OpenSSF Issues Guidance to Help Prevent Social Engineering Attacks

These tips can help secure your open source project.

The recent XZ Utils backdoor attempt may not be an isolated incident, and project maintainers are urged to watch for unusual activity, according to the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation.

In a recent blog post, the foundations jointly called upon “all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.”

In collaboration with the Linux Foundation, the two foundations have put together a list of warning signs to help maintainers and others spot suspicious patterns, including:

  • Requests to be elevated to maintainer status by new or unknown persons
  • Endorsement coming from other unknown members of the community who may also be using false identities
  • Pull requests containing blobs as artifacts
  • Intentionally obfuscated or difficult to understand source code
  • Deviation from typical project compile, build, and deployment practices
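Three of those warning signs (blobs in pull requests, obfuscated source, and changes to build plumbing) are visible in the changeset itself and can be pre-screened before a human reviewer looks at it. The script below is an added illustration of such a pre-review scan; it is not part of the OpenSSF guidance or of any project's tooling. The file names, thresholds, regular expressions, and sample changeset are all assumptions constructed for the example.

```python
"""Heuristic pre-review scan for warning signs visible in a changeset:
opaque binary blobs, obfuscated source, and edits to build/CI plumbing.
Hypothetical example; every threshold below is an assumption to tune per project."""
import math
import os
import re
from collections import Counter

# Assumed thresholds: prose and source code sit around 4-5 bits/byte,
# compressed or encrypted data near 8; minified/obfuscated code has very long lines.
ENTROPY_THRESHOLD = 5.5
LONG_LINE = 400
BINARY_EXTS = {".bin", ".gz", ".xz", ".lzma", ".zst", ".tar", ".zip", ".7z", ".o", ".a", ".so"}
# Assumed set of build/CI files whose modification always deserves a line-by-line read.
BUILD_FILE = re.compile(
    r"(^|/)(configure(\.ac)?|Makefile(\.am|\.in)?|CMakeLists\.txt|.*\.m4|"
    r"meson\.build|setup\.py|pyproject\.toml|\.github/workflows/.*\.ya?ml)$"
)
TEXT_BYTES = bytes(range(32, 127)) + b"\n\r\t\f\b"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_binary(data: bytes) -> bool:
    """NUL bytes or a large share of non-printable bytes mean this is not source text."""
    if not data:
        return False
    if b"\x00" in data:
        return True
    nontext = sum(1 for b in data if b not in TEXT_BYTES)
    return nontext / len(data) > 0.30


def review_change(path: str, data: bytes) -> list[str]:
    """Return the warning-sign labels that apply to one added or modified file."""
    findings: list[str] = []
    if BUILD_FILE.search(path):
        findings.append("build/CI plumbing changed: review line by line")
    ext = os.path.splitext(path)[1].lower()
    if ext in BINARY_EXTS or looks_binary(data):
        findings.append("binary blob")
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings.append("high entropy (compressed or encrypted payload)")
        return findings
    text = data.decode("utf-8", errors="replace")
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        findings.append("very long lines (minified or obfuscated?)")
    # Decode-then-execute is the classic shape of a hidden payload loader.
    if re.search(r"\b(eval|exec)\s*\(", text) and "base64" in text:
        findings.append("eval/exec of decoded data")
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high-entropy text (packed or encoded code?)")
    return findings


def review_changes(changes: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a whole changeset; only files with findings are returned."""
    report: dict[str, list[str]] = {}
    for path, data in changes.items():
        findings = review_change(path, data)
        if findings:
            report[path] = findings
    return report


# Constructed sample changeset, standing in for the files named by `git diff --name-only`.
SAMPLE_CHANGES = {
    "src/add.c": b"#include <stdio.h>\n\nint add(int a, int b)\n{\n    return a + b;\n}\n",
    "tests/fixtures/sample.xz": bytes(range(256)) * 4,  # stands in for an opaque test blob
    "scripts/helper.py": b"exec(__import__('base64').b64decode('" + b"A" * 500 + b"'))\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\nAC_OUTPUT\n",
}

if __name__ == "__main__":
    for path, findings in review_changes(SAMPLE_CHANGES).items():
        print(f"{path}: {', '.join(findings)}")
```

In practice the dictionary would be filled from the pull request's changed files rather than constructed inline. The scan is deliberately noisy: a legitimate compressed test fixture or a real build fix will trip it too, and that is the point. The flagged file is then read by a trusted maintainer rather than merged on the strength of an endorsement from an unfamiliar account.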

They also offer guidelines for securing your open source project.

Learn more from OpenSSF.
04/18/2024
