Source code management a weak spot in Aurora attacks

McAfee says that hackers were after the source code management systems

Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months.

That's according to security vendor McAfee, which released a report detailing the way software source code was accessed in some of these attacks. "We saw targeted attacks against software configuration management products," said George Kurtz, McAfee's chief technology officer.

In many of the attacks, company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, Kurtz said.

"These systems are designed so you can have multiple people around the world working on them," Kurtz said. That often gives the bad guys several ways to get into the code. To make matters worse, source code management systems "are underprotected and not very well monitored," he said.

That means that they could make easy targets in future attacks.

To illustrate this point, McAfee researchers took a look at a source code management system used by Google itself, software called Perforce. They found a number of problems. Perforce sends passwords across the network in unencrypted form, allows anonymous users to create new accounts, and runs with a higher-than-necessary level of privileges, giving hackers an extra way to exploit the system it's running on.

"There's not a lot of security in place and there's not a lot of logging," to protect source code within most companies, Kurtz said. "If that's your crown jewels, you might want to think twice about how you're protected."

Perforce was unable to comment immediately on McAfee's findings, but the Perforce bugs that McAfee found have little to do with the actual Aurora attacks, first disclosed by Google in mid-January.

That's because the Aurora hackers didn't need to break into any source code management systems. They were able to get access to engineering computers, which could in turn access these systems, said Alex Stamos, a partner with iSEC Partners.

A bigger problem is the fact that the Aurora hackers were able to access such a wealth of data from a small number of machines, he said. "Most engineers have access to way more than they need," he said.

With access to source code systems, criminals could alter software products, planting back door access mechanisms or logic bombs. Or they could simply download the code to analyze it for software bugs. Either of these is a scary proposition, security experts say.

In Google's case, there is a lot of data on that Perforce server. According to this paper by Google staffer Rick Wright, 8,000 engineers at Google have access to a Perforce server with about 600 gigabytes of data.
