Source code management a weak spot in Aurora attacks

McAfee says that hackers were after the source code management systems

Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months.

That's according to security vendor McAfee, which released a report detailing the way software source code was accessed in some of these attacks. "We saw targeted attacks against software configuration management products," said George Kurtz, McAfee's chief technology officer.

In many of the attacks company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, Kurtz said.

"These systems are designed so you can have multiple people around the world working on them," Kurtz said. That often gives the bad guys several ways to get into the code. To make matters worse, source code management systems "are underprotected and not very well monitored," he said.

That means that they could make easy targets in future attacks.

To illustrate this point, McAfee researchers took a look at a source code management system used by Google itself, software called Perforce. They found a number of problems. Perforce sends passwords across the network in unencrypted form, allows anonymous users to create new accounts, and runs with a higher-than-necessary level of privileges, giving hackers an extra way to exploit the system it's running on.

"There's not a lot of security in place and there's not a lot of logging," to protect source code within most companies, Kurtz said. "If that's your crown jewels, you might want to think twice about how you're protected."

Perforce was unable to comment immediately on McAfee's findings, but the Perforce bugs that McAfee found have little to do with the actual Aurora attacks, first disclosed by Google in mid-January.

That's because the Aurora hackers didn't need to break into any source code management systems. They were able to get access to engineering computers, which could in turn access these systems, said Alex Stamos, a partner with Isec Partners.

A bigger problem is the fact that the Aurora hackers were able to access such a wealth of data from a small number of machines, he said. "Most engineer have access to way more than they need," he said.

With access to source code systems, criminals could alter software products, planting back door access mechanisms or logic bombs. Or they could simply download the code to analyze it for software bugs. Either of these is a scary proposition, security experts say.

In Google's case, there is a lot of data on that Perforce Server. According to this paper by Google staffer Rick Wright 8,000 engineers at Google have access to a Perforce server with about 600 gigabytes of data.

Tags Aurora attacksoftware developmentGooglesource code

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?