subscriber, #124958)
I personally don't see the value in it. Plus I'm moving off from GitHub; I have accounts on 3 other git services. I don't understand this corporate fixation that all FOSS is on GitHub. In fact the bigger projects tend to not be on GitHub.
https://web.archive.org/web/20240331024907/https://openss...
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 17, 2024 11:42 UTC (Wed) by weal (subscriber, #168153)
Lately I see things like GitHub and LinkedIn and it just seems like they are money hustlers trying to ruin the industry.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 17, 2024 15:03 UTC (Wed) by LtWorf (subscriber, #124958)
PyPI (bankrolled by Google) implemented the whole "Trusted publishers" thing (that only works for 1 publisher: GitHub).
Coincidentally (?) GitHub banned Russian users when the USA government told them so.
A while ago a Google employee indicated that all open source contributors should be identified and not anonymous/pseudonymous.
It seems pretty clear to me that Google and Microsoft are cooperating towards that goal, mostly for regulatory purposes of being able to say that no nationals from "bad" countries contributed to the code being used in the past X months.
I'm not Russian, but perhaps the USA will ban my country next? I don't know. I doubt it's best to not rely on GitHub, I think.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 19:06 UTC (Mon) by jafd (subscriber, #129642)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 21:59 UTC (Mon) by JoeBuck (subscriber, #2330)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 15, 2024 22:10 UTC (Mon) by mgb (guest, #3226)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 16, 2024 2:32 UTC (Tue) by bersl2 (guest, #34928)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 16, 2024 9:03 UTC (Tue) by pm215 (subscriber, #98099)
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 18, 2024 0:41 UTC (Thu) by NYKevin (subscriber, #129325)
It can be both. There are ~200 countries in the world. Not all of them have intelligence agencies on par with the US, China, or Russia.
OpenSSF and OpenJS warn about social-engineering attacks
Posted Apr 17, 2024 11:45 UTC (Wed) by weal (subscriber, #168153)