Source Code is the New Hacker Currency

No doubt you've been watching the data breaches pile up lately ... but have you noticed a trend? If you wade through the hype and hyperbole and dig into the details of the most prolific intrusions in recent history, you'll notice one thing that shines like a neon sign.

"Source code" is the new hotness on the hacker market. It's quite interesting to see this evolution, primarily because many of us are used to defending the 'endpoints' ... because that's where the data is, right? I think we may be seeing a shift here. Much like the tectonic plates that cause earthquakes, there are some thought-forces that are currently colliding deep under the surface and may cause certain mayhem.

"There are no borders"

For many years now, much like you, I've been reading articles and hearing talks about how the enterprise attack surface is fractured and splintered, causing an ever-increasing opportunity for breach by the bad guys. For the record, I don't disagree ... in fact, it's entirely too obvious to disagree with. But there's this subtle point that's been quietly going largely unnoticed. Attacking endpoints may get you at end-user data ... but it's exploiting these endpoints as stepping-stones that will get you into the inner sanctum of an organization where the real good stuff is kept tightly locked up (or so we would hope). So the idea of a borderless enterprise is scary for multiple reasons: valuable data walks out with the various gadgets a user may have, and exploitation of those endpoints will likely lead to a larger, much more serious compromise.

"Work Anywhere, Any Time"

Much to the painful grin of the enterprise security manager, the corporate CIO wants the enterprise 'network' to be everywhere. Some companies go as far as to let employees bring their own devices and allow them to work from those devices. Pulling at the extensions in the corporate network is the continually expanding need for people to be able to work remotely, effectively, and at any time. Interestingly enough, the move of corporate applications from binaries traditionally installed on corporate desktops to web-based applications accessible through a browser has caused serious issues for enterprises big and small. That mainframe application was quite good at user control, access provisioning, and so on, but once you turn it into just a database and abstract the access controls into the logic that runs the web application ... all bets are off.

It's All About the Source Code

Looking at these opposing forces, and factoring in recent high-profile breaches ... it really does seem to be all about the source code. Specifically, it's all about the secrets behind some of the more compelling software that runs security solutions on grand scales. RSA was attacked and source code was presumably stolen because millions of users worldwide use their tokens and access control mechanisms to gain access to corporate resources and highly guarded corporate secrets. Think about it ... how much more sense does it make to concentrate your energy, as an organized attacker, on penetrating and pilfering a security vendor so you can then either find flaws in their source code OR use that source code to understand their systems better? Answer: a lot.

The reason we're seeing security companies as a big, bright, shining target recently is that attackers finally had that "light bulb goes on" moment where someone realized that they were sick of hitting each target individually and wanted a way to hit millions of high-value corporate safes all at once, potentially.

Think about that.

Now think about where your source code, your corporate secrets, are stored. They're on desktops, laptops, servers, tablets and, if you're really unlucky, even on PasteBin.net (remember PasteBinFail?) ... my point is that the source code that governs the security solutions is the next target ... so if you've got the source code which stands between an attacker and a large customer or a big target, check your systems. You may already be a statistic.

Labels: hacking | trends
Comments
(anon) | 04-20-2011 01:29 PM

Is it really?

The recent Verizon data breach 2011 indicated that payment card data is still the prime target of criminals, and accounted for 96% of all records compromised. The report, however, does note an increase in the theft of sensitive information, intellectual property and classified data.

Having said that, I don't know if I would single out "Source Code" as the new hotness.

 

Benson_1 | 04-29-2011 03:53 PM

I think source code is only a valuable commodity for systems that rely in some way on security through obscurity. A truly well-designed and well-built piece of software should be resilient against inspection of its code. I think the best way to secure your software is to assume the attacker has your source (I invariably post mine on github.com). Once you make that assumption, you'll build better software. Making your source public is a lot like working with the chaos monkey described in this post on Jeff Atwood's "Coding Horror" blog: http://www.codinghorror.com/blog/2011/04/working-with-the-chaos-monkey.html

The heart of the matter is this: assume everything that can fail will. Once you work this way, you will build stronger, more resilient systems.

As far as I can tell, SSA is a matter of working with devs. If you want to protect systems from source code leakage, you'll have to talk devs into changing their ways. As a dev, I can promise you that you won't keep them from putting source code on laptops, dropbox, and all manner of other vulnerable systems. With that in mind, the best solution you can hope for is a system that's resilient even if its source is public. The shortest path to that goal is to publish all your source, and make sure the devs know it. If you hire a pentester, make sure they have a copy of the source when they start their test, and make sure the devs know this will happen.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation