If you're using this hijacked NPM library anywhere in your software stack, read this The US government's Cybersecurity and Infrastructure Security Agency (CISA) has warned developers that a version of the ua-parser-js JavaScript library, available via NPM, was infected with data-stealing and cryptocurrency-mining malware. The package, which is fetched nearly eight million times a week, is used by software to …
I mean, let's assume the decryption works, and is faster than restoring your backups - both really long shots.
There's no way you can't possibly actually trust any of the data you "get back" anyway.
They could - and almost certainly did - put further unwelcome surprises in there. Or change a few important numbers - it's not like spotting "things that look like bank details" is hard, for example.
Yup, my parents watch local news off KGAN (sinclair station); it is still autonomous enough that they didn't go off the air or have dead air instead of ads or whatever.
But it must have killed the teleprompters, the one day they switched to another channel because the newscasters were just like "bare with us we are having technically difficulties", next day (and still I think...) they've been reading off of like 6 inches of printouts sitting in front of them.
This is made very difficult by the way NPM works. Because NPM doesn't just pull down the library you want, but also the dependencies of that library, recursively. So you may have vetted one library, but missed all of it's dependencies dependencies. Add that to short development timelines (unless you're doing government work) and checking all the sources is a nearly impossible task, especially when code is updated all the time.
Add that to the fact that the current JavaScript ecosystem is heavily dependent on NPM and you have a recipe for disaster.
Recipe that apparently everyone is happily walking straight into, because then it's someone else's fault.
What should be done is have a build server, make sure your code works there, then port all the used code to the production server and LOCK IT DOWN. No more calls to outside libraries, everything is on-site and under control.
When the build server gets an update, CHECK THE UPDATE. Yes, AND ALL DEPENDANCIES.
It's called security. Nobody said it was easy.
I was wondering this too: is there any sign yet of any drive encryption ransomware that can infect unix servers, or are they just going for the low hanging fruit?
Sure, many of the users who will sadly fall for the "clicky link here" or "importanttt!!! file download" phishing emails may be using Windoze, but in many organisations their important work files will be stored on network drives mounted from unix servers.
I guess potentially the payload might be able to start opening and rewriting (encrypting) files on the server that the user's account can access from the user's computer, but the chances of the malware creators additionally also shipping the right sort of executable for any of numerous Linux or other unix distros to run on the server (and the user's account actually having permissions to run executables there, and so try to worm its way from there into backups) must be pretty negligible?
A good example of why a bit of heterogeneity is surely a good thing?
The one MASSIVE benefit that the Internet originally brought was interoperability (which is a word I needed some time to actually pronounce, but I digress :) ). It is also the single most important thing that every online vendor wants to get rid of: everyone is trying to create their own locked ecosphere..
Should read: Microsoft, who own both GitHub and NPM these days, [don't really seem to give a shit?]
For a package to be hosted on NPM and be available to normal users via the standard 'npm install' / 'npm update' commands, SURELY it should have to be signed-off by more than one developer, and ideally had a supervisory glance from someone at Microsoft.
I'm sure PyPi do this.. Debian certainly do.
Embrace, Extend... Exonerate all responsibility?
Gotta love Microsoft for buying up the competition and then disclaiming any responsibility for good stewardship.. It's almost as if it buys the open source competitors only to let them rot and die inside its macrophage-like belly. Nah Microsoft would never do that.
This is why I am not a fan of open source software. One bloke maintaining a vital bit of software in shed with bad browsing habits, a lax attitude to security and passwords could bring your company to its knees.
Yes I know it is not all of them but do you know for certain which are good, safe, secure well maintained, patched in a timely manner and which are not all of those?
Those are the perils of open-source software. Closed-source software suffers from having no insight on the inner workings at all. It could be riddled with flaws and if the developer walks off you're totally SOL. You also missed the point if you have issues with open-source software you can fix them yourself (maybe you can't, but I definitely can).
There is no panacea, but I think software that's developed open-source but with a big corporation paying the bills is a good middle ground. E.G. .NET Core, My SQL. That way you know it's likely to keep going, but if it doesn't you can pick up the code and fix it yourself or maybe someone else will.
You have to be a fuckwit to use NPM.
Also if your including shit not hosted on your own server, your a fucking idiot. (have you seen how many external sites a lot of "professional" web sites, pull crap from!!, I've seen quite a few that pull from as many as 50+domains, fucking crazy!).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
