Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.
This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.
“Account takeovers are the second most common attack on software supply chains,” explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. “The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks.”
Software supply chain attacks have been at the forefront of online security concerns since December 2020 when security firm FireEye said its systems had been compromised and it later emerged that Russian intelligence operatives had injected malware into SolarWinds’ Orion monitoring tool. Having backdoored some 18,000 companies, SVR hackers were able to conduct attacks on about 100 of them.
With software package registries distributing millions of code libraries on a daily basis – and repeated reports of account compromises as well as proof-of-concept attacks – those overseeing open source package registries have been under pressure to up their security game.
And so they should, because software developers aren’t stepping up. Only 47 percent of CIOs in a recent survey said their organizations checked the provenance of open source libraries used in their apps.
RubyGems began formulating its MFA push earlier this year. Presently just a recommendation, the package registry intends to make MFA mandatory for maintainers of popular gems (packages) on August 15, 2022.
Li said this will align RubyGems’ policies with those of the NPM (Node Package Manager) registry and its owner, Microsoft’s GitHub.
RubyGems also supports another package security measure: signed packages. However, few developers bother to sign. According to security firm Tidelift, a pitiful 1.4 percent (2,216 of 157,640 gems) of latest-version gems were signed as of March 2020.
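The signing figure above is easy to reproduce for your own environment: a gem built with a signing key carries the signer's certificate chain in its specification, so an unsigned gem is simply one whose `cert_chain` is empty. The script below is an added illustration, not code from RubyGems or Tidelift; it classifies gem specifications as signed or unsigned, reports the signed percentage for a set of specs, and can be pointed at every gem installed in the current Ruby. The sample specifications and the PEM placeholder are constructed for the example and are not real gems.

```ruby
require 'rubygems'

# A gem built with `gem build --sign` (or a gemspec that sets signing_key)
# records the signer's certificate chain in spec.cert_chain. An empty chain
# means the gem was published unsigned.
def gem_signed?(spec)
  chain = spec.cert_chain
  !chain.nil? && !chain.empty?
end

# Summarize signing coverage for a collection of Gem::Specification objects.
# Returns counts, the full names of unsigned gems, and the signed percentage
# rounded to one decimal place (the same shape as the Tidelift statistic).
def signing_report(specs)
  signed   = specs.select { |s| gem_signed?(s) }
  unsigned = specs.reject { |s| gem_signed?(s) }
  total    = specs.size
  pct      = total.zero? ? 0.0 : (signed.size * 100.0 / total).round(1)
  {
    total: total,
    signed: signed.size,
    unsigned: unsigned.map(&:full_name),
    percent_signed: pct
  }
end

# Audit every gem installed for the running Ruby interpreter.
def audit_installed_gems
  signing_report(Gem::Specification.to_a)
end

# Constructed placeholder standing in for a real PEM certificate; a genuine
# signed gem holds the actual signer certificate(s) here.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"

# Constructed sample specifications so the script runs offline.
SAMPLE_SPECS = [
  Gem::Specification.new { |s| s.name = 'example-signed';   s.version = '1.0.0'; s.cert_chain = [CONSTRUCTED_PEM] },
  Gem::Specification.new { |s| s.name = 'example-unsigned'; s.version = '2.3.1' },
  Gem::Specification.new { |s| s.name = 'example-empty';    s.version = '0.1.0'; s.cert_chain = [] }
]

if $PROGRAM_NAME == __FILE__
  report = signing_report(SAMPLE_SPECS)
  puts "#{report[:signed]}/#{report[:total]} sample gems signed (#{report[:percent_signed]}%)"
  puts "Unsigned: #{report[:unsigned].join(', ')}"
end
```

Run it as a script to see the constructed sample, or call `audit_installed_gems` from `irb` to get the same report for the gems actually installed. A non-empty `cert_chain` only tells you a gem was signed, not by whom; enforcing that the chain is trusted is done at install time with RubyGems' trust policy (for example `gem install -P HighSecurity`), which rejects unsigned gems outright and is rarely usable in practice precisely because so few gems are signed.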
In February, GitHub required the maintainers of the top 100 NPM packages to adopt MFA and has been expanding mandatory participation to other package maintainers while diversifying the kinds of second factor devices usable for authentication. GitHub aims to have all users who contribute code avail themselves of MFA protection by the end of 2023.
That same month, GitHub parent company Microsoft began a push to add MFA support for package authors at NuGet – the .NET package registry.
The Python Package Index (PyPI) took an early lead in supporting MFA and API tokens for uploads back in January 2020. But these security measures have not yet been made mandatory, due to a lack of funding and support staff (needed to handle account recovery requests when people lock themselves out of their accounts).
As RubyGems and other package registries roll out stronger account takeover defenses, expect miscreants to explore alternative attack strategies – like buying package registry accounts in order to subvert purchased code and creating malicious packages using names that are similar to established popular libraries to dupe the unwary. ®