There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.
The DevOps automation firm’s annual State of the Software Supply Chain report features global analysis from 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys.
It claimed supply and demand of open source components is at an all-time high, with over 146 billion download requests of Java components in 2018: a 68% increase on 2017 figures.
Yet while these downloads help to speed up DevOps, they also introduce potential risk. The report found that over 51% of Java package downloads have a known security vulnerability, as do 1 in 10 Java component releases.
The 21,000 vulnerable open source components downloaded by UK firms amount to nearly 9% of all their downloads last year. More worrying still, nearly a third (30%) of those components carried critical vulnerabilities.
The report also highlighted the number of firms using the infamous vulnerable Apache Struts component responsible for the Equifax breach, which affected an estimated half of all adult Americans.
It revealed that downloads of the component actually increased by 11% in the year following the 2017 breach — amounting to 2.1m each month.
However, there was some cause for optimism: the report identified 295 open source projects with exemplary coding practices, using automated tools to remediate known vulnerabilities more quickly and to keep dependencies up to date.
“We have long advised businesses that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive.”
An online forum focused on discussion of all things social engineering has been breached, with the details of tens of thousands of account holders compromised.
Social Engineered administrator “Snow101” explained to users in a post late last week that the hackers exploited a vulnerability in open source forum software MyBB.
The admin claimed they had been forced to move the platform over to XenForo, asking users to chip in to help pay for the migration.
The breach itself happened on June 13, 2019 and compromised 89,392 accounts, according to information on HaveIBeenPwned.
It claimed the details were published on a rival hacking forum, and included around 89,000 unique email addresses linked to 55,000 users and other tables in the same database.
“The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes,” it added.
Tripwire vice president, Tim Erlin, warned that, ironically enough, email addresses are often used in follow-on phishing raids and other social engineering attacks.
“This type of sensitive data can be used to the benefit of the attacker in a variety of ways, including identity theft and impersonation,” he added.
“MD5 is not a secure algorithm for hashing passwords. It has well-known flaws and is generally understood to be insufficient for protecting sensitive data of any kind.”
However, the very nature of the forum may well mean hackers have a hard time monetizing the data, Erlin claimed.
“If you were going to choose a user base that’s especially difficult to target with phishing and other social engineering-based attacks, this would certainly be near the top of the list,” he said.