The Insidious Consequences of Source Code Leaks

- Advertisement -


Digital Lapsus$ ransomware group is the latest to launch a high-profile data theft against big tech companies. Among other things, this group is known for grabbing and leaking source code at every opportunity, including from Samsung, Qualcomm and Nvidia. At the end of March, along with revelations that they hacked the Okta subprocessor, the hackers also dropped a lot of data containing source code snippets from Microsoft Bing, Bing Maps, and the Cortana virtual assistant. Sounds bad, right?

- Advertisement -

In recent years, businesses, governments, and other institutions have suffered from ransomware attacks, corporate email compromises, and a host of other breaches. The researchers, however, say that while source code leaks may seem disastrous, they certainly aren’t. wellthey are generally not the worst-case scenario for a criminal data breach.

- Advertisement -

“Some parts of the source code are indeed trade secrets, some parts of the source code can make it easier for people to abuse systems, but accounts and user data are usually the most important things that companies need to protect,” says Shane Huntley, Director of the Analysis Group Google Threats. . “For a vulnerability hunter, this simplifies some things by allowing you to skip a lot of steps. But it’s not magic. Just because someone can see the source code doesn’t mean they can use it right now.”

In other words, when attackers gain access to source code—and especially when they make it public—intellectual property of a company can be exposed in the process, and attackers can more quickly discover vulnerabilities in their systems. But the source code itself is not a roadmap for finding bugs that can be exploited. Attackers cannot grab Cortana from Microsoft or gain access to user accounts simply because they have some of the platform’s source code. In fact, as open source software shows, source code can be made available to the public without making the software on which it is based less secure.

- Advertisement -

Google’s Huntley notes that the same broad and varied scrutiny needed to protect open source software is also vital for critical proprietary source code in case it’s stolen or leaked. He also notes that major vulnerabilities in open source software, such as the recent Disadvantages of Log4joften go unnoticed for years or even decades, like inconspicuous typographical errors that are not detected by the author, editor or editor.

Microsoft detailed the Lapsus$ hack on March 22 and said in a statement that “Microsoft does not rely on code secrecy as a security measure, and viewing source code does not increase risk.”

Typically, security researchers and attackers must use “reverse engineering” to find vulnerabilities in software, working backwards from the final product to understand its components and how it works. And the researchers say the process may actually be more rewarding than looking at source code to find bugs, because it requires more creative and open-ended analysis than just looking at a recipe. However, there is no doubt that source code leaks can be problematic, especially for organizations that have not done enough auditing and validation to make sure they have found the most basic bugs.

Brett Callow, a threat analyst at antivirus firm Emsisoft, also notes that the attackers clearly have an interest in making the source code leak sound as dangerous as possible, regardless of the reality for a particular organization.

“Attackers want to make the incident look as horrific as possible, and it’s not just about getting paid by the current victim,” Callow says. the attention that these incidents may attract, we make your life completely unbearable. The easiest and least painful option is to just pay us!”

In practice, however, Callow says that while some data breach victims have some concerns about source code being leaked, it’s not a top priority for most organizations. “That doesn’t mean it can never be a problem, it just doesn’t usually happen,” he says.

The big problem with source code leaks is often not the source code itself. Rather, if an attacker has compromised something as heavily guarded as source code, it could mean that they have captured other crown jewels such as sensitive user data, encryption keys, or code signing certificates that are designed to verify that a piece of software has not been modified by an attacker. If stolen, they have more immediate and immediate implications for the security of the company, its products, and most importantly, its customers.

It is most dangerous if an attacker can not only gain access to or steal a copy, but also change product source code through software update or other manipulation, this is the type of violation that may have horrible effects.


More Great WIRED Stories

.


Credit: www.wired.com /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox