Re: Netbeans and malware article
Hi, I like the wording. In fact, it is more a Github project maintainer issue that didn't filtered a new file on his repo. The fact this repo was based on an IDE and that the threatening file exploit this infirmation could lead to more risk using source code from public repo, with Netbeans or not. So the blog entry could also suggest the start of an IDE proper tech answer to mitigate this risk. I think all IDE will have to provide something to mitigate this risk otherwise, the open source will be at risk. Providing an answer is something to do right now to inject trust. On Sat, 30 May 2020 at 15:57, Emma Atkinson wrote: > I wouldn't treat this as a negative thing about which to be defensive. It > can be positive and show the team in a good light. > > Here's a suggestion > > We are aware of news report ... etc. > We contacted the researchers behind the news. They found 26 infected > projects. The owners have been contacted and their accounts have been made > private, which we think is the correct action. > We contacted the researcher who has given us some additional information. > We will examine the information to identify whether there is anything we > could add or change to Netbeans. There appears to be no need for urgent > action ahead of the imminent release of Netbeans IDE version 12. > > Perhaps add. > > We welcome suggestions from Netbeans users. Please send your constructive > proposals and suggestions to . > > Then give the key details of the problems uncovered. > > > Just a suggestion. > > Emma > > > > > On Sat, 30 May 2020, 14:11 Geertjan Wielenga, wrote: > >> >> OK, I’ll put together a blog we can refer to that will say this — >> “research has been done on GitHub that identified 26 small Ant-based Java >> projects, mostly games, some of them by the same person, none of the >> projects appeared to be enterprise/professional, that had been infiltrated >> by malware. The projects have been set to private on GitHub and the project >> owners have been approached about this. The malware campaign has had very >> low impact and is considered by GitHub to be over.” >> >> Most of the above is not in the research article, but comes from me >> asking repeated questions on Twitter to the guy behind tbe report. >> >> Gj >> >> >> On Sat, 30 May 2020 at 13:57, Emilian Bold >> wrote: >> >>> Note this is not a CVE since it's not a NetBeans vulnerability. >>> >>> Executing any build will run with the local user privileges on any >>> popular IDE and injecting something dubious in a build is trivial. >>> >>> Still, I think GitHub could have approached the Apache security team so >>> the NetBeans PMC has a reply to this. >>> >>> It would be trivial to push a check for that cache.dat file but it's not >>> the role of the IDE to play at being an antivirus. >>> >>> --emi >>> >>> sâm., 30 mai 2020, 14:03 Geertjan Wielenga a >>> scris: >>> It seems to me like we should put out a blog entry with some response to this. Just so that we have a central point to refer to when people ask about this. However, I have no idea what that blog entry should say, beyond “if someone wants to do so, they can inject malware into the build process of software, here’s an example of how they can do that”, and then point to that report. Gj On Sat, 30 May 2020 at 12:08, Emma Atkinson wrote: > Should someone from the Apache Netbeans governing team, approach > Microsoft for information on this matter? > > I would have thought Microsoft GitHub would welcome any approach that > might go some way toward tackling the problem. Knowing details should > enable the Netbeans and NetbeansIDE communities to help. It would also be > good for the public to know Apache Netbeans takes these matters as > seriously as Oracle would have done. Be on the front foot. > > This might be a matter of reducing risk rather than eliminating a > vulnerability. Any fix may not involve much effort. Perhaps a written or > updated guide might be all that is needed. If the contaminated accounts > belong to computer science students, perhaps some changes to Apache > Netbeans IDE defaults, or added warnings would help users avoid > inadvertent > contamination of their code or build environments from untrusted origins. > A > general lesson in good practice perhaps. > > Emma > > > On Sat, 30 May 2020, 09:32 Emilian Bold, > wrote: > >> I'm leaning towards this being a student project honestly. Why would a >> company developing a legacy project grab random unknown Ant-based >> projects from GitHub? >> >> But NetBeans is used a lot for teaching and I suspect teachers don't >> introduce Maven / Gradle since they are more complex and they use the >> default Ant-based build system. >> >> So, if a smart student wants to troll his fellow students it does
Re: Netbeans and malware article
On 5/30/20 8:11 AM, Geertjan Wielenga wrote: > OK, I’ll put together a blog we can refer to that will say this — > “research has been done on GitHub that identified 26 small Ant-based > Java projects, mostly games, some of them by the same person, none of > the projects appeared to be enterprise/professional, that had been > infiltrated by malware. The projects have been set to private on GitHub > and the project owners have been approached about this. The malware > campaign has had very low impact and is considered by GitHub to be over.” > > Most of the above is not in the research article, but comes from me > asking repeated questions on Twitter to the guy behind tbe report. Much ado about nothing, then. It does seem odd that this was published just before the release of 12.0... -- Glenn Holmer (Linux registered user #16682) "After the vintage season came the aftermath -- and Cenbe." <> - To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional commands, e-mail: users-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: Netbeans and malware article
Sure, there is no need to be defensive. But, there really isn’t — the research has identified nothing that NetBeans can do or has any control over at all. Any project’s build process can be impacted by malware. 26 of these have been identified on GitHub — which happened to make use of Ant-based NetBeans project templates, are all small, mostly games, and no longer being developed. Gj On Sat, 30 May 2020 at 15:57, Emma Atkinson wrote: > I wouldn't treat this as a negative thing about which to be defensive. It > can be positive and show the team in a good light. > > Here's a suggestion > > We are aware of news report ... etc. > We contacted the researchers behind the news. They found 26 infected > projects. The owners have been contacted and their accounts have been made > private, which we think is the correct action. > We contacted the researcher who has given us some additional information. > We will examine the information to identify whether there is anything we > could add or change to Netbeans. There appears to be no need for urgent > action ahead of the imminent release of Netbeans IDE version 12. > > Perhaps add. > > We welcome suggestions from Netbeans users. Please send your constructive > proposals and suggestions to . > > Then give the key details of the problems uncovered. > > > Just a suggestion. > > Emma > > > > > On Sat, 30 May 2020, 14:11 Geertjan Wielenga, wrote: > >> >> OK, I’ll put together a blog we can refer to that will say this — >> “research has been done on GitHub that identified 26 small Ant-based Java >> projects, mostly games, some of them by the same person, none of the >> projects appeared to be enterprise/professional, that had been infiltrated >> by malware. The projects have been set to private on GitHub and the project >> owners have been approached about this. The malware campaign has had very >> low impact and is considered by GitHub to be over.” >> >> Most of the above is not in the research article, but comes from me >> asking repeated questions on Twitter to the guy behind tbe report. >> >> Gj >> >> >> On Sat, 30 May 2020 at 13:57, Emilian Bold >> wrote: >> >>> Note this is not a CVE since it's not a NetBeans vulnerability. >>> >>> Executing any build will run with the local user privileges on any >>> popular IDE and injecting something dubious in a build is trivial. >>> >>> Still, I think GitHub could have approached the Apache security team so >>> the NetBeans PMC has a reply to this. >>> >>> It would be trivial to push a check for that cache.dat file but it's not >>> the role of the IDE to play at being an antivirus. >>> >>> --emi >>> >>> sâm., 30 mai 2020, 14:03 Geertjan Wielenga a >>> scris: >>> It seems to me like we should put out a blog entry with some response to this. Just so that we have a central point to refer to when people ask about this. However, I have no idea what that blog entry should say, beyond “if someone wants to do so, they can inject malware into the build process of software, here’s an example of how they can do that”, and then point to that report. Gj On Sat, 30 May 2020 at 12:08, Emma Atkinson wrote: > Should someone from the Apache Netbeans governing team, approach > Microsoft for information on this matter? > > I would have thought Microsoft GitHub would welcome any approach that > might go some way toward tackling the problem. Knowing details should > enable the Netbeans and NetbeansIDE communities to help. It would also be > good for the public to know Apache Netbeans takes these matters as > seriously as Oracle would have done. Be on the front foot. > > This might be a matter of reducing risk rather than eliminating a > vulnerability. Any fix may not involve much effort. Perhaps a written or > updated guide might be all that is needed. If the contaminated accounts > belong to computer science students, perhaps some changes to Apache > Netbeans IDE defaults, or added warnings would help users avoid > inadvertent > contamination of their code or build environments from untrusted origins. > A > general lesson in good practice perhaps. > > Emma > > > On Sat, 30 May 2020, 09:32 Emilian Bold, > wrote: > >> I'm leaning towards this being a student project honestly. Why would a >> company developing a legacy project grab random unknown Ant-based >> projects from GitHub? >> >> But NetBeans is used a lot for teaching and I suspect teachers don't >> introduce Maven / Gradle since they are more complex and they use the >> default Ant-based build system. >> >> So, if a smart student wants to troll his fellow students it does >> something like this. >> >> Note that GitHub has the full logs of who uploaded, downloaded, >> visited and cloned those 26 projects but made no remarks about them. I >>
Re: Netbeans and malware article
Yes, this could be good publicity right before the release! --emi sâm., 30 mai 2020, 16:57 Emma Atkinson a scris: > I wouldn't treat this as a negative thing about which to be defensive. It > can be positive and show the team in a good light. > > Here's a suggestion > > We are aware of news report ... etc. > We contacted the researchers behind the news. They found 26 infected > projects. The owners have been contacted and their accounts have been made > private, which we think is the correct action. > We contacted the researcher who has given us some additional information. > We will examine the information to identify whether there is anything we > could add or change to Netbeans. There appears to be no need for urgent > action ahead of the imminent release of Netbeans IDE version 12. > > Perhaps add. > > We welcome suggestions from Netbeans users. Please send your constructive > proposals and suggestions to . > > Then give the key details of the problems uncovered. > > > Just a suggestion. > > Emma > > > > > On Sat, 30 May 2020, 14:11 Geertjan Wielenga, wrote: > >> >> OK, I’ll put together a blog we can refer to that will say this — >> “research has been done on GitHub that identified 26 small Ant-based Java >> projects, mostly games, some of them by the same person, none of the >> projects appeared to be enterprise/professional, that had been infiltrated >> by malware. The projects have been set to private on GitHub and the project >> owners have been approached about this. The malware campaign has had very >> low impact and is considered by GitHub to be over.” >> >> Most of the above is not in the research article, but comes from me >> asking repeated questions on Twitter to the guy behind tbe report. >> >> Gj >> >> >> On Sat, 30 May 2020 at 13:57, Emilian Bold >> wrote: >> >>> Note this is not a CVE since it's not a NetBeans vulnerability. >>> >>> Executing any build will run with the local user privileges on any >>> popular IDE and injecting something dubious in a build is trivial. >>> >>> Still, I think GitHub could have approached the Apache security team so >>> the NetBeans PMC has a reply to this. >>> >>> It would be trivial to push a check for that cache.dat file but it's not >>> the role of the IDE to play at being an antivirus. >>> >>> --emi >>> >>> sâm., 30 mai 2020, 14:03 Geertjan Wielenga a >>> scris: >>> It seems to me like we should put out a blog entry with some response to this. Just so that we have a central point to refer to when people ask about this. However, I have no idea what that blog entry should say, beyond “if someone wants to do so, they can inject malware into the build process of software, here’s an example of how they can do that”, and then point to that report. Gj On Sat, 30 May 2020 at 12:08, Emma Atkinson wrote: > Should someone from the Apache Netbeans governing team, approach > Microsoft for information on this matter? > > I would have thought Microsoft GitHub would welcome any approach that > might go some way toward tackling the problem. Knowing details should > enable the Netbeans and NetbeansIDE communities to help. It would also be > good for the public to know Apache Netbeans takes these matters as > seriously as Oracle would have done. Be on the front foot. > > This might be a matter of reducing risk rather than eliminating a > vulnerability. Any fix may not involve much effort. Perhaps a written or > updated guide might be all that is needed. If the contaminated accounts > belong to computer science students, perhaps some changes to Apache > Netbeans IDE defaults, or added warnings would help users avoid > inadvertent > contamination of their code or build environments from untrusted origins. > A > general lesson in good practice perhaps. > > Emma > > > On Sat, 30 May 2020, 09:32 Emilian Bold, > wrote: > >> I'm leaning towards this being a student project honestly. Why would a >> company developing a legacy project grab random unknown Ant-based >> projects from GitHub? >> >> But NetBeans is used a lot for teaching and I suspect teachers don't >> introduce Maven / Gradle since they are more complex and they use the >> default Ant-based build system. >> >> So, if a smart student wants to troll his fellow students it does >> something like this. >> >> Note that GitHub has the full logs of who uploaded, downloaded, >> visited and cloned those 26 projects but made no remarks about them. I >> think those logs would be highly informative as to source and the >> target domain / country. My money is on students from India / China / >> Greece / Brazil. >> >> --emi >> >> On Fri, May 29, 2020 at 11:50 PM Alan < >> netbeans.5zc...@ambitonline.com> wrote: >> > >> > The odds that a virus
Re: Netbeans and malware article
I wouldn't treat this as a negative thing about which to be defensive. It can be positive and show the team in a good light. Here's a suggestion We are aware of news report ... etc. We contacted the researchers behind the news. They found 26 infected projects. The owners have been contacted and their accounts have been made private, which we think is the correct action. We contacted the researcher who has given us some additional information. We will examine the information to identify whether there is anything we could add or change to Netbeans. There appears to be no need for urgent action ahead of the imminent release of Netbeans IDE version 12. Perhaps add. We welcome suggestions from Netbeans users. Please send your constructive proposals and suggestions to . Then give the key details of the problems uncovered. Just a suggestion. Emma On Sat, 30 May 2020, 14:11 Geertjan Wielenga, wrote: > > OK, I’ll put together a blog we can refer to that will say this — > “research has been done on GitHub that identified 26 small Ant-based Java > projects, mostly games, some of them by the same person, none of the > projects appeared to be enterprise/professional, that had been infiltrated > by malware. The projects have been set to private on GitHub and the project > owners have been approached about this. The malware campaign has had very > low impact and is considered by GitHub to be over.” > > Most of the above is not in the research article, but comes from me asking > repeated questions on Twitter to the guy behind tbe report. > > Gj > > > On Sat, 30 May 2020 at 13:57, Emilian Bold wrote: > >> Note this is not a CVE since it's not a NetBeans vulnerability. >> >> Executing any build will run with the local user privileges on any >> popular IDE and injecting something dubious in a build is trivial. >> >> Still, I think GitHub could have approached the Apache security team so >> the NetBeans PMC has a reply to this. >> >> It would be trivial to push a check for that cache.dat file but it's not >> the role of the IDE to play at being an antivirus. >> >> --emi >> >> sâm., 30 mai 2020, 14:03 Geertjan Wielenga a scris: >> >>> >>> It seems to me like we should put out a blog entry with some response to >>> this. Just so that we have a central point to refer to when people ask >>> about this. >>> >>> However, I have no idea what that blog entry should say, beyond “if >>> someone wants to do so, they can inject malware into the build process of >>> software, here’s an example of how they can do that”, and then point to >>> that report. >>> >>> Gj >>> >>> On Sat, 30 May 2020 at 12:08, Emma Atkinson >>> wrote: >>> Should someone from the Apache Netbeans governing team, approach Microsoft for information on this matter? I would have thought Microsoft GitHub would welcome any approach that might go some way toward tackling the problem. Knowing details should enable the Netbeans and NetbeansIDE communities to help. It would also be good for the public to know Apache Netbeans takes these matters as seriously as Oracle would have done. Be on the front foot. This might be a matter of reducing risk rather than eliminating a vulnerability. Any fix may not involve much effort. Perhaps a written or updated guide might be all that is needed. If the contaminated accounts belong to computer science students, perhaps some changes to Apache Netbeans IDE defaults, or added warnings would help users avoid inadvertent contamination of their code or build environments from untrusted origins. A general lesson in good practice perhaps. Emma On Sat, 30 May 2020, 09:32 Emilian Bold, wrote: > I'm leaning towards this being a student project honestly. Why would a > company developing a legacy project grab random unknown Ant-based > projects from GitHub? > > But NetBeans is used a lot for teaching and I suspect teachers don't > introduce Maven / Gradle since they are more complex and they use the > default Ant-based build system. > > So, if a smart student wants to troll his fellow students it does > something like this. > > Note that GitHub has the full logs of who uploaded, downloaded, > visited and cloned those 26 projects but made no remarks about them. I > think those logs would be highly informative as to source and the > target domain / country. My money is on students from India / China / > Greece / Brazil. > > --emi > > On Fri, May 29, 2020 at 11:50 PM Alan > wrote: > > > > The odds that a virus scanner would have a pattern for something > like this are very low indeed, so in this specific case I doubt it would > make a difference. However, excluding paths for any reason leaves an > aperture open that could be exploited. > > > > The targeted attacks I've seen are amazingly specific.
Re: Netbeans and malware article
OK, I’ll put together a blog we can refer to that will say this — “research has been done on GitHub that identified 26 small Ant-based Java projects, mostly games, some of them by the same person, none of the projects appeared to be enterprise/professional, that had been infiltrated by malware. The projects have been set to private on GitHub and the project owners have been approached about this. The malware campaign has had very low impact and is considered by GitHub to be over.” Most of the above is not in the research article, but comes from me asking repeated questions on Twitter to the guy behind tbe report. Gj On Sat, 30 May 2020 at 13:57, Emilian Bold wrote: > Note this is not a CVE since it's not a NetBeans vulnerability. > > Executing any build will run with the local user privileges on any popular > IDE and injecting something dubious in a build is trivial. > > Still, I think GitHub could have approached the Apache security team so > the NetBeans PMC has a reply to this. > > It would be trivial to push a check for that cache.dat file but it's not > the role of the IDE to play at being an antivirus. > > --emi > > sâm., 30 mai 2020, 14:03 Geertjan Wielenga a scris: > >> >> It seems to me like we should put out a blog entry with some response to >> this. Just so that we have a central point to refer to when people ask >> about this. >> >> However, I have no idea what that blog entry should say, beyond “if >> someone wants to do so, they can inject malware into the build process of >> software, here’s an example of how they can do that”, and then point to >> that report. >> >> Gj >> >> On Sat, 30 May 2020 at 12:08, Emma Atkinson >> wrote: >> >>> Should someone from the Apache Netbeans governing team, approach >>> Microsoft for information on this matter? >>> >>> I would have thought Microsoft GitHub would welcome any approach that >>> might go some way toward tackling the problem. Knowing details should >>> enable the Netbeans and NetbeansIDE communities to help. It would also be >>> good for the public to know Apache Netbeans takes these matters as >>> seriously as Oracle would have done. Be on the front foot. >>> >>> This might be a matter of reducing risk rather than eliminating a >>> vulnerability. Any fix may not involve much effort. Perhaps a written or >>> updated guide might be all that is needed. If the contaminated accounts >>> belong to computer science students, perhaps some changes to Apache >>> Netbeans IDE defaults, or added warnings would help users avoid inadvertent >>> contamination of their code or build environments from untrusted origins. A >>> general lesson in good practice perhaps. >>> >>> Emma >>> >>> >>> On Sat, 30 May 2020, 09:32 Emilian Bold, wrote: >>> I'm leaning towards this being a student project honestly. Why would a company developing a legacy project grab random unknown Ant-based projects from GitHub? But NetBeans is used a lot for teaching and I suspect teachers don't introduce Maven / Gradle since they are more complex and they use the default Ant-based build system. So, if a smart student wants to troll his fellow students it does something like this. Note that GitHub has the full logs of who uploaded, downloaded, visited and cloned those 26 projects but made no remarks about them. I think those logs would be highly informative as to source and the target domain / country. My money is on students from India / China / Greece / Brazil. --emi On Fri, May 29, 2020 at 11:50 PM Alan wrote: > > The odds that a virus scanner would have a pattern for something like this are very low indeed, so in this specific case I doubt it would make a difference. However, excluding paths for any reason leaves an aperture open that could be exploited. > > The targeted attacks I've seen are amazingly specific. For example, someone profiled a customer site looking for the queries with the slowest response time, then launched requests against those pages at a rate low enough to not trigger DDoS protection on the network firewall, but to bring the site down anyway. > > This malware has the hallmarks of such a specific attack. Scan the end product for open source components, then infect the components, get in, get the code, go away. Not something your general antivirus software is ever going to even notice. > > On 2020-05-29 16:32, Juan Algaba wrote: > > I wonder if excluding netbeans from antivirus scanning (for performance reasons), but not the project folders, make you more at risk to something like this? > > On Fri, May 29, 2020 at 12:40 PM Alan < netbeans.5zc...@ambitonline.com> wrote: >> >> The malware is oddly focused. I suspect a specific group was being targeted. If eventually GitHub releases the project names that might
Re: Netbeans and malware article
Note this is not a CVE since it's not a NetBeans vulnerability. Executing any build will run with the local user privileges on any popular IDE and injecting something dubious in a build is trivial. Still, I think GitHub could have approached the Apache security team so the NetBeans PMC has a reply to this. It would be trivial to push a check for that cache.dat file but it's not the role of the IDE to play at being an antivirus. --emi sâm., 30 mai 2020, 14:03 Geertjan Wielenga a scris: > > It seems to me like we should put out a blog entry with some response to > this. Just so that we have a central point to refer to when people ask > about this. > > However, I have no idea what that blog entry should say, beyond “if > someone wants to do so, they can inject malware into the build process of > software, here’s an example of how they can do that”, and then point to > that report. > > Gj > > On Sat, 30 May 2020 at 12:08, Emma Atkinson > wrote: > >> Should someone from the Apache Netbeans governing team, approach >> Microsoft for information on this matter? >> >> I would have thought Microsoft GitHub would welcome any approach that >> might go some way toward tackling the problem. Knowing details should >> enable the Netbeans and NetbeansIDE communities to help. It would also be >> good for the public to know Apache Netbeans takes these matters as >> seriously as Oracle would have done. Be on the front foot. >> >> This might be a matter of reducing risk rather than eliminating a >> vulnerability. Any fix may not involve much effort. Perhaps a written or >> updated guide might be all that is needed. If the contaminated accounts >> belong to computer science students, perhaps some changes to Apache >> Netbeans IDE defaults, or added warnings would help users avoid inadvertent >> contamination of their code or build environments from untrusted origins. A >> general lesson in good practice perhaps. >> >> Emma >> >> >> On Sat, 30 May 2020, 09:32 Emilian Bold, wrote: >> >>> I'm leaning towards this being a student project honestly. Why would a >>> company developing a legacy project grab random unknown Ant-based >>> projects from GitHub? >>> >>> But NetBeans is used a lot for teaching and I suspect teachers don't >>> introduce Maven / Gradle since they are more complex and they use the >>> default Ant-based build system. >>> >>> So, if a smart student wants to troll his fellow students it does >>> something like this. >>> >>> Note that GitHub has the full logs of who uploaded, downloaded, >>> visited and cloned those 26 projects but made no remarks about them. I >>> think those logs would be highly informative as to source and the >>> target domain / country. My money is on students from India / China / >>> Greece / Brazil. >>> >>> --emi >>> >>> On Fri, May 29, 2020 at 11:50 PM Alan >>> wrote: >>> > >>> > The odds that a virus scanner would have a pattern for something like >>> this are very low indeed, so in this specific case I doubt it would make a >>> difference. However, excluding paths for any reason leaves an aperture open >>> that could be exploited. >>> > >>> > The targeted attacks I've seen are amazingly specific. For example, >>> someone profiled a customer site looking for the queries with the slowest >>> response time, then launched requests against those pages at a rate low >>> enough to not trigger DDoS protection on the network firewall, but to bring >>> the site down anyway. >>> > >>> > This malware has the hallmarks of such a specific attack. Scan the end >>> product for open source components, then infect the components, get in, get >>> the code, go away. Not something your general antivirus software is ever >>> going to even notice. >>> > >>> > On 2020-05-29 16:32, Juan Algaba wrote: >>> > >>> > I wonder if excluding netbeans from antivirus scanning (for >>> performance reasons), but not the project folders, make you more at risk to >>> something like this? >>> > >>> > On Fri, May 29, 2020 at 12:40 PM Alan >>> wrote: >>> >> >>> >> The malware is oddly focused. I suspect a specific group was being >>> targeted. If eventually GitHub releases the project names that might >>> provide a clue. >>> >> >>> >> On 2020-05-29 15:30, Emilian Bold wrote: >>> >> >>> >> so I guess this is all just about me. :-) >>> >> >>> >> Hehe. >>> >> >>> >> Still, they worked too much to target Ant and NetBeans. I think the >>> >> Gradle wrapper is a much easier target and developers will run >>> >> ./gradlew without a 2nd tought. >>> >> >>> >> --emi >>> >> >>> >> On Fri, May 29, 2020 at 10:25 PM Geertjan Wielenga < >>> geert...@apache.org> wrote: >>> >> >>> >> Sure, those are simply Ant files. >>> >> >>> >> I also wonder about the 26 open source projects they refer to on >>> GitHub, without naming them, where this problem was encountered. I have >>> about that number of NetBeans projects in my GitHub repo, so I guess this >>> is all just about me. :-) >>> >> >>> >> Gj >>> >> >>> >> On Fri, 29 May 2020 at
Re: Netbeans and malware article
LOL, still, why so much enphasis on ant with Netbeans? Just throwing out ideas but could IDEA be behind this? given Netbeans 12 is around the corner?
Re: Netbeans and malware article
It seems to me like we should put out a blog entry with some response to this. Just so that we have a central point to refer to when people ask about this. However, I have no idea what that blog entry should say, beyond “if someone wants to do so, they can inject malware into the build process of software, here’s an example of how they can do that”, and then point to that report. Gj On Sat, 30 May 2020 at 12:08, Emma Atkinson wrote: > Should someone from the Apache Netbeans governing team, approach Microsoft > for information on this matter? > > I would have thought Microsoft GitHub would welcome any approach that > might go some way toward tackling the problem. Knowing details should > enable the Netbeans and NetbeansIDE communities to help. It would also be > good for the public to know Apache Netbeans takes these matters as > seriously as Oracle would have done. Be on the front foot. > > This might be a matter of reducing risk rather than eliminating a > vulnerability. Any fix may not involve much effort. Perhaps a written or > updated guide might be all that is needed. If the contaminated accounts > belong to computer science students, perhaps some changes to Apache > Netbeans IDE defaults, or added warnings would help users avoid inadvertent > contamination of their code or build environments from untrusted origins. A > general lesson in good practice perhaps. > > Emma > > > On Sat, 30 May 2020, 09:32 Emilian Bold, wrote: > >> I'm leaning towards this being a student project honestly. Why would a >> company developing a legacy project grab random unknown Ant-based >> projects from GitHub? >> >> But NetBeans is used a lot for teaching and I suspect teachers don't >> introduce Maven / Gradle since they are more complex and they use the >> default Ant-based build system. >> >> So, if a smart student wants to troll his fellow students it does >> something like this. >> >> Note that GitHub has the full logs of who uploaded, downloaded, >> visited and cloned those 26 projects but made no remarks about them. I >> think those logs would be highly informative as to source and the >> target domain / country. My money is on students from India / China / >> Greece / Brazil. >> >> --emi >> >> On Fri, May 29, 2020 at 11:50 PM Alan >> wrote: >> > >> > The odds that a virus scanner would have a pattern for something like >> this are very low indeed, so in this specific case I doubt it would make a >> difference. However, excluding paths for any reason leaves an aperture open >> that could be exploited. >> > >> > The targeted attacks I've seen are amazingly specific. For example, >> someone profiled a customer site looking for the queries with the slowest >> response time, then launched requests against those pages at a rate low >> enough to not trigger DDoS protection on the network firewall, but to bring >> the site down anyway. >> > >> > This malware has the hallmarks of such a specific attack. Scan the end >> product for open source components, then infect the components, get in, get >> the code, go away. Not something your general antivirus software is ever >> going to even notice. >> > >> > On 2020-05-29 16:32, Juan Algaba wrote: >> > >> > I wonder if excluding netbeans from antivirus scanning (for performance >> reasons), but not the project folders, make you more at risk to something >> like this? >> > >> > On Fri, May 29, 2020 at 12:40 PM Alan >> wrote: >> >> >> >> The malware is oddly focused. I suspect a specific group was being >> targeted. If eventually GitHub releases the project names that might >> provide a clue. >> >> >> >> On 2020-05-29 15:30, Emilian Bold wrote: >> >> >> >> so I guess this is all just about me. :-) >> >> >> >> Hehe. >> >> >> >> Still, they worked too much to target Ant and NetBeans. I think the >> >> Gradle wrapper is a much easier target and developers will run >> >> ./gradlew without a 2nd tought. >> >> >> >> --emi >> >> >> >> On Fri, May 29, 2020 at 10:25 PM Geertjan Wielenga < >> geert...@apache.org> wrote: >> >> >> >> Sure, those are simply Ant files. >> >> >> >> I also wonder about the 26 open source projects they refer to on >> GitHub, without naming them, where this problem was encountered. I have >> about that number of NetBeans projects in my GitHub repo, so I guess this >> is all just about me. :-) >> >> >> >> Gj >> >> >> >> On Fri, 29 May 2020 at 21:22, Scott Palmer wrote: >> >> >> >> The malware explicitly targets NetBeans: >> >> >> >> The malware is capable of identifying the NetBeans project files and >> embedding malicious payload both in project files and build JAR files. >> Below is a high -evel description of the Octopus Scanner operation: >> >> >> >> • Identify user's NetBeans directory >> >> • Enumerate all projects in the NetBeans directory >> >> • Copy malicious payload cache.dat to nbproject/cache.dat >> >> • Modify the nbproject/build-impl.xml file to make sure the malicious >> payload is executed every time NetBeans project is build >> >> • If
Netbeans 12 Adding Jars to project
I have a folder full of jar files. How do I add these files to my dependencies for a Maven project? Do I have to manually add each jar ? Is there a way to add the jars at once? Thanks, Ron
Re: Netbeans and malware article
Should someone from the Apache Netbeans governing team, approach Microsoft for information on this matter? I would have thought Microsoft GitHub would welcome any approach that might go some way toward tackling the problem. Knowing details should enable the Netbeans and NetbeansIDE communities to help. It would also be good for the public to know Apache Netbeans takes these matters as seriously as Oracle would have done. Be on the front foot. This might be a matter of reducing risk rather than eliminating a vulnerability. Any fix may not involve much effort. Perhaps a written or updated guide might be all that is needed. If the contaminated accounts belong to computer science students, perhaps some changes to Apache Netbeans IDE defaults, or added warnings would help users avoid inadvertent contamination of their code or build environments from untrusted origins. A general lesson in good practice perhaps. Emma On Sat, 30 May 2020, 09:32 Emilian Bold, wrote: > I'm leaning towards this being a student project honestly. Why would a > company developing a legacy project grab random unknown Ant-based > projects from GitHub? > > But NetBeans is used a lot for teaching and I suspect teachers don't > introduce Maven / Gradle since they are more complex and they use the > default Ant-based build system. > > So, if a smart student wants to troll his fellow students it does > something like this. > > Note that GitHub has the full logs of who uploaded, downloaded, > visited and cloned those 26 projects but made no remarks about them. I > think those logs would be highly informative as to source and the > target domain / country. My money is on students from India / China / > Greece / Brazil. > > --emi > > On Fri, May 29, 2020 at 11:50 PM Alan > wrote: > > > > The odds that a virus scanner would have a pattern for something like > this are very low indeed, so in this specific case I doubt it would make a > difference. However, excluding paths for any reason leaves an aperture open > that could be exploited. > > > > The targeted attacks I've seen are amazingly specific. For example, > someone profiled a customer site looking for the queries with the slowest > response time, then launched requests against those pages at a rate low > enough to not trigger DDoS protection on the network firewall, but to bring > the site down anyway. > > > > This malware has the hallmarks of such a specific attack. Scan the end > product for open source components, then infect the components, get in, get > the code, go away. Not something your general antivirus software is ever > going to even notice. > > > > On 2020-05-29 16:32, Juan Algaba wrote: > > > > I wonder if excluding netbeans from antivirus scanning (for performance > reasons), but not the project folders, make you more at risk to something > like this? > > > > On Fri, May 29, 2020 at 12:40 PM Alan > wrote: > >> > >> The malware is oddly focused. I suspect a specific group was being > targeted. If eventually GitHub releases the project names that might > provide a clue. > >> > >> On 2020-05-29 15:30, Emilian Bold wrote: > >> > >> so I guess this is all just about me. :-) > >> > >> Hehe. > >> > >> Still, they worked too much to target Ant and NetBeans. I think the > >> Gradle wrapper is a much easier target and developers will run > >> ./gradlew without a 2nd tought. > >> > >> --emi > >> > >> On Fri, May 29, 2020 at 10:25 PM Geertjan Wielenga > wrote: > >> > >> Sure, those are simply Ant files. > >> > >> I also wonder about the 26 open source projects they refer to on > GitHub, without naming them, where this problem was encountered. I have > about that number of NetBeans projects in my GitHub repo, so I guess this > is all just about me. :-) > >> > >> Gj > >> > >> On Fri, 29 May 2020 at 21:22, Scott Palmer wrote: > >> > >> The malware explicitly targets NetBeans: > >> > >> The malware is capable of identifying the NetBeans project files and > embedding malicious payload both in project files and build JAR files. > Below is a high -evel description of the Octopus Scanner operation: > >> > >> • Identify user's NetBeans directory > >> • Enumerate all projects in the NetBeans directory > >> • Copy malicious payload cache.dat to nbproject/cache.dat > >> • Modify the nbproject/build-impl.xml file to make sure the malicious > payload is executed every time NetBeans project is build > >> • If the malicious payload is an instance of the Octopus Scanner itself > the newly built JAR file is also infected. > >> > >> > >> > >> Though they did also mention: > >> > >> "If malware developers took the time to implement this malware > specifically for NetBeans, it means that it could either be a targeted > attack, or they may already have implemented the malware for build systems > such as Make, MsBuild, Gradle and others as well and it may be spreading > unnoticed," GitHub added. > >> > >> > >> I’m not sure if there is any sort of sanity check NB can do to the > cache.dat file to
Re: Netbeans and malware article
I'm leaning towards this being a student project honestly. Why would a company developing a legacy project grab random unknown Ant-based projects from GitHub? But NetBeans is used a lot for teaching and I suspect teachers don't introduce Maven / Gradle since they are more complex and they use the default Ant-based build system. So, if a smart student wants to troll his fellow students it does something like this. Note that GitHub has the full logs of who uploaded, downloaded, visited and cloned those 26 projects but made no remarks about them. I think those logs would be highly informative as to source and the target domain / country. My money is on students from India / China / Greece / Brazil. --emi On Fri, May 29, 2020 at 11:50 PM Alan wrote: > > The odds that a virus scanner would have a pattern for something like this > are very low indeed, so in this specific case I doubt it would make a > difference. However, excluding paths for any reason leaves an aperture open > that could be exploited. > > The targeted attacks I've seen are amazingly specific. For example, someone > profiled a customer site looking for the queries with the slowest response > time, then launched requests against those pages at a rate low enough to not > trigger DDoS protection on the network firewall, but to bring the site down > anyway. > > This malware has the hallmarks of such a specific attack. Scan the end > product for open source components, then infect the components, get in, get > the code, go away. Not something your general antivirus software is ever > going to even notice. > > On 2020-05-29 16:32, Juan Algaba wrote: > > I wonder if excluding netbeans from antivirus scanning (for performance > reasons), but not the project folders, make you more at risk to something > like this? > > On Fri, May 29, 2020 at 12:40 PM Alan wrote: >> >> The malware is oddly focused. I suspect a specific group was being targeted. >> If eventually GitHub releases the project names that might provide a clue. >> >> On 2020-05-29 15:30, Emilian Bold wrote: >> >> so I guess this is all just about me. :-) >> >> Hehe. >> >> Still, they worked too much to target Ant and NetBeans. I think the >> Gradle wrapper is a much easier target and developers will run >> ./gradlew without a 2nd tought. >> >> --emi >> >> On Fri, May 29, 2020 at 10:25 PM Geertjan Wielenga >> wrote: >> >> Sure, those are simply Ant files. >> >> I also wonder about the 26 open source projects they refer to on GitHub, >> without naming them, where this problem was encountered. I have about that >> number of NetBeans projects in my GitHub repo, so I guess this is all just >> about me. :-) >> >> Gj >> >> On Fri, 29 May 2020 at 21:22, Scott Palmer wrote: >> >> The malware explicitly targets NetBeans: >> >> The malware is capable of identifying the NetBeans project files and >> embedding malicious payload both in project files and build JAR files. Below >> is a high -evel description of the Octopus Scanner operation: >> >> • Identify user's NetBeans directory >> • Enumerate all projects in the NetBeans directory >> • Copy malicious payload cache.dat to nbproject/cache.dat >> • Modify the nbproject/build-impl.xml file to make sure the malicious >> payload is executed every time NetBeans project is build >> • If the malicious payload is an instance of the Octopus Scanner itself the >> newly built JAR file is also infected. >> >> >> >> Though they did also mention: >> >> "If malware developers took the time to implement this malware specifically >> for NetBeans, it means that it could either be a targeted attack, or they >> may already have implemented the malware for build systems such as Make, >> MsBuild, Gradle and others as well and it may be spreading unnoticed," >> GitHub added. >> >> >> I’m not sure if there is any sort of sanity check NB can do to the cache.dat >> file to help prevent this. >> >> Scott >> >> >> On May 29, 2020, at 3:16 PM, Geertjan Wielenga wrote: >> >> >> It seems to be saying that a build system that uses Apache Ant can be >> poisoned by malware. That probably is equally true for Gradle and Apache >> Maven — so I don’t understand why they’re picking on Ant. >> >> Gj >> >> On Fri, 29 May 2020 at 21:09, Peter Steele wrote: >> >> Hi >> >> Saw this >> >> https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/ >> >> Do we know anything more about this? >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org >> For additional commands, e-mail: users-h...@netbeans.apache.org >> >> For further information about the NetBeans mailing lists, visit: >> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists >> >> >> > > > -- > > -Juan Algaba - To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional
