'Google' Hackers Had Ability to Alter Source Code
Kim Zetter writes on Threat Level:
The hackers who targeted Google and other companies in January targeted the source code management systems of companies, allowing them to siphon source code as well as modify it, according to a new report.More here.
More importantly, systems that the companies used to develop and manage their source code have numerous security flaws that would allow easy compromise of a company’s intellectual property. The same systems are used by numerous other companies who may not realize that their source code is open to attack.
The white paper [.pdf], released by security firm McAfee during this week’s RSA security conference in San Francisco, provides a couple of new details about the attacks, dubbed Operation Aurora, that affected some 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and also provided information to Google about malware that was used in the attacks.
According to the paper, the hackers gained access to software configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s software product. Stealing the code would also allow attackers to examine the source code for vulnerabilities in order to develop exploits to attack customers who use the software, such as Adobe Reader, for example.