Source Code Management a Weak Spot in Aurora Attacks
Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months.
That's according to security vendor McAfee, which released a report detailing the way software source code was accessed in some of these attacks. "We saw targeted attacks against software configuration management products," said George Kurtz, McAfee's chief technology officer.
In many of the attacks company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, Kurtz said.
"These systems are designed so you can have multiple people around the world working on them," Kurtz said. That often gives the bad guys several ways to get into the code. To make matters worse, source code management systems "are underprotected and not very well monitored," he said.
That means that they could make easy targets in future attacks.
To illustrate this point, McAfee researchers took a look at a source code management system used by Google itself, software called Perforce. They found a number of problems. Perforce sends passwords across the network in unencrypted form, allows anonymous users to create new accounts, and runs with a higher-than-necessary level of privileges, giving hackers an extra way to exploit the system it's running on.
"There's not a lot of security in place and there's not a lot of logging," to protect source code within most companies, Kurtz said. "If that's your crown jewels, you might want to think twice about how you're protected."
Perforce was unable to comment immediately on McAfee's findings, but the Perforce bugs that McAfee found have little to do with the actual Aurora attacks, first disclosed by Google in mid-January.
That's because the Aurora hackers didn't need to break into any source code management systems. They were able to get access to engineering computers, which could in turn access these systems, said Alex Stamos, a partner with Isec Partners.
A bigger problem is the fact that the Aurora hackers were able to access such a wealth of data from a small number of machines, he said. "Most engineer have access to way more than they need," he said.
With access to source code systems, criminals could alter software products, planting back door access mechanisms or logic bombs. Or they could simply download the code to analyze it for software bugs. Either of these is a scary proposition, security experts say.
In Google's case, there is a lot of data on that Perforce Server. According to this paper by Google staffer Rick Wright 8,000 engineers at Google have access to a Perforce server with about 600 gigabytes of data.