Source code management a weak spot in Aurora attacks

McAfee says that hackers were after the source code management systems

Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months.

That's according to security vendor McAfee, which released a report detailing the way software source code was accessed in some of these attacks. "We saw targeted attacks against software configuration management products," said George Kurtz, McAfee's chief technology officer.

In many of the attacks company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, Kurtz said.

"These systems are designed so you can have multiple people around the world working on them," Kurtz said. That often gives the bad guys several ways to get into the code. To make matters worse, source code management systems "are underprotected and not very well monitored," he said.

That means that they could make easy targets in future attacks.

To illustrate this point, McAfee researchers took a look at a source code management system used by Google itself, software called Perforce. They found a number of problems. Perforce sends passwords across the network in unencrypted form, allows anonymous users to create new accounts, and runs with a higher-than-necessary level of privileges, giving hackers an extra way to exploit the system it's running on.

"There's not a lot of security in place and there's not a lot of logging," to protect source code within most companies, Kurtz said. "If that's your crown jewels, you might want to think twice about how you're protected."

Perforce was unable to comment immediately on McAfee's findings, but the Perforce bugs that McAfee found have little to do with the actual Aurora attacks, first disclosed by Google in mid-January.

That's because the Aurora hackers didn't need to break into any source code management systems. They were able to get access to engineering computers, which could in turn access these systems, said Alex Stamos, a partner with Isec Partners.

A bigger problem is the fact that the Aurora hackers were able to access such a wealth of data from a small number of machines, he said. "Most engineer have access to way more than they need," he said.

With access to source code systems, criminals could alter software products, planting back door access mechanisms or logic bombs. Or they could simply download the code to analyze it for software bugs. Either of these is a scary proposition, security experts say.

In Google's case, there is a lot of data on that Perforce Server. According to this paper by Google staffer Rick Wright 8,000 engineers at Google have access to a Perforce server with about 600 gigabytes of data.

More about: Adobe, etwork, Google, Intel, Isec, McAfee, McAfee Security
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: source code, software development, Google, Aurora attack
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/133/feeddemon/

FeedDemon

FeedDemon is an easy-to-use RSS reader for Windows which will keep you informed with the latest news and information. The Google Reader Synchronization allows you ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia