Source code management a weak spot in Aurora attacks

McAfee says that hackers were after the source code management systems

Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months.

That's according to security vendor McAfee, which released a report detailing the way software source code was accessed in some of these attacks. "We saw targeted attacks against software configuration management products," said George Kurtz, McAfee's chief technology officer.

In many of the attacks company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, Kurtz said.

"These systems are designed so you can have multiple people around the world working on them," Kurtz said. That often gives the bad guys several ways to get into the code. To make matters worse, source code management systems "are underprotected and not very well monitored," he said.

That means that they could make easy targets in future attacks.

To illustrate this point, McAfee researchers took a look at a source code management system used by Google itself, software called Perforce. They found a number of problems. Perforce sends passwords across the network in unencrypted form, allows anonymous users to create new accounts, and runs with a higher-than-necessary level of privileges, giving hackers an extra way to exploit the system it's running on.

"There's not a lot of security in place and there's not a lot of logging," to protect source code within most companies, Kurtz said. "If that's your crown jewels, you might want to think twice about how you're protected."

Perforce was unable to comment immediately on McAfee's findings, but the Perforce bugs that McAfee found have little to do with the actual Aurora attacks, first disclosed by Google in mid-January.

That's because the Aurora hackers didn't need to break into any source code management systems. They were able to get access to engineering computers, which could in turn access these systems, said Alex Stamos, a partner with Isec Partners.

A bigger problem is the fact that the Aurora hackers were able to access such a wealth of data from a small number of machines, he said. "Most engineer have access to way more than they need," he said.

With access to source code systems, criminals could alter software products, planting back door access mechanisms or logic bombs. Or they could simply download the code to analyze it for software bugs. Either of these is a scary proposition, security experts say.

In Google's case, there is a lot of data on that Perforce Server. According to this paper by Google staffer Rick Wright 8,000 engineers at Google have access to a Perforce server with about 600 gigabytes of data.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags software developmentAurora attackGooglesource code

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?