Operation Aurora and Source Control
If you were watching the news a year ago you can't have missed the hack on Google. If you were watching some news today you might have noticed that Morgan Stanley was also a target. What amazes me is the attack vector. A malicious email, apparently from a trusted colleague, launches a browser, which downloads some JavaScript that exploits a zero-day vulnerability in the browser, which in turn gives the attacker access to the inside of the corporate network. Now that is pretty basic hacking that most script kiddies could do (and do). If you were worried about getting caught you would have hopped through a few intermediate machines or servers before reaching your target.

The next step is what amazes me more than anything. With local access, the SCM is wide open. LOL, not in my world it's not. Imagine Apache Subversion or GitHub configured without SSL/SSH, configured to allow any user who can open a port to create an unprivileged user, who can then go on to discover other things and, if configured really badly, gets privileges; the McAfee white paper (http://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf) indicates that this is an out-of-the-box configuration. From the reports of the attack and the white papers, it looks like the attackers were able to bypass version control and audit to make changes at will to the repository. What's not clear in any of these incidents is what the SCMs were holding: product or core production code, or documents and management reports?
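To make the "wide open" configuration concrete, here is an added example (my own, not code from the post or from any vendor report) that audits a Subversion svnserve.conf for the settings that leave a repository open to anyone who can reach the port. It assumes the repository is served by svnserve in daemon mode (svn://), where these keys apply; both sample configs are constructed for the example. The keys checked (anon-access, auth-access, password-db, use-sasl, min-encryption) are real svnserve.conf settings, and svnserve's documented default for anon-access is read, so an absent key is not safe either.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Subversion svnserve.conf
# for the "wide open" settings the post describes. Assumes the repository is
# served by svnserve in daemon mode (svn://), where these keys apply.
# Both sample configs below are constructed for the example.

WEAK_CONF='[general]
# anyone who can reach the port can read and commit, no authentication at all
anon-access = write
auth-access = write
'

HARDENED_CONF='[general]
anon-access = none
auth-access = write
password-db = passwd
realm = Product source

[sasl]
use-sasl = true
min-encryption = 128
'

# conf_get SECTION KEY: print the value of KEY in [SECTION] from the
# svnserve.conf text on stdin (first match wins; comments and blanks skipped).
conf_get() {
  awk -v s="$1" -v k="$2" '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == s {
      n = index($0, "=")
      if (n == 0) next
      key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit }
    }'
}

# svnserve_audit CONF_TEXT: print one finding per line; return the number of
# findings, so 0 (success) means no issues found.
svnserve_audit() {
  conf="$1"
  findings=0
  anon=$(printf '%s\n' "$conf" | conf_get general anon-access)
  pwdb=$(printf '%s\n' "$conf" | conf_get general password-db)
  sasl=$(printf '%s\n' "$conf" | conf_get sasl use-sasl)
  minenc=$(printf '%s\n' "$conf" | conf_get sasl min-encryption)

  # svnserve's default for anon-access is read, so an absent key is not safe either
  case "${anon:-read}" in
    none) ;;
    *) echo "anon-access is '${anon:-read (default)}': unauthenticated clients get in"
       findings=$((findings + 1)) ;;
  esac

  # without a password-db (or SASL) nobody can authenticate, so auth-access never applies
  if [ -z "$pwdb" ] && [ "$sasl" != "true" ]; then
    echo "no password-db and SASL disabled: no way to authenticate users"
    findings=$((findings + 1))
  fi

  # plain svn:// is cleartext unless SASL negotiates an encryption layer
  if [ "$sasl" = "true" ]; then
    if [ "${minenc:-0}" -lt 128 ]; then
      echo "min-encryption is ${minenc:-0}: credentials and code may cross the wire unencrypted"
      findings=$((findings + 1))
    fi
  else
    echo "SASL disabled: svn:// traffic is cleartext (use SASL encryption, svn+ssh or https)"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Demo: run the audit over both constructed configs.
report() {
  if svnserve_audit "$2"; then echo "$1: no findings"; else echo "$1: $? finding(s)"; fi
}
report weak "$WEAK_CONF"
report hardened "$HARDENED_CONF"
```

Point it at a real file with `svnserve_audit "$(cat /path/to/repo/conf/svnserve.conf)"`. The weak config trips all three checks; the hardened one passes because anonymous access is off, users have a password database to authenticate against, and SASL enforces an encryption layer. Note that with svn+ssh tunnelling the authentication and encryption come from ssh instead, so the SASL findings do not apply there.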
The other observation I can make is that the only open source code mentioned in the report was CVS. I wonder whether relying on an SCM system that has been used in anger in open source, exposed to attack at all levels and through all vectors, would not have been better. Strangely, McAfee chose to mention CVS, which almost no one uses any more. When Linus went to talk to Google about Git (http://www.youtube.com/watch?v=4XpnKHJAok8) he teased them about their SCM; if only someone had listened then. The SCM is not the real villain here. The real villain is software vendors who think it's OK to know of a zero-day vulnerability, in some cases published to the net through CERT alerts, and do nothing about it for almost six months, and then only prioritise it when one of their major customers goes public. (Shame on you.)
Will this happen again? Yes, without a doubt. Since it's clear that some vendors can't be trusted, your only protection is having the source code and the skills to check it, or trusting that peer review in the open will identify and eliminate holes. For those reading this who don't know: installed, running binaries are almost as easy to analyse for holes as source code, but with source code you can provide a patch, and if the community is open you can even persuade/embarrass them into doing something long before the problem ever reaches production. Trying to do the same to a commercial operation is nigh on impossible. Consequence? My inbox is full of potential attack vectors for the next juicy story to hit the press. So much to do, so little time. :)