Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of other companies in January.
During a talk this afternoon Stuart McClure and I discussed how the attackers in Operation Aurora went after the crown jewels of the targeted companies, their intellectual property. Also, we disclosed some additional findings from the McAfee investigation into the attacks.
Specifically, we have concluded that, in several cases, the attackers executed precision strikes to gain access to source code configuration management systems (SCMs) at targeted companies. SCMs are used by software engineers to manage their projects and are used to store source code, the crown jewels of any tech company.
In our analysis of the attacks we found that the perpetrators went through several hoops to ultimately compromise the systems of the SCM users at the targeted organizations. This means that the attackers now had access to the SCM system and could siphon out source code or, worse, modify and add code.
As we continued our investigation, we realized that the SCM installations often aren’t properly secured. Many organizations have tight security around financial systems and other mission-critical systems, but leave their intellectual property repositories broadly accessible. The company might have strong perimeter security, but once you’re in, the SCM is readily available.
The SCM implementations were inherently insecure. McAfee researched Perforce, a common SCM system we found in many of the Operation Aurora attacks, to determine exactly how these attacks were targeting people with privileged access to intellectual property, including source code.
In the wake of Operation Aurora we published a white paper today that explores how SCM should be secured. We took a hard look at Perforce first and will look at other applications in the near future.
The main point: intellectual property is valuable, perhaps even more valuable than money, so it should be properly secured. If organizations today secured their financial assets as they secure their source code, they’d be broke.
Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company that makes products used by many large companies. McAfee’s white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but McAfee said it would look at other source-code management systems in the future. The paper doesn’t indicate which companies were using Perforce or had vulnerable configurations installed.