Published 03/08/2017
Development security concerns

Not scared yet? Read...

There are many attempts to hack others: to display ads, steal data, earn money, or just to be evil and encrypt data with no way back.

Be safe.

This post describes a few recent breaches and a few rules for not becoming a victim.

Node.js npm repository malware

Be cautious which npm packages you install.

Recently there was malware in an npm package called crossenv. You may already know a package with a similar name, because it is very popular, but the trick is that the official package is cross-env: forget to type the dash and you install the malware instead.

https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry

npm now holds that package name: https://www.npmjs.com/package/crossenv

There is also a more recent flaw from 2021: https://thehackernews.com/2021/11/two-npm-packages-with-22-million-weekly.html

And there might be many others.

To prevent possible issues, always verify that you are installing the package from its verified owners.
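One way to catch a crossenv-style near miss before it is installed, as an added example that is not code from the original post or from npm: compare every dependency name in package.json against the names you actually intend to use and flag anything one edit away. KNOWN_PACKAGES and samplePackageJson are constructed for the demonstration.

```javascript
// Added example, not code from the original post: flag dependency names that
// sit one edit away from a well-known package name (crossenv vs cross-env).
// KNOWN_PACKAGES and samplePackageJson are constructed for this demo.
'use strict';

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Reference set of package names you actually intend to use.
const KNOWN_PACKAGES = ['cross-env', 'lodash', 'express', 'react', 'webpack'];

// Returns [{ name, lookalike, distance }] for each dependency that is not in
// the known set but is at most maxDistance edits away from a known name.
function findLookalikes(dependencies, known = KNOWN_PACKAGES, maxDistance = 1) {
  const knownSet = new Set(known);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (knownSet.has(name)) continue; // exact name: the genuine package
    for (const k of known) {
      const distance = editDistance(name.toLowerCase(), k);
      if (distance <= maxDistance) findings.push({ name, lookalike: k, distance });
    }
  }
  return findings;
}

// Constructed package.json contents: one genuine name and two near misses.
const samplePackageJson = {
  dependencies: { crossenv: '^5.0.0', lodash: '^4.17.21', expresss: '^4.0.0' },
};

// In a CI step, a non-empty result would fail the build before "npm install".
for (const f of findLookalikes(samplePackageJson.dependencies)) {
  console.log(`suspicious "${f.name}": looks like "${f.lookalike}" (${f.distance} edit)`);
}
```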

Node.js security scan

To be safer, you can integrate an automated check that finds vulnerable dependencies.

It's called nsp.

Once integrated into your build process, if nsp finds a vulnerable dependency (or a vulnerable version of one), it immediately stops your build, and you will be forced to remove the risky package.

See https://github.com/nodesecurity/nsp

Chrome extension hijacking

Extensions in Chrome are massively used. Did you ever think that some of your extensions might contain malicious code?

The answer might be yes, as some popular extensions have already contained malware:

It's really hard to prevent this kind of attack, but a basic tip is to not install many extensions that you don't really need. Keep in mind that many extensions have access to the whole content of the websites you are browsing (e.g. internet banking).

If you are a developer, you need many extensions, and many of them have access to the whole content of websites. My advice is: never use your browser for development (with dev extensions) for browsing the web, like email, bank or shops. Instead, create a different profile without dev extensions, or use another browser for general use.

I like to use the combination of Firefox for "safe browsing" and Chrome for development.

Electron critical flaw

The popular Electron (Node.js) framework has (had) a critical flaw. It affects all apps written for Electron, like Spotify, Slack, Skype (new), VS Code, Atom, and more.

Apps are fixing it pretty quickly, but it's still something that might cause security concerns.

More details here: https://thehackernews.com/2018/01/electron-js-hacking.html

Java Log4j (late 2021) vulnerability

Scary as it might sound, to quote: "It means that any website or server on the Internet that uses a popular Java logging software called log4j can be instantly hacked"

See the thread: https://twitter.com/musalbas/status/1469297973704245260

Hardware vulnerabilities

Spectre. Meltdown!

These were found after many years of use of the processor architecture. An attacker might read/modify another application's data through a special set of processor instructions.

This affects millions of computers using Intel and AMD architectures.

Generally there is no special way to protect yourself :o, only to rely on verified software and vendors' hotfixes, which were applied pretty "quickly".

Other general security tips

HTTPS (SSL)

Use HTTPS everywhere.

If you are a web developer, always serve websites with a valid SSL certificate. You can even get one for free from Let's Encrypt.

Never trust websites without certificate.

Firefox even displays a warning if a website lets you type text into fields but doesn't have a certificate active.

Without SSL (HTTPS), you are sending data without any encryption, so potentially anyone can read your communication.

Disable Punycode in the URL address bar

Some Unicode characters look alike, which opens a large attack vector and an easy way to trick even advanced users.

https://www.xudongz.com/blog/2017/idn-phishing/

Prevention: disable Unicode "punycode" addresses. In Firefox: about:config -> set network.IDN_show_punycode to true.

Always use DKIM on emails

There is a very easy way to pretend to be someone else over email. A quite powerful method of protecting against this (spoofing) is to check DKIM.

For Thunderbird there is a good addon: https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/

Two-step verification

Use two-step verification whenever you can.

Most services and websites already let you set up two-step verification with SMS or Google Authenticator (or something similar).

Note that Google Authenticator is much safer than SMS. Once you set up a new website, it works completely offline, while SMS can more easily be "caught", by sniffing the GSM network or with applications on your phone. Another very popular hack is SIM swap; read more about the SIM swap technique here.

Conclusion

Never underestimate attackers. Whether you are on Mac, Windows or Linux, there are always people who want your computer's power or your data.

And if you learned even a single new security tip from this article, I will be happy! If you already knew all of it, that's even better.