Open Season On Open Source?
Massive, Internet-scale compromise has taken many forms over the years. But it's probably never been easier than today.
With huge user databases exposed to the web, low-trust social graphs putting everyone within reach, and endpoint insecurity rendering nearly all other controls impotent, attackers barely need to "break into" systems. They simply tailgate users in, and siphon data out.
All your base are belong to us
While such breaches are often presented as isolated failures (e.g. "lazy" hackers getting lucky) or hopelessly advanced (state-sponsored cyber ninjas lying in wait), much of what we actually see is simply systemic. Targets of choice are now just as often targets by chance, when attackers have access to so many accounts. In the last decade, we've seen exploit markets and crimeware services materialize; I predict we'll eventually see Jigsaw-style account sharing emerge in a credible two-sided underground marketplace...
There are other systemic trust issues on the Internet that have been (and will be) issues for decades. For instance, attacks in the network control plane – active sniffers on MAE-East in the mid 90's (not just the NSA!), backdoored nameservers and ISP bastion hosts in the late 90's; targeted BGP hijacking in the early 2000's; un-lawful intercept in the mid-2000's, etc.
Somebody set us up the bomb
But the rabbit hole goes deeper. There have been a flurry of compromises reported in the media:
- Fortune 100 (Sony x 2, Exxon, Shell, BP, Nasdaq, ...)
- Commercial e-mail marketing (Epsilon, Silverpop, ReturnPath)
- IT & Security (RSA Security, Comodo, HBGary Federal, Barracuda Networks)
Yet nobody noticed when hackers won the LAMP merit badge last year:
- Open source (Fedora, Apache, MySQL, PHP, Sourceforge, GNU Savannah, BerliOS, Wordpress, Atlassian, UnrealIRCd, ProFTPd, vendor-sec, ...)
The Internet (or more accurately, the web) was built on open source. For hackers, though, it's the gift that keeps on giving.
You have no chance to survive make your time
Since the early 90's, there have been attempts (some successful, some not), to backdoor critical open source infrastructure. Automated systems have helped in some cases, but attackers have found their way to private source control, build, and distribution infrastructure via compromised developers and admins (or defunct public systems like the Sourceforge and Compaq compile farms). We'll never know how many sites have been compromised as a result, from the inside out. We suspect, however, that Ken Thompson's theoretically-perfect compiler backdoor is actually possible (please don't try!).