
Resources to help protect developers (humans) from attacks similar to the xz backdoor compromise

Open SecurityCRob opened this issue 1 year ago • 7 comments

We discussed today in our call about the need to find, identify, and evangelize resources that are available to developers and maintainers to help detect social engineering, identify and defend against bully behaviours pressuring maintainers into making choices they otherwise would not have, and to help them cope with stress, self-care, and have a network of persons or resources to be able to reach out to in times of crisis.

We will be collaborating together to help assemble these resources and then make plans to help share them with the community.

SecurityCRob, Apr 03 '24 17:04

For a very good timeline on the incident: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

SecurityCRob, Apr 03 '24 17:04

Just want to post a couple of links with decent references to social engineering:

https://www.ibm.com/topics/social-engineering
https://www.eset.com/fileadmin/ESET/INT/Landing/2021/Project_progress/ESET-Social_engineering_handbook.pdf

However, there don't appear to be any open source developer-specific resources (training or guides), so we may need to create our own document geared for the OS community based upon all the information that's currently out there.

nathan-menhorn, Apr 04 '24 20:04

I saw this similar example from 2020 in the Software Supply Chain Security newsletter that we may want to reference:

One of the maintainers of the F-Droid project (an open-source Android app store) highlighted a similar incident from 2020 where a new contributor offered up a PR to improve search in the product, combined with heavy pressure from other accounts to merge the PR. In the end, they discovered that the PR introduced a SQL injection, and rejected the patch. Once the PR was rejected, the submitter deleted their account and disappeared…

taladrane, Apr 05 '24 13:04

I've been reviewing and collecting some government-created resources around Insider Threat. The organizations and resources I've looked at so far are below.

The main challenge is very few of the behaviors/indicators of potential insider threat are relevant in the OSS community. Same with the mitigations. So, the fun part will be understanding/documenting the "normal" behavior for the OSS community and then extrapolating the indicators where insider threat activity is a possibility. An exciting challenge to say the least.

Resources so far:

National Counterintelligence and Security Center
https://www.dni.gov/files/NCSC/documents/nittf/20180209-CERT-Common-Sense-Guide-Fifth-Edition.pdf
https://www.dni.gov/files/NCSC/documents/products/Insider_Threat_Brochure.pdf

CISA resources
https://www.cisa.gov/topics/physical-security/insider-threat-mitigation
https://www.cisa.gov/sites/default/files/2022-11/Insider%20Threat%20Mitigation%20Guide_Final_508.pdf

NATO CCDCOE
https://ccdcoe.org/uploads/2018/10/Insider_Threat_Study_CCDCOE.pdf

underkay, Apr 05 '24 14:04

Thanks @underkay.

@SecurityCRob could you take an action for our meetings to see if our non-US members have access to the .gov resources? Thanks!

nathan-menhorn, Apr 05 '24 14:04

https://github.com/giuliacassara/awesome-social-engineering
https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html
https://www.knowbe4.com/what-is-social-engineering/

SecurityCRob, Apr 11 '24 18:04

https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html

SecurityCRob, Apr 11 '24 18:04