Source Code is the New Hacker Currency

Sunday, May 01, 2011

Rafal Los


No doubt you've been paying attention as the data breaches pile up lately... but have you noticed a trend? 

If you wade through the hype and hyperbole and dig into the details of the most prolific intrusions in recent history, you'll notice one thing that shines like a neon sign.

"Source code" is the new hotness on the hacker market.  It's quite interesting to see this evolution primarily because many of us are used to defending the 'endpoints'... because that's where the data is, right?  I think we may be seeing a shift here. 

Much like the tectonic plates that cause earthquakes, there are some thought-forces that are currently colliding deep under the surface and may cause certain mayhem.

"There are no borders"

For many years now, much like you, I've been reading articles and hearing talks about how the enterprise attack surface is fractured and splintered, causing an ever-increasing opportunity for breach from the bad guys. 

For the record, I don't disagree... in fact, it's entirely too obvious to disagree with... but there's this subtle point that's been quietly going largely unnoticed.  Attacking endpoints may get you at end-user data... but it's in exploiting these endpoints as stepping-stones that will get you into the inner sanctum of an organization where the real good stuff is kept tightly locked up (or so we would hope). 

So the idea of a borderless enterprise is scary for multiple reasons: valuable data walks out with the various gadgets a user may have, and exploitation of those end-points will likely lead to a larger, much more serious compromise.

"Work Anywhere, Any Time"

Much to the painful grin of the enterprise security manager, the corporate CIO wants the enterprise 'network' to be everywhere.  Some companies go as far as to let employees bring their own devices and allow them to work from those devices. 

Pulling at the extensions in the corporate network is the continually expanding need for people to be able to work remotely, effectively, and at any time.  Interestingly enough the extension of corporate applications that have traditionally been installed as binaries on the corporate desktops to web-based applications accessible through a browser has caused serious issues for enterprises big and small. 

That mainframe application was quite good at user control, access provisioning, and so on, but once you turn it into just a database and abstract the access controls to the logic which runs the web application... all bets are off.

It's All About the Source Code

Looking at these opposing forces, and factoring in recent high-profile breaches ... it really does seem to be all about the source code.  Specifically it's all about the secrets behind some of the more compelling software that runs security solutions on grand scales. 

RSA was attacked and source code was presumably stolen because millions of users world-wide use their tokens and access control mechanisms to gain access to corporate resources and highly guarded corporate secrets. 

Think about it... how much more sense does it make to concentrate your energy, as an organized attacker, to penetrate and pilfer a security vendor so you can then either find flaws in their source code OR use that source code to understand their systems better?  Answer: a lot.

The reason we're seeing security companies as a big, bright, shining target recently is that attackers finally had that "light bulb goes on" moment where someone realized that they were sick of hitting each target individually and wanted a way to hit millions of high-valued corporate safes all at once, potentially.

Think about that.

Now think about where your source code, your corporate secrets, are stored.  They're on desktops, laptops, servers, tablets and if you're really unlucky even on PasteBin.net (remember PasteBinFail?)... my point is that the source code that governs the security solutions is the next target.

So if you've got the source code which stands between an attacker and a large customer or a big target - check your systems.  You may already be a statistic.

Cross-posted from Following the White Rabbit

Franc Schiphorst I think it's not so much the source code they want. They want to exploit the secret (business processes) inside. Break RSA or rank high at google. They don't want to build the next rsa/google with the code.
For some of us it's not a problem. We deliver services. Nothing secret and competitors who can do similar stuff.
The "secret" is more embedded in the DNA of the company, not something hidden in one room. And if your DNA is embedded deep enough you survive the loss of a key resource (top staff leaving) and business keeps on going.

So where is your [company name]-machine, and can someone put it in the back of a van ;)
Joseph Wulf Um, dude, the term is CRIMINAL. Hackers are we good folk who are moral, ethical and apply our skills to protect from CRIMINALS. Please utilize the correct term.
Joseph Wulf I would have thought so too. Thus my complaint about the incorrect allegation against good folk. This is a matter of clarity for us in the field---and especially for all the folks who casually read about what all we (and they) do. Being clear that CRIMINALS do such things is best.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.