
How one man silently infiltrated dozens of high-tech networks
2021-02-16 19:15

Any mis-step in the curation of any of the packages you rely upon, by any one of the hundreds or even thousands of coders in the community whose programming, testing and software publishing skills you have implicitly chosen to trust, could lead to a security disaster.

Worse still, updated packages that are fetched and installed by your dependency manager can introduce malware into the heart of your coding ecosystem even if the source code in the package itself remains exactly the same.

With a modified and booby-trapped package installation script, but unsullied and unmodified package source code, your developers won't notice or experience any changes in the behaviour of the software that they're working on, because the source code they depend upon will remain unaltered.

In Birsan's research, he found numerous cases where source code published by a variety of major vendors, including Apple, Microsoft, Tesla, Uber, Yelp and dozens of others, contained clearly documented dependencies on internal packages written in a variety of different languages.

How many of these internal names don't appear in any open source package repositories? Intuition suggests that packages with company-specific names will be globally unique because no one else would have a reason to choose them.

Don't let external package updates into your development network until they have been downloaded and vetted by your security team.
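One concrete check a security team can fold into that vetting, written as an added example rather than code from the article or from Birsan's research: scan a project's manifest for dependencies that carry an internal naming convention but are not pinned to a private registry, so the package manager would look them up on the public registry where a same-named package could shadow them. The `package.json`, `.npmrc` and the `acme-` / `@acme/` naming convention below are constructed assumptions.

```python
import json
import re

# Constructed sample manifest (not from the article) for an internal application.
SAMPLE_PACKAGE_JSON = """{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.17.1",
    "acme-auth-utils": "^1.2.0",
    "@acme/logger": "^2.0.0",
    "acme-internal-metrics": "*"
  }
}"""

# Constructed .npmrc: only the @acme scope is routed to the private registry.
SAMPLE_NPMRC = """@acme:registry=https://npm.internal.example/
registry=https://registry.npmjs.org/
"""

INTERNAL_PREFIXES = ("acme-", "@acme/")  # hypothetical naming convention


def private_scopes(npmrc_text):
    """Return scopes (e.g. '@acme') that .npmrc pins to a non-public registry."""
    scopes = set()
    for line in npmrc_text.splitlines():
        m = re.match(r"^(@[\w.-]+):registry=(\S+)", line.strip())
        if m and "registry.npmjs.org" not in m.group(2):
            scopes.add(m.group(1))
    return scopes


def audit_dependencies(package_json_text, npmrc_text, internal_prefixes=INTERNAL_PREFIXES):
    """Flag internally named dependencies that the package manager would resolve
    from the public registry, where a same-named public package could shadow them."""
    manifest = json.loads(package_json_text)
    scopes = private_scopes(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not name.startswith(internal_prefixes):
                continue  # public package by naming convention; not this check's concern
            scope = name.split("/")[0] if name.startswith("@") else None
            if scope in scopes:
                continue  # scoped and routed to the private registry only
            reason = "unscoped internal name resolved from public registry"
            if spec in ("*", "latest") or spec.startswith(("^", "~", ">")):
                reason += "; floating version range accepts a higher public version"
            findings.append((name, reason))
    return findings
```

Calling `audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC)` on the sample flags the two unscoped `acme-` packages and leaves `@acme/logger` alone because its scope is pinned to the private registry.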


News URL

https://nakedsecurity.sophos.com/2021/02/16/how-one-man-silently-infiltrated-dozens-of-high-tech-networks/