Lock Up Your Code

It has emerged that the latest set of high-profile cyber attacks were against source control management systems. For those not in the software engineering business, this is where source code for applications is held during development. A strange target, you might think?

Cyber-criminals have been taking a longer and longer view of their activities, and while the vast majority go for the quickest route to cash (stealing credit card and bank account details, etc.), there are those who are becoming more devious. So, why go after code? There are several reasons…

  1. Intellectual Property theft… if you have the source code or other product designs, then you could sell them on to the competition, or back to the original company.
  2. You can look for vulnerabilities to exploit. Having the code means you can find issues and use them – either by selling the vulnerability on the underground economy, or once more selling it back to the company it was stolen from.
  3. You could look to introduce vulnerabilities or backdoors into the code. Just because someone has accessed the code doesn’t necessarily mean that they have only taken a copy of it; they could also have changed some of what is there.

If you think this is all a little far-fetched, then there was another report this week of a USB battery charger which has a backdoor in it, enabling unauthorized access to the system. Not too good for the reputation of the company… This will no doubt be the first of many such attacks. Software is complex at the best of times, and the introduction of a backdoor is not hard to do… as long as no-one spots it, it can offer a great deal of leverage for the cyber-criminal. Spotting a 20-line backdoor in a million lines of code is tough!

Development systems and code repositories should be afforded the same security as production ones. Segregated data and networks, with intrusion detection/prevention systems, will help in protecting your Intellectual Property – before someone else exploits it.
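One practical control that follows from the point above (and from reason 3 in the list: an intruder may have changed code, not just copied it) is to keep an independent baseline of the source tree and compare against it, so that an unexpected addition, modification or deletion surfaces even when it is only a few lines in a large code base. The script below is an added example written for this post, not code from the original article or from any particular product. It hashes every file under a directory into a manifest, then reports the difference between a baseline manifest and a later one; the sample tree, the file names and the "tampering" it applies are all constructed for the demonstration.

```python
"""Detect unexpected changes to a source tree by comparing it with a baseline
manifest of SHA-256 file hashes. Added example, not from the original post."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: VCS metadata and build caches are not part of the audited tree.
IGNORED_DIRS = {".git", ".svn", "node_modules", "__pycache__"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file's path (relative to root, POSIX form) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORED_DIRS)
        for name in sorted(filenames):
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, take a baseline, alter the tree, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "auth.py").write_text("def check(user, pw):\n    return verify(user, pw)\n")
        (root / "src" / "util.py").write_text("def helper():\n    return 1\n")
        (root / "README").write_text("constructed sample tree\n")
        baseline = build_manifest(root)

        # Constructed changes standing in for an unreviewed edit, a new file and a deletion.
        with (root / "src" / "auth.py").open("a") as handle:
            handle.write("# constructed: one extra line nobody reviewed\n")
        (root / "src" / "extra.py").write_text("x = 1\n")
        (root / "README").unlink()

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest is only useful if it is stored somewhere the repository host cannot write to (read-only media, a separate audited system, or signed so that its integrity can be checked); an intruder who can rewrite the code can otherwise rewrite the manifest as well. Run on a schedule against a development server, the "modified" list gives reviewers a short, concrete set of files to inspect instead of a million lines.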

Guy Bunker
