Open Source
Combatting attacks against Ruby Gems with Multi-factor Authentication

Summarized using AI

Combatting attacks against Ruby Gems with Multi-factor Authentication

Jenny Shen • January 31, 2023 • online

The video titled "Combatting attacks against Ruby Gems with Multi-factor Authentication" features Jenny Shen, a developer at Shopify, discussing the importance of Multi-factor Authentication (MFA) in securing RubyGems.org from account takeover attacks. The session focuses on the proactive steps taken to enforce MFA among gem authors to mitigate the risk of malicious code injections that have affected various gems in the past.

Key Points Discussed:
- Introduction to MFA: Jenny begins by highlighting her enthusiasm for the topic, drawing connections between the historical iodine deficiency and contemporary vulnerabilities in software supply chains.
- Increasing Threats: There has been a staggering 742% increase in supply chain attacks over the last three years, underscoring the significance of securing developer accounts.
- Account Takeovers: A common method of attack involves malicious actors gaining access to maintainers' accounts to publish compromised versions of gems.
- Examples of Compromised Gems: The talk includes an example of the 'strong-password' gem, where an attacker inserted harmful code through an account takeover.
- Preventative Measures: The introduction of MFA is portrayed as a critical step, akin to iodizing salt to combat iodine deficiency—both seek to prevent widespread health issues through a simple, effective solution.
- Implementation Journey: Jenny elaborates on the process her team underwent to implement MFA, starting from understanding RubyGems' infrastructure to drafting a proposal for requiring MFA on popular gems.
- Community Engagement: Initially suggested that MFA should be mandatory for the top 100 gems; stakeholders were engaged through a Request for Comments (RFC), which was met with positive feedback.
- Final Rollout: By June, the policy was publicly announced, with a mandate requiring MFA for gems with over 180 million downloads, showcasing successful community collaboration.
- Future Directions: The session concludes by discussing forthcoming enhancements, such as enabling security keys for authentication and developing safer methods for CI/CD processes.

In summary, Shen emphasizes that implementing MFA is a fundamental step in securing the RubyGems ecosystem and invites further conversation on open-source contributions and supply chain security initiatives.

Combatting attacks against Ruby Gems with Multi-factor Authentication
Jenny Shen • January 31, 2023 • online

What do rest-client, strong-password and bootstrap-sass gems have in common? They all suffered malicious code injections that were preventable. Attackers aim to take control of a legitimate RubyGems.org user account, and use it to publish malicious gem version for their own benefit.

Multi-factor authentication (or MFA) prevents these account takeover attacks. In this talk, I'll be sharing a bit about how MFA works in a package ecosystem like RubyGems and how we started to enforce MFA on the RubyGems platform.

Jenny is a developer at Shopify where she works to help secure Ruby's supply chain. Over the past year, she has enjoyed contributing to RubyGems. As a relatively new Torontonian, she often spends her free time acting like a tourist, eating different cuisines and trying new activities in the city.

https://www.wnb-rb.dev/meetups/2023/01/31

WNB.rb Meetup

00:00:00.000 hi then everyone
00:00:01.920 um thanks for having me at this wmb
00:00:04.319 Meetup very excited to be here
00:00:07.440 um this talk that I'm going to give is
00:00:09.720 just a shortened version of the talk I
00:00:11.880 gave at Rubicon mini last year
00:00:14.820 um it was called rubygems.org MFA past
00:00:18.420 present and future
00:00:20.220 uh for those who for of you who I went I
00:00:24.359 had a great time meeting all of you and
00:00:27.300 again shout out to
00:00:30.180 um Emily and Gemma for organizing the
00:00:32.279 conference it was one of the best ones I
00:00:34.739 ever been to
00:00:36.660 um as Emily mentioned I'm Jenny I'm
00:00:39.600 currently a developer at Shopify working
00:00:42.239 in the Ruby and rails infraorg I work in
00:00:45.300 a team there that helps toughen up the
00:00:47.340 security in the in the gems that uh
00:00:50.100 Shopify and the community uses
00:00:53.160 um and I also just moved from Canada's
00:00:57.180 capital Ottawa to Toronto a few months
00:01:00.059 ago and I've been trying a bunch of
00:01:02.640 different things uh my current Obsession
00:01:05.640 that I tried out for the first time this
00:01:08.159 year was Wheel Pottery
00:01:10.680 um I made a wobbly poll
00:01:13.500 um and I wanted Redemption so I went
00:01:15.840 again last Saturday and on Sunday I
00:01:20.040 don't know if there's been an
00:01:21.119 improvement but I like to think that
00:01:23.220 that there was a bit
00:01:26.280 um I also love food and Toronto has a
00:01:30.119 lot of it
00:01:31.500 um my recent favorite is a restaurant
00:01:34.020 called karate boys they serve giant Nan
00:01:37.380 on a stick
00:01:38.460 um definitely recommend uh for anyone
00:01:41.820 living or visiting the downtown area but
00:01:44.880 yeah that's a little bit about me let's
00:01:47.159 dive into what we're really here for so
00:01:49.860 last year Ruby Jones announced that
00:01:53.520 they're requiring gem owners of popular
00:01:55.680 gems to enable multi-factor
00:01:58.079 authentication the teen diving part of
00:02:00.960 helped create this change so uh today
00:02:04.320 I'll be going through
00:02:07.020 um why the policy is important and why
00:02:11.039 is MFA important how the policy got
00:02:14.280 implemented and going through the
00:02:16.080 process of so as someone new to the open
00:02:19.200 source community and a bit about what's
00:02:22.260 next for securing our gems
00:02:25.280 to start
00:02:27.300 um feel free to do some reactions if you
00:02:30.420 ever heard of the term goiter and know
00:02:34.020 it is I'll give
00:02:35.879 a second for people to react or not
00:02:38.819 react okay there's some thinking emojis
00:02:42.239 there's some hands
00:02:44.879 um for those who don't know
00:02:48.480 um uh goiter is a condition that makes
00:02:50.700 your thyroid gland abnormally large what
00:02:53.580 makes your neck appear swollen the
00:02:55.860 common cause of this is iodine
00:02:58.080 deficiency
00:02:59.940 um and up until the past Century iodine
00:03:03.180 deficiency was a global public health
00:03:05.760 issue
00:03:08.220 um in ancient times the treatment for
00:03:10.400 goiter was consuming seaweed or sea
00:03:14.099 sponge
00:03:15.480 um and it wasn't until the 19th century
00:03:18.300 that the element iodine was discovered
00:03:20.819 and found to be the cure for goiter
00:03:24.000 um it was then found that iodizing salt
00:03:25.920 was an effective way to add iodine to
00:03:28.440 people's regular diets
00:03:31.019 um 120 countries have made iodization of
00:03:34.860 salt mandatory and currently areas that
00:03:37.739 implemented a policy like Canada had
00:03:40.140 removed so the need to monitor iodine
00:03:43.140 levels as it removed so much of the risk
00:03:47.580 you may be asking okay why is Jenny
00:03:50.700 talking about goiter where she was
00:03:53.040 supposed to talk about MFA
00:03:55.500 um while there are many similarities
00:03:57.659 between salt iodization and MFA there's
00:04:01.560 an exponential increase in software
00:04:04.200 supply chain attacks over the past few
00:04:06.420 years and it's reported that there's a
00:04:08.959 742 percent increase in supply chain
00:04:12.599 attacks year over year in the past three
00:04:15.480 years
00:04:16.280 for those who don't know a supply chain
00:04:19.560 attack is when a malicious actor tries
00:04:22.800 to sneak in by attacking any component
00:04:25.320 involved in developing an application
00:04:27.600 this could include something like
00:04:30.259 pushing malicious code to me without any
00:04:33.120 reviews somehow inserting malicious code
00:04:36.300 in cni or deployment infrastructure or
00:04:40.139 an open source package or Jam which uh
00:04:43.320 we're most interested in the second most
00:04:47.040 common attack on dependencies is account
00:04:49.800 takeovers so if a malicious actor gets a
00:04:53.220 hold of your Ruby Jones account they can
00:04:55.380 grab your gem insert malicious code and
00:04:58.680 release a new bad version of the gem
00:05:02.699 um and anyone insult that installs this
00:05:05.280 version would be compromised
00:05:08.120 an example of a gem that that an example
00:05:12.840 of a gem is a strong password so someone
00:05:16.620 took over the gem maintainers account
00:05:19.220 and inserted code that would execute
00:05:22.860 from a paste bin URL and in that paste
00:05:26.400 bid it evaluates contents of a cookie
00:05:29.639 that matches a certain regex
00:05:32.160 if the attacker sends a cookie that
00:05:34.860 matches the regex that behind here the
00:05:37.139 contents of the cookie will be executed
00:05:39.000 and the attacker could basically do
00:05:41.340 whatever they want
00:05:43.620 but strong password isn't the only
00:05:46.800 gender many cases where packages were
00:05:49.620 taken over
00:05:51.660 um thankfully there's a simple solution
00:05:54.539 to all of this you may know what it is
00:05:58.680 um is multi-factor authentication adding
00:06:02.280 another Factor during authentication
00:06:04.320 makes it a lot harder for someone else
00:06:06.900 to sign in and act like you
00:06:10.039 and now that you know a little bit about
00:06:12.539 supply chain attacks and account
00:06:14.220 takeovers I mentioned that there's many
00:06:18.600 similarities between goiters and these
00:06:21.660 takeovers well what are they
00:06:24.680 they are both a widespread problem ID
00:06:27.900 deficiency was a global public health
00:06:30.600 issue and supply chain attacks are a
00:06:34.800 growing issue in the world of software
00:06:37.380 for both instances there's an effective
00:06:40.080 and simple preventative measure saw
00:06:42.900 iodization and multi-factor
00:06:45.479 Authentication
00:06:47.419 though for both of these countermeasures
00:06:50.160 this requires changes from a certain
00:06:52.440 group of people producers of salt must
00:06:55.560 spend money to buy equipment hire staff
00:06:57.960 and materials well for MFA package
00:07:01.319 maintainers need to spend more time to
00:07:03.720 publish and maintain their gems with MFA
00:07:06.479 which can be burdensome
00:07:10.020 um so why Implement laws to for cell
00:07:13.020 iodization and create a policy to
00:07:16.020 require MFA
00:07:18.840 um
00:07:21.060 well the costs of prevent these issues
00:07:23.639 is significantly smaller than the cost
00:07:26.280 to deal with them when people get sick
00:07:28.800 due to being iodine deficient they need
00:07:31.500 to seek medical help which is costly web
00:07:33.960 malicious package versions are released
00:07:36.180 kind of effort needs to spent on
00:07:38.039 removing the gem and consumers must try
00:07:40.800 to assess and revert all the damage that
00:07:43.620 has been done
00:07:45.360 so hopefully I convince you the
00:07:48.060 importance of
00:07:49.620 um MFA
00:07:51.120 um
00:07:52.199 um and to perfect uh account takeover
00:07:55.319 attacks in our gems so
00:07:58.800 um let's get into how this process of
00:08:01.979 uh let's get into the process of getting
00:08:05.580 this policy in
00:08:07.800 um my team saw MFA as a area of
00:08:11.280 improvement for our gem ecosystem but we
00:08:13.740 never really worked in ruby gems before
00:08:16.699 something fell off and going in and
00:08:19.919 suggesting a pretty major change when we
00:08:22.680 did know how do you exactly push a gem
00:08:26.000 and how MFA really works
00:08:29.940 um in ruby gems how the code bases work
00:08:34.979 um and who was maintaining the project
00:08:37.399 the first bit of time was just learning
00:08:40.080 about those things we tried to publish a
00:08:43.740 gem like uh how a gem maintainer would
00:08:46.500 use a documentation to create a job you
00:08:50.820 can run bundle Jam which would create a
00:08:53.820 scaffolder gem for you
00:08:56.519 um then you once you're finished
00:08:58.380 building your jam you can run gem build
00:09:01.920 uh which would package up all the
00:09:04.440 contents of your Gem and add metadata to
00:09:07.380 it
00:09:08.700 um and it'll create a little gem file
00:09:10.980 for you if you decompress this file it
00:09:14.519 has compressed files of
00:09:17.339 um the contents of your Gem and some
00:09:20.399 metadata
00:09:22.580 once you have the package gem you can
00:09:25.320 run gem push to send that package file
00:09:28.740 to groupiegems.org so now that we
00:09:33.839 learned how to publish a gem The Next
00:09:36.899 Step was figuring out how MFA affects
00:09:39.480 this process
00:09:40.800 so oh that's how you pop uh that's the
00:09:44.580 command that you run to publish the job
00:09:47.279 um Ruby jams currently has FFA in the
00:09:51.300 form of time-based one-time passcodes
00:09:53.580 which you can use the authenticator app
00:09:55.740 like Google Authenticator or Aki on your
00:09:58.500 phone and once enabled you can MFA when
00:10:02.580 you log into the web
00:10:04.800 to run gen push maintainers are required
00:10:08.100 to sign into the command line first by
00:10:10.380 running gen sign in which you can MFA
00:10:13.800 this produces an API key that gets
00:10:18.779 stored in your computer so you can use
00:10:20.519 to authenticate yourself an attacker
00:10:23.519 can't sign in unless they as I say when
00:10:27.779 you decide to publish your gem by
00:10:30.060 writing gem push you also may be
00:10:32.339 required to FSA for that action as well
00:10:35.420 if an attacker gets a hold of one of
00:10:38.100 your API keys that you use to sign in
00:10:40.560 they can't uh they still can't really
00:10:43.260 publish your job without MFA
00:10:46.620 um I did say May Since users have the
00:10:49.260 option to turn that off by downgrading
00:10:52.200 their MFA level to UI and Jen sign in
00:10:55.579 because maintainers might use an RNA
00:10:58.860 system or script like GitHub actions to
00:11:01.800 publish gems
00:11:03.600 um and requiring MFA with enabling MFA
00:11:07.380 would break that workflow
00:11:10.079 um now that we know a little bit about
00:11:12.420 how gem publishing Works still really
00:11:15.120 don't know what's in the code base
00:11:18.420 um think of uh the best way to learn
00:11:21.540 about a code base is to contribute it
00:11:23.899 contribute to it through making small
00:11:26.160 improvements from Team coming around and
00:11:28.320 learning about the application uh we got
00:11:31.019 to learn how to set up rubygems locally
00:11:33.779 and see how the application is organized
00:11:36.839 thankfully
00:11:38.420 rubygems.org is a rails app so it was
00:11:41.459 nice to onboard since
00:11:43.860 um uh rails is nice and I've been
00:11:47.519 comfortable continuing to rails through
00:11:50.700 opening a few PRS I got to interact with
00:11:54.180 the maintainers of rubygems.org and they
00:11:57.480 suggested issues that were more high
00:11:59.519 priority which I can also
00:12:03.180 um
00:12:03.839 contribute to this part was a bit
00:12:07.079 nerve-wracking to me since I was
00:12:09.360 interacting with people that I don't
00:12:10.980 work with on a daily basis and
00:12:13.200 everything was kind of public
00:12:14.959 but Ty it got better with time
00:12:18.600 um since the maintainers were really
00:12:20.040 nice and helpful and
00:12:22.620 um yeah and through getting our feet wet
00:12:25.740 we stumbled upon the RFC repo which is a
00:12:29.760 repo to propose substantial changes to
00:12:32.820 the platform and since the team felt
00:12:35.519 comfortable about the systems and built
00:12:37.500 some trust with the maintainers it felt
00:12:39.839 appropriate to draft a proposal to
00:12:42.420 require MFA to our gems for ruby gems
00:12:46.680 they outlined the process which allows
00:12:49.500 you to share some of the motivation give
00:12:52.860 you a guy level explanation and
00:12:56.360 Technical changes required which you can
00:13:00.300 see uh right in the reference level
00:13:03.839 explanation
00:13:06.120 for the first draft we suggested that we
00:13:09.480 should require MFA for the most popular
00:13:11.940 gems more specifically the top hundred
00:13:14.579 which covers more than a third of total
00:13:17.459 downloads we also thought we should
00:13:20.160 surface warnings in our app to notify
00:13:24.420 allow maintainers to make the change
00:13:26.220 themselves before it's required and when
00:13:29.040 it is required we want to protect major
00:13:32.240 changes for the maintainer like count
00:13:35.100 changes pushing gems and managing owners
00:13:39.600 um with that behavior decided uh we
00:13:43.139 drafted it RSC and created a prototype
00:13:46.620 to show what kind of changes is required
00:13:48.899 which uh was really helpful for the
00:13:51.360 maintainers
00:13:53.279 um when the RFC was published we got a
00:13:57.060 lot of good feedback to refine The
00:13:58.920 Proposal this included like
00:14:01.320 communication editions like writing a
00:14:03.300 blog post and emailing users and we also
00:14:06.600 adjusted the metric from requiring it
00:14:09.839 from the top 100 to a certain download
00:14:12.660 threshold so when a jam reaches that
00:14:15.720 threshold they'll be required to enable
00:14:18.000 MFA
00:14:19.320 and with that the RSC was merged in
00:14:22.260 March last year
00:14:24.180 um and in June we announced the policy
00:14:27.480 to the public and users would start
00:14:30.720 getting recommendations if they own a
00:14:33.420 popular gem uh after two months uh we
00:14:37.260 started to require users that own at
00:14:39.839 least 180 million downloads to have MFA
00:14:43.260 enabled and the feedback from the
00:14:45.600 community was like shockingly very
00:14:47.639 positive
00:14:49.380 um most if not everyone thought the need
00:14:51.600 for this change and we're happy that
00:14:54.420 this is one of the first steps that
00:14:56.040 we're taking to secure the supply chain
00:14:58.880 also during implementing the RC two of
00:15:02.160 our team members became inhalers
00:15:04.380 themselves Ashley Pierce and I it felt
00:15:07.500 like a test
00:15:08.940 um it was nice to see the effort that
00:15:11.820 the team has been putting into improving
00:15:14.459 group jobs for the better so yeah yay
00:15:18.000 um
00:15:18.720 so now that this policy is out
00:15:23.040 um
00:15:24.019 and top 100 jamming keys are required to
00:15:27.839 enable MFA uh what's next in store
00:15:31.699 as
00:15:33.360 um one piece of feedback we got during
00:15:36.360 the release is that people would like to
00:15:38.339 use security Keys as a form of
00:15:40.199 authentication so like UV keys and touch
00:15:42.779 IDs and just recently at the end of 2022
00:15:48.240 um we generally parents can now use
00:15:50.579 security devices while logging into the
00:15:53.040 web as you can see here and we're
00:15:56.040 currently implementing uh security
00:15:58.199 devices on
00:16:00.420 um command lines so people can use it
00:16:02.519 when they're pushed at running gen sign
00:16:05.339 in or pushing a gem another thing that
00:16:08.639 we're thinking of is exploring ways for
00:16:11.720 CI and scripts like GitHub actions to
00:16:15.660 safely perform actions on the behalf on
00:16:18.959 behalf of the user so
00:16:21.240 um looking forward to that
00:16:23.760 um and yeah so hopefully you uh you
00:16:27.060 learned a little bit about the Ruby Jam
00:16:29.399 system supply chain security and I got a
00:16:33.899 deeper look into the journey to
00:16:35.760 implement
00:16:37.079 um in implementing the MFA policy to uh
00:16:40.740 an open source project like ruby gems
00:16:44.220 um yeah thanks for listening
00:16:46.740 um if you're interested in learning
00:16:48.300 about uh more about contributing to open
00:16:50.940 source or any of the supply chain
00:16:52.860 security stuff uh don't hesitate to
00:16:55.800 reach out and I would also like to shout
00:16:58.199 out to my team and Ruby Jazz fade haters
00:17:01.139 for helping rolling out this policy also
00:17:04.079 want to say kudos to Ashley and Betty
00:17:06.720 for creating uh the uh gen Doodles
00:17:11.280 um they're very funny and I have used
00:17:13.559 them extensively in this presentation
Explore all talks recorded at WNB.rb Meetup
+20