Thursday, March 4, 2010

Google hackers targeted SCM systems

There's an interesting article in Wired today regarding the Google hacking attempts:

Hackers who breached Google and other companies in January targeted source code management systems, security firm McAfee asserted Wednesday, manipulating a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property it is meant to protect. The software management systems, widely used at businesses unaware that the holes exist, were exploited by the so-called Aurora hackers in a way that would have enabled them to siphon source code as well as modify it to make customers of the software vulnerable to attack.

McAfee has published more details, but I haven't read them yet.

As the McAfee researchers point out, your SCM system is the most important system in your entire software development process, and you must pay the utmost attention to administering it properly:

these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.

It is certainly true that some of the default security settings on SCM systems are weak, and allow too much access if left unchanged. However, administrators can definitely provide alternate settings.

An important principle of security protection is "defense in depth"; that is, providing multiple layers of defense so that if one is breached, the entire system does not fail. It sounds like in at least some cases, there was insufficient attention paid to administering security at all the various layers where it can be done.

No comments:

Post a Comment