Open Season On Open Source?
Massive, Internet-scale compromise has taken many forms over the years. But it's probably never been easier than today.
With huge user databases exposed to the web, low-trust social graphs putting everyone within reach, and endpoint insecurity rendering nearly all other controls impotent, attackers barely need to "break into" systems. They simply tailgate users in, and siphon data out.
All your base are belong to us
While such breaches are often presented as isolated failures (e.g. "lazy" hackers getting lucky) or hopelessly advanced (state-sponsored cyber ninjas lying in wait), much of what we actually see is simply systemic. Targets of choice are now just as often targets by chance, when attackers have access to so many accounts. In the last decade, we've seen exploit markets and crimeware services materialize; I predict we'll eventually see Jigsaw-style account sharing emerge in a credible two-sided underground marketplace...
There are other systemic trust issues on the Internet that have been (and will be) problems for decades. For instance, attacks in the network control plane: active sniffers on MAE-East in the mid 90's (not just the NSA!); backdoored nameservers and ISP bastion hosts in the late 90's; targeted BGP hijacking in the early 2000's; un-lawful intercept in the mid-2000's, etc.
Somebody set us up the bomb
But the rabbit hole goes deeper. There has been a flurry of compromises reported in the media:
- Fortune 100 (Sony x 2, Exxon, Shell, BP, Nasdaq, ...)
- Commercial e-mail marketing (Epsilon, Silverpop, ReturnPath)
- IT & Security (RSA Security, Comodo, HBGary Federal, Barracuda Networks)
- Open source (Fedora, Apache, MySQL, PHP, SourceForge, GNU Savannah, BerliOS, WordPress, Atlassian, UnrealIRCd, ProFTPD, vendor-sec, ...)